* [OE-core][scarthgap 01/12] libxml2: fix CVE-2025-49794 & CVE-2025-49796
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../CVE-2025-49794-CVE-2025-49796.patch | 186 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
2 files changed, 187 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
new file mode 100644
index 0000000000..881cac7f03
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
@@ -0,0 +1,186 @@
+From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 4 Jul 2025 14:28:26 +0200
+Subject: [PATCH] schematron: Fix memory safety issues in
+ xmlSchematronReportOutput
+
+Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
+in xmlSchematronReportOutput.
+
+Fixes #931.
+Fixes #933.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b]
+CVE: CVE-2025-49794 CVE-2025-49796
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ result/schematron/cve-2025-49794_0.err | 2 ++
+ result/schematron/cve-2025-49796_0.err | 2 ++
+ schematron.c | 49 ++++++++++++++------------
+ test/schematron/cve-2025-49794.sct | 10 ++++++
+ test/schematron/cve-2025-49794_0.xml | 6 ++++
+ test/schematron/cve-2025-49796.sct | 9 +++++
+ test/schematron/cve-2025-49796_0.xml | 3 ++
+ 7 files changed, 58 insertions(+), 23 deletions(-)
+ create mode 100644 result/schematron/cve-2025-49794_0.err
+ create mode 100644 result/schematron/cve-2025-49796_0.err
+ create mode 100644 test/schematron/cve-2025-49794.sct
+ create mode 100644 test/schematron/cve-2025-49794_0.xml
+ create mode 100644 test/schematron/cve-2025-49796.sct
+ create mode 100644 test/schematron/cve-2025-49796_0.xml
+
+diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err
+new file mode 100644
+index 0000000..5775231
+--- /dev/null
++++ b/result/schematron/cve-2025-49794_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
++./test/schematron/cve-2025-49794_0.xml fails to validate
+diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err
+new file mode 100644
+index 0000000..bf875ee
+--- /dev/null
++++ b/result/schematron/cve-2025-49796_0.err
+@@ -0,0 +1,2 @@
++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2:
++./test/schematron/cve-2025-49796_0.xml fails to validate
+diff --git a/schematron.c b/schematron.c
+index a825920..411a515 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -1389,27 +1389,15 @@ exit:
+ * *
+ ************************************************************************/
+
+-static xmlNodePtr
++static xmlXPathObjectPtr
+ xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt,
+ xmlNodePtr cur, const xmlChar *xpath) {
+- xmlNodePtr node = NULL;
+- xmlXPathObjectPtr ret;
+-
+ if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL))
+ return(NULL);
+
+ ctxt->xctxt->doc = cur->doc;
+ ctxt->xctxt->node = cur;
+- ret = xmlXPathEval(xpath, ctxt->xctxt);
+- if (ret == NULL)
+- return(NULL);
+-
+- if ((ret->type == XPATH_NODESET) &&
+- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0))
+- node = ret->nodesetval->nodeTab[0];
+-
+- xmlXPathFreeObject(ret);
+- return(node);
++ return(xmlXPathEval(xpath, ctxt->xctxt));
+ }
+
+ /**
+@@ -1455,25 +1443,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt,
+ (child->type == XML_CDATA_SECTION_NODE))
+ ret = xmlStrcat(ret, child->content);
+ else if (IS_SCHEMATRON(child, "name")) {
++ xmlXPathObject *obj = NULL;
+ xmlChar *path;
+
+ path = xmlGetNoNsProp(child, BAD_CAST "path");
+
+ node = cur;
+ if (path != NULL) {
+- node = xmlSchematronGetNode(ctxt, cur, path);
+- if (node == NULL)
+- node = cur;
++ obj = xmlSchematronGetNode(ctxt, cur, path);
++ if ((obj != NULL) &&
++ (obj->type == XPATH_NODESET) &&
++ (obj->nodesetval != NULL) &&
++ (obj->nodesetval->nodeNr > 0))
++ node = obj->nodesetval->nodeTab[0];
+ xmlFree(path);
+ }
+
+- if ((node->ns == NULL) || (node->ns->prefix == NULL))
+- ret = xmlStrcat(ret, node->name);
+- else {
+- ret = xmlStrcat(ret, node->ns->prefix);
+- ret = xmlStrcat(ret, BAD_CAST ":");
+- ret = xmlStrcat(ret, node->name);
++ switch (node->type) {
++ case XML_ELEMENT_NODE:
++ case XML_ATTRIBUTE_NODE:
++ if ((node->ns == NULL) || (node->ns->prefix == NULL))
++ ret = xmlStrcat(ret, node->name);
++ else {
++ ret = xmlStrcat(ret, node->ns->prefix);
++ ret = xmlStrcat(ret, BAD_CAST ":");
++ ret = xmlStrcat(ret, node->name);
++ }
++ break;
++
++ /* TODO: handle other node types */
++ default:
++ break;
+ }
++
++ xmlXPathFreeObject(obj);
+ } else if (IS_SCHEMATRON(child, "value-of")) {
+ xmlChar *select;
+ xmlXPathObjectPtr eval;
+diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct
+new file mode 100644
+index 0000000..7fc9ee3
+--- /dev/null
++++ b/test/schematron/cve-2025-49794.sct
+@@ -0,0 +1,10 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++ <sch:pattern id="">
++ <sch:rule context="boo0">
++ <sch:report test="not(0)">
++ <sch:name path="	e|namespace::*|e"/>
++ </sch:report>
++ <sch:report test="0"></sch:report>
++ </sch:rule>
++ </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml
+new file mode 100644
+index 0000000..debc64b
+--- /dev/null
++++ b/test/schematron/cve-2025-49794_0.xml
+@@ -0,0 +1,6 @@
++<librar0>
++ <boo0 t="">
++ <author></author>
++ </boo0>
++ <ins></ins>
++</librar0>
+diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct
+new file mode 100644
+index 0000000..e9702d7
+--- /dev/null
++++ b/test/schematron/cve-2025-49796.sct
+@@ -0,0 +1,9 @@
++<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
++ <sch:pattern id="">
++ <sch:rule context="boo0">
++ <sch:report test="not(0)">
++ <sch:name path="/"/>
++ </sch:report>
++ </sch:rule>
++ </sch:pattern>
++</sch:schema>
+diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml
+new file mode 100644
+index 0000000..be33c4e
+--- /dev/null
++++ b/test/schematron/cve-2025-49796_0.xml
+@@ -0,0 +1,3 @@
++<librar0>
++ <boo0/>
++</librar0>
+--
+2.49.0
+
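Review bot: In the schematron.c portion of the backported patch, xmlSchematronGetNode now returns the live xmlXPathObject instead of a node, which is what keeps the nodeset entry valid until xmlSchematronFormatReport has read it, yet nothing at the definition says that ownership passes to the caller. I'd add above the function `/* Returns the raw XPath result, or NULL; the caller owns it, must keep it alive while using any nodeTab entry, and releases it with xmlXPathFreeObject. */`. The matching release is the unconditional `xmlXPathFreeObject(obj);` at the end of the second hunk, which relies on that function tolerating a NULL obj when no path attribute was present; a one-line comment there would make the pairing visible. The switch on node->type now drops namespace, document and other non-element results into the `default:` branch without emitting any name, which is the type-confusion fix but also a silent change in report text that the TODO only hints at. xmlSchematronFormatReport starts and ends outside the hunk.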
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index 1ecac70b4c..488ace62e5 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -21,6 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
file://CVE-2025-32414.patch \
file://CVE-2025-32415.patch \
file://CVE-2025-6021.patch \
+ file://CVE-2025-49794-CVE-2025-49796.patch \
"
SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
--
2.43.0
* [OE-core][scarthgap 02/12] python3: update CVE product
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".
Solve this by adding the CVE vendor to the python CVE product to avoid
confusion with Microsoft as vendor.
Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2
Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/python/python3_3.12.11.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/python/python3_3.12.11.bb b/meta/recipes-devtools/python/python3_3.12.11.bb
index 706dabb5cd..84c4f74158 100644
--- a/meta/recipes-devtools/python/python3_3.12.11.bb
+++ b/meta/recipes-devtools/python/python3_3.12.11.bb
@@ -45,7 +45,7 @@ SRC_URI[sha256sum] = "c30bb24b7f1e9a19b11b55a546434f74e739bb4c271a3e3a80ff4380d4
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-CVE_PRODUCT = "python cpython"
+CVE_PRODUCT = "python:python python_software_foundation:python cpython"
CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
--
2.43.0
* [OE-core][scarthgap 03/12] busybox: apply patch for CVE-2023-39810
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport patch referencing this CVE.
Note that the hardening is not activated by default; the patch adds a defconfig
option to enable it.
Since it introduces a breaking change, it shouldn't be enabled in LTS
release by default.
This patch makes busybox cpio equivalent in this release to what is
currently in master and in kirkstone.
Also note that gnu cpio also does not have this hardening, but the CVE
is created only against busybox.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../busybox/busybox/CVE-2023-39810.patch | 136 ++++++++++++++++++
meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
2 files changed, 137 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
new file mode 100644
index 0000000000..821ab3508f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,136 @@
+From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 2 Oct 2024 10:12:05 +0200
+Subject: [PATCH] archival: disallow path traversals (CVE-2023-39810)
+
+Create new configure option for archival/libarchive based extractions to
+disallow path traversals.
+As this is a paranoid option and might introduce backward
+incompatibility, default it to no.
+
+Fixes: CVE-2023-39810
+
+Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
+
+function old new delta
+data_extract_all 921 945 +24
+strip_unsafe_prefix 101 102 +1
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0) Total: 25 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2023-39810
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ archival/Config.src | 11 +++++++++++
+ archival/libarchive/data_extract_all.c | 8 ++++++++
+ archival/libarchive/unsafe_prefix.c | 6 +++++-
+ scripts/kconfig/lxdialog/check-lxdialog.sh | 2 +-
+ testsuite/cpio.tests | 23 ++++++++++++++++++++++
+ 5 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/archival/Config.src b/archival/Config.src
+index 6f4f30c43..cbcd7217c 100644
+--- a/archival/Config.src
++++ b/archival/Config.src
+@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST
+ This option reduces decompression time by about 25% at the cost of
+ a 1K bigger binary.
+
++config FEATURE_PATH_TRAVERSAL_PROTECTION
++ bool "Prevent extraction of filenames with /../ path component"
++ default n
++ help
++ busybox tar and unzip remove "PREFIX/../" (if it exists)
++ from extracted names.
++ This option enables this behavior for all other unpacking applets,
++ such as cpio, ar, rpm.
++ GNU cpio 2.15 has NO such sanity check.
++# try other archivers and document their behavior?
++
+ endmenu
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 049c2c156..8a69711c1 100644
+--- a/archival/libarchive/data_extract_all.c
++++ b/archival/libarchive/data_extract_all.c
+@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ } while (--n != 0);
+ }
+ #endif
++#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
++ /* Strip leading "/" and up to last "/../" path component */
++ dst_name = (char *)strip_unsafe_prefix(dst_name);
++#endif
++// ^^^ This may be a problem if some applets do need to extract absolute names.
++// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
++// You might think that rpm needs it, but in my tests rpm's internal cpio
++// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO".
+
+ if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) {
+ char *slash = strrchr(dst_name, '/');
+diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
+index 33e487bf9..667081195 100644
+--- a/archival/libarchive/unsafe_prefix.c
++++ b/archival/libarchive/unsafe_prefix.c
+@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+ cp++;
+ continue;
+ }
+- if (is_prefixed_with(cp, "/../"+1)) {
++ /* We are called lots of times.
++ * is_prefixed_with(cp, "../") is slower than open-coding it,
++ * with minimal code growth (~few bytes).
++ */
++ if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') {
+ cp += 3;
+ continue;
+ }
+diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh
+index 5075ebf2d..910ca1f7c 100755
+--- a/scripts/kconfig/lxdialog/check-lxdialog.sh
++++ b/scripts/kconfig/lxdialog/check-lxdialog.sh
+@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15
+ check() {
+ $cc -x c - -o $tmp 2>/dev/null <<'EOF'
+ #include CURSES_LOC
+-main() {}
++int main() { return 0; }
+ EOF
+ if [ $? != 0 ]; then
+ echo " *** Unable to find the ncurses libraries or the" 1>&2
+diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests
+index 85e746589..a4462c53e 100755
+--- a/testsuite/cpio.tests
++++ b/testsuite/cpio.tests
+@@ -154,6 +154,29 @@ testing "cpio -R with extract" \
+ " "" ""
+ SKIP=
+
++# Create an archive containing a file with "../dont_write" filename.
++# See that it will not be allowed to unpack.
++# NB: GNU cpio 2.15 DOES NOT do such checks.
++optional FEATURE_PATH_TRAVERSAL_PROTECTION
++rm -rf cpio.testdir
++mkdir -p cpio.testdir/prepare/inner
++echo "file outside of destination was written" > cpio.testdir/prepare/dont_write
++echo "data" > cpio.testdir/prepare/inner/to_extract
++mkdir -p cpio.testdir/extract
++testing "cpio extract file outside of destination" "\
++(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio -o -H newc) | (cd cpio.testdir/extract && cpio -vi 2>&1)
++echo \$?
++ls cpio.testdir/dont_write 2>&1" \
++"\
++cpio: removing leading '../' from member names
++../dont_write
++to_extract
++1 blocks
++0
++ls: cpio.testdir/dont_write: No such file or directory
++" "" ""
++SKIP=
++
+ # Clean up
+ rm -rf cpio.testdir cpio.testdir2 2>/dev/null
+
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 69e9555766..069544cc8a 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \
file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
file://CVE-2022-48174.patch \
+ file://CVE-2023-39810.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg "
# TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
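Review bot: The added `file://CVE-2023-39810.patch` line only pulls the patch into the build; the patch defaults `FEATURE_PATH_TRAVERSAL_PROTECTION` to n and no defconfig fragment sets it, so the cpio/ar/rpm extraction paths stay unchanged unless a distro turns the option on, while cve-check will, as far as I can tell, treat CVE-2023-39810 as patched. The commit message explains that this is deliberate for LTS, but nothing in the recipe says so. I'd record it next to the SRC_URI entry, e.g. `# CVE-2023-39810: the patch adds FEATURE_PATH_TRAVERSAL_PROTECTION (default n); enable it via a .cfg fragment to activate the hardening`, so a later reader does not assume the mitigation is active.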
--
2.43.0
* [OE-core][scarthgap 04/12] iputils: patch CVE-2025-48964
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit referencing this CVE.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../iputils/iputils/CVE-2025-48964.patch | 99 +++++++++++++++++++
.../iputils/iputils_20240117.bb | 1 +
2 files changed, 100 insertions(+)
create mode 100644 meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch
diff --git a/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch b/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch
new file mode 100644
index 0000000000..fc2352c99c
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch
@@ -0,0 +1,99 @@
+From afa36390394a6e0cceba03b52b59b6d41710608c Mon Sep 17 00:00:00 2001
+From: Cyril Hrubis <metan@ucw.cz>
+Date: Fri, 16 May 2025 17:57:10 +0200
+Subject: [PATCH] ping: Fix moving average rtt calculation
+
+The rts->rtt counts an exponential weight moving average in a fixed
+point, that means that even if we limit the triptime to fit into a 32bit
+number the average will overflow because because fixed point needs eight
+more bits.
+
+We also have to limit the triptime to 32bit number because otherwise the
+moving average may stil overflow if we manage to produce a large enough
+triptime.
+
+Fixes: CVE-2025-48964
+Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
+Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Tested-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Signed-off-by: Cyril Hrubis <metan@ucw.cz>
+
+CVE: CVE-2025-48964
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ iputils_common.h | 2 +-
+ ping/ping.h | 2 +-
+ ping/ping_common.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 829a749..1296905 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -11,7 +11,7 @@
+ __typeof__(&arr[0]))])) * 0)
+
+ /* 1000001 = 1000000 tv_sec + 1 tv_usec */
+-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
+
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+diff --git a/ping/ping.h b/ping/ping.h
+index 4dce538..bc1fab2 100644
+--- a/ping/ping.h
++++ b/ping/ping.h
+@@ -191,7 +191,7 @@ struct ping_rts {
+ long tmax; /* maximum round trip time */
+ double tsum; /* sum of all times, for doing average */
+ double tsum2;
+- int rtt;
++ uint64_t rtt; /* Exponential weight moving average calculated in fixed point */
+ int rtt_addend;
+ uint16_t acked;
+ int pipesize;
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 2a3e556..fad5228 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -282,7 +282,7 @@ int __schedule_exit(int next)
+
+ static inline void update_interval(struct ping_rts *rts)
+ {
+- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000;
++ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000;
+
+ rts->interval = (est + rts->rtt_addend + 500) / 1000;
+ if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS)
+@@ -778,7 +778,7 @@ restamp:
+ if (triptime > rts->tmax)
+ rts->tmax = triptime;
+ if (!rts->rtt)
+- rts->rtt = triptime * 8;
++ rts->rtt = ((uint64_t)triptime) * 8;
+ else
+ rts->rtt += triptime - rts->rtt / 8;
+ if (rts->opt_adaptive)
+@@ -948,7 +948,7 @@ int finish(struct ping_rts *rts)
+ int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1);
+
+ printf(_("%sipg/ewma %d.%03d/%d.%03d ms"),
+- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000);
++ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000));
+ }
+ putchar('\n');
+ return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets));
+@@ -973,7 +973,7 @@ void status(struct ping_rts *rts)
+ fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"),
+ (long)rts->tmin / 1000, (long)rts->tmin % 1000,
+ tavg / 1000, tavg % 1000,
+- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000);
++ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000);
+ }
+ fprintf(stderr, "\n");
+ }
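Review bot: With rts->rtt widened to uint64_t, the unchanged EWMA step `rts->rtt += triptime - rts->rtt / 8;` (a context line in the ping_common.c portion, inside a function that starts and ends outside the hunk) now evaluates `triptime - rtt/8` in unsigned arithmetic, so a triptime below the current average wraps and is only corrected by the following addition; the result is right because rtt >= rtt/8, but it reads like an overflow bug. I'd add above it `/* unsigned wrap in (triptime - rtt/8) is intentional: rtt + triptime - rtt/8 is never negative */`. The `(int)` narrowing added in update_interval and at the two printf sites is presumably safe only because TV_SEC_MAX_VAL now caps triptime near INT32_MAX microseconds, which keeps rtt/8 within int; that dependency deserves a comment beside the TV_SEC_MAX_VAL define, since loosening the cap would silently reintroduce truncation.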
diff --git a/meta/recipes-extended/iputils/iputils_20240117.bb b/meta/recipes-extended/iputils/iputils_20240117.bb
index 5ff5af8847..21494cae2b 100644
--- a/meta/recipes-extended/iputils/iputils_20240117.bb
+++ b/meta/recipes-extended/iputils/iputils_20240117.bb
@@ -12,6 +12,7 @@ DEPENDS = "gnutls"
SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \
file://CVE-2025-47268.patch \
+ file://CVE-2025-48964.patch \
"
SRCREV = "8372f355bdf7a9b0c79338dd8ef8464c00a5c4e2"
--
2.43.0
* [OE-core][scarthgap 05/12] gdk-pixbuf: fix CVE-2025-7345
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function
(io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing
maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding,
allowing out-of-bounds reads from heap memory, potentially causing application crashes or
arbitrary code execution.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch | 55 +++++++++++++++++++
.../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
new file mode 100644
index 0000000000..a8f23d3501
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
@@ -0,0 +1,55 @@
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Fri, 11 Jul 2025 11:02:05 -0400
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
+
+We we inadvertendly trusting the sequence numbers not to lie.
+If they do we would report a larger data size than we actually
+allocated, leading to out of bounds memory access in base64
+encoding later on.
+
+This has been assigned CVE-2025-7345.
+
+Fixes: #249
+
+CVE: CVE-2025-7345
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 3841fc0..9ee1d21 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ context->icc_profile = g_new (gchar, chunk_size);
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile, marker->data + 14, chunk_size);
++ ret = TRUE;
+ goto out;
+ }
+
+@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
+
+- /* it's now this big plus the new data we've just copied */
+- context->icc_profile_size += chunk_size;
++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
+
+ /* success */
+ ret = TRUE;
+ out:
++ if (!ret) {
++ g_free (context->icc_profile);
++ context->icc_profile = NULL;
++ }
+ return ret;
+ }
+
+--
+2.40.0
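Review bot: The replacement line `context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);` dropped the old explanatory comment and now encodes the actual fix without saying why, so a reader will not see that the running sum was the bug. I'd restore a why-comment above it: `/* chunk sequence numbers are untrusted: size is the furthest byte written so far, never a running sum, so it cannot exceed the allocation */`. The new cleanup under `out:` also assumes `ret` is FALSE on every earlier exit; jpeg_parse_exif_app2_segment begins before the hunk, so I could not confirm its initialisation, and a comment such as `/* ret is FALSE on every early exit above; discard a partial profile so size and buffer stay consistent */` would pin that invariant.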
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
index 9f825a68ef..ff1c7a1fb2 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://run-ptest \
file://fatal-loader.patch \
file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
+ file://CVE-2025-7345.patch \
"
SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
--
2.43.0
* [OE-core][scarthgap 06/12] git: Upgrade 2.44.3 -> 2.44.4
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Addresses the security issues - CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
Release Notes:
https://github.com/git/git/blob/v2.44.4/Documentation/RelNotes/2.44.4.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/git/{git_2.44.3.bb => git_2.44.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/git/{git_2.44.3.bb => git_2.44.4.bb} (98%)
diff --git a/meta/recipes-devtools/git/git_2.44.3.bb b/meta/recipes-devtools/git/git_2.44.4.bb
similarity index 98%
rename from meta/recipes-devtools/git/git_2.44.3.bb
rename to meta/recipes-devtools/git/git_2.44.4.bb
index 7b33d6071e..66936417e1 100644
--- a/meta/recipes-devtools/git/git_2.44.3.bb
+++ b/meta/recipes-devtools/git/git_2.44.4.bb
@@ -172,4 +172,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
"
EXTRA_OEMAKE += "NO_GETTEXT=1"
-SRC_URI[tarball.sha256sum] = "4237c37cdf7b3d38102117b22993b2f761a4c02758dfbe33f7b7423c0b096ca9"
+SRC_URI[tarball.sha256sum] = "302ebe0f4b1c5d1ee477b5ee74f7f2f69efd8fa7f27481e45087ba9a4bb4851c"
--
2.43.0
* [OE-core][scarthgap 07/12] Revert "sudo: Fix CVE-2025-32462"
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
This CVE is fixed in the following version bump
This reverts commit d01f888a5ec43fdc8e7bd496ae9317c0fa28da9b.
---
.../sudo/files/CVE-2025-32462.patch | 42 -------------------
meta/recipes-extended/sudo/sudo_1.9.15p5.bb | 1 -
2 files changed, 43 deletions(-)
delete mode 100644 meta/recipes-extended/sudo/files/CVE-2025-32462.patch
diff --git a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch b/meta/recipes-extended/sudo/files/CVE-2025-32462.patch
deleted file mode 100644
index 04610d40fd..0000000000
--- a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Tue, 1 Apr 2025 09:24:51 -0600
-Subject: [PATCH] Only allow a remote host to be specified when listing
- privileges.
-
-This fixes a bug where a user with sudoers privileges on a different
-host could execute a command on the local host, even if the sudoers
-file would not otherwise allow this. CVE-2025-32462
-
-Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
-
-Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff]
-CVE: CVE-2025-32462
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
----
- plugins/sudoers/sudoers.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
-index 70a0c1a528..ad2fa2f61c 100644
---- a/plugins/sudoers/sudoers.c
-+++ b/plugins/sudoers/sudoers.c
-@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
- time_t now;
- debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
-
-+ /* The user may only specify a host for "sudo -l". */
-+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
-+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
-+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
-+ N_("user not allowed to set remote host for command"));
-+ sudo_warnx("%s",
-+ U_("a remote host may only be specified when listing privileges."));
-+ ret = false;
-+ goto done;
-+ }
-+ }
-+
- /* If given the -P option, set the "preserve_groups" flag. */
- if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
- def_preserve_groups = true;
diff --git a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
index 30860eb75e..8e542015ad 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
@@ -3,7 +3,6 @@ require sudo.inc
SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
- file://CVE-2025-32462.patch \
"
PAM_SRC_URI = "file://sudo.pam"
--
2.43.0
[OE-core][scarthgap 08/12] sudo: upgrade 1.9.15p5 -> 1.9.17p1
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Praveen Kumar <praveen.kumar@windriver.com>
Changelog:
===========
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified
when running a command or editing a file. This could enable a
local privilege escalation attack if the sudoers file allows the
user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R
(--chroot) option to run arbitrary commands as root, even if
they are not listed in the sudoers file. The chroot support has
been deprecated and will be removed entirely in a future release.
License-Update: Copyright updated to 2025
0001-sudo.conf.in-fix-conflict-with-multilib.patch refreshed for 1.9.17
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...o.conf.in-fix-conflict-with-multilib.patch | 7 ++-
meta/recipes-extended/sudo/sudo.inc | 2 +-
.../{sudo_1.9.15p5.bb => sudo_1.9.17p1.bb} | 54 ++++++++++++++++++-
3 files changed, 57 insertions(+), 6 deletions(-)
rename meta/recipes-extended/sudo/{sudo_1.9.15p5.bb => sudo_1.9.17p1.bb} (52%)
diff --git a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
index 041c717e00..1989c5abd7 100644
--- a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
+++ b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
@@ -1,4 +1,4 @@
-From 6e835350b7413210c410d3578cfab804186b7a4f Mon Sep 17 00:00:00 2001
+From 8c69192754ba73dd6e3273728a21aa73988f4bfb Mon Sep 17 00:00:00 2001
From: Kai Kang <kai.kang@windriver.com>
Date: Tue, 17 Nov 2020 11:13:40 +0800
Subject: [PATCH] sudo.conf.in: fix conflict with multilib
@@ -15,13 +15,12 @@ Update the comments in sudo.conf.in to avoid the conflict.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Upstream-Status: Inappropriate [OE configuration specific]
-
---
examples/sudo.conf.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in
-index 2187457..0908d24 100644
+index bdd676c..094341c 100644
--- a/examples/sudo.conf.in
+++ b/examples/sudo.conf.in
@@ -4,7 +4,7 @@
@@ -53,7 +52,7 @@ index 2187457..0908d24 100644
# Sudo plugin directory:
@@ -74,7 +74,7 @@
# The default directory to use when searching for plugins that are
- # specified without a fully qualified path name.
+ # specified without a fully-qualified path name.
#
-#Path plugin_dir @plugindir@
+#Path plugin_dir $plugindir
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index feb1cf35a7..a23de1fcf7 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.sudo.ws"
BUGTRACKER = "http://www.sudo.ws/bugs/"
SECTION = "admin"
LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=5100e20d35f9015f9eef6bdb27ba194f \
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2841c822e587db145364ca95e9be2ffa \
file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \
file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \
file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \
diff --git a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb
similarity index 52%
rename from meta/recipes-extended/sudo/sudo_1.9.15p5.bb
rename to meta/recipes-extended/sudo/sudo_1.9.17p1.bb
index 8e542015ad..c5d57da9f0 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb
@@ -1,3 +1,55 @@
+# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'.
+# The following is the difference between the old and the new license text.
+# Please update the LICENSE value if needed, and summarize the changes in
+# the commit message via 'License-Update:' tag.
+# (example: 'License-Update: copyright years updated.')
+#
+# The changes:
+#
+# --- LICENSE.md
+# +++ LICENSE.md
+# @@ -1,6 +1,6 @@
+# Sudo is distributed under the following license:
+#
+# - Copyright (c) 1994-1996, 1998-2023
+# + Copyright (c) 1994-1996, 1998-2025
+# Todd C. Miller <Todd.Miller@sudo.ws>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# @@ -247,9 +247,9 @@
+#
+# The file arc4random.c bears the following license:
+#
+# - Copyright (c) 1996, David Mazieres <dm@uun.org>
+# - Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+# - Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
+# + Copyright (c) 1996, David Mazieres <dm@uun.org>
+# + Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+# + Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
+# Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# @@ -282,7 +282,7 @@
+#
+# The file getentropy.c bears the following license:
+#
+# - Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
+# + Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
+# Copyright (c) 2014 Bob Beck <beck@obtuse.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# @@ -299,7 +299,7 @@
+#
+# The embedded copy of zlib bears the following license:
+#
+# - Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
+# + Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
+#
+# This software is provided 'as-is', without any express or implied
+# warranty. In no event will the authors be held liable for any damages
+#
+#
+
require sudo.inc
SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
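Review bot: The 52 added comment lines starting at `# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'.` are the prompt devtool leaves for the submitter, not recipe content, and should be deleted before this is merged; the commit's `License-Update: Copyright updated to 2025` trailer already records what the inlined LICENSE.md diff shows, so nothing is lost by dropping it. The remaining changes in this recipe (the sha256sum in the next hunk, the new LIC_FILES_CHKSUM in sudo.inc) are the expected version-bump edits. Since the new tarball carries the fixes for CVE-2025-32462 and CVE-2025-32463 named in the commit message, no CVE_STATUS entry is needed once the backported CVE patch reverted in the previous commit is gone.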
@@ -7,7 +59,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
PAM_SRC_URI = "file://sudo.pam"
-SRC_URI[sha256sum] = "558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558"
+SRC_URI[sha256sum] = "ff607ea717072197738a78f778692cd6df9a7e3e404565f51de063ca27455d32"
DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
--
2.43.0
[OE-core][scarthgap 09/12] binutils: stable 2.42 branch updates
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
The following commit from the binutils-2.42 stable branch is pulled in by this SRCREV update:
x86: Check MODRM for call and jmp in binutils older than 2.45
Test Results:
Before After Diff
No. of expected passes 302 302 0
No. of unexpected failures 2 2 0
No. of untested testcases 1 1 0
No. of unsupported tests 7 7 0
Testing was done and there were no regressions found
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index ea018a48a3..9471e6accd 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -21,7 +21,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier"
CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176"
-SRCREV ?= "6558f9f5f0ccc107a083ae7fbf106ebcb5efa817"
+SRCREV ?= "f9488b0d92b591bdf3ff8cce485cb0e1b3727cc0"
BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
SRC_URI = "\
${BINUTILS_GIT_URI} \
--
2.43.0
[OE-core][scarthgap 10/12] kea: set correct permissions for /var/run/kea
From: Steve Sakoman @ 2025-07-17 2:58 UTC (permalink / raw)
To: openembedded-core
From: Yi Zhao <yi.zhao@windriver.com>
Set the permissions of /var/run/kea to 750 to fix kea server startup
error:
ERROR [kea-dhcp4.dhcp4/445.140718820303936] DHCP4_INIT_FAIL failed to
initialize Kea server: configuration error using file
'/etc/kea/kea-dhcp4.conf': 'socket-name' is invalid: socket
path:/var/run/kea does not exist or does not have permssions = 750
This permission check was introduced by commit[1] in kea 2.4.2.
[1] https://gitlab.isc.org/isc-projects/kea/-/commit/f7061c4e9711f395fbc940b0cf0ddbde87e0fc13
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service | 1 +
meta/recipes-connectivity/kea/files/kea-dhcp4.service | 1 +
meta/recipes-connectivity/kea/files/kea-dhcp6.service | 1 +
3 files changed, 3 insertions(+)
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
index f6059d73cb..aec6446f0e 100644
--- a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
@@ -6,6 +6,7 @@ After=time-sync.target
[Service]
ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/
ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf
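Review bot: The added `chmod 750` is a second ExecStartPre after `mkdir -p`, so on a fresh boot the directory briefly exists with the umask-derived mode before it is tightened, and both steps shell out for something systemd can do declaratively. Replacing the two ExecStartPre lines with `RuntimeDirectory=kea` and `RuntimeDirectoryMode=0750` has systemd create the directory with that mode before ExecStart runs and remove it on stop; this assumes `@LOCALSTATEDIR@/run` resolves to /run on this configuration, since RuntimeDirectory= is always relative to /run — worth confirming before switching. The unit shows no `User=`, so the directory is root-owned and 0750 also locks any non-root client out of the control socket directory; if that is intended, a one-line comment in the unit such as `# 0750: kea >= 2.4.2 refuses to start if the socket directory is more permissive` would save the next reader a trip to the kea changelog.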
[Install]
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp4.service b/meta/recipes-connectivity/kea/files/kea-dhcp4.service
index b851ea71c5..a2ed4edb59 100644
--- a/meta/recipes-connectivity/kea/files/kea-dhcp4.service
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp4.service
@@ -6,6 +6,7 @@ After=time-sync.target
[Service]
ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/
ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea
ExecStart=@SBINDIR@/kea-dhcp4 -c @SYSCONFDIR@/kea/kea-dhcp4.conf
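Review bot: The `mkdir -p` followed by a separate `chmod 750` leaves `@LOCALSTATEDIR@/run/kea` at its umask-derived mode between the two ExecStartPre steps and duplicates what systemd provides natively. `RuntimeDirectory=kea` plus `RuntimeDirectoryMode=0750` replaces both lines, and the `mkdir -p @LOCALSTATEDIR@/lib/kea` beneath could likewise become `StateDirectory=kea`, provided `@LOCALSTATEDIR@` is /var here, because RuntimeDirectory= and StateDirectory= are fixed to /run and /var/lib respectively. With no `User=` in the unit the 0750 directory is root-owned, so any non-root consumer of the control socket loses access; confirm that is the intent and say so in a comment next to the mode.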
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp6.service b/meta/recipes-connectivity/kea/files/kea-dhcp6.service
index 0f9f0ef8d9..ed6e017d0c 100644
--- a/meta/recipes-connectivity/kea/files/kea-dhcp6.service
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp6.service
@@ -6,6 +6,7 @@ After=time-sync.target
[Service]
ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/
ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea
ExecStart=@SBINDIR@/kea-dhcp6 -c @SYSCONFDIR@/kea/kea-dhcp6.conf
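Review bot: The `mkdir -p` then `chmod 750` pair leaves `@LOCALSTATEDIR@/run/kea` at its umask-derived mode until the second ExecStartPre runs and shells out twice for a directory systemd can manage itself. `RuntimeDirectory=kea` with `RuntimeDirectoryMode=0750` replaces both lines, and `StateDirectory=kea` could replace the `mkdir -p @LOCALSTATEDIR@/lib/kea` line, as long as `@LOCALSTATEDIR@` is /var on this configuration (those directives are anchored to /run and /var/lib). The unit has no `User=`, so the root-owned 0750 directory also excludes non-root clients of the control socket; if that is deliberate, a short comment by the mode line would make the intent explicit.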
--
2.43.0
[OE-core][scarthgap 11/12] timedated: wait for jobs before SetNTP response
To: openembedded-core
From: Michal Seben <michal.seben@siemens.com>
Backport the upstream fix for org.freedesktop.timedate1.SetNTP returning before the jobs it triggers have finished, which could make subsequent D-Bus calls fail. The fix has been in systemd since v256-rc1.
Signed-off-by: Michal Seben <michal.seben@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...d-on-org.freedesktop.timedate1.SetNT.patch | 97 +++++++++++++++++++
meta/recipes-core/systemd/systemd_255.21.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch
diff --git a/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch b/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch
new file mode 100644
index 0000000000..c1d8a94bf7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch
@@ -0,0 +1,97 @@
+From 3a51e31be9f626cf772733cb289ed64739fab0e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Tue, 20 Feb 2024 19:26:16 +0100
+Subject: [PATCH] timedated: Respond on org.freedesktop.timedate1.SetNTP only
+ when really finished
+
+The method returns prematurely (before jobs it triggers terminate). This
+is externally visible because other methods may fail if jobs did not
+finish.
+Postpone the DBus method response until we collect all signals for
+finished jobs.
+systemd-timedated keeps track of in-flight DBus requests and answers
+them all in unspecified order when jobs finish. The capacity of requests
+in systemd-timedated is limited.
+
+Fixes: #17739
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3a51e31be9f626cf772733cb289ed64739fab0e4]
+Signed-off-by: Michal Seben <michal.seben@siemens.com>
+---
+ src/timedate/timedated.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+Index: git/src/timedate/timedated.c
+===================================================================
+--- git.orig/src/timedate/timedated.c
++++ git/src/timedate/timedated.c
+@@ -45,6 +45,7 @@
+ #define NULL_ADJTIME_LOCAL "0.0 0 0\n0\nLOCAL\n"
+
+ #define UNIT_LIST_DIRS (const char* const*) CONF_PATHS_STRV("systemd/ntp-units.d")
++#define SET_NTP_IN_FLIGHT_MAX 16
+
+ typedef struct UnitStatusInfo {
+ char *name;
+@@ -61,6 +62,7 @@ typedef struct Context {
+ bool local_rtc;
+ Hashmap *polkit_registry;
+ sd_bus_message *cache;
++ Set *set_ntp_calls;
+
+ sd_bus_slot *slot_job_removed;
+
+@@ -121,6 +123,7 @@ static void context_clear(Context *c) {
+ free(c->zone);
+ bus_verify_polkit_async_registry_free(c->polkit_registry);
+ sd_bus_message_unref(c->cache);
++ set_free(c->set_ntp_calls);
+
+ sd_bus_slot_unref(c->slot_job_removed);
+
+@@ -461,11 +464,19 @@ static int match_job_removed(sd_bus_mess
+ n += !!u->path;
+
+ if (n == 0) {
++ sd_bus_message *cm;
++
+ c->slot_job_removed = sd_bus_slot_unref(c->slot_job_removed);
+
+ (void) sd_bus_emit_properties_changed(sd_bus_message_get_bus(m),
+ "/org/freedesktop/timedate1", "org.freedesktop.timedate1", "NTP",
+ NULL);
++ while ((cm = set_steal_first(c->set_ntp_calls))) {
++ r = sd_bus_reply_method_return(cm, NULL);
++ if (r < 0)
++ log_debug_errno(r, "Failed to reply to SetNTP method call, ignoring: %m");
++ sd_bus_message_unref(cm);
++ }
+ }
+
+ return 0;
+@@ -944,6 +955,9 @@ static int method_set_ntp(sd_bus_message
+ LIST_FOREACH(units, u, c->units)
+ u->path = mfree(u->path);
+
++ if (set_size(c->set_ntp_calls) >= SET_NTP_IN_FLIGHT_MAX)
++ return sd_bus_error_set_errnof(error, EAGAIN, "Too many calls in flight.");
++
+ if (!c->slot_job_removed) {
+ r = bus_match_signal_async(
+ bus,
+@@ -998,11 +1012,12 @@ static int method_set_ntp(sd_bus_message
+ c->slot_job_removed = TAKE_PTR(slot);
+
+ if (selected)
+- log_info("Set NTP to enabled (%s).", selected->name);
++ log_info("Set NTP to be enabled (%s).", selected->name);
+ else
+- log_info("Set NTP to disabled.");
++ log_info("Set NTP to be disabled.");
+
+- return sd_bus_reply_method_return(m, NULL);
++ /* Asynchrounous reply to m in match_job_removed() */
++ return set_ensure_consume(&c->set_ntp_calls, &bus_message_hash_ops, sd_bus_message_ref(m));
+ }
+
+ static int method_list_timezones(sd_bus_message *m, void *userdata, sd_bus_error *error) {
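Review bot: The new in-flight cap `if (set_size(c->set_ntp_calls) >= SET_NTP_IN_FLIGHT_MAX)` sits below the pre-existing `LIST_FOREACH(units, u, c->units) u->path = mfree(u->path);` loop, so a call rejected with EAGAIN has already discarded the job paths that up to 16 queued callers are waiting on; from the visible part of match_job_removed, once every `u->path` is NULL the next JobRemoved signal yields `n == 0` and replies to all of them before their jobs have finished. Moving the cap check above that loop keeps a rejected call from touching the bookkeeping of accepted ones — a one-line reorder best sent upstream and carried here as a follow-up patch, since this file is a verbatim backport. A second, hedged point because the rest of method_set_ntp is outside the hunk: if a call ends up recording no job path at all, nothing triggers the deferred reply and the message stays in `set_ntp_calls` until the client's bus timeout, so confirm that path still replies directly. method_set_ntp begins before the hunk and only its tail is shown.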
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
index bb9dc3da33..e866f9921b 100644
--- a/meta/recipes-core/systemd/systemd_255.21.bb
+++ b/meta/recipes-core/systemd/systemd_255.21.bb
@@ -27,6 +27,7 @@ SRC_URI += " \
file://99-default.preset \
file://systemd-pager.sh \
file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
+ file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
"
--
2.43.0
[OE-core][scarthgap 12/12] oe-debuginfod: add option for data storage
From: Steve Sakoman @ 2025-07-17 2:59 UTC (permalink / raw)
To: openembedded-core
From: Joe Slater <joe.slater@windriver.com>
Storing the data files under $HOME can be unreliable if debuginfod
is used for several projects, especially if $HOME is shared
between machines. We provide an option to save files under the
project directory. The default behavior is unchanged.
(From OE-Core rev: e1e0cf82f559077e2a51447baf137086202c0c4a)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/oe-debuginfod | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/scripts/oe-debuginfod b/scripts/oe-debuginfod
index b525310225..60e51addfd 100755
--- a/scripts/oe-debuginfod
+++ b/scripts/oe-debuginfod
@@ -15,14 +15,29 @@ scriptpath.add_bitbake_lib_path()
import bb.tinfoil
import subprocess
+import argparse
if __name__ == "__main__":
+ p = argparse.ArgumentParser()
+ p.add_argument("-d", action='store_true', \
+ help="store debuginfod files in project sub-directory")
+
+ args = p.parse_args()
+
with bb.tinfoil.Tinfoil() as tinfoil:
tinfoil.prepare(config_only=True)
package_classes_var = "DEPLOY_DIR_" + tinfoil.config_data.getVar("PACKAGE_CLASSES").split()[0].replace("package_", "").upper()
feed_dir = tinfoil.config_data.getVar(package_classes_var, expand=True)
+ opts = [ '--verbose', '-R', '-U', feed_dir ]
+
+ if args.d:
+ fdir = os.path.join(os.getcwd(), 'oedid-files')
+ os.makedirs(fdir, exist_ok=True)
+ opts += [ '-d', os.path.join(fdir, 'did.sqlite') ]
+
subprocess.call(['bitbake', '-c', 'addto_recipe_sysroot', 'elfutils-native'])
- subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', '-U', feed_dir])
+ subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod'] + opts)
+ # we should not get here
print("\nTo use the debuginfod server please ensure that this variable PACKAGECONFIG:pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
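Review bot: The new `-d` location is derived from `os.getcwd()`, so the "project sub-directory" the commit message promises is really whatever directory the user happens to run the script from; since `tinfoil.config_data` is already in hand, `fdir = os.path.join(tinfoil.config_data.getVar('TOPDIR'), 'oedid-files')` would pin it to the build directory. `os` is not imported anywhere inside the hunk — presumably the top of the script already imports it for the `scriptpath` setup, but confirm before relying on it. The return value of the changed `subprocess.call([... 'debuginfod'] + opts)` is still dropped, so a debuginfod that exits non-zero is indistinguishable from one the user stopped; `rc = subprocess.call(...)` followed by `sys.exit(rc)` (if `sys` is imported) would make the PACKAGECONFIG hint printed below it actionable. The help text could also name the destination, e.g. `help="store the debuginfod database under ./oedid-files instead of $HOME"`.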
--
2.43.0