* [OE-core][scarthgap 0/5] Patch review
@ 2025-09-04 15:22 Steve Sakoman
2025-09-04 15:22 ` [OE-core][scarthgap 1/5] curl: update CVE_STATUS for CVE-2025-5025 Steve Sakoman
` (4 more replies)
0 siblings, 5 replies; 9+ messages in thread
From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Monday, September 9
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2314
The following changes since commit a19afb7db1b9995ce433f8bfeb5406c9fd1fdc19:
sudo: remove devtool FIXME comment (2025-08-27 10:17:41 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Deepak Rathore (1):
default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Hongxu Jia (1):
rpm: keep leading `/' from sed operation
Kyungjik Min (1):
pulseaudio: Add audio group explicitly
Stanislav Vovk (1):
libpam: fix CVE-2024-10963
Vrushti Dabhi (1):
curl: update CVE_STATUS for CVE-2025-5025
meta-selftest/files/static-group | 1 +
.../distro/include/default-distrovars.inc | 2 +-
meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 +-
meta/recipes-devtools/rpm/rpm_4.19.1.1.bb | 6 +-
.../pam/libpam/CVE-2024-10963.patch | 265 ++++++++++++++++++
meta/recipes-extended/pam/libpam_1.5.3.bb | 1 +
.../pulseaudio/pulseaudio.inc | 2 +-
meta/recipes-support/curl/curl_8.7.1.bb | 2 +-
8 files changed, 275 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10963.patch
--
2.43.0
^ permalink raw reply [flat|nested] 9+ messages in thread* [OE-core][scarthgap 1/5] curl: update CVE_STATUS for CVE-2025-5025 2025-09-04 15:22 [OE-core][scarthgap 0/5] Patch review Steve Sakoman @ 2025-09-04 15:22 ` Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 2/5] libpam: fix CVE-2024-10963 Steve Sakoman ` (3 subsequent siblings) 4 siblings, 0 replies; 9+ messages in thread From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw) To: openembedded-core From: Vrushti Dabhi <vdabhi@cisco.com> This CVE applies only when curl is built with wolfSSL support. Revised CVE_STATUS description to align with CVE details. Reference: https://github.com/openembedded/openembedded-core/commit/93ae0758ef35 Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-support/curl/curl_8.7.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index a21a086f40..6845a43cd2 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb @@ -37,7 +37,7 @@ CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl dan CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" -CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: build with openssl','unpatched',d)}" +CVE_STATUS[CVE-2025-5025] = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'not-applicable-config: applicable only with wolfssl','unpatched',d)}" inherit autotools pkgconfig binconfig multilib_header ptest -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
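Review bot: The changed CVE_STATUS[CVE-2025-5025] line in curl_8.7.1.bb still keys on 'openssl' being present in PACKAGECONFIG, while the new text says the CVE is applicable only with wolfSSL. Any configuration without openssl therefore falls through to 'unpatched', whether or not wolfSSL is the TLS backend, and CVE reports for such builds will flag an issue that the commit message says does not apply. If the recipe exposes a wolfssl PACKAGECONFIG, testing for that directly (unpatched when present, not-applicable-config otherwise) would make the condition match the wording.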
* [OE-core][scarthgap 2/5] libpam: fix CVE-2024-10963 2025-09-04 15:22 [OE-core][scarthgap 0/5] Patch review Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 1/5] curl: update CVE_STATUS for CVE-2025-5025 Steve Sakoman @ 2025-09-04 15:22 ` Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 3/5] rpm: keep leading `/' from sed operation Steve Sakoman ` (2 subsequent siblings) 4 siblings, 0 replies; 9+ messages in thread From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw) To: openembedded-core From: Stanislav Vovk <stanislav.vovk@est.tech> Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628 Signed-off-by: Stanislav Vovk <stanislav.vovk@est.tech> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../pam/libpam/CVE-2024-10963.patch | 265 ++++++++++++++++++ meta/recipes-extended/pam/libpam_1.5.3.bb | 1 + 2 files changed, 266 insertions(+) create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10963.patch diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch new file mode 100644 index 0000000000..b79831f0e5 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10963.patch 
@@ -0,0 +1,265 @@ +From f9ccee5c4c6cb0d4197b08ebeb36c1dceffe82e8 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk <kukuk@suse.com> +Date: Thu, 14 Nov 2024 10:27:28 +0100 +Subject: [PATCH] pam_access: rework resolving of tokens as hostname + +* modules/pam_access/pam_access.c: separate resolving of IP addresses + from hostnames. Don't resolve TTYs or display variables as hostname + (#834). + Add "nodns" option to disallow resolving of tokens as hostname. +* modules/pam_access/pam_access.8.xml: document nodns option +* modules/pam_access/access.conf.5.xml: document that hostnames should + be written as FQHN. + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628] +CVE: CVE-2024-10963 +Signed-off-by: Stanislav Vovk <stanislav.vovk@est.tech> +--- + modules/pam_access/access.conf.5.xml | 4 ++ + modules/pam_access/pam_access.8.xml | 46 ++++++++++++------ + modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++- + 3 files changed, 105 insertions(+), 17 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index ff1cb223..158fc7df 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -220,10 +220,14 @@ + the fields they are ignored. However if the list separator is changed with the + <emphasis>listsep</emphasis> option, the spaces will become part of the actual + item and the line will be most probably ignored. For this reason, it is not + recommended to put spaces around the ':' characters. + </para> ++ <para> ++ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid ++ confusion with device names or PAM service names. 
++ </para> + </refsect1> + + <refsect1 xml:id="access.conf-see_also"> + <title>SEE ALSO</title> + <para> +diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml +index 010e749e..1182c907 100644 +--- a/modules/pam_access/pam_access.8.xml ++++ b/modules/pam_access/pam_access.8.xml +@@ -20,15 +20,18 @@ + <cmdsynopsis xml:id="pam_access-cmdsynopsis" sepchar=" "> + <command>pam_access.so</command> + <arg choice="opt" rep="norepeat"> + debug + </arg> ++ <arg choice="opt" rep="norepeat"> ++ noaudit ++ </arg> + <arg choice="opt" rep="norepeat"> + nodefgroup + </arg> + <arg choice="opt" rep="norepeat"> +- noaudit ++ nodns + </arg> + <arg choice="opt" rep="norepeat"> + accessfile=<replaceable>file</replaceable> + </arg> + <arg choice="opt" rep="norepeat"> +@@ -127,10 +130,37 @@ + Do not report logins from disallowed hosts and ttys to the audit subsystem. + </para> + </listitem> + </varlistentry> + ++ <varlistentry> ++ <term> ++ nodefgroup ++ </term> ++ <listitem> ++ <para> ++ User tokens which are not enclosed in parentheses will not be ++ matched against the group database. The backwards compatible default is ++ to try the group database match even for tokens not enclosed ++ in parentheses. ++ </para> ++ </listitem> ++ </varlistentry> ++ ++ <varlistentry> ++ <term> ++ nodns ++ </term> ++ <listitem> ++ <para> ++ Do not try to resolve tokens as hostnames, only IPv4 and IPv6 ++ addresses will be resolved. Which means to allow login from a ++ remote host, the IP addresses need to be specified in <filename>access.conf</filename>. ++ </para> ++ </listitem> ++ </varlistentry> ++ + <varlistentry> + <term> + fieldsep=separators + </term> + <listitem> +@@ -168,24 +198,10 @@ + "Domain Admins" contain a space. + </para> + </listitem> + </varlistentry> + +- <varlistentry> +- <term> +- nodefgroup +- </term> +- <listitem> +- <para> +- User tokens which are not enclosed in parentheses will not be +- matched against the group database. 
The backwards compatible default is +- to try the group database match even for tokens not enclosed +- in parentheses. +- </para> +- </listitem> +- </varlistentry> +- + </variablelist> + </refsect1> + + <refsect1 xml:id="pam_access-types"> + <title>MODULE TYPES PROVIDED</title> +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index f70b7e49..d06496c3 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -97,10 +97,11 @@ struct login_info { + const char *config_file; + const char *hostname; + int debug; /* Print debugging messages. */ + int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ + int noaudit; /* Do not audit denials */ ++ int nodns; /* Do not try to resolve tokens as hostnames */ + const char *fs; /* field separator */ + const char *sep; /* list-element separator */ + int from_remote_host; /* If PAM_RHOST was used for from */ + struct addrinfo *res; /* Cached DNS resolution of from */ + int gai_rv; /* Cached retval of getaddrinfo */ +@@ -148,10 +149,12 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, + loginfo->debug = YES; + } else if (strcmp (argv[i], "nodefgroup") == 0) { + loginfo->only_new_group_syntax = YES; + } else if (strcmp (argv[i], "noaudit") == 0) { + loginfo->noaudit = YES; ++ } else if (strcmp (argv[i], "nodns") == 0) { ++ loginfo->nodns = YES; + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); + } + } + +@@ -730,11 +733,11 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + + if (tok[0] == '.') { /* domain: match last fields */ + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; +- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ ++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */ + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); + 
hint.ai_flags = AI_CANONNAME; + hint.ai_family = AF_INET; +@@ -805,10 +808,43 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + } + return (NO); + } + + ++static int ++is_device (pam_handle_t *pamh, const char *tok) ++{ ++ struct stat st; ++ const char *dev = "/dev/"; ++ char *devname; ++ ++ devname = malloc (strlen(dev) + strlen (tok) + 1); ++ if (devname == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m"); ++ /* ++ * We should return an error and abort, but pam_access has no good ++ * error handling. ++ */ ++ return NO; ++ } ++ ++ char *cp = stpcpy (devname, dev); ++ strcpy (cp, tok); ++ ++ if (lstat(devname, &st) != 0) ++ { ++ free (devname); ++ return NO; ++ } ++ free (devname); ++ ++ if (S_ISCHR(st.st_mode)) ++ return YES; ++ ++ return NO; ++} ++ + /* network_netmask_match - match a string against one token + * where string is a hostname or ip (v4,v6) address and tok + * represents either a hostname, a single ip (v4,v6) address + * or a network/netmask + */ +@@ -866,14 +902,46 @@ network_netmask_match (pam_handle_t *pamh, + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + return NO; + } + } ++ else if (isipaddr(tok, NULL, NULL) == YES) ++ { ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) ++ { ++ if (item->debug) ++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok); ++ ++ return NO; ++ } ++ netmask_ptr = NULL; ++ } ++ else if (item->nodns) ++ { ++ /* Only hostnames are left, which we would need to resolve via DNS */ ++ return NO; ++ } + else + { ++ /* Bail out on X11 Display entries and ttys. */ ++ if (tok[0] == ':') ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is X11 display", tok); ++ return NO; ++ } ++ if (is_device (pamh, tok)) ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is a TTY", tok); ++ return NO; ++ } ++ + /* +- * It is either an IP address or a hostname. 
++ * It is most likely a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); +-- +2.43.5 + diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index 815085cc82..4c27767ab1 100644 --- a/meta/recipes-extended/pam/libpam_1.5.3.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb @@ -34,6 +34,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \ file://CVE-2025-6020-01.patch \ file://CVE-2025-6020-02.patch \ file://CVE-2025-6020-03.patch \ + file://CVE-2024-10963.patch \ " SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283" -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
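Review bot: In the new is_device() helper in pam_access.c, the malloc failure path returns NO, which the caller in network_netmask_match reads as "not a device" and then goes on to getaddrinfo (tok, NULL, NULL, &ai). Under memory pressure a TTY name is therefore still resolved as a hostname, which is the behaviour this fix is meant to stop. Returning YES on allocation failure, so that the caller returns NO without resolving, would make the failure path conservative. The check also uses lstat() with S_ISCHR, so a name under /dev that is a symlink to a character device is not recognised as a device and is still passed to the resolver.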
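Review bot: In the network_netmask_match hunk of pam_access.c, the new "else if (item->nodns)" branch returns NO with no log line, while the IP-address branch above it and the X11 display and TTY checks below it all log under item->debug. A matching pam_syslog (pamh, LOG_DEBUG, ...) there would let an administrator see why a hostname token in access.conf stopped matching once nodns is set. Note also that nodns is opt-in: parse_args only sets it when the option is given, so default configurations still reach getaddrinfo for any token that is not an IP address, does not start with ':', and is not a character device under /dev. The recipe commit message could say so, so that integrators know to add nodns where access.conf lists IP addresses only.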
* [OE-core][scarthgap 3/5] rpm: keep leading `/' from sed operation 2025-09-04 15:22 [OE-core][scarthgap 0/5] Patch review Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 1/5] curl: update CVE_STATUS for CVE-2025-5025 Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 2/5] libpam: fix CVE-2024-10963 Steve Sakoman @ 2025-09-04 15:22 ` Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 4/5] default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 5/5] pulseaudio: Add audio group explicitly Steve Sakoman 4 siblings, 0 replies; 9+ messages in thread From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw) To: openembedded-core From: Hongxu Jia <hongxu.jia@windriver.com> For /usr/lib/rpm/macros, Yocto explicitly set OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "ONLY" [1][2] to search tools from CMAKE_FIND_ROOT_PATH [5] which locates in native recipe sysroot or HOSTTOOLS_DIR. If found in native recipe sysroot or HOSTTOOLS_DIR, the sed operation removed leading `/' root@qemux86-64:~# vi /usr/lib/rpm/macros ... %__xz usr/bin/xz %__make usr/bin/make %__zstd usr/bin/zstd %__quilt usr/bin/quilt %__patch usr/bin/patch ... root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}" usr/bin/xz usr/bin/make usr/bin/zstd usr/bin/quilt usr/bin/patch This commit keeps leading `/' from sed operation, and similar reason for /usr/lib/cmake/rpm/rpm-targets.cmake After applying this commit: root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}" /usr/bin/xz /usr/bin/make /usr/bin/zstd /usr/bin/quilt /usr/bin/patch [1] https://git.openembedded.org/openembedded-core/commit/?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3 [2] https://cmake.org/cmake/help/latest/variable/CMAKE_FIND_ROOT_PATH_MODE_PROGRAM.html Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> 
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0d0773879ab9520c475c4a8c930b2e663de0e032) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/rpm/rpm_4.19.1.1.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb b/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb index 9330323797..7505e3452c 100644 --- a/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb +++ b/meta/recipes-devtools/rpm/rpm_4.19.1.1.bb @@ -130,10 +130,10 @@ do_install:append:class-nativesdk() { } do_install:append () { - sed -i -e 's:${HOSTTOOLS_DIR}/::g' \ - -e 's:${STAGING_DIR_NATIVE}/::g' \ + sed -i -e 's:${HOSTTOOLS_DIR}::g' \ + -e 's:${STAGING_DIR_NATIVE}::g' \ ${D}/${libdir}/rpm/macros - sed -i -e 's:${RECIPE_SYSROOT}/::g' \ + sed -i -e 's:${RECIPE_SYSROOT}::g' \ ${D}/${libdir}/cmake/rpm/rpm-targets.cmake } -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
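Review bot: In do_install:append of rpm_4.19.1.1.bb, the three sed patterns now match the bare directory string with no delimiter after it, so any path in macros or rpm-targets.cmake that merely begins with the same string as ${HOSTTOOLS_DIR}, ${STAGING_DIR_NATIVE} or ${RECIPE_SYSROOT} (for instance a sibling directory whose name extends it) is rewritten as well and left with a stray suffix. Keeping the slash in the pattern and emitting it in the replacement, e.g. 's:${HOSTTOOLS_DIR}/:/:g', gives the same /usr/bin/xz result while bounding the match at a path component.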
* [OE-core][scarthgap 4/5] default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue 2025-09-04 15:22 [OE-core][scarthgap 0/5] Patch review Steve Sakoman ` (2 preceding siblings ...) 2025-09-04 15:22 ` [OE-core][scarthgap 3/5] rpm: keep leading `/' from sed operation Steve Sakoman @ 2025-09-04 15:22 ` Steve Sakoman 2025-09-04 15:22 ` [OE-core][scarthgap 5/5] pulseaudio: Add audio group explicitly Steve Sakoman 4 siblings, 0 replies; 9+ messages in thread From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw) To: openembedded-core From: Deepak Rathore <deeratho@cisco.com> The default CONNECTIVITY_CHECK_URIS uses "https://yoctoproject.org/connectivity.html" which redirect to "https://www.yoctoproject.org/connectivity.html". Some network configurations with proxies or restricted internet access don't handle HTTP redirects properly during the sanity check phase, causing build failures with: ERROR: OE-core's config sanity checker detected a potential misconfiguration. Either fix the cause of this error or at your own risk disable the checker (see sanity.conf). Following is the list of potential problems / advisories: Fetcher failure for URL: 'https://yoctoproject.org/connectivity.html'. URL doesn't work. Updated the default URL to use the final destination directly to avoid redirect-related connectivity check failures. Also updated SDK test cases in https.py to use the corrected URL for consistency. Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 60cdf960a3560f391babd559737f1afb31fb2c5c) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/conf/distro/include/default-distrovars.inc | 2 +- meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc index 7554081e8b..42e6de216e 100644 --- a/meta/conf/distro/include/default-distrovars.inc +++ b/meta/conf/distro/include/default-distrovars.inc @@ -61,4 +61,4 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}" # fetch from the network (and warn you if not). To disable the test set # the variable to be empty. # Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master -CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html" +CONNECTIVITY_CHECK_URIS ?= "https://www.yoctoproject.org/connectivity.html" diff --git a/meta/lib/oeqa/sdk/buildtools-cases/https.py b/meta/lib/oeqa/sdk/buildtools-cases/https.py index 4525e3d758..98f27e5994 100644 --- a/meta/lib/oeqa/sdk/buildtools-cases/https.py +++ b/meta/lib/oeqa/sdk/buildtools-cases/https.py @@ -15,8 +15,8 @@ class HTTPTests(OESDKTestCase): """ def test_wget(self): - self._run('env -i wget --debug --output-document /dev/null https://yoctoproject.org/connectivity.html') + self._run('env -i wget --debug --output-document /dev/null https://www.yoctoproject.org/connectivity.html') def test_python(self): # urlopen() returns a file-like object on success and throws an exception otherwise - self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://yoctoproject.org/connectivity.html")\'') + self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://www.yoctoproject.org/connectivity.html")\'') -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
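Review bot: The new https://www.yoctoproject.org/connectivity.html literal appears three times (CONNECTIVITY_CHECK_URIS in default-distrovars.inc, and test_wget and test_python in https.py), and nothing in the changed lines records that it has to be the final, non-redirecting location. A short comment above CONNECTIVITY_CHECK_URIS saying so would stop a later edit from reintroducing the redirect. Since both tests in https.py now bypass the redirect as well, they no longer exercise redirect following in the buildtools wget and urllib; if that coverage was intended, it needs a separate test case.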
* [OE-core][scarthgap 5/5] pulseaudio: Add audio group explicitly 2025-09-04 15:22 [OE-core][scarthgap 0/5] Patch review Steve Sakoman ` (3 preceding siblings ...) 2025-09-04 15:22 ` [OE-core][scarthgap 4/5] default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue Steve Sakoman @ 2025-09-04 15:22 ` Steve Sakoman 4 siblings, 0 replies; 9+ messages in thread From: Steve Sakoman @ 2025-09-04 15:22 UTC (permalink / raw) To: openembedded-core From: Kyungjik Min <dpmin7@gmail.com> Since pulseaudio-server requires the audio group, we explicitly add it. When use useradd-staticids or do not use the default group in base-passwd, an error will occur because the audio group is not defined. NOTE: pulseaudio: Performing useradd with [--root TOPDIR/tmp/work/cortexa72-poky-linux/pulseaudio/17.0/recipe-sysroot --home-dir /var/run/pulse --gid 998 --groups audio,pulse --no-create-home --system --shell /bin/false --uid 998 pulse] useradd: group 'audio' does not exist ERROR: pulseaudio: useradd command did not succeed. Signed-off-by: Kyungjik Min <dpmin7@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta-selftest/files/static-group | 1 + meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/meta-selftest/files/static-group b/meta-selftest/files/static-group index f7a66de24d..c59f9e3019 100644 --- a/meta-selftest/files/static-group +++ b/meta-selftest/files/static-group @@ -27,3 +27,4 @@ render:x:527: sgx:x:528: ptest:x:529: xuser:x:530: +audio:x:531: diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc index 1ab3831519..a93ef8f338 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc 
@@ -146,7 +146,7 @@ do_install:append() { } USERADD_PACKAGES = "pulseaudio-server" -GROUPADD_PARAM:pulseaudio-server = "--system pulse" +GROUPADD_PARAM:pulseaudio-server = "--system audio; --system pulse" USERADD_PARAM:pulseaudio-server = "--system --home /var/run/pulse \ --no-create-home --shell /bin/false \ --groups audio,pulse --gid pulse pulse" -- 2.43.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
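Review bot: In pulseaudio.inc the audio group is now created through GROUPADD_PARAM, but the only static ID table updated is meta-selftest/files/static-group (audio:x:531:). Layers that use useradd-staticids with their own group file get no audio entry from this change, so the commit message should say that such configurations need to add one themselves. It is also worth confirming that "--system audio" is a no-op when base-passwd already provides the group, so that an existing gid is not changed.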
* [OE-core][scarthgap 0/5] Patch review
@ 2025-12-29 23:07 Steve Sakoman
0 siblings, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2025-12-29 23:07 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Wednesday, December 31
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2954
The following changes since commit dccb7a185fe58a97f33e219b4db283ff4a2071d7:
cross.bbclass: Propagate dependencies to outhash (2025-12-23 06:28:05 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (1):
libsoup: fix CVE-2025-12105
Jiaying Song (1):
grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663
CVE-2025-61664
Vijay Anusuri (3):
go: Update CVE-2025-58187
go: Fix CVE-2025-61727
go: Fix CVE-2025-61729
.../grub/files/CVE-2025-54770.patch | 41 ++
.../grub/files/CVE-2025-61661.patch | 40 ++
.../grub/files/CVE-2025-61662.patch | 72 +++
.../grub/files/CVE-2025-61663_61664.patch | 64 +++
meta/recipes-bsp/grub/grub2.inc | 4 +
meta/recipes-devtools/go/go-1.22.12.inc | 5 +-
...025-58187.patch => CVE-2025-58187-1.patch} | 0
.../go/go/CVE-2025-58187-2.patch | 516 ++++++++++++++++++
.../go/go/CVE-2025-61727.patch | 226 ++++++++
.../go/go/CVE-2025-61729.patch | 174 ++++++
.../libsoup-3.4.4/CVE-2025-12105.patch | 34 ++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
12 files changed, 1176 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
rename meta/recipes-devtools/go/go/{CVE-2025-58187.patch => CVE-2025-58187-1.patch} (100%)
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58187-2.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61727.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61729.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-12105.patch
--
2.43.0
* [OE-core][scarthgap 0/5] Patch review
@ 2025-04-01 19:59 Steve Sakoman
0 siblings, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2025-04-01 19:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, April 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1310
The following changes since commit 2f242f2a269bb18aab703f685e27f9c3ba761db8:
cve-update-nvd2-native: handle missing vulnStatus (2025-03-31 08:26:56 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Martin Jansa (1):
mc: set ac_cv_path_ZIP to avoid buildpaths QA issues
Michael Halstead (1):
yocto-uninative: Update to 4.7 for glibc 2.41
Peter Marko (2):
expat: patch CVE-2024-8176
freetype: follow-up patch for CVE-2025-27363
Virendra Thakur (1):
rust-cross-canadian: Set CVE_STATUS ignore for CVE-2024-43402
meta/conf/distro/include/yocto-uninative.inc | 10 +-
...ests-Cover-indirect-entity-recursion.patch | 103 ++
.../expat/expat/CVE-2024-8176-01.patch | 1477 +++++++++++++++++
.../expat/expat/CVE-2024-8176-02.patch | 248 +++
meta/recipes-core/expat/expat_2.6.4.bb | 3 +
.../rust/rust-cross-canadian.inc | 4 +
meta/recipes-extended/mc/mc_4.8.31.bb | 1 +
.../freetype/freetype/CVE-2025-27363.patch | 33 +
.../freetype/freetype_2.13.2.bb | 4 +-
9 files changed, 1877 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/0001-tests-Cover-indirect-entity-recursion.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2024-8176-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2024-8176-02.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch
--
2.43.0
* [OE-core][scarthgap 0/5] Patch review
@ 2025-03-21 15:04 Steve Sakoman
0 siblings, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2025-03-21 15:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 25
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1237
The following changes since commit 1be6d83466e3a0da4222ba502c2a86c25c835a35:
Revert "gcc-cross-canadian.inc: Fix buildpaths error for pthread.h" (2025-03-20 07:31:40 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Denys Dmytriyenko (2):
gcc: unify cleanup of include-fixed, apply to cross-canadian
nativesdk-libtool: sanitize the script, remove buildpaths
Makarios Christakis (1):
icu: Adjust ICU_DATA_DIR path on big endian targets
Peter Marko (1):
xserver-xorg: mark CVEs fixed in 21.1.16 as fixed
Vijay Anusuri (1):
libxslt: upgrade 1.1.39 -> 1.1.43
meta/recipes-devtools/gcc/gcc-common.inc | 4 +++
.../gcc/gcc-cross-canadian.inc | 2 ++
meta/recipes-devtools/gcc/gcc-cross.inc | 2 +-
meta/recipes-devtools/gcc/gcc-target.inc | 31 +------------------
.../recipes-devtools/libtool/libtool_2.4.7.bb | 15 +--------
.../libtool/nativesdk-libtool_2.4.7.bb | 1 +
.../libtool/remove-buildpaths.inc | 13 ++++++++
.../xorg-xserver/xserver-xorg.inc | 4 +++
meta/recipes-support/icu/icu_74-2.bb | 2 +-
.../{libxslt_1.1.39.bb => libxslt_1.1.43.bb} | 4 +--
10 files changed, 30 insertions(+), 48 deletions(-)
create mode 100644 meta/recipes-devtools/libtool/remove-buildpaths.inc
rename meta/recipes-support/libxslt/{libxslt_1.1.39.bb => libxslt_1.1.43.bb} (91%)
--
2.43.0