* [OE-core][kirkstone 0/4] Patch review
@ 2025-10-29 2:54 Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081 Steve Sakoman
` (3 more replies)
0 siblings, 4 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 30
Passed a-full on the autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2650
The following changes since commit 9b3dbd691f6ebdbdfe88cef3d3a676ddd1399c63:
python3: upgrade 3.10.18 -> 3.10.19 (2025-10-17 07:39:27 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
git: fix CVE-2025-48386
Peter Marko (1):
lz4: patch CVE-2025-62813
Yash Shinde (2):
binutils: fix CVE-2025-11081
binutils: fix CVE-2025-8225
.../binutils/binutils-2.38.inc | 2 +
.../binutils/0046-CVE-2025-11081.patch | 84 ++++++++++++++++
.../binutils/0047-CVE-2025-8225.patch | 47 +++++++++
.../git/git/CVE-2025-48386.patch | 97 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
.../lz4/files/CVE-2025-62813.patch | 69 +++++++++++++
meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +-
7 files changed, 303 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48386.patch
create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081
2025-10-29 2:54 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
@ 2025-10-29 2:54 ` Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225 Steve Sakoman
` (2 subsequent siblings)
3 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE: CVE-2025-11081
Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.
* objdump (dump_sframe_section, dump_dwarf_section): Don't access
elf_section_type without first checking the file is ELF.
PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0046-CVE-2025-11081.patch | 84 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 2e978edc6f..2444a304be 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -82,5 +82,6 @@ SRC_URI = "\
file://0043-CVE-2025-7545.patch \
file://0044-CVE-2025-11082.patch \
file://0045-CVE-2025-11083.patch \
+ file://0046-CVE-2025-11081.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch
new file mode 100644
index 0000000000..31dbef52fa
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch
@@ -0,0 +1,84 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+ * objdump (dump_sframe_section, dump_dwarf_section): Don't access
+ elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4418,6 +4418,10 @@
+ else
+ match = name;
+
++ if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++ && elf_section_type (section) == SHT_GNU_SFRAME)
++ match = ".sframe";
++
+ for (i = 0; i < max; i++)
+ if ((strcmp (debug_displays [i].section.uncompressed_name, match) == 0
+ || strcmp (debug_displays [i].section.compressed_name, match) == 0
+@@ -4923,6 +4927,36 @@
+ }
+
++static void
++dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
++
++{
++ /* Error checking for user provided SFrame section name, if any. */
++ if (sect_name)
++ {
++ asection *sec = bfd_get_section_by_name (abfd, sect_name);
++ if (sec == NULL)
++ {
++ printf (_("No %s section present\n\n"), sanitize_string (sect_name));
++ return;
++ }
++ /* Starting with Binutils 2.45, SFrame sections have section type
++ SHT_GNU_SFRAME. For SFrame sections from Binutils 2.44 or earlier,
++ check explcitly for SFrame sections of type SHT_PROGBITS and name
++ ".sframe" to allow them. */
++ else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
++ || (elf_section_type (sec) != SHT_GNU_SFRAME
++ && !(elf_section_type (sec) == SHT_PROGBITS
++ && strcmp (sect_name, ".sframe") == 0)))
++ {
++ printf (_("Section %s does not contain SFrame data\n\n"),
++ sanitize_string (sect_name));
++ return;
++ }
++ }
++ dump_dwarf (abfd, is_mainfile);
++}
++
+ static void
+ dump_target_specific (bfd *abfd)
+ {
+ const struct objdump_private_desc * const *desc;
+diff --git a/include/elf/common.h b/include/elf/common.h
+--- a/include/elf/common.h
++++ b/include/elf/common.h
+@@ -528,6 +528,8 @@
+ #define SHT_LOOS 0x60000000 /* First of OS specific semantics */
+ #define SHT_HIOS 0x6fffffff /* Last of OS specific semantics */
+
++#define SHT_GNU_SFRAME 0x6ffffff4 /* SFrame stack trace information. */
++
+ #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700 /* incremental build data */
+ #define SHT_GNU_ATTRIBUTES 0x6ffffff5 /* Object attributes */
+ #define SHT_GNU_HASH 0x6ffffff6 /* GNU style symbol hash table */
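Review bot: The embedded upstream header says binutils/objdump.c changes by 6 insertions and 4 deletions, but the body under it only adds lines: a SHT_GNU_SFRAME check in the first objdump.c hunk, an entire new static dump_sframe_section(), and a new SHT_GNU_SFRAME define in include/elf/common.h, a file the diffstat does not list. That reads as adding SFrame handling to this tree rather than guarding an existing unchecked elf_section_type access, and nothing in the visible hunks calls dump_sframe_section(), so it would be an unused static function. Please confirm that the 2.38 objdump.c actually contains the code path the upstream fix guards. If it does not, recording the CVE as not applicable in the recipe would be safer than carrying new code; if it does, the commit message should describe how the backport was adapted from the upstream commit.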
--
2.43.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225
2025-10-29 2:54 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081 Steve Sakoman
@ 2025-10-29 2:54 ` Steve Sakoman
2025-10-29 3:36 ` Khem Raj
2025-10-29 2:54 ` [OE-core][kirkstone 3/4] git: fix CVE-2025-48386 Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 4/4] lz4: patch CVE-2025-62813 Steve Sakoman
3 siblings, 1 reply; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE: CVE-2025-8225
It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.
* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0047-CVE-2025-8225.patch | 47 +++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
index 2444a304be..ade69881a1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -83,5 +83,6 @@ SRC_URI = "\
file://0044-CVE-2025-11082.patch \
file://0045-CVE-2025-11083.patch \
file://0046-CVE-2025-11081.patch \
+ file://0047-CVE-2025-8225.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
new file mode 100644
index 0000000000..410ba64143
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
@@ -0,0 +1,47 @@
+From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 19 Feb 2025 22:45:29 +1030
+Subject: [PATCH] binutils/dwarf.c debug_information leak
+
+It is possible with fuzzed files to have num_debug_info_entries zero
+after allocating space for debug_information, leading to multiple
+allocations.
+
+ * dwarf.c (process_debug_info): Don't test num_debug_info_entries
+ to determine whether debug_information has been allocated,
+ test alloc_num_debug_info_entries.
+---
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
+CVE: CVE-2025-8225
+
+ binutils/dwarf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 8e004cea839..bfbf83ec9f4 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section,
+ }
+
+ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+- && num_debug_info_entries == 0
+- && ! do_types)
++ && alloc_num_debug_info_entries == 0
++ && !do_types)
+ {
+-
+ /* Then allocate an array to hold the information. */
+- debug_information = (debug_info *) cmalloc (num_units,
+- sizeof (* debug_information));
++ debug_information = cmalloc (num_units, sizeof (*debug_information));
+ if (debug_information == NULL)
+ {
+ error (_("Not enough memory for a debug info array of %u entries\n"),
+--
+2.43.7
+
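Review bot: In the dwarf.c hunk the allocation guard now tests alloc_num_debug_info_entries == 0, but no line in this hunk assigns that variable, so the fix only holds if the surrounding 2.38 process_debug_info sets it once the cmalloc has succeeded. Please confirm that assignment exists in the kirkstone source at this point; if it does not, the condition stays true and debug_information is still reallocated on each call, which is the repeated allocation the message describes. A sentence in the commit message stating whether the upstream change applied without adaptation would settle it.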
--
2.43.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225
2025-10-29 2:54 ` [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225 Steve Sakoman
@ 2025-10-29 3:36 ` Khem Raj
0 siblings, 0 replies; 15+ messages in thread
From: Khem Raj @ 2025-10-29 3:36 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
this looks ok.
On Tue, Oct 28, 2025 at 7:54 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> From: Yash Shinde <Yash.Shinde@windriver.com>
>
> CVE: CVE-2025-8225
>
> It is possible with fuzzed files to have num_debug_info_entries zero
> after allocating space for debug_information, leading to multiple
> allocations.
>
> * dwarf.c (process_debug_info): Don't test num_debug_info_entries
> to determine whether debug_information has been allocated,
> test alloc_num_debug_info_entries.
>
> Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
>
> Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> .../binutils/binutils-2.38.inc | 1 +
> .../binutils/0047-CVE-2025-8225.patch | 47 +++++++++++++++++++
> 2 files changed, 48 insertions(+)
> create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc
> index 2444a304be..ade69881a1 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.38.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
> @@ -83,5 +83,6 @@ SRC_URI = "\
> file://0044-CVE-2025-11082.patch \
> file://0045-CVE-2025-11083.patch \
> file://0046-CVE-2025-11081.patch \
> + file://0047-CVE-2025-8225.patch \
> "
> S = "${WORKDIR}/git"
> diff --git a/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
> new file mode 100644
> index 0000000000..410ba64143
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch
> @@ -0,0 +1,47 @@
> +From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 19 Feb 2025 22:45:29 +1030
> +Subject: [PATCH] binutils/dwarf.c debug_information leak
> +
> +It is possible with fuzzed files to have num_debug_info_entries zero
> +after allocating space for debug_information, leading to multiple
> +allocations.
> +
> + * dwarf.c (process_debug_info): Don't test num_debug_info_entries
> + to determine whether debug_information has been allocated,
> + test alloc_num_debug_info_entries.
> +---
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
> +CVE: CVE-2025-8225
> +
> + binutils/dwarf.c | 8 +++-----
> + 1 file changed, 3 insertions(+), 5 deletions(-)
> +
> +Signed-off-by: Alan Modra <amodra@gmail.com>
> +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
> +
> +diff --git a/binutils/dwarf.c b/binutils/dwarf.c
> +index 8e004cea839..bfbf83ec9f4 100644
> +--- a/binutils/dwarf.c
> ++++ b/binutils/dwarf.c
> +@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section,
> + }
> +
> + if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
> +- && num_debug_info_entries == 0
> +- && ! do_types)
> ++ && alloc_num_debug_info_entries == 0
> ++ && !do_types)
> + {
> +-
> + /* Then allocate an array to hold the information. */
> +- debug_information = (debug_info *) cmalloc (num_units,
> +- sizeof (* debug_information));
> ++ debug_information = cmalloc (num_units, sizeof (*debug_information));
> + if (debug_information == NULL)
> + {
> + error (_("Not enough memory for a debug info array of %u entries\n"),
> +--
> +2.43.7
> +
> --
> 2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 3/4] git: fix CVE-2025-48386
2025-10-29 2:54 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081 Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225 Steve Sakoman
@ 2025-10-29 2:54 ` Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 4/4] lz4: patch CVE-2025-62813 Steve Sakoman
3 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../git/git/CVE-2025-48386.patch | 97 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48386.patch
diff --git a/meta/recipes-devtools/git/git/CVE-2025-48386.patch b/meta/recipes-devtools/git/git/CVE-2025-48386.patch
new file mode 100644
index 0000000000..e78e95dbea
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2025-48386.patch
@@ -0,0 +1,97 @@
+From 9de345cb273cc7faaeda279c7e07149d8a15a319 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Mon, 19 May 2025 18:30:29 -0400
+Subject: [PATCH] wincred: avoid buffer overflow in wcsncat()
+
+The wincred credential helper uses a static buffer ("target") as a
+unique key for storing and comparing against internal storage. It does
+this by building up a string is supposed to look like:
+
+ git:$PROTOCOL://$USERNAME@$HOST/@path
+
+However, the static "target" buffer is declared as a wide string with no
+more than 1,024 wide characters. The first call to wcsncat() is almost
+correct (it copies no more than ARRAY_SIZE(target) wchar_t's), but does
+not account for the trailing NUL, introducing an off-by-one error.
+
+But subsequent calls to wcsncat() have an additional problem on top of
+the off-by-one. They do not account for the length of the existing
+wide string being built up in 'target'. So the following:
+
+ $ perl -e '
+ my $x = "x" x 1_000;
+ print "protocol=$x\nhost=$x\nusername=$x\npath=$x\n"
+ ' |
+ C\:/Program\ Files/Git/mingw64/libexec/git-core/git-credential-wincred.exe get
+
+will result in a segmentation fault from over-filling buffer.
+
+This bug is as old as the wincred helper itself, dating back to
+a6253da (contrib: add win32 credential-helper, 2012-07-27). Commit
+8b2d219 (wincred: improve compatibility with windows versions,
+2013-01-10) replaced the use of strncat() with wcsncat(), but retained
+the buggy behavior.
+
+Fix this by using a "target_append()" helper which accounts for both the
+length of the existing string within the buffer, as well as the trailing
+NUL character.
+
+Reported-by: David Leadbeater <dgl@dgl.cx>
+Helped-by: David Leadbeater <dgl@dgl.cx>
+Helped-by: Jeff King <peff@peff.net>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+CVE: CVE-2025-48386
+Upstream-Status: Backport [https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .../wincred/git-credential-wincred.c | 22 +++++++++++++------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c
+index 5091048..00ecd87 100644
+--- a/contrib/credential/wincred/git-credential-wincred.c
++++ b/contrib/credential/wincred/git-credential-wincred.c
+@@ -93,6 +93,14 @@ static void load_cred_funcs(void)
+
+ static WCHAR *wusername, *password, *protocol, *host, *path, target[1024];
+
++static void target_append(const WCHAR *src)
++{
++ size_t avail = ARRAY_SIZE(target) - wcslen(target) - 1; /* -1 for NUL */
++ if (avail < wcslen(src))
++ die("target buffer overflow");
++ wcsncat(target, src, avail);
++}
++
+ static void write_item(const char *what, LPCWSTR wbuf, int wlen)
+ {
+ char *buf;
+@@ -304,17 +312,17 @@ int main(int argc, char *argv[])
+
+ /* prepare 'target', the unique key for the credential */
+ wcscpy(target, L"git:");
+- wcsncat(target, protocol, ARRAY_SIZE(target));
+- wcsncat(target, L"://", ARRAY_SIZE(target));
++ target_append(protocol);
++ target_append(L"://");
+ if (wusername) {
+- wcsncat(target, wusername, ARRAY_SIZE(target));
+- wcsncat(target, L"@", ARRAY_SIZE(target));
++ target_append(wusername);
++ target_append(L"@");
+ }
+ if (host)
+- wcsncat(target, host, ARRAY_SIZE(target));
++ target_append(host);
+ if (path) {
+- wcsncat(target, L"/", ARRAY_SIZE(target));
+- wcsncat(target, path, ARRAY_SIZE(target));
++ target_append(L"/");
++ target_append(path);
+ }
+
+ if (!strcmp(argv[1], "get"))
+--
+2.50.1
+
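Review bot: The only source file this patch touches is contrib/credential/wincred/git-credential-wincred.c, which works on WCHAR and LPCWSTR and whose reproducer runs git-credential-wincred.exe, so the fix lands in the Windows credential helper. The commit message for the recipe change should say whether git_2.35.7.bb builds or packages that helper for any kirkstone target; if it does not, marking the CVE as not applicable in the recipe documents the status without carrying a patch that changes no shipped binary. If the patch stays, the target_append() logic itself reads correctly: avail subtracts both wcslen(target) and one element for the NUL, and the helper calls die() before wcsncat() when src does not fit.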
diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb
index 2079c3ddc8..063446645e 100644
--- a/meta/recipes-devtools/git/git_2.35.7.bb
+++ b/meta/recipes-devtools/git/git_2.35.7.bb
@@ -28,6 +28,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
file://CVE-2024-52006.patch \
file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \
file://CVE-2025-48384.patch \
+ file://CVE-2025-48386.patch \
"
S = "${WORKDIR}/git-${PV}"
--
2.43.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 4/4] lz4: patch CVE-2025-62813
2025-10-29 2:54 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-10-29 2:54 ` [OE-core][kirkstone 3/4] git: fix CVE-2025-48386 Steve Sakoman
@ 2025-10-29 2:54 ` Steve Sakoman
3 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-10-29 2:54 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit mentioned in NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../lz4/files/CVE-2025-62813.patch | 69 +++++++++++++++++++
meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
new file mode 100644
index 0000000000..cb4d497d7c
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
@@ -0,0 +1,69 @@
+From f64efec011c058bd70348576438abac222fe6c82 Mon Sep 17 00:00:00 2001
+From: louislafosse <louis.lafosse@epitech.eu>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+
+CVE: CVE-2025-62813
+Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/lz4frame.c | 15 +++++++++++++--
+ tests/frametest.c | 9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 85daca7b..c9e4a3cf 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -530,9 +530,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+ const char* dictStart = (const char*)dictBuffer;
+- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ LZ4F_CDict* cdict = NULL;
++
+ DEBUGLOG(4, "LZ4F_createCDict_advanced");
+- if (!cdict) return NULL;
++
++ if (!dictStart)
++ return NULL;
++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ if (!cdict)
++ return NULL;
++
+ cdict->cmem = cmem;
+ if (dictSize > 64 KB) {
+ dictStart += dictSize - 64 KB;
+@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+ LZ4F_frameInfo_t* frameInfoPtr,
+ const void* srcBuffer, size_t* srcSizePtr)
+ {
++ assert(dctx != NULL);
++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+ LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+ if (dctx->dStage > dstage_storeFrameHeader) {
+ /* frameInfo already decoded */
+diff --git a/tests/frametest.c b/tests/frametest.c
+index de0fe643..90247547 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
+ size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+ size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+ size_t cSizeNoDict, cSizeWithDict;
+- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+- if (cdict == NULL) goto _output_error;
+- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ LZ4F_CDict* cdict = NULL;
+
++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ cdict = LZ4F_createCDict(CNBuffer, dictSize);
++ if (cdict == NULL)
++ goto _output_error;
++
+ DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+ { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+ if (cda == NULL) goto _output_error;
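Review bot: In the LZ4F_getFrameInfo hunk, dctx is checked only with assert(dctx != NULL), which is compiled out when NDEBUG is defined, while dctx->dStage is dereferenced a few lines later; frameInfoPtr and srcSizePtr get a real RETURN_ERROR_IF check. A build with assertions disabled therefore still dereferences a NULL dctx. As this is an upstream backport, keeping the code unchanged is reasonable, but the commit message should note the residual gap, and it is worth asking upstream whether dctx should also use RETURN_ERROR_IF(dctx == NULL, parameter_null). Please also confirm that RETURN_ERROR_IF and parameter_null already exist in the 1.9.4 lib/lz4frame.c this recipe builds.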
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index a2a178bab5..16bb4d0823 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -12,7 +12,9 @@ PE = "1"
SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
-SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https"
+SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
+ file://CVE-2025-62813.patch \
+"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
S = "${WORKDIR}/git"
--
2.43.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-12-29 23:03 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-12-29 23:03 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, December 31
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2953
The following changes since commit c15faee8854e85e02693a041d88326f30b24ee92:
cross.bbclass: Propagate dependencies to outhash (2025-12-29 08:40:22 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Jiaying Song (1):
grub: fix CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664
Vijay Anusuri (3):
go: Update CVE-2025-58187
go: Fix CVE-2025-61727
go: Fix CVE-2025-61729
.../grub/files/CVE-2025-61661.patch | 40 ++
.../grub/files/CVE-2025-61662.patch | 72 +++
.../grub/files/CVE-2025-61663_61664.patch | 64 +++
meta/recipes-bsp/grub/grub2.inc | 3 +
meta/recipes-devtools/go/go-1.17.13.inc | 5 +-
...025-58187.patch => CVE-2025-58187-1.patch} | 0
.../go/go-1.18/CVE-2025-58187-2.patch | 516 ++++++++++++++++++
.../go/go-1.18/CVE-2025-61727.patch | 229 ++++++++
.../go/go-1.18/CVE-2025-61729.patch | 172 ++++++
9 files changed, 1100 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61661.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61662.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
rename meta/recipes-devtools/go/go-1.18/{CVE-2025-58187.patch => CVE-2025-58187-1.patch} (100%)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187-2.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61727.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61729.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-12-09 21:53 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-12-09 21:53 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2836
The following changes since commit 80c7fd87fd95a79c6eb5f41b95cf70ccc70d9615:
systemd-bootchart: update SRC_URI branch (2025-12-01 07:13:56 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (2):
libxml2: Security fix for CVE-2025-7425
openssh: fix CVE-2025-61984
Peter Marko (2):
libpng: patch CVE-2025-66293
libmicrohttpd: disable experimental code by default
.../openssh/openssh/CVE-2025-61984.patch | 98 +++
.../openssh/openssh_8.9p1.bb | 1 +
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../libpng/files/CVE-2025-66293-01.patch | 60 ++
.../libpng/files/CVE-2025-66293-02.patch | 125 +++
.../libpng/libpng_1.6.39.bb | 2 +
.../libmicrohttpd/libmicrohttpd_0.9.76.bb | 3 +
8 files changed, 1092 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-08-05 16:43 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-08-05 16:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 7
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2150
The following changes since commit b4a2f74ba0b40abcdf56c4b58cae5f7ce145d511:
sqlite3: Fix CVE-2025-6965 (2025-07-29 06:39:06 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Peter Marko (3):
sqlite3: patch CVE-2025-7458
sqlite3: ignore CVE-2025-3277
glibc: stable 2.35 branch updates
Zhang Peng (1):
avahi: fix CVE-2024-52615
meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 +
.../avahi/files/CVE-2024-52615.patch | 228 ++++++++++++++++
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/0025-CVE-2025-4802.patch | 250 ------------------
meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++
.../sqlite/files/CVE-2025-7458.patch | 32 +++
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 4 +
8 files changed, 358 insertions(+), 252 deletions(-)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
delete mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch
create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-04-15 20:52 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-04-15 20:52 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 17
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1401
The following changes since commit 7399cf17590204f8289f356cce4575592d6e3536:
ghostscript: Fix CVE-2025-27836 (2025-04-08 08:36:03 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Divya Chellam (1):
ruby: fix CVE-2024-43398
Hitendra Prajapati (1):
go: fix CVE-2025-22871
Peter Marko (2):
cve-update-nvd2-native: add workaround for json5 style list
systemd: ignore CVEs which reappeared after upgrade to 250.14
.../meta/cve-update-nvd2-native.bb | 5 +
meta/recipes-core/systemd/systemd.inc | 3 +
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2025-22871.patch | 172 ++++++++++++++++++
.../ruby/ruby/CVE-2024-43398.patch | 81 +++++++++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
6 files changed, 263 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-03-27 14:43 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-03-27 14:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 31
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1277
The following changes since commit 1172a71f2104454a13e64886adbdb381aa8d6e0e:
libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt (2025-03-21 06:48:11 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (2):
linux-yocto/5.15: update to v5.15.179
linux-yocto/5.10: update to v5.10.234
Peter Marko (1):
python3: patch CVE-2025-0938
Vijay Anusuri (1):
vim: Upgrade 9.1.1115 -> 9.1.1198
.../python/python3/CVE-2025-0938.patch | 131 ++++++++++++++++++
.../python/python3_3.10.16.bb | 1 +
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 ++--
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 ++--
meta/recipes-support/vim/vim.inc | 4 +-
9 files changed, 172 insertions(+), 40 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2025-01-31 14:15 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-01-31 14:15 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, February 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/911
The following changes since commit 077aab43f2c928eb8da71934405c62327010f552:
classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture (2025-01-20 06:06:07 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepesh Varatharajan (1):
glibc: stable 2.35 branch updates
Peter Marko (1):
openssl: patch CVE-2024-13176
Yash Shinde (2):
binutils: internal gdb: Fix CVE-2024-53589
gdb: Fix CVE-2024-53589
.../openssl/openssl/CVE-2024-13176.patch | 125 ++++++++++++++++++
.../openssl/openssl_3.0.15.bb | 1 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0037-CVE-2024-53589.patch | 92 +++++++++++++
meta/recipes-devtools/gdb/gdb.inc | 1 +
.../gdb/gdb/0014-CVE-2024-53589.patch | 92 +++++++++++++
7 files changed, 313 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0037-CVE-2024-53589.patch
create mode 100644 meta/recipes-devtools/gdb/gdb/0014-CVE-2024-53589.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2024-03-07 18:38 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2024-03-07 18:38 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, March 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6658
The following changes since commit d63af11e92094487d6e358f27283e5385937e7a8:
kernel.bbclass: Set pkg-config variables for building modules (2024-03-03 11:56:20 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Chen Qi (1):
useradd-example: do not use unsupported clear text password
Fabio Estevam (1):
u-boot: Move UBOOT_INITIAL_ENV back to u-boot.inc
Hitendra Prajapati (1):
golang: Fix CVE-2023-45289 & CVE-2023-45290
Steve Sakoman (1):
selftest: skip virgl gtk/sdl test on ubuntu 18.04
.../useradd/useradd-example.bb | 4 +-
meta/classes/uboot-config.bbclass | 4 -
meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
meta/recipes-bsp/u-boot/u-boot.inc | 4 +
meta/recipes-devtools/go/go-1.17.13.inc | 2 +
.../go/go-1.21/CVE-2023-45289.patch | 121 ++++++++
.../go/go-1.21/CVE-2023-45290.patch | 270 ++++++++++++++++++
7 files changed, 401 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch
--
2.34.1
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2024-02-01 19:37 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2024-02-01 19:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, February 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6513
The following changes since commit a744a897f0ea7d34c31c024c13031221f9a85f24:
build-appliance-image: Update to kirkstone head revision (2024-01-25 04:06:50 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
python3-jinja2: upgrade 3.1.1 -> 3.1.2
Lee Chee Yang (1):
xwayland: Fix CVE-2023-6377 CVE-2023-6478
Ludovic Jozeau (1):
image-live.bbclass: LIVE_ROOTFS_TYPE support compression
Wang Mingyu (1):
python3-jinja2: upgrade 3.1.2 -> 3.1.3
meta/classes/image-live.bbclass | 2 +-
...inja2_3.1.1.bb => python3-jinja2_3.1.3.bb} | 2 +-
.../xwayland/xwayland/CVE-2023-6377.patch | 82 +++++++++++++++++++
.../xwayland/xwayland/CVE-2023-6478.patch | 66 +++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 2 +
5 files changed, 152 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/python/{python3-jinja2_3.1.1.bb => python3-jinja2_3.1.3.bb} (92%)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6377.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6478.patch
--
2.34.1
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 0/4] Patch review
@ 2023-12-29 16:07 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2023-12-29 16:07 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, January 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6384
The following changes since commit 2afd9a6002cba2a23dd62a1805b4be04083c041b:
testimage: Exclude wtmp from target-dumper commands (2023-12-20 11:40:13 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (2):
openssh: fix CVE-2023-51384
openssh: fix CVE-2023-51385
Khem Raj (1):
elfutils: Disable stringop-overflow warning for build host
Steve Sakoman (1):
testimage: drop target_dumper, host_dumper, and monitor_dumper
meta/classes/testimage.bbclass | 24 ---
.../openssh/openssh/CVE-2023-51384.patch | 171 ++++++++++++++++++
.../openssh/openssh/CVE-2023-51385.patch | 97 ++++++++++
.../openssh/openssh_8.9p1.bb | 2 +
.../elfutils/elfutils_0.186.bb | 2 +
5 files changed, 272 insertions(+), 24 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
--
2.34.1
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2025-12-29 23:03 UTC | newest]
Thread overview: 15+ messages
2025-10-29 2:54 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081 Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225 Steve Sakoman
2025-10-29 3:36 ` Khem Raj
2025-10-29 2:54 ` [OE-core][kirkstone 3/4] git: fix CVE-2025-48386 Steve Sakoman
2025-10-29 2:54 ` [OE-core][kirkstone 4/4] lz4: patch CVE-2025-62813 Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-12-29 23:03 [OE-core][kirkstone 0/4] Patch review Steve Sakoman
2025-12-09 21:53 Steve Sakoman
2025-08-05 16:43 Steve Sakoman
2025-04-15 20:52 Steve Sakoman
2025-03-27 14:43 Steve Sakoman
2025-01-31 14:15 Steve Sakoman
2024-03-07 18:38 Steve Sakoman
2024-02-01 19:37 Steve Sakoman
2023-12-29 16:07 Steve Sakoman