Openembedded Core Discussions
* [OE-core][kirkstone 0/9] Patch review
@ 2022-05-23 13:59 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-05-23 13:59 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3692

The following changes since commit ec9e9497730f0a9c8ad3d696c8cdcec06267aacf:

  base-passwd: Disable shell for default users (2022-05-16 13:59:44 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  mmc-utils: upgrade to latest revision

Claudius Heine (1):
  classes: rootfs-postcommands: add skip option to overlayfs_qa_check

Marta Rybczynska (1):
  cve-check: Fix report generation

Richard Purdie (2):
  staging: Fix rare sysroot corruption issue
  selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES

Robert Joslyn (1):
  curl: Backport CVE fixes

Samuli Piippo (1):
  binutils: Bump to latest 2.38 release branch

Steve Sakoman (1):
  python3: fix reproducibility issue with python3-core

wangmy (1):
  librepo: upgrade 1.14.2 -> 1.14.3

 meta/classes/cve-check.bbclass                |  18 +-
 meta/classes/rootfs-postcommands.bbclass      |  10 +-
 meta/classes/staging.bbclass                  |  24 +
 meta/lib/oeqa/selftest/cases/imagefeatures.py |   2 +-
 meta/lib/oeqa/selftest/cases/overlayfs.py     |  36 +-
 .../binutils/binutils-2.38.inc                |   2 +-
 .../{librepo_1.14.2.bb => librepo_1.14.3.bb}  |   2 +-
 meta/recipes-devtools/mmc/mmc-utils_git.bb    |   2 +-
 .../recipes-devtools/python/python3_3.10.4.bb |   5 +
 .../curl/curl/CVE-2022-22576.patch            | 145 ++++++
 .../curl/curl/CVE-2022-27774-1.patch          |  45 ++
 .../curl/curl/CVE-2022-27774-2.patch          |  80 +++
 .../curl/curl/CVE-2022-27774-3.patch          |  83 ++++
 .../curl/curl/CVE-2022-27774-4.patch          |  35 ++
 .../curl/curl/CVE-2022-27775.patch            |  37 ++
 .../curl/curl/CVE-2022-27776.patch            | 115 +++++
 .../curl/curl/CVE-2022-27779.patch            |  42 ++
 .../curl/curl/CVE-2022-27780.patch            |  33 ++
 .../curl/curl/CVE-2022-27781.patch            |  43 ++
 .../curl/curl/CVE-2022-27782-1.patch          | 458 ++++++++++++++++++
 .../curl/curl/CVE-2022-27782-2.patch          |  71 +++
 .../curl/curl/CVE-2022-30115.patch            |  82 ++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  16 +-
 23 files changed, 1362 insertions(+), 24 deletions(-)
 rename meta/recipes-devtools/librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} (94%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch

-- 
2.25.1



^ permalink raw reply	[flat|nested] 22+ messages in thread

* [OE-core][kirkstone 0/9] Patch review
@ 2022-11-13 14:12 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-11-13 14:12 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4468

The following changes since commit 0c0723757fbba9a4b88c0f98477a18d1e220da2e:

  mirrors.bbclass: use shallow tarball for binutils-native (2022-11-06 06:00:05 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (2):
  lttng-modules: upgrade 2.13.4 -> 2.13.5
  quilt: backport a patch to address grep 3.8 failures

Hitendra Prajapati (1):
  QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext
    leads to CPU exhaustion

Michael Opdenacker (1):
  create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED

Narpat Mali (1):
  python3-mako: backport fix for CVE-2022-40023

Ross Burton (3):
  pixman: backport fix for CVE-2022-44638
  sanity: check for GNU tar specifically
  qemu: add io_uring PACKAGECONFIG

ciarancourtney (1):
  wic: swap partitions are not added to fstab

 meta/classes/create-spdx.bbclass              |   2 -
 meta/classes/sanity.bbclass                   |   8 +
 .../python/python3-mako/CVE-2022-40023.patch  | 119 +++++++++++++++
 .../python/python3-mako_1.1.6.bb              |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   3 +-
 .../qemu/qemu/CVE-2022-3165.patch             |  61 ++++++++
 meta/recipes-devtools/quilt/quilt.inc         |   1 +
 .../quilt/quilt/fix-grep-3.8.patch            | 144 ++++++++++++++++++
 .../xorg-lib/pixman/CVE-2022-44638.patch      |  33 ++++
 .../xorg-lib/pixman_0.40.0.bb                 |   1 +
 .../lttng-modules/0001-fix-compaction.patch   |  68 ---------
 ...c-fix-tracepoint-mm_page_alloc_zone_.patch | 106 -------------
 ...oduce-kfree_skb_reason-v5.15.58.v5.1.patch |  53 -------
 ...ags-parameter-from-aops-write_begin-.patch |  76 ---------
 ...Fix-type-of-cpu-in-trace-event-v5.19.patch | 124 ---------------
 ...ules_2.13.4.bb => lttng-modules_2.13.5.bb} |   7 +-
 scripts/lib/wic/plugins/imager/direct.py      |   2 +-
 17 files changed, 373 insertions(+), 437 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
 create mode 100644 meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.4.bb => lttng-modules_2.13.5.bb} (78%)

-- 
2.25.1




* [OE-core][kirkstone 0/9] Patch review
@ 2023-01-17 14:08 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4800

The following changes since commit 4760fac939a6204e3cb7dcd3699cd9a2508f9dee:

  devtool: process local files only for the main branch (2023-01-12 04:56:26 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bhabu Bindu (1):
  qemu: Fix CVE-2022-4144

Daniel Gomez (1):
  gtk-icon-cache: Fix GTKIC_CMD if-else condition

KARN JYE LAU (1):
  freetype:update mirror site.

Martin Jansa (1):
  ffmpeg: refresh patches to apply cleanly

Narpat Mali (3):
  python3-setuptools: fix for CVE-2022-40897
  python3-wheel: fix for CVE-2022-40898
  python3-git: fix for CVE-2022-24439

Yash Shinde (1):
  glibc: stable 2.35 branch updates.

Yogita Urade (1):
  libksba: fix CVE-2022-47629

 meta/classes/gtk-icon-cache.bbclass           |   2 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 ...-git-CVE-2022-24439-fix-from-PR-1518.patch |  97 ++++
 ...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 ++++++++++++++++++
 .../python/python3-git_3.1.27.bb              |   4 +
 ...-of-whitespace-to-search-backtrack.-.patch |  31 ++
 .../python/python3-setuptools_59.5.0.bb       |   1 +
 ...tential-DoS-attack-via-WHEEL_INFO_RE.patch |  32 ++
 .../python/python3-wheel_0.37.1.bb            |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2022-4144.patch             |  99 ++++
 .../freetype/freetype_2.11.1.bb               |   2 +-
 ...c-stop-accessing-out-of-bounds-frame.patch |  19 +-
 ...c-stop-accessing-out-of-bounds-frame.patch |   7 +-
 ...-vp3-Add-missing-check-for-av_malloc.patch |  12 +-
 ...overflow-in-the-CRL-signature-parser.patch |  72 +++
 meta/recipes-support/libksba/libksba_1.6.2.bb |   3 +-
 17 files changed, 848 insertions(+), 28 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
 create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
 create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
 create mode 100644 meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch

-- 
2.25.1




* [OE-core][kirkstone 0/9] Patch review
@ 2023-06-20 15:37 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-06-20 15:37 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5492

The following changes since commit 0e17a5a4f0e3301bf78f77bb5ca4aaf3e4dbc7af:

  Revert "ipk: Decode byte data to string in manifest handling" (2023-06-17 05:18:44 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  nasm: fix CVE-2022-46457

Bruce Ashfield (1):
  kernel: don't force PAHOLE=false

Chen Qi (1):
  staging.bbclass: do not add extend_recipe_sysroot to prefuncs of
    prepare_recipe_sysroot

Lorenzo Arena (1):
  conf: add nice level to the hash config ignored variables

Martin Jansa (1):
  go.bbclass: don't use test to check output from ls

Pavel Zhukov (1):
  lib/terminal.py: Add urxvt terminal

Ranjitsinh Rathod (1):
  kmscube: Correct DEPENDS to avoid overwrite

Thomas Roos (1):
  oeqa/selftest/cases/devtool.py: skip all tests require folder a git
    repo

Wang Mingyu (1):
  iso-codes: upgrade 4.13.0 -> 4.15.0

 meta/classes/go.bbclass                       |  2 +-
 meta/classes/kernel.bbclass                   |  2 +-
 meta/classes/staging.bbclass                  |  2 +-
 meta/conf/bitbake.conf                        |  2 +-
 meta/lib/oe/terminal.py                       |  4 ++
 meta/lib/oeqa/selftest/cases/devtool.py       |  8 +++
 .../nasm/nasm/CVE-2022-46457.patch            | 50 +++++++++++++++++++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb    |  1 +
 meta/recipes-graphics/kmscube/kmscube_git.bb  |  3 +-
 ...so-codes_4.13.0.bb => iso-codes_4.15.0.bb} |  2 +-
 10 files changed, 69 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
 rename meta/recipes-support/iso-codes/{iso-codes_4.13.0.bb => iso-codes_4.15.0.bb} (94%)

-- 
2.34.1




* [OE-core][kirkstone 0/9] Patch review
@ 2024-03-07 23:37 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-03-07 23:37 UTC (permalink / raw)
  To: openembedded-core

Unfortunately this series of linux-yocto version bumps has caused a
number of issues with adding and resizing partitions.  The problem was
introduced in 5.15.132 and has not been fixed in any of the subsequent
version bumps.

Bruce and I have decided to revert this series until we have an acceptable fix.

Please have any comments back by end of day Monday, March 11.

The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:

  golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Steve Sakoman (9):
  Revert "linux-yocto/5.15: update CVE exclusions"
  Revert "linux-yocto/5.15: update to v5.15.148"
  Revert "linux-yocto/5.15: update CVE exclusions"
  Revert "linux-yocto/5.15: update to v5.15.147"
  Revert "linux-yocto/5.15: update CVE exclusions"
  Revert "linux-yocto/5.15: update to v5.15.146"
  Revert "linux-yocto/5.15: update to v5.15.145"
  Revert "linux-yocto/5.15: update to v5.15.142"
  Revert "linux-yocto/5.15: update to v5.15.141"

 .../linux/cve-exclusion_5.15.inc              | 372 ++----------------
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +-
 4 files changed, 57 insertions(+), 353 deletions(-)

-- 
2.34.1




* [OE-core][kirkstone 0/9] Patch review
@ 2024-04-03  3:46 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03  3:46 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 4

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758

The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33:

  glibc: Fix subscript typos for get_nscd_addresses (2024-03-19 03:33:32 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Claus Stovgaard (1):
  gcc: Backport sanitizer fix for 32-bit ALSR

Colin McAllister (1):
  common-licenses: Backport missing license

Lee Chee Yang (2):
  xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
  tiff: fix CVE-2023-52356 CVE-2023-6277

Meenali Gupta (1):
  expat: fix CVE-2023-52425

Tan Wen Yan (1):
  python3-urllib3: update to v1.26.18

Vijay Anusuri (2):
  curl: backport Debian patch for CVE-2024-2398
  qemu: Fix for CVE-2023-6683

aszh07 (1):
  nghttp2: fix CVE-2023-44487

 .../LGPL-3.0-with-zeromq-exception            | 181 ++++
 .../expat/expat/CVE-2023-52425-0001.patch     |  40 +
 .../expat/expat/CVE-2023-52425-0002.patch     |  87 ++
 .../expat/expat/CVE-2023-52425-0003.patch     | 222 +++++
 .../expat/expat/CVE-2023-52425-0004.patch     |  42 +
 .../expat/expat/CVE-2023-52425-0005.patch     |  69 ++
 .../expat/expat/CVE-2023-52425-0006.patch     |  67 ++
 .../expat/expat/CVE-2023-52425-0007.patch     | 159 +++
 .../expat/expat/CVE-2023-52425-0008.patch     |  95 ++
 .../expat/expat/CVE-2023-52425-0009.patch     |  52 +
 .../expat/expat/CVE-2023-52425-0010.patch     | 111 +++
 .../expat/expat/CVE-2023-52425-0011.patch     |  89 ++
 .../expat/expat/CVE-2023-52425-0012.patch     |  87 ++
 meta/recipes-core/expat/expat_2.5.0.bb        |  12 +
 meta/recipes-devtools/gcc/gcc-11.4.inc        |   1 +
 .../gcc/gcc/0031-gcc-sanitizers-fix.patch     |  63 ++
 ..._1.26.17.bb => python3-urllib3_1.26.18.bb} |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-6683.patch             |  92 ++
 .../xwayland/xwayland/CVE-2023-6816.patch     |  57 ++
 .../xwayland/xwayland/CVE-2024-0408.patch     |  65 ++
 .../xwayland/xwayland/CVE-2024-0409.patch     |  47 +
 .../xwayland/xwayland_22.1.8.bb               |   3 +
 .../libtiff/tiff/CVE-2023-52356.patch         |  54 +
 .../libtiff/tiff/CVE-2023-6277-1.patch        | 178 ++++
 .../libtiff/tiff/CVE-2023-6277-2.patch        | 151 +++
 .../libtiff/tiff/CVE-2023-6277-3.patch        |  46 +
 .../libtiff/tiff/CVE-2023-6277-4.patch        |  93 ++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   5 +
 .../curl/curl/CVE-2024-2398.patch             |  89 ++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 .../nghttp2/nghttp2/CVE-2023-44487.patch      | 927 ++++++++++++++++++
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |   1 +
 33 files changed, 3188 insertions(+), 1 deletion(-)
 create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
 rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch

-- 
2.34.1




* [OE-core][kirkstone 0/9] Patch review
@ 2024-06-22 11:57 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-06-22 11:57 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, June 25

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7065

The following changes since commit ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99:

  build-appliance-image: Update to kirkstone head revision (2024-06-01 19:12:27 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Changqing Li (1):
  man-pages: remove conflict pages

Deepthi Hemraj (1):
  glibc: stable 2.35 branch updates

Khem Raj (1):
  gobject-introspection: Do not hardcode objdump name

Peter Marko (1):
  glib-2.0: patch CVE-2024-34397

Siddharth (1):
  openssl: Upgrade 3.0.13 -> 3.0.14

Siddharth Doshi (1):
  libxml2: Security fix for CVE-2024-34459

Thomas Perrot (1):
  man-pages: add an alternative link name for crypt_r.3

Yogita Urade (2):
  acpica: fix CVE-2024-24856
  ruby: fix CVE-2024-27280

 .../openssl/openssl/CVE-2024-2511.patch       | 122 ---
 .../openssl/openssl/CVE-2024-4603.patch       | 180 ----
 .../{openssl_3.0.13.bb => openssl_3.0.14.bb}  |   4 +-
 .../glib-2.0/glib-2.0/CVE-2024-34397_01.patch | 129 +++
 .../glib-2.0/glib-2.0/CVE-2024-34397_02.patch |  62 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_03.patch | 985 ++++++++++++++++++
 .../glib-2.0/glib-2.0/CVE-2024-34397_04.patch | 253 +++++
 .../glib-2.0/glib-2.0/CVE-2024-34397_05.patch |  88 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_06.patch | 263 +++++
 .../glib-2.0/glib-2.0/CVE-2024-34397_07.patch |  45 +
 .../glib-2.0/glib-2.0/CVE-2024-34397_08.patch | 168 +++
 .../glib-2.0/glib-2.0/CVE-2024-34397_09.patch |  81 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_10.patch | 108 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_11.patch | 133 +++
 .../glib-2.0/glib-2.0/CVE-2024-34397_12.patch | 173 +++
 .../glib-2.0/glib-2.0/CVE-2024-34397_13.patch | 513 +++++++++
 .../glib-2.0/glib-2.0/CVE-2024-34397_14.patch |  75 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_15.patch |  47 +
 .../glib-2.0/glib-2.0/CVE-2024-34397_16.patch |  62 ++
 .../glib-2.0/glib-2.0/CVE-2024-34397_17.patch | 121 +++
 .../glib-2.0/glib-2.0/CVE-2024-34397_18.patch |  50 +
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |  18 +
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../libxml/libxml2/CVE-2024-34459.patch       |  30 +
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |   1 +
 .../ruby/ruby/CVE-2024-27280.patch            |  87 ++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../acpica/acpica/CVE-2024-24856.patch        |  33 +
 .../acpica/acpica_20211217.bb                 |   4 +-
 .../man-pages/man-pages_5.13.bb               |  12 +-
 .../gobject-introspection_1.72.0.bb           |   2 +-
 31 files changed, 3536 insertions(+), 316 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_02.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_03.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_04.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_05.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_06.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_07.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_08.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_09.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_10.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_11.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_12.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_13.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_14.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_15.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_16.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_17.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_18.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
 create mode 100644 meta/recipes-extended/acpica/acpica/CVE-2024-24856.patch

-- 
2.34.1




* [OE-core][kirkstone 0/9] Patch review
@ 2024-12-17 20:54 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-12-17 20:54 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 19

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/663

The following changes since commit b132b817f5931b290e5348dd4a17fbfdc5c6e2c4:

  dbus: disable assertions and enable only modular tests (2024-12-10 05:38:29 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alex Kiernan (1):
  base-passwd: Add the sgx group

Alexandre Belloni (1):
  base-passwd: fix patchreview warning

Ernst Persson (1):
  package.bbclass: Use shlex instead of deprecated pipes

Jiaying Song (1):
  subversion: fix CVE-2024-46901

Louis Rannou (1):
  base-passwd: add the wheel group

Peter Kjellerstedt (3):
  base-passwd: Regenerate the patches
  base-passwd: Update to 3.5.52
  base-passwd: Update the status for two patches

Yogita Urade (1):
  xserver-xorg: fix CVE-2024-9632

 meta/classes/package.bbclass                  |   4 +-
 .../0001-Add-a-shutdown-group.patch           |  26 +++
 .../0001-base-passwd-Add-the-sgx-group.patch  |  30 ++++
 ...nstead-of-bin-bash-for-the-root-user.patch |  23 +++
 ...t-since-we-do-not-have-an-etc-shadow.patch |  21 +++
 ...put-group-for-the-dev-input-devices.patch} |  17 +-
 .../{kvm.patch => 0005-Add-kvm-group.patch}   |   2 +-
 ...ble-to-build-without-debconf-support.patch | 129 ++++++++++++++
 ...-to-disable-the-generation-of-the-do.patch |  46 +++++
 .../base-passwd/0008-Add-wheel-group.patch    |  20 +++
 .../base-passwd/add_shutdown.patch            |  19 ---
 .../base-passwd/disable-docs.patch            |  24 ---
 .../base-passwd/disable-shell.patch           |  57 -------
 .../base-passwd/base-passwd/nobash.patch      |  15 --
 .../base-passwd/base-passwd/noshadow.patch    |  14 --
 ...passwd_3.5.29.bb => base-passwd_3.5.52.bb} |  30 ++--
 .../subversion/CVE-2024-46901.patch           | 161 ++++++++++++++++++
 .../subversion/subversion_1.14.2.bb           |   3 +-
 .../xserver-xorg/CVE-2024-9632.patch          |  58 +++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   1 +
 20 files changed, 547 insertions(+), 153 deletions(-)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch
 rename meta/recipes-core/base-passwd/base-passwd/{input.patch => 0004-Add-an-input-group-for-the-dev-input-devices.patch} (42%)
 rename meta/recipes-core/base-passwd/base-passwd/{kvm.patch => 0005-Add-kvm-group.patch} (88%)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0006-Make-it-possible-to-build-without-debconf-support.patch
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0007-Make-it-possible-to-disable-the-generation-of-the-do.patch
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0008-Add-wheel-group.patch
 delete mode 100644 meta/recipes-core/base-passwd/base-passwd/add_shutdown.patch
 delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-docs.patch
 delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
 delete mode 100644 meta/recipes-core/base-passwd/base-passwd/nobash.patch
 delete mode 100644 meta/recipes-core/base-passwd/base-passwd/noshadow.patch
 rename meta/recipes-core/base-passwd/{base-passwd_3.5.29.bb => base-passwd_3.5.52.bb} (79%)
 create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2024-46901.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-9632.patch

-- 
2.34.1




* [OE-core][kirkstone 0/9] Patch review
@ 2025-07-04 15:28 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1949

The following changes since commit 75e54301c5076eb0454aee33c870adf078f563fd:

  build-appliance-image: Update to kirkstone head revision (2025-06-27 08:10:04 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (6):
  xwayland: fix CVE-2025-49175
  xwayland: fix CVE-2025-49176
  xwayland: fix CVE-2025-49177
  xwayland: fix CVE-2025-49178
  xwayland: fix CVE-2025-49178
  xwayland: fix CVE-2025-49180

Chen Qi (1):
  systemd: backport patches to fix CVE-2025-4598

Colin Pinnell McAllister (1):
  libarchive: Fix CVE-2025-5914

Yogita Urade (1):
  python3-urllib3: fix CVE-2025-50181

 .../systemd/systemd/CVE-2025-4598-0001.patch  |  92 ++++++++
 .../systemd/systemd/CVE-2025-4598-0002.patch  | 106 +++++++++
 .../systemd/systemd/CVE-2025-4598-0003.patch  | 144 ++++++++++++
 .../systemd/systemd/CVE-2025-4598-0004.patch  |  36 +++
 meta/recipes-core/systemd/systemd_250.14.bb   |   4 +
 .../python3-urllib3/CVE-2025-50181.patch      | 214 ++++++++++++++++++
 .../python/python3-urllib3_1.26.18.bb         |   4 +
 .../libarchive/libarchive/CVE-2025-5914.patch |  46 ++++
 .../libarchive/libarchive_3.6.2.bb            |   1 +
 .../xwayland/xwayland/CVE-2025-49175.patch    |  92 ++++++++
 .../xwayland/CVE-2025-49176-0001.patch        |  93 ++++++++
 .../xwayland/CVE-2025-49176-0002.patch        |  38 ++++
 .../xwayland/xwayland/CVE-2025-49177.patch    |  55 +++++
 .../xwayland/xwayland/CVE-2025-49178.patch    |  50 ++++
 .../xwayland/xwayland/CVE-2025-49179.patch    |  69 ++++++
 .../xwayland/xwayland/CVE-2025-49180.patch    |  45 ++++
 .../xwayland/xwayland_22.1.8.bb               |   7 +
 17 files changed, 1096 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch

-- 
2.43.0



^ permalink raw reply	[flat|nested] 22+ messages in thread

* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-19 20:49 Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 1/9] systemd: Fix manpage build after CVE-2025-4598 Steve Sakoman
                   ` (8 more replies)
  0 siblings, 9 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, August 21.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2236

The following changes since commit 3d1c037a7cb7858a4e3c33a94f5d343a81aac5f7:

  go-helloworld: fix license (2025-08-12 09:57:24 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Dan McGregor (1):
  systemd: Fix manpage build after CVE-2025-4598

Hitendra Prajapati (3):
  gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808
  gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219
  git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835

Peter Marko (1):
  glib-2.0: ignore CVE-2025-4056

Vijay Anusuri (3):
  xserver-xorg: Fix for CVE-2025-49175
  xserver-xorg: Fix for CVE-2025-49176
  xserver-xorg: Fix for CVE-2025-49177

Youngseok Jeong (1):
  libubootenv: backport patch to fix unknown type name 'size_t'

 ...-Include-cstddef-in-the-header-for-C.patch |   27 +
 meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb  |    6 +-
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |    3 +
 .../systemd/systemd/CVE-2025-4598-0003.patch  |    7 +-
 ...-27613-CVE-2025-46334-CVE-2025-46835.patch | 2500 +++++++++++++++++
 meta/recipes-devtools/git/git_2.35.7.bb       |    1 +
 .../xserver-xorg/CVE-2025-49175.patch         |   91 +
 .../xserver-xorg/CVE-2025-49176-1.patch       |   92 +
 .../xserver-xorg/CVE-2025-49176-2.patch       |   37 +
 .../xserver-xorg/CVE-2025-49177.patch         |   54 +
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |    4 +
 .../CVE-2025-47806.patch                      |   50 +
 .../CVE-2025-47808.patch                      |   36 +
 .../gstreamer1.0-plugins-base_1.20.7.bb       |    2 +
 .../CVE-2025-47183-001.patch                  |  151 +
 .../CVE-2025-47183-002.patch                  |   80 +
 .../CVE-2025-47219.patch                      |   40 +
 .../gstreamer1.0-plugins-good_1.20.7.bb       |    3 +
 18 files changed, 3179 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch

-- 
2.43.0




* [OE-core][kirkstone 1/9] systemd: Fix manpage build after CVE-2025-4598
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 2/9] gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808 Steve Sakoman
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Dan McGregor <daniel.mcgregor@vecima.com>

The previous fix missed another cherry-pick that fixed building
manpages after the coredump patch. The version-info.xml file doesn't
exist in 250. It was introduced later, so remove the reference to
it.

Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
index 737121af12..a3337b9108 100644
--- a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
+++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
@@ -33,16 +33,16 @@ Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/2eb4
 
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
- man/systemd-coredump.xml     | 12 ++++++++++++
+ man/systemd-coredump.xml     | 11 +++++++++++
  src/coredump/coredump.c      | 21 ++++++++++++++++++---
  sysctl.d/50-coredump.conf.in |  2 +-
- 3 files changed, 31 insertions(+), 4 deletions(-)
+ 3 files changed, 30 insertions(+), 4 deletions(-)
 
 diff --git a/man/systemd-coredump.xml b/man/systemd-coredump.xml
 index cb9f47745b..ba7cad12bc 100644
 --- a/man/systemd-coredump.xml
 +++ b/man/systemd-coredump.xml
-@@ -259,6 +259,18 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst
+@@ -259,6 +259,17 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst
          </listitem>
        </varlistentry>
  
@@ -54,7 +54,6 @@ index cb9f47745b..ba7cad12bc 100644
 +        project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
 +        </para>
 +
-+        <xi:include href="version-info.xml" xpointer="v258"/>
 +        </listitem>
 +      </varlistentry>
 +
-- 
2.43.0




* [OE-core][kirkstone 2/9] gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 1/9] systemd: Fix manpage build after CVE-2025-4598 Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 3/9] gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219 Steve Sakoman
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Backport fixes for:

* CVE-2025-47806 - Upstream-Status: Backport from  https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d
* CVE-2025-47808 - Upstream-Status: Backport from  https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6b19f117518a765a25c99d1c4b09f2838a8ed0c9

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2025-47806.patch                      | 50 +++++++++++++++++++
 .../CVE-2025-47808.patch                      | 36 +++++++++++++
 .../gstreamer1.0-plugins-base_1.20.7.bb       |  2 +
 3 files changed, 88 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
new file mode 100644
index 0000000000..530d579231
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
@@ -0,0 +1,50 @@
+From da4380c4df0e00f8d0bad569927bfc7ea35ec37d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 12:46:40 +0300
+Subject: [PATCH] subparse: Make sure that subrip time string is not too long
+ before zero-padding
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419
+Fixes CVE-2025-47806
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9135>
+
+CVE: CVE-2025-47806
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/subparse/gstsubparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
+index 1d8fa51..81a7f65 100644
+--- a/gst/subparse/gstsubparse.c
++++ b/gst/subparse/gstsubparse.c
+@@ -850,7 +850,7 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
+   g_strdelimit (s, " ", '0');
+   g_strdelimit (s, ".", ',');
+ 
+-  /* make sure we have exactly three digits after he comma */
++  /* make sure we have exactly three digits after the comma */
+   p = strchr (s, ',');
+   if (p == NULL) {
+     /* If there isn't a ',' the timestamp is broken */
+@@ -859,6 +859,15 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
+     return FALSE;
+   }
+ 
++  /* Check if the comma is too far into the string to avoid
++   * stack overflow when zero-padding the sub-second part.
++   *
++   * Allow for 3 digits of hours just in case. */
++  if ((p - s) > sizeof ("hhh:mm:ss,")) {
++    GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
++    return FALSE;
++  }
++
+   ++p;
+   len = strlen (p);
+   if (len > 3) {
+-- 
+2.50.1
+
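Review bot: in the new bound `(p - s) > sizeof ("hhh:mm:ss,")`, sizeof counts the terminating NUL, so a comma at offset 10 or 11 still passes rather than only up to offset 9 as the `hhh:mm:ss,` template suggests; that is the upstream choice and only matters if the zero-padding buffer in this version is sized tighter than upstream's, so confirm the 1.20.7 `parse_subrip_time` buffer matches before merging. `p - s` is a ptrdiff_t compared against a size_t, which -Wsign-compare will flag, but it is harmless here because `p` comes from `strchr (s, ',')` and cannot precede `s`.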
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
new file mode 100644
index 0000000000..5b9fefc321
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
@@ -0,0 +1,36 @@
+From 6b19f117518a765a25c99d1c4b09f2838a8ed0c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:04:52 +0300
+Subject: [PATCH] tmplayer: Don't append NULL + 1 to the string buffer when
+ parsing lines without text
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4417
+Fixes CVE-2025-47808
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9132>
+
+CVE: CVE-2025-47808
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6b19f117518a765a25c99d1c4b09f2838a8ed0c9]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/subparse/tmplayerparse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gst/subparse/tmplayerparse.c b/gst/subparse/tmplayerparse.c
+index 807e332..a9225d3 100644
+--- a/gst/subparse/tmplayerparse.c
++++ b/gst/subparse/tmplayerparse.c
+@@ -125,7 +125,9 @@ tmplayer_parse_line (ParserState * state, const gchar * line, guint line_num)
+        * durations from the start times anyway, so as long as the parser just
+        * forwards state->start_time by duration after it pushes the line we
+        * are about to return it will all be good. */
+-      g_string_append (state->buf, text_start + 1);
++      if (text_start) {
++        g_string_append (state->buf, text_start + 1);
++      }
+     } else if (line_num > 0) {
+       GST_WARNING ("end of subtitle unit but no valid start time?!");
+     }
+-- 
+2.50.1
+
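Review bot: the `if (text_start)` guard fixes the `NULL + 1` append, but when `text_start` is NULL the line's text is now silently dropped while the neighbouring `else if (line_num > 0)` branch emits a GST_WARNING; consider a matching warning in the new branch so malformed input stays visible in logs. Otherwise a straight cherry-pick with the CVE tag and Upstream-Status in order.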
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
index fc9afff628..05d58e83b0 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
@@ -20,6 +20,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
            file://CVE-2024-47615-1.patch \
            file://CVE-2024-47615-2.patch \
            file://CVE-2024-47835.patch \
+           file://CVE-2025-47806.patch \
+           file://CVE-2025-47808.patch \
            "
 SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"
 
-- 
2.43.0




* [OE-core][kirkstone 3/9] gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 1/9] systemd: Fix manpage build after CVE-2025-4598 Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 2/9] gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808 Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 4/9] xserver-xorg: Fix for CVE-2025-49175 Steve Sakoman
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

* CVE-2025-47183 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c4d0f4bbd9a8e97f119a4528b9f4662a6b80922c && https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332
* CVE-2025-47219 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2025-47183-001.patch                  | 151 ++++++++++++++++++
 .../CVE-2025-47183-002.patch                  |  80 ++++++++++
 .../CVE-2025-47219.patch                      |  40 +++++
 .../gstreamer1.0-plugins-good_1.20.7.bb       |   3 +
 4 files changed, 274 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
new file mode 100644
index 0000000000..93c3b36d20
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
@@ -0,0 +1,151 @@
+From c4d0f4bbd9a8e97f119a4528b9f4662a6b80922c Mon Sep 17 00:00:00 2001
+From: Jochen Henneberg <jochen@centricular.com>
+Date: Tue, 10 Dec 2024 21:34:48 +0100
+Subject: [PATCH] qtdemux: Use mvhd transform matrix and support for flipping
+
+The mvhd matrix is now combined with the tkhd matrix. The combined
+matrix is then checked if it matches one of the standard values for
+GST_TAG_IMAGE_ORIENTATION.
+This check now includes matrices with flipping.
+
+Fixes #4064
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8127.
+
+CVE: CVE-2025-47183
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c4d0f4bbd9a8e97f119a4528b9f4662a6b80922c]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/isomp4/qtdemux.c | 53 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index bacf7d5..a5b28f5 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -10555,6 +10555,23 @@ qtdemux_parse_transformation_matrix (GstQTDemux * qtdemux,
+   return TRUE;
+ }
+ 
++static void
++qtdemux_mul_transformation_matrix (GstQTDemux * qtdemux,
++    guint32 * a, guint32 * b, guint32 * c)
++{
++#define QTMUL_MATRIX(_a,_b) (((_a) == 0 || (_b) == 0) ? 0 : \
++      ((_a) == (_b) ? 1 : -1))
++#define QTADD_MATRIX(_a,_b) ((_a) + (_b) > 0 ? (1U << 16) : \
++      ((_a) + (_b) < 0) ? (G_MAXUINT16 << 16) : 0u)
++
++  c[2] = c[5] = c[6] = c[7] = 0;
++  c[0] = QTADD_MATRIX (QTMUL_MATRIX (a[0], b[0]), QTMUL_MATRIX (a[1], b[3]));
++  c[1] = QTADD_MATRIX (QTMUL_MATRIX (a[0], b[1]), QTMUL_MATRIX (a[1], b[4]));
++  c[3] = QTADD_MATRIX (QTMUL_MATRIX (a[3], b[0]), QTMUL_MATRIX (a[4], b[3]));
++  c[4] = QTADD_MATRIX (QTMUL_MATRIX (a[3], b[1]), QTMUL_MATRIX (a[4], b[4]));
++  c[8] = a[8];
++}
++
+ static void
+ qtdemux_inspect_transformation_matrix (GstQTDemux * qtdemux,
+     QtDemuxStream * stream, guint32 * matrix, GstTagList ** taglist)
+@@ -10583,6 +10600,14 @@ qtdemux_inspect_transformation_matrix (GstQTDemux * qtdemux,
+       rotation_tag = "rotate-180";
+     } else if (QTCHECK_MATRIX (matrix, 0, G_MAXUINT16, 1, 0)) {
+       rotation_tag = "rotate-270";
++    } else if (QTCHECK_MATRIX (matrix, G_MAXUINT16, 0, 0, 1)) {
++      rotation_tag = "flip-rotate-0";
++    } else if (QTCHECK_MATRIX (matrix, 0, G_MAXUINT16, 1, 0)) {
++      rotation_tag = "flip-rotate-90";
++    } else if (QTCHECK_MATRIX (matrix, 1, 0, 0, G_MAXUINT16)) {
++      rotation_tag = "flip-rotate-180";
++    } else if (QTCHECK_MATRIX (matrix, 0, 1, 1, 0)) {
++      rotation_tag = "flip-rotate-270";
+     } else {
+       GST_FIXME_OBJECT (qtdemux, "Unhandled transformation matrix values");
+     }
+@@ -10869,7 +10894,7 @@ qtdemux_parse_stereo_svmi_atom (GstQTDemux * qtdemux, QtDemuxStream * stream,
+  * traks that do not decode to something (like strm traks) will not have a pad.
+  */
+ static gboolean
+-qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
++qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
+ {
+   GstByteReader tkhd;
+   int offset;
+@@ -11041,15 +11066,21 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ 
+   /* parse rest of tkhd */
+   if (stream->subtype == FOURCC_vide) {
++    guint32 tkhd_matrix[9];
+     guint32 matrix[9];
+ 
+     /* version 1 uses some 64-bit ints */
+     if (!gst_byte_reader_skip (&tkhd, 20 + value_size))
+       goto corrupt_file;
+ 
+-    if (!qtdemux_parse_transformation_matrix (qtdemux, &tkhd, matrix, "tkhd"))
++    if (!qtdemux_parse_transformation_matrix (qtdemux, &tkhd, tkhd_matrix,
++            "tkhd"))
+       goto corrupt_file;
+ 
++    /* calculate the final matrix from the mvhd_matrix and the tkhd matrix */
++    qtdemux_mul_transformation_matrix (qtdemux, mvhd_matrix, tkhd_matrix,
++        matrix);
++
+     if (!gst_byte_reader_get_uint32_be (&tkhd, &w)
+         || !gst_byte_reader_get_uint32_be (&tkhd, &h))
+       goto corrupt_file;
+@@ -13800,11 +13831,14 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+   guint64 creation_time;
+   GstDateTime *datetime = NULL;
+   gint version;
++  GstByteReader mvhd_reader;
++  guint32 matrix[9];
+ 
+   /* make sure we have a usable taglist */
+   qtdemux->tag_list = gst_tag_list_make_writable (qtdemux->tag_list);
+ 
+-  mvhd = qtdemux_tree_get_child_by_type (qtdemux->moov_node, FOURCC_mvhd);
++  mvhd = qtdemux_tree_get_child_by_type_full (qtdemux->moov_node,
++      FOURCC_mvhd, &mvhd_reader);
+   if (mvhd == NULL) {
+     GST_LOG_OBJECT (qtdemux, "No mvhd node found, looking for redirects.");
+     return qtdemux_parse_redirects (qtdemux);
+@@ -13815,15 +13849,26 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+     creation_time = QT_UINT64 ((guint8 *) mvhd->data + 12);
+     qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 28);
+     qtdemux->duration = QT_UINT64 ((guint8 *) mvhd->data + 32);
++    if (!gst_byte_reader_skip (&mvhd_reader, 4 + 8 + 8 + 4 + 8))
++      return FALSE;
+   } else if (version == 0) {
+     creation_time = QT_UINT32 ((guint8 *) mvhd->data + 12);
+     qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 20);
+     qtdemux->duration = QT_UINT32 ((guint8 *) mvhd->data + 24);
++    if (!gst_byte_reader_skip (&mvhd_reader, 4 + 4 + 4 + 4 + 4))
++      return FALSE;
+   } else {
+     GST_WARNING_OBJECT (qtdemux, "Unhandled mvhd version %d", version);
+     return FALSE;
+   }
+ 
++  if (!gst_byte_reader_skip (&mvhd_reader, 4 + 2 + 2 + 2 * 4))
++    return FALSE;
++
++  if (!qtdemux_parse_transformation_matrix (qtdemux, &mvhd_reader, matrix,
++          "mvhd"))
++    return FALSE;
++
+   /* Moving qt creation time (secs since 1904) to unix time */
+   if (creation_time != 0) {
+     /* Try to use epoch first as it should be faster and more commonly found */
+@@ -13892,7 +13937,7 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+   /* parse all traks */
+   trak = qtdemux_tree_get_child_by_type (qtdemux->moov_node, FOURCC_trak);
+   while (trak) {
+-    qtdemux_parse_trak (qtdemux, trak);
++    qtdemux_parse_trak (qtdemux, trak, matrix);
+     /* iterate all siblings */
+     trak = qtdemux_tree_get_sibling_by_type (trak, FOURCC_trak);
+   }
+-- 
+2.50.1
+
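Review bot: in `qtdemux_inspect_transformation_matrix`, the new `flip-rotate-90` branch tests `QTCHECK_MATRIX (matrix, 0, G_MAXUINT16, 1, 0)`, which is identical to the existing `rotate-270` test two branches above, so the `flip-rotate-90` branch is unreachable and a flipped 90-degree matrix falls through to `GST_FIXME_OBJECT`; check what upstream currently carries for this case and whether a follow-up exists before backporting as-is. The hunk also changes the `qtdemux_parse_trak` signature to take `mvhd_matrix` and updates only the caller in `qtdemux_parse_tree`; confirm no other caller exists in 1.20.7 or the build will fail.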
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
new file mode 100644
index 0000000000..a33a3354ee
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
@@ -0,0 +1,80 @@
+From d76cae74dad89994bfcdad83da6ef1ad69074332 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 29 Apr 2025 09:43:58 +0300
+Subject: [PATCH] qtdemux: Use byte reader to parse mvhd box
+
+This avoids OOB reads.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4394
+Fixes CVE-2025-47183
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9133>
+
+CVE: CVE-2025-47183
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/isomp4/qtdemux.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index a5b28f5..9844ac2 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -13830,7 +13830,7 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+   GNode *pssh;
+   guint64 creation_time;
+   GstDateTime *datetime = NULL;
+-  gint version;
++  guint8 version;
+   GstByteReader mvhd_reader;
+   guint32 matrix[9];
+ 
+@@ -13844,19 +13844,35 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+     return qtdemux_parse_redirects (qtdemux);
+   }
+ 
+-  version = QT_UINT8 ((guint8 *) mvhd->data + 8);
++  if (!gst_byte_reader_get_uint8 (&mvhd_reader, &version))
++    return FALSE;
++  /* flags */
++  if (!gst_byte_reader_skip (&mvhd_reader, 3))
++    return FALSE;
+   if (version == 1) {
+-    creation_time = QT_UINT64 ((guint8 *) mvhd->data + 12);
+-    qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 28);
+-    qtdemux->duration = QT_UINT64 ((guint8 *) mvhd->data + 32);
+-    if (!gst_byte_reader_skip (&mvhd_reader, 4 + 8 + 8 + 4 + 8))
++    if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &creation_time))
++      return FALSE;
++    /* modification time */
++    if (!gst_byte_reader_skip (&mvhd_reader, 8))
++      return FALSE;
++    if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++      return FALSE;
++    if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &qtdemux->duration))
+       return FALSE;
+   } else if (version == 0) {
+-    creation_time = QT_UINT32 ((guint8 *) mvhd->data + 12);
+-    qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 20);
+-    qtdemux->duration = QT_UINT32 ((guint8 *) mvhd->data + 24);
+-    if (!gst_byte_reader_skip (&mvhd_reader, 4 + 4 + 4 + 4 + 4))
++    guint32 tmp;
++
++    if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
++      return FALSE;
++    creation_time = tmp;
++    /* modification time */
++    if (!gst_byte_reader_skip (&mvhd_reader, 4))
++      return FALSE;
++    if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++      return FALSE;
++    if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
+       return FALSE;
++    qtdemux->duration = tmp;
+   } else {
+     GST_WARNING_OBJECT (qtdemux, "Unhandled mvhd version %d", version);
+     return FALSE;
+-- 
+2.50.1
+
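Review bot: this is the actual OOB-read fix: the version byte, creation time, timescale and duration are now read through the bounds-checked `GstByteReader` instead of raw `mvhd->data` offsets, and `version` becomes `guint8` so the later `%d` format still works via integer promotion. It applies on top of CVE-2025-47183-001 (its `index a5b28f5` is 001's post-image), so the two must stay in this order and 001 cannot be dropped without reworking this hunk.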
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch
new file mode 100644
index 0000000000..7e77a02642
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch
@@ -0,0 +1,40 @@
+From b80803943388050cb870c95934fc52feeffb94ac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Sat, 3 May 2025 09:43:32 +0300
+Subject: [PATCH] qtdemux: Check if enough bytes are available for each stsd
+ entry
+
+There must be at least 8 bytes for the length / fourcc of each entry. After
+reading those, the length is already validated against the remaining available
+bytes.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4407
+Fixes CVE-2025-47219
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9137>
+
+CVE: CVE-2025-47219
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/isomp4/qtdemux.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 9844ac2..0a88fb9 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -11124,6 +11124,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
+     gchar *codec = NULL;
+     QtDemuxStreamStsdEntry *entry = &stream->stsd_entries[stsd_index];
+ 
++    /* needs at least length and fourcc */
++    if (remaining_stsd_len < 8)
++      goto corrupt_file;
++
+     /* and that entry should fit within stsd */
+     len = QT_UINT32 (stsd_entry_data);
+     if (len > remaining_stsd_len)
+-- 
+2.50.1
+
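Review bot: the new `remaining_stsd_len < 8` check guarantees the length and fourcc fields can be read, and the existing `len > remaining_stsd_len` test bounds the entry against the remaining data; the visible lines show no check that `len >= 8`, so an entry declaring a length smaller than its own header would still be accepted at this point. Confirm the code below the hunk in 1.20.7 rejects that case.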
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
index e82473086e..197b070893 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -37,6 +37,9 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
            file://CVE-2024-47775_47776_47777_47778-5.patch \
            file://CVE-2024-47775_47776_47777_47778-6.patch \
            file://CVE-2024-47775_47776_47777_47778-7.patch \
+           file://CVE-2025-47183-001.patch \
+           file://CVE-2025-47183-002.patch \
+           file://CVE-2025-47219.patch \
            "
 
 SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"
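Review bot: the three patches chain on each other (`index bacf7d5..a5b28f5`, `a5b28f5..9844ac2`, `9844ac2..0a88fb9`), so the SRC_URI order `CVE-2025-47183-001`, `CVE-2025-47183-002`, `CVE-2025-47219` must be kept; a reorder or partial revert will break `do_patch`.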
-- 
2.43.0




* [OE-core][kirkstone 4/9] xserver-xorg: Fix for CVE-2025-49175
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2025-08-19 20:49 ` [OE-core][kirkstone 3/9] gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219 Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 5/9] xserver-xorg: Fix for CVE-2025-49176 Steve Sakoman
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2025-49175.patch         | 91 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  1 +
 2 files changed, 92 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
new file mode 100644
index 0000000000..2f56a8f6b9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
@@ -0,0 +1,91 @@
+From 0885e0b26225c90534642fe911632ec0779eebee Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ |    at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |  Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ |    at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ |    by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ |    at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ |    by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ |    by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ |    by 0x4A1E9D: Dispatch (dispatch.c:560)
+ |    by 0x4B0169: dix_main (main.c:284)
+ |    by 0x4287F5: main (stubmain.c:34)
+ |  Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee]
+CVE: CVE-2025-49175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ render/animcur.c | 3 +++
+ render/render.c  | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index f906cd8130..1194cee7e7 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -305,6 +305,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+     int rc = BadAlloc, i;
+     AnimCurPtr ac;
+ 
++    if (ncursor <= 0)
++        return BadValue;
++
+     for (i = 0; i < screenInfo.numScreens; i++)
+         if (!GetAnimCurScreen(screenInfo.screens[i]))
+             return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 113f6e0c5a..fe9f03c8c8 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1799,6 +1799,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+     ncursor =
+         (client->req_len -
+          (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++    if (ncursor <= 0)
++        return BadValue;
+     cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+     if (!cursors)
+         return BadAlloc;
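Review bot: the new `ncursor <= 0` check stops the zero-cursor request that produced the size-0 reallocarray in the report, but the `>> 1` on the preceding line still silently discards an odd trailing CARD32: a body of 2n+1 words gives ncursor == n and the stray word is ignored rather than rejected. If the request body must consist of cursor/delta pairs, also return BadLength when `(client->req_len - bytes_to_int32(sizeof(xRenderCreateAnimCursorReq))) & 1` is set, so a malformed request fails loudly instead of being partially accepted.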
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 6790eb0921..565489a926 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -36,6 +36,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2025-26601-3.patch \
            file://CVE-2025-26601-4.patch \
            file://CVE-2022-49737.patch \
+           file://CVE-2025-49175.patch \
            "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
 
-- 
2.43.0




* [OE-core][kirkstone 5/9] xserver-xorg: Fix for CVE-2025-49176
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9
& https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2025-49176-1.patch       | 92 +++++++++++++++++++
 .../xserver-xorg/CVE-2025-49176-2.patch       | 37 ++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  2 +
 3 files changed, 131 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
new file mode 100644
index 0000000000..24c0156540
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
@@ -0,0 +1,92 @@
+From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9]
+CVE: CVE-2025-49176
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c        | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index b3e5feacc2..2308cfe6d1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -527,9 +527,10 @@ Dispatch(void)
+ 
+                 /* now, finally, deal with client requests */
+                 result = ReadRequestFromClient(client);
+-                if (result <= 0) {
+-                    if (result < 0)
+-                        CloseDownClient(client);
++                if (result == 0)
++                    break;
++                else if (result == -1) {
++                    CloseDownClient(client);
+                     break;
+                 }
+ 
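Review bot: the rewritten branch closes the client only when `result == -1`; every other negative value now falls through to the dispatch code below instead of closing the connection. That is exactly what the new `-(BadLength)` return depends on, but it also turns every existing error return in ReadRequestFromClient into a contract that it is exactly -1 rather than merely negative. Please confirm that no other `< 0` return exists in os/io.c, otherwise a client that used to be dropped will instead be dispatched with a bogus request buffer.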
+@@ -550,7 +551,7 @@ Dispatch(void)
+                                           client->index,
+                                           client->requestBuffer);
+ #endif
+-                if (result > (maxBigRequestSize << 2))
++                if (result < 0 || result > (maxBigRequestSize << 2))
+                     result = BadLength;
+                 else {
+                     result = XaceHookDispatch(client, client->majorOp);
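Review bot: `result < 0` folds every negative return into BadLength regardless of which error code ReadRequestFromClient encoded, so the `-(BadLength)` convention introduced in os/io.c works here only because BadLength is the single code in use. If negative returns are meant to carry an X error code, `result = -result` for the negative case would honour it; if not, a comment stating that any negative value means BadLength would document the contract for the next person touching either file.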
+diff --git a/os/io.c b/os/io.c
+index 1fffaf62c7..3e39c10e6f 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -300,6 +300,10 @@ ReadRequestFromClient(ClientPtr client)
+                 needed = get_big_req_len(request, client);
+         }
+         client->req_len = needed;
++        if (needed > MAXINT >> 2) {
++            /* Check for potential integer overflow */
++            return -(BadLength);
++        }
+         needed <<= 2;           /* needed is in bytes now */
+     }
+     if (gotnow < needed) {
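Review bot: `client->req_len = needed` is stored before the overflow check, so after the early `return -(BadLength)` the client still carries the rejected length in req_len; moving the check above that assignment avoids leaving state behind for a request that will never be dispatched. Separately, if `needed` and get_big_req_len() are plain int, a BigRequest length field with the top bit set is already negative by the time it reaches `needed > MAXINT >> 2`, so the comparison does not fire and the following `needed <<= 2` is a left shift of a negative value, which is undefined in C. Comparing the raw CARD32 length, or `(unsigned) needed`, closes that gap.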
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
new file mode 100644
index 0000000000..6476af9a85
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
@@ -0,0 +1,37 @@
+From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1]
+CVE: CVE-2025-49176 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index e7b76b9cea..167b40a720 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
+                     needed = get_big_req_len(request, client);
+             }
+             client->req_len = needed;
++            if (needed > MAXINT >> 2)
++                return -(BadLength);
+             needed <<= 2;
+         }
+         if (gotnow < needed) {
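Review bot: this is the second copy of `needed > MAXINT >> 2` in ReadRequestFromClient (the first is in CVE-2025-49176-1.patch), this time without the comment explaining what it guards. A small static inline helper that performs the comparison and returns -(BadLength) would keep the two sites from drifting apart, and the same caveat applies here: if `needed` is a signed int, a length that is already negative after conversion from the 32-bit field passes this test and is then shifted.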
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 565489a926..6013d0e53c 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -37,6 +37,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2025-26601-4.patch \
            file://CVE-2022-49737.patch \
            file://CVE-2025-49175.patch \
+           file://CVE-2025-49176-1.patch \
+           file://CVE-2025-49176-2.patch \
            "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
 
-- 
2.43.0




* [OE-core][kirkstone 6/9] xserver-xorg: Fix for CVE-2025-49177
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2025-49177.patch         | 54 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
new file mode 100644
index 0000000000..d71d97d3c2
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
@@ -0,0 +1,54 @@
+From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:05:36 +0200
+Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode
+
+The handler of XFixesSetClientDisconnectMode does not check the client
+request length.
+
+A client could send a shorter request and read data from a former
+request.
+
+Fix the issue by checking the request size matches.
+
+CVE-2025-49177
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af]
+CVE: CVE-2025-49177
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 7793272..209e3d8 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+     ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+ 
+     REQUEST(xXFixesSetClientDisconnectModeReq);
++    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+ 
+     pDisconnect->disconnect_mode = stuff->disconnect_mode;
+ 
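Review bot: REQUEST_SIZE_MATCH sits after REQUEST() and before the first `stuff->disconnect_mode` read, which is the right place, but `GetClientDisconnect(client)` in the declaration above still runs before the length is validated. That call only performs a lookup, so nothing is read from the short request, yet the usual xserver pattern is REQUEST followed immediately by the size check; initialising pDisconnect after the check would keep the handler uniform with the others and make the fix easier to audit.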
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+ 
+     swaps(&stuff->length);
+ 
+-    REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++    REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+ 
+     swapl(&stuff->disconnect_mode);
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index 6013d0e53c..1fceec89f7 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -39,6 +39,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2025-49175.patch \
            file://CVE-2025-49176-1.patch \
            file://CVE-2025-49176-2.patch \
+           file://CVE-2025-49177.patch \
            "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
 
-- 
2.43.0




* [OE-core][kirkstone 7/9] git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://github.com/git/git/commit/d61cfed2c23705fbeb9c0d08f59e75ee08738950

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-27613-CVE-2025-46334-CVE-2025-46835.patch | 2500 +++++++++++++++++
 meta/recipes-devtools/git/git_2.35.7.bb       |    1 +
 2 files changed, 2501 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch b/meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
new file mode 100644
index 0000000000..e08bf41b3c
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
@@ -0,0 +1,2500 @@
+From: d61cfed2c23705fbeb9c0d08f59e75ee08738950 Merge: 664d4fa692 311d9ada3a
+Author: Taylor Blau <me@ttaylorr.com>
+Date:   Fri May 23 17:17:06 2025 -0400
+
+    Merge branch 'js/gitk-git-gui-harden-exec-open' into maint-2.43
+
+    This merges in fixes for CVE-2025-27614, CVE-2025-27613, CVE-2025-46334,
+    and CVE-2025-46835 targeting Gitk and Git GUI.
+
+    * js/gitk-git-gui-harden-exec-open: (41 commits)
+      git-gui: sanitize 'exec' arguments: convert new 'cygpath' calls
+      git-gui: do not mistake command arguments as redirection operators
+      git-gui: introduce function git_redir for git calls with redirections
+      git-gui: pass redirections as separate argument to git_read
+      git-gui: pass redirections as separate argument to _open_stdout_stderr
+      git-gui: convert git_read*, git_write to be non-variadic
+      git-gui: override exec and open only on Windows
+      gitk: sanitize 'open' arguments: revisit recently updated 'open' calls
+      git-gui: use git_read in githook_read
+      git-gui: sanitize $PATH on all platforms
+      git-gui: break out a separate function git_read_nice
+      git-gui: assure PATH has only absolute elements.
+      git-gui: remove option --stderr from git_read
+      git-gui: cleanup git-bash menu item
+      git-gui: sanitize 'exec' arguments: background
+      git-gui: avoid auto_execok in do_windows_shortcut
+      git-gui: sanitize 'exec' arguments: simple cases
+      git-gui: avoid auto_execok for git-bash menu item
+      git-gui: treat file names beginning with "|" as relative paths
+      git-gui: remove unused proc is_shellscript
+      git-gui: remove git config --list handling for git < 1.5.3
+      git-gui: remove special treatment of Windows from open_cmd_pipe
+      git-gui: remove HEAD detachment implementation for git < 1.5.3
+      git-gui: use only the configured shell
+      git-gui: remove Tcl 8.4 workaround on 2>@1 redirection
+      git-gui: make _shellpath usable on startup
+      git-gui: use [is_Windows], not bad _shellpath
+      git-gui: _which, only add .exe suffix if not present
+      gitk: encode arguments correctly with "open"
+      gitk: sanitize 'open' arguments: command pipeline
+      gitk: collect construction of blameargs into a single conditional
+      gitk: sanitize 'open' arguments: simple commands, readable and writable
+      gitk: sanitize 'open' arguments: simple commands with redirections
+      gitk: sanitize 'open' arguments: simple commands
+      gitk: sanitize 'exec' arguments: redirect to process
+      gitk: sanitize 'exec' arguments: redirections and background
+      gitk: sanitize 'exec' arguments: redirections
+      gitk: sanitize 'exec' arguments: 'eval exec'
+      gitk: sanitize 'exec' arguments: simple cases
+      gitk: have callers of diffcmd supply pipe symbol when necessary
+      gitk: treat file names beginning with "|" as relative paths
+      ...
+
+    Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+Upstream-Status: Backport from [https://github.com/git/git/commit/d61cfed2c23705fbeb9c0d08f59e75ee08738950]
+CVE: CVE-2025-27614, CVE-2025-27613, CVE-2025-46334, CVE-2025-46835
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ git-gui/git-gui.sh                   | 622 +++++++++++++++++----------
+ git-gui/lib/blame.tcl                |  12 +-
+ git-gui/lib/branch.tcl               |   6 +-
+ git-gui/lib/browser.tcl              |   2 +-
+ git-gui/lib/checkout_op.tcl          |  25 +-
+ git-gui/lib/choose_repository.tcl    |  23 +-
+ git-gui/lib/choose_rev.tcl           |   8 +-
+ git-gui/lib/commit.tcl               |  14 +-
+ git-gui/lib/console.tcl              |   5 +-
+ git-gui/lib/database.tcl             |   2 +-
+ git-gui/lib/diff.tcl                 |  12 +-
+ git-gui/lib/index.tcl                |   8 +-
+ git-gui/lib/merge.tcl                |   6 +-
+ git-gui/lib/mergetool.tcl            |   8 +-
+ git-gui/lib/remote.tcl               |   8 +-
+ git-gui/lib/remote_branch_delete.tcl |   2 +-
+ git-gui/lib/shortcut.tcl             |  16 +-
+ git-gui/lib/sshkey.tcl               |   7 +-
+ git-gui/lib/tools.tcl                |   7 +-
+ git-gui/lib/win32.tcl                |   9 +-
+ gitk-git/gitk                        | 298 ++++++++-----
+ 21 files changed, 667 insertions(+), 433 deletions(-)
+
+diff --git a/git-gui/git-gui.sh b/git-gui/git-gui.sh
+index 201524c..2f38291 100755
+--- a/git-gui/git-gui.sh
++++ b/git-gui/git-gui.sh
+@@ -24,7 +24,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ 
+ You should have received a copy of the GNU General Public License
+-along with this program; if not, see <http://www.gnu.org/licenses/>.}]
++along with this program; if not, see <https://www.gnu.org/licenses/>.}]
+ 
+ ######################################################################
+ ##
+@@ -44,6 +44,211 @@ if {[catch {package require Tcl 8.5} err]
+ 
+ catch {rename send {}} ; # What an evil concept...
+ 
++######################################################################
++##
++## Enabling platform-specific code paths
++
++proc is_MacOSX {} {
++	if {[tk windowingsystem] eq {aqua}} {
++		return 1
++	}
++	return 0
++}
++
++proc is_Windows {} {
++	if {$::tcl_platform(platform) eq {windows}} {
++		return 1
++	}
++	return 0
++}
++
++set _iscygwin {}
++proc is_Cygwin {} {
++	global _iscygwin
++	if {$_iscygwin eq {}} {
++		if {[string match "CYGWIN_*" $::tcl_platform(os)]} {
++			set _iscygwin 1
++		} else {
++			set _iscygwin 0
++		}
++	}
++	return $_iscygwin
++}
++
++######################################################################
++##
++## PATH lookup. Sanitize $PATH, assure exec/open use only that
++
++if {[is_Windows]} {
++	set _path_sep {;}
++	set _search_exe .exe
++} else {
++	set _path_sep {:}
++	set _search_exe {}
++}
++
++if {[is_Windows]} {
++	set gitguidir [file dirname [info script]]
++	regsub -all ";" $gitguidir "\\;" gitguidir
++	set env(PATH) "$gitguidir;$env(PATH)"
++}
++
++set _search_path {}
++set _path_seen [dict create]
++foreach p [split $env(PATH) $_path_sep] {
++	# Keep only absolute paths, getting rid of ., empty, etc.
++	if {[file pathtype $p] ne {absolute}} {
++		continue
++	}
++	# Keep only the first occurence of any duplicates.
++	set norm_p [file normalize $p]
++	if {[dict exists $_path_seen $norm_p]} {
++		continue
++	}
++	dict set _path_seen $norm_p 1
++	lappend _search_path $norm_p
++}
++unset _path_seen
++
++set env(PATH) [join $_search_path $_path_sep]
++
++if {[is_Windows]} {
++	proc _which {what args} {
++		global _search_exe _search_path
++
++		if {[lsearch -exact $args -script] >= 0} {
++			set suffix {}
++		} elseif {[string match *$_search_exe [string tolower $what]]} {
++			# The search string already has the file extension
++			set suffix {}
++		} else {
++			set suffix $_search_exe
++		}
++
++		foreach p $_search_path {
++			set p [file join $p $what$suffix]
++			if {[file exists $p]} {
++				return [file normalize $p]
++			}
++		}
++		return {}
++	}
++
++	proc sanitize_command_line {command_line from_index} {
++		set i $from_index
++		while {$i < [llength $command_line]} {
++			set cmd [lindex $command_line $i]
++			if {[llength [file split $cmd]] < 2} {
++				set fullpath [_which $cmd]
++				if {$fullpath eq ""} {
++					throw {NOT-FOUND} "$cmd not found in PATH"
++				}
++				lset command_line $i $fullpath
++			}
++
++			# handle piped commands, e.g. `exec A | B`
++			for {incr i} {$i < [llength $command_line]} {incr i} {
++				if {[lindex $command_line $i] eq "|"} {
++					incr i
++					break
++				}
++			}
++		}
++		return $command_line
++	}
++
++	# Override `exec` to avoid unsafe PATH lookup
++
++	rename exec real_exec
++
++	proc exec {args} {
++		# skip options
++		for {set i 0} {$i < [llength $args]} {incr i} {
++			set arg [lindex $args $i]
++			if {$arg eq "--"} {
++				incr i
++				break
++			}
++			if {[string range $arg 0 0] ne "-"} {
++				break
++			}
++		}
++		set args [sanitize_command_line $args $i]
++		uplevel 1 real_exec $args
++	}
++
++	# Override `open` to avoid unsafe PATH lookup
++
++	rename open real_open
++
++	proc open {args} {
++		set arg0 [lindex $args 0]
++		if {[string range $arg0 0 0] eq "|"} {
++			set command_line [string trim [string range $arg0 1 end]]
++			lset args 0 "| [sanitize_command_line $command_line 0]"
++		}
++		uplevel 1 real_open $args
++	}
++
++} else {
++	# On non-Windows platforms, auto_execok, exec, and open are safe, and will
++	# use the sanitized search path. But, we need _which for these.
++
++	proc _which {what args} {
++		return [lindex [auto_execok $what] 0]
++	}
++}
++
++# Wrap exec/open to sanitize arguments
++
++# unsafe arguments begin with redirections or the pipe or background operators
++proc is_arg_unsafe {arg} {
++	regexp {^([<|>&]|2>)} $arg
++}
++
++proc make_arg_safe {arg} {
++	if {[is_arg_unsafe $arg]} {
++		set arg [file join . $arg]
++	}
++	return $arg
++}
++
++proc make_arglist_safe {arglist} {
++	set res {}
++	foreach arg $arglist {
++		lappend res [make_arg_safe $arg]
++	}
++	return $res
++}
++
++# executes one command
++# no redirections or pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# calls `exec` and returns its value
++proc safe_exec {cmd} {
++	eval exec [make_arglist_safe $cmd]
++}
++
++# executes one command in the background
++# no redirections or pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# calls `exec` and returns its value
++proc safe_exec_bg {cmd} {
++	eval exec [make_arglist_safe $cmd] &
++}
++
++proc safe_open_file {filename flags} {
++	# a file name starting with "|" would attempt to run a process
++	# but such a file name must be treated as a relative path
++	# hide the "|" behind "./"
++	if {[string index $filename 0] eq "|"} {
++		set filename [file join . $filename]
++	}
++	open $filename $flags
++}
++
++# End exec/open wrappers
++
+ ######################################################################
+ ##
+ ## locate our library
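Review bot: `throw {NOT-FOUND} "$cmd not found in PATH"` in sanitize_command_line requires Tcl 8.6, while the hunk header shows this file still only asks for `package require Tcl 8.5`; on an 8.5 interpreter the not-found path fails with 'invalid command name "throw"' instead of the intended message. `return -code error -errorcode NOT-FOUND "$cmd not found in PATH"` gives the same effect within the declared minimum, or bump the requirement and say so in the backport notes. Also worth a comment: sanitize_command_line resolves only bare command names (`[llength [file split $cmd]] < 2`), so an argument such as `sub/tool` is passed to real_exec unchanged and resolved relative to the working directory, which is presumably intended but is not obvious from the code.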
+@@ -144,14 +349,64 @@ unset oguimsg
+ 
+ if {[tk windowingsystem] eq "aqua"} {
+ 	catch {
+-		exec osascript -e [format {
++		safe_exec [list osascript -e [format {
+ 			tell application "System Events"
+ 				set frontmost of processes whose unix id is %d to true
+ 			end tell
+-		} [pid]]
++		} [pid]]]
+ 	}
+ }
+ 
++# Wrap exec/open to sanitize arguments
++
++# unsafe arguments begin with redirections or the pipe or background operators
++proc is_arg_unsafe {arg} {
++	regexp {^([<|>&]|2>)} $arg
++}
++
++proc make_arg_safe {arg} {
++	if {[is_arg_unsafe $arg]} {
++		set arg [file join . $arg]
++	}
++	return $arg
++}
++
++proc make_arglist_safe {arglist} {
++	set res {}
++	foreach arg $arglist {
++		lappend res [make_arg_safe $arg]
++	}
++	return $res
++}
++
++# executes one command
++# no redirections or pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# calls `exec` and returns its value
++proc safe_exec {cmd} {
++	eval exec [make_arglist_safe $cmd]
++}
++
++# executes one command in the background
++# no redirections or pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# calls `exec` and returns its value
++proc safe_exec_bg {cmd} {
++	eval exec [make_arglist_safe $cmd] &
++}
++
++proc safe_open_file {filename flags} {
++	# a file name starting with "|" would attempt to run a process
++	# but such a file name must be treated as a relative path
++	# hide the "|" behind "./"
++	if {[string index $filename 0] eq "|"} {
++		set filename [file join . $filename]
++	}
++	open $filename $flags
++}
++
++# End exec/open wrappers
++
+ ######################################################################
+ ##
+ ## read only globals
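Review bot: the entire 'Wrap exec/open to sanitize arguments' block (is_arg_unsafe, make_arg_safe, make_arglist_safe, safe_exec, safe_exec_bg, safe_open_file) is added here a second time; a byte-identical copy is already inserted by the `@@ -44,6 +44,211 @@` hunk earlier in this file. Tcl silently redefines the procs so behaviour is unaffected, but it looks like a merge artefact of the backport and doubles the code an auditor has to compare against upstream. Keep the early copy (it has to exist before the startup code that calls safe_exec for cygpath) and drop this one.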
+@@ -180,15 +435,37 @@ if {$_trace >= 0} {
+ # branches).
+ set _last_merged_branch {}
+ 
+-proc shellpath {} {
+-	global _shellpath env
+-	if {[string match @@* $_shellpath]} {
+-		if {[info exists env(SHELL)]} {
+-			return $env(SHELL)
+-		} else {
+-			return /bin/sh
+-		}
++# for testing, allow unconfigured _shellpath
++if {[string match @@* $_shellpath]} {
++	if {[info exists env(SHELL)]} {
++		set _shellpath $env(SHELL)
++	} else {
++		set _shellpath /bin/sh
+ 	}
++}
++
++if {[is_Windows]} {
++	set _shellpath [safe_exec [list cygpath -m $_shellpath]]
++}
++
++if {![file executable $_shellpath] || \
++	!([file pathtype $_shellpath] eq {absolute})} {
++	set errmsg "The defined shell ('$_shellpath') is not usable, \
++		it must be an absolute path to an executable."
++	puts stderr $errmsg
++
++	catch {wm withdraw .}
++	tk_messageBox \
++		-icon error \
++		-type ok \
++		-title "git-gui: configuration error" \
++		-message $errmsg
++	exit 1
++}
++
++
++proc shellpath {} {
++	global _shellpath
+ 	return $_shellpath
+ }
+ 
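Review bot: on Windows, `safe_exec [list cygpath -m $_shellpath]` runs before the usability check and is not wrapped in catch; if cygpath is not on the freshly sanitized PATH, sanitize_command_line raises its not-found error and git-gui dies at startup with a Tcl traceback rather than the tk_messageBox prepared a few lines below. Wrapping the cygpath call in `catch` and letting the `file executable` check report the problem covers that case. Minor: `!([file pathtype $_shellpath] eq {absolute})` reads more clearly as `[file pathtype $_shellpath] ne {absolute}`.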
+@@ -252,40 +529,6 @@ proc reponame {} {
+ 	return $::_reponame
+ }
+ 
+-proc is_MacOSX {} {
+-	if {[tk windowingsystem] eq {aqua}} {
+-		return 1
+-	}
+-	return 0
+-}
+-
+-proc is_Windows {} {
+-	if {$::tcl_platform(platform) eq {windows}} {
+-		return 1
+-	}
+-	return 0
+-}
+-
+-proc is_Cygwin {} {
+-	global _iscygwin
+-	if {$_iscygwin eq {}} {
+-		if {$::tcl_platform(platform) eq {windows}} {
+-			if {[catch {set p [exec cygpath --windir]} err]} {
+-				set _iscygwin 0
+-			} else {
+-				set _iscygwin 1
+-				# Handle MSys2 which is only cygwin when MSYSTEM is MSYS.
+-				if {[info exists ::env(MSYSTEM)] && $::env(MSYSTEM) ne "MSYS"} {
+-					set _iscygwin 0
+-				}
+-			}
+-		} else {
+-			set _iscygwin 0
+-		}
+-	}
+-	return $_iscygwin
+-}
+-
+ proc is_enabled {option} {
+ 	global enabled_options
+ 	if {[catch {set on $enabled_options($option)}]} {return 0}
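Review bot: the is_Cygwin removed here probed `cygpath --windir` and deliberately treated MSys2 as not-Cygwin unless MSYSTEM is MSYS; its replacement near the top of the file only matches `$::tcl_platform(os)` against `CYGWIN_*` and drops the MSYSTEM handling entirely. That can change the answer on MSys2 installs where tcl_platform(os) is not a CYGWIN_* string, which neither the commit message nor the backport notes mention. If it is intentional (in line with upstream's 'use only the configured shell' direction), a sentence in the Upstream-Status block would help reviewers; if not, the MSYSTEM check should be carried over.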
+@@ -418,7 +661,7 @@ proc _git_cmd {name} {
+ 			# Tcl on Windows doesn't know it.
+ 			#
+ 			set p [gitexec git-$name]
+-			set f [open $p r]
++			set f [safe_open_file $p r]
+ 			set s [gets $f]
+ 			close $f
+ 
+@@ -473,6 +716,9 @@ proc _which {what args} {
+ 
+ 	if {[is_Windows] && [lsearch -exact $args -script] >= 0} {
+ 		set suffix {}
++	} elseif {[is_Windows] && [string match *$_search_exe [string tolower $what]]} {
++		# The search string already has the file extension
++		set suffix {}
+ 	} else {
+ 		set suffix $_search_exe
+ 	}
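Review bot: this pre-existing `_which` is kept and patched rather than removed, but the `@@ -44,6 +44,211 @@` hunk already defines `_which` per platform at startup. Because a later `proc` replaces the earlier one, this definition wins once the file has been sourced, the auto_execok-based non-Windows variant added above becomes dead code, and the `-script`/`.exe` suffix logic now lives in two places that can drift. Keep a single definition, preferably the early one, since the startup code depends on it being available before this point.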
+@@ -486,32 +732,14 @@ proc _which {what args} {
+ 	return {}
+ }
+ 
+-# Test a file for a hashbang to identify executable scripts on Windows.
+-proc is_shellscript (unknown) {
+-	if {![file exists $filename]} {return 0}
+-	set f [open $filename r]
+-	fconfigure $f -encoding binary
+-	set magic [read $f 2]
+-	close $f
+-	return [expr {$magic eq "#!"}]
+-}
+-
+-# Run a command connected via pipes on stdout.
++# Run a shell command connected via pipes on stdout.
+ # This is for use with textconv filters and uses sh -c "..." to allow it to
+-# contain a command with arguments. On windows we must check for shell
+-# scripts specifically otherwise just call the filter command.
++# contain a command with arguments. We presume this
++# to be a shellscript that the configured shell (/bin/sh by default) knows
++# how to run.
+ proc open_cmd_pipe {cmd path} {
+-	global env
+-	if {![file executable [shellpath]]} {
+-		set exe [auto_execok [lindex $cmd 0]]
+-		if {[is_shellscript [lindex $exe 0]]} {
+-			set run [linsert [auto_execok sh] end -c "$cmd \"\$0\"" $path]
+-		} else {
+-			set run [concat $exe [lrange $cmd 1 end] $path]
+-		}
+-	} else {
+-		set run [list [shellpath] -c "$cmd \"\$0\"" $path]
+-	}
++	set run [list [shellpath] -c "$cmd \"\$0\"" $path]
++	set run [make_arglist_safe $run]
+ 	return [open |$run r]
+ }
+ 
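Review bot: make_arglist_safe is applied to the whole `[shellpath] -c "$cmd \"\$0\"" $path` list, which protects the $path argument (handed to the filter as `$0`) from starting with a redirection or pipe character, but `$cmd` is still interpolated into the `-c` string and therefore interpreted by the shell by design, because textconv filters are configured shell commands. A comment saying so would stop a future reader from 'fixing' it, and the dropped auto_execok fallback now relies entirely on the startup check that aborts when `[shellpath]` is not executable, which is worth stating in the backport notes.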
+@@ -521,7 +749,7 @@ proc _lappend_nice {cmd_var} {
+ 
+ 	if {![info exists _nice]} {
+ 		set _nice [_which nice]
+-		if {[catch {exec $_nice git version}]} {
++		if {[catch {safe_exec [list $_nice git version]}]} {
+ 			set _nice {}
+ 		} elseif {[is_Windows] && [file dirname $_nice] ne [file dirname $::_git]} {
+ 			set _nice {}
+@@ -533,7 +761,11 @@ proc _lappend_nice {cmd_var} {
+ }
+ 
+ proc git {args} {
+-	set fd [eval [list git_read] $args]
++	git_redir $args {}
++}
++
++proc git_redir {cmd redir} {
++	set fd [git_read $cmd $redir]
+ 	fconfigure $fd -translation binary -encoding utf-8
+ 	set result [string trimright [read $fd] "\n"]
+ 	close $fd
+@@ -543,111 +775,47 @@ proc git {args} {
+ 	return $result
+ }
+ 
+-proc _open_stdout_stderr {cmd} {
+-	_trace_exec $cmd
++proc safe_open_command {cmd {redir {}}} {
++	set cmd [make_arglist_safe $cmd]
++	_trace_exec [concat $cmd $redir]
+ 	if {[catch {
+-			set fd [open [concat [list | ] $cmd] r]
+-		} err]} {
+-		if {   [lindex $cmd end] eq {2>@1}
+-		    && $err eq {can not find channel named "1"}
+-			} {
+-			# Older versions of Tcl 8.4 don't have this 2>@1 IO
+-			# redirect operator.  Fallback to |& cat for those.
+-			# The command was not actually started, so its safe
+-			# to try to start it a second time.
+-			#
+-			set fd [open [concat \
+-				[list | ] \
+-				[lrange $cmd 0 end-1] \
+-				[list |& cat] \
+-				] r]
+-		} else {
+-			error $err
+-		}
++		set fd [open [concat [list | ] $cmd $redir] r]
++	} err]} {
++		error $err
+ 	}
+ 	fconfigure $fd -eofchar {}
+ 	return $fd
+ }
+ 
+-proc git_read {args} {
+-	set opt [list]
+-
+-	while {1} {
+-		switch -- [lindex $args 0] {
+-		--nice {
+-			_lappend_nice opt
+-		}
+-
+-		--stderr {
+-			lappend args 2>@1
+-		}
++proc git_read {cmd {redir {}}} {
++	set cmdp [_git_cmd [lindex $cmd 0]]
++	set cmd [lrange $cmd 1 end]
+ 
+-		default {
+-			break
+-		}
+-
+-		}
+-
+-		set args [lrange $args 1 end]
+-	}
+-
+-	set cmdp [_git_cmd [lindex $args 0]]
+-	set args [lrange $args 1 end]
+-
+-	return [_open_stdout_stderr [concat $opt $cmdp $args]]
++	return [safe_open_command [concat $cmdp $cmd] $redir]
+ }
+ 
+-proc git_write {args} {
++proc git_read_nice {cmd} {
+ 	set opt [list]
+ 
+-	while {1} {
+-		switch -- [lindex $args 0] {
+-		--nice {
+-			_lappend_nice opt
+-		}
++	_lappend_nice opt
+ 
+-		default {
+-			break
+-		}
++	set cmdp [_git_cmd [lindex $cmd 0]]
++	set cmd [lrange $cmd 1 end]
+ 
+-		}
+-
+-		set args [lrange $args 1 end]
+-	}
++	return [safe_open_command [concat $opt $cmdp $cmd]]
++}
+ 
+-	set cmdp [_git_cmd [lindex $args 0]]
+-	set args [lrange $args 1 end]
++proc git_write {cmd} {
++	set cmd [make_arglist_safe $cmd]
++	set cmdp [_git_cmd [lindex $cmd 0]]
++	set cmd [lrange $cmd 1 end]
+ 
+-	_trace_exec [concat $opt $cmdp $args]
+-	return [open [concat [list | ] $opt $cmdp $args] w]
++	_trace_exec [concat $cmdp $cmd]
++	return [open [concat [list | ] $cmdp $cmd] w]
+ }
+ 
+ proc githook_read {hook_name args} {
+-	set pchook [gitdir hooks $hook_name]
+-	lappend args 2>@1
+-
+-	# On Windows [file executable] might lie so we need to ask
+-	# the shell if the hook is executable.  Yes that's annoying.
+-	#
+-	if {[is_Windows]} {
+-		upvar #0 _sh interp
+-		if {![info exists interp]} {
+-			set interp [_which sh]
+-		}
+-		if {$interp eq {}} {
+-			error "hook execution requires sh (not in PATH)"
+-		}
+-
+-		set scr {if test -x "$1";then exec "$@";fi}
+-		set sh_c [list $interp -c $scr $interp $pchook]
+-		return [_open_stdout_stderr [concat $sh_c $args]]
+-	}
+-
+-	if {[file executable $pchook]} {
+-		return [_open_stdout_stderr [concat [list $pchook] $args]]
+-	}
+-
+-	return {}
++	git_read [concat [list hook run --ignore-missing $hook_name --] $args] [list 2>@1]
+ }
+ 
+ proc kill_file_process {fd} {
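Review bot: the `catch` in `safe_open_command` is now a no-op (its only action is `error $err`), so the body can be reduced to `set fd [open [concat [list | ] $cmd $redir] r]`. Separately, `githook_read` now delegates to `git hook run --ignore-missing`, which only exists in recent git (2.36 and later), and this patch also drops the old-version fallbacks in `_parse_config` and `_detach_HEAD`; the minimum supported git version should be stated and enforced once at startup so an older `git` produces a clear message rather than a failing hook run. Minor: `git_read_nice` duplicates `git_read` except for the `nice` prefix and lacks the `{redir {}}` parameter; adding it would keep the two call shapes consistent.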
+@@ -655,9 +823,9 @@ proc kill_file_process {fd} {
+ 
+ 	catch {
+ 		if {[is_Windows]} {
+-			exec taskkill /pid $process
++			safe_exec [list taskkill /pid $process]
+ 		} else {
+-			exec kill $process
++			safe_exec [list kill $process]
+ 		}
+ 	}
+ }
+@@ -683,7 +851,7 @@ proc sq {value} {
+ proc load_current_branch {} {
+ 	global current_branch is_detached
+ 
+-	set fd [open [gitdir HEAD] r]
++	set fd [safe_open_file [gitdir HEAD] r]
+ 	fconfigure $fd -translation binary -encoding utf-8
+ 	if {[gets $fd ref] < 1} {
+ 		set ref {}
+@@ -1045,7 +1213,7 @@ You are using [git-version]:
+ ## configure our library
+ 
+ set idx [file join $oguilib tclIndex]
+-if {[catch {set fd [open $idx r]} err]} {
++if {[catch {set fd [safe_open_file $idx r]} err]} {
+ 	catch {wm withdraw .}
+ 	tk_messageBox \
+ 		-icon error \
+@@ -1083,53 +1251,30 @@ unset -nocomplain idx fd
+ ##
+ ## config file parsing
+ 
+-git-version proc _parse_config {arr_name args} {
+-	>= 1.5.3 {
+-		upvar $arr_name arr
+-		array unset arr
+-		set buf {}
+-		catch {
+-			set fd_rc [eval \
+-				[list git_read config] \
+-				$args \
+-				[list --null --list]]
+-			fconfigure $fd_rc -translation binary -encoding utf-8
+-			set buf [read $fd_rc]
+-			close $fd_rc
+-		}
+-		foreach line [split $buf "\0"] {
+-			if {[regexp {^([^\n]+)\n(.*)$} $line line name value]} {
+-				if {[is_many_config $name]} {
+-					lappend arr($name) $value
+-				} else {
+-					set arr($name) $value
+-				}
+-			} elseif {[regexp {^([^\n]+)$} $line line name]} {
+-				# no value given, but interpreting them as
+-				# boolean will be handled as true
+-				set arr($name) {}
+-			}
+-		}
+-	}
+-	default {
+-		upvar $arr_name arr
+-		array unset arr
+-		catch {
+-			set fd_rc [eval [list git_read config --list] $args]
+-			while {[gets $fd_rc line] >= 0} {
+-				if {[regexp {^([^=]+)=(.*)$} $line line name value]} {
+-					if {[is_many_config $name]} {
+-						lappend arr($name) $value
+-					} else {
+-						set arr($name) $value
+-					}
+-				} elseif {[regexp {^([^=]+)$} $line line name]} {
+-					# no value given, but interpreting them as
+-					# boolean will be handled as true
+-					set arr($name) {}
+-				}
++proc _parse_config {arr_name args} {
++	upvar $arr_name arr
++	array unset arr
++	set buf {}
++	catch {
++		set fd_rc [git_read \
++			[concat config \
++			$args \
++			--null --list]]
++		fconfigure $fd_rc -translation binary -encoding utf-8
++		set buf [read $fd_rc]
++		close $fd_rc
++	}
++	foreach line [split $buf "\0"] {
++		if {[regexp {^([^\n]+)\n(.*)$} $line line name value]} {
++			if {[is_many_config $name]} {
++				lappend arr($name) $value
++			} else {
++				set arr($name) $value
+ 			}
+-			close $fd_rc
++		} elseif {[regexp {^([^\n]+)$} $line line name]} {
++			# no value given, but interpreting them as
++			# boolean will be handled as true
++			set arr($name) {}
+ 		}
+ 	}
+ }
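Review bot: the `catch` around `git_read` swallows every error, so if `make_arglist_safe` (reached through `git_read` and `safe_open_command`) rejects one of the caller's `$args` by raising, the result is a silently empty config array rather than a visible failure. Consider narrowing the `catch` to the read/close and letting argument rejection propagate, or at least reporting the error, since an empty config changes behaviour elsewhere (encoding, display options) without any indication why.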
+@@ -1412,7 +1557,7 @@ proc repository_state {ctvar hdvar mhvar} {
+ 	set merge_head [gitdir MERGE_HEAD]
+ 	if {[file exists $merge_head]} {
+ 		set ct merge
+-		set fd_mh [open $merge_head r]
++		set fd_mh [safe_open_file $merge_head r]
+ 		while {[gets $fd_mh line] >= 0} {
+ 			lappend mh $line
+ 		}
+@@ -1431,7 +1576,7 @@ proc PARENT {} {
+ 		return $p
+ 	}
+ 	if {$empty_tree eq {}} {
+-		set empty_tree [git mktree << {}]
++		set empty_tree [git_redir [list mktree] [list << {}]]
+ 	}
+ 	return $empty_tree
+ }
+@@ -1490,12 +1635,12 @@ proc rescan {after {honor_trustmtime 1}} {
+ 	} else {
+ 		set rescan_active 1
+ 		ui_status [mc "Refreshing file status..."]
+-		set fd_rf [git_read update-index \
++		set fd_rf [git_read [list update-index \
+ 			-q \
+ 			--unmerged \
+ 			--ignore-missing \
+ 			--refresh \
+-			]
++			]]
+ 		fconfigure $fd_rf -blocking 0 -translation binary
+ 		fileevent $fd_rf readable \
+ 			[list rescan_stage2 $fd_rf $after]
+@@ -1551,11 +1696,11 @@ proc rescan_stage2 {fd after} {
+ 	set rescan_active 2
+ 	ui_status [mc "Scanning for modified files ..."]
+ 	if {[git-version >= "1.7.2"]} {
+-		set fd_di [git_read diff-index --cached --ignore-submodules=dirty -z [PARENT]]
++		set fd_di [git_read [list diff-index --cached --ignore-submodules=dirty -z [PARENT]]]
+ 	} else {
+-		set fd_di [git_read diff-index --cached -z [PARENT]]
++		set fd_di [git_read [list diff-index --cached -z [PARENT]]]
+ 	}
+-	set fd_df [git_read diff-files -z]
++	set fd_df [git_read [list diff-files -z]]
+ 
+ 	fconfigure $fd_di -blocking 0 -translation binary -encoding binary
+ 	fconfigure $fd_df -blocking 0 -translation binary -encoding binary
+@@ -1564,7 +1709,7 @@ proc rescan_stage2 {fd after} {
+ 	fileevent $fd_df readable [list read_diff_files $fd_df $after]
+ 
+ 	if {[is_config_true gui.displayuntracked]} {
+-		set fd_lo [eval git_read ls-files --others -z $ls_others]
++		set fd_lo [git_read [concat ls-files --others -z $ls_others]]
+ 		fconfigure $fd_lo -blocking 0 -translation binary -encoding binary
+ 		fileevent $fd_lo readable [list read_ls_others $fd_lo $after]
+ 		incr rescan_active
+@@ -1576,7 +1721,7 @@ proc load_message {file {encoding {}}} {
+ 
+ 	set f [gitdir $file]
+ 	if {[file isfile $f]} {
+-		if {[catch {set fd [open $f r]}]} {
++		if {[catch {set fd [safe_open_file $f r]}]} {
+ 			return 0
+ 		}
+ 		fconfigure $fd -eofchar {}
+@@ -1600,23 +1745,23 @@ proc run_prepare_commit_msg_hook {} {
+ 	# it will be .git/MERGE_MSG (merge), .git/SQUASH_MSG (squash), or an
+ 	# empty file but existent file.
+ 
+-	set fd_pcm [open [gitdir PREPARE_COMMIT_MSG] a]
++	set fd_pcm [safe_open_file [gitdir PREPARE_COMMIT_MSG] a]
+ 
+ 	if {[file isfile [gitdir MERGE_MSG]]} {
+ 		set pcm_source "merge"
+-		set fd_mm [open [gitdir MERGE_MSG] r]
++		set fd_mm [safe_open_file [gitdir MERGE_MSG] r]
+ 		fconfigure $fd_mm -encoding utf-8
+ 		puts -nonewline $fd_pcm [read $fd_mm]
+ 		close $fd_mm
+ 	} elseif {[file isfile [gitdir SQUASH_MSG]]} {
+ 		set pcm_source "squash"
+-		set fd_sm [open [gitdir SQUASH_MSG] r]
++		set fd_sm [safe_open_file [gitdir SQUASH_MSG] r]
+ 		fconfigure $fd_sm -encoding utf-8
+ 		puts -nonewline $fd_pcm [read $fd_sm]
+ 		close $fd_sm
+ 	} elseif {[file isfile [get_config commit.template]]} {
+ 		set pcm_source "template"
+-		set fd_sm [open [get_config commit.template] r]
++		set fd_sm [safe_open_file [get_config commit.template] r]
+ 		fconfigure $fd_sm -encoding utf-8
+ 		puts -nonewline $fd_pcm [read $fd_sm]
+ 		close $fd_sm
+@@ -2206,7 +2351,7 @@ proc do_gitk {revs {is_submodule false}} {
+ 			unset env(GIT_DIR)
+ 			unset env(GIT_WORK_TREE)
+ 		}
+-		eval exec $cmd $revs "--" "--" &
++		safe_exec_bg [concat $cmd $revs "--" "--"]
+ 
+ 		set env(GIT_DIR) $_gitdir
+ 		set env(GIT_WORK_TREE) $_gitworktree
+@@ -2243,7 +2388,7 @@ proc do_git_gui {} {
+ 		set pwd [pwd]
+ 		cd $current_diff_path
+ 
+-		eval exec $exe gui &
++		safe_exec_bg [concat $exe gui]
+ 
+ 		set env(GIT_DIR) $_gitdir
+ 		set env(GIT_WORK_TREE) $_gitworktree
+@@ -2272,16 +2417,18 @@ proc get_explorer {} {
+ 
+ proc do_explore {} {
+ 	global _gitworktree
+-	set explorer [get_explorer]
+-	eval exec $explorer [list [file nativename $_gitworktree]] &
++	set cmd [get_explorer]
++	lappend cmd [file nativename $_gitworktree]
++	safe_exec_bg $cmd
+ }
+ 
+ # Open file relative to the working tree by the default associated app.
+ proc do_file_open {file} {
+ 	global _gitworktree
+-	set explorer [get_explorer]
++	set cmd [get_explorer]
+ 	set full_file_path [file join $_gitworktree $file]
+-	exec $explorer [file nativename $full_file_path] &
++	lappend cmd [file nativename $full_file_path]
++	safe_exec_bg $cmd
+ }
+ 
+ set is_quitting 0
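Review bot: `get_explorer` is now required to return a proper Tcl list, because `lappend cmd ...` and `safe_exec_bg $cmd` treat `$cmd` as a list, whereas the replaced `eval exec $explorer ...` tolerated a plain string with embedded spaces. Its definition is outside this hunk; confirm it builds its result with `list` (for example `[list open]` or `[list xdg-open]`), otherwise a multi-word explorer command becomes a single bogus executable name.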
+@@ -2315,7 +2462,7 @@ proc do_quit {{rc {1}}} {
+ 			if {![string match amend* $commit_type]
+ 				&& $msg ne {}} {
+ 				catch {
+-					set fd [open $save w]
++					set fd [safe_open_file $save w]
+ 					fconfigure $fd -encoding utf-8
+ 					puts -nonewline $fd $msg
+ 					close $fd
+@@ -2373,7 +2520,7 @@ proc do_quit {{rc {1}}} {
+ 	set ret_code $rc
+ 
+ 	# Briefly enable send again, working around Tk bug
+-	# http://sourceforge.net/tracker/?func=detail&atid=112997&aid=1821174&group_id=12997
++	# https://sourceforge.net/p/tktoolkit/bugs/2343/
+ 	tk appname [appname]
+ 
+ 	destroy .
+@@ -2759,17 +2906,16 @@ if {![is_bare]} {
+ 
+ if {[is_Windows]} {
+ 	# Use /git-bash.exe if available
+-	set normalized [file normalize $::argv0]
+-	regsub "/mingw../libexec/git-core/git-gui$" \
+-		$normalized "/git-bash.exe" cmdLine
+-	if {$cmdLine != $normalized && [file exists $cmdLine]} {
+-		set cmdLine [list "Git Bash" $cmdLine &]
++	set _git_bash [safe_exec [list cygpath -m /git-bash.exe]]
++	if {[file executable $_git_bash]} {
++		set _bash_cmdline [list "Git Bash" $_git_bash]
+ 	} else {
+-		set cmdLine [list "Git Bash" bash --login -l &]
++		set _bash_cmdline [list "Git Bash" bash --login -l]
+ 	}
+ 	.mbar.repository add command \
+ 		-label [mc "Git Bash"] \
+-		-command {eval exec [auto_execok start] $cmdLine}
++		-command {safe_exec_bg [concat [list [_which cmd] /c start] $_bash_cmdline]}
++	unset _git_bash
+ }
+ 
+ if {[is_Windows] || ![is_bare]} {
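Review bot: `safe_exec [list cygpath -m /git-bash.exe]` runs unconditionally at startup with no `catch`; on a Windows installation where `cygpath` is not on PATH (Tcl not running inside Git for Windows) the whole `if {[is_Windows]}` block throws and the menu setup aborts, whereas the replaced `file normalize`/`regsub` logic could not fail. Wrap the call in `catch` and fall back to the `bash --login -l` branch on error. Minor: `_bash_cmdline` must stay global because the `-command` script reads it at click time, so only `_git_bash` can be `unset`; a short comment saying so would stop someone from "cleaning up" the other variable later.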
+@@ -4134,7 +4280,7 @@ if {[winfo exists $ui_comm]} {
+ 				}
+ 			} elseif {$m} {
+ 				catch {
+-					set fd [open [gitdir GITGUI_BCK] w]
++					set fd [safe_open_file [gitdir GITGUI_BCK] w]
+ 					fconfigure $fd -encoding utf-8
+ 					puts -nonewline $fd $msg
+ 					close $fd
+diff --git a/git-gui/lib/blame.tcl b/git-gui/lib/blame.tcl
+index 8441e10..d6fd8be 100644
+--- a/git-gui/lib/blame.tcl
++++ b/git-gui/lib/blame.tcl
+@@ -481,14 +481,14 @@ method _load {jump} {
+ 		if {$do_textconv ne 0} {
+ 			set fd [open_cmd_pipe $textconv $path]
+ 		} else {
+-			set fd [open $path r]
++			set fd [safe_open_file $path r]
+ 		}
+ 		fconfigure $fd -eofchar {}
+ 	} else {
+ 		if {$do_textconv ne 0} {
+-			set fd [git_read cat-file --textconv "$commit:$path"]
++			set fd [git_read [list cat-file --textconv "$commit:$path"]]
+ 		} else {
+-			set fd [git_read cat-file blob "$commit:$path"]
++			set fd [git_read [list cat-file blob "$commit:$path"]]
+ 		}
+ 	}
+ 	fconfigure $fd \
+@@ -617,7 +617,7 @@ method _exec_blame {cur_w cur_d options cur_s} {
+ 	}
+ 
+ 	lappend options -- $path
+-	set fd [eval git_read --nice blame $options]
++	set fd [git_read_nice [concat blame $options]]
+ 	fconfigure $fd -blocking 0 -translation lf -encoding utf-8
+ 	fileevent $fd readable [cb _read_blame $fd $cur_w $cur_d]
+ 	set current_fd $fd
+@@ -986,7 +986,7 @@ method _showcommit {cur_w lno} {
+ 		if {[catch {set msg $header($cmit,message)}]} {
+ 			set msg {}
+ 			catch {
+-				set fd [git_read cat-file commit $cmit]
++				set fd [git_read [list cat-file commit $cmit]]
+ 				fconfigure $fd -encoding binary -translation lf
+ 				# By default commits are assumed to be in utf-8
+ 				set enc utf-8
+@@ -1134,7 +1134,7 @@ method _blameparent {} {
+ 		} else {
+ 			set diffcmd [list diff-tree --unified=0 $cparent $cmit -- $new_path]
+ 		}
+-		if {[catch {set fd [eval git_read $diffcmd]} err]} {
++		if {[catch {set fd [git_read $diffcmd]} err]} {
+ 			$status_operation stop [mc "Unable to display parent"]
+ 			error_popup [strcat [mc "Error loading diff:"] "\n\n$err"]
+ 			return
+diff --git a/git-gui/lib/branch.tcl b/git-gui/lib/branch.tcl
+index 8b0c485..39e0f2d 100644
+--- a/git-gui/lib/branch.tcl
++++ b/git-gui/lib/branch.tcl
+@@ -7,7 +7,7 @@ proc load_all_heads {} {
+ 	set rh refs/heads
+ 	set rh_len [expr {[string length $rh] + 1}]
+ 	set all_heads [list]
+-	set fd [git_read for-each-ref --format=%(refname) $rh]
++	set fd [git_read [list for-each-ref --format=%(refname) $rh]]
+ 	fconfigure $fd -translation binary -encoding utf-8
+ 	while {[gets $fd line] > 0} {
+ 		if {!$some_heads_tracking || ![is_tracking_branch $line]} {
+@@ -21,10 +21,10 @@ proc load_all_heads {} {
+ 
+ proc load_all_tags {} {
+ 	set all_tags [list]
+-	set fd [git_read for-each-ref \
++	set fd [git_read [list for-each-ref \
+ 		--sort=-taggerdate \
+ 		--format=%(refname) \
+-		refs/tags]
++		refs/tags]]
+ 	fconfigure $fd -translation binary -encoding utf-8
+ 	while {[gets $fd line] > 0} {
+ 		if {![regsub ^refs/tags/ $line {} name]} continue
+diff --git a/git-gui/lib/browser.tcl b/git-gui/lib/browser.tcl
+index a982983..6fc8d4d 100644
+--- a/git-gui/lib/browser.tcl
++++ b/git-gui/lib/browser.tcl
+@@ -196,7 +196,7 @@ method _ls {tree_id {name {}}} {
+ 	lappend browser_stack [list $tree_id $name]
+ 	$w conf -state disabled
+ 
+-	set fd [git_read ls-tree -z $tree_id]
++	set fd [git_read [list ls-tree -z $tree_id]]
+ 	fconfigure $fd -blocking 0 -translation binary -encoding utf-8
+ 	fileevent $fd readable [cb _read $fd]
+ }
+diff --git a/git-gui/lib/checkout_op.tcl b/git-gui/lib/checkout_op.tcl
+index 21ea768..87ed0b4 100644
+--- a/git-gui/lib/checkout_op.tcl
++++ b/git-gui/lib/checkout_op.tcl
+@@ -304,12 +304,12 @@ The rescan will be automatically started now.
+ 		_readtree $this
+ 	} else {
+ 		ui_status [mc "Refreshing file status..."]
+-		set fd [git_read update-index \
++		set fd [git_read [list update-index \
+ 			-q \
+ 			--unmerged \
+ 			--ignore-missing \
+ 			--refresh \
+-			]
++			]]
+ 		fconfigure $fd -blocking 0 -translation binary
+ 		fileevent $fd readable [cb _refresh_wait $fd]
+ 	}
+@@ -345,14 +345,15 @@ method _readtree {} {
+ 		[mc "Updating working directory to '%s'..." [_name $this]] \
+ 		[mc "files checked out"]]
+ 
+-	set fd [git_read --stderr read-tree \
++	set fd [git_read [list read-tree \
+ 		-m \
+ 		-u \
+ 		-v \
+ 		--exclude-per-directory=.gitignore \
+ 		$HEAD \
+ 		$new_hash \
+-		]
++		] \
++		[list 2>@1]]
+ 	fconfigure $fd -blocking 0 -translation binary
+ 	fileevent $fd readable [cb _readtree_wait $fd $status_bar_operation]
+ }
+@@ -510,18 +511,8 @@ method _update_repo_state {} {
+ 	delete_this
+ }
+ 
+-git-version proc _detach_HEAD {log new} {
+-	>= 1.5.3 {
+-		git update-ref --no-deref -m $log HEAD $new
+-	}
+-	default {
+-		set p [gitdir HEAD]
+-		file delete $p
+-		set fd [open $p w]
+-		fconfigure $fd -translation lf -encoding utf-8
+-		puts $fd $new
+-		close $fd
+-	}
++proc _detach_HEAD {log new} {
++	git update-ref --no-deref -m $log HEAD $new
+ }
+ 
+ method _confirm_reset {cur} {
+@@ -582,7 +573,7 @@ method _confirm_reset {cur} {
+ 	pack $w.buttons.cancel -side right -padx 5
+ 	pack $w.buttons -side bottom -fill x -pady 10 -padx 10
+ 
+-	set fd [git_read rev-list --pretty=oneline $cur ^$new_hash]
++	set fd [git_read [list rev-list --pretty=oneline $cur ^$new_hash]]
+ 	while {[gets $fd line] > 0} {
+ 		set abbr [string range $line 0 7]
+ 		set subj [string range $line 41 end]
+diff --git a/git-gui/lib/choose_repository.tcl b/git-gui/lib/choose_repository.tcl
+index af1fee7..76224d9 100644
+--- a/git-gui/lib/choose_repository.tcl
++++ b/git-gui/lib/choose_repository.tcl
+@@ -662,8 +662,8 @@ method _do_clone2 {} {
+ 			set pwd [pwd]
+ 			if {[catch {
+ 				file mkdir [gitdir objects info]
+-				set f_in [open [file join $objdir info alternates] r]
+-				set f_cp [open [gitdir objects info alternates] w]
++				set f_in [safe_open_file [file join $objdir info alternates] r]
++				set f_cp [safe_open_file [gitdir objects info alternates] w]
+ 				fconfigure $f_in -translation binary -encoding binary
+ 				fconfigure $f_cp -translation binary -encoding binary
+ 				cd $objdir
+@@ -752,7 +752,7 @@ method _do_clone2 {} {
+ 			[cb _do_clone_tags]
+ 	}
+ 	shared {
+-		set fd [open [gitdir objects info alternates] w]
++		set fd [safe_open_file [gitdir objects info alternates] w]
+ 		fconfigure $fd -translation binary
+ 		puts $fd $objdir
+ 		close $fd
+@@ -785,8 +785,8 @@ method _copy_files {objdir tocopy} {
+ 	}
+ 	foreach p $tocopy {
+ 		if {[catch {
+-				set f_in [open [file join $objdir $p] r]
+-				set f_cp [open [file join .git objects $p] w]
++				set f_in [safe_open_file [file join $objdir $p] r]
++				set f_cp [safe_open_file [file join .git objects $p] w]
+ 				fconfigure $f_in -translation binary -encoding binary
+ 				fconfigure $f_cp -translation binary -encoding binary
+ 
+@@ -843,12 +843,12 @@ method _clone_refs {} {
+ 		error_popup [mc "Not a Git repository: %s" [file tail $origin_url]]
+ 		return 0
+ 	}
+-	set fd_in [git_read for-each-ref \
++	set fd_in [git_read [list for-each-ref \
+ 		--tcl \
+-		{--format=list %(refname) %(objectname) %(*objectname)}]
++		{--format=list %(refname) %(objectname) %(*objectname)}]]
+ 	cd $pwd
+ 
+-	set fd [open [gitdir packed-refs] w]
++	set fd [safe_open_file [gitdir packed-refs] w]
+ 	fconfigure $fd -translation binary
+ 	puts $fd "# pack-refs with: peeled"
+ 	while {[gets $fd_in line] >= 0} {
+@@ -902,7 +902,7 @@ method _do_clone_full_end {ok} {
+ 
+ 		set HEAD {}
+ 		if {[file exists [gitdir FETCH_HEAD]]} {
+-			set fd [open [gitdir FETCH_HEAD] r]
++			set fd [safe_open_file [gitdir FETCH_HEAD] r]
+ 			while {[gets $fd line] >= 0} {
+ 				if {[regexp "^(.{40})\t\t" $line line HEAD]} {
+ 					break
+@@ -978,13 +978,14 @@ method _do_clone_checkout {HEAD} {
+ 		[mc "files"]]
+ 
+ 	set readtree_err {}
+-	set fd [git_read --stderr read-tree \
++	set fd [git_read [list read-tree \
+ 		-m \
+ 		-u \
+ 		-v \
+ 		HEAD \
+ 		HEAD \
+-		]
++		] \
++		[list 2>@1]]
+ 	fconfigure $fd -blocking 0 -translation binary
+ 	fileevent $fd readable [cb _readtree_wait $fd]
+ }
+diff --git a/git-gui/lib/choose_rev.tcl b/git-gui/lib/choose_rev.tcl
+index 6dae793..8ae7e8a 100644
+--- a/git-gui/lib/choose_rev.tcl
++++ b/git-gui/lib/choose_rev.tcl
+@@ -146,14 +146,14 @@ constructor _new {path unmerged_only title} {
+ 	append fmt { %(*subject)}
+ 	append fmt {]}
+ 	set all_refn [list]
+-	set fr_fd [git_read for-each-ref \
++	set fr_fd [git_read [list for-each-ref \
+ 		--tcl \
+ 		--sort=-taggerdate \
+ 		--format=$fmt \
+ 		refs/heads \
+ 		refs/remotes \
+ 		refs/tags \
+-		]
++		]]
+ 	fconfigure $fr_fd -translation lf -encoding utf-8
+ 	while {[gets $fr_fd line] > 0} {
+ 		set line [eval $line]
+@@ -176,7 +176,7 @@ constructor _new {path unmerged_only title} {
+ 	close $fr_fd
+ 
+ 	if {$unmerged_only} {
+-		set fr_fd [git_read rev-list --all ^$::HEAD]
++		set fr_fd [git_read [list rev-list --all ^$::HEAD]]
+ 		while {[gets $fr_fd sha1] > 0} {
+ 			if {[catch {set rlst $cmt_refn($sha1)}]} continue
+ 			foreach refn $rlst {
+@@ -579,7 +579,7 @@ method _reflog_last {name} {
+ 
+ 	set last {}
+ 	if {[catch {set last [file mtime [gitdir $name]]}]
+-	&& ![catch {set g [open [gitdir logs $name] r]}]} {
++	&& ![catch {set g [safe_open_file [gitdir logs $name] r]}]} {
+ 		fconfigure $g -translation binary
+ 		while {[gets $g line] >= 0} {
+ 			if {[regexp {> ([1-9][0-9]*) } $line line when]} {
+diff --git a/git-gui/lib/commit.tcl b/git-gui/lib/commit.tcl
+index 11379f8..bb6056d 100644
+--- a/git-gui/lib/commit.tcl
++++ b/git-gui/lib/commit.tcl
+@@ -27,7 +27,7 @@ You are currently in the middle of a merge that has not been fully completed.  Y
+ 	if {[catch {
+ 			set name ""
+ 			set email ""
+-			set fd [git_read cat-file commit $curHEAD]
++			set fd [git_read [list cat-file commit $curHEAD]]
+ 			fconfigure $fd -encoding binary -translation lf
+ 			# By default commits are assumed to be in utf-8
+ 			set enc utf-8
+@@ -225,7 +225,7 @@ A good commit message has the following format:
+ 	# -- Build the message file.
+ 	#
+ 	set msg_p [gitdir GITGUI_EDITMSG]
+-	set msg_wt [open $msg_p w]
++	set msg_wt [safe_open_file $msg_p w]
+ 	fconfigure $msg_wt -translation lf
+ 	setup_commit_encoding $msg_wt
+ 	puts $msg_wt $msg
+@@ -325,7 +325,7 @@ proc commit_commitmsg_wait {fd_ph curHEAD msg_p} {
+ 
+ proc commit_writetree {curHEAD msg_p} {
+ 	ui_status [mc "Committing changes..."]
+-	set fd_wt [git_read write-tree]
++	set fd_wt [git_read [list write-tree]]
+ 	fileevent $fd_wt readable \
+ 		[list commit_committree $fd_wt $curHEAD $msg_p]
+ }
+@@ -350,7 +350,7 @@ proc commit_committree {fd_wt curHEAD msg_p} {
+ 	# -- Verify this wasn't an empty change.
+ 	#
+ 	if {$commit_type eq {normal}} {
+-		set fd_ot [git_read cat-file commit $PARENT]
++		set fd_ot [git_read [list cat-file commit $PARENT]]
+ 		fconfigure $fd_ot -encoding binary -translation lf
+ 		set old_tree [gets $fd_ot]
+ 		close $fd_ot
+@@ -388,8 +388,8 @@ A rescan will be automatically started now.
+ 	foreach p [concat $PARENT $MERGE_HEAD] {
+ 		lappend cmd -p $p
+ 	}
+-	lappend cmd <$msg_p
+-	if {[catch {set cmt_id [eval git $cmd]} err]} {
++	set msgtxt [list <$msg_p]
++	if {[catch {set cmt_id [git_redir $cmd $msgtxt]} err]} {
+ 		catch {file delete $msg_p}
+ 		error_popup [strcat [mc "commit-tree failed:"] "\n\n$err"]
+ 		ui_status [mc "Commit failed."]
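Review bot: `msgtxt` is a redirection list (`<$msg_p`), not message text; naming it `msg_redir` would match `git_redir`'s second parameter and the `[list 2>@1]` usages elsewhere in the patch. Keeping the redirection out of `$cmd` is the right move, since `$cmd` now passes through `make_arglist_safe` via `git_read` and a `<...` element inside it would be neutralised rather than honoured.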
+@@ -409,7 +409,7 @@ A rescan will be automatically started now.
+ 	if {$commit_type ne {normal}} {
+ 		append reflogm " ($commit_type)"
+ 	}
+-	set msg_fd [open $msg_p r]
++	set msg_fd [safe_open_file $msg_p r]
+ 	setup_commit_encoding $msg_fd 1
+ 	gets $msg_fd subject
+ 	close $msg_fd
+diff --git a/git-gui/lib/console.tcl b/git-gui/lib/console.tcl
+index bb6b9c8..4715ce9 100644
+--- a/git-gui/lib/console.tcl
++++ b/git-gui/lib/console.tcl
+@@ -92,10 +92,9 @@ method _init {} {
+ 
+ method exec {cmd {after {}}} {
+ 	if {[lindex $cmd 0] eq {git}} {
+-		set fd_f [eval git_read --stderr [lrange $cmd 1 end]]
++		set fd_f [git_read [lrange $cmd 1 end] [list 2>@1]]
+ 	} else {
+-		lappend cmd 2>@1
+-		set fd_f [_open_stdout_stderr $cmd]
++		set fd_f [safe_open_command $cmd [list 2>@1]]
+ 	}
+ 	fconfigure $fd_f -blocking 0 -translation binary
+ 	fileevent $fd_f readable [cb _read $fd_f $after]
+diff --git a/git-gui/lib/database.tcl b/git-gui/lib/database.tcl
+index 8578308..1fc0ea0 100644
+--- a/git-gui/lib/database.tcl
++++ b/git-gui/lib/database.tcl
+@@ -3,7 +3,7 @@
+ 
+ proc do_stats {} {
+ 	global use_ttk NS
+-	set fd [git_read count-objects -v]
++	set fd [git_read [list count-objects -v]]
+ 	while {[gets $fd line] > 0} {
+ 		if {[regexp {^([^:]+): (\d+)$} $line _ name value]} {
+ 			set stats($name) $value
+diff --git a/git-gui/lib/diff.tcl b/git-gui/lib/diff.tcl
+index 871ad48..8ec740e 100644
+--- a/git-gui/lib/diff.tcl
++++ b/git-gui/lib/diff.tcl
+@@ -202,7 +202,7 @@ proc show_other_diff {path w m cont_info} {
+ 					set sz [string length $content]
+ 				}
+ 				file {
+-					set fd [open $path r]
++					set fd [safe_open_file $path r]
+ 					fconfigure $fd \
+ 						-eofchar {} \
+ 						-encoding [get_path_encoding $path]
+@@ -226,7 +226,7 @@ proc show_other_diff {path w m cont_info} {
+ 			$ui_diff insert end \
+ 				"* [mc "Git Repository (subproject)"]\n" \
+ 				d_info
+-		} elseif {![catch {set type [exec file $path]}]} {
++		} elseif {![catch {set type [safe_exec [list file $path]]}]} {
+ 			set n [string length $path]
+ 			if {[string equal -length $n $path $type]} {
+ 				set type [string range $type $n end]
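Review bot: `safe_exec [list file $path]` still lets a tracked path that begins with `-` be parsed as an option by file(1); pass `--` before the path (`safe_exec [list file -- $path]`), which the GNU/BSD `file` implementation accepts, unless `make_arglist_safe` is documented to handle leading dashes (its definition is not in this hunk, so the intent should be stated where the call is made).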
+@@ -338,7 +338,7 @@ proc start_show_diff {cont_info {add_opts {}}} {
+ 		}
+ 	}
+ 
+-	if {[catch {set fd [eval git_read --nice $cmd]} err]} {
++	if {[catch {set fd [git_read_nice $cmd]} err]} {
+ 		set diff_active 0
+ 		unlock_index
+ 		ui_status [mc "Unable to display %s" [escape_path $path]]
+@@ -617,7 +617,7 @@ proc apply_or_revert_hunk {x y revert} {
+ 
+ 	if {[catch {
+ 		set enc [get_path_encoding $current_diff_path]
+-		set p [eval git_write $apply_cmd]
++		set p [git_write $apply_cmd]
+ 		fconfigure $p -translation binary -encoding $enc
+ 		puts -nonewline $p $wholepatch
+ 		close $p} err]} {
+@@ -853,7 +853,7 @@ proc apply_or_revert_range_or_line {x y revert} {
+ 
+ 	if {[catch {
+ 		set enc [get_path_encoding $current_diff_path]
+-		set p [eval git_write $apply_cmd]
++		set p [git_write $apply_cmd]
+ 		fconfigure $p -translation binary -encoding $enc
+ 		puts -nonewline $p $current_diff_header
+ 		puts -nonewline $p $wholepatch
+@@ -890,7 +890,7 @@ proc undo_last_revert {} {
+ 
+ 	if {[catch {
+ 		set enc $last_revert_enc
+-		set p [eval git_write $apply_cmd]
++		set p [git_write $apply_cmd]
+ 		fconfigure $p -translation binary -encoding $enc
+ 		puts -nonewline $p $last_revert
+ 		close $p} err]} {
+diff --git a/git-gui/lib/index.tcl b/git-gui/lib/index.tcl
+index d2ec24b..857864f 100644
+--- a/git-gui/lib/index.tcl
++++ b/git-gui/lib/index.tcl
+@@ -75,7 +75,7 @@ proc update_indexinfo {msg path_list after} {
+ 	if {$batch > 25} {set batch 25}
+ 
+ 	set status_bar_operation [$::main_status start $msg [mc "files"]]
+-	set fd [git_write update-index -z --index-info]
++	set fd [git_write [list update-index -z --index-info]]
+ 	fconfigure $fd \
+ 		-blocking 0 \
+ 		-buffering full \
+@@ -144,7 +144,7 @@ proc update_index {msg path_list after} {
+ 	if {$batch > 25} {set batch 25}
+ 
+ 	set status_bar_operation [$::main_status start $msg [mc "files"]]
+-	set fd [git_write update-index --add --remove -z --stdin]
++	set fd [git_write [list update-index --add --remove -z --stdin]]
+ 	fconfigure $fd \
+ 		-blocking 0 \
+ 		-buffering full \
+@@ -218,13 +218,13 @@ proc checkout_index {msg path_list after capture_error} {
+ 	if {$batch > 25} {set batch 25}
+ 
+ 	set status_bar_operation [$::main_status start $msg [mc "files"]]
+-	set fd [git_write checkout-index \
++	set fd [git_write [list checkout-index \
+ 		--index \
+ 		--quiet \
+ 		--force \
+ 		-z \
+ 		--stdin \
+-		]
++		]]
+ 	fconfigure $fd \
+ 		-blocking 0 \
+ 		-buffering full \
+diff --git a/git-gui/lib/merge.tcl b/git-gui/lib/merge.tcl
+index 664803c..44c3f93 100644
+--- a/git-gui/lib/merge.tcl
++++ b/git-gui/lib/merge.tcl
+@@ -93,7 +93,7 @@ method _start {} {
+ 	set spec [$w_rev get_tracking_branch]
+ 	set cmit [$w_rev get_commit]
+ 
+-	set fh [open [gitdir FETCH_HEAD] w]
++	set fh [safe_open_file [gitdir FETCH_HEAD] w]
+ 	fconfigure $fh -translation lf
+ 	if {$spec eq {}} {
+ 		set remote .
+@@ -118,7 +118,7 @@ method _start {} {
+ 		set cmd [list git]
+ 		lappend cmd merge
+ 		lappend cmd --strategy=recursive
+-		lappend cmd [git fmt-merge-msg <[gitdir FETCH_HEAD]]
++		lappend cmd [git_redir [list fmt-merge-msg] [list <[gitdir FETCH_HEAD]]]
+ 		lappend cmd HEAD
+ 		lappend cmd $name
+ 	}
+@@ -239,7 +239,7 @@ Continue with resetting the current changes?"]
+ 	}
+ 
+ 	if {[ask_popup $op_question] eq {yes}} {
+-		set fd [git_read --stderr read-tree --reset -u -v HEAD]
++		set fd [git_read [list read-tree --reset -u -v HEAD] [list 2>@1]]
+ 		fconfigure $fd -blocking 0 -translation binary
+ 		set status_bar_operation [$::main_status \
+ 			start \
+diff --git a/git-gui/lib/mergetool.tcl b/git-gui/lib/mergetool.tcl
+index e688b01..6b26726 100644
+--- a/git-gui/lib/mergetool.tcl
++++ b/git-gui/lib/mergetool.tcl
+@@ -88,7 +88,7 @@ proc merge_load_stages {path cont} {
+ 	set merge_stages(3) {}
+ 	set merge_stages_buf {}
+ 
+-	set merge_stages_fd [eval git_read ls-files -u -z -- {$path}]
++	set merge_stages_fd [git_read [list ls-files -u -z -- $path]]
+ 
+ 	fconfigure $merge_stages_fd -blocking 0 -translation binary -encoding binary
+ 	fileevent $merge_stages_fd readable [list read_merge_stages $merge_stages_fd $cont]
+@@ -293,7 +293,7 @@ proc merge_tool_get_stages {target stages} {
+ 	foreach fname $stages {
+ 		if {$merge_stages($i) eq {}} {
+ 			file delete $fname
+-			catch { close [open $fname w] }
++			catch { close [safe_open_file $fname w] }
+ 		} else {
+ 			# A hack to support autocrlf properly
+ 			git checkout-index -f --stage=$i -- $target
+@@ -343,9 +343,9 @@ proc merge_tool_start {cmdline target backup stages} {
+ 
+ 	# Force redirection to avoid interpreting output on stderr
+ 	# as an error, and launch the tool
+-	lappend cmdline {2>@1}
++	set redir [list {2>@1}]
+ 
+-	if {[catch { set mtool_fd [_open_stdout_stderr $cmdline] } err]} {
++	if {[catch { set mtool_fd [safe_open_command $cmdline $redir] } err]} {
+ 		delete_temp_files $mtool_tmpfiles
+ 		error_popup [mc "Could not start the merge tool:\n\n%s" $err]
+ 		return
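Review bot: `[list {2>@1}]` is the same value as the `[list 2>@1]` used for every other redirection in this patch; drop the braces for consistency. Separating `$redir` from `$cmdline` is correct here, because `$cmdline` comes from merge tool configuration and now goes through `make_arglist_safe` in `safe_open_command`, while the redirection must not.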
+diff --git a/git-gui/lib/remote.tcl b/git-gui/lib/remote.tcl
+index ef77ed7..cf796d1 100644
+--- a/git-gui/lib/remote.tcl
++++ b/git-gui/lib/remote.tcl
+@@ -32,7 +32,7 @@ proc all_tracking_branches {} {
+ 	}
+ 
+ 	if {$pat ne {}} {
+-		set fd [eval git_read for-each-ref --format=%(refname) $cmd]
++		set fd [git_read [concat for-each-ref --format=%(refname) $cmd]]
+ 		while {[gets $fd n] > 0} {
+ 			foreach spec $pat {
+ 				set dst [string range [lindex $spec 0] 0 end-2]
+@@ -75,7 +75,7 @@ proc load_all_remotes {} {
+ 
+ 		foreach name $all_remotes {
+ 			catch {
+-				set fd [open [file join $rm_dir $name] r]
++				set fd [safe_open_file [file join $rm_dir $name] r]
+ 				while {[gets $fd line] >= 0} {
+ 					if {[regexp {^URL:[ 	]*(.+)$} $line line url]} {
+ 						set remote_url($name) $url
+@@ -145,7 +145,7 @@ proc add_fetch_entry {r} {
+ 		}
+ 	} else {
+ 		catch {
+-			set fd [open [gitdir remotes $r] r]
++			set fd [safe_open_file [gitdir remotes $r] r]
+ 			while {[gets $fd n] >= 0} {
+ 				if {[regexp {^Pull:[ \t]*([^:]+):} $n]} {
+ 					set enable 1
+@@ -182,7 +182,7 @@ proc add_push_entry {r} {
+ 		}
+ 	} else {
+ 		catch {
+-			set fd [open [gitdir remotes $r] r]
++			set fd [safe_open_file [gitdir remotes $r] r]
+ 			while {[gets $fd n] >= 0} {
+ 				if {[regexp {^Push:[ \t]*([^:]+):} $n]} {
+ 					set enable 1
+diff --git a/git-gui/lib/remote_branch_delete.tcl b/git-gui/lib/remote_branch_delete.tcl
+index 5ba9fca..c8c99b1 100644
+--- a/git-gui/lib/remote_branch_delete.tcl
++++ b/git-gui/lib/remote_branch_delete.tcl
+@@ -308,7 +308,7 @@ method _load {cache uri} {
+ 		set full_list [list]
+ 		set head_cache($cache) [list]
+ 		set full_cache($cache) [list]
+-		set active_ls [git_read ls-remote $uri]
++		set active_ls [git_read [list ls-remote $uri]]
+ 		fconfigure $active_ls \
+ 			-blocking 0 \
+ 			-translation lf \
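Review bot: `git_read [list ls-remote $uri]` passes a user-typed URI directly after the subcommand; a value starting with `-` is parsed as an option by `ls-remote`. Insert `--` before `$uri` (`[list ls-remote -- $uri]`) so the argument is always treated as the repository, independent of whatever `make_arglist_safe` does with leading dashes.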
+diff --git a/git-gui/lib/shortcut.tcl b/git-gui/lib/shortcut.tcl
+index 97d1d7a..d97be99 100644
+--- a/git-gui/lib/shortcut.tcl
++++ b/git-gui/lib/shortcut.tcl
+@@ -12,7 +12,7 @@ proc do_windows_shortcut {} {
+ 			set fn ${fn}.lnk
+ 		}
+ 		# Use git-gui.exe if available (ie: git-for-windows)
+-		set cmdLine [auto_execok git-gui.exe]
++		set cmdLine [list [_which git-gui]]
+ 		if {$cmdLine eq {}} {
+ 			set cmdLine [list [info nameofexecutable] \
+ 							 [file normalize $::argv0]]
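Review bot: the fallback guarded by `if {$cmdLine eq {}}` can no longer trigger, because `set cmdLine [list [_which git-gui]]` wraps an empty lookup result in a one-element list whose string form is the two characters `{}`, not the empty string that `auto_execok` used to return. Assign `[_which git-gui]` to a variable first and test that for emptiness (or test `[lindex $cmdLine 0] eq {}`) before wrapping it with `list`; as written, when git-gui is not on the search path the shortcut is created with an empty executable instead of the `[info nameofexecutable]` fallback.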
+@@ -30,7 +30,7 @@ proc do_cygwin_shortcut {} {
+ 	global argv0 _gitworktree
+ 
+ 	if {[catch {
+-		set desktop [exec cygpath \
++		set desktop [safe_exec [list cygpath \
+ 			--windows \
+ 			--absolute \
+ 			--long-name \
+@@ -48,14 +48,14 @@ proc do_cygwin_shortcut {} {
+ 			set fn ${fn}.lnk
+ 		}
+ 		if {[catch {
+-				set sh [exec cygpath \
++				set sh [safe_exec [list cygpath \
+ 					--windows \
+ 					--absolute \
+-					/bin/sh.exe]
+-				set me [exec cygpath \
++					/bin/sh.exe]]
++				set me [safe_exec [list cygpath \
+ 					--unix \
+ 					--absolute \
+-					$argv0]
++					$argv0]]
+ 				win32_create_lnk $fn [list \
+ 					$sh -c \
+ 					"CHERE_INVOKING=1 source /etc/profile;[sq $me] &" \
+@@ -86,7 +86,7 @@ proc do_macosx_app {} {
+ 
+ 				file mkdir $MacOS
+ 
+-				set fd [open [file join $Contents Info.plist] w]
++				set fd [safe_open_file [file join $Contents Info.plist] w]
+ 				puts $fd {<?xml version="1.0" encoding="UTF-8"?>
+ <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+ <plist version="1.0">
+@@ -111,7 +111,7 @@ proc do_macosx_app {} {
+ </plist>}
+ 				close $fd
+ 
+-				set fd [open $exe w]
++				set fd [safe_open_file $exe w]
+ 				puts $fd "#!/bin/sh"
+ 				foreach name [lsort [array names env]] {
+ 					set value $env($name)
+diff --git a/git-gui/lib/sshkey.tcl b/git-gui/lib/sshkey.tcl
+index 589ff8f..c3e681b 100644
+--- a/git-gui/lib/sshkey.tcl
++++ b/git-gui/lib/sshkey.tcl
+@@ -7,7 +7,7 @@ proc find_ssh_key {} {
+ 		~/.ssh/id_rsa.pub ~/.ssh/identity.pub
+ 	} {
+ 		if {[file exists $name]} {
+-			set fh    [open $name r]
++			set fh    [safe_open_file $name r]
+ 			set cont  [read $fh]
+ 			close $fh
+ 			return [list $name $cont]
+@@ -83,9 +83,10 @@ proc make_ssh_key {w} {
+ 	set sshkey_title [mc "Generating..."]
+ 	$w.header.gen configure -state disabled
+ 
+-	set cmdline [list sh -c {echo | ssh-keygen -q -t rsa -f ~/.ssh/id_rsa 2>&1}]
++	set cmdline [list [shellpath] -c \
++		{echo | ssh-keygen -q -t rsa -f ~/.ssh/id_rsa 2>&1}]
+ 
+-	if {[catch { set sshkey_fd [_open_stdout_stderr $cmdline] } err]} {
++	if {[catch { set sshkey_fd [safe_open_command $cmdline] } err]} {
+ 		error_popup [mc "Could not start ssh-keygen:\n\n%s" $err]
+ 		return
+ 	}
+diff --git a/git-gui/lib/tools.tcl b/git-gui/lib/tools.tcl
+index 413f1a1..48fddfd 100644
+--- a/git-gui/lib/tools.tcl
++++ b/git-gui/lib/tools.tcl
+@@ -110,14 +110,14 @@ proc tools_exec {fullname} {
+ 
+ 	set cmdline $repo_config(guitool.$fullname.cmd)
+ 	if {[is_config_true "guitool.$fullname.noconsole"]} {
+-		tools_run_silent [list sh -c $cmdline] \
++		tools_run_silent [list [shellpath] -c $cmdline] \
+ 				 [list tools_complete $fullname {}]
+ 	} else {
+ 		regsub {/} $fullname { / } title
+ 		set w [console::new \
+ 			[mc "Tool: %s" $title] \
+ 			[mc "Running: %s" $cmdline]]
+-		console::exec $w [list sh -c $cmdline] \
++		console::exec $w [list [shellpath] -c $cmdline] \
+ 				 [list tools_complete $fullname $w]
+ 	}
+ 
+@@ -130,8 +130,7 @@ proc tools_exec {fullname} {
+ }
+ 
+ proc tools_run_silent {cmd after} {
+-	lappend cmd 2>@1
+-	set fd [_open_stdout_stderr $cmd]
++	set fd [safe_open_command $cmd [list 2>@1]]
+ 
+ 	fconfigure $fd -blocking 0 -translation binary
+ 	fileevent $fd readable [list tools_consume_input $fd $after]
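Review bot: `safe_open_command` is called here with two arguments (`$cmd [list 2>@1]`) but with a single argument in sshkey.tcl (`safe_open_command $cmdline`), and the gitk definition further down in this patch declares only one parameter. git-gui's own copy of the wrapper is not in this excerpt, so confirm it declares the redirect list as optional, e.g. `proc safe_open_command {cmd {redir {}}}`; a mismatch would only surface at runtime when a guitool with `noconsole` set is run.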
+diff --git a/git-gui/lib/win32.tcl b/git-gui/lib/win32.tcl
+index db91ab8..3aedae2 100644
+--- a/git-gui/lib/win32.tcl
++++ b/git-gui/lib/win32.tcl
+@@ -2,11 +2,11 @@
+ # Copyright (C) 2007 Shawn Pearce
+ 
+ proc win32_read_lnk {lnk_path} {
+-	return [exec cscript.exe \
++	return [safe_exec [list cscript.exe \
+ 		/E:jscript \
+ 		/nologo \
+ 		[file join $::oguilib win32_shortcut.js] \
+-		$lnk_path]
++		$lnk_path]]
+ }
+ 
+ proc win32_create_lnk {lnk_path lnk_exec lnk_dir} {
+@@ -15,12 +15,13 @@ proc win32_create_lnk {lnk_path lnk_exec lnk_dir} {
+ 	set lnk_args [lrange $lnk_exec 1 end]
+ 	set lnk_exec [lindex $lnk_exec 0]
+ 
+-	eval [list exec wscript.exe \
++	set cmd [list wscript.exe \
+ 		/E:jscript \
+ 		/nologo \
+ 		[file nativename [file join $oguilib win32_shortcut.js]] \
+ 		$lnk_path \
+ 		[file nativename [file join $oguilib git-gui.ico]] \
+ 		$lnk_dir \
+-		$lnk_exec] $lnk_args
++		$lnk_exec]
++	safe_exec [concat $cmd $lnk_args]
+ }
+diff --git a/gitk-git/gitk b/gitk-git/gitk
+index 23d9dd1..1c8c9c0 100755
+--- a/gitk-git/gitk
++++ b/gitk-git/gitk
+@@ -9,6 +9,92 @@ exec wish "$0" -- "$@"
+ 
+ package require Tk
+ 
++
++# Wrap exec/open to sanitize arguments
++
++# unsafe arguments begin with redirections or the pipe or background operators
++proc is_arg_unsafe {arg} {
++    regexp {^([<|>&]|2>)} $arg
++}
++
++proc make_arg_safe {arg} {
++    if {[is_arg_unsafe $arg]} {
++        set arg [file join . $arg]
++    }
++    return $arg
++}
++
++proc make_arglist_safe {arglist} {
++    set res {}
++    foreach arg $arglist {
++        lappend res [make_arg_safe $arg]
++    }
++    return $res
++}
++
++# executes one command
++# no redirections or pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# calls `exec` and returns its value
++proc safe_exec {cmd} {
++    eval exec [make_arglist_safe $cmd]
++}
++
++# executes one command with redirections
++# no pipelines are possible
++# cmd is a list that specifies the command and its arguments
++# redir is a list that specifies redirections (output, background, constant(!) commands)
++# calls `exec` and returns its value
++proc safe_exec_redirect {cmd redir} {
++    eval exec [make_arglist_safe $cmd] $redir
++}
++
++proc safe_open_file {filename flags} {
++    # a file name starting with "|" would attempt to run a process
++    # but such a file name must be treated as a relative path
++    # hide the "|" behind "./"
++    if {[string index $filename 0] eq "|"} {
++        set filename [file join . $filename]
++    }
++    open $filename $flags
++}
++
++# opens a command pipeline for reading
++# cmd is a list that specifies the command and its arguments
++# calls `open` and returns the file id
++proc safe_open_command {cmd} {
++    open |[make_arglist_safe $cmd] r
++}
++
++# opens a command pipeline for reading and writing
++# cmd is a list that specifies the command and its arguments
++# calls `open` and returns the file id
++proc safe_open_command_rw {cmd} {
++    open |[make_arglist_safe $cmd] r+
++}
++
++# opens a command pipeline for reading with redirections
++# cmd is a list that specifies the command and its arguments
++# redir is a list that specifies redirections
++# calls `open` and returns the file id
++proc safe_open_command_redirect {cmd redir} {
++    set cmd [make_arglist_safe $cmd]
++    open |[concat $cmd $redir] r
++}
++
++# opens a pipeline with several commands for reading
++# cmds is a list of lists, each of which specifies a command and its arguments
++# calls `open` and returns the file id
++proc safe_open_pipeline {cmds} {
++    set cmd {}
++    foreach subcmd $cmds {
++        set cmd [concat $cmd | [make_arglist_safe $subcmd]]
++    }
++    open $cmd r
++}
++
++# End exec/open wrappers
++
+ proc hasworktree {} {
+     return [expr {[exec git rev-parse --is-bare-repository] == "false" &&
+                   [exec git rev-parse --is-inside-git-dir] == "false"}]
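Review bot: `make_arg_safe` silently changes the meaning of any argument that starts with `<`, `>`, `|` or `&` by prefixing `./`, and the comment above it should say so. For a file name that is harmless, but git permits those characters in ref names, so a ref passed through `safe_exec [concat git rev-parse $revs]` or `safe_exec [concat git branch $cmdargs]` later in this patch is turned into a path and fails rather than being resolved; that is an acceptable trade-off, but it should be documented rather than discovered. The regexp in `is_arg_unsafe` does cover every operator spelling Tcl's exec recognises (`<`, `<@`, `<<`, `>`, `>>`, `>&`, `>@`, `2>`, `2>@1`, `|`, `|&`, `&`), since each begins with one of those characters or with `2>`. The `$redir` list of `safe_exec_redirect` and `safe_open_command_redirect` is passed to exec unsanitised, which the "constant(!)" remark acknowledges, yet several callers below build it from user-supplied names (`[list >$fname &]`); the comment should state that the operator and the file name must be separate list elements so that the file name cannot extend the operator.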
+@@ -134,7 +220,7 @@ proc unmerged_files {files} {
+     set mlist {}
+     set nr_unmerged 0
+     if {[catch {
+-        set fd [open "| git ls-files -u" r]
++        set fd [safe_open_command {git ls-files -u}]
+     } err]} {
+         show_error {} . "[mc "Couldn't get list of unmerged files:"] $err"
+         exit 1
+@@ -296,7 +382,7 @@ proc parseviewrevs {view revs} {
+     } elseif {[lsearch -exact $revs --all] >= 0} {
+         lappend revs HEAD
+     }
+-    if {[catch {set ids [eval exec git rev-parse $revs]} err]} {
++    if {[catch {set ids [safe_exec [concat git rev-parse $revs]]} err]} {
+         # we get stdout followed by stderr in $err
+         # for an unknown rev, git rev-parse echoes it and then errors out
+         set errlines [split $err "\n"]
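Review bot: because `make_arglist_safe` rewrites any rev beginning with `<`, `>`, `|` or `&` to `./...` before `git rev-parse` sees it, the echo of an unknown rev in `$err` that the comment above relies on will contain the rewritten name, not what the user typed. Any matching of `$errlines` against the original `$revs` has to allow for that, or such revs should be reported as invalid before the call is made.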
+@@ -374,7 +460,7 @@ proc start_rev_list {view} {
+     set args $viewargs($view)
+     if {$viewargscmd($view) ne {}} {
+         if {[catch {
+-            set str [exec sh -c $viewargscmd($view)]
++            set str [safe_exec [list sh -c $viewargscmd($view)]]
+         } err]} {
+             error_popup "[mc "Error executing --argscmd command:"] $err"
+             return 0
+@@ -405,14 +491,16 @@ proc start_rev_list {view} {
+         if {$revs eq {}} {
+             return 0
+         }
+-        set args [concat $vflags($view) $revs]
++        set args $vflags($view)
+     } else {
++        set revs {}
+         set args $vorigargs($view)
+     }
+ 
+     if {[catch {
+-        set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
+-                        --parents --boundary $args "--" $files] r]
++        set fd [safe_open_command_redirect [concat git log --no-color -z --pretty=raw $show_notes \
++                        --parents --boundary $args --stdin] \
++                        [list "<<[join [concat $revs "--" $files] "\n"]"]]
+     } err]} {
+         error_popup "[mc "Error executing git log:"] $err"
+         return 0
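Review bot: a short comment is missing on why revisions and path limits now reach `git log` through `--stdin` and the `<<` here-string instead of the argument list: it keeps user-entered revs away from the `./` rewrite in `make_arglist_safe`, and only plain revisions, `^rev` and the `--` separator are written to stdin because older git versions reject options there. Two caveats are worth a line as well: `[join ... "\n"]` turns a path in `$files` that contains a newline into two pathspecs, where it used to be a single argv element, and in the `else` branch `$vorigargs($view)` still carries the user's revs on the command line, where the rewrite does apply.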
+@@ -446,9 +534,9 @@ proc stop_instance {inst} {
+         set pid [pid $fd]
+ 
+         if {$::tcl_platform(platform) eq {windows}} {
+-            exec taskkill /pid $pid
++            safe_exec [list taskkill /pid $pid]
+         } else {
+-            exec kill $pid
++            safe_exec [list kill $pid]
+         }
+     }
+     catch {close $fd}
+@@ -554,13 +642,18 @@ proc updatecommits {} {
+             set revs $newrevs
+             set vposids($view) [lsort -unique [concat $oldpos $vposids($view)]]
+         }
+-        set args [concat $vflags($view) $revs --not $oldpos]
++        set args $vflags($view)
++        foreach r $oldpos {
++                lappend revs "^$r"
++        }
+     } else {
++        set revs {}
+         set args $vorigargs($view)
+     }
+     if {[catch {
+-        set fd [open [concat | git log --no-color -z --pretty=raw $show_notes \
+-                        --parents --boundary $args "--" $vfilelimit($view)] r]
++        set fd [safe_open_command_redirect [concat git log --no-color -z --pretty=raw $show_notes \
++                        --parents --boundary $args --stdin] \
++                        [list "<<[join [concat $revs "--" $vfilelimit($view)] "\n"]"]]
+     } err]} {
+         error_popup "[mc "Error executing git log:"] $err"
+         return
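Review bot: the body of `foreach r $oldpos {` (`lappend revs "^$r"`) is indented with 16 spaces where the surrounding code uses 12; realign it. Replacing `--not $oldpos` with an explicit `^$r` per revision is the right choice, since `--not` is an option that cannot be sent to `git log --stdin` on older git, but that reasoning belongs in a comment; a later cleanup could otherwise reintroduce `--not` on the stdin stream and break the view update.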
+@@ -1527,8 +1620,8 @@ proc getcommitlines {fd inst view updating}  {
+             # and if we already know about it, using the rewritten
+             # parent as a substitute parent for $id's children.
+             if {![catch {
+-                set rwid [exec git rev-list --first-parent --max-count=1 \
+-                              $id -- $vfilelimit($view)]
++                set rwid [safe_exec [list git rev-list --first-parent --max-count=1 \
++                              $id -- $vfilelimit($view)]]
+             }]} {
+                 if {$rwid ne {} && [info exists varcid($view,$rwid)]} {
+                     # use $rwid in place of $id
+@@ -1648,7 +1741,7 @@ proc do_readcommit {id} {
+     global tclencoding
+ 
+     # Invoke git-log to handle automatic encoding conversion
+-    set fd [open [concat | git log --no-color --pretty=raw -1 $id] r]
++    set fd [safe_open_command [concat git log --no-color --pretty=raw -1 $id]]
+     # Read the results using i18n.logoutputencoding
+     fconfigure $fd -translation lf -eofchar {}
+     if {$tclencoding != {}} {
+@@ -1784,7 +1877,7 @@ proc readrefs {} {
+     foreach v {tagids idtags headids idheads otherrefids idotherrefs} {
+         unset -nocomplain $v
+     }
+-    set refd [open [list | git show-ref -d] r]
++    set refd [safe_open_command [list git show-ref -d]]
+     if {$tclencoding != {}} {
+         fconfigure $refd -encoding $tclencoding
+     }
+@@ -1832,7 +1925,7 @@ proc readrefs {} {
+     set selectheadid {}
+     if {$selecthead ne {}} {
+         catch {
+-            set selectheadid [exec git rev-parse --verify $selecthead]
++            set selectheadid [safe_exec [list git rev-parse --verify $selecthead]]
+         }
+     }
+ }
+@@ -2092,7 +2185,7 @@ proc makewindow {} {
+             {mc "Reread re&ferences" command rereadrefs}
+             {mc "&List references" command showrefs -accelerator F2}
+             {xx "" separator}
+-            {mc "Start git &gui" command {exec git gui &}}
++            {mc "Start git &gui" command {safe_exec_redirect [list git gui] [list &]}}
+             {xx "" separator}
+             {mc "&Quit" command doquit -accelerator Meta1-Q}
+         }}
+@@ -2874,7 +2967,7 @@ proc savestuff {w} {
+     set remove_tmp 0
+     if {[catch {
+         set try_count 0
+-        while {[catch {set f [open $config_file_tmp {WRONLY CREAT EXCL}]}]} {
++        while {[catch {set f [safe_open_file $config_file_tmp {WRONLY CREAT EXCL}]}]} {
+             if {[incr try_count] > 50} {
+                 error "Unable to write config file: $config_file_tmp exists"
+             }
+@@ -2955,9 +3048,9 @@ proc savestuff {w} {
+ proc resizeclistpanes {win w} {
+     global oldwidth oldsash use_ttk
+     if {[info exists oldwidth($win)]} {
+-	if {[info exists oldsash($win)]} {
+-	    set s0 [lindex $oldsash($win) 0]
+-	    set s1 [lindex $oldsash($win) 1]
++        if {[info exists oldsash($win)]} {
++            set s0 [lindex $oldsash($win) 0]
++            set s1 [lindex $oldsash($win) 1]
+         } elseif {$use_ttk} {
+             set s0 [$win sashpos 0]
+             set s1 [$win sashpos 1]
+@@ -2991,8 +3084,10 @@ proc resizeclistpanes {win w} {
+         } else {
+             $win sash place 0 $sash0 [lindex $s0 1]
+             $win sash place 1 $sash1 [lindex $s1 1]
++            set sash0 [list $sash0 [lindex $s0 1]]
++            set sash1 [list $sash1 [lindex $s1 1]]
+         }
+-	set oldsash($win) [list $sash0 $sash1]
++        set oldsash($win) [list $sash0 $sash1]
+     }
+     set oldwidth($win) $w
+ }
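Review bot: this hunk, and the matching `resizecdetpanes` hunk below, mixes the tab-to-space reindent of the neighbouring hunks with a functional change: in the non-ttk branch `set sash0 [list $sash0 [lindex $s0 1]]` now stores the `{x y}` pair that the next call's `[lindex $s0 1]` expects, where previously only the bare coordinate was saved in `oldsash`. That looks like a real fix, but it has nothing to do with the exec/open hardening; either mention it in the commit message or split it out so the security change can be reviewed and backported on its own.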
+@@ -3000,8 +3095,8 @@ proc resizeclistpanes {win w} {
+ proc resizecdetpanes {win w} {
+     global oldwidth oldsash use_ttk
+     if {[info exists oldwidth($win)]} {
+-	if {[info exists oldsash($win)]} {
+-	    set s0 $oldsash($win)
++        if {[info exists oldsash($win)]} {
++            set s0 $oldsash($win)
+         } elseif {$use_ttk} {
+             set s0 [$win sashpos 0]
+         } else {
+@@ -3023,8 +3118,9 @@ proc resizecdetpanes {win w} {
+             $win sashpos 0 $sash0
+         } else {
+             $win sash place 0 $sash0 [lindex $s0 1]
++            set sash0 [list $sash0 [lindex $s0 1]]
+         }
+-	set oldsash($win) $sash0
++        set oldsash($win) $sash0
+     }
+     set oldwidth($win) $w
+ }
+@@ -3587,7 +3683,7 @@ proc gitknewtmpdir {} {
+             set tmpdir $gitdir
+         }
+         set gitktmpformat [file join $tmpdir ".gitk-tmp.XXXXXX"]
+-        if {[catch {set gitktmpdir [exec mktemp -d $gitktmpformat]}]} {
++        if {[catch {set gitktmpdir [safe_exec [list mktemp -d $gitktmpformat]]}]} {
+             set gitktmpdir [file join $gitdir [format ".gitk-tmp.%s" [pid]]]
+         }
+         if {[catch {file mkdir $gitktmpdir} err]} {
+@@ -3609,7 +3705,7 @@ proc gitknewtmpdir {} {
+ proc save_file_from_commit {filename output what} {
+     global nullfile
+ 
+-    if {[catch {exec git show $filename -- > $output} err]} {
++    if {[catch {safe_exec_redirect [list git show $filename --] [list > $output]} err]} {
+         if {[string match "fatal: bad revision *" $err]} {
+             return $nullfile
+         }
+@@ -3674,7 +3770,7 @@ proc external_diff {} {
+ 
+     if {$difffromfile ne {} && $difftofile ne {}} {
+         set cmd [list [shellsplit $extdifftool] $difffromfile $difftofile]
+-        if {[catch {set fl [open |$cmd r]} err]} {
++        if {[catch {set fl [safe_open_command $cmd]} err]} {
+             file delete -force $diffdir
+             error_popup "$extdifftool: [mc "command failed:"] $err"
+         } else {
+@@ -3778,7 +3874,7 @@ proc external_blame_diff {} {
+ # Find the SHA1 ID of the blob for file $fname in the index
+ # at stage 0 or 2
+ proc index_sha1 {fname} {
+-    set f [open [list | git ls-files -s $fname] r]
++    set f [safe_open_command [list git ls-files -s $fname]]
+     while {[gets $f line] >= 0} {
+         set info [lindex [split $line "\t"] 0]
+         set stage [lindex $info 2]
+@@ -3838,7 +3934,7 @@ proc external_blame {parent_idx {line {}}} {
+     # being given an absolute path...
+     set f [make_relative $f]
+     lappend cmdline $base_commit $f
+-    if {[catch {eval exec $cmdline &} err]} {
++    if {[catch {safe_exec_redirect $cmdline [list &]} err]} {
+         error_popup "[mc "git gui blame: command failed:"] $err"
+     }
+ }
+@@ -3866,7 +3962,7 @@ proc show_line_source {} {
+                 # must be a merge in progress...
+                 if {[catch {
+                     # get the last line from .git/MERGE_HEAD
+-                    set f [open [file join $gitdir MERGE_HEAD] r]
++                    set f [safe_open_file [file join $gitdir MERGE_HEAD] r]
+                     set id [lindex [split [read $f] "\n"] end-1]
+                     close $f
+                 } err]} {
+@@ -3889,19 +3985,17 @@ proc show_line_source {} {
+         }
+         set line [lindex $h 1]
+     }
+-    set blameargs {}
++    set blamefile [file join $cdup $flist_menu_file]
+     if {$from_index ne {}} {
+-        lappend blameargs | git cat-file blob $from_index
+-    }
+-    lappend blameargs | git blame -p -L$line,+1
+-    if {$from_index ne {}} {
+-        lappend blameargs --contents -
++        set blameargs [list \
++            [list git cat-file blob $from_index] \
++            [list git blame -p -L$line,+1 --contents - -- $blamefile]]
+     } else {
+-        lappend blameargs $id
++        set blameargs [list \
++            [list git blame -p -L$line,+1 $id -- $blamefile]]
+     }
+-    lappend blameargs -- [file join $cdup $flist_menu_file]
+     if {[catch {
+-        set f [open $blameargs r]
++        set f [safe_open_pipeline $blameargs]
+     } err]} {
+         error_popup [mc "Couldn't start git blame: %s" $err]
+         return
+@@ -4826,8 +4920,8 @@ proc do_file_hl {serial} {
+         # must be "containing:", i.e. we're searching commit info
+         return
+     }
+-    set cmd [concat | git diff-tree -r -s --stdin $gdtargs]
+-    set filehighlight [open $cmd r+]
++    set cmd [concat git diff-tree -r -s --stdin $gdtargs]
++    set filehighlight [safe_open_command_rw $cmd]
+     fconfigure $filehighlight -blocking 0
+     filerun $filehighlight readfhighlight
+     set fhl_list {}
+@@ -5256,8 +5350,8 @@ proc get_viewmainhead {view} {
+     global viewmainheadid vfilelimit viewinstances mainheadid
+ 
+     catch {
+-        set rfd [open [concat | git rev-list -1 $mainheadid \
+-                           -- $vfilelimit($view)] r]
++        set rfd [safe_open_command [concat git rev-list -1 $mainheadid \
++                           -- $vfilelimit($view)]]
+         set j [reg_instance $rfd]
+         lappend viewinstances($view) $j
+         fconfigure $rfd -blocking 0
+@@ -5322,14 +5416,14 @@ proc dodiffindex {} {
+     if {!$showlocalchanges || !$hasworktree} return
+     incr lserial
+     if {[package vcompare $git_version "1.7.2"] >= 0} {
+-        set cmd "|git diff-index --cached --ignore-submodules=dirty HEAD"
++        set cmd "git diff-index --cached --ignore-submodules=dirty HEAD"
+     } else {
+-        set cmd "|git diff-index --cached HEAD"
++        set cmd "git diff-index --cached HEAD"
+     }
+     if {$vfilelimit($curview) ne {}} {
+         set cmd [concat $cmd -- $vfilelimit($curview)]
+     }
+-    set fd [open $cmd r]
++    set fd [safe_open_command $cmd]
+     fconfigure $fd -blocking 0
+     set i [reg_instance $fd]
+     filerun $fd [list readdiffindex $fd $lserial $i]
+@@ -5354,11 +5448,11 @@ proc readdiffindex {fd serial inst} {
+     }
+ 
+     # now see if there are any local changes not checked in to the index
+-    set cmd "|git diff-files"
++    set cmd "git diff-files"
+     if {$vfilelimit($curview) ne {}} {
+         set cmd [concat $cmd -- $vfilelimit($curview)]
+     }
+-    set fd [open $cmd r]
++    set fd [safe_open_command $cmd]
+     fconfigure $fd -blocking 0
+     set i [reg_instance $fd]
+     filerun $fd [list readdifffiles $fd $serial $i]
+@@ -7147,8 +7241,8 @@ proc browseweb {url} {
+     global web_browser
+ 
+     if {$web_browser eq {}} return
+-    # Use eval here in case $web_browser is a command plus some arguments
+-    if {[catch {eval exec $web_browser [list $url] &} err]} {
++    # Use concat here in case $web_browser is a command plus some arguments
++    if {[catch {safe_exec_redirect [concat $web_browser [list $url]] [list &]} err]} {
+         error_popup "[mc "Error starting web browser:"] $err"
+     }
+ }
+@@ -7650,13 +7744,13 @@ proc gettree {id} {
+     if {![info exists treefilelist($id)]} {
+         if {![info exists treepending]} {
+             if {$id eq $nullid} {
+-                set cmd [list | git ls-files]
++                set cmd [list git ls-files]
+             } elseif {$id eq $nullid2} {
+-                set cmd [list | git ls-files --stage -t]
++                set cmd [list git ls-files --stage -t]
+             } else {
+-                set cmd [list | git ls-tree -r $id]
++                set cmd [list git ls-tree -r $id]
+             }
+-            if {[catch {set gtf [open $cmd r]}]} {
++            if {[catch {set gtf [safe_open_command $cmd]}]} {
+                 return
+             }
+             set treepending $id
+@@ -7720,13 +7814,13 @@ proc showfile {f} {
+         return
+     }
+     if {$diffids eq $nullid} {
+-        if {[catch {set bf [open $f r]} err]} {
++        if {[catch {set bf [safe_open_file $f r]} err]} {
+             puts "oops, can't read $f: $err"
+             return
+         }
+     } else {
+         set blob [lindex $treeidlist($diffids) $i]
+-        if {[catch {set bf [open [concat | git cat-file blob $blob] r]} err]} {
++        if {[catch {set bf [safe_open_command [concat git cat-file blob $blob]]} err]} {
+             puts "oops, error reading blob $blob: $err"
+             return
+         }
+@@ -7876,7 +7970,7 @@ proc diffcmd {ids flags} {
+     if {$i >= 0} {
+         if {[llength $ids] > 1 && $j < 0} {
+             # comparing working directory with some specific revision
+-            set cmd [concat | git diff-index $flags]
++            set cmd [concat git diff-index $flags]
+             if {$i == 0} {
+                 lappend cmd -R [lindex $ids 1]
+             } else {
+@@ -7884,7 +7978,7 @@ proc diffcmd {ids flags} {
+             }
+         } else {
+             # comparing working directory with index
+-            set cmd [concat | git diff-files $flags]
++            set cmd [concat git diff-files $flags]
+             if {$j == 1} {
+                 lappend cmd -R
+             }
+@@ -7893,7 +7987,7 @@ proc diffcmd {ids flags} {
+         if {[package vcompare $git_version "1.7.2"] >= 0} {
+             set flags "$flags --ignore-submodules=dirty"
+         }
+-        set cmd [concat | git diff-index --cached $flags]
++        set cmd [concat git diff-index --cached $flags]
+         if {[llength $ids] > 1} {
+             # comparing index with specific revision
+             if {$j == 0} {
+@@ -7909,7 +8003,7 @@ proc diffcmd {ids flags} {
+         if {$log_showroot} {
+             lappend flags --root
+         }
+-        set cmd [concat | git diff-tree -r $flags $ids]
++        set cmd [concat git diff-tree -r $flags $ids]
+     }
+     return $cmd
+ }
+@@ -7921,7 +8015,7 @@ proc gettreediffs {ids} {
+     if {$limitdiffs && $vfilelimit($curview) ne {}} {
+             set cmd [concat $cmd -- $vfilelimit($curview)]
+     }
+-    if {[catch {set gdtf [open $cmd r]}]} return
++    if {[catch {set gdtf [safe_open_command $cmd]}]} return
+ 
+     set treepending $ids
+     set treediff {}
+@@ -8041,7 +8135,7 @@ proc getblobdiffs {ids} {
+     if {$limitdiffs && $vfilelimit($curview) ne {}} {
+         set cmd [concat $cmd -- $vfilelimit($curview)]
+     }
+-    if {[catch {set bdf [open $cmd r]} err]} {
++    if {[catch {set bdf [safe_open_command $cmd]} err]} {
+         error_popup [mc "Error getting diffs: %s" $err]
+         return
+     }
+@@ -8758,7 +8852,7 @@ proc gotocommit {} {
+                 set id [lindex $matches 0]
+             }
+         } else {
+-            if {[catch {set id [exec git rev-parse --verify $sha1string]}]} {
++            if {[catch {set id [safe_exec [list git rev-parse --verify $sha1string]]}]} {
+                 error_popup [mc "Revision %s is not known" $sha1string]
+                 return
+             }
+@@ -9064,10 +9158,8 @@ proc getpatchid {id} {
+ 
+     if {![info exists patchids($id)]} {
+         set cmd [diffcmd [list $id] {-p --root}]
+-        # trim off the initial "|"
+-        set cmd [lrange $cmd 1 end]
+         if {[catch {
+-            set x [eval exec $cmd | git patch-id]
++            set x [safe_exec_redirect $cmd [list | git patch-id]]
+             set patchids($id) [lindex $x 0]
+         }]} {
+             set patchids($id) "error"
+@@ -9163,14 +9255,14 @@ proc diffcommits {a b} {
+     set fna [file join $tmpdir "commit-[string range $a 0 7]"]
+     set fnb [file join $tmpdir "commit-[string range $b 0 7]"]
+     if {[catch {
+-        exec git diff-tree -p --pretty $a >$fna
+-        exec git diff-tree -p --pretty $b >$fnb
++        safe_exec_redirect [list git diff-tree -p --pretty $a] [list >$fna]
++        safe_exec_redirect [list git diff-tree -p --pretty $b] [list >$fnb]
+     } err]} {
+         error_popup [mc "Error writing commit to file: %s" $err]
+         return
+     }
+     if {[catch {
+-        set fd [open "| diff -U$diffcontext $fna $fnb" r]
++        set fd [safe_open_command "diff -U$diffcontext $fna $fnb"]
+     } err]} {
+         error_popup [mc "Error diffing commits: %s" $err]
+         return
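Review bot: `safe_open_command "diff -U$diffcontext $fna $fnb"` hands the wrapper a whitespace-separated string rather than a list, so `make_arglist_safe` iterates over its words and a `$tmpdir` containing a space (it is derived from `$gitdir` in `gitknewtmpdir`) is split into extra arguments. Build it as `[list diff -U$diffcontext $fna $fnb]`, which is how the two `safe_exec_redirect` calls just above already pass `$fna` and `$fnb`. Interpolating into a string is fine for the constant `"git diff-index ..."` commands elsewhere in the patch, just not where paths are substituted.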
+@@ -9310,10 +9402,7 @@ proc mkpatchgo {} {
+     set newid [$patchtop.tosha1 get]
+     set fname [$patchtop.fname get]
+     set cmd [diffcmd [list $oldid $newid] -p]
+-    # trim off the initial "|"
+-    set cmd [lrange $cmd 1 end]
+-    lappend cmd >$fname &
+-    if {[catch {eval exec $cmd} err]} {
++    if {[catch {safe_exec_redirect $cmd [list >$fname &]} err]} {
+         error_popup "[mc "Error creating patch:"] $err" $patchtop
+     }
+     catch {destroy $patchtop}
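Review bot: `[list >$fname &]` glues the redirect operator to a file name typed into the dialog, so a `$fname` beginning with `>`, `&` or `@` changes the operator (`>>` appends, `>&` also captures stderr, `>@` treats the remainder as a Tcl channel id), and an empty `$fname` makes the trailing `&` the file name and drops the background flag. Pass the name as its own element, `[list > $fname &]`, as `save_file_from_commit` does with `[list > $output]`, and reject an empty name before building the command.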
+@@ -9382,9 +9471,9 @@ proc domktag {} {
+     }
+     if {[catch {
+         if {$msg != {}} {
+-            exec git tag -a -m $msg $tag $id
++            safe_exec [list git tag -a -m $msg $tag $id]
+         } else {
+-            exec git tag $tag $id
++            safe_exec [list git tag $tag $id]
+         }
+     } err]} {
+         error_popup "[mc "Error creating tag:"] $err" $mktagtop
+@@ -9452,7 +9541,7 @@ proc copyreference {} {
+     if {$autosellen < 40} {
+         lappend cmd --abbrev=$autosellen
+     }
+-    set reference [eval exec $cmd $rowmenuid]
++    set reference [safe_exec [concat $cmd $rowmenuid]]
+ 
+     clipboard clear
+     clipboard append $reference
+@@ -9502,7 +9591,7 @@ proc wrcomgo {} {
+     set id [$wrcomtop.sha1 get]
+     set cmd "echo $id | [$wrcomtop.cmd get]"
+     set fname [$wrcomtop.fname get]
+-    if {[catch {exec sh -c $cmd >$fname &} err]} {
++    if {[catch {safe_exec_redirect [list sh -c $cmd] [list >$fname &]} err]} {
+         error_popup "[mc "Error writing commit:"] $err" $wrcomtop
+     }
+     catch {destroy $wrcomtop}
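Review bot: same redirect construction as in `mkpatchgo`: with `[list >$fname &]` the leading characters of `$fname` become part of the operator, so use `[list > $fname &]` and refuse an empty name. Separately, `$id` read from the entry widget is interpolated unquoted into the `sh -c` string at `set cmd "echo $id | [$wrcomtop.cmd get]"`; quoting it for the shell, or passing it through the environment, keeps the user's own command the only shell-interpreted part of that line.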
+@@ -9606,7 +9695,7 @@ proc mkbrgo {top} {
+     nowbusy newbranch
+     update
+     if {[catch {
+-        eval exec git branch $cmdargs
++        safe_exec [concat git branch $cmdargs]
+     } err]} {
+         notbusy newbranch
+         error_popup $err
+@@ -9647,7 +9736,7 @@ proc mvbrgo {top prevname} {
+     nowbusy renamebranch
+     update
+     if {[catch {
+-        eval exec git branch $cmdargs
++        safe_exec [concat git branch $cmdargs]
+     } err]} {
+         notbusy renamebranch
+         error_popup $err
+@@ -9688,7 +9777,7 @@ proc exec_citool {tool_args {baseid {}}} {
+         }
+     }
+ 
+-    eval exec git citool $tool_args &
++    safe_exec_redirect [concat git citool $tool_args] [list &]
+ 
+     array unset env GIT_AUTHOR_*
+     array set env $save_env
+@@ -9711,7 +9800,7 @@ proc cherrypick {} {
+     update
+     # Unfortunately git-cherry-pick writes stuff to stderr even when
+     # no error occurs, and exec takes that as an indication of error...
+-    if {[catch {exec sh -c "git cherry-pick -r $rowmenuid 2>&1"} err]} {
++    if {[catch {safe_exec [list sh -c "git cherry-pick -r $rowmenuid 2>&1"]} err]} {
+         notbusy cherrypick
+         if {[regexp -line \
+                  {Entry '(.*)' (would be overwritten by merge|not uptodate)} \
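Review bot: with the new wrappers this call no longer needs a shell: `safe_exec_redirect [list git cherry-pick -r $rowmenuid] [list 2>@1]` gives the stdout/stderr merge the comment above asks for, matches how `resethead` is converted later in this patch, and stops `$rowmenuid` from being interpolated into a `sh -c` string. It also removes a hard dependency on `sh` being on PATH, which the git-gui half of this patch took care to replace with `[shellpath]`.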
+@@ -9773,7 +9862,7 @@ proc revert {} {
+     nowbusy revert [mc "Reverting"]
+     update
+ 
+-    if [catch {exec git revert --no-edit $rowmenuid} err] {
++    if [catch {safe_exec [list git revert --no-edit $rowmenuid]} err] {
+         notbusy revert
+         if [regexp {files would be overwritten by merge:(\n(( |\t)+[^\n]+\n)+)}\
+                 $err match files] {
+@@ -9849,8 +9938,8 @@ proc resethead {} {
+     bind $w <Visibility> "grab $w; focus $w"
+     tkwait window $w
+     if {!$confirm_ok} return
+-    if {[catch {set fd [open \
+-            [list | git reset --$resettype $rowmenuid 2>@1] r]} err]} {
++    if {[catch {set fd [safe_open_command_redirect \
++            [list git reset --$resettype $rowmenuid] [list 2>@1]]} err]} {
+         error_popup $err
+     } else {
+         dohidelocalchanges
+@@ -9921,7 +10010,7 @@ proc cobranch {} {
+ 
+     # check the tree is clean first??
+     set newhead $headmenuhead
+-    set command [list | git checkout]
++    set command [list git checkout]
+     if {[string match "remotes/*" $newhead]} {
+         set remote $newhead
+         set newhead [string range $newhead [expr [string last / $newhead] + 1] end]
+@@ -9935,12 +10024,11 @@ proc cobranch {} {
+     } else {
+         lappend command $newhead
+     }
+-    lappend command 2>@1
+     nowbusy checkout [mc "Checking out"]
+     update
+     dohidelocalchanges
+     if {[catch {
+-        set fd [open $command r]
++        set fd [safe_open_command_redirect $command [list 2>@1]]
+     } err]} {
+         notbusy checkout
+         error_popup $err
+@@ -10006,7 +10094,7 @@ proc rmbranch {} {
+     }
+     nowbusy rmbranch
+     update
+-    if {[catch {exec git branch -D $head} err]} {
++    if {[catch {safe_exec [list git branch -D $head]} err]} {
+         notbusy rmbranch
+         error_popup $err
+         return
+@@ -10197,7 +10285,7 @@ proc getallcommits {} {
+         set cachedarcs 0
+         set allccache [file join $gitdir "gitk.cache"]
+         if {![catch {
+-            set f [open $allccache r]
++            set f [safe_open_file $allccache r]
+             set allcwait 1
+             getcache $f
+         }]} return
+@@ -10206,7 +10294,7 @@ proc getallcommits {} {
+     if {$allcwait} {
+         return
+     }
+-    set cmd [list | git rev-list --parents]
++    set cmd [list git rev-list --parents]
+     set allcupdate [expr {$seeds ne {}}]
+     if {!$allcupdate} {
+         set ids "--all"
+@@ -10228,10 +10316,17 @@ proc getallcommits {} {
+             foreach id $seeds {
+                 lappend ids "^$id"
+             }
++            lappend ids "--"
+         }
+     }
+     if {$ids ne {}} {
+-        set fd [open [concat $cmd $ids] r]
++        if {$ids eq "--all"} {
++            set cmd [concat $cmd "--all"]
++            set fd [safe_open_command $cmd]
++        } else {
++            set cmd [concat $cmd --stdin]
++            set fd [safe_open_command_redirect $cmd [list "<<[join $ids "\n"]"]]
++        }
+         fconfigure $fd -blocking 0
+         incr allcommits
+         nowbusy allcommits
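Review bot: Feeding the seed list to `git rev-list --stdin` through the `<<[join $ids "\n"]` redirect, with `--` appended to `$ids` in the non-`--all` branch, keeps every `^$id` out of the argument vector and terminates the revision list so nothing following it can be read as an option. The `--all` case stays on the command line and gets no `--`, which is fine because it carries no user-supplied refs. One check: the branch test is the exact string comparison `$ids eq "--all"`, so any ids list that is not exactly that single word goes through the stdin path, which is the one that appended `--`, so both paths are covered.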
+@@ -10621,7 +10716,7 @@ proc savecache {} {
+     set cachearc 0
+     set cachedarcs $nextarc
+     catch {
+-        set f [open $allccache w]
++        set f [safe_open_file $allccache w]
+         puts $f [list 1 $cachedarcs]
+         run writecache $f
+     }
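Review bot: Both the read side in getallcommits and this write side now open `$allccache` via `safe_open_file`, so the `gitk.cache` path under `$gitdir` is handled the same way in both directions. The surrounding `catch` still swallows every error, so a failed cache write remains silent; that is pre-existing behaviour, not something this hunk changes.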
+@@ -11324,7 +11419,7 @@ proc add_tag_ctext {tag} {
+ 
+     if {![info exists cached_tagcontent($tag)]} {
+         catch {
+-            set cached_tagcontent($tag) [exec git cat-file -p $tag]
++            set cached_tagcontent($tag) [safe_exec [list git cat-file -p $tag]]
+         }
+     }
+     $ctext insert end "[mc "Tag"]: $tag\n" bold
+@@ -11927,7 +12022,7 @@ proc formatdate {d} {
+ }
+ 
+ # This list of encoding names and aliases is distilled from
+-# http://www.iana.org/assignments/character-sets.
++# https://www.iana.org/assignments/character-sets.
+ # Not all of them are supported by Tcl.
+ set encoding_aliases {
+     { ANSI_X3.4-1968 iso-ir-6 ANSI_X3.4-1986 ISO_646.irv:1991 ASCII
+@@ -12210,7 +12305,7 @@ proc gitattr {path attr default} {
+         set r $path_attr_cache($attr,$path)
+     } else {
+         set r "unspecified"
+-        if {![catch {set line [exec git check-attr $attr -- $path]}]} {
++        if {![catch {set line [safe_exec [list git check-attr $attr -- $path]]}]} {
+             regexp "(.*): $attr: (.*)" $line m f r
+         }
+         set path_attr_cache($attr,$path) $r
+@@ -12237,7 +12332,7 @@ proc cache_gitattr {attr pathlist} {
+     while {$newlist ne {}} {
+         set head [lrange $newlist 0 [expr {$lim - 1}]]
+         set newlist [lrange $newlist $lim end]
+-        if {![catch {set rlist [eval exec git check-attr $attr -- $head]}]} {
++        if {![catch {set rlist [safe_exec [concat git check-attr $attr -- $head]]}]} {
+             foreach row [split $rlist "\n"] {
+                 if {[regexp "(.*): $attr: (.*)" $row m path value]} {
+                     if {[string index $path 0] eq "\""} {
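Review bot: `concat` rather than `list` is the right choice here because `$head` is itself a list (an `lrange` slice of paths) and `concat` splices its elements as separate arguments; `list` would have passed the whole slice as one word. The `--` before `$head` is already present, so a path beginning with `-` is not read as an option. The rev-parse hunk near the end of the patch uses the same `concat` form for `$revtreeargs`.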
+@@ -12290,11 +12385,11 @@ if {[catch {package require Tk 8.4} err]} {
+ 
+ # on OSX bring the current Wish process window to front
+ if {[tk windowingsystem] eq "aqua"} {
+-    exec osascript -e [format {
++    safe_exec [list osascript -e [format {
+         tell application "System Events"
+             set frontmost of processes whose unix id is %d to true
+         end tell
+-    } [pid] ]
++    } [pid] ]]
+ }
+ 
+ # Unset GIT_TRACE var if set
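Review bot: The AppleScript body is still produced by `format` with `[pid]` substituted through `%d`, so only an integer reaches the script, and wrapping it in `safe_exec [list ...]` removes the Tcl word splitting of the multi-line string. Note this `safe_exec` call sits outside any `catch`, unlike the other call sites in the patch, so a missing or failing osascript raises at startup on aqua; that matches the previous bare `exec`, so it is not a regression, just worth knowing.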
+@@ -12443,7 +12538,7 @@ if {[tk windowingsystem] eq "aqua"} {
+ 
+ catch {
+     # follow the XDG base directory specification by default. See
+-    # http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
++    # https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+     if {[info exists env(XDG_CONFIG_HOME)] && $env(XDG_CONFIG_HOME) ne ""} {
+         # XDG_CONFIG_HOME environment variable is set
+         set config_file [file join $env(XDG_CONFIG_HOME) git gitk]
+@@ -12539,7 +12634,7 @@ if {$selecthead eq "HEAD"} {
+ if {$i >= [llength $argv] && $revtreeargs ne {}} {
+     # no -- on command line, but some arguments (other than --argscmd)
+     if {[catch {
+-        set f [eval exec git rev-parse --no-revs --no-flags $revtreeargs]
++        set f [safe_exec [concat git rev-parse --no-revs --no-flags $revtreeargs]]
+         set cmdline_files [split $f "\n"]
+         set n [llength $cmdline_files]
+         set revtreeargs [lrange $revtreeargs 0 end-$n]
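Review bot: `$revtreeargs` comes from the command line, so splicing it with `concat` is correct, and `--no-revs --no-flags` already confines what rev-parse returns to paths. The result is then split on newline into `cmdline_files` and counted with `llength`, so a path containing a newline would be counted as two entries and shift the `lrange` on `revtreeargs`; pre-existing behaviour, not introduced by this hunk.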
+@@ -12705,3 +12800,4 @@ getcommits {}
+ # indent-tabs-mode: t
+ # tab-width: 8
+ # End:
++
+-- 
+2.50.1
+
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 765180a38d..3520b4db90 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -26,6 +26,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
            file://CVE-2024-50349-0001.patch \
            file://CVE-2024-50349-0002.patch \
            file://CVE-2024-52006.patch \
+           file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
            "
 
 S = "${WORKDIR}/git-${PV}"
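Review bot: The new SRC_URI entry names four CVE identifiers in a single patch file name. Before merging, confirm the patch header carries a `CVE:` line for each of CVE-2025-27614, CVE-2025-27613, CVE-2025-46334 and CVE-2025-46835, and an `Upstream-Status:` line, so that cve-check records all four as patched rather than relying on the file name alone; the header is not visible in this hunk.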
-- 
2.43.0



* [OE-core][kirkstone 8/9] glib-2.0: ignore CVE-2025-4056
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2025-08-19 20:49 ` [OE-core][kirkstone 7/9] git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835 Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  2025-08-19 20:49 ` [OE-core][kirkstone 9/9] libubootenv: backport patch to fix unknown type name 'size_t' Steve Sakoman
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

NVD report [1] says:
A flaw was found in GLib. A denial of service on **Windows platforms**
may occur if an application attempts to spawn a program using long
command lines.

The fix [3] (linked from [2]) also changes only files
glib/gspawn-win32-helper.c
glib/gspawn-win32.c

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-4056
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3668
[3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index 8d2c452088..31b6c1fe98 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -97,3 +97,6 @@ def find_meson_cross_files(d):
 python () {
     find_meson_cross_files(d)
 }
+
+# not-applicable-platform: Issue only applies on Windows
+CVE_CHECK_IGNORE += "CVE-2025-4056"
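Review bot: The justification comment above `CVE_CHECK_IGNORE += "CVE-2025-4056"` is the right thing to carry into the recipe, but on this branch it is a plain comment, not a machine-readable status, so the report will show the CVE as ignored without a reason; keep the NVD and merge-request links from the commit message as the auditable source for the Windows-only scope. Appending with `+=` rather than assigning keeps any ignores already set elsewhere for this recipe.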
-- 
2.43.0



* [OE-core][kirkstone 9/9] libubootenv: backport patch to fix unknown type name 'size_t'
  2025-08-19 20:49 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2025-08-19 20:49 ` [OE-core][kirkstone 8/9] glib-2.0: ignore CVE-2025-4056 Steve Sakoman
@ 2025-08-19 20:49 ` Steve Sakoman
  8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
  To: openembedded-core

From: Youngseok Jeong <youngseok1.jeong@lge.com>

Fix:
../recipe-sysroot/usr/include/libuboot.h:29:2: error: unknown type name 'size_t'
size_t          envsize;
^

This error can be avoided by using CXXFLAGS:append = " -include cstddef"
but this way would be needed in all recipes that use libuboot.h.
Therefore, backport the patch to include <cstddef> in C++ builds.

Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-Include-cstddef-in-the-header-for-C.patch | 27 +++++++++++++++++++
 meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb  |  6 ++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch

diff --git a/meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch b/meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
new file mode 100644
index 0000000000..9a006e2cfd
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
@@ -0,0 +1,27 @@
+From 10c9a571f1c0472799f72b1924b039aab231e95f Mon Sep 17 00:00:00 2001
+From: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
+Date: Thu, 16 Dec 2021 16:19:50 +0100
+Subject: [PATCH] Include cstddef in the header for C++
+
+So C++ compiler always has access to the definition of size_t.
+
+Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
+Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com>
+Upstream-Status: Backport [v0.3.3 https://github.com/sbabic/libubootenv/pull/19/commits/764226a7de2ea79b182d92829922489537c766fa]
+---
+ src/libuboot.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libuboot.h b/src/libuboot.h
+index 88f0558..1f305f4 100644
+--- a/src/libuboot.h
++++ b/src/libuboot.h
+@@ -6,6 +6,8 @@
+  */
+ 
+ #ifdef __cplusplus
++#include <cstddef>
++
+ extern "C" {
+ #endif
+ 
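Review bot: Placing `#include <cstddef>` inside the `#ifdef __cplusplus` block and before `extern "C" {` is the right spot: the include stays outside the C-linkage block and precedes the `size_t envsize;` member that the reported error points at, so C++ consumers get `size_t` without per-recipe CXXFLAGS workarounds. C consumers are untouched and keep relying on whatever already provides `size_t` for them. The patch header carries `Upstream-Status: Backport` with the upstream commit URL, which is what kirkstone expects.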
diff --git a/meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb b/meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb
index e8f58941cf..7ff57ae157 100644
--- a/meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb
@@ -10,7 +10,11 @@ LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
+SRC_URI = " \
+    git://github.com/sbabic/libubootenv;protocol=https;branch=master \
+    file://0001-Include-cstddef-in-the-header-for-C.patch \
+"
+
 SRCREV = "ba7564f5006d09bec51058cf4f5ac90d4dc18b3c"
 
 S = "${WORKDIR}/git"
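Review bot: Style only: SRC_URI is reflowed into the multi-line form with one entry per line, and the added blank line before `SRCREV` is cosmetic. `SRCREV` itself is unchanged, so the fix is applied as a patch on top of the pinned revision rather than by moving the revision, which is the right approach for a stable branch.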
-- 
2.43.0



* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-26 13:44 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-26 13:44 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 28.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2267

The following changes since commit e401a16d8e26d25cec95fcea98d6530036cffca1:

  libubootenv: backport patch to fix unknown type name 'size_t' (2025-08-19 10:14:55 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (1):
  gstreamer1.0-plugins-base: fix CVE-2025-47807

Jiaying Song (1):
  openssl: fix CVE-2023-50781

Peter Marko (4):
  qemu: ignore CVE-2024-7730
  glib-2.0: patch CVE-2025-7039
  dpkg: patch CVE-2025-6297
  libarchive: patch regression of patch for CVE-2025-5918

Vijay Anusuri (3):
  xserver-xorg: Fix for CVE-2025-49178
  xserver-xorg: Fix for CVE-2025-49179
  xserver-xorg: Fix for CVE-2025-49180

 .../openssl/openssl/CVE-2023-50781-1.patch    | 618 ++++++++++++++++++
 .../openssl/openssl/CVE-2023-50781-2.patch    | 358 ++++++++++
 .../openssl/openssl/CVE-2023-50781-3.patch    |  41 ++
 .../openssl/openssl/CVE-2023-50781-4.patch    | 441 +++++++++++++
 .../openssl/openssl/CVE-2023-50781-5.patch    | 284 ++++++++
 .../openssl/openssl/CVE-2023-50781-6.patch    |  57 ++
 .../openssl/openssl_3.0.17.bb                 |   8 +-
 .../glib-2.0/glib-2.0/CVE-2025-7039-01.patch  |  40 ++
 .../glib-2.0/glib-2.0/CVE-2025-7039-02.patch  |  43 ++
 meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb |   2 +
 .../dpkg/dpkg/CVE-2025-6297.patch             | 125 ++++
 meta/recipes-devtools/dpkg/dpkg_1.21.4.bb     |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 ...2025-5918.patch => CVE-2025-5918-01.patch} |   0
 .../libarchive/CVE-2025-5918-02.patch         |  51 ++
 .../libarchive/libarchive_3.6.2.bb            |   3 +-
 .../xserver-xorg/CVE-2025-49178.patch         |  49 ++
 .../xserver-xorg/CVE-2025-49179.patch         |  67 ++
 .../xserver-xorg/CVE-2025-49180-1.patch       |  44 ++
 .../xserver-xorg/CVE-2025-49180-2.patch       |  52 ++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   4 +
 .../CVE-2025-47807.patch                      |  49 ++
 .../gstreamer1.0-plugins-base_1.20.7.bb       |   1 +
 23 files changed, 2339 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2025-6297.patch
 rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-5918.patch => CVE-2025-5918-01.patch} (100%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-02.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch

-- 
2.43.0



* [OE-core][kirkstone 0/9] Patch review
@ 2025-09-03 16:14 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-09-03 16:14 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 5.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2309

The following changes since commit 36cf6bb39df081b27306d27b20155995b73e1a01:

  Revert "sqlite3: patch CVE-2025-7458" (2025-09-01 08:18:45 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepak Rathore (1):
  default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue

Kyungjik Min (1):
  pulseaudio: Add audio group explicitly

Mingli Yu (1):
  vim: not adjust script pathnames for native scripts either

Peter Marko (2):
  vim: upgrade 9.1.1198 -> 9.1.1652
  sudo: remove devtool FIXME comment

Praveen Kumar (1):
  git: fix CVE-2025-48384

Yogita Urade (3):
  tiff: fix CVE-2024-13978
  tiff: fix CVE-2025-8534
  tiff: fix CVE-2025-8851

 meta-selftest/files/static-group              |  1 +
 .../distro/include/default-distrovars.inc     |  2 +-
 meta/lib/oeqa/sdk/buildtools-cases/https.py   |  4 +-
 .../git/git/CVE-2025-48384.patch              | 85 +++++++++++++++++++
 meta/recipes-devtools/git/git_2.35.7.bb       |  1 +
 meta/recipes-extended/sudo/sudo_1.9.17p1.bb   | 52 ------------
 .../libtiff/tiff/CVE-2024-13978.patch         | 47 ++++++++++
 .../libtiff/tiff/CVE-2025-8534.patch          | 60 +++++++++++++
 .../libtiff/tiff/CVE-2025-8851.patch          | 71 ++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  3 +
 .../pulseaudio/pulseaudio.inc                 |  2 +-
 ...src-Makefile-improve-reproducibility.patch | 10 +--
 .../vim/files/disable_acl_header_check.patch  | 12 +--
 .../vim/files/no-path-adjust.patch            | 35 +++++---
 meta/recipes-support/vim/vim.inc              |  7 +-
 15 files changed, 308 insertions(+), 84 deletions(-)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48384.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch

-- 
2.43.0



* [OE-core][kirkstone 0/9] Patch review
@ 2025-11-25 20:54 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-11-25 20:54 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, November 27.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2776

The following changes since commit ff72b41a3f0bf1820405b8782f0d125cd10e3406:

  oe-build-perf-report: relax metadata matching rules (2025-11-19 08:28:19 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Divya Chellam (3):
  ruby: fix CVE-2024-35176
  ruby: fix CVE-2024-39908
  ruby: fix CVE-2024-41123

Gyorgy Sarvari (1):
  flac: patch seeking bug

Peter Marko (3):
  libarchive: patch 3.8.3 security issue 1
  libarchive: patch 3.8.3 security issue 2
  libarchive: patch CVE-2025-60753

Praveen Kumar (1):
  python3: fix CVE-2025-6075

Vijay Anusuri (1):
  python3-idna: Fix CVE-2024-3651

 .../python/python3-idna/CVE-2024-3651.patch   | 2484 +++++++++++++++++
 .../python/python3-idna_3.3.bb                |    2 +
 .../python/python3/CVE-2025-6075.patch        |  364 +++
 .../python/python3_3.10.19.bb                 |    1 +
 .../ruby/ruby/CVE-2024-35176.patch            |  112 +
 .../ruby/ruby/CVE-2024-39908-0001.patch       |   46 +
 .../ruby/ruby/CVE-2024-39908-0002.patch       |  130 +
 .../ruby/ruby/CVE-2024-39908-0003.patch       |   46 +
 .../ruby/ruby/CVE-2024-39908-0004.patch       |   76 +
 .../ruby/ruby/CVE-2024-39908-0005.patch       |   87 +
 .../ruby/ruby/CVE-2024-39908-0006.patch       |   44 +
 .../ruby/ruby/CVE-2024-39908-0007.patch       |   44 +
 .../ruby/ruby/CVE-2024-39908-0008.patch       |   44 +
 .../ruby/ruby/CVE-2024-39908-0009.patch       |   36 +
 .../ruby/ruby/CVE-2024-39908-0010.patch       |   53 +
 .../ruby/ruby/CVE-2024-39908-0011.patch       |   35 +
 .../ruby/ruby/CVE-2024-39908-0012.patch       |   36 +
 .../ruby/ruby/CVE-2024-41123-0001.patch       |   44 +
 .../ruby/ruby/CVE-2024-41123-0002.patch       |   37 +
 .../ruby/ruby/CVE-2024-41123-0003.patch       |   55 +
 .../ruby/ruby/CVE-2024-41123-0004.patch       |  163 ++
 .../ruby/ruby/CVE-2024-41123-0005.patch       |  111 +
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   18 +
 ...ax-path-length-metadata-writing-2243.patch |   30 +
 ...request-2696-from-al3xtjames-mkstemp.patch |   28 +
 ...st-2749-from-KlaraSystems-des-tempdi.patch |  183 ++
 ...st-2753-from-KlaraSystems-des-temp-f.patch |  190 ++
 ...-request-2768-from-Commandoss-master.patch |   28 +
 .../libarchive/CVE-2025-60753.patch           |   76 +
 .../libarchive/libarchive_3.6.2.bb            |    6 +
 .../flac/files/0001-Fix-seeking-bug.patch     |   34 +
 meta/recipes-multimedia/flac/flac_1.3.4.bb    |    3 +-
 32 files changed, 4645 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python3-idna/CVE-2024-3651.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0002.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0003.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0004.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0005.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Fix-max-path-length-metadata-writing-2243.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
 create mode 100644 meta/recipes-multimedia/flac/files/0001-Fix-seeking-bug.patch

-- 
2.43.0


