* [OE-core][scarthgap 0/8] Patch review
@ 2025-01-23 2:59 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-01-23 2:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, January 24
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/869
The following changes since commit 660e00469f9c99fe733cc8b37f67438a96ff2e97:
libgfortran: fix buildpath QA issue (2025-01-21 12:33:25 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Archana Polampalli (6):
rsync: fix CVE-2024-12084
rsync: fix CVE-2024-12085
rsync: fix CVE-2024-12086
rsync: fix CVE-2024-12087
rsync: fix CVE-2024-12088
rsync: fix CVE-2024-12747
Harish Sadineni (1):
rust-target-config: Fix TARGET_C_INT_WIDTH with correct size
Jiaying Song (1):
boost: fix do_fetch error
.../classes-recipe/rust-target-config.bbclass | 10 +-
.../rsync/files/CVE-2024-12084-0001.patch | 156 ++++++++++++++
.../rsync/files/CVE-2024-12084-0002.patch | 43 ++++
.../rsync/files/CVE-2024-12085.patch | 32 +++
.../rsync/files/CVE-2024-12086-0001.patch | 42 ++++
.../rsync/files/CVE-2024-12086-0002.patch | 108 ++++++++++
.../rsync/files/CVE-2024-12086-0003.patch | 108 ++++++++++
.../rsync/files/CVE-2024-12086-0004.patch | 41 ++++
.../rsync/files/CVE-2024-12087-0001.patch | 49 +++++
.../rsync/files/CVE-2024-12087-0002.patch | 31 +++
.../rsync/files/CVE-2024-12087-0003.patch | 40 ++++
.../rsync/files/CVE-2024-12088.patch | 141 +++++++++++++
.../rsync/files/CVE-2024-12747.patch | 192 ++++++++++++++++++
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 12 ++
meta/recipes-support/boost/boost-1.84.0.inc | 2 +-
15 files changed, 1001 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12085.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12088.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12747.patch
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-04-11 20:33 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-04-11 20:33 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, April 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1386
Note: there was a failure during oe-selftest-fedora cve_check which is related to NFS issues on the autobuilder infrastructure and not this patch set
The following changes since commit 4003b5faa1e5acfa025e1d0df4e021e06cf8724c:
mc: set ac_cv_path_ZIP to avoid buildpaths QA issues (2025-04-01 08:10:07 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Archana Polampalli (2):
go: fix CVE-2025-22870
ghostscript: upgrade 10.04.0 -> 10.05.0
Changqing Li (1):
patch.py: set commituser and commitemail for addNote
Hitendra Prajapati (1):
go: fix CVE-2025-22871
Peter Marko (4):
ofono: patch CVE-2024-7537
cve-update-nvd2-native: add workaround for json5 style list
xz: upgrade 5.4.6 -> 5.4.7
xz: patch CVE-2025-31115
meta/lib/oe/patch.py | 14 +-
.../ofono/ofono/CVE-2024-7537.patch | 59 ++++++
meta/recipes-connectivity/ofono/ofono_2.4.bb | 1 +
.../meta/cve-update-nvd2-native.bb | 5 +
meta/recipes-devtools/go/go-1.22.12.inc | 2 +
.../go/go/CVE-2025-22870.patch | 80 ++++++++
.../go/go/CVE-2025-22871.patch | 172 ++++++++++++++++++
...ript_10.04.0.bb => ghostscript_10.05.0.bb} | 2 +-
.../xz/xz/CVE-2025-31115-01.patch | 29 +++
.../xz/xz/CVE-2025-31115-02.patch | 152 ++++++++++++++++
.../xz/xz/CVE-2025-31115-03.patch | 98 ++++++++++
.../xz/xz/CVE-2025-31115-04.patch | 56 ++++++
.../xz/{xz_5.4.6.bb => xz_5.4.7.bb} | 8 +-
13 files changed, 669 insertions(+), 9 deletions(-)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-22870.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-22871.patch
rename meta/recipes-extended/ghostscript/{ghostscript_10.04.0.bb => ghostscript_10.05.0.bb} (97%)
create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-01.patch
create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-02.patch
create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-03.patch
create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-04.patch
rename meta/recipes-extended/xz/{xz_5.4.6.bb => xz_5.4.7.bb} (89%)
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-05-09 15:45 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-05-09 15:45 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, May 13
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1557
The following changes since commit 45c50169fa7e34349acf3e24fc19e573cbab4e65:
bluez5: backport a patch to fix btmgmt -i (2025-05-06 09:01:45 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Haixiao Yan (1):
glibc: Add single-threaded fast path to rand()
Praveen Kumar (1):
connman: fix CVE-2025-32743
Vijay Anusuri (6):
libsoup-2.4: Fix CVE-2024-52530
libsoup-2.4: Fix CVE-2024-52531
libsoup-2.4: Fix CVE-2024-52532
libsoup-2.4: Fix CVE-2025-32906
libsoup-2.4: Fix CVE-2025-32909
libsoup: Fix CVE-2025-32914
.../connman/connman/CVE-2025-32743.patch | 48 ++++++
.../connman/connman_1.42.bb | 1 +
...dd-single-threaded-fast-path-to-rand.patch | 47 ++++++
meta/recipes-core/glibc/glibc_2.39.bb | 1 +
.../libsoup/libsoup-2.4/CVE-2024-52530.patch | 149 ++++++++++++++++++
.../libsoup-2.4/CVE-2024-52531-1.patch | 131 +++++++++++++++
.../libsoup-2.4/CVE-2024-52531-2.patch | 36 +++++
.../libsoup-2.4/CVE-2024-52532-1.patch | 36 +++++
.../libsoup-2.4/CVE-2024-52532-2.patch | 42 +++++
.../libsoup-2.4/CVE-2024-52532-3.patch | 46 ++++++
.../libsoup-2.4/CVE-2025-32906-1.patch | 61 +++++++
.../libsoup-2.4/CVE-2025-32906-2.patch | 83 ++++++++++
.../libsoup/libsoup-2.4/CVE-2025-32909.patch | 36 +++++
.../libsoup/libsoup-2.4_2.74.3.bb | 12 +-
.../libsoup-3.4.4/CVE-2025-32914.patch | 111 +++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
16 files changed, 840 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52530.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52531-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2024-52532-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32906-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32909.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32914.patch
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-06-17 16:04 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-06-17 16:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, June 19
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1820
The following changes since commit f7ee6db8ca5dc72b7a468531e31403b60e6a0020:
testimage: get real os-release file (2025-06-09 08:06:42 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.10
Colin Pinnell McAllister (1):
ffmpeg: fix CVE-2025-1373
Deepesh Varatharajan (1):
gcc: Upgrade to GCC 13.4
Jiaying Song (1):
python3-requests: upgrade 2.32.3 -> 2.32.4
Peter Marko (1):
net-tools: patch CVE-2025-46836
Poonam Jadhav (1):
libpng: Add ptest
Sandeep Gundlupet Raju (1):
tune-cortexr52: Remove aarch64 for ARM Cortex-R52
Savvas Etairidis (1):
systemd: Rename systemd_v255.21 to systemd_255.21
meta/conf/distro/include/maintainers.inc | 2 +-
.../distro/include/ptest-packagelists.inc | 1 +
.../include/arm/armv8r/tune-cortexr52.inc | 5 +-
.../{systemd_v255.21.bb => systemd_255.21.bb} | 0
.../gcc/{gcc-13.3.inc => gcc-13.4.inc} | 8 +-
...ian_13.3.bb => gcc-cross-canadian_13.4.bb} | 0
.../{gcc-cross_13.3.bb => gcc-cross_13.4.bb} | 0
...-crosssdk_13.3.bb => gcc-crosssdk_13.4.bb} | 0
...cc-runtime_13.3.bb => gcc-runtime_13.4.bb} | 0
...itizers_13.3.bb => gcc-sanitizers_13.4.bb} | 0
...{gcc-source_13.3.bb => gcc-source_13.4.bb} | 0
...ix-c-tweak-for-Wrange-loop-construct.patch | 113 ----
...4fffe3fc82a710bea66ad651720d71c938b8.patch | 549 ------------------
.../gcc/{gcc_13.3.bb => gcc_13.4.bb} | 0
...initial_13.3.bb => libgcc-initial_13.4.bb} | 0
.../gcc/{libgcc_13.3.bb => libgcc_13.4.bb} | 0
...ibgfortran_13.3.bb => libgfortran_13.4.bb} | 0
...s_2.32.3.bb => python3-requests_2.32.4.bb} | 2 +-
.../net-tools/CVE-2025-46836-01.patch | 91 +++
.../net-tools/CVE-2025-46836-02.patch | 31 +
.../net-tools/net-tools_2.10.bb | 2 +
.../recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb | 4 +
.../recipes-multimedia/libpng/files/run-ptest | 7 +
.../libpng/libpng_1.6.42.bb | 42 +-
scripts/install-buildtools | 4 +-
25 files changed, 185 insertions(+), 676 deletions(-)
rename meta/recipes-core/systemd/{systemd_v255.21.bb => systemd_255.21.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-13.3.inc => gcc-13.4.inc} (94%)
rename meta/recipes-devtools/gcc/{gcc-cross-canadian_13.3.bb => gcc-cross-canadian_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-cross_13.3.bb => gcc-cross_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-crosssdk_13.3.bb => gcc-crosssdk_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-runtime_13.3.bb => gcc-runtime_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-sanitizers_13.3.bb => gcc-sanitizers_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-source_13.3.bb => gcc-source_13.4.bb} (100%)
delete mode 100644 meta/recipes-devtools/gcc/gcc/0028-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
delete mode 100644 meta/recipes-devtools/gcc/gcc/gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
rename meta/recipes-devtools/gcc/{gcc_13.3.bb => gcc_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgcc-initial_13.3.bb => libgcc-initial_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgcc_13.3.bb => libgcc_13.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgfortran_13.3.bb => libgfortran_13.4.bb} (100%)
rename meta/recipes-devtools/python/{python3-requests_2.32.3.bb => python3-requests_2.32.4.bb} (91%)
create mode 100644 meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch
create mode 100644 meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch
create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-09-17 20:04 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-09-17 20:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, September 19
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2395
The following changes since commit baa5e7ea5f37f54c2a00080798ad7fb4c0664f69:
pulseaudio: Add audio group explicitly (2025-09-02 09:27:13 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Divya Chellam (1):
wpa-supplicant: fix CVE-2022-37660
Haixiao Yan (1):
buildtools-tarball: fix unbound variable issues under 'set -u'
Jinfeng Wang (1):
systemtap: Fix task_work_cancel build
Libo Chen (1):
runqemu: fix special characters bug
Martin Jansa (1):
license.py: avoid deprecated ast.Str
Ross Burton (1):
grub2: fix CVE-2024-56738
Vijay Anusuri (2):
cups: upgrade 2.4.10 -> 2.4.11
cups: Fix for CVE-2025-58060 and CVE-2025-58364
meta/lib/oe/license.py | 4 +-
.../grub/files/CVE-2024-56738.patch | 75 ++
meta/recipes-bsp/grub/grub2.inc | 1 +
.../openssl/files/environment.d-openssl.sh | 24 +-
.../wpa-supplicant/CVE-2022-37660-0001.patch | 254 +++++
.../wpa-supplicant/CVE-2022-37660-0002.patch | 139 +++
.../wpa-supplicant/CVE-2022-37660-0003.patch | 196 ++++
.../wpa-supplicant/CVE-2022-37660-0004.patch | 941 ++++++++++++++++++
.../wpa-supplicant/CVE-2022-37660-0005.patch | 144 +++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 5 +
.../git/git/environment.d-git.sh | 8 +-
.../environment.d-python3-requests.sh | 4 +-
meta/recipes-extended/cups/cups.inc | 9 +-
.../cups/0001-use-echo-only-in-init.patch | 2 +-
...-don-t-try-to-run-generated-binaries.patch | 2 +-
...-fix-multilib-install-file-conflicts.patch | 6 +-
.../cups/cups/CVE-2024-47175-1.patch | 73 --
.../cups/cups/CVE-2024-47175-2.patch | 151 ---
.../cups/cups/CVE-2024-47175-3.patch | 119 ---
.../cups/cups/CVE-2024-47175-4.patch | 249 -----
.../cups/cups/CVE-2024-47175-5.patch | 40 -
.../cups/cups/CVE-2025-58060.patch | 60 ++
.../cups/cups/CVE-2025-58364.patch | 61 ++
.../cups/cups/libexecdir.patch | 5 +-
.../cups/{cups_2.4.10.bb => cups_2.4.11.bb} | 2 +-
...sk_work-compatible-with-6.11-kernels.patch | 103 ++
.../recipes-kernel/systemtap/systemtap_git.bb | 1 +
.../curl/curl/environment.d-curl.sh | 8 +-
scripts/runqemu | 7 +-
29 files changed, 2019 insertions(+), 674 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-56738.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-1.patch
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-2.patch
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-3.patch
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-4.patch
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-5.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58060.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58364.patch
rename meta/recipes-extended/cups/{cups_2.4.10.bb => cups_2.4.11.bb} (51%)
create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-Make-stp_task_work-compatible-with-6.11-kernels.patch
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-10-03 16:47 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-10-03 16:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, October 7
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2495
The following changes since commit 55e0c38dc28b73fa689446e2d5e564d235a24084:
vim: upgrade 9.1.1652 -> 9.1.1683 (2025-09-29 13:04:14 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Adrian Freihofer (2):
expect: Revert "expect-native: fix do_compile failure with gcc-14"
expect: fix native build with GCC 15
Khem Raj (1):
expect: Fix build with GCC 15
Ross Burton (3):
expect: update code for Tcl channel implementation
expect: don't run aclocal in do_configure
expect: cleanup do_install
Vijay Anusuri (1):
gstreamer1.0-plugins-bad: Fix CVE-2025-3887
Yogita Urade (1):
tiff: fix CVE-2025-9900
.../expect/expect/tcl840.patch | 27 ++++++
meta/recipes-devtools/expect/expect_5.45.4.bb | 18 ++--
.../CVE-2025-3887-1.patch | 50 ++++++++++
.../CVE-2025-3887-2.patch | 95 +++++++++++++++++++
.../gstreamer1.0-plugins-bad_1.22.12.bb | 2 +
.../libtiff/tiff/CVE-2025-9900.patch | 54 +++++++++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 +
7 files changed, 237 insertions(+), 10 deletions(-)
create mode 100644 meta/recipes-devtools/expect/expect/tcl840.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-10-28 13:46 Steve Sakoman
0 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-10-28 13:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, October 30
Passed a-full on the autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2645
with the exception of the meta-aws test, which failed due to a meta-aws commit
changing the distro from poky-agl to agl
The following changes since commit 649147913e89cd8f7390cb17cd0be94c9710ffa6:
oeqa/runtime/ping: don't bother trying to ping localhost (2025-10-17 07:47:32 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Anders Heimer (1):
libpam: mark CVE-2025-6018 as not applicable
Daniel Semkowicz (1):
gstreamer1.0-plugins-bad: fix buffer allocation fail for v4l2codecs
Martin Jansa (1):
flex: fix build with gcc-15 on host
Matthias Schiffer (1):
curl: only set CA bundle in target build
Peter Marko (1):
expat: patch CVE-2025-59375
Rasmus Villemoes (1):
iptables: remove /etc/ethertypes
Soumya Sambu (2):
elfutils: Fix CVE-2025-1376
elfutils: Fix CVE-2025-1377
.../expat/expat/CVE-2025-59375-00.patch | 52 ++
.../expat/expat/CVE-2025-59375-01.patch | 48 ++
.../expat/expat/CVE-2025-59375-02.patch | 109 ++++
.../expat/expat/CVE-2025-59375-03.patch | 127 ++++
.../expat/expat/CVE-2025-59375-04.patch | 62 ++
.../expat/expat/CVE-2025-59375-05.patch | 64 ++
.../expat/expat/CVE-2025-59375-06.patch | 68 +++
.../expat/expat/CVE-2025-59375-07.patch | 52 ++
.../expat/expat/CVE-2025-59375-08.patch | 577 ++++++++++++++++++
.../expat/expat/CVE-2025-59375-09.patch | 43 ++
.../expat/expat/CVE-2025-59375-10.patch | 54 ++
.../expat/expat/CVE-2025-59375-11.patch | 66 ++
.../expat/expat/CVE-2025-59375-12.patch | 58 ++
.../expat/expat/CVE-2025-59375-13.patch | 309 ++++++++++
.../expat/expat/CVE-2025-59375-14.patch | 122 ++++
.../expat/expat/CVE-2025-59375-15.patch | 70 +++
.../expat/expat/CVE-2025-59375-16.patch | 146 +++++
.../expat/expat/CVE-2025-59375-17.patch | 28 +
.../expat/expat/CVE-2025-59375-18.patch | 74 +++
.../expat/expat/CVE-2025-59375-19.patch | 103 ++++
.../expat/expat/CVE-2025-59375-20.patch | 285 +++++++++
.../expat/expat/CVE-2025-59375-21.patch | 196 ++++++
.../expat/expat/CVE-2025-59375-22.patch | 37 ++
.../expat/expat/CVE-2025-59375-23.patch | 47 ++
.../expat/expat/CVE-2025-59375-24.patch | 36 ++
meta/recipes-core/expat/expat_2.6.4.bb | 25 +
.../elfutils/elfutils_0.191.bb | 2 +
.../elfutils/files/CVE-2025-1376.patch | 58 ++
.../elfutils/files/CVE-2025-1377.patch | 69 +++
...01-Match-malloc-signature-to-its-use.patch | 25 +
meta/recipes-devtools/flex/flex_2.6.4.bb | 1 +
.../iptables/iptables_1.8.10.bb | 2 +
meta/recipes-extended/pam/libpam_1.5.3.bb | 2 +
...s-chain-up-to-parent-decide_allocati.patch | 87 +++
.../gstreamer1.0-plugins-bad_1.22.12.bb | 1 +
meta/recipes-support/curl/curl_8.7.1.bb | 4 +-
36 files changed, 3108 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-00.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-02.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-03.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-04.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-05.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-06.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-07.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-08.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-09.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-10.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-11.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-12.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-13.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-14.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-15.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-16.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-17.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-18.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-19.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-20.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-21.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-22.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-23.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2025-59375-24.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
create mode 100644 meta/recipes-devtools/flex/flex/0001-Match-malloc-signature-to-its-use.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/0005-v4l2codecs-Always-chain-up-to-parent-decide_allocati.patch
--
2.43.0
* [OE-core][scarthgap 0/8] Patch review
@ 2025-12-02 22:19 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 2/8] gnutls: patch CVE-2025-9820 Steve Sakoman
` (7 more replies)
0 siblings, 8 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-12-02 22:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, December 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2811
The following changes since commit 1fbd9eddbdf0da062df0510cabff6f6ee33d5752:
libarchive: patch CVE-2025-60753 (2025-11-24 08:08:18 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (1):
libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
Moritz Haase (1):
curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected
Peter Marko (5):
gnutls: patch CVE-2025-9820
libpng: patch CVE-2025-64505
libpng: patch CVE-2025-64506
libpng: patch CVE-2025-64720
libpng: patch CVE-2025-65018
Praveen Kumar (1):
python3: fix CVE-2025-6075
.../python/python3/CVE-2025-6075.patch | 355 +
.../python/python3_3.12.12.bb | 1 +
.../libpng/files/CVE-2025-64505-01.patch | 111 +
.../libpng/files/CVE-2025-64505-02.patch | 163 +
.../libpng/files/CVE-2025-64505-03.patch | 52 +
.../libpng/files/CVE-2025-64506.patch | 57 +
.../libpng/files/CVE-2025-64720.patch | 103 +
.../libpng/files/CVE-2025-65018-01.patch | 60 +
.../libpng/files/CVE-2025-65018-02.patch | 163 +
.../libpng/libpng_1.6.42.bb | 7 +
.../curl/curl/environment.d-curl.sh | 4 +-
.../gnutls/gnutls/CVE-2025-9820.patch | 250 +
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
...0001-Remove-broken-experimental-code.patch | 14471 ++++++++++++++++
.../libmicrohttpd/libmicrohttpd_1.0.1.bb | 3 +-
15 files changed, 15798 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
create mode 100644 meta/recipes-support/libmicrohttpd/files/0001-Remove-broken-experimental-code.patch
--
2.43.0
* [OE-core][scarthgap 2/8] gnutls: patch CVE-2025-9820
2025-12-02 22:19 [OE-core][scarthgap 0/8] Patch review Steve Sakoman
@ 2025-12-02 22:19 ` Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 3/8] python3: fix CVE-2025-6075 Steve Sakoman
` (6 subsequent siblings)
7 siblings, 0 replies; 19+ messages in thread
From: Steve Sakoman @ 2025-12-02 22:19 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE is announced under [1].
Pick commit which mentions this CVE per [2].
[1] https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
[2] https://security-tracker.debian.org/tracker/CVE-2025-9820
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../gnutls/gnutls/CVE-2025-9820.patch | 250 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 251 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
new file mode 100644
index 0000000000..99a6c11ee4
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
@@ -0,0 +1,250 @@
+From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 18 Nov 2025 13:17:55 +0900
+Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
+
+If gnutls_pkcs11_token_init is called with label longer than 32
+characters, the internal storage used to blank-fill it would
+overflow. This adds a guard to prevent that.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+CVE: CVE-2025-9820
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS | 4 +
+ lib/pkcs11_write.c | 5 +-
+ tests/Makefile.am | 2 +-
+ tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 172 insertions(+), 3 deletions(-)
+ create mode 100644 tests/pkcs11/long-label.c
+
+diff --git a/NEWS b/NEWS
+index 0ae3c9991..d6df70ee6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,10 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+
++** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
++ Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
++ CVSS: low] [CVE-2025-9820]
++
+ ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
+ Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
+ [CVE-2025-6395]
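Review bot: the NEWS hunk is the part of this backport most likely not to apply against the 3.8.4 tree, because its context lines (the `** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK` entry for CVE-2025-6395) come from a later upstream release; unless an earlier scarthgap backport already brought that entry in, the context will not match and do_patch will reject the hunk. Since it carries no code, dropping the NEWS hunk from the backported patch (and saying so in the patch header) is the usual and safer choice.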
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index f5e9058e0..64b85a2df 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -28,6 +28,7 @@
+ #include "pkcs11x.h"
+ #include "x509/common.h"
+ #include "pk.h"
++#include "minmax.h"
+
+ static const ck_bool_t tval = 1;
+ static const ck_bool_t fval = 0;
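Review bot: the added `#include "minmax.h"` is a gnulib header; confirm the 3.8.4 source tree's gnulib import already provides it on the include path, since the `MIN()` used later in this file depends on it and a missing header fails the build at this line rather than at the memcpy.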
+@@ -1173,7 +1174,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
+ * gnutls_pkcs11_token_init:
+ * @token_url: A PKCS #11 URL specifying a token
+ * @so_pin: Security Officer's PIN
+- * @label: A name to be used for the token
++ * @label: A name to be used for the token, at most 32 characters
+ *
+ * This function will initialize (format) a token. If the token is
+ * at a factory defaults state the security officer's PIN given will be
+@@ -1211,7 +1212,7 @@ int gnutls_pkcs11_token_init(const char *token_url, const char *so_pin,
+ /* so it seems memset has other uses than zeroing! */
+ memset(flabel, ' ', sizeof(flabel));
+ if (label != NULL)
+- memcpy(flabel, label, strlen(label));
++ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
+
+ rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
+ (uint8_t *)flabel);
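Review bot: `MIN(sizeof(flabel), strlen(label))` bounds the copy to the size of the blank-filled `flabel` buffer, so a label longer than 32 characters is now silently truncated rather than rejected with an error; that is consistent with the updated doc comment (`at most 32 characters`) and is the upstream fix as-is, but the backport header could state explicitly that the guard truncates instead of failing, so callers in scarthgap are not surprised by a shortened token label.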
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index be4966f4b..8327c90ca 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -496,7 +496,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
+ if ENABLE_PKCS11
+ if !WINDOWS
+ ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
+- global-init-override pkcs11/distrust-after
++ global-init-override pkcs11/distrust-after pkcs11/long-label
+ tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
+ tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
+ pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
+diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c
+new file mode 100644
+index 000000000..a70bc9728
+--- /dev/null
++++ b/tests/pkcs11/long-label.c
+@@ -0,0 +1,164 @@
++/*
++ * Copyright (C) 2025 Red Hat, Inc.
++ *
++ * Author: Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program. If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main(void)
++{
++ exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++
++#include "cert-common.h"
++#include "pkcs11/softhsm.h"
++#include "utils.h"
++
++/* This program tests that a token can be initialized with
++ * a label longer than 32 characters.
++ */
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++#define PIN "1234"
++
++#define CONFIG_NAME "softhsm-long-label"
++#define CONFIG CONFIG_NAME ".config"
++
++static int pin_func(void *userdata, int attempt, const char *url,
++ const char *label, unsigned flags, char *pin,
++ size_t pin_max)
++{
++ if (attempt == 0) {
++ strcpy(pin, PIN);
++ return 0;
++ }
++ return -1;
++}
++
++static void test(const char *provider)
++{
++ int ret;
++ size_t i;
++
++ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
++
++ success("test with %s\n", provider);
++
++ if (debug) {
++ gnutls_global_set_log_function(tls_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ /* point to SoftHSM token that libpkcs11mock4.so internally uses */
++ setenv(SOFTHSM_ENV, CONFIG, 1);
++
++ gnutls_pkcs11_set_pin_function(pin_func, NULL);
++
++ ret = gnutls_pkcs11_add_provider(provider, "trusted");
++ if (ret != 0) {
++ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
++ }
++
++ /* initialize softhsm token */
++ ret = gnutls_pkcs11_token_init(
++ SOFTHSM_URL, PIN,
++ "this is a very long label whose length exceeds 32");
++ if (ret < 0) {
++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++ }
++
++ for (i = 0;; i++) {
++ char *url = NULL;
++
++ ret = gnutls_pkcs11_token_get_url(i, 0, &url);
++ if (ret < 0)
++ break;
++ if (strstr(url,
++ "token=this%20is%20a%20very%20long%20label%20whose"))
++ break;
++ }
++ if (ret < 0)
++ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
++
++ gnutls_pkcs11_deinit();
++}
++
++void doit(void)
++{
++ const char *bin;
++ const char *lib;
++ char buf[128];
++
++ if (gnutls_fips140_mode_enabled())
++ exit(77);
++
++ /* this must be called once in the program */
++ global_init();
++
++ /* we call gnutls_pkcs11_init manually */
++ gnutls_pkcs11_deinit();
++
++ /* check if softhsm module is loadable */
++ lib = softhsm_lib();
++
++ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */
++ bin = softhsm_bin();
++
++ set_softhsm_conf(CONFIG);
++ snprintf(buf, sizeof(buf),
++ "%s --init-token --slot 0 --label test --so-pin " PIN
++ " --pin " PIN,
++ bin);
++ system(buf);
++
++ test(lib);
++
++ lib = getenv("P11MOCKLIB4");
++ if (lib == NULL) {
++ fail("P11MOCKLIB4 is not set\n");
++ }
++
++ set_softhsm_conf(CONFIG);
++ snprintf(buf, sizeof(buf),
++ "%s --init-token --slot 0 --label test --so-pin " PIN
++ " --pin " PIN,
++ bin);
++ system(buf);
++
++ test(lib);
++}
++#endif /* _WIN32 */
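Review bot: `url` returned by `gnutls_pkcs11_token_get_url()` in the loop in `test()` is never released; each iteration allocates a new string, so add `gnutls_free(url)` after the `strstr()` check (record the match result first). Also, `pin_func()` copies `PIN` with `strcpy()` without regard to `pin_max`; harmless for a 4-byte constant, but `snprintf(pin, pin_max, "%s", PIN)` is the pattern the callback contract expects. The `system(buf)` return values in `doit()` are ignored, so a failed `--init-token` run would only surface as a confusing failure later in `test()`.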
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index dde3bc3014..026ae650f6 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2025-32988.patch \
file://CVE-2025-32990.patch \
file://CVE-2025-6395.patch \
+ file://CVE-2025-9820.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
* [OE-core][scarthgap 3/8] python3: fix CVE-2025-6075
From: Steve Sakoman @ 2025-12-02 22:19 UTC (permalink / raw)
To: openembedded-core
From: Praveen Kumar <praveen.kumar@windriver.com>
If the value passed to os.path.expandvars() is user-controlled, a
performance degradation is possible when expanding environment variables.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6075
Upstream-patch:
https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python/python3/CVE-2025-6075.patch | 355 ++++++++++++++++++
.../python/python3_3.12.12.bb | 1 +
2 files changed, 356 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-6075.patch b/meta/recipes-devtools/python/python3/CVE-2025-6075.patch
new file mode 100644
index 0000000000..346af4df94
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-6075.patch
@@ -0,0 +1,355 @@
+From 9ab89c026aa9611c4b0b67c288b8303a480fe742 Mon Sep 17 00:00:00 2001
+From: Łukasz Langa <lukasz@langa.pl>
+Date: Fri, 31 Oct 2025 17:58:09 +0100
+Subject: [PATCH] gh-136065: Fix quadratic complexity in os.path.expandvars()
+ (GH-134952) (GH-140845)
+
+(cherry picked from commit f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+Co-authored-by: Łukasz Langa <lukasz@langa.pl>
+
+CVE: CVE-2025-6075
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ Lib/ntpath.py | 126 ++++++------------
+ Lib/posixpath.py | 43 +++---
+ Lib/test/test_genericpath.py | 14 ++
+ Lib/test/test_ntpath.py | 18 ++-
+ ...-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 +
+ 5 files changed, 92 insertions(+), 110 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+
+diff --git a/Lib/ntpath.py b/Lib/ntpath.py
+index 1bef630..393d358 100644
+--- a/Lib/ntpath.py
++++ b/Lib/ntpath.py
+@@ -409,17 +409,23 @@ def expanduser(path):
+ # XXX With COMMAND.COM you can use any characters in a variable name,
+ # XXX except '^|<>='.
+
++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
++_varsub = None
++_varsubb = None
++
+ def expandvars(path):
+ """Expand shell variables of the forms $var, ${var} and %var%.
+
+ Unknown variables are left unchanged."""
+ path = os.fspath(path)
++ global _varsub, _varsubb
+ if isinstance(path, bytes):
+ if b'$' not in path and b'%' not in path:
+ return path
+- import string
+- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
+- quote = b'\''
++ if not _varsubb:
++ import re
++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++ sub = _varsubb
+ percent = b'%'
+ brace = b'{'
+ rbrace = b'}'
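Review bot: the linear-time property depends on the two optional terminators in `_varpattern` (`%?` in `%(%|[^%]*%?)` and `\}?` in `\{[^}]*\}?`): without them an unterminated `%name` or `${name` would make the regex scan to the end of the string at every `%` or `$`, reintroducing quadratic behaviour. That is not obvious from the pattern alone; a one-line comment above `_varpattern` saying that unterminated forms must be matched (and handed back unchanged by `repl`) rather than skipped would keep a future tidy-up from removing the `?`s. Worth adding to the same comment: `re.ASCII` is what keeps `[-\w]+` equivalent to the removed `varchars` set (ASCII letters, digits, `_`, `-`).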
+@@ -428,94 +434,44 @@ def expandvars(path):
+ else:
+ if '$' not in path and '%' not in path:
+ return path
+- import string
+- varchars = string.ascii_letters + string.digits + '_-'
+- quote = '\''
++ if not _varsub:
++ import re
++ _varsub = re.compile(_varpattern, re.ASCII).sub
++ sub = _varsub
+ percent = '%'
+ brace = '{'
+ rbrace = '}'
+ dollar = '$'
+ environ = os.environ
+- res = path[:0]
+- index = 0
+- pathlen = len(path)
+- while index < pathlen:
+- c = path[index:index+1]
+- if c == quote: # no expansion within single quotes
+- path = path[index + 1:]
+- pathlen = len(path)
+- try:
+- index = path.index(c)
+- res += c + path[:index + 1]
+- except ValueError:
+- res += c + path
+- index = pathlen - 1
+- elif c == percent: # variable or '%'
+- if path[index + 1:index + 2] == percent:
+- res += c
+- index += 1
+- else:
+- path = path[index+1:]
+- pathlen = len(path)
+- try:
+- index = path.index(percent)
+- except ValueError:
+- res += percent + path
+- index = pathlen - 1
+- else:
+- var = path[:index]
+- try:
+- if environ is None:
+- value = os.fsencode(os.environ[os.fsdecode(var)])
+- else:
+- value = environ[var]
+- except KeyError:
+- value = percent + var + percent
+- res += value
+- elif c == dollar: # variable or '$$'
+- if path[index + 1:index + 2] == dollar:
+- res += c
+- index += 1
+- elif path[index + 1:index + 2] == brace:
+- path = path[index+2:]
+- pathlen = len(path)
+- try:
+- index = path.index(rbrace)
+- except ValueError:
+- res += dollar + brace + path
+- index = pathlen - 1
+- else:
+- var = path[:index]
+- try:
+- if environ is None:
+- value = os.fsencode(os.environ[os.fsdecode(var)])
+- else:
+- value = environ[var]
+- except KeyError:
+- value = dollar + brace + var + rbrace
+- res += value
+- else:
+- var = path[:0]
+- index += 1
+- c = path[index:index + 1]
+- while c and c in varchars:
+- var += c
+- index += 1
+- c = path[index:index + 1]
+- try:
+- if environ is None:
+- value = os.fsencode(os.environ[os.fsdecode(var)])
+- else:
+- value = environ[var]
+- except KeyError:
+- value = dollar + var
+- res += value
+- if c:
+- index -= 1
++
++ def repl(m):
++ lastindex = m.lastindex
++ if lastindex is None:
++ return m[0]
++ name = m[lastindex]
++ if lastindex == 1:
++ if name == percent:
++ return name
++ if not name.endswith(percent):
++ return m[0]
++ name = name[:-1]
+ else:
+- res += c
+- index += 1
+- return res
++ if name == dollar:
++ return name
++ if name.startswith(brace):
++ if not name.endswith(rbrace):
++ return m[0]
++ name = name[1:-1]
++
++ try:
++ if environ is None:
++ return os.fsencode(os.environ[os.fsdecode(name)])
++ else:
++ return environ[name]
++ except KeyError:
++ return m[0]
++
++ return sub(repl, path)
+
+
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
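Review bot: `repl()`'s `if lastindex is None: return m[0]` is the only thing that keeps single-quoted spans unexpanded, and it works solely because the `'[^']*'?` alternative has no capturing group; a comment on that line would make the dependency explicit, since adding a group to the pattern would silently route quoted text into the variable lookup. The `name.endswith(percent)` and `name.endswith(rbrace)` checks returning `m[0]` reproduce the old behaviour of appending the unterminated remainder verbatim.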
+diff --git a/Lib/posixpath.py b/Lib/posixpath.py
+index 90a6f54..6306f14 100644
+--- a/Lib/posixpath.py
++++ b/Lib/posixpath.py
+@@ -314,42 +314,41 @@ def expanduser(path):
+ # This expands the forms $variable and ${variable} only.
+ # Non-existent variables are left unchanged.
+
+-_varprog = None
+-_varprogb = None
++_varpattern = r'\$(\w+|\{[^}]*\}?)'
++_varsub = None
++_varsubb = None
+
+ def expandvars(path):
+ """Expand shell variables of form $var and ${var}. Unknown variables
+ are left unchanged."""
+ path = os.fspath(path)
+- global _varprog, _varprogb
++ global _varsub, _varsubb
+ if isinstance(path, bytes):
+ if b'$' not in path:
+ return path
+- if not _varprogb:
++ if not _varsubb:
+ import re
+- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
+- search = _varprogb.search
++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++ sub = _varsubb
+ start = b'{'
+ end = b'}'
+ environ = getattr(os, 'environb', None)
+ else:
+ if '$' not in path:
+ return path
+- if not _varprog:
++ if not _varsub:
+ import re
+- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
+- search = _varprog.search
++ _varsub = re.compile(_varpattern, re.ASCII).sub
++ sub = _varsub
+ start = '{'
+ end = '}'
+ environ = os.environ
+- i = 0
+- while True:
+- m = search(path, i)
+- if not m:
+- break
+- i, j = m.span(0)
+- name = m.group(1)
+- if name.startswith(start) and name.endswith(end):
++
++ def repl(m):
++ name = m[1]
++ if name.startswith(start):
++ if not name.endswith(end):
++ return m[0]
+ name = name[1:-1]
+ try:
+ if environ is None:
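Review bot: the pattern change from `\{[^}]*\}` to `\{[^}]*\}?` is a real part of the fix here (an unterminated `${` is now consumed in one match and returned unchanged by `repl`, instead of the search scanning to the end of the string at every `$`), but nothing in the code says so; add a comment next to `_varpattern` so the `?` is not removed later as "redundant".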
+@@ -357,13 +356,11 @@ def expandvars(path):
+ else:
+ value = environ[name]
+ except KeyError:
+- i = j
++ return m[0]
+ else:
+- tail = path[j:]
+- path = path[:i] + value
+- i = len(path)
+- path += tail
+- return path
++ return value
++
++ return sub(repl, path)
+
+
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
+diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py
+index 3eefb72..1cec587 100644
+--- a/Lib/test/test_genericpath.py
++++ b/Lib/test/test_genericpath.py
+@@ -7,6 +7,7 @@ import os
+ import sys
+ import unittest
+ import warnings
++from test import support
+ from test.support import is_emscripten
+ from test.support import os_helper
+ from test.support import warnings_helper
+@@ -443,6 +444,19 @@ class CommonTest(GenericTest):
+ os.fsencode('$bar%s bar' % nonascii))
+ check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
+
++ @support.requires_resource('cpu')
++ def test_expandvars_large(self):
++ expandvars = self.pathmodule.expandvars
++ with os_helper.EnvironmentVarGuard() as env:
++ env.clear()
++ env["A"] = "B"
++ n = 100_000
++ self.assertEqual(expandvars('$A'*n), 'B'*n)
++ self.assertEqual(expandvars('${A}'*n), 'B'*n)
++ self.assertEqual(expandvars('$A!'*n), 'B!'*n)
++ self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
++ self.assertEqual(expandvars('${'*10*n), '${'*10*n)
++
+ def test_abspath(self):
+ self.assertIn("foo", self.pathmodule.abspath("foo"))
+ with warnings.catch_warnings():
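Review bot: `test_expandvars_large` exercises only the `str` path, while the fix also rewrote the `bytes` branch (`_varsubb`) in both modules; add a `bytes` variant, e.g. `self.assertEqual(expandvars(b'$A'*n), b'B'*n)`, so a regression in the bytes regex is caught. A short comment on the `'${'*10*n` case would also help, since it is the one input that checks the unterminated-brace handling rather than plain substitution.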
+diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py
+index ced9dc4..f4d5063 100644
+--- a/Lib/test/test_ntpath.py
++++ b/Lib/test/test_ntpath.py
+@@ -7,6 +7,7 @@ import sys
+ import unittest
+ import warnings
+ from ntpath import ALLOW_MISSING
++from test import support
+ from test.support import cpython_only, os_helper
+ from test.support import TestFailed, is_emscripten
+ from test.support.os_helper import FakePath
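Review bot: with `from test import support` added and the two `raise` sites switched to `support.TestFailed`, the `TestFailed` name in the next line's `from test.support import TestFailed, is_emscripten` looks unused; if nothing else in the file references it, drop it there (keeping `is_emscripten`) so the two import styles do not coexist.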
+@@ -58,7 +59,7 @@ def tester(fn, wantResult):
+ fn = fn.replace("\\", "\\\\")
+ gotResult = eval(fn)
+ if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
+- raise TestFailed("%s should return: %s but returned: %s" \
++ raise support.TestFailed("%s should return: %s but returned: %s" \
+ %(str(fn), str(wantResult), str(gotResult)))
+
+ # then with bytes
+@@ -74,7 +75,7 @@ def tester(fn, wantResult):
+ warnings.simplefilter("ignore", DeprecationWarning)
+ gotResult = eval(fn)
+ if _norm(wantResult) != _norm(gotResult):
+- raise TestFailed("%s should return: %s but returned: %s" \
++ raise support.TestFailed("%s should return: %s but returned: %s" \
+ %(str(fn), str(wantResult), repr(gotResult)))
+
+
+@@ -882,6 +883,19 @@ class TestNtpath(NtpathTestCase):
+ check('%spam%bar', '%sbar' % nonascii)
+ check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
+
++ @support.requires_resource('cpu')
++ def test_expandvars_large(self):
++ expandvars = ntpath.expandvars
++ with os_helper.EnvironmentVarGuard() as env:
++ env.clear()
++ env["A"] = "B"
++ n = 100_000
++ self.assertEqual(expandvars('%A%'*n), 'B'*n)
++ self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
++ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
++ self.assertEqual(expandvars("%%"*n), "%"*n)
++ self.assertEqual(expandvars("$$"*n), "$"*n)
++
+ def test_expanduser(self):
+ tester('ntpath.expanduser("test")', 'test')
+
+diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+new file mode 100644
+index 0000000..1d152bb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+@@ -0,0 +1 @@
++Fix quadratic complexity in :func:`os.path.expandvars`.
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3_3.12.12.bb b/meta/recipes-devtools/python/python3_3.12.12.bb
index 9a957c59bc..b70f434ca9 100644
--- a/meta/recipes-devtools/python/python3_3.12.12.bb
+++ b/meta/recipes-devtools/python/python3_3.12.12.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_deadlock-skip-problematic-test.patch \
file://0001-test_active_children-skip-problematic-test.patch \
file://0001-test_readline-skip-limited-history-test.patch \
+ file://CVE-2025-6075.patch \
"
SRC_URI:append:class-native = " \
--
2.43.0
* [OE-core][scarthgap 4/8] libpng: patch CVE-2025-64505
From: Steve Sakoman @ 2025-12-02 22:19 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64505-01.patch | 111 ++++++++++++
.../libpng/files/CVE-2025-64505-02.patch | 163 ++++++++++++++++++
.../libpng/files/CVE-2025-64505-03.patch | 52 ++++++
.../libpng/libpng_1.6.42.bb | 3 +
4 files changed, 329 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
new file mode 100644
index 0000000000..1e7d122803
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
@@ -0,0 +1,111 @@
+From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Thu, 15 Feb 2024 21:53:24 +0200
+Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix
+ the manual
+
+By definition, `sizeof(png_byte)` is 1.
+
+Remove all the occurences of `sizeof(png_byte)` from the code, and fix
+a related typo in the libpng manual.
+
+Also update the main .editorconfig file to reflect the fixing expected
+by a FIXME note.
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a822678df85373]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libpng-manual.txt | 4 ++--
+ libpng.3 | 4 ++--
+ pngrtran.c | 17 +++++++----------
+ 3 files changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/libpng-manual.txt b/libpng-manual.txt
+index eb24ef483..d2918ce31 100644
+--- a/libpng-manual.txt
++++ b/libpng-manual.txt
+@@ -1178,11 +1178,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
+ If you know your image size and pixel size ahead of time, you can allocate
+ row_pointers prior to calling png_read_png() with
+
+- if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
+ png_error(png_ptr,
+ "Image is too tall to process in memory");
+
+- if (width > PNG_UINT_32_MAX/pixel_size)
++ if (width > PNG_UINT_32_MAX / pixel_size)
+ png_error(png_ptr,
+ "Image is too wide to process in memory");
+
+diff --git a/libpng.3 b/libpng.3
+index 57d06f2db..8875b219a 100644
+--- a/libpng.3
++++ b/libpng.3
+@@ -1697,11 +1697,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
+ If you know your image size and pixel size ahead of time, you can allocate
+ row_pointers prior to calling png_read_png() with
+
+- if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
+ png_error(png_ptr,
+ "Image is too tall to process in memory");
+
+- if (width > PNG_UINT_32_MAX/pixel_size)
++ if (width > PNG_UINT_32_MAX / pixel_size)
+ png_error(png_ptr,
+ "Image is too wide to process in memory");
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 74cca476b..041f9306c 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ int i;
+
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+ for (i = 0; i < num_palette; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
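Review bot: `(png_alloc_size_t)num_palette` converts a signed `int` straight to the unsigned allocation size; this preserves the behaviour of the removed `(png_uint_32)num_palette` cast, but both rely on `num_palette` having been validated as non-negative before this point, which the hunk does not show. If that check sits at the top of `png_set_quantize` this is fine; otherwise a negative value becomes a huge allocation request.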
+@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+
+ /* Initialize an array to sort colors */
+ png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+
+ /* Initialize the quantize_sort array */
+ for (i = 0; i < num_palette; i++)
+@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+
+ /* Initialize palette index arrays */
+ png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette *
+- (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+ png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette *
+- (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+
+ /* Initialize the sort array */
+ for (i = 0; i < num_palette; i++)
+@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ size_t num_entries = ((size_t)1 << total_bits);
+
+ png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr,
+- (png_alloc_size_t)(num_entries * (sizeof (png_byte))));
++ (png_alloc_size_t)(num_entries));
+
+- distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries *
+- (sizeof (png_byte))));
++ distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)num_entries);
+
+- memset(distance, 0xff, num_entries * (sizeof (png_byte)));
++ memset(distance, 0xff, num_entries);
+
+ for (i = 0; i < num_palette; i++)
+ {
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
new file mode 100644
index 0000000000..5a3e50b642
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
@@ -0,0 +1,163 @@
+From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 17:16:59 +0200
+Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor
+
+Release the previously-allocated array `quantize_index` before
+reallocating it. This avoids leaking memory when the function
+`png_set_quantize` is called multiple times on the same `png_struct`.
+
+This function assumed single-call usage, but fuzzing revealed that
+repeated calls would overwrite the pointers without freeing the
+original allocations, leaking 256 bytes per call for `quantize_index`
+and additional memory for `quantize_sort` when histogram-based
+quantization is used.
+
+Also remove the array `quantize_sort` from the list of `png_struct`
+members and make it a local variable. This array is initialized,
+used and released exclusively inside the function `png_set_quantize`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 43 +++++++++++++++++++++++--------------------
+ pngstruct.h | 1 -
+ 2 files changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 1809db704..4632dd521 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ {
+ int i;
+
++ /* Initialize the array to index colors.
++ *
++ * Be careful to avoid leaking memory. Applications are allowed to call
++ * this function more than once per png_struct.
++ */
++ png_free(png_ptr, png_ptr->quantize_index);
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+ (png_alloc_size_t)num_palette);
+ for (i = 0; i < num_palette; i++)
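Review bot: `png_free(png_ptr, png_ptr->quantize_index)` stops the leak, but the member still holds the freed pointer until `png_malloc` returns; `png_malloc` reports allocation failure through `png_error` (a longjmp out of this function), so on that path `quantize_index` is left dangling and any later `png_free` of the member would free it a second time. Set `png_ptr->quantize_index = NULL;` between the free and the malloc.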
+@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ * Perhaps not the best solution, but good enough.
+ */
+
+- int i;
++ png_bytep quantize_sort;
++ int i, j;
+
+- /* Initialize an array to sort colors */
+- png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
++ /* Initialize the local array to sort colors. */
++ quantize_sort = (png_bytep)png_malloc(png_ptr,
+ (png_alloc_size_t)num_palette);
+-
+- /* Initialize the quantize_sort array */
+ for (i = 0; i < num_palette; i++)
+- png_ptr->quantize_sort[i] = (png_byte)i;
++ quantize_sort[i] = (png_byte)i;
+
+ /* Find the least used palette entries by starting a
+ * bubble sort, and running it until we have sorted
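Review bot: making `quantize_sort` a stack local is a good simplification, but it means a `png_error` raised between this `png_malloc` and the `png_free` at the end of the block would leak it, whereas the struct member was at least reachable for cleanup. Nothing in the visible sort and swap loops calls back into libpng, so this holds today; a comment stating that this block must stay free of `png_error` paths would protect the invariant.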
+@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ for (i = num_palette - 1; i >= maximum_colors; i--)
+ {
+ int done; /* To stop early if the list is pre-sorted */
+- int j;
+
+ done = 1;
+ for (j = 0; j < i; j++)
+ {
+- if (histogram[png_ptr->quantize_sort[j]]
+- < histogram[png_ptr->quantize_sort[j + 1]])
++ if (histogram[quantize_sort[j]]
++ < histogram[quantize_sort[j + 1]])
+ {
+ png_byte t;
+
+- t = png_ptr->quantize_sort[j];
+- png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1];
+- png_ptr->quantize_sort[j + 1] = t;
++ t = quantize_sort[j];
++ quantize_sort[j] = quantize_sort[j + 1];
++ quantize_sort[j + 1] = t;
+ done = 0;
+ }
+ }
+@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ /* Swap the palette around, and set up a table, if necessary */
+ if (full_quantize != 0)
+ {
+- int j = num_palette;
++ j = num_palette;
+
+ /* Put all the useful colors within the max, but don't
+ * move the others.
+ */
+ for (i = 0; i < maximum_colors; i++)
+ {
+- if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
++ if ((int)quantize_sort[i] >= maximum_colors)
+ {
+ do
+ j--;
+- while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
++ while ((int)quantize_sort[j] >= maximum_colors);
+
+ palette[i] = palette[j];
+ }
+@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ }
+ else
+ {
+- int j = num_palette;
++ j = num_palette;
+
+ /* Move all the used colors inside the max limit, and
+ * develop a translation table.
+@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ for (i = 0; i < maximum_colors; i++)
+ {
+ /* Only move the colors we need to */
+- if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
++ if ((int)quantize_sort[i] >= maximum_colors)
+ {
+ png_color tmp_color;
+
+ do
+ j--;
+- while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
++ while ((int)quantize_sort[j] >= maximum_colors);
+
+ tmp_color = palette[j];
+ palette[j] = palette[i];
+@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ }
+ }
+ }
+- png_free(png_ptr, png_ptr->quantize_sort);
+- png_ptr->quantize_sort = NULL;
++ png_free(png_ptr, quantize_sort);
+ }
+ else
+ {
+diff --git a/pngstruct.h b/pngstruct.h
+index 084422bc1..fe5fa0415 100644
+--- a/pngstruct.h
++++ b/pngstruct.h
+@@ -413,7 +413,6 @@ struct png_struct_def
+
+ #ifdef PNG_READ_QUANTIZE_SUPPORTED
+ /* The following three members were added at version 1.0.14 and 1.2.4 */
+- png_bytep quantize_sort; /* working sort array */
+ png_bytep index_to_palette; /* where the original index currently is
+ in the palette */
+ png_bytep palette_to_index; /* which original index points to this
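Review bot: the comment just above, "The following three members were added at version 1.0.14 and 1.2.4", now introduces only two members (`index_to_palette`, `palette_to_index`); update it so the count matches. Since `png_struct` is defined in the private pngstruct.h, removing the member changes internal layout only, not the public ABI.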
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
new file mode 100644
index 0000000000..ddda8678ce
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
@@ -0,0 +1,52 @@
+From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 23:58:26 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
+
+Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
+instead of num_palette bytes. This approach matches the allocation
+pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
+were similarly oversized in libpng 1.2.1 to prevent buffer overflows
+from malformed PNG files with out-of-range palette indices.
+
+Out-of-range palette indices `index >= num_palette` will now read
+identity-mapped values from the `quantize_index` array (where index N
+maps to palette entry N). This prevents undefined behavior while
+avoiding runtime bounds checking overhead in the performance-critical
+pixel processing loop.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 4632dd521..9c2475fde 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ int i;
+
+ /* Initialize the array to index colors.
++ *
++ * Ensure quantize_index can fit 256 elements (PNG_MAX_PALETTE_LENGTH)
++ * rather than num_palette elements. This is to prevent buffer overflows
++ * caused by malformed PNG files with out-of-range palette indices.
+ *
+ * Be careful to avoid leaking memory. Applications are allowed to call
+ * this function more than once per png_struct.
+ */
+ png_free(png_ptr, png_ptr->quantize_index);
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)num_palette);
+- for (i = 0; i < num_palette; i++)
++ PNG_MAX_PALETTE_LENGTH);
++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
+
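Review bot: the fixed 256-entry allocation plus the identity loop means out-of-range indices (`index >= num_palette`) silently map to themselves; the comment explains the sizing but should also state that the array must remain fully initialised (the loop bound is now `PNG_MAX_PALETTE_LENGTH`, not `num_palette`) because the consumer reads it without a bounds check. Keeping the loop bound and the allocation size expressed by the same macro, as done here, is what makes that safe.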
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 4c21e8d597..dec78e568c 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -12,6 +12,9 @@ LIBV = "16"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
file://run-ptest \
+ file://CVE-2025-64505-01.patch \
+ file://CVE-2025-64505-02.patch \
+ file://CVE-2025-64505-03.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
--
2.43.0
* [OE-core][scarthgap 5/8] libpng: patch CVE-2025-64506
From: Steve Sakoman @ 2025-12-02 22:19 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64506.patch | 57 +++++++++++++++++++
.../libpng/libpng_1.6.42.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
new file mode 100644
index 0000000000..dc7fe00601
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
@@ -0,0 +1,57 @@
+From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+
+The second part of the condition, i.e.
+
+ colormap == 0 && convert_to_8bit != 0
+
+failed to verify that input was 16-bit, i.e.
+
+ linear != 0
+
+contradicting the comment "This only applies when the input is 16-bit".
+
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+
+ linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64506
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/pngwrite.c b/pngwrite.c
+index 35a5d17b6..83148960e 100644
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -2142,8 +2142,7 @@ png_image_write_main(png_voidp argument)
+ * before it is written. This only applies when the input is 16-bit and
+ * either there is an alpha channel or it is converted to 8-bit.
+ */
+- if ((linear != 0 && alpha != 0 ) ||
+- (colormap == 0 && display->convert_to_8bit != 0))
++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+ {
+ png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+ png_get_rowbytes(png_ptr, info_ptr)));
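Review bot: the rewritten condition `+ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))` drops the `colormap == 0` guard that the old second clause carried, and neither the code comment nor the patch description says why that guard became redundant once `linear != 0` is required. If `linear` already excludes colormapped images on this path, a short addition to the comment above the condition ("This only applies when the input is 16-bit ...") would record that; it is also worth checking that `colormap` is still referenced elsewhere in `png_image_write_main`, since otherwise the backport introduces an unused-variable warning in builds that treat warnings as errors.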
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index dec78e568c..ab043e3338 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-64505-01.patch \
file://CVE-2025-64505-02.patch \
file://CVE-2025-64505-03.patch \
+ file://CVE-2025-64506.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
--
2.43.0
* [OE-core][scarthgap 6/8] libpng: patch CVE-2025-64720
From: Steve Sakoman @ 2025-12-02 22:19 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64720.patch | 103 ++++++++++++++++++
.../libpng/libpng_1.6.42.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
new file mode 100644
index 0000000000..08df7c3210
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
@@ -0,0 +1,103 @@
+From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64720
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 548780030..2f5202255 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr)
+ }
+ else /* if (png_ptr->trans_alpha[i] != 0xff) */
+ {
+- png_byte v, w;
++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
++ {
++ /* Premultiply only:
++ * component = round((component * alpha) / 255)
++ */
++ png_uint_32 component;
+
+- v = png_ptr->gamma_to_1[palette[i].red];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+- palette[i].red = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].red];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].red = png_ptr->gamma_from_1[component];
+
+- v = png_ptr->gamma_to_1[palette[i].green];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+- palette[i].green = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].green];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].green = png_ptr->gamma_from_1[component];
+
+- v = png_ptr->gamma_to_1[palette[i].blue];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+- palette[i].blue = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].blue];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].blue = png_ptr->gamma_from_1[component];
++ }
++ else
++ {
++ /* Composite with background color:
++ * component =
++ * alpha * component + (1 - alpha) * background
++ */
++ png_byte v, w;
++
++ v = png_ptr->gamma_to_1[palette[i].red];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.red);
++ palette[i].red = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].green];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.green);
++ palette[i].green = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].blue];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.blue);
++ palette[i].blue = png_ptr->gamma_from_1[w];
++ }
+ }
+ }
+ else
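Review bot: the patch description says the premultiply step uses `component * alpha + 127) / 255`, but the three new statements read `(component * png_ptr->trans_alpha[i] + 128) / 255`; the code is what matters (with both operands at most 255 the quotient is at most 255, so `gamma_from_1[component]` stays in range), but the description carried in the OE patch header should be corrected to `+ 128` so the backport record matches the source. The red, green and blue blocks are three verbatim copies of the same three lines; a small helper would make the `component <= alpha` invariant visible in one place, though matching upstream byte-for-byte is the right call for a backport.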
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index ab043e3338..6f5b69b754 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-64505-02.patch \
file://CVE-2025-64505-03.patch \
file://CVE-2025-64506.patch \
+ file://CVE-2025-64720.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
--
2.43.0
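The CVE-2025-64720 description above rests on one property: after premultiplication every colour component is at most the alpha value, which is what the sRGB lookup tables downstream rely on, and background compositing breaks that property. The following C program is an added example, not libpng code and not part of this patch series; it models the two branches of the fix with 8-bit integer arithmetic (the gamma tables are assumed to be identity, and `composite_bg` follows the shape of libpng's `png_composite` rounding) and counts how often each branch keeps `component <= alpha`.

```c
#include <stdio.h>

/* Premultiply only, as in the PNG_FLAG_OPTIMIZE_ALPHA branch of the fix:
 * round(component * alpha / 255) with 8-bit integer arithmetic. */
unsigned premultiply(unsigned component, unsigned alpha)
{
    return (component * alpha + 128) / 255;
}

/* Composite against a background colour, in the style of png_composite:
 * round((component * alpha + background * (255 - alpha)) / 255).
 * (t + (t >> 8)) >> 8 is the usual integer division by 255. */
unsigned composite_bg(unsigned component, unsigned alpha, unsigned background)
{
    unsigned t = component * alpha + background * (255 - alpha) + 128;
    return (t + (t >> 8)) >> 8;
}

/* 1 if premultiply() satisfies component <= alpha for every 8-bit pair. */
int premultiply_keeps_invariant(void)
{
    unsigned a, c;
    for (a = 0; a < 256; a++)
        for (c = 0; c < 256; c++)
            if (premultiply(c, a) > a)
                return 0;
    return 1;
}

/* Number of 8-bit (component, alpha) pairs for which compositing against
 * `background` yields component > alpha. Any non-zero count means a
 * lookup table indexed on the premultiplied assumption could be overrun. */
unsigned composite_violations(unsigned background)
{
    unsigned a, c, violations = 0;
    for (a = 0; a < 256; a++)
        for (c = 0; c < 256; c++)
            if (composite_bg(c, a, background) > a)
                violations++;
    return violations;
}

int main(void)
{
    printf("premultiply keeps component <= alpha: %s\n",
           premultiply_keeps_invariant() ? "yes" : "no");
    printf("compositing against white breaks it for %u pairs\n",
           composite_violations(255));
    printf("component 0, alpha 10: premultiplied %u, composited on white %u\n",
           premultiply(0, 10), composite_bg(0, 10, 255));
    return 0;
}
```

A palette entry with component 0 and alpha 10 composited on a white background comes out at 245, far above its alpha of 10; the premultiplied value is 0. That is the out-of-range input the fix keeps away from the `png_sRGB_base[]` and `png_sRGB_delta[]` lookups when `PNG_FLAG_OPTIMIZE_ALPHA` is set.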
* [OE-core][scarthgap 7/8] libpng: patch CVE-2025-65018
From: Steve Sakoman @ 2025-12-02 22:19 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-65018-01.patch | 60 +++++++
.../libpng/files/CVE-2025-65018-02.patch | 163 ++++++++++++++++++
.../libpng/libpng_1.6.42.bb | 2 +
3 files changed, 225 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
new file mode 100644
index 0000000000..cdee6c76c0
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
@@ -0,0 +1,60 @@
+From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 17 Nov 2025 20:38:47 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reject bit-depth mismatches between IHDR and the requested output
+format. When a 16-bit PNG is processed with an 8-bit output format
+request, `png_combine_row` writes using the IHDR depth before
+transformation, causing writes beyond the buffer allocated via
+`PNG_IMAGE_SIZE(image)`.
+
+The validation establishes a safe API contract where
+`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
+transformation pipeline.
+
+Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
+- Input format: 16 bits/channel × 3 channels = 6144 bytes
+- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
+- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
+
+Larger images produce proportionally larger overflows. For example,
+for 256×256 pixels, the overflow is 131072 bytes.
+
+Reported-by: yosiimich <yosiimich@users.noreply.github.com>
+
+CVE: CVE-2025-65018
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/pngread.c b/pngread.c
+index 212afb7d2..92571ec33 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -4166,6 +4166,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
+ int result;
+ png_image_read_control display;
+
++ /* Reject bit depth mismatches to avoid buffer overflows. */
++ png_uint_32 ihdr_bit_depth =
++ image->opaque->png_ptr->bit_depth;
++ int requested_linear =
++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
++ if (ihdr_bit_depth == 16 && !requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "16-bit PNG must use 16-bit output format");
++ if (ihdr_bit_depth < 16 && requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "8-bit PNG must not use 16-bit output format");
++
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
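Review bot: this hunk rejects every 16-bit PNG read with an 8-bit output format (and every 8-bit PNG read with a linear format), which is a visible API behaviour change for callers of the simplified read API, and CVE-2025-65018-02.patch in this same series removes exactly these 14 lines again. Carrying both so that 02 applies cleanly is fine, but the recipe commit message should state that 02 supersedes 01, so that a later rebase does not keep 01 alone and silently reject the non-interlaced 16-to-8 conversions upstream considers safe.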
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
new file mode 100644
index 0000000000..891cd20c3f
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
@@ -0,0 +1,163 @@
+From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 19 Nov 2025 21:45:13 +0200
+Subject: [PATCH] Rearchitect the fix to the buffer overflow in
+ `png_image_finish_read`
+
+Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
+That fix turned out to be unnecessarily limiting. It rejected all
+16-to-8 bit transformations, although the vulnerability only affects
+interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
+before the transformation completes.
+
+The proper solution is to add an intermediate `local_row` buffer,
+specifically for the slow but necessary step of 16-to-8 bit conversion
+of interlaced images. (The processing of non-interlaced images remains
+intact, using the fast path.) We added the flag `do_local_scale` and
+the function `png_image_read_direct_scaled`, following the pattern that
+involves `do_local_compose`.
+
+In conclusion:
+- The 16-to-8 bit transformations of interlaced images are now safe,
+ as they use an intermediate buffer.
+- The 16-to-8 bit transformations of non-interlaced images remain safe,
+ as the fast path remains unchanged.
+- All our regression tests are now passing.
+
+CVE: CVE-2025-65018
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 75 insertions(+), 14 deletions(-)
+
+diff --git a/pngread.c b/pngread.c
+index 92571ec33..79917daaa 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -3262,6 +3262,54 @@ png_image_read_colormapped(png_voidp argument)
+ }
+ }
+
++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
++static int
++png_image_read_direct_scaled(png_voidp argument)
++{
++ png_image_read_control *display = png_voidcast(png_image_read_control*,
++ argument);
++ png_imagep image = display->image;
++ png_structrp png_ptr = image->opaque->png_ptr;
++ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
++ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
++ ptrdiff_t row_bytes = display->row_bytes;
++ int passes;
++
++ /* Handle interlacing. */
++ switch (png_ptr->interlaced)
++ {
++ case PNG_INTERLACE_NONE:
++ passes = 1;
++ break;
++
++ case PNG_INTERLACE_ADAM7:
++ passes = PNG_INTERLACE_ADAM7_PASSES;
++ break;
++
++ default:
++ png_error(png_ptr, "unknown interlace type");
++ }
++
++ /* Read each pass using local_row as intermediate buffer. */
++ while (--passes >= 0)
++ {
++ png_uint_32 y = image->height;
++ png_bytep output_row = first_row;
++
++ for (; y > 0; --y)
++ {
++ /* Read into local_row (gets transformed 8-bit data). */
++ png_read_row(png_ptr, local_row, NULL);
++
++ /* Copy from local_row to user buffer. */
++ memcpy(output_row, local_row, (size_t)row_bytes);
++ output_row += row_bytes;
++ }
++ }
++
++ return 1;
++}
++
+ /* Just the row reading part of png_image_read. */
+ static int
+ png_image_read_composite(png_voidp argument)
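Review bot: `memcpy(output_row, local_row, (size_t)row_bytes)` uses `display->row_bytes`, which is the caller's row stride (a `ptrdiff_t`, negative for bottom-up buffers), not the width of the transformed row; `local_row` is allocated with `png_get_rowbytes()` bytes by the caller, so a stride larger than the row reads past `local_row`, and a negative stride cast to `size_t` becomes a huge copy length. The copy length should be the row size (the value `png_get_rowbytes(png_ptr, info_ptr)` returns), with `row_bytes` used only to advance `output_row`. Separately, `png_read_row` with interlace handling merges only the current pass's pixels into the buffer it is given and leaves rows outside the pass untouched, so reusing one `local_row` for every row and copying it into every output row on every pass deserves a test with an interlaced 16-bit image to confirm the final output matches the non-interlaced path.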
+@@ -3680,6 +3728,7 @@ png_image_read_direct(png_voidp argument)
+ int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
+ int do_local_compose = 0;
+ int do_local_background = 0; /* to avoid double gamma correction bug */
++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
+ int passes = 0;
+
+ /* Add transforms to ensure the correct output format is produced then check
+@@ -3806,8 +3855,16 @@ png_image_read_direct(png_voidp argument)
+ png_set_expand_16(png_ptr);
+
+ else /* 8-bit output */
++ {
+ png_set_scale_16(png_ptr);
+
++ /* For interlaced images, use local_row buffer to avoid overflow
++ * in png_combine_row() which writes using IHDR bit-depth.
++ */
++ if (png_ptr->interlaced != 0)
++ do_local_scale = 1;
++ }
++
+ change &= ~PNG_FORMAT_FLAG_LINEAR;
+ }
+
+@@ -4083,6 +4140,24 @@ png_image_read_direct(png_voidp argument)
+ return result;
+ }
+
++ else if (do_local_scale != 0)
++ {
++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer
++ * to avoid buffer overflows in png_combine_row. The local_row is sized
++ * for the transformed (8-bit) output, preventing the overflow that would
++ * occur if png_combine_row wrote 16-bit data directly to the user buffer.
++ */
++ int result;
++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
++
++ display->local_row = row;
++ result = png_safe_execute(image, png_image_read_direct_scaled, display);
++ display->local_row = NULL;
++ png_free(png_ptr, row);
++
++ return result;
++ }
++
+ else
+ {
+ png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
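Review bot: this branch is only reached when the branch above it (which also returns `result`) is not taken, so an interlaced 16-to-8 image that additionally needs that earlier local-row path never reaches the `do_local_scale` handling; if that earlier path already reads through `display->local_row` the ordering is correct, but a comment stating that precedence would save the next reader from re-deriving it. The `png_malloc` size here, `png_get_rowbytes(png_ptr, info_ptr)`, is the transformed 8-bit row width and is therefore also the only safe per-row copy length for the consumer of `local_row`.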
+@@ -4166,20 +4241,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
+ int result;
+ png_image_read_control display;
+
+- /* Reject bit depth mismatches to avoid buffer overflows. */
+- png_uint_32 ihdr_bit_depth =
+- image->opaque->png_ptr->bit_depth;
+- int requested_linear =
+- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
+- if (ihdr_bit_depth == 16 && !requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "16-bit PNG must use 16-bit output format");
+- if (ihdr_bit_depth < 16 && requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "8-bit PNG must not use 16-bit output format");
+-
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 6f5b69b754..2d5216cb65 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -17,6 +17,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-64505-03.patch \
file://CVE-2025-64506.patch \
file://CVE-2025-64720.patch \
+ file://CVE-2025-65018-01.patch \
+ file://CVE-2025-65018-02.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
--
2.43.0
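The CVE-2025-65018-01 description above gives the overflow for one case (32×32 pixels, 16-bit RGB read into an 8-bit RGBA buffer). The C program below is an added example, not libpng code and not part of this series: it generalises that arithmetic to any dimensions and sample layouts, reporting how many bytes a write at the IHDR depth would exceed a buffer sized for the output format, and adds a caller-side sizing helper (`safe_buffer_bytes`, a hypothetical helper of this example rather than a libpng API) that follows the rearchitected fix's statement that only interlaced images hit the IHDR-depth write.

```c
#include <stdio.h>

/* Sample layout: channel count and bit depth (byte-aligned samples only). */
struct pixel_layout {
    unsigned channels;   /* 1 gray, 2 gray+alpha, 3 RGB, 4 RGBA */
    unsigned bit_depth;  /* 8 or 16 */
};

/* Bytes in one row for a layout. */
size_t row_bytes(unsigned width, struct pixel_layout layout)
{
    return (size_t)width * layout.channels * (layout.bit_depth / 8);
}

/* Bytes written past the end of a buffer sized for `output` if rows were
 * written at the `ihdr` depth instead; 0 means the buffer suffices. */
size_t direct_write_overflow(unsigned width, unsigned height,
                             struct pixel_layout ihdr,
                             struct pixel_layout output)
{
    size_t written = row_bytes(width, ihdr) * height;
    size_t buffer = row_bytes(width, output) * height;
    return written > buffer ? written - buffer : 0;
}

/* Caller-side sizing (hypothetical helper, not a libpng API): allocate
 * enough for either path. Per the upstream fix description only
 * interlaced images hit the IHDR-depth write. */
size_t safe_buffer_bytes(unsigned width, unsigned height, int interlaced,
                         struct pixel_layout ihdr, struct pixel_layout output)
{
    size_t out = row_bytes(width, output) * height;
    size_t in;
    if (!interlaced)
        return out;
    in = row_bytes(width, ihdr) * height;
    return in > out ? in : out;
}

int main(void)
{
    struct pixel_layout rgb16 = { 3, 16 };
    struct pixel_layout rgba8 = { 4, 8 };
    printf("32x32 16-bit RGB -> 8-bit RGBA: overflow %zu bytes\n",
           direct_write_overflow(32, 32, rgb16, rgba8));
    printf("256x256: overflow %zu bytes\n",
           direct_write_overflow(256, 256, rgb16, rgba8));
    printf("interlaced 32x32 needs %zu bytes, non-interlaced %zu\n",
           safe_buffer_bytes(32, 32, 1, rgb16, rgba8),
           safe_buffer_bytes(32, 32, 0, rgb16, rgba8));
    return 0;
}
```

The two figures from the description (2048 bytes at 32×32, 131072 bytes at 256×256) fall out directly, and the reverse direction (8-bit input read into a 16-bit buffer) reports no shortfall, matching the observation that only the 16-to-8 path could overrun.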
* [OE-core][scarthgap 8/8] curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected
From: Steve Sakoman @ 2025-12-02 22:19 UTC
To: openembedded-core
From: Moritz Haase <Moritz.Haase@bmw.de>
Due to what looks like a copy'n'paste mistake, the environment setup script
might override 'CURL_CA_BUNDLE' from the host env instead of leaving it
untouched. Fix that.
(cherry picked from commit 545e43a7a45be02fda8fc3af69faa20e889f58c4)
CC: changqing.li@windriver.com
CC: raj.khem@gmail.com
CC: Peter.Marko@siemens.com
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/curl/curl/environment.d-curl.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
index 581108ef35..b948db2cf6 100644
--- a/meta/recipes-support/curl/curl/environment.d-curl.sh
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -1,6 +1,6 @@
# Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools
-# CAFILE/CAPATH is auto-deteced when source buildtools
-if [ -z "${CURL_CA_PATH:-}" ]; then
+# CAFILE/CAPATH is auto-detected when source buildtools
+if [ -z "${CURL_CA_BUNDLE:-}" ]; then
if [ -n "${CAFILE:-}" ];then
export CURL_CA_BUNDLE="$CAFILE"
elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
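Review bot: the guard now tests only `CURL_CA_BUNDLE`, while the comment on the first line promises to respect both `CURL_CA_BUNDLE` and `CURL_CA_PATH` from the host; with this change a host that sets only `CURL_CA_PATH` still gets `CURL_CA_BUNDLE` exported from `$CAFILE` or the sysroot bundle, which curl then uses alongside the host's path. If that is not intended, the condition should be `if [ -z "${CURL_CA_BUNDLE:-}" ] && [ -z "${CURL_CA_PATH:-}" ]; then`, and the comment should say which variable the remainder of the script handles.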
--
2.43.0
* Re: [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
From: Steve Sakoman @ 2025-12-04 17:59 UTC
To: Gyorgy Sarvari, Changqing Li; +Cc: openembedded-core
On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> This is quite a big change in the middle of an LTS release... not that I
> have a better solution. But maybe a warning in the docs would be
> appropriate about this removed feature and its reason (not sure who
> takes care of these).
You are quite correct, this is a large change and deserves further
discussion since it is removing a (admittedly experimental) feature.
I will remove this from this series pending further discussion on list.
Steve
* Re: [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
From: Changqing Li @ 2025-12-05 2:52 UTC
To: Steve Sakoman, Gyorgy Sarvari; +Cc: openembedded-core
On 12/5/25 01:59, Steve Sakoman wrote:
>
> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari<skandigraun@gmail.com> wrote:
>> This is quite a big change in the middle of an LTS release... not that I
>> have a better solution. But maybe a warning in the docs would be
>> appropriate about this removed feature and its reason (not sure who
>> takes care of these).
> You are quite correct, this is a large change and deserves further
> discussion since it is removing a (admittedly experimental) feature.
>
> I will remove this from this series pending further discussion on list.
Hi,
This vulnerability exists in libmicrohttpd_ws.so, which is generated
when building with the --enable-experimental option, rather than in the
widely used libmicrohttpd.so.
We don't enable this option by default, and we also don't provide a
PACKAGECONFIG for it.
How about we still keep the patch for fixing CVE-2025-59777 and
CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb:
+python do_warn_experimental() {
+    if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
+        bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
+}
+addtask warn_experimental before do_configure
+
If the user enables '--enable-experimental', a warning says it is removed. If
the user insists on using it, they can remove the patch
0001-Remove-broken-experimental-code.patch locally, and then the
warning will disappear.
//changqing
>
> Steve
* Re: [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
From: Anuj Mittal @ 2025-12-05 3:41 UTC
To: changqing.li; +Cc: Steve Sakoman, Gyorgy Sarvari, openembedded-core
On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
<changqing.li=windriver.com@lists.openembedded.org> wrote:
>
>
> On 12/5/25 01:59, Steve Sakoman wrote:
>
>
> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> This is quite a big change in the middle of an LTS release... not that I
> have a better solution. But maybe a warning in the docs would be
> appropriate about this removed feature and its reason (not sure who
> takes care of these).
>
> You are quite correct, this is a large change and deserves further
> discussion since it is removing a (admittedly experimental) feature.
>
> I will remove this from this series pending further discussion on list.
>
> Hi,
>
> This vulnerability exists in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in widely used libmicrohttpd.so.
>
> We don't enable this option by default, also we don't provide PACKAGECONFIG for it.
>
> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb
>
> +python do_warn_experimental() {
> + if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
> + bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
> +}
> +addtask warn_experimental before do_configure
> +
>
> if the user enable '--enable-experimental' , warning is it removed. if user insist to use it, they can remove patch 0001-Remove-broken-experimental-code.patch locally, then
>
> warning will disappear.
I think it should be the other way around. If we don't enable the
option and don't have a tunable PACKAGECONFIG for it, why complicate
and patch? If someone did enable it knowingly, they should fix it in
their append or recipe.
Thanks,
Anuj
* Re: [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
From: Changqing Li @ 2025-12-08 6:58 UTC
To: Anuj Mittal; +Cc: Steve Sakoman, Gyorgy Sarvari, openembedded-core
On 12/5/25 11:41, Anuj Mittal wrote:
>
> On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
> <changqing.li=windriver.com@lists.openembedded.org> wrote:
>>
>> On 12/5/25 01:59, Steve Sakoman wrote:
>>
>>
>> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari<skandigraun@gmail.com> wrote:
>>
>> This is quite a big change in the middle of an LTS release... not that I
>> have a better solution. But maybe a warning in the docs would be
>> appropriate about this removed feature and its reason (not sure who
>> takes care of these).
>>
>> You are quite correct, this is a large change and deserves further
>> discussion since it is removing a (admittedly experimental) feature.
>>
>> I will remove this from this series pending further discussion on list.
>>
>> Hi,
>>
>> This vulnerability exists in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in widely used libmicrohttpd.so.
>>
>> We don't enable this option by default, also we don't provide PACKAGECONFIG for it.
>>
>> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb
>>
>> +python do_warn_experimental() {
>> + if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
>> + bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
>> +}
>> +addtask warn_experimental before do_configure
>> +
>>
>> if the user enable '--enable-experimental' , warning is it removed. if user insist to use it, they can remove patch 0001-Remove-broken-experimental-code.patch locally, then
>>
>> warning will disappear.
> I think it should be the other way around. If we don't enable the
> option and don't have a tunable PACKAGECONFIG for it, why complicate
> and patch? If someone did enable it knowingly, they should fix it in
> their append or recipe.
If we don't patch it, should we add a function like do_warn_experimental
to remind users about the CVE?
It is possible that a user enables experimental but doesn't know about the
existence of CVE-2025-59777 and CVE-2025-62689.
Thanks
//Changqing
> Thanks,
>
> Anuj