* [OE-core][scarthgap 1/6] lz4: fix CVE-2025-62813
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: David Nyström <david.nystrom@est.tech>
Prevent attackers from causing a denial of service (application crash) or
possibly having unspecified other impact when the application processes
untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
lib/lz4frame.c mishandles NULL checks.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62813
Upstream patch:
https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../lz4/files/CVE-2025-62813.patch | 73 +++++++++++++++++++
meta/recipes-support/lz4/lz4_1.9.4.bb | 5 +-
2 files changed, 76 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch
diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
new file mode 100644
index 0000000000..bbd0f74541
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch
@@ -0,0 +1,73 @@
+From 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 Mon Sep 17 00:00:00 2001
+From: louislafosse <louis.lafosse@epitech.eu>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
+CVE: CVE-2025-62813
+
+Signed-off-by: David Nyström <david.nystrom@est.tech>
+---
+ lib/lz4frame.c | 15 +++++++++++++--
+ tests/frametest.c | 9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 174f9ae4..cc6ed6f1 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -530,9 +530,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+ const char* dictStart = (const char*)dictBuffer;
+- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ LZ4F_CDict* cdict = NULL;
++
+ DEBUGLOG(4, "LZ4F_createCDict_advanced");
+- if (!cdict) return NULL;
++
++ if (!dictStart)
++ return NULL;
++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++ if (!cdict)
++ return NULL;
++
+ cdict->cmem = cmem;
+ if (dictSize > 64 KB) {
+ dictStart += dictSize - 64 KB;
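Review bot: In LZ4F_createCDict_advanced, the new `if (!dictStart) return NULL;` makes a NULL dictBuffer indistinguishable from an allocation failure for the caller, and it applies even when dictSize is 0. If a NULL dictionary is meant to be an invalid argument in every case, a DEBUGLOG line on that path and a sentence in the function's documentation would make the contract explicit. Doing the check before the LZ4F_malloc call is the right order, since nothing is allocated on the early return.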
+@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+ LZ4F_frameInfo_t* frameInfoPtr,
+ const void* srcBuffer, size_t* srcSizePtr)
+ {
++ assert(dctx != NULL);
++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+ LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+ if (dctx->dStage > dstage_storeFrameHeader) {
+ /* frameInfo already decoded */
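Review bot: In LZ4F_getFrameInfo, `assert(dctx != NULL);` protects the following `dctx->dStage` read only in builds where assertions are enabled, while frameInfoPtr and srcSizePtr get a real runtime check. Suggest treating dctx the same way, e.g. `RETURN_ERROR_IF(dctx == NULL, parameter_null);`, so that a NULL context is rejected in release builds too.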
+diff --git a/tests/frametest.c b/tests/frametest.c
+index 33019551..523e35d1 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
+ size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+ size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+ size_t cSizeNoDict, cSizeWithDict;
+- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+- if (cdict == NULL) goto _output_error;
+- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ LZ4F_CDict* cdict = NULL;
+
++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++ cdict = LZ4F_createCDict(CNBuffer, dictSize);
++ if (cdict == NULL)
++ goto _output_error;
++
+ DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+ { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+ if (cda == NULL) goto _output_error;
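Review bot: The new NULL checks in lib/lz4frame.c are not exercised by the frametest.c change: the lines shown only move the existing LZ4F_createCDict call after LZ4F_createCompressionContext, and none of them passes NULL to LZ4F_createCDict_advanced or LZ4F_getFrameInfo. A case asserting that `LZ4F_createCDict_advanced(lz4f_cmem_test, NULL, dictSize)` returns NULL would cover the behaviour this patch introduces.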
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index 51a854d44a..8c96f9bab4 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -13,8 +13,9 @@ PE = "1"
SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
- file://run-ptest \
- "
+ file://run-ptest \
+ file://CVE-2025-62813.patch \
+ "
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
S = "${WORKDIR}/git"
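Review bot: In SRC_URI, the `file://run-ptest \` line and the closing quote are removed and re-added with the same visible content, which accounts for the two deletions in the diffstat and looks like an indentation-only change. For a stable-branch CVE fix, leaving those lines alone and adding only `file://CVE-2025-62813.patch \` would keep the diff to the one functional line.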
--
2.43.0
* [OE-core][scarthgap 2/6] binutils: fix CVE-2025-11081
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE: CVE-2025-11081
Trying to dump .sframe in a PE file results in a segfault accessing
elf_section_data.
* objdump (dump_sframe_section, dump_dwarf_section): Don't access
elf_section_type without first checking the file is ELF.
PR 33406 SEGV in dump_dwarf_section
[https://sourceware.org/bugzilla/show_bug.cgi?id=33406]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/0026-CVE-2025-11081.patch | 84 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 3e180b6018..5447ab0da4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -61,5 +61,6 @@ SRC_URI = "\
file://0023-CVE-2025-7545.patch \
file://0024-CVE-2025-11082.patch \
file://0025-CVE-2025-11083.patch \
+ file://0026-CVE-2025-11081.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
new file mode 100644
index 0000000000..31dbef52fa
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2025-11081.patch
@@ -0,0 +1,84 @@
+From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 9 Sep 2025 18:32:09 +0930
+Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section
+
+Trying to dump .sframe in a PE file results in a segfault accessing
+elf_section_data.
+
+ * objdump (dump_sframe_section, dump_dwarf_section): Don't access
+ elf_section_type without first checking the file is ELF.
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b]
+CVE: CVE-2025-11081
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 290f7e51f66..ee8823da05a 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -4418,6 +4418,10 @@
+ else
+ match = name;
+
++ if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
++ && elf_section_type (section) == SHT_GNU_SFRAME)
++ match = ".sframe";
++
+ for (i = 0; i < max; i++)
+ if ((strcmp (debug_displays [i].section.uncompressed_name, match) == 0
+ || strcmp (debug_displays [i].section.compressed_name, match) == 0
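Review bot: The diffstat in the patch header (`1 file changed, 6 insertions(+), 4 deletions(-)`) does not match the objdump.c hunk at line 4418, which has insertions only, and the changelog entry speaks of guarding accesses to elf_section_type that this hunk does not show being changed. As presented, the patch adds the SHT_GNU_SFRAME lookup rather than fixing an existing one, so it is not a straight cherry-pick. Please say in the Upstream-Status line or the commit message how it was adapted for 2.42, and regenerate the diffstat.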
+@@ -4923,6 +4927,36 @@
+ }
+
++static void
++dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile)
++
++{
++ /* Error checking for user provided SFrame section name, if any. */
++ if (sect_name)
++ {
++ asection *sec = bfd_get_section_by_name (abfd, sect_name);
++ if (sec == NULL)
++ {
++ printf (_("No %s section present\n\n"), sanitize_string (sect_name));
++ return;
++ }
++ /* Starting with Binutils 2.45, SFrame sections have section type
++ SHT_GNU_SFRAME. For SFrame sections from Binutils 2.44 or earlier,
++ check explcitly for SFrame sections of type SHT_PROGBITS and name
++ ".sframe" to allow them. */
++ else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour
++ || (elf_section_type (sec) != SHT_GNU_SFRAME
++ && !(elf_section_type (sec) == SHT_PROGBITS
++ && strcmp (sect_name, ".sframe") == 0)))
++ {
++ printf (_("Section %s does not contain SFrame data\n\n"),
++ sanitize_string (sect_name));
++ return;
++ }
++ }
++ dump_dwarf (abfd, is_mainfile);
++}
++
+ static void
+ dump_target_specific (bfd *abfd)
+ {
+ const struct objdump_private_desc * const *desc;
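Review bot: dump_sframe_section is added as a new static function, but no hunk in this patch adds a call to it, so as shown it is dead code and would draw an unused-function warning. The flavour test itself is ordered correctly, with `bfd_get_flavour (abfd) != bfd_target_elf_flavour` evaluated before either elf_section_type call. Please either include the call site or drop the function from the backport.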
+diff --git a/include/elf/common.h b/include/elf/common.h
+--- a/include/elf/common.h
++++ b/include/elf/common.h
+@@ -528,6 +528,8 @@
+ #define SHT_LOOS 0x60000000 /* First of OS specific semantics */
+ #define SHT_HIOS 0x6fffffff /* Last of OS specific semantics */
+
++#define SHT_GNU_SFRAME 0x6ffffff4 /* SFrame stack trace information. */
++
+ #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700 /* incremental build data */
+ #define SHT_GNU_ATTRIBUTES 0x6ffffff5 /* Object attributes */
+ #define SHT_GNU_HASH 0x6ffffff6 /* GNU style symbol hash table */
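Review bot: include/elf/common.h is modified here but is missing from the diffstat in the patch header, which lists only binutils/objdump.c, and its `diff --git` block has no index line. Adding `#define SHT_GNU_SFRAME 0x6ffffff4` brings a new section type into the 2.42 headers as part of a CVE fix; the commit message should state where this define comes from and why the backport needs it.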
--
2.43.0
* [OE-core][scarthgap 3/6] binutils: fix CVE-2025-8225
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE: CVE-2025-8225
It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.
* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/0027-CVE-2025-8225.patch | 47 +++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 5447ab0da4..dcd3325ecc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -62,5 +62,6 @@ SRC_URI = "\
file://0024-CVE-2025-11082.patch \
file://0025-CVE-2025-11083.patch \
file://0026-CVE-2025-11081.patch \
+ file://0027-CVE-2025-8225.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
new file mode 100644
index 0000000000..410ba64143
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0027-CVE-2025-8225.patch
@@ -0,0 +1,47 @@
+From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 19 Feb 2025 22:45:29 +1030
+Subject: [PATCH] binutils/dwarf.c debug_information leak
+
+It is possible with fuzzed files to have num_debug_info_entries zero
+after allocating space for debug_information, leading to multiple
+allocations.
+
+ * dwarf.c (process_debug_info): Don't test num_debug_info_entries
+ to determine whether debug_information has been allocated,
+ test alloc_num_debug_info_entries.
+---
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
+CVE: CVE-2025-8225
+
+ binutils/dwarf.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+Signed-off-by: Alan Modra <amodra@gmail.com>
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 8e004cea839..bfbf83ec9f4 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section,
+ }
+
+ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+- && num_debug_info_entries == 0
+- && ! do_types)
++ && alloc_num_debug_info_entries == 0
++ && !do_types)
+ {
+-
+ /* Then allocate an array to hold the information. */
+- debug_information = (debug_info *) cmalloc (num_units,
+- sizeof (* debug_information));
++ debug_information = cmalloc (num_units, sizeof (*debug_information));
+ if (debug_information == NULL)
+ {
+ error (_("Not enough memory for a debug info array of %u entries\n"),
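Review bot: The switch to `alloc_num_debug_info_entries == 0` prevents the repeated allocation only if that counter is set once cmalloc succeeds and cleared wherever debug_information is freed, and neither assignment is visible in this hunk. Please confirm against the 2.42 sources that both hold; otherwise the array is either reallocated on every call or not reallocated after a free. The dropped `(debug_info *)` cast and the reflowed cmalloc line are cosmetic.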
+--
+2.43.7
+
--
2.43.0
* [OE-core][scarthgap 4/6] u-boot: fix CVE-2024-42040
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
Backport a patch [1] from upstream to fix CVE-2024-42040 [2]
[1] https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-42040
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../u-boot/files/CVE-2024-42040.patch | 56 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot-common.inc | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
new file mode 100644
index 0000000000..2d250e51b7
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
++++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+ src, dest, len, sizeof(struct bootp_hdr));
+
++ /* Check the minimum size of a BOOTP packet is respected.
++ * A BOOTP packet is between 300 bytes and 576 bytes big
++ */
++ if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
++ printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
++ return;
++ }
++
+ bp = (struct bootp_hdr *)pkt;
+
+ /* Filter out pkts we don't want */
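Review bot: The length check in bootp_handler uses a bare `64` in `offsetof(struct bootp_hdr, bp_vend) + 64`, while the comment above it mentions 300 and 576 bytes without connecting either number to the expression. A short comment saying what the 64 stands for (presumably the minimum vendor area that makes up the 300-byte minimum), or a named constant, would let a reader verify the bound. The error message also prints len with `%u` where the debug line just above uses `%d` for the same variable; one of the two should be adjusted to the actual type.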
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+
+ /* Retrieve extended information (we must parse the vendor area) */
+ if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+- bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
++ bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
++ (offsetof(struct bootp_hdr, bp_vend) + 4));
+
+ net_set_timeout_handler(0, (thand_f *)0);
+ bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
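Review bot: The subtraction `len - (offsetof(struct bootp_hdr, bp_vend) + 4)` is safe from wrapping only because of the minimum-length check added earlier in bootp_handler, and nothing at this call site says so. A one-line comment tying the two together, or computing the vendor length once next to that check and passing the variable here, would keep a later edit from separating them.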
+--
+2.49.0
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 3a48b63c42..da34e3d3e8 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -23,6 +23,7 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
file://CVE-2024-57258-2.patch \
file://CVE-2024-57258-3.patch \
file://CVE-2024-57259.patch \
+ file://CVE-2024-42040.patch \
"
S = "${WORKDIR}/git"
--
2.43.0
* [OE-core][scarthgap 5/6] tiff: ignore CVE-2025-8961
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
This CVE is for the tool which is removed in v4.6.0 via [1] and
re-introduced again in v4.7.0 via [2].
[1] https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
[2] https://gitlab.com/libtiff/libtiff/-/commit/9ab54a858049bef020d578c71d82669531551c00
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 9957699fb2..777783d7cc 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://secur
CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS"
-CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851"
+CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961"
CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by these CVEs are not present in this release"
inherit autotools multilib_header
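Review bot: CVE-2025-8961 is appended to CVE_STATUS_REMOVED_TOOLS with the status text "tools affected by these CVEs are not present in this release", but the commit message says the tool comes back in v4.7.0 and nothing in the recipe records that. A comment above the variable naming the version in which the tool returns would prompt whoever upgrades the recipe to re-evaluate these entries.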
--
2.43.0
* [OE-core][scarthgap 6/6] bind: upgrade 9.18.33 -> 9.18.41
From: Steve Sakoman @ 2025-10-29 20:11 UTC
To: openembedded-core
From: Praveen Kumar <praveen.kumar@windriver.com>
This upgrade fixes
CVE-2025-8677, CVE-2025-40778 and CVE-2025-40780.
Changelog
==========
https://downloads.isc.org/isc/bind9/9.18.41/doc/arm/html/changelog.html
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../bind/{bind_9.18.33.bb => bind_9.18.41.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)
diff --git a/meta/recipes-connectivity/bind/bind_9.18.33.bb b/meta/recipes-connectivity/bind/bind_9.18.41.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.33.bb
rename to meta/recipes-connectivity/bind/bind_9.18.41.bb
index 2554a7bb5f..a83ec29bb4 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.33.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.41.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
+SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# follow the ESV versions divisible by 2
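Review bot: Only the `SRC_URI[sha256sum]` line changes across a jump from 9.18.33 to 9.18.41, and the commit message gives just a changelog link for everything in between. Please confirm that `0001-avoid-start-failure-with-bind-user.patch` still applies without fuzz and that the license checksum is unchanged for the new tarball.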
--
2.43.0