* [OE-core][scarthgap 0/6] Patch review
@ 2025-04-16 20:14 Steve Sakoman
  0 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-04-16 20:14 UTC
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Friday, April 18

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1409

The following changes since commit 9de38ac99c2b19f549c00ea5277faf621c6f4e65:

  patch.py: set commituser and commitemail for addNote (2025-04-11 06:47:51 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Ashish Sharma (3):
  binutils: Fix CVE-2025-1176
  binutils: patch CVE-2025-1178 & CVE-2024-57360
  binutils: patch CVE-2025-1181

Peter Marko (1):
  libarchive: upgrade 3.7.4 -> 3.7.9

Vijay Anusuri (1):
  openssh: Fix for CVE-2025-32728

Vishwas Udupa (1):
  openssl: rewrite ptest installation

 .../openssh/openssh/CVE-2025-32728.patch      |  44 +++
 .../openssh/openssh_9.6p1.bb                  |   1 +
 .../openssl/openssl/run-ptest                 |  19 +-
 .../openssl/openssl_3.2.4.bb                  |  67 ++--
 .../binutils/binutils-2.42.inc                |   5 +
 .../binutils/binutils/CVE-2024-57360.patch    |  75 ++++
 .../binutils/binutils/CVE-2025-1176.patch     | 156 ++++++++
 .../binutils/binutils/CVE-2025-1178.patch     |  38 ++
 .../binutils/binutils/CVE-2025-1181-pre.patch | 151 ++++++++
 .../binutils/binutils/CVE-2025-1181.patch     | 345 ++++++++++++++++++
 .../libarchive/CVE-2024-20696.patch           | 115 ------
 .../libarchive/CVE-2024-48957.patch           |  36 --
 .../libarchive/CVE-2024-48958.patch           |  40 --
 .../CVE-2025-1632_CVE-2025-25724.patch        |  83 -----
 .../libarchive/libarchive/configurehack.patch |   4 +-
 ...ibarchive_3.7.4.bb => libarchive_3.7.9.bb} |  12 +-
 16 files changed, 866 insertions(+), 325 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2024-57360.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1176.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1178.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1181-pre.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1181.patch
 delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
 delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
 delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
 delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch
 rename meta/recipes-extended/libarchive/{libarchive_3.7.4.bb => libarchive_3.7.9.bb} (84%)

-- 
2.43.0




* [OE-core][scarthgap 0/6] Patch review
@ 2025-10-29 20:11 Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 1/6] lz4: fix CVE-2025-62813 Steve Sakoman
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Friday, October 31

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2655

The following changes since commit 0f98fecda8a0436f760e6fd9f3b7eb510e5258b8:

  curl: only set CA bundle in target build (2025-10-24 06:41:43 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

David Nyström (1):
  lz4: fix CVE-2025-62813

Hongxu Jia (1):
  u-boot: fix CVE-2024-42040

Praveen Kumar (1):
  bind: upgrade 9.18.33 -> 9.18.41

Yash Shinde (2):
  binutils: fix CVE-2025-11081
  binutils: fix CVE-2025-8225

Yogita Urade (1):
  tiff: ignore CVE-2025-8961

 .../u-boot/files/CVE-2024-42040.patch         | 56 +++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  1 +
 .../bind/{bind_9.18.33.bb => bind_9.18.41.bb} |  2 +-
 .../binutils/binutils-2.42.inc                |  2 +
 .../binutils/0026-CVE-2025-11081.patch        | 84 +++++++++++++++++++
 .../binutils/0027-CVE-2025-8225.patch         | 47 +++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb |  2 +-
 .../lz4/files/CVE-2025-62813.patch            | 73 ++++++++++++++++
 meta/recipes-support/lz4/lz4_1.9.4.bb         |  5 +-
 9 files changed, 268 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
 rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
 create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch

-- 
2.43.0




* [OE-core][scarthgap 1/6] lz4: fix CVE-2025-62813
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 2/6] binutils: fix CVE-2025-11081 Steve Sakoman
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: David Nyström <david.nystrom@est.tech>

Prevent attackers from causing a denial of service (application crash) or
possibly having unspecified other impact when the application processes
untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
lib/lz4frame.c mishandles NULL checks.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62813

Upstream patch:
https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82

Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lz4/files/CVE-2025-62813.patch            | 73 +++++++++++++++++++
 meta/recipes-support/lz4/lz4_1.9.4.bb         |  5 +-
 2 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch

diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
new file mode 100644
index 0000000000..bbd0f74541
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
@@ -0,0 +1,73 @@
+From 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 Mon Sep 17 00:00:00 2001
+From: louislafosse <louis.lafosse@epitech.eu>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
+CVE: CVE-2025-62813
+
+Signed-off-by: David Nyström <david.nystrom@est.tech>
+---
+ lib/lz4frame.c    | 15 +++++++++++++--
+ tests/frametest.c |  9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 174f9ae4..cc6ed6f1 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -530,9 +530,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+     const char* dictStart = (const char*)dictBuffer;
+-    LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    LZ4F_CDict* cdict = NULL;
++
+     DEBUGLOG(4, "LZ4F_createCDict_advanced");
+-    if (!cdict) return NULL;
++
++    if (!dictStart)
++        return NULL;
++    cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    if (!cdict)
++        return NULL;
++
+     cdict->cmem = cmem;
+     if (dictSize > 64 KB) {
+         dictStart += dictSize - 64 KB;
+@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+                                    LZ4F_frameInfo_t* frameInfoPtr,
+                              const void* srcBuffer, size_t* srcSizePtr)
+ {
++    assert(dctx != NULL);
++    RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++    RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+     LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+     if (dctx->dStage > dstage_storeFrameHeader) {
+         /* frameInfo already decoded */
+diff --git a/tests/frametest.c b/tests/frametest.c
+index 33019551..523e35d1 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
+         size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+         size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+         size_t cSizeNoDict, cSizeWithDict;
+-        LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+-        if (cdict == NULL) goto _output_error;
+-        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        LZ4F_CDict* cdict = NULL;
+ 
++        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        cdict = LZ4F_createCDict(CNBuffer, dictSize);
++        if (cdict == NULL)
++            goto _output_error;
++        
+         DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+         {   LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+             if (cda == NULL) goto _output_error;
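
Review bot: in the LZ4F_getFrameInfo hunk of the embedded lib/lz4frame.c change, dctx is guarded only by assert(dctx != NULL), which is compiled out when NDEBUG is defined, so the dctx->dStage read a few lines later is still reached with a NULL context in release builds, while frameInfoPtr and srcSizePtr get a real RETURN_ERROR_IF. If that matches upstream it is reasonable to carry it unchanged in a backport, but say so in the commit message so the remaining gap is on record. Separately, the From line names 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 while Upstream-Status points at f64efec011c058bd70348576438abac222fe6c82; a short note on why the two hashes differ would help whoever next refreshes this patch.
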
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index 51a854d44a..8c96f9bab4 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -13,8 +13,9 @@ PE = "1"
 SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
 
 SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
-	   file://run-ptest \
-	   "
+           file://run-ptest \
+           file://CVE-2025-62813.patch \
+           "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 
 S = "${WORKDIR}/git"
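
Review bot: the SRC_URI hunk re-indents the existing file://run-ptest line and the closing quote from a tab to spaces, so three lines change in order to add one entry. On a stable branch, keep the existing indentation and add only the file://CVE-2025-62813.patch line; that keeps the recipe change to a single insertion and avoids needless conflicts with later backports.
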
-- 
2.43.0




* [OE-core][scarthgap 2/6] binutils: fix CVE-2025-11081
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 1/6] lz4: fix CVE-2025-62813 Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 3/6] binutils: fix CVE-2025-8225 Steve Sakoman
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE: CVE-2025-11081

Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.

	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
	elf_section_type without first checking the file is ELF.

PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/0026-CVE-2025-11081.patch        | 84 +++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 3e180b6018..5447ab0da4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -61,5 +61,6 @@ SRC_URI = "\
      file://0023-CVE-2025-7545.patch \
      file://0024-CVE-2025-11082.patch \
      file://0025-CVE-2025-11083.patch \
+     file://0026-CVE-2025-11081.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
new file mode 100644
index 0000000000..31dbef52fa
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
@@ -0,0 +1,84 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+	* objdump (dump_sframe_section, dump_dwarf_section): Don't access
+	elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4418,6 +4418,10 @@
+   else
+     match = name;
+ 
++  if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++      && elf_section_type (section) == SHT_GNU_SFRAME)
++    match = ".sframe";
++
+   for (i = 0; i < max; i++)
+     if ((strcmp (debug_displays [i].section.uncompressed_name, match) == 0
+	 || strcmp (debug_displays [i].section.compressed_name, match) == 0
+@@ -4923,6 +4927,36 @@
+ }
+ 
++static void
++dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
++
++{
++  /* Error checking for user provided SFrame section name, if any.  */
++  if (sect_name)
++    {
++      asection *sec = bfd_get_section_by_name (abfd, sect_name);
++      if (sec == NULL)
++       {
++         printf (_("No %s section present\n\n"), sanitize_string (sect_name));
++         return;
++       }
++      /* Starting with Binutils 2.45, SFrame sections have section type
++        SHT_GNU_SFRAME.  For SFrame sections from Binutils 2.44 or earlier,
++        check explcitly for SFrame sections of type SHT_PROGBITS and name
++        ".sframe" to allow them.  */
++      else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
++              || (elf_section_type (sec) != SHT_GNU_SFRAME
++                  && !(elf_section_type (sec) == SHT_PROGBITS
++                       && strcmp (sect_name, ".sframe") == 0)))
++       {
++         printf (_("Section %s does not contain SFrame data\n\n"),
++                 sanitize_string (sect_name));
++         return;
++       }
++    }
++  dump_dwarf (abfd, is_mainfile);
++}
++
+ static void
+ dump_target_specific (bfd *abfd)
+ {
+   const struct objdump_private_desc * const *desc;
+diff --git a/include/elf/common.h b/include/elf/common.h
+--- a/include/elf/common.h
++++ b/include/elf/common.h 
+@@ -528,6 +528,8 @@
+ #define SHT_LOOS	0x60000000	/* First of OS specific semantics */
+ #define SHT_HIOS	0x6fffffff	/* Last of OS specific semantics */
+ 
++#define SHT_GNU_SFRAME	0x6ffffff4	/* SFrame stack trace information.  */
++
+ #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700   /* incremental build data */
+ #define SHT_GNU_ATTRIBUTES 0x6ffffff5	/* Object attributes */
+ #define SHT_GNU_HASH	0x6ffffff6	/* GNU style symbol hash table */
-- 
2.43.0




* [OE-core][scarthgap 3/6] binutils: fix CVE-2025-8225
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 1/6] lz4: fix CVE-2025-62813 Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 2/6] binutils: fix CVE-2025-11081 Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 4/6] u-boot: fix CVE-2024-42040 Steve Sakoman
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: Yash Shinde <Yash.Shinde@windriver.com>

CVE: CVE-2025-8225

It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.

* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/0027-CVE-2025-8225.patch         | 47 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 5447ab0da4..dcd3325ecc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -62,5 +62,6 @@ SRC_URI = "\
      file://0024-CVE-2025-11082.patch \
      file://0025-CVE-2025-11083.patch \
      file://0026-CVE-2025-11081.patch \
+     file://0027-CVE-2025-8225.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
new file mode 100644
index 0000000000..410ba64143
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
@@ -0,0 +1,47 @@
+From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 19 Feb 2025 22:45:29 +1030
+Subject: [PATCH] binutils/dwarf.c debug_information leak
+
+It is possible with fuzzed files to have num_debug_info_entries zero
+after allocating space for debug_information, leading to multiple
+allocations.
+
+	* dwarf.c (process_debug_info): Don't test num_debug_info_entries
+	to determine whether debug_information has been allocated,
+	test alloc_num_debug_info_entries.
+---
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
+CVE: CVE-2025-8225
+
+ binutils/dwarf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 8e004cea839..bfbf83ec9f4 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section,
+     }
+ 
+   if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+-      && num_debug_info_entries == 0
+-      && ! do_types)
++      && alloc_num_debug_info_entries == 0
++      && !do_types)
+     {
+-
+       /* Then allocate an array to hold the information.  */
+-      debug_information = (debug_info *) cmalloc (num_units,
+-						  sizeof (* debug_information));
++      debug_information = cmalloc (num_units, sizeof (*debug_information));
+       if (debug_information == NULL)
+ 	{
+ 	  error (_("Not enough memory for a debug info array of %u entries\n"),
+-- 
+2.43.7
+
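
Review bot: in the embedded patch header, Upstream-Status and CVE sit below the --- separator and the two Signed-off-by lines come after the diffstat. git am discards everything between --- and the diff, so these tags are lost the next time the patch is applied and regenerated from a git tree; move all of them above the --- line, directly after the ChangeLog text.
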
-- 
2.43.0




* [OE-core][scarthgap 4/6] u-boot: fix CVE-2024-42040
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2025-10-29 20:11 ` [OE-core][scarthgap 3/6] binutils: fix CVE-2025-8225 Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 5/6] tiff: ignore CVE-2025-8961 Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 6/6] bind: upgrade 9.18.33 -> 9.18.41 Steve Sakoman
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: Hongxu Jia <hongxu.jia@windriver.com>

Backport a patch [1] from upstream to fix CVE-2024-42040 [2]

[1] https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-42040

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-42040.patch         | 56 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
new file mode 100644
index 0000000000..2d250e51b7
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
++++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 	debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+ 	      src, dest, len, sizeof(struct bootp_hdr));
+ 
++	/* Check the minimum size of a BOOTP packet is respected.
++	 * A BOOTP packet is between 300 bytes and 576 bytes big
++	 */
++	if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
++		printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
++		return;
++	}
++
+ 	bp = (struct bootp_hdr *)pkt;
+ 
+ 	/* Filter out pkts we don't want */
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+ 	/* Retrieve extended information (we must parse the vendor area) */
+ 	if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+-		bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
++		bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
++				     (offsetof(struct bootp_hdr, bp_vend) + 4));
+ 
+ 	net_set_timeout_handler(0, (thand_f *)0);
+ 	bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
+-- 
+2.49.0
+
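
Review bot: the comment on the new length check in bootp_handler says a BOOTP packet is between 300 and 576 bytes, but the condition only enforces a lower bound, len < offsetof(struct bootp_hdr, bp_vend) + 64; either drop the upper figure from the comment or state that it is not enforced here. The subtraction passed to bootp_process_vendor in the second hunk cannot wrap only because this check has already rejected short packets, which deserves a one-line comment at the call site so the two hunks are not separated by a later change. The From hash 1406fc918977bba4dac0af5e22e63a5553aa6aff also differs from the 81e5708cc2c865df606e49aed5415adb2a662171 commit named in Upstream-Status; note the reason in the header.
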
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 3a48b63c42..da34e3d3e8 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -23,6 +23,7 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57258-2.patch \
            file://CVE-2024-57258-3.patch \
            file://CVE-2024-57259.patch \
+           file://CVE-2024-42040.patch \
 "
 
 S = "${WORKDIR}/git"
-- 
2.43.0




* [OE-core][scarthgap 5/6] tiff: ignore CVE-2025-8961
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2025-10-29 20:11 ` [OE-core][scarthgap 4/6] u-boot: fix CVE-2024-42040 Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  2025-10-29 20:11 ` [OE-core][scarthgap 6/6] bind: upgrade 9.18.33 -> 9.18.41 Steve Sakoman
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: Yogita Urade <yogita.urade@windriver.com>

This CVE is for the tool which is removed in v4.6.0 via [1] and
re-introduced again in v4.7.0 via [2].

[1] https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
[2] https://gitlab.com/libtiff/libtiff/-/commit/9ab54a858049bef020d578c71d82669531551c00

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 9957699fb2..777783d7cc 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://secur
 CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS"
-CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851"
+CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961"
 CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by these CVEs are not present in this release"
 
 inherit autotools multilib_header
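
Review bot: CVE-2025-8961 is appended to CVE_STATUS_REMOVED_TOOLS, whose status text says only that the affected tools are not present in this release; nothing in the recipe records which tool this entry refers to or that, per the commit message, it returns in v4.7.0. A comment above the variable pointing at the removal commit would make sure the entry is revisited when the recipe moves past 4.6.0.
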
-- 
2.43.0




* [OE-core][scarthgap 6/6] bind: upgrade 9.18.33 -> 9.18.41
  2025-10-29 20:11 [OE-core][scarthgap 0/6] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2025-10-29 20:11 ` [OE-core][scarthgap 5/6] tiff: ignore CVE-2025-8961 Steve Sakoman
@ 2025-10-29 20:11 ` Steve Sakoman
  5 siblings, 0 replies; 8+ messages in thread
From: Steve Sakoman @ 2025-10-29 20:11 UTC
  To: openembedded-core

From: Praveen Kumar <praveen.kumar@windriver.com>

This upgrade fixes
CVE-2025-8677, CVE-2025-40778 and CVE-2025-40780.

Changelog
==========
https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/changelog.html

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/{bind_9.18.33.bb => bind_9.18.41.bb}                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.33.bb b/meta/recipes-connectivity/bind/bind_9.18.41.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.33.bb
rename to meta/recipes-connectivity/bind/bind_9.18.41.bb
index 2554a7bb5f..a83ec29bb4 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.33.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.41.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
+SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
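
Review bot: the only change under the rename is SRC_URI[sha256sum], and the commit message gives three CVE numbers and a changelog link for a jump from 9.18.33 to 9.18.41. For a stable branch, add a line to the commit message stating that the intermediate releases carry bug and security fixes only, and that 0001-avoid-start-failure-with-bind-user.patch still applies unchanged.
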
-- 
2.43.0



