* [OE-core][scarthgap 00/18] Patch review
@ 2024-08-04 17:09 Steve Sakoman
From: Steve Sakoman @ 2024-08-04 17:09 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, August 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7208
The following changes since commit 1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1:
openssh: systemd notification was implemented upstream (2024-07-28 19:27:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (1):
rt-tests: rt_bmark.py: fix TypeError
Christian Taedcke (1):
iptables: fix memory corruption when parsing nft rules
Khem Raj (2):
busybox: CVE-2023-42364 and CVE-2023-42365 fixes
busybox: Add fix for CVE-2023-42366
Mark Hatle (5):
package.py: Fix static debuginfo split
package.py: Fix static library processing
selftest-hardlink: Add additional test cases
create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS
oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib
Niko Mauno (1):
libyaml: Fix warning regarding unpatched CVE
Patrick Wicki (1):
gpgme: move gpgme-tool to own sub-package
Peter Marko (1):
libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust
Ranjitsinh Rathod (1):
rust: Add new variable RUST_ENABLE_EXTRA_TOOLS
Richard Purdie (3):
create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism
to fix tarball SPDX manifests
pseudo: Fix to work with glibc 2.40
pseudo: Update to include open symlink handling bugfix
Wadim Egorov (1):
watchdog: Set watchdog_module in default config
Yogita Urade (1):
qemu: upgrade 8.2.2 -> 8.2.3
.../selftest-hardlink/selftest-hardlink.bb | 13 ++
meta/classes-recipe/populate_sdk_base.bbclass | 7 +
meta/classes-recipe/testimage.bbclass | 2 -
meta/classes/create-spdx-2.2.bbclass | 14 +-
meta/lib/oe/package.py | 57 ++++-
meta/lib/oeqa/sdk/cases/assimp.py | 4 +
meta/lib/oeqa/sdk/cases/buildcpio.py | 5 +
meta/lib/oeqa/sdk/cases/buildepoxy.py | 4 +
meta/lib/oeqa/sdk/cases/buildgalculator.py | 4 +
meta/lib/oeqa/sdk/cases/buildlzip.py | 5 +
meta/lib/oeqa/sdk/cases/gcc.py | 4 +
meta/lib/oeqa/selftest/cases/package.py | 26 +++
...01-awk-fix-precedence-of-relative-to.patch | 197 ++++++++++++++++++
...1-awk.c-fix-CVE-2023-42366-bug-15874.patch | 37 ++++
...x-ternary-operator-and-precedence-of.patch | 96 +++++++++
meta/recipes-core/busybox/busybox_1.36.1.bb | 3 +
meta/recipes-core/meta/buildtools-tarball.bb | 3 +
.../pseudo/files/glibc238.patch | 10 +-
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
...u-native_8.2.2.bb => qemu-native_8.2.3.bb} | 0
...e_8.2.2.bb => qemu-system-native_8.2.3.bb} | 0
meta/recipes-devtools/qemu/qemu.inc | 8 +-
...4-Handle-the-vsyscall-page-in-open_s.patch | 56 -----
.../qemu/qemu/CVE-2024-3446-01.patch | 73 -------
.../qemu/qemu/CVE-2024-3446-02.patch | 48 -----
.../qemu/qemu/CVE-2024-3446-03.patch | 47 -----
.../qemu/qemu/CVE-2024-3446-04.patch | 52 -----
.../qemu/qemu/CVE-2024-3567.patch | 48 -----
.../qemu/{qemu_8.2.2.bb => qemu_8.2.3.bb} | 0
.../recipes-devtools/rust/libstd-rs_1.75.0.bb | 2 +
.../rust/rust-cross-canadian.inc | 1 +
meta/recipes-devtools/rust/rust_1.75.0.bb | 6 +-
...se-Add-missing-braces-around-ternary.patch | 37 ++++
.../iptables/iptables_1.8.10.bb | 1 +
.../watchdog/watchdog-config/watchdog.default | 1 +
meta/recipes-rt/rt-tests/files/rt_bmark.py | 2 +-
meta/recipes-support/gpgme/gpgme_1.23.2.bb | 16 +-
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +
38 files changed, 537 insertions(+), 356 deletions(-)
create mode 100644 meta/recipes-core/busybox/busybox/0001-awk-fix-precedence-of-relative-to.patch
create mode 100644 meta/recipes-core/busybox/busybox/0001-awk.c-fix-CVE-2023-42366-bug-15874.patch
create mode 100644 meta/recipes-core/busybox/busybox/0002-awk-fix-ternary-operator-and-precedence-of.patch
rename meta/recipes-devtools/qemu/{qemu-native_8.2.2.bb => qemu-native_8.2.3.bb} (100%)
rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.2.bb => qemu-system-native_8.2.3.bb} (100%)
delete mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-x86_64-Handle-the-vsyscall-page-in-open_s.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch
rename meta/recipes-devtools/qemu/{qemu_8.2.2.bb => qemu_8.2.3.bb} (100%)
create mode 100644 meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
--
2.34.1
* [OE-core][scarthgap 00/18] Patch review
@ 2024-08-21 12:50 Steve Sakoman
From: Steve Sakoman @ 2024-08-21 12:50 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, August 23
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7256
The following changes since commit bbb8db8fec7fbee56fcdbc665a758b911d73a767:
u-boot.inc: Refactor do_* steps into functions that can be overridden (2024-08-15 06:02:17 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Alexis Lothoré (1):
oeqa/utils/postactions: transfer whole archive over ssh instead of
doing individual copies
Ashish Sharma (1):
ruby: Backport fix for CVE-2024-27282
Daniel Semkowicz (1):
os-release: Fix VERSION_CODENAME in case it is empty
Gauthier HADERER (1):
populate_sdk_ext.bbclass: make sure OECORE_NATIVE_SYSROOT is exported.
Jon Mason (2):
oeqa/runtime/ssh: add retry logic and sleeps to allow for slower
systems
oeqa/runtime/ssh: check for all errors at the end
Jose Quaresma (1):
go: upgrade 1.22.5 -> 1.22.6
Kai Kang (1):
glibc: fix fortran header file conflict for arm
Martin Jansa (1):
libgfortran.inc: fix nativesdk-libgfortran dependencies
Mingli Yu (1):
llvm: Enable libllvm for native build
Richard Purdie (2):
oeqa/runtime/ssh: In case of failure, show exit code and handle -15
(SIGTERM)
oeqa/selftest/reproducible: Explicitly list virtual targets
Ross Burton (2):
gstreamer1.0: disable flaky baseparser tests
librsvg: don't try to run target code at build time
Siddharth Doshi (1):
Tiff: Security fix for CVE-2024-7006
Trevor Gamblin (1):
maintainers.inc: add self for unassigned python recipes
Ulrich Ölmann (1):
initramfs-framework: fix typos
Weisser, Pascal.ext (1):
qemuboot: Trigger write_qemuboot_conf task on changes of kernel image
realpath
meta/classes-recipe/populate_sdk_ext.bbclass | 2 +-
meta/classes-recipe/qemuboot.bbclass | 3 +-
meta/conf/distro/include/maintainers.inc | 8 +--
meta/lib/oeqa/runtime/cases/ssh.py | 31 ++++++---
meta/lib/oeqa/selftest/cases/reproducible.py | 3 +-
meta/lib/oeqa/utils/postactions.py | 19 +++---
meta/recipes-core/glibc/glibc-package.inc | 8 ++-
.../initrdscripts/initramfs-framework/init | 2 +-
.../initrdscripts/initramfs-framework/rootfs | 2 +-
meta/recipes-core/os-release/os-release.bb | 2 +-
meta/recipes-devtools/gcc/libgfortran.inc | 3 +-
.../go/{go-1.22.5.inc => go-1.22.6.inc} | 2 +-
...e_1.22.5.bb => go-binary-native_1.22.6.bb} | 6 +-
..._1.22.5.bb => go-cross-canadian_1.22.6.bb} | 0
...{go-cross_1.22.5.bb => go-cross_1.22.6.bb} | 0
...osssdk_1.22.5.bb => go-crosssdk_1.22.6.bb} | 0
...runtime_1.22.5.bb => go-runtime_1.22.6.bb} | 0
.../go/{go_1.22.5.bb => go_1.22.6.bb} | 0
meta/recipes-devtools/llvm/llvm_18.1.6.bb | 1 -
.../ruby/ruby/CVE-2024-27282.patch | 28 ++++++++
meta/recipes-devtools/ruby/ruby_3.2.2.bb | 1 +
.../librsvg/disable-rsvg-loader-test.patch | 40 ++++++++++++
meta/recipes-gnome/librsvg/librsvg_2.57.1.bb | 1 +
.../gstreamer/gstreamer1.0/run-ptest | 7 +-
.../libtiff/tiff/CVE-2024-7006.patch | 65 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 +
26 files changed, 198 insertions(+), 37 deletions(-)
rename meta/recipes-devtools/go/{go-1.22.5.inc => go-1.22.6.inc} (89%)
rename meta/recipes-devtools/go/{go-binary-native_1.22.5.bb => go-binary-native_1.22.6.bb} (78%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.22.5.bb => go-cross-canadian_1.22.6.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.22.5.bb => go-cross_1.22.6.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.22.5.bb => go-crosssdk_1.22.6.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.22.5.bb => go-runtime_1.22.6.bb} (100%)
rename meta/recipes-devtools/go/{go_1.22.5.bb => go_1.22.6.bb} (100%)
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27282.patch
create mode 100644 meta/recipes-gnome/librsvg/librsvg/disable-rsvg-loader-test.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
--
2.34.1
* [OE-core][scarthgap 00/18] Patch review
@ 2024-10-15 18:50 Steve Sakoman
From: Steve Sakoman @ 2024-10-15 18:50 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, October 17
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/277
The following changes since commit 5ea3ba00532265165e0d30f6d2eed568f5b5867f:
meta-world-pkgdata: Inherit nopackages (2024-10-06 06:07:52 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Alexander Kanavin (1):
sysvinit: take release tarballs from github
Claus Stovgaard (1):
lib/oe/package-manager: skip processing installed-pkgs with empty
globs
Hitendra Prajapati (2):
cups: Backport fix for CVE-2024-47175
libarchive: fix CVE-2024-48957 & CVE-2024-48958
Jaeyoon Jung (1):
makedevs: Fix matching uid/gid
Jörg Sommer (2):
ptest-runner: Update 2.4.4 -> 2.4.5
runqemu: Fix detection of -serial parameter
Khem Raj (1):
libpcre2: Update base uri PhilipHazel -> PCRE2Project
Louis Rannou (1):
image_qa: fix error handling
Macpaul Lin (1):
linux-firmware: upgrade 20240312 -> 20240909
Paul Barker (1):
meta-ide-support: Mark recipe as MACHINE-specific
Paul Gerber (1):
uboot-sign: fix counters in do_uboot_assemble_fitimage
Peter Marko (1):
rust: ignore CVE-2024-43402
Purushottam Choudhary (1):
virglrenderer: Add patch to fix -int-conversion build issue
Richard Purdie (2):
license: Fix directory layout issues
libsdl2: Fix non-deterministic configure option for libsamplerate
Teresa Remmet (1):
recipes-bsp: usbutils: Fix usb-devices command using busybox
Yogita Urade (1):
ruby: upgrade 3.2.2 -> 3.3.5
meta/classes-global/license.bbclass | 10 +-
meta/classes-recipe/image.bbclass | 11 +-
meta/classes-recipe/uboot-sign.bbclass | 3 +-
meta/lib/oe/package_manager/__init__.py | 76 +++---
meta/lib/oe/utils.py | 2 +-
meta/lib/oeqa/selftest/cases/meta_ide.py | 4 +-
...devices-Fix-usb-devices-with-busybox.patch | 37 +++
meta/recipes-bsp/usbutils/usbutils_017.bb | 1 +
meta/recipes-core/meta/meta-ide-support.bb | 1 +
meta/recipes-core/sysvinit/sysvinit_3.04.bb | 5 +-
.../makedevs/makedevs/makedevs.c | 12 +-
...Alignof-to-define-ALIGN_OF-when-poss.patch | 52 ----
...e.in-do-not-write-host-cross-cc-item.patch | 32 ---
...Obey-LDFLAGS-for-the-link-of-libruby.patch | 25 --
...-Makefile.in-filter-out-f-prefix-map.patch | 42 ---
...eproducible-change-fixing-784225-too.patch | 26 +-
.../0006-Make-gemspecs-reproducible.patch | 18 +-
.../ruby/ruby/CVE-2023-36617_1.patch | 56 ----
.../ruby/ruby/CVE-2023-36617_2.patch | 52 ----
.../ruby/ruby/CVE-2024-27281.patch | 97 -------
.../ruby/ruby/CVE-2024-27282.patch | 28 --
.../ruby/ruby/remove_has_include_macros.patch | 35 ---
.../ruby/{ruby_3.2.2.bb => ruby_3.3.5.bb} | 13 +-
meta/recipes-devtools/rust/rust-source.inc | 1 +
meta/recipes-extended/cups/cups.inc | 5 +
.../cups/cups/CVE-2024-47175-1.patch | 73 +++++
.../cups/cups/CVE-2024-47175-2.patch | 151 +++++++++++
.../cups/cups/CVE-2024-47175-3.patch | 119 +++++++++
.../cups/cups/CVE-2024-47175-4.patch | 249 ++++++++++++++++++
.../cups/cups/CVE-2024-47175-5.patch | 40 +++
.../libarchive/CVE-2024-48957.patch | 36 +++
.../libarchive/CVE-2024-48958.patch | 40 +++
.../libarchive/libarchive_3.7.4.bb | 5 +-
.../libsdl2/libsdl2_2.30.1.bb | 1 +
...nversion-fatal-build-error-with-GCC-.patch | 41 +++
.../virglrenderer/virglrenderer_1.0.1.bb | 1 +
...20240312.bb => linux-firmware_20240909.bb} | 8 +-
.../recipes-support/libpcre/libpcre2_10.43.bb | 2 +-
...-runner_2.4.4.bb => ptest-runner_2.4.5.bb} | 2 +-
scripts/runqemu | 4 +-
40 files changed, 898 insertions(+), 518 deletions(-)
create mode 100755 meta/recipes-bsp/usbutils/usbutils/0001-usb-devices-Fix-usb-devices-with-busybox.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/0001-fiddle-Use-C11-_Alignof-to-define-ALIGN_OF-when-poss.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/0002-template-Makefile.in-filter-out-f-prefix-map.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27282.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/remove_has_include_macros.patch
rename meta/recipes-devtools/ruby/{ruby_3.2.2.bb => ruby_3.3.5.bb} (88%)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-1.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-2.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-3.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-4.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2024-47175-5.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/0001-vrend-Fix-int-conversion-fatal-build-error-with-GCC-.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20240312.bb => linux-firmware_20240909.bb} (99%)
rename meta/recipes-support/ptest-runner/{ptest-runner_2.4.4.bb => ptest-runner_2.4.5.bb} (95%)
--
2.34.1
* [OE-core][scarthgap 00/18] Patch review
@ 2025-10-10 2:50 Steve Sakoman
From: Steve Sakoman @ 2025-10-10 2:50 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Monday, October 13
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2553
The following changes since commit 2696c50af9946f425ccaf7d0e7e0eb3fd87c36bb:
expect: fix native build with GCC 15 (2025-10-02 08:40:43 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.12
Archana Polampalli (1):
go: fix CVE-2025-47906
Deepesh Varatharajan (1):
glibc: stable 2.39 branch updates
Gyorgy Sarvari (1):
conf/bitbake.conf: use gnu mirror instead of main server
Hitendra Prajapati (1):
grub2: mark CVE-2024-2312 as not applicable
Peter Marko (10):
busybox: patch CVE-2025-46394
gstreamer1.0: ignore CVEs fixed in plugins
gstreamer1.0: ignore CVE-2025-2759
ghostscript: patch CVE-2025-59798
ghostscript: patch CVE-2025-59799
ghostscript: patch CVE-2025-59800
expat: follow-up for CVE-2024-8176
tiff: ignore 5 CVEs
ffmpeg: ignore 8 CVEs fixed in 6.1.1 and 6.1.3 releases
openssl: upgrade 3.2.4 -> 3.2.6
Ross Burton (1):
pulseaudio: ignore CVE-2024-11586
Steve Sakoman (2):
selftest/cases/meta_ide.py: use gnu mirror instead of main server
oeqa/sdk/cases/buildcpio.py: use gnu mirror instead of main server
meta/conf/bitbake.conf | 2 +-
meta/lib/oeqa/sdk/cases/buildcpio.py | 2 +-
meta/lib/oeqa/selftest/cases/meta_ide.py | 2 +-
meta/recipes-bsp/grub/grub2.inc | 1 +
.../openssl/openssl/CVE-2025-27587-1.patch | 1918 -----------------
.../openssl/openssl/CVE-2025-27587-2.patch | 129 --
.../{openssl_3.2.4.bb => openssl_3.2.6.bb} | 4 +-
.../busybox/busybox/CVE-2025-46394-01.patch | 57 +
.../busybox/busybox/CVE-2025-46394-02.patch | 32 +
meta/recipes-core/busybox/busybox_1.36.1.bb | 2 +
.../expat/expat/CVE-2024-8176-03.patch | 35 +
.../expat/expat/CVE-2024-8176-04.patch | 115 +
.../expat/expat/CVE-2024-8176-05.patch | 78 +
meta/recipes-core/expat/expat_2.6.4.bb | 3 +
meta/recipes-core/glibc/glibc-version.inc | 4 +-
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2025-47906.patch | 183 ++
.../ghostscript/CVE-2025-59798.patch | 134 ++
.../ghostscript/CVE-2025-59799.patch | 41 +
.../ghostscript/CVE-2025-59800.patch | 36 +
.../ghostscript/ghostscript_10.05.1.bb | 3 +
.../recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb | 4 +
.../gstreamer/gstreamer1.0_1.22.12.bb | 19 +-
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 4 +
.../pulseaudio/pulseaudio.inc | 2 +
scripts/install-buildtools | 4 +-
26 files changed, 754 insertions(+), 2061 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.4.bb => openssl_3.2.6.bb} (98%)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2024-8176-03.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2024-8176-04.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2024-8176-05.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-47906.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
--
2.43.0
* Re: [OE-core][scarthgap 00/18] Patch review
From: Gyorgy Sarvari @ 2025-10-12 19:02 UTC
To: steve, openembedded-core
On 10/10/25 04:50, Steve Sakoman via lists.openembedded.org wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Monday, October 13
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2553
This didn't pass... though I guess it's some infra problem?
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#224644): https://lists.openembedded.org/g/openembedded-core/message/224644
> Mute This Topic: https://lists.openembedded.org/mt/115683663/6084445
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
* Re: [OE-core][scarthgap 00/18] Patch review
From: Steve Sakoman @ 2025-10-12 19:19 UTC
To: Gyorgy Sarvari; +Cc: openembedded-core
On Sun, Oct 12, 2025 at 12:02 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> On 10/10/25 04:50, Steve Sakoman via lists.openembedded.org wrote:
> > Please review this set of changes for scarthgap and have comments back by
> > end of day Monday, October 13
> >
> > Passed a-full on autobuilder:
> >
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2553
>
> This didn't pass... though I guess it's some infra problem?
Yes, intermittent issue. I retested that one failing test and it succeeded:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/66/builds/2483
Steve
* [OE-core][scarthgap 00/18] Patch review
@ 2025-12-23 21:22 Steve Sakoman
From: Steve Sakoman @ 2025-12-23 21:22 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, December 30
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2919
The following changes since commit 2b3d2b671a149cbeea2bdc9ba42192da2015c3b7:
Revert "lib/oe/go: document map_arch, and raise an error on unknown architecture" (2025-12-11 13:41:59 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Adarsh Jagadish Kamini (1):
rsync: fix CVE-2025-10158
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.14
Daniel Turull (1):
cmake-native: fix CVE-2025-9301
Deepak Rathore (2):
cups 2.4.11: Fix CVE-2025-58436
cups 2.4.11: Fix CVE-2025-61915
Deepesh Varatharajan (1):
binutils: Fix CVE-2025-11494
Enrico Jörns (1):
cml1.bbclass: use consistent make flags for menuconfig
Jiaying Song (1):
python3-urllib3: fix CVE-2025-66418 CVE-2025-66471
Kai Kang (1):
qemu: fix CVE-2025-12464
Kamel Bouhara (Schneider Electric) (3):
kernel.bbclass: Add task to export kernel configuration to SPDX
spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and
PACKAGECONFIG
Martin Jansa (1):
cross.bbclass: Propagate dependencies to outhash
Mingli Yu (2):
libxslt: Fix CVE-2025-11731
ruby: Upgrade 3.3.5 -> 3.3.10
Moritz Haase (1):
curl: Use host CA bundle by default for native(sdk) builds
Yash Shinde (2):
binutils: fix CVE-2025-11839
binutils: fix CVE-2025-11840
meta/classes-recipe/cml1.bbclass | 2 +-
meta/classes-recipe/cross.bbclass | 36 +
meta/classes-recipe/kernel.bbclass | 67 +-
meta/classes/create-spdx-3.0.bbclass | 11 +
meta/lib/oe/spdx30_tasks.py | 20 +
meta/lib/oeqa/selftest/cases/spdx.py | 57 ++
.../binutils/binutils-2.42.inc | 3 +
.../binutils/0028-CVE-2025-11494.patch | 43 ++
.../binutils/0029-CVE-2025-11839.patch | 32 +
.../binutils/0030-CVE-2025-11840.patch | 37 +
.../cmake/cmake-native_3.28.3.bb | 1 +
.../python3-urllib3/CVE-2025-66418.patch | 80 +++
.../python3-urllib3/CVE-2025-66471.patch | 585 ++++++++++++++++
.../python/python3-urllib3_2.2.2.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2025-12464.patch | 70 ++
.../rsync/files/CVE-2025-10158.patch | 36 +
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 +
.../ruby/ruby/CVE-2025-27219.patch | 31 -
.../ruby/ruby/CVE-2025-27220.patch | 78 ---
.../ruby/ruby/CVE-2025-27221-0001.patch | 57 --
.../ruby/ruby/CVE-2025-27221-0002.patch | 73 --
.../ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} | 6 +-
meta/recipes-extended/cups/cups.inc | 2 +
.../cups/cups/CVE-2025-58436.patch | 635 ++++++++++++++++++
.../cups/cups/CVE-2025-61915.patch | 491 ++++++++++++++
meta/recipes-support/curl/curl_8.7.1.bb | 11 +-
.../libxslt/files/CVE-2025-11731.patch | 42 ++
.../recipes-support/libxslt/libxslt_1.1.43.bb | 3 +-
scripts/install-buildtools | 4 +-
30 files changed, 2263 insertions(+), 254 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
rename meta/recipes-devtools/ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} (95%)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58436.patch
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-61915.patch
create mode 100644 meta/recipes-support/libxslt/files/CVE-2025-11731.patch
--
2.43.0
* [OE-core][scarthgap 01/18] cups 2.4.11: Fix CVE-2025-58436
From: Steve Sakoman @ 2025-12-23 21:22 UTC
To: openembedded-core
From: Deepak Rathore <deeratho@cisco.com>
Upstream Repository: https://github.com/OpenPrinting/cups.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58436
Type: Security Fix
CVE: CVE-2025-58436
Score: 5.5
Patch: https://github.com/OpenPrinting/cups/commit/5d414f1f91bd
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2025-58436.patch | 635 ++++++++++++++++++
2 files changed, 636 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58436.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 0a26a9b6de..cf3df32306 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://cups-volatiles.conf \
file://CVE-2025-58060.patch \
file://CVE-2025-58364.patch \
+ file://CVE-2025-58436.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58436.patch b/meta/recipes-extended/cups/cups/CVE-2025-58436.patch
new file mode 100644
index 0000000000..5083d082dc
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-58436.patch
@@ -0,0 +1,635 @@
+From 7587d27139227397ab68cce554a112bb1190e6b6 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Mon, 13 Oct 2025 10:16:48 +0200
+Subject: [PATCH] Fix unresponsive cupsd process caused by a slow client
+
+If client is very slow, it will slow cupsd process for other clients.
+The fix is the best effort without turning scheduler cupsd into
+multithreaded process which would be too complex and error-prone when
+backporting to 2.4.x series.
+
+The fix for unencrypted communication is to follow up on communication
+only if there is the whole line on input, and the waiting time is
+guarded by timeout.
+
+Encrypted communication now starts after we have the whole client hello
+packet, which conflicts with optional upgrade support to HTTPS via
+methods other than method OPTIONS, so this optional support defined in
+RFC 2817, section 3.1 is removed. Too slow or incomplete requests are
+handled by connection timeout.
+
+Fixes CVE-2025-58436
+
+CVE: CVE-2025-58436
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/5d414f1f91bd]
+
+(cherry picked from commit 5d414f1f91bdca118413301b148f0b188eb1cdc6)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ cups/http-private.h | 7 +-
+ cups/http.c | 80 +++++++++++++-------
+ cups/tls-openssl.c | 15 +++-
+ scheduler/client.c | 178 ++++++++++++++++++++++++++++----------------
+ scheduler/client.h | 3 +
+ scheduler/select.c | 12 +++
+ 6 files changed, 198 insertions(+), 97 deletions(-)
+
+diff --git a/cups/http-private.h b/cups/http-private.h
+index 5f77b8ef0..b8e200bf6 100644
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -121,6 +121,7 @@ extern "C" {
+ * Constants...
+ */
+
++# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */
+ # define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
+ # define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
+ # define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
+@@ -232,8 +233,8 @@ struct _http_s /**** HTTP connection structure ****/
+ http_encoding_t data_encoding; /* Chunked or not */
+ int _data_remaining;/* Number of bytes left (deprecated) */
+ int used; /* Number of bytes used in buffer */
+- char buffer[HTTP_MAX_BUFFER];
+- /* Buffer for incoming data */
++ char _buffer[HTTP_MAX_BUFFER];
++ /* Old read buffer (deprecated) */
+ int _auth_type; /* Authentication in use (deprecated) */
+ unsigned char _md5_state[88]; /* MD5 state (deprecated) */
+ char nonce[HTTP_MAX_VALUE];
+@@ -307,6 +308,8 @@ struct _http_s /**** HTTP connection structure ****/
+ /* Allocated field values */
+ *default_fields[HTTP_FIELD_MAX];
+ /* Default field values, if any */
++ char buffer[_HTTP_MAX_BUFFER];
++ /* Read buffer */
+ };
+ # endif /* !_HTTP_NO_PRIVATE */
+
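Review bot: the new `buffer[_HTTP_MAX_BUFFER]` member is appended after `default_fields` while the old `buffer` stays in place as the deprecated `_buffer`, which is what keeps the offsets of every existing member of `struct _http_s` unchanged for code built against the previous private header; please say so in the comment on `_buffer`, otherwise a later cleanup that removes the "unused" field silently shifts the layout. Also, `_HTTP_MAX_BUFFER` (32768) and `HTTP_MAX_BUFFER` now size two different buffers under near-identical names, so a one-line comment on the new define stating that it replaces `HTTP_MAX_BUFFER` for the read buffer would help readers of the http.c hunks.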
+diff --git a/cups/http.c b/cups/http.c
+index 31a8be361..599703c7b 100644
+--- a/cups/http.c
++++ b/cups/http.c
+@@ -53,7 +53,7 @@ static http_t *http_create(const char *host, int port,
+ static void http_debug_hex(const char *prefix, const char *buffer,
+ int bytes);
+ #endif /* DEBUG */
+-static ssize_t http_read(http_t *http, char *buffer, size_t length);
++static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout);
+ static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length);
+ static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length);
+ static int http_send(http_t *http, http_state_t request,
+@@ -1200,7 +1200,7 @@ httpGets(char *line, /* I - Line to read into */
+ return (NULL);
+ }
+
+- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
++ bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
+
+ DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes));
+
+@@ -1720,24 +1720,13 @@ httpPeek(http_t *http, /* I - HTTP connection */
+
+ ssize_t buflen; /* Length of read for buffer */
+
+- if (!http->blocking)
+- {
+- while (!httpWait(http, http->wait_value))
+- {
+- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+- continue;
+-
+- return (0);
+- }
+- }
+-
+ if ((size_t)http->data_remaining > sizeof(http->buffer))
+ buflen = sizeof(http->buffer);
+ else
+ buflen = (ssize_t)http->data_remaining;
+
+ DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen));
+- bytes = http_read(http, http->buffer, (size_t)buflen);
++ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
+
+ DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.",
+ CUPS_LLCAST bytes));
+@@ -1758,9 +1747,9 @@ httpPeek(http_t *http, /* I - HTTP connection */
+ int zerr; /* Decompressor error */
+ z_stream stream; /* Copy of decompressor stream */
+
+- if (http->used > 0 && ((z_stream *)http->stream)->avail_in < HTTP_MAX_BUFFER)
++ if (http->used > 0 && ((z_stream *)http->stream)->avail_in < _HTTP_MAX_BUFFER)
+ {
+- size_t buflen = HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
++ size_t buflen = _HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
+ /* Number of bytes to copy */
+
+ if (((z_stream *)http->stream)->avail_in > 0 &&
+@@ -2018,7 +2007,7 @@ httpRead2(http_t *http, /* I - HTTP connection */
+
+ if (bytes == 0)
+ {
+- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
++ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
+ /* Additional bytes for buffer */
+
+ if (buflen > 0)
+@@ -2768,7 +2757,7 @@ int /* O - 1 to continue, 0 to stop */
+ _httpUpdate(http_t *http, /* I - HTTP connection */
+ http_status_t *status) /* O - Current HTTP status */
+ {
+- char line[32768], /* Line from connection... */
++ char line[_HTTP_MAX_BUFFER], /* Line from connection... */
+ *value; /* Pointer to value on line */
+ http_field_t field; /* Field index */
+ int major, minor; /* HTTP version numbers */
+@@ -2776,12 +2765,46 @@ _httpUpdate(http_t *http, /* I - HTTP connection */
+
+ DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state)));
+
++ /* When doing non-blocking I/O, make sure we have a whole line... */
++ if (!http->blocking)
++ {
++ ssize_t bytes; /* Bytes "peeked" from connection */
++
++ /* See whether our read buffer is full... */
++ DEBUG_printf(("2_httpUpdate: used=%d", http->used));
++
++ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
++ {
++ /* No, try filling in more data... */
++ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
++ {
++ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes));
++ http->used += (int)bytes;
++ }
++ }
++
++ /* Peek at the incoming data... */
++ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
++ {
++ /* Don't have a full line, tell the reader to try again when there is more data... */
++ DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
++ if ((size_t)http->used == sizeof(http->buffer))
++ *status = HTTP_STATUS_ERROR;
++ else
++ *status = HTTP_STATUS_CONTINUE;
++ return (0);
++ }
++
++ DEBUG_puts("2_httpUpdate: Found newline in buffer.");
++ }
++
+ /*
+ * Grab a single line from the connection...
+ */
+
+ if (!httpGets(line, sizeof(line), http))
+ {
++ DEBUG_puts("1_httpUpdate: Error reading request line.");
+ *status = HTTP_STATUS_ERROR;
+ return (0);
+ }
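Review bot: the refill branch is guarded by `http->used > 0`, so when the buffer is empty this function never reads from the socket and returns `HTTP_STATUS_CONTINUE` immediately; the caller then has to be woken again and some other path has to put bytes into `http->buffer`, otherwise a socket that is reported readable but whose bytes are never consumed will make the scheduler's poll loop spin (which is presumably what the `usleep(1)` additions in scheduler/select.c are papering over). Consider dropping the `http->used > 0 &&` condition so the zero-timeout `http_read` is also attempted on an empty buffer. Minor: the debug string reads `1_htttpUpdate` (three t's).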
+@@ -4134,7 +4157,8 @@ http_debug_hex(const char *prefix, /* I - Prefix for line */
+ static ssize_t /* O - Number of bytes read or -1 on error */
+ http_read(http_t *http, /* I - HTTP connection */
+ char *buffer, /* I - Buffer */
+- size_t length) /* I - Maximum bytes to read */
++ size_t length, /* I - Maximum bytes to read */
++ int timeout) /* I - Wait timeout */
+ {
+ ssize_t bytes; /* Bytes read */
+
+@@ -4143,7 +4167,7 @@ http_read(http_t *http, /* I - HTTP connection */
+
+ if (!http->blocking || http->timeout_value > 0.0)
+ {
+- while (!httpWait(http, http->wait_value))
++ while (!_httpWait(http, timeout, 1))
+ {
+ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+ continue;
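Review bot: with the new `timeout` argument passed as 0 from `_httpUpdate`, the `while (!_httpWait(http, timeout, 1))` loop can spin without pausing when a `timeout_cb` is installed that keeps returning non-zero, because `continue` goes straight back to a zero-wait poll; either skip the callback when `timeout == 0` or return right away in that case. The function comment should also state the unit and meaning of `timeout` (milliseconds, 0 = do not wait), since callers now pass three different values.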
+@@ -4246,7 +4270,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */
+ else
+ bytes = (ssize_t)length;
+
+- DEBUG_printf(("8http_read: Grabbing %d bytes from input buffer.",
++ DEBUG_printf(("8http_read_buffered: Grabbing %d bytes from input buffer.",
+ (int)bytes));
+
+ memcpy(buffer, http->buffer, (size_t)bytes);
+@@ -4256,7 +4280,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */
+ memmove(http->buffer, http->buffer + bytes, (size_t)http->used);
+ }
+ else
+- bytes = http_read(http, buffer, length);
++ bytes = http_read(http, buffer, length, http->wait_value);
+
+ return (bytes);
+ }
+@@ -4597,15 +4621,15 @@ http_set_timeout(int fd, /* I - File descriptor */
+ static void
+ http_set_wait(http_t *http) /* I - HTTP connection */
+ {
+- if (http->blocking)
+- {
+- http->wait_value = (int)(http->timeout_value * 1000);
++ http->wait_value = (int)(http->timeout_value * 1000);
+
+- if (http->wait_value <= 0)
++ if (http->wait_value <= 0)
++ {
++ if (http->blocking)
+ http->wait_value = 60000;
++ else
++ http->wait_value = 1000;
+ }
+- else
+- http->wait_value = 10000;
+ }
+
+
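Review bot: this hunk lowers the default wait for non-blocking connections from 10000 to 1000 ms while leaving the blocking default at 60000 ms, but the commit message only says waits are "guarded by timeout"; the tenfold reduction affects every libcups user doing non-blocking I/O without calling `httpSetTimeout`, so it deserves an explicit sentence in the commit message and in CHANGES. Please also confirm the 1 s value is what `httpGets` and `httpPeek` should see, since both now forward `http->wait_value` into `http_read`.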
+diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
+index 9fcbe0af3..f746f4cba 100644
+--- a/cups/tls-openssl.c
++++ b/cups/tls-openssl.c
+@@ -215,12 +215,14 @@ cupsMakeServerCredentials(
+ // Save them...
+ if ((bio = BIO_new_file(keyfile, "wb")) == NULL)
+ {
++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file '%s': %s", keyfile, strerror(errno)));
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+ goto done;
+ }
+
+ if (!PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL))
+ {
++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_PrivateKey failed.");
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write private key."), 1);
+ BIO_free(bio);
+ goto done;
+@@ -230,12 +232,14 @@ cupsMakeServerCredentials(
+
+ if ((bio = BIO_new_file(crtfile, "wb")) == NULL)
+ {
++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create certificate file '%s': %s", crtfile, strerror(errno)));
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+ goto done;
+ }
+
+ if (!PEM_write_bio_X509(bio, cert))
+ {
++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_X509 failed.");
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write X.509 certificate."), 1);
+ BIO_free(bio);
+ goto done;
+@@ -1082,10 +1086,10 @@ _httpTLSStart(http_t *http) // I - Connection to server
+
+ if (!cupsMakeServerCredentials(tls_keypath, cn, 0, NULL, time(NULL) + 3650 * 86400))
+ {
+- DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
++ DEBUG_printf(("4_httpTLSStart: cupsMakeServerCredentials failed: %s", cupsLastErrorString()));
+ http->error = errno = EINVAL;
+ http->status = HTTP_STATUS_ERROR;
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
++// _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
+ SSL_CTX_free(context);
+ _cupsMutexUnlock(&tls_mutex);
+
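Review bot: the `_cupsSetError(...)` line is left in as a `//` commented-out statement instead of being removed; if the intent is to keep the error already set by `cupsMakeServerCredentials` (which the new `DEBUG_printf` reports through `cupsLastErrorString()`), say that in a comment and delete the dead line rather than leaving it commented out.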
+@@ -1346,14 +1350,17 @@ http_bio_read(BIO *h, // I - BIO data
+
+ http = (http_t *)BIO_get_data(h);
+
+- if (!http->blocking)
++ if (!http->blocking || http->timeout_value > 0.0)
+ {
+ /*
+ * Make sure we have data before we read...
+ */
+
+- if (!_httpWait(http, 10000, 0))
++ while (!_httpWait(http, http->wait_value, 0))
+ {
++ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
++ continue;
++
+ #ifdef WIN32
+ http->error = WSAETIMEDOUT;
+ #else
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 233f9017d..d495d9a75 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -34,11 +34,11 @@
+
+ static int check_if_modified(cupsd_client_t *con,
+ struct stat *filestats);
+-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
+- void *data);
+ #ifdef HAVE_TLS
+-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
++static int check_start_tls(cupsd_client_t *con);
+ #endif /* HAVE_TLS */
++static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
++ void *data);
+ static char *get_file(cupsd_client_t *con, struct stat *filestats,
+ char *filename, size_t len);
+ static http_status_t install_cupsd_conf(cupsd_client_t *con);
+@@ -360,14 +360,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
+ {
+ /*
+- * https connection; go secure...
++ * HTTPS connection, force TLS negotiation...
+ */
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
+- cupsdCloseClient(con);
++ con->tls_start = time(NULL);
++ con->encryption = HTTP_ENCRYPTION_ALWAYS;
+ }
+ else
++ {
++ /*
++ * HTTP connection, but check for HTTPS negotiation on first data...
++ */
++
+ con->auto_ssl = 1;
++ }
+ #endif /* HAVE_TLS */
+ }
+
+@@ -606,17 +612,46 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+
+ con->auto_ssl = 0;
+
+- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
+- (!buf[0] || !strchr("DGHOPT", buf[0])))
++ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2])
+ {
+ /*
+- * Encrypt this connection...
++ * Client hello record, encrypt this connection...
+ */
+
+- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session.");
++ con->tls_start = time(NULL);
++ con->encryption = HTTP_ENCRYPTION_ALWAYS;
++ }
++ }
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
+- cupsdCloseClient(con);
++ if (con->tls_start)
++ {
++ /*
++ * Try negotiating TLS...
++ */
++
++ int tls_status = check_start_tls(con);
++
++ if (tls_status < 0)
++ {
++ /*
++ * TLS negotiation failed, close the connection.
++ */
++
++ cupsdCloseClient(con);
++ return;
++ }
++ else if (tls_status == 0)
++ {
++ /*
++ * Nothing to do yet...
++ */
++
++ if ((time(NULL) - con->tls_start) > 5)
++ {
++ // Timeout, close the connection...
++ cupsdCloseClient(con);
++ }
+
+ return;
+ }
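Review bot: `con->auto_ssl = 0` is cleared before the five-byte `recv(..., MSG_PEEK)` is evaluated, so if fewer than 5 bytes of a ClientHello have arrived when the socket first becomes readable, the `== 5` test fails, auto-detection is disabled for good and the connection falls through to plaintext request parsing; the cheap fix is to return and wait for more data when `recv` yields between 1 and 4 bytes and only clear `auto_ssl` once 5 bytes were actually peeked. Separately, the `(time(NULL) - con->tls_start) > 5` limit is only evaluated inside this function, i.e. when the socket becomes readable again, so a peer that sends a partial hello and then goes silent is not closed by this check on its own; a named constant for the 5 s would also make the intent clearer.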
+@@ -780,9 +815,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ * Parse incoming parameters until the status changes...
+ */
+
+- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
+- if (!httpGetReady(con->http))
+- break;
++ status = httpUpdate(con->http);
+
+ if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
+ {
+@@ -944,11 +977,10 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ return;
+ }
+
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
++ con->tls_start = time(NULL);
++ con->tls_upgrade = 1;
++ con->encryption = HTTP_ENCRYPTION_REQUIRED;
++ return;
+ #else
+ if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
+ {
+@@ -987,32 +1019,11 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */
+ if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
+ "Upgrade") && !httpIsEncrypted(con->http))
+ {
+-#ifdef HAVE_TLS
+- /*
+- * Do encryption stuff...
+- */
+-
+- httpClearFields(con->http);
+-
+- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
+- CUPSD_AUTH_NONE))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
+-
+- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
+- {
+- cupsdCloseClient(con);
+- return;
+- }
+-#else
+ if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
+ {
+ cupsdCloseClient(con);
+ return;
+ }
+-#endif /* HAVE_TLS */
+ }
+
+ if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
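Review bot: with the `#ifdef HAVE_TLS` branch removed, a request carrying `Connection: Upgrade` on an unencrypted connection is now answered with 501 Not Implemented on every build, TLS-enabled ones included; the commit message explains that RFC 2817 section 3.1 upgrades for methods other than OPTIONS are being dropped, but that behaviour change should also be recorded in CHANGES and the cupsd documentation so clients that relied on `Upgrade: TLS/1.0` with GET or POST know why they now receive 501.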
+@@ -2685,6 +2696,69 @@ check_if_modified(
+ }
+
+
++#ifdef HAVE_TLS
++/*
++ * 'check_start_tls()' - Start encryption on a connection.
++ */
++
++static int /* O - 0 to continue, 1 on success, -1 on error */
++check_start_tls(cupsd_client_t *con) /* I - Client connection */
++{
++ unsigned char chello[4096]; /* Client hello record */
++ ssize_t chello_bytes; /* Bytes read/peeked */
++ int chello_len; /* Length of record */
++
++
++ /*
++ * See if we have a good and complete client hello record...
++ */
++
++ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5)
++ return (0); /* Not enough bytes (yet) */
++
++ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0)
++ return (-1); /* Not a TLS Client Hello record */
++
++ chello_len = (chello[3] << 8) | chello[4];
++
++ if ((chello_len + 5) > chello_bytes)
++ return (0); /* Not enough bytes yet */
++
++ /*
++ * OK, we do, try negotiating...
++ */
++
++ con->tls_start = 0;
++
++ if (httpEncryption(con->http, con->encryption))
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString());
++ return (-1);
++ }
++
++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
++
++ if (con->tls_upgrade)
++ {
++ // Respond to the original OPTIONS command...
++ con->tls_upgrade = 0;
++
++ httpClearFields(con->http);
++ httpClearCookie(con->http);
++ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
++
++ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
++ {
++ cupsdCloseClient(con);
++ return (-1);
++ }
++ }
++
++ return (1);
++}
++#endif /* HAVE_TLS */
++
++
+ /*
+ * 'compare_clients()' - Compare two client connections.
+ */
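Review bot: two issues in `check_start_tls`. First, `chello` is 4096 bytes but the record length parsed from `chello[3]`/`chello[4]` can be up to 16384, so any ClientHello longer than 4091 bytes can never satisfy `(chello_len + 5) <= chello_bytes`; the function keeps returning 0 and the connection is dropped by the 5 s timeout in the caller. Size the peek buffer to the maximum record (16384 + 5 bytes) or treat `chello_bytes == sizeof(chello)` as complete enough to hand to the TLS library. Second, on `cupsdSendHeader` failure the function calls `cupsdCloseClient(con)` and then returns -1, and the caller in `cupsdReadClient` calls `cupsdCloseClient(con)` again for every negative return, so the same client is closed twice; remove the inner close and leave it to the caller. A comment that only the first record header is validated would also help.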
+@@ -2705,28 +2779,6 @@ compare_clients(cupsd_client_t *a, /* I - First client */
+ }
+
+
+-#ifdef HAVE_TLS
+-/*
+- * 'cupsd_start_tls()' - Start encryption on a connection.
+- */
+-
+-static int /* O - 0 on success, -1 on error */
+-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */
+- http_encryption_t e) /* I - Encryption mode */
+-{
+- if (httpEncryption(con->http, e))
+- {
+- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
+- cupsLastErrorString());
+- return (-1);
+- }
+-
+- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
+- return (0);
+-}
+-#endif /* HAVE_TLS */
+-
+-
+ /*
+ * 'get_file()' - Get a filename and state info.
+ */
+diff --git a/scheduler/client.h b/scheduler/client.h
+index 9fe4e2ea6..2939ce997 100644
+--- a/scheduler/client.h
++++ b/scheduler/client.h
+@@ -53,6 +53,9 @@ struct cupsd_client_s
+ cups_lang_t *language; /* Language to use */
+ #ifdef HAVE_TLS
+ int auto_ssl; /* Automatic test for SSL/TLS */
++ time_t tls_start; /* Do TLS negotiation? */
++ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */
++ http_encryption_t encryption; /* Type of TLS negotiation */
+ #endif /* HAVE_TLS */
+ http_addr_t clientaddr; /* Client's server address */
+ char clientname[256];/* Client's server name for connection */
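Review bot: the comment on `tls_start` ("Do TLS negotiation?") reads as a boolean while the field is a `time_t` holding when negotiation was requested, with 0 meaning none; please rephrase it to something like "Time TLS negotiation started (0 = none)" so the 5 s timeout logic in client.c is understandable from the header alone.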
+diff --git a/scheduler/select.c b/scheduler/select.c
+index 2e64f2a7e..ac6205c51 100644
+--- a/scheduler/select.c
++++ b/scheduler/select.c
+@@ -408,6 +408,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+
+ cupsd_in_select = 1;
+
++ // Prevent 100% CPU by releasing control before the kevent call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ {
+ ktimeout.tv_sec = timeout;
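Review bot: the `usleep(1)` inserted before the `kevent` call here, and before `epoll_wait`, `poll` and `select` in the three hunks that follow, masks a busy loop rather than fixing it; these calls already block when nothing is ready, so a 100 % CPU loop means a descriptor is reported readable while its bytes are never consumed, which points back to the empty-buffer path in `_httpUpdate`. The sleep adds a syscall and a scheduler round trip to every wakeup of a busy cupsd; if it has to stay, please document the exact case it works around so it can be removed once the root cause is fixed.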
+@@ -452,6 +455,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ struct epoll_event *event; /* Current event */
+
+
++ // Prevent 100% CPU by releasing control before the epoll_wait call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs,
+ timeout * 1000);
+@@ -544,6 +550,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ }
+ }
+
++ // Prevent 100% CPU by releasing control before the poll call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000);
+ else
+@@ -597,6 +606,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */
+ cupsd_current_input = cupsd_global_input;
+ cupsd_current_output = cupsd_global_output;
+
++ // Prevent 100% CPU by releasing control before the select call...
++ usleep(1);
++
+ if (timeout >= 0 && timeout < 86400)
+ {
+ stimeout.tv_sec = timeout;
+--
+2.44.1
+
--
2.43.0
* [OE-core][scarthgap 02/18] cups 2.4.11: Fix CVE-2025-61915
From: Steve Sakoman @ 2025-12-23 21:22 UTC
To: openembedded-core
From: Deepak Rathore <deeratho@cisco.com>
Upstream Repository: https://github.com/OpenPrinting/cups.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61915
Type: Security Fix
CVE: CVE-2025-61915
Score: 6.7
Patch: https://github.com/OpenPrinting/cups/commit/db8d560262c2
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/cups/cups.inc | 1 +
.../cups/cups/CVE-2025-61915.patch | 491 ++++++++++++++++++
2 files changed, 492 insertions(+)
create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-61915.patch
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index cf3df32306..12668ca023 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -18,6 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://CVE-2025-58060.patch \
file://CVE-2025-58364.patch \
file://CVE-2025-58436.patch \
+ file://CVE-2025-61915.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2025-61915.patch b/meta/recipes-extended/cups/cups/CVE-2025-61915.patch
new file mode 100644
index 0000000000..ad91c66b73
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2025-61915.patch
@@ -0,0 +1,491 @@
+From 3ff24bbe1d0e11a2edb5cac0ae421b8e95220651 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 21 Nov 2025 07:36:36 +0100
+Subject: [PATCH] Fix various issues in cupsd
+
+Various issues were found by @SilverPlate3, recognized as CVE-2025-61915:
+
+- out of bound write when handling IPv6 addresses,
+- cupsd crash caused by null dereference when ErrorPolicy value is empty,
+
+On the top of that, Mike Sweet noticed vulnerability via domain socket,
+exploitable locally if attacker has access to domain socket and knows username
+of user within a group which is present in CUPS system groups:
+
+- rewrite of cupsd.conf via PeerCred authorization via domain socket
+
+The last vulnerability is fixed by introducing PeerCred directive for cups-files.conf,
+which controls whether PeerCred is enabled/disabled for user in CUPS system groups.
+
+Fixes CVE-2025-61915
+
+CVE: CVE-2025-61915
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/db8d560262c2]
+
+(cherry picked from commit db8d560262c22a21ee1e55dfd62fa98d9359bcb0)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ conf/cups-files.conf.in | 3 ++
+ config-scripts/cups-defaults.m4 | 9 +++++
+ config.h.in | 7 ++++
+ configure | 22 ++++++++++
+ doc/help/man-cups-files.conf.html | 9 ++++-
+ man/cups-files.conf.5 | 17 ++++++--
+ scheduler/auth.c | 8 +++-
+ scheduler/auth.h | 7 ++++
+ scheduler/client.c | 2 +-
+ scheduler/conf.c | 60 ++++++++++++++++++++++++----
+ test/run-stp-tests.sh | 2 +-
+ vcnet/config.h | 7 ++++
+ xcode/CUPS.xcodeproj/project.pbxproj | 2 -
+ xcode/config.h | 7 ++++
+ 14 files changed, 145 insertions(+), 17 deletions(-)
+
+diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in
+index 27d8be96f..bc999e420 100644
+--- a/conf/cups-files.conf.in
++++ b/conf/cups-files.conf.in
+@@ -22,6 +22,9 @@
+ SystemGroup @CUPS_SYSTEM_GROUPS@
+ @CUPS_SYSTEM_AUTHKEY@
+
++# Are Unix domain socket peer credentials used for authorization?
++PeerCred @CUPS_PEER_CRED@
++
+ # User that is substituted for unauthenticated (remote) root accesses...
+ #RemoteRoot remroot
+
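Review bot: the new `PeerCred @CUPS_PEER_CRED@` directive has a one-line comment but, unlike the man page hunk, does not list the accepted values; since administrators edit this file directly, extend the comment with `(on, off, root-only)` and note that `on` is reduced to `root-only` for PUT requests.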
+diff --git a/config-scripts/cups-defaults.m4 b/config-scripts/cups-defaults.m4
+index 27e5bc472..b4f03d624 100644
+--- a/config-scripts/cups-defaults.m4
++++ b/config-scripts/cups-defaults.m4
+@@ -129,6 +129,15 @@ AC_ARG_WITH([log_level], AS_HELP_STRING([--with-log-level], [set default LogLeve
+ AC_SUBST([CUPS_LOG_LEVEL])
+ AC_DEFINE_UNQUOTED([CUPS_DEFAULT_LOG_LEVEL], ["$CUPS_LOG_LEVEL"], [Default LogLevel value.])
+
++dnl Default PeerCred
++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [
++ CUPS_PEER_CRED="$withval"
++], [
++ CUPS_PEER_CRED="on"
++])
++AC_SUBST([CUPS_PEER_CRED])
++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.])
++
+ dnl Default AccessLogLevel
+ AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none],
+ CUPS_ACCESS_LOG_LEVEL="$withval",
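Review bot: `--with-peer-cred` stores `$withval` into `CUPS_PEER_CRED` and from there into `CUPS_DEFAULT_PEER_CRED` without checking that it is one of `on`, `off` or `root-only`, so a bare `--with-peer-cred` (for which autoconf sets `withval=yes`) bakes an invalid default into config.h that is only caught when cupsd parses the directive at runtime; add a `case "$withval"` that rejects anything else at configure time, and the generated configure hunk below will pick it up on regeneration.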
+diff --git a/config.h.in b/config.h.in
+index 6940b9604..222b3b5bf 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -86,6 +86,13 @@
+ #define CUPS_DEFAULT_ERROR_POLICY "stop-printer"
+
+
++/*
++ * Default PeerCred value...
++ */
++
++#define CUPS_DEFAULT_PEER_CRED "on"
++
++
+ /*
+ * Default MaxCopies value...
+ */
+diff --git a/configure b/configure
+index f8147c9d6..f456c8588 100755
+--- a/configure
++++ b/configure
+@@ -672,6 +672,7 @@ CUPS_BROWSING
+ CUPS_SYNC_ON_CLOSE
+ CUPS_PAGE_LOG_FORMAT
+ CUPS_ACCESS_LOG_LEVEL
++CUPS_PEER_CRED
+ CUPS_LOG_LEVEL
+ CUPS_FATAL_ERRORS
+ CUPS_ERROR_POLICY
+@@ -925,6 +926,7 @@ with_max_log_size
+ with_error_policy
+ with_fatal_errors
+ with_log_level
++with_peer_cred
+ with_access_log_level
+ enable_page_logging
+ enable_sync_on_close
+@@ -1661,6 +1663,8 @@ Optional Packages:
+ --with-error-policy set default ErrorPolicy value, default=stop-printer
+ --with-fatal-errors set default FatalErrors value, default=config
+ --with-log-level set default LogLevel value, default=warn
++ --with-peer-cred set default PeerCred value (on/off/root-only),
++ default=on
+ --with-access-log-level set default AccessLogLevel value, default=none
+ --with-local-protocols set default BrowseLocalProtocols, default=""
+ --with-cups-user set default user for CUPS
+@@ -11718,6 +11722,24 @@ printf "%s\n" "#define CUPS_DEFAULT_LOG_LEVEL \"$CUPS_LOG_LEVEL\"" >>confdefs.h
+
+
+
++# Check whether --with-peer_cred was given.
++if test ${with_peer_cred+y}
++then :
++ withval=$with_peer_cred;
++ CUPS_PEER_CRED="$withval"
++
++else $as_nop
++
++ CUPS_PEER_CRED="on"
++
++fi
++
++
++
++printf "%s\n" "#define CUPS_DEFAULT_PEER_CRED \"$CUPS_PEER_CRED\"" >>confdefs.h
++
++
++
+ # Check whether --with-access_log_level was given.
+ if test ${with_access_log_level+y}
+ then :
+diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html
+index c0c775dec..5a9ddefeb 100644
+--- a/doc/help/man-cups-files.conf.html
++++ b/doc/help/man-cups-files.conf.html
+@@ -119,6 +119,13 @@ The default is "/var/log/cups/page_log".
+ <dt><a name="PassEnv"></a><b>PassEnv </b><i>variable </i>[ ... <i>variable </i>]
+ <dd style="margin-left: 5.0em">Passes the specified environment variable(s) to child processes.
+ Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
++<dt><a name="PeerCred"></a><b>PeerCred off</b>
++<dd style="margin-left: 5.0em"><dt><b>PeerCred on</b>
++<dd style="margin-left: 5.0em"><dt><b>PeerCred root-only</b>
++<dd style="margin-left: 5.0em">Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
++When <b>on</b>, the peer credentials of any user are accepted for authorization.
++The value <b>off</b> disables the use of peer credentials entirely, while the value <b>root-only</b> allows peer credentials only for the root user.
++Note: for security reasons, the <b>on</b> setting is reduced to <b>root-only</b> for authorization of PUT requests.
+ <dt><a name="RemoteRoot"></a><b>RemoteRoot </b><i>username</i>
+ <dd style="margin-left: 5.0em">Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
+ The default is "remroot".
+@@ -207,7 +214,7 @@ command is used instead.
+ <a href="man-subscriptions.conf.html?TOPIC=Man+Pages"><b>subscriptions.conf</b>(5),</a>
+ CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
+ <h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
+-Copyright © 2020-2023 by OpenPrinting.
++Copyright © 2020-2025 by OpenPrinting.
+
+ </body>
+ </html>
+diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5
+index 8358b62a1..107072c3c 100644
+--- a/man/cups-files.conf.5
++++ b/man/cups-files.conf.5
+@@ -1,14 +1,14 @@
+ .\"
+ .\" cups-files.conf man page for CUPS.
+ .\"
+-.\" Copyright © 2020-2024 by OpenPrinting.
++.\" Copyright © 2020-2025 by OpenPrinting.
+ .\" Copyright © 2007-2019 by Apple Inc.
+ .\" Copyright © 1997-2006 by Easy Software Products.
+ .\"
+ .\" Licensed under Apache License v2.0. See the file "LICENSE" for more
+ .\" information.
+ .\"
+-.TH cups-files.conf 5 "CUPS" "2021-03-06" "OpenPrinting"
++.TH cups-files.conf 5 "CUPS" "2025-10-08" "OpenPrinting"
+ .SH NAME
+ cups\-files.conf \- file and directory configuration file for cups
+ .SH DESCRIPTION
+@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log".
+ \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+ Passes the specified environment variable(s) to child processes.
+ Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
++.\"#PeerCred
++.TP 5
++\fBPeerCred off\fR
++.TP 5
++\fBPeerCred on\fR
++.TP 5
++\fBPeerCred root-only\fR
++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
++When \fBon\fR, the peer credentials of any user are accepted for authorization.
++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user.
++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests.
+ .\"#RemoteRoot
+ .TP 5
+ \fBRemoteRoot \fIusername\fR
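Review bot: the new PeerCred entry never states the default, while the neighbouring directives do (the RemoteRoot context lines end with 'The default is "remroot".'). Since the config headers in this patch define CUPS_DEFAULT_PEER_CRED as "on", add a closing line such as `The default is "on".` after the Note, and make the same addition to the generated entry in doc/help/man-cups-files.conf.html. It is also worth saying that the value is matched case-insensitively, since read_cups_files_conf compares it with _cups_strcasecmp.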
+@@ -289,4 +300,4 @@ command is used instead.
+ .BR subscriptions.conf (5),
+ CUPS Online Help (http://localhost:631/help)
+ .SH COPYRIGHT
+-Copyright \[co] 2020-2024 by OpenPrinting.
++Copyright \[co] 2020-2025 by OpenPrinting.
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 3c9aa72aa..bd0d28a0e 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -398,7 +398,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #endif /* HAVE_AUTHORIZATION_H */
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- else if (!strncmp(authorization, "PeerCred ", 9) &&
++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
+ con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
+ {
+ /*
+@@ -441,6 +441,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ }
+ #endif /* HAVE_AUTHORIZATION_H */
+
++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root"))
++ {
++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9);
++ return;
++ }
++
+ if ((pwd = getpwnam(authorization + 9)) == NULL)
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
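Review bot: the new cupsdLogClient message does not say which rule rejected the request, so an operator cannot tell a `PeerCred root-only` policy hit from the built-in PUT restriction without reading the code. Suggest a reason in the text, e.g. `"User \"%s\" is not allowed to use peer credentials (PeerCred root-only)."` versus `"... (PUT requests require root)."`. The denial is also logged at CUPSD_LOG_INFO while the nonexistent-user case two lines below logs at CUPSD_LOG_ERROR; an authorization refusal should be at least as visible as a failed lookup.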
+diff --git a/scheduler/auth.h b/scheduler/auth.h
+index ee98e92c7..fdf71213f 100644
+--- a/scheduler/auth.h
++++ b/scheduler/auth.h
+@@ -50,6 +50,10 @@
+ #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */
+ #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */
+
++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */
++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */
++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */
++
+ #define IPP_ANY_OPERATION (ipp_op_t)0
+ /* Any IPP operation */
+ #define IPP_BAD_OPERATION (ipp_op_t)-1
+@@ -105,6 +109,9 @@ typedef struct
+
+ VAR cups_array_t *Locations VALUE(NULL);
+ /* Authorization locations */
++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON);
++ /* Allow PeerCred authorization? */
++
+ #ifdef HAVE_TLS
+ VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
+ /* Default encryption for authentication */
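Review bot: the VALUE(CUPSD_PEERCRED_ON) initialiser for PeerCred is unconditionally overwritten in cupsdReadConfiguration from CUPS_DEFAULT_PEER_CRED (see the conf.c hunk in this patch), so there are now two places that claim to hold the default and they can drift. Either derive this initialiser from CUPS_DEFAULT_PEER_CRED or add a comment here stating that conf.c is authoritative.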
+diff --git a/scheduler/client.c b/scheduler/client.c
+index d495d9a75..81db4aa52 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -2204,7 +2204,7 @@ cupsdSendHeader(
+ auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str);
+
+ #if defined(SO_PEERCRED) && defined(AF_LOCAL)
+- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
++ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+ strlcpy(auth_key, ", PeerCred", auth_size);
+ auth_key += 10;
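Review bot: with `PeerCred root-only` this condition still advertises `PeerCred` in the WWW-Authenticate header to every AF_LOCAL client, so non-root local clients will attempt it and be refused in cupsdAuthorize. That is harmless but noisy in the logs; if the peer uid can be obtained at this point, the scheme could be omitted for non-root peers, otherwise a comment noting that the over-advertisement is intentional would help.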
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 3184d72f0..6accf0590 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -47,6 +47,7 @@ typedef enum
+ {
+ CUPSD_VARTYPE_INTEGER, /* Integer option */
+ CUPSD_VARTYPE_TIME, /* Time interval option */
++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */
+ CUPSD_VARTYPE_STRING, /* String option */
+ CUPSD_VARTYPE_BOOLEAN, /* Boolean option */
+ CUPSD_VARTYPE_PATHNAME, /* File/directory name option */
+@@ -69,7 +70,7 @@ static const cupsd_var_t cupsd_vars[] =
+ {
+ { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN },
+ #ifdef HAVE_DNSSD
+- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING },
++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING },
+ #endif /* HAVE_DNSSD */
+ { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN },
+ { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN },
+@@ -120,7 +121,7 @@ static const cupsd_var_t cupsd_vars[] =
+ { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER },
+ { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER },
+ { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME },
+- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING },
++ { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_NULLSTRING },
+ { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME },
+ { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME },
+ { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME },
+@@ -791,6 +792,13 @@ cupsdReadConfiguration(void)
+ IdleExitTimeout = 60;
+ #endif /* HAVE_ONDEMAND */
+
++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off"))
++ PeerCred = CUPSD_PEERCRED_OFF;
++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only"))
++ PeerCred = CUPSD_PEERCRED_ROOTONLY;
++ else
++ PeerCred = CUPSD_PEERCRED_ON;
++
+ /*
+ * Setup environment variables...
+ */
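Review bot: the compile-time default falls through to CUPSD_PEERCRED_ON for any value other than exactly "off" or "root-only", and the match is case-sensitive (strcmp) while read_cups_files_conf later accepts the same keywords case-insensitively via _cups_strcasecmp. A misspelt or differently cased configure value therefore silently selects the most permissive mode. Suggest using the same comparison as the runtime parser and treating an unrecognised CUPS_DEFAULT_PEER_CRED as an error (at build time, or at least a cupsdLogMessage here).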
+@@ -1831,7 +1839,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */
+
+ family = AF_INET6;
+
+- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++)
++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++)
+ {
+ if (*ptr == ']')
+ break;
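Review bot: the added `i >= 0 &&` in the for condition is not self-explanatory: `i` starts at 0 and is only incremented in the loop header, so a reader has to search the loop body to find which assignment can drive it below zero. Add a one-line comment at this line naming that path and why the loop must stop there, matching the `i < 0` rejections added to the prefix-length checks further down.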
+@@ -1977,7 +1985,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */
+ #ifdef AF_INET6
+ if (family == AF_INET6)
+ {
+- if (i > 128)
++ if (i < 0 || i > 128)
+ return (0);
+
+ i = 128 - i;
+@@ -2011,7 +2019,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */
+ else
+ #endif /* AF_INET6 */
+ {
+- if (i > 32)
++ if (i < 0 || i > 32)
+ return (0);
+
+ mask[0] = 0xffffffff;
+@@ -2921,7 +2929,17 @@ parse_variable(
+ cupsdSetString((char **)var->ptr, temp);
+ break;
+
++ case CUPSD_VARTYPE_NULLSTRING :
++ cupsdSetString((char **)var->ptr, value);
++ break;
++
+ case CUPSD_VARTYPE_STRING :
++ if (!value)
++ {
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename);
++ return (0);
++ }
++
+ cupsdSetString((char **)var->ptr, value);
+ break;
+ }
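Review bot: CUPSD_VARTYPE_STRING now returns 0 when `value` is NULL, which changes parse_variable's contract; every caller must check the return, not only the read_cupsd_conf call updated in this patch. The new CUPSD_VARTYPE_NULLSTRING case also passes a possibly NULL `value` to cupsdSetString, so that function must accept NULL; a comment on the case saying so would prevent a later "fix". Finally the two cases end in the same cupsdSetString call, so the STRING case could fall through to NULLSTRING after its check instead of duplicating it.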
+@@ -3436,9 +3454,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
+ line, value ? " " : "", value ? value : "", linenum,
+ ConfigurationFile, CupsFilesFile);
+ }
+- else
+- parse_variable(ConfigurationFile, linenum, line, value,
+- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
++ else if (!parse_variable(ConfigurationFile, linenum, line, value,
++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) &&
++ (FatalErrors & CUPSD_FATAL_CONFIG))
++ return (0);
+ }
+
+ return (1);
+@@ -3597,6 +3616,31 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
+ break;
+ }
+ }
++ else if (!_cups_strcasecmp(line, "PeerCred") && value)
++ {
++ /*
++ * PeerCred {off,on,root-only}
++ */
++
++ if (!_cups_strcasecmp(value, "off"))
++ {
++ PeerCred = CUPSD_PEERCRED_OFF;
++ }
++ else if (!_cups_strcasecmp(value, "on"))
++ {
++ PeerCred = CUPSD_PEERCRED_ON;
++ }
++ else if (!_cups_strcasecmp(value, "root-only"))
++ {
++ PeerCred = CUPSD_PEERCRED_ROOTONLY;
++ }
++ else
++ {
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
++ if (FatalErrors & CUPSD_FATAL_CONFIG)
++ return (0);
++ }
++ }
+ else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
+ {
+ /*
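Review bot: an unrecognised PeerCred value is logged and, unless FatalErrors includes CUPSD_FATAL_CONFIG, leaves PeerCred at its previous value, i.e. the compile-time default, which is "on" in the shipped config headers. A typo such as `PeerCred root_only` thus silently yields the most permissive setting; consider assigning CUPSD_PEERCRED_ROOTONLY (or OFF) in the else branch, or at least naming the effective value in the error message. Note too that the `&& value` guard means a bare `PeerCred` line with no value is not handled by this branch at all.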
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
+index 39b53c3e4..2089f7944 100755
+--- a/test/run-stp-tests.sh
++++ b/test/run-stp-tests.sh
+@@ -512,7 +512,7 @@ fi
+
+ cat >$BASE/cups-files.conf <<EOF
+ FileDevice yes
+-Printcap
++Printcap $BASE/printcap
+ User $user
+ ServerRoot $BASE
+ StateDir $BASE
+diff --git a/vcnet/config.h b/vcnet/config.h
+index 7fc459217..76f5adbb7 100644
+--- a/vcnet/config.h
++++ b/vcnet/config.h
+@@ -169,6 +169,13 @@ typedef unsigned long useconds_t;
+ #define CUPS_DEFAULT_ERROR_POLICY "stop-printer"
+
+
++/*
++ * Default PeerCred value...
++ */
++
++#define CUPS_DEFAULT_PEER_CRED "on"
++
++
+ /*
+ * Default MaxCopies value...
+ */
+diff --git a/xcode/CUPS.xcodeproj/project.pbxproj b/xcode/CUPS.xcodeproj/project.pbxproj
+index 597946440..54ac652a1 100644
+--- a/xcode/CUPS.xcodeproj/project.pbxproj
++++ b/xcode/CUPS.xcodeproj/project.pbxproj
+@@ -3433,7 +3433,6 @@
+ 72220FB313330BCE00FCA411 /* mime.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = mime.c; path = ../scheduler/mime.c; sourceTree = "<group>"; };
+ 72220FB413330BCE00FCA411 /* mime.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mime.h; path = ../scheduler/mime.h; sourceTree = "<group>"; };
+ 72220FB513330BCE00FCA411 /* type.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = type.c; path = ../scheduler/type.c; sourceTree = "<group>"; };
+- 7226369B18AE6D19004ED309 /* org.cups.cups-lpd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = "org.cups.cups-lpd.plist"; path = "../scheduler/org.cups.cups-lpd.plist"; sourceTree = SOURCE_ROOT; };
+ 7226369C18AE6D19004ED309 /* org.cups.cupsd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = org.cups.cupsd.plist; path = ../scheduler/org.cups.cupsd.plist; sourceTree = SOURCE_ROOT; };
+ 7226369D18AE73BB004ED309 /* config.h.in */ = {isa = PBXFileReference; lastKnownFileType = text; name = config.h.in; path = ../config.h.in; sourceTree = "<group>"; };
+ 722A24EE2178D00C000CAB20 /* debug-internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "debug-internal.h"; path = "../cups/debug-internal.h"; sourceTree = "<group>"; };
+@@ -5055,7 +5054,6 @@
+ isa = PBXGroup;
+ children = (
+ 72E65BDC18DC852700097E89 /* Makefile */,
+- 7226369B18AE6D19004ED309 /* org.cups.cups-lpd.plist */,
+ 72E65BD518DC818400097E89 /* org.cups.cups-lpd.plist.in */,
+ 7226369C18AE6D19004ED309 /* org.cups.cupsd.plist */,
+ 72220F6913330B0C00FCA411 /* auth.c */,
+diff --git a/xcode/config.h b/xcode/config.h
+index e4a63f69d..366da777e 100644
+--- a/xcode/config.h
++++ b/xcode/config.h
+@@ -88,6 +88,13 @@
+ #define CUPS_DEFAULT_ERROR_POLICY "stop-printer"
+
+
++/*
++ * Default PeerCred value...
++ */
++
++#define CUPS_DEFAULT_PEER_CRED "on"
++
++
+ /*
+ * Default MaxCopies value...
+ */
+--
+2.44.1
* [OE-core][scarthgap 03/18] rsync: fix CVE-2025-10158
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Fix an out-of-bounds read triggered by a malicious rsync client
acting as a receiver. The issue can be exploited with read access
to an rsync module.
CVE: CVE-2025-10158
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../rsync/files/CVE-2025-10158.patch | 36 +++++++++++++++++++
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
diff --git a/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
new file mode 100644
index 0000000000..a19cc15107
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
@@ -0,0 +1,36 @@
+From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+
+CVE: CVE-2025-10158
+Upstream-Status: Backport
+[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f]
+Signed-off-by: Adarsh Jagadish Kamini<adarsh.jagadish.kamini@est.tech>
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index 2bbff2fa..5528071e 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+
+ if (ndx - cur_flist->ndx_start >= 0)
+ file = cur_flist->files[ndx - cur_flist->ndx_start];
++ else if (cur_flist->parent_ndx < 0)
++ exit_cleanup(RERR_PROTOCOL);
+ else
+ file = dir_flist->files[cur_flist->parent_ndx];
+ if (F_PATHNAME(file)) {
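Review bot: the new else-if rejects a negative parent_ndx before it is used to index dir_flist->files, which is the invalid access the commit message describes. A short comment on that line stating that parent_ndx comes from the peer and is untrusted would help, and if dir_flist->files is not bounded elsewhere by its length, an upper-bound check belongs next to this one, since the hunk only adds the lower bound.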
+--
+2.44.1
+
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index d0796d3c12..14beafb681 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://CVE-2024-12087-0003.patch \
file://CVE-2024-12088.patch \
file://CVE-2024-12747.patch \
+ file://CVE-2025-10158.patch \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
* [OE-core][scarthgap 04/18] qemu: fix CVE-2025-12464
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2025-12464 for qemu.
Reference: https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2025-12464.patch | 70 +++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 60d372fce0..dde3b0be13 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://CVE-2024-8354.patch \
+ file://CVE-2025-12464.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
new file mode 100644
index 0000000000..6099fc79cd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
@@ -0,0 +1,70 @@
+From a01344d9d78089e9e585faaeb19afccff2050abf Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Tue, 28 Oct 2025 16:00:42 +0000
+Subject: [PATCH] net: pad packets to minimum length in qemu_receive_packet()
+
+In commits like 969e50b61a28 ("net: Pad short frames to minimum size
+before sending from SLiRP/TAP") we switched away from requiring
+network devices to handle short frames to instead having the net core
+code do the padding of short frames out to the ETH_ZLEN minimum size.
+We then dropped the code for handling short frames from the network
+devices in a series of commits like 140eae9c8f7 ("hw/net: e1000:
+Remove the logic of padding short frames in the receive path").
+
+This missed one route where the device's receive code can still see a
+short frame: if the device is in loopback mode and it transmits a
+short frame via the qemu_receive_packet() function, this will be fed
+back into its own receive code without being padded.
+
+Add the padding logic to qemu_receive_packet().
+
+This fixes a buffer overrun which can be triggered in the
+e1000_receive_iov() logic via the loopback code path.
+
+Other devices that use qemu_receive_packet() to implement loopback
+are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139
+and sungem.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043
+Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2025-12464
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ net/net.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/net.c b/net/net.c
+index 27e0d27807..8aefdb3424 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -775,10 +775,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+
+ ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+ {
++ uint8_t min_pkt[ETH_ZLEN];
++ size_t min_pktsz = sizeof(min_pkt);
++
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
++ if (net_peer_needs_padding(nc)) {
++ if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) {
++ buf = min_pkt;
++ size = min_pktsz;
++ }
++ }
++
+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+ }
+
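Review bot: the padding block repeats the short-frame handling that the commit message says already exists on the send path (969e50b61a28); add a comment here pointing at that path, or factor the `net_peer_needs_padding` / `eth_pad_short_frame` pair into one helper used by both qemu_send_packet and qemu_receive_packet so the two paths cannot drift apart again. The ETH_ZLEN stack buffer with the in/out `min_pktsz` follows the existing pattern, so no correctness concern.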
+--
+2.47.1
+
* [OE-core][scarthgap 05/18] python3-urllib3: fix CVE-2025-66418 CVE-2025-66471
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Jiaying Song <jiaying.song.cn@windriver.com>
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-66418
https://nvd.nist.gov/vuln/detail/CVE-2025-66471
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python3-urllib3/CVE-2025-66418.patch | 80 +++
.../python3-urllib3/CVE-2025-66471.patch | 585 ++++++++++++++++++
.../python/python3-urllib3_2.2.2.bb | 2 +
3 files changed, 667 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
new file mode 100644
index 0000000000..5d39b36afc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
@@ -0,0 +1,80 @@
+From 3bf7db860ef730e828b68264e88210190120cacf Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Add a hard-coded limit for the decompression chain
+
+* Reuse new list
+
+CVE: CVE-2025-66418
+
+Upstream-Status: Backport
+[https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8]
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
+ src/urllib3/response.py | 12 +++++++++++-
+ test/test_response.py | 10 ++++++++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
+
+diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+new file mode 100644
+index 00000000..6646eaa3
+--- /dev/null
++++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+@@ -0,0 +1,4 @@
++Fixed a security issue where an attacker could compose an HTTP response with
++virtually unlimited links in the ``Content-Encoding`` header, potentially
++leading to a denial of service (DoS) attack by exhausting system resources
++during decoding. The number of allowed chained encodings is now limited to 5.
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index a0273d65..b8e8565c 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -194,8 +194,18 @@ class MultiDecoder(ContentDecoder):
+ they were applied.
+ """
+
++ # Maximum allowed number of chained HTTP encodings in the
++ # Content-Encoding header.
++ max_decode_links = 5
++
+ def __init__(self, modes: str) -> None:
+- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++ encodings = [m.strip() for m in modes.split(",")]
++ if len(encodings) > self.max_decode_links:
++ raise DecodeError(
++ "Too many content encodings in the chain: "
++ f"{len(encodings)} > {self.max_decode_links}"
++ )
++ self._decoders = [_get_decoder(e) for e in encodings]
+
+ def flush(self) -> bytes:
+ return self._decoders[0].flush()
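Review bot: `max_decode_links` is a public class attribute with no docstring; state in the comment that it is the tuning knob for the chain limit and may be overridden on a subclass. Note also that the DecodeError text embeds both numbers and is matched verbatim by the test added in this patch, so anyone changing the limit or the wording has to update `test_read_multi_decoding_too_many_links` as well.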
+diff --git a/test/test_response.py b/test/test_response.py
+index c0062771..0e8abd93 100644
+--- a/test/test_response.py
++++ b/test/test_response.py
+@@ -581,6 +581,16 @@ class TestResponse:
+ assert r.read(9 * 37) == b"foobarbaz" * 37
+ assert r.read() == b""
+
++ def test_read_multi_decoding_too_many_links(self) -> None:
++ fp = BytesIO(b"foo")
++ with pytest.raises(
++ DecodeError, match="Too many content encodings in the chain: 6 > 5"
++ ):
++ HTTPResponse(
++ fp,
++ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
++ )
++
+ def test_body_blob(self) -> None:
+ resp = HTTPResponse(b"foo")
+ assert resp.data == b"foo"
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
new file mode 100644
index 0000000000..5329e26272
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
@@ -0,0 +1,585 @@
+From f25c0d11e1b640e3c7e0addb66a1ff50730be508 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Fri, 5 Dec 2025 16:40:41 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Prevent decompression bomb for zstd in Python 3.14
+
+* Add experimental `decompress_iter` for Brotli
+
+* Update changes for Brotli
+
+* Add `GzipDecoder.decompress_iter`
+
+* Test https://github.com/python-hyper/brotlicffi/pull/207
+
+* Pin Brotli
+
+* Add `decompress_iter` to all decoders and make tests pass
+
+* Pin brotlicffi to an official release
+
+* Revert changes to response.py
+
+* Add `max_length` parameter to all `decompress` methods
+
+* Fix the `test_brotlipy` session
+
+* Unset `_data` on gzip error
+
+* Add a test for memory usage
+
+* Test more methods
+
+* Fix the test for `stream`
+
+* Cover more lines with tests
+
+* Add more coverage
+
+* Make `read1` a bit more efficient
+
+* Fix PyPy tests for Brotli
+
+* Revert an unnecessarily moved check
+
+* Add some comments
+
+* Leave just one `self._obj.decompress` call in `GzipDecoder`
+
+* Refactor test params
+
+* Test reads with all data already in the decompressor
+
+* Prevent needless copying of data decoded with `max_length`
+
+* Rename the changed test
+
+* Note that responses of unknown length should be streamed too
+
+* Add a changelog entry
+
+* Avoid returning a memory view from `BytesQueueBuffer`
+
+* Add one more note to the changelog entry
+
+CVE: CVE-2025-66471
+
+Upstream-Status: Backport
+[https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7]
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ docs/advanced-usage.rst | 3 +-
+ docs/user-guide.rst | 4 +-
+ pyproject.toml | 5 +-
+ src/urllib3/response.py | 278 ++++++++++++++++++++++++++++++++++------
+ 4 files changed, 246 insertions(+), 44 deletions(-)
+
+diff --git a/docs/advanced-usage.rst b/docs/advanced-usage.rst
+index 36a51e67..a12c7143 100644
+--- a/docs/advanced-usage.rst
++++ b/docs/advanced-usage.rst
+@@ -66,7 +66,8 @@ When using ``preload_content=True`` (the default setting) the
+ response body will be read immediately into memory and the HTTP connection
+ will be released back into the pool without manual intervention.
+
+-However, when dealing with large responses it's often better to stream the response
++However, when dealing with responses of large or unknown length,
++it's often better to stream the response
+ content using ``preload_content=False``. Setting ``preload_content`` to ``False`` means
+ that urllib3 will only read from the socket when data is requested.
+
+diff --git a/docs/user-guide.rst b/docs/user-guide.rst
+index 5c78c8af..1d9d0bbd 100644
+--- a/docs/user-guide.rst
++++ b/docs/user-guide.rst
+@@ -145,8 +145,8 @@ to a byte string representing the response content:
+ print(resp.data)
+ # b"\xaa\xa5H?\x95\xe9\x9b\x11"
+
+-.. note:: For larger responses, it's sometimes better to :ref:`stream <stream>`
+- the response.
++.. note:: For responses of large or unknown length, it's sometimes better to
++ :ref:`stream <stream>` the response.
+
+ Using io Wrappers with Response Content
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+diff --git a/pyproject.toml b/pyproject.toml
+index 1fe82937..58a2c2db 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -40,8 +40,8 @@ dynamic = ["version"]
+
+ [project.optional-dependencies]
+ brotli = [
+- "brotli>=1.0.9; platform_python_implementation == 'CPython'",
+- "brotlicffi>=0.8.0; platform_python_implementation != 'CPython'"
++ "brotli>=1.2.0; platform_python_implementation == 'CPython'",
++ "brotlicffi>=1.2.0.0; platform_python_implementation != 'CPython'"
+ ]
+ zstd = [
+ "zstandard>=0.18.0",
+@@ -95,6 +95,7 @@ filterwarnings = [
+ '''default:ssl\.PROTOCOL_TLSv1_1 is deprecated:DeprecationWarning''',
+ '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''',
+ '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''',
++ '''default:Brotli >= 1.2.0 is required to prevent decompression bombs\.:urllib3.exceptions.DependencyWarning''',
+ '''default:Async generator 'quart\.wrappers\.response\.DataBody\.__aiter__\.<locals>\._aiter' was garbage collected.*:ResourceWarning''', # https://github.com/pallets/quart/issues/301
+ '''default:unclosed file <_io\.BufferedWriter name='/dev/null'>:ResourceWarning''', # https://github.com/SeleniumHQ/selenium/issues/13328
+ ]
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index b8e8565c..4304133e 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -49,6 +49,7 @@ from .connection import BaseSSLError, HTTPConnection, HTTPException
+ from .exceptions import (
+ BodyNotHttplibCompatible,
+ DecodeError,
++ DependencyWarning,
+ HTTPError,
+ IncompleteRead,
+ InvalidChunkLength,
+@@ -68,7 +69,11 @@ log = logging.getLogger(__name__)
+
+
+ class ContentDecoder:
+- def decompress(self, data: bytes) -> bytes:
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
++ raise NotImplementedError()
++
++ @property
++ def has_unconsumed_tail(self) -> bool:
+ raise NotImplementedError()
+
+ def flush(self) -> bytes:
+@@ -78,30 +83,57 @@ class ContentDecoder:
+ class DeflateDecoder(ContentDecoder):
+ def __init__(self) -> None:
+ self._first_try = True
+- self._data = b""
++ self._first_try_data = b""
++ self._unfed_data = b""
+ self._obj = zlib.decompressobj()
+
+- def decompress(self, data: bytes) -> bytes:
+- if not data:
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
++ data = self._unfed_data + data
++ self._unfed_data = b""
++ if not data and not self._obj.unconsumed_tail:
+ return data
++ original_max_length = max_length
++ if original_max_length < 0:
++ max_length = 0
++ elif original_max_length == 0:
++ # We should not pass 0 to the zlib decompressor because 0 is
++ # the default value that will make zlib decompress without a
++ # length limit.
++ # Data should be stored for subsequent calls.
++ self._unfed_data = data
++ return b""
+
++ # Subsequent calls always reuse `self._obj`. zlib requires
++ # passing the unconsumed tail if decompression is to continue.
+ if not self._first_try:
+- return self._obj.decompress(data)
++ return self._obj.decompress(
++ self._obj.unconsumed_tail + data, max_length=max_length
++ )
+
+- self._data += data
++ # First call tries with RFC 1950 ZLIB format.
++ self._first_try_data += data
+ try:
+- decompressed = self._obj.decompress(data)
++ decompressed = self._obj.decompress(data, max_length=max_length)
+ if decompressed:
+ self._first_try = False
+- self._data = None # type: ignore[assignment]
++ self._first_try_data = b""
+ return decompressed
++ # On failure, it falls back to RFC 1951 DEFLATE format.
+ except zlib.error:
+ self._first_try = False
+ self._obj = zlib.decompressobj(-zlib.MAX_WBITS)
+ try:
+- return self.decompress(self._data)
++ return self.decompress(
++ self._first_try_data, max_length=original_max_length
++ )
+ finally:
+- self._data = None # type: ignore[assignment]
++ self._first_try_data = b""
++
++ @property
++ def has_unconsumed_tail(self) -> bool:
++ return bool(self._unfed_data) or (
++ bool(self._obj.unconsumed_tail) and not self._first_try
++ )
+
+ def flush(self) -> bytes:
+ return self._obj.flush()
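Review bot: the sentinel handling around `original_max_length` (-1 mapped to zlib's 0 meaning unlimited, 0 meaning "buffer the input and return nothing") is easy to misread, and the same explanatory comment block recurs in GzipDecoder; a module-level constant for "unlimited" plus a small shared helper that translates `max_length` for zlib would keep the two decoders from diverging. Also `has_unconsumed_tail` reports False while `_first_try` is still True even if `_obj.unconsumed_tail` is non-empty; a comment explaining why that is safe (the accumulated `_first_try_data` is replayed in full on the RFC 1951 fallback) would help the next reader.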
+@@ -117,27 +149,61 @@ class GzipDecoder(ContentDecoder):
+ def __init__(self) -> None:
+ self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
+ self._state = GzipDecoderState.FIRST_MEMBER
++ self._unconsumed_tail = b""
+
+- def decompress(self, data: bytes) -> bytes:
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
+ ret = bytearray()
+- if self._state == GzipDecoderState.SWALLOW_DATA or not data:
++ if self._state == GzipDecoderState.SWALLOW_DATA:
+ return bytes(ret)
++
++ if max_length == 0:
++ # We should not pass 0 to the zlib decompressor because 0 is
++ # the default value that will make zlib decompress without a
++ # length limit.
++ # Data should be stored for subsequent calls.
++ self._unconsumed_tail += data
++ return b""
++
++ # zlib requires passing the unconsumed tail to the subsequent
++ # call if decompression is to continue.
++ data = self._unconsumed_tail + data
++ if not data and self._obj.eof:
++ return bytes(ret)
++
+ while True:
+ try:
+- ret += self._obj.decompress(data)
++ ret += self._obj.decompress(
++ data, max_length=max(max_length - len(ret), 0)
++ )
+ except zlib.error:
+ previous_state = self._state
+ # Ignore data after the first error
+ self._state = GzipDecoderState.SWALLOW_DATA
++ self._unconsumed_tail = b""
+ if previous_state == GzipDecoderState.OTHER_MEMBERS:
+ # Allow trailing garbage acceptable in other gzip clients
+ return bytes(ret)
+ raise
+- data = self._obj.unused_data
++
++ self._unconsumed_tail = data = (
++ self._obj.unconsumed_tail or self._obj.unused_data
++ )
++ if max_length > 0 and len(ret) >= max_length:
++ break
++
+ if not data:
+ return bytes(ret)
+- self._state = GzipDecoderState.OTHER_MEMBERS
+- self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
++ # When the end of a gzip member is reached, a new decompressor
++ # must be created for unused (possibly future) data.
++ if self._obj.eof:
++ self._state = GzipDecoderState.OTHER_MEMBERS
++ self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
++
++ return bytes(ret)
++
++ @property
++ def has_unconsumed_tail(self) -> bool:
++ return bool(self._unconsumed_tail)
+
+ def flush(self) -> bytes:
+ return self._obj.flush()
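Review bot: the comment at the `max_length == 0` early return explains why 0 must not reach zlib, but the loop's `max(max_length - len(ret), 0)` deliberately produces 0 (unlimited) whenever `max_length` is negative, and nothing says that -1 is the only negative value expected. Callers build the limit as `amt - len(self._decoded_buffer)`, so any other negative value silently means "no limit" here; suggest stating the -1 convention in a comment or normalising `max_length < 0` to -1 at the top of `decompress`.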
+@@ -152,9 +218,35 @@ if brotli is not None:
+ def __init__(self) -> None:
+ self._obj = brotli.Decompressor()
+ if hasattr(self._obj, "decompress"):
+- setattr(self, "decompress", self._obj.decompress)
++ setattr(self, "_decompress", self._obj.decompress)
+ else:
+- setattr(self, "decompress", self._obj.process)
++ setattr(self, "_decompress", self._obj.process)
++
++ # Requires Brotli >= 1.2.0 for `output_buffer_limit`.
++ def _decompress(self, data: bytes, output_buffer_limit: int = -1) -> bytes:
++ raise NotImplementedError()
++
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
++ try:
++ if max_length > 0:
++ return self._decompress(data, output_buffer_limit=max_length)
++ else:
++ return self._decompress(data)
++ except TypeError:
++ # Fallback for Brotli/brotlicffi/brotlipy versions without
++ # the `output_buffer_limit` parameter.
++ warnings.warn(
++ "Brotli >= 1.2.0 is required to prevent decompression bombs.",
++ DependencyWarning,
++ )
++ return self._decompress(data)
++
++ @property
++ def has_unconsumed_tail(self) -> bool:
++ try:
++ return not self._obj.can_accept_more_data()
++ except AttributeError:
++ return False
+
+ def flush(self) -> bytes:
+ if hasattr(self._obj, "flush"):
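Review bot: the `except TypeError` fallback in `decompress` is broader than the missing-keyword case it targets: a TypeError raised inside the decompressor for any other reason also triggers the DependencyWarning and a second, unlimited `self._decompress(data)` call. Detecting `output_buffer_limit` support once in `__init__` (by inspecting the signature or the Brotli version) and storing a flag would keep the per-call path to a single decompress call. Separately, `warnings` and `DependencyWarning` are used here but no import appears in this diff; please confirm the imports were added at the top of the module.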
+@@ -168,16 +260,46 @@ if HAS_ZSTD:
+ def __init__(self) -> None:
+ self._obj = zstd.ZstdDecompressor().decompressobj()
+
+- def decompress(self, data: bytes) -> bytes:
+- if not data:
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
++ if not data and not self.has_unconsumed_tail:
+ return b""
+- data_parts = [self._obj.decompress(data)]
+- while self._obj.eof and self._obj.unused_data:
++ if self._obj.eof:
++ data = self._obj.unused_data + data
++ self._obj = zstd.ZstdDecompressor()
++ part = self._obj.decompress(data, max_length=max_length)
++ length = len(part)
++ data_parts = [part]
++ # Every loop iteration is supposed to read data from a separate frame.
++ # The loop breaks when:
++ # - enough data is read;
++ # - no more unused data is available;
++ # - end of the last read frame has not been reached (i.e.,
++ # more data has to be fed).
++ while (
++ self._obj.eof
++ and self._obj.unused_data
++ and (max_length < 0 or length < max_length)
++ ):
+ unused_data = self._obj.unused_data
+- self._obj = zstd.ZstdDecompressor().decompressobj()
+- data_parts.append(self._obj.decompress(unused_data))
++ if not self._obj.needs_input:
++ self._obj = zstd.ZstdDecompressor()
++ part = self._obj.decompress(
++ unused_data,
++ max_length=(max_length - length) if max_length > 0 else -1,
++ )
++ if part_length := len(part):
++ data_parts.append(part)
++ length += part_length
++ elif self._obj.needs_input:
++ break
+ return b"".join(data_parts)
+
++ @property
++ def has_unconsumed_tail(self) -> bool:
++ return not (self._obj.needs_input or self._obj.eof) or bool(
++ self._obj.unused_data
++ )
++
+ def flush(self) -> bytes:
+ ret = self._obj.flush() # note: this is a no-op
+ if not self._obj.eof:
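Review bot: this hunk creates the decompressor as `zstd.ZstdDecompressor()` (both new `self._obj = zstd.ZstdDecompressor()` lines) while the unchanged `__init__` context still uses `zstd.ZstdDecompressor().decompressobj()`, and the new code calls `decompress(..., max_length=...)` and reads `needs_input`. Those are the attributes of the newer `compression.zstd`/`backports.zstd` style object; the `decompressobj()` wrapper that the 2.2.2 constructor builds may not provide `needs_input` or accept `max_length`. Please confirm which `zstd` module this backport imports and make both construction sites use the same API, otherwise the zstd path fails with AttributeError or TypeError as soon as a second frame is reached.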
+@@ -210,10 +332,35 @@ class MultiDecoder(ContentDecoder):
+ def flush(self) -> bytes:
+ return self._decoders[0].flush()
+
+- def decompress(self, data: bytes) -> bytes:
+- for d in reversed(self._decoders):
+- data = d.decompress(data)
+- return data
++ def decompress(self, data: bytes, max_length: int = -1) -> bytes:
++ if max_length <= 0:
++ for d in reversed(self._decoders):
++ data = d.decompress(data)
++ return data
++
++ ret = bytearray()
++ # Every while loop iteration goes through all decoders once.
++ # It exits when enough data is read or no more data can be read.
++ # It is possible that the while loop iteration does not produce
++ # any data because we retrieve up to `max_length` from every
++ # decoder, and the amount of bytes may be insufficient for the
++ # next decoder to produce enough/any output.
++ while True:
++ any_data = False
++ for d in reversed(self._decoders):
++ data = d.decompress(data, max_length=max_length - len(ret))
++ if data:
++ any_data = True
++ # We should not break when no data is returned because
++ # next decoders may produce data even with empty input.
++ ret += data
++ if not any_data or len(ret) >= max_length:
++ return bytes(ret)
++ data = b""
++
++ @property
++ def has_unconsumed_tail(self) -> bool:
++ return any(d.has_unconsumed_tail for d in self._decoders)
+
+
+ def _get_decoder(mode: str) -> ContentDecoder:
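Review bot: `max_length <= 0` is treated as "no limit" here, whereas `GzipDecoder.decompress` treats `max_length == 0` as "buffer the input and return nothing" and `BrotliDecoder` only applies a limit when `max_length > 0`. The decoders in a chain therefore disagree on what 0 means. A short comment on the ContentDecoder base class stating the contract (-1 unlimited, 0 produce nothing, >0 cap) and making each decoder follow it would remove the ambiguity.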
+@@ -246,9 +393,6 @@ class BytesQueueBuffer:
+
+ * self.buffer, which contains the full data
+ * the largest chunk that we will copy in get()
+-
+- The worst case scenario is a single chunk, in which case we'll make a full copy of
+- the data inside get().
+ """
+
+ def __init__(self) -> None:
+@@ -270,6 +414,10 @@ class BytesQueueBuffer:
+ elif n < 0:
+ raise ValueError("n should be > 0")
+
++ if len(self.buffer[0]) == n and isinstance(self.buffer[0], bytes):
++ self._size -= n
++ return self.buffer.popleft()
++
+ fetched = 0
+ ret = io.BytesIO()
+ while fetched < n:
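Review bot: the fast path indexes `self.buffer[0]` without a visible emptiness check; the context above only validates `n`. If the empty-buffer guard lives above this hunk that is fine, but a comment would help. The `isinstance(..., bytes)` test also implies the deque may hold non-bytes chunks (e.g. bytearray), which still take the slower BytesIO copy even when their length is exactly `n`; if `put()` only ever stores bytes, the check can go, and if it does not, the fast path could return `bytes(self.buffer.popleft())` instead.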
+@@ -473,7 +621,11 @@ class BaseHTTPResponse(io.IOBase):
+ self._decoder = _get_decoder(content_encoding)
+
+ def _decode(
+- self, data: bytes, decode_content: bool | None, flush_decoder: bool
++ self,
++ data: bytes,
++ decode_content: bool | None,
++ flush_decoder: bool,
++ max_length: int | None = None,
+ ) -> bytes:
+ """
+ Decode the data passed in and potentially flush the decoder.
+@@ -486,9 +638,12 @@ class BaseHTTPResponse(io.IOBase):
+ )
+ return data
+
++ if max_length is None or flush_decoder:
++ max_length = -1
++
+ try:
+ if self._decoder:
+- data = self._decoder.decompress(data)
++ data = self._decoder.decompress(data, max_length=max_length)
+ self._has_decoded_content = True
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
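Review bot: `if max_length is None or flush_decoder: max_length = -1` removes the cap on the decompress call itself, not only on the trailing flush. Because `read()` sets `flush_decoder = amt is None or (amt != 0 and not data)`, the final call after `_raw_read` returns empty decompresses whatever the decoder still buffers with no bound, so the limit does not apply to the last chunk of the body. If that is intentional (the buffered tail is at most one raw read), a comment saying so would help; otherwise keep `max_length` on the decompress call and only let the flush run unlimited.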
+@@ -953,6 +1108,14 @@ class HTTPResponse(BaseHTTPResponse):
+ elif amt is not None:
+ cache_content = False
+
++ if self._decoder and self._decoder.has_unconsumed_tail:
++ decoded_data = self._decode(
++ b"",
++ decode_content,
++ flush_decoder=False,
++ max_length=amt - len(self._decoded_buffer),
++ )
++ self._decoded_buffer.put(decoded_data)
+ if len(self._decoded_buffer) >= amt:
+ return self._decoded_buffer.get(amt)
+
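Review bot: the new pre-decode block computes `max_length=amt - len(self._decoded_buffer)` before the existing `if len(self._decoded_buffer) >= amt` check, so when the buffer already holds `amt` or more bytes the limit is 0 or negative. Several decoders read a non-positive limit as "no limit" (MultiDecoder's `max_length <= 0` branch, Brotli's `max_length > 0` test), so the buffered tail can be decompressed without a cap in exactly the case where nothing further is needed. The equivalent block in `read1` guards with `len(self._decoded_buffer) < amt`; the same guard belongs here, or the buffer check should move above this block.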
+@@ -960,7 +1123,11 @@ class HTTPResponse(BaseHTTPResponse):
+
+ flush_decoder = amt is None or (amt != 0 and not data)
+
+- if not data and len(self._decoded_buffer) == 0:
++ if (
++ not data
++ and len(self._decoded_buffer) == 0
++ and not (self._decoder and self._decoder.has_unconsumed_tail)
++ ):
+ return data
+
+ if amt is None:
+@@ -977,7 +1144,12 @@ class HTTPResponse(BaseHTTPResponse):
+ )
+ return data
+
+- decoded_data = self._decode(data, decode_content, flush_decoder)
++ decoded_data = self._decode(
++ data,
++ decode_content,
++ flush_decoder,
++ max_length=amt - len(self._decoded_buffer),
++ )
+ self._decoded_buffer.put(decoded_data)
+
+ while len(self._decoded_buffer) < amt and data:
+@@ -985,7 +1157,12 @@ class HTTPResponse(BaseHTTPResponse):
+ # For example, the GZ file header takes 10 bytes, we don't want to read
+ # it one byte at a time
+ data = self._raw_read(amt)
+- decoded_data = self._decode(data, decode_content, flush_decoder)
++ decoded_data = self._decode(
++ data,
++ decode_content,
++ flush_decoder,
++ max_length=amt - len(self._decoded_buffer),
++ )
+ self._decoded_buffer.put(decoded_data)
+ data = self._decoded_buffer.get(amt)
+
+@@ -1020,6 +1197,20 @@ class HTTPResponse(BaseHTTPResponse):
+ "Calling read1(decode_content=False) is not supported after "
+ "read1(decode_content=True) was called."
+ )
++ if (
++ self._decoder
++ and self._decoder.has_unconsumed_tail
++ and (amt is None or len(self._decoded_buffer) < amt)
++ ):
++ decoded_data = self._decode(
++ b"",
++ decode_content,
++ flush_decoder=False,
++ max_length=(
++ amt - len(self._decoded_buffer) if amt is not None else None
++ ),
++ )
++ self._decoded_buffer.put(decoded_data)
+ if len(self._decoded_buffer) > 0:
+ if amt is None:
+ return self._decoded_buffer.get_all()
+@@ -1035,7 +1226,9 @@ class HTTPResponse(BaseHTTPResponse):
+ self._init_decoder()
+ while True:
+ flush_decoder = not data
+- decoded_data = self._decode(data, decode_content, flush_decoder)
++ decoded_data = self._decode(
++ data, decode_content, flush_decoder, max_length=amt
++ )
+ self._decoded_buffer.put(decoded_data)
+ if decoded_data or flush_decoder:
+ break
+@@ -1066,7 +1259,11 @@ class HTTPResponse(BaseHTTPResponse):
+ if self.chunked and self.supports_chunked_reads():
+ yield from self.read_chunked(amt, decode_content=decode_content)
+ else:
+- while not is_fp_closed(self._fp) or len(self._decoded_buffer) > 0:
++ while (
++ not is_fp_closed(self._fp)
++ or len(self._decoded_buffer) > 0
++ or (self._decoder and self._decoder.has_unconsumed_tail)
++ ):
+ data = self.read(amt=amt, decode_content=decode_content)
+
+ if data:
+@@ -1218,7 +1415,10 @@ class HTTPResponse(BaseHTTPResponse):
+ break
+ chunk = self._handle_chunk(amt)
+ decoded = self._decode(
+- chunk, decode_content=decode_content, flush_decoder=False
++ chunk,
++ decode_content=decode_content,
++ flush_decoder=False,
++ max_length=amt,
+ )
+ if decoded:
+ yield decoded
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
index bdb1c7ca8d..620927322a 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
@@ -9,6 +9,8 @@ inherit pypi python_hatchling
SRC_URI += " \
file://CVE-2025-50181.patch \
+ file://CVE-2025-66418.patch \
+ file://CVE-2025-66471.patch \
"
RDEPENDS:${PN} += "\
--
2.43.0
* [OE-core][scarthgap 06/18] cmake-native: fix CVE-2025-9301
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Daniel Turull <daniel.turull@ericsson.com>
Add fix for native recipe, since previous commit for cmake missed it.
5d8a6fb52c cmake: fix CVE-2025-9301
CC: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
CC: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/cmake/cmake-native_3.28.3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb b/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb
index 376da3254b..7b250752d8 100644
--- a/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb
+++ b/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://OEToolchainConfig.cmake \
file://environment.d-cmake.sh \
file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \
file://0001-CMakeLists.txt-disable-USE_NGHTTP2.patch \
+ file://CVE-2025-9301.patch \
"
LICENSE:append = " & BSD-1-Clause & MIT & BSD-2-Clause & curl"
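Review bot: the diffstat shows only the recipe changing (1 file, 1 insertion), so `file://CVE-2025-9301.patch` must already be reachable from this recipe's file search path, presumably the directory shared with the target cmake recipe. Please confirm the file resolves from cmake-native, since a `file://` entry that is not found fails at do_fetch rather than at review time.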
--
2.43.0
* [OE-core][scarthgap 07/18] binutils: Fix CVE-2025-11494
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
.eh_frame section is non-empty.
Backport a patch from upstream to fix CVE-2025-11494
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/0028-CVE-2025-11494.patch | 43 +++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 60b0d03ccd..69c5eddefb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -66,5 +66,6 @@ SRC_URI = "\
file://CVE-2025-11414.patch \
file://CVE-2025-11412.patch \
file://CVE-2025-11413.patch \
+ file://0028-CVE-2025-11494.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch
new file mode 100644
index 0000000000..dc4b413658
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch
@@ -0,0 +1,43 @@
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:13:56 +0800
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
+CVE: CVE-2025-11494
+
+Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
+_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
+.eh_frame section is non-empty.
+
+ PR ld/33499
+ * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
+ _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
+ output .eh_frame section is non-empty.
+
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index c054f7cd..ddc15945 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -2447,6 +2447,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+
+ if (htab->elf.sgotplt)
+ {
++ asection *eh_frame;
++
+ /* Don't allocate .got.plt section if there are no GOT nor PLT
+ entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */
+ if ((htab->elf.hgot == NULL
+@@ -2459,7 +2461,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ && (htab->elf.iplt == NULL
+ || htab->elf.iplt->size == 0)
+ && (htab->elf.igotplt == NULL
+- || htab->elf.igotplt->size == 0))
++ || htab->elf.igotplt->size == 0)
++ && (!htab->elf.dynamic_sections_created
++ || (eh_frame = bfd_get_section_by_name (output_bfd,
++ ".eh_frame")) == NULL
++ || eh_frame->rawsize == 0))
+ {
+ htab->elf.sgotplt->size = 0;
+ /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
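Review bot: the backported patch header carries the upstream author and date but no `From <sha>` line or `Subject:`, unlike the other binutils backports in this series; the commit id survives only inside the Upstream-Status URL. Adding the subject line (the first sentence of the description) keeps the file consistent with the `0029-`/`0030-` patches and makes it easier to match against upstream at the next rebase. The code change itself looks self-contained: `eh_frame` is declared at the top of the block and only dereferenced after the NULL comparison in the same condition.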
--
2.43.0
* [OE-core][scarthgap 08/18] binutils: fix CVE-2025-11839
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE-2025-11839
PR 33448
[BUG] Aborted in tg_tag_type at prdbg.c:2452
Remove call to abort in the DGB debug format printing code, thus allowing
the display of a fuzzed input file to complete without triggering an abort.
https://sourceware.org/bugzilla/show_bug.cgi?id=33448
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/0029-CVE-2025-11839.patch | 32 +++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 69c5eddefb..e045ccf00d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -67,5 +67,6 @@ SRC_URI = "\
file://CVE-2025-11412.patch \
file://CVE-2025-11413.patch \
file://0028-CVE-2025-11494.patch \
+ file://0029-CVE-2025-11839.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch
new file mode 100644
index 0000000000..7f2f6d553d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch
@@ -0,0 +1,32 @@
+From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 3 Nov 2025 11:49:02 +0000
+Subject: [PATCH] Remove call to abort in the DGB debug format printing code,
+ thus allowing the display of a fuzzed input file to complete without
+ triggering an abort.
+
+PR 33448
+---
+ binutils/prdbg.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]
+CVE: CVE-2025-11839
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c239aeb1a79..5d405c48e3d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id,
+ t = "union class ";
+ break;
+ default:
+- abort ();
+ return false;
+ }
+
+--
+2.43.7
+
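Review bot: with `abort ()` gone, the `default:` branch of `tg_tag_type` now reaches the `return false` that was previously dead code. Please confirm that every caller of `tg_tag_type` in prdbg.c treats a false return as a recoverable failure, since that path was never exercised while the abort was in place. Emitting a short diagnostic in the default case before returning would also tell the user why output stops on a malformed type instead of failing silently.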
--
2.43.0
* [OE-core][scarthgap 09/18] binutils: fix CVE-2025-11840
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Yash Shinde <Yash.Shinde@windriver.com>
CVE-2025-11840
PR 33455
[BUG] A SEGV in vfinfo at ldmisc.c:527
A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one
place emitting diagnostics assumes a reloc howto won't have a NULL
name.
https://sourceware.org/bugzilla/show_bug.cgi?id=33455
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/0030-CVE-2025-11840.patch | 37 +++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index e045ccf00d..839d31242e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -68,5 +68,6 @@ SRC_URI = "\
file://CVE-2025-11413.patch \
file://0028-CVE-2025-11494.patch \
file://0029-CVE-2025-11839.patch \
+ file://0030-CVE-2025-11840.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch
new file mode 100644
index 0000000000..3fb4db880e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch
@@ -0,0 +1,37 @@
+From f6b0f53a36820da91eadfa9f466c22f92e4256e0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 3 Nov 2025 09:03:37 +1030
+Subject: [PATCH] PR 33455 SEGV in vfinfo at ldmisc.c:527
+
+A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one
+place emitting diagnostics assumes a reloc howto won't have a NULL
+name.
+
+ PR 33455
+ * coffcode.h (coff_slurp_reloc_table): Don't allow a howto with
+ a NULL name.
+---
+ bfd/coffcode.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]
+CVE: CVE-2025-11840
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index 1e5acc0032c..ce1e39131b4 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -5345,7 +5345,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols)
+ RTYPE2HOWTO (cache_ptr, &dst);
+ #endif /* RELOC_PROCESSING */
+
+- if (cache_ptr->howto == NULL)
++ if (cache_ptr->howto == NULL || cache_ptr->howto->name == NULL)
+ {
+ _bfd_error_handler
+ /* xgettext:c-format */
+--
+2.43.7
+
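Review bot: the commit message says more than one place emitting diagnostics assumes a non-NULL howto name, but this backport guards only `coff_slurp_reloc_table` in bfd/coffcode.h. Please confirm that the upstream commit f6b0f53a changed only this file, or note in the header why the other sites do not need the same guard in 2.42; otherwise a fuzzed input reaching another diagnostic path still dereferences the NULL name.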
--
2.43.0
* [OE-core][scarthgap 10/18] libxslt: Fix CVE-2025-11731
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Mingli Yu <mingli.yu@windriver.com>
Backport the patch [1] to fix CVE-2025-11731.
[1] https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxslt/files/CVE-2025-11731.patch | 42 +++++++++++++++++++
.../recipes-support/libxslt/libxslt_1.1.43.bb | 3 +-
2 files changed, 44 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libxslt/files/CVE-2025-11731.patch
diff --git a/meta/recipes-support/libxslt/files/CVE-2025-11731.patch b/meta/recipes-support/libxslt/files/CVE-2025-11731.patch
new file mode 100644
index 0000000000..19702af6cb
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2025-11731.patch
@@ -0,0 +1,42 @@
+From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
+Date: Wed, 27 Aug 2025 14:28:40 +0300
+Subject: [PATCH] End function node ancestor search at document
+
+Avoids dereferencing a non-existent ->ns property on an
+XML_DOCUMENT_NODE pointer.
+
+Fixes #151.
+
+CVE: CVE-2025-11731
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ libexslt/functions.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 8d35a7ae..a54ee70c 100644
+--- a/libexslt/functions.c
++++ b/libexslt/functions.c
+@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+ * instanciation of a func:result element.
+ */
+ for (test = inst->parent; test != NULL; test = test->parent) {
+- if (IS_XSLT_ELEM(test) &&
+- IS_XSLT_NAME(test, "stylesheet")) {
++ if (/* Traversal has reached the top-level document without
++ * finding a func:function ancestor. */
++ (test != NULL && test->type == XML_DOCUMENT_NODE) ||
++ /* Traversal reached a stylesheet-namespace node,
++ * and has left the function namespace. */
++ (IS_XSLT_ELEM(test) &&
++ IS_XSLT_NAME(test, "stylesheet"))) {
+ xsltGenericError(xsltGenericErrorContext,
+ "func:result element not a descendant "
+ "of a func:function\n");
+--
+2.34.1
+
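Review bot: inside the `for (test = inst->parent; test != NULL; ...)` loop the new `(test != NULL && test->type == XML_DOCUMENT_NODE)` test repeats the loop condition, so the `test != NULL &&` part can be dropped. The ordering is correct as written: the document-node check runs before `IS_XSLT_ELEM(test)`, so the `->ns` dereference the description mentions is avoided. A regression test with a `func:result` placed directly under the stylesheet root (no `func:function` ancestor) would pin the behaviour for future rebases.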
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.43.bb b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
index e08e92085d..e33b1bb902 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.43.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
@@ -14,7 +14,8 @@ SECTION = "libs"
DEPENDS = "libxml2"
SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
- file://gnome-libxslt-bug-139-apple-fix.diff"
+ file://gnome-libxslt-bug-139-apple-fix.diff \
+ file://CVE-2025-11731.patch"
SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403f0183a"
--
2.43.0
* [OE-core][scarthgap 11/18] ruby: Upgrade 3.3.5 -> 3.3.10
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Mingli Yu <mingli.yu@windriver.com>
Per ruby maintenance policy [1], the 3.3.x branch should still be in normal
maintenance, so upgrade to the latest version 3.3.10 to fix many security
issues and bugs.
Remove the fix for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 as
these fixes have been included in the new version.
[1] https://www.ruby-lang.org/en/downloads/branches/
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ruby/ruby/CVE-2025-27219.patch | 31 --------
.../ruby/ruby/CVE-2025-27220.patch | 78 -------------------
.../ruby/ruby/CVE-2025-27221-0001.patch | 57 --------------
.../ruby/ruby/CVE-2025-27221-0002.patch | 73 -----------------
.../ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} | 6 +-
5 files changed, 1 insertion(+), 244 deletions(-)
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
rename meta/recipes-devtools/ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} (95%)
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
deleted file mode 100644
index 7813a6143c..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 16:01:17 +0900
-Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
-
-Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
-CVE: CVE-2025-27219
-Signed-off-by: Ashish Sharma <asharma@mvista.com>
-
- lib/cgi/cookie.rb | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
-index 9498e2f..1c4ef6a 100644
---- a/lib/cgi/cookie.rb
-+++ b/lib/cgi/cookie.rb
-@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
- values ||= ""
- values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
- if cookies.has_key?(name)
-- values = cookies[name].value + values
-+ cookies[name].concat(values)
-+ else
-+ cookies[name] = Cookie.new(name, *values)
- end
-- cookies[name] = Cookie.new(name, *values)
- end
-
- cookies
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
deleted file mode 100644
index f2f8bc7f76..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 15:53:31 +0900
-Subject: [PATCH] Escape/unescape unclosed tags as well
-
-Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
-
-CVE: CVE-2025-27220
-
-Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
- lib/cgi/util.rb | 4 ++--
- test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++
- 2 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb
-index 4986e54..5f12eae 100644
---- a/lib/cgi/util.rb
-+++ b/lib/cgi/util.rb
-@@ -184,7 +184,7 @@ module CGI::Util
- def escapeElement(string, *elements)
- elements = elements[0] if elements[0].kind_of?(Array)
- unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do
- CGI.escapeHTML($&)
- end
- else
-@@ -204,7 +204,7 @@ module CGI::Util
- def unescapeElement(string, *elements)
- elements = elements[0] if elements[0].kind_of?(Array)
- unless elements.empty?
-- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do
-+ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do
- unescapeHTML($&)
- end
- else
-diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb
-index b0612fc..bff77f7 100644
---- a/test/cgi/test_cgi_util.rb
-+++ b/test/cgi/test_cgi_util.rb
-@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase
- assert_equal("<BR><A HREF="url"></A>", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
- assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
- assert_equal("<BR><A HREF="url"></A>", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
-+
-+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', "A", "IMG"))
-+ assert_equal("<A <A HREF="url"></A>", escapeElement('<A <A HREF="url"></A>', ["A", "IMG"]))
-+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', "A", "IMG"))
-+ assert_equal("<A <A HREF="url"></A>", escape_element('<A <A HREF="url"></A>', ["A", "IMG"]))
-+
-+ assert_equal("<A <A ", escapeElement('<A <A ', "A", "IMG"))
-+ assert_equal("<A <A ", escapeElement('<A <A ', ["A", "IMG"]))
- end
-
-
-@@ -277,6 +285,16 @@ class CGIUtilTest < Test::Unit::TestCase
- assert_equal('<BR><A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
- assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
- assert_equal('<BR><A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
-+
-+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
-+ assert_equal('<A <A HREF="url"></A>', unescapeElement(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
-+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), "A", "IMG"))
-+ assert_equal('<A <A HREF="url"></A>', unescape_element(escapeHTML('<A <A HREF="url"></A>'), ["A", "IMG"]))
-+
-+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), "A", "IMG"))
-+ assert_equal('<A <A ', unescapeElement(escapeHTML('<A <A '), ["A", "IMG"]))
-+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), "A", "IMG"))
-+ assert_equal('<A <A ', unescape_element(escapeHTML('<A <A '), ["A", "IMG"]))
- end
- end
-
---
-2.40.0
-
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
deleted file mode 100644
index 95802d04f9..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 16:29:36 +0900
-Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
-
-CVE: CVE-2025-27221
-
-Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
- lib/uri/generic.rb | 6 +++++-
- test/uri/test_generic.rb | 11 +++++++++++
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
-index f3540a2..ecc78c5 100644
---- a/lib/uri/generic.rb
-+++ b/lib/uri/generic.rb
-@@ -1141,7 +1141,11 @@ module URI
- end
-
- # RFC2396, Section 5.2, 7)
-- base.set_userinfo(rel.userinfo) if rel.userinfo
-+ if rel.userinfo
-+ base.set_userinfo(rel.userinfo)
-+ else
-+ base.set_userinfo(nil)
-+ end
- base.set_host(rel.host) if rel.host
- base.set_port(rel.port) if rel.port
- base.query = rel.query if rel.query
-diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
-index e661937..17ba2b6 100644
---- a/test/uri/test_generic.rb
-+++ b/test/uri/test_generic.rb
-@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
- # must be empty string to identify as path-abempty, not path-absolute
- assert_equal('', url.host)
- assert_equal('http:////example.com', url.to_s)
-+
-+ # sec-2957667
-+ url = URI.parse('http://user:pass@example.com').merge('//example.net')
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
-+ url = URI.join('http://user:pass@example.com', '//example.net')
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
-+ url = URI.parse('http://user:pass@example.com') + '//example.net'
-+ assert_equal('http://example.net', url.to_s)
-+ assert_nil(url.userinfo)
- end
-
- def test_parse_scheme_with_symbols
---
-2.40.0
-
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
deleted file mode 100644
index 4435b87c34..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
-From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
-Date: Fri, 21 Feb 2025 18:16:28 +0900
-Subject: [PATCH] Fix merger of URI with authority component
-
-https://hackerone.com/reports/2957667
-
-Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
-
-CVE: CVE-2025-27221
-
-Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
-
-Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
----
- lib/uri/generic.rb | 19 +++++++------------
- test/uri/test_generic.rb | 7 +++++++
- 2 files changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
-index ecc78c5..2c0a88d 100644
---- a/lib/uri/generic.rb
-+++ b/lib/uri/generic.rb
-@@ -1133,21 +1133,16 @@ module URI
- base.fragment=(nil)
-
- # RFC2396, Section 5.2, 4)
-- if !authority
-- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-- else
-- # RFC2396, Section 5.2, 4)
-- base.set_path(rel.path) if rel.path
-+ if authority
-+ base.set_userinfo(rel.userinfo)
-+ base.set_host(rel.host)
-+ base.set_port(rel.port || base.default_port)
-+ base.set_path(rel.path)
-+ elsif base.path && rel.path
-+ base.set_path(merge_path(base.path, rel.path))
- end
-
- # RFC2396, Section 5.2, 7)
-- if rel.userinfo
-- base.set_userinfo(rel.userinfo)
-- else
-- base.set_userinfo(nil)
-- end
-- base.set_host(rel.host) if rel.host
-- base.set_port(rel.port) if rel.port
- base.query = rel.query if rel.query
- base.fragment=(rel.fragment) if rel.fragment
-
-diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
-index 17ba2b6..1a70dd4 100644
---- a/test/uri/test_generic.rb
-+++ b/test/uri/test_generic.rb
-@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
- assert_equal(u0, u1)
- end
-
-+ def test_merge_authority
-+ u = URI.parse('http://user:pass@example.com:8080')
-+ u0 = URI.parse('http://new.example.org/path')
-+ u1 = u.merge('//new.example.org/path')
-+ assert_equal(u0, u1)
-+ end
-+
- def test_route
- url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
- assert_equal('b.html', url.to_s)
---
-2.40.0
-
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.10.bb
similarity index 95%
rename from meta/recipes-devtools/ruby/ruby_3.3.5.bb
rename to meta/recipes-devtools/ruby/ruby_3.3.10.bb
index 8b45946f6b..936bc73e32 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.10.bb
@@ -26,10 +26,6 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
file://0006-Make-gemspecs-reproducible.patch \
file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
- file://CVE-2025-27219.patch \
- file://CVE-2025-27220.patch \
- file://CVE-2025-27221-0001.patch \
- file://CVE-2025-27221-0002.patch \
file://0007-Skip-test_rm_r_no_permissions-test-under-root.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
@@ -51,7 +47,7 @@ do_configure:prepend() {
DEPENDS:append:libc-musl = " libucontext"
-SRC_URI[sha256sum] = "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196"
+SRC_URI[sha256sum] = "b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
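Review bot: the new SRC_URI[sha256sum] should be cross-checked against the digest ruby-lang.org publishes for ruby-3.3.10.tar.gz (reachable from the UPSTREAM_CHECK_URI in the previous hunk's context) rather than copied from the locally fetched tarball, since this checksum is the only thing authenticating a plain-http download here.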
--
2.43.0
* [OE-core][scarthgap 12/18] scripts/install-buildtools: Update to 5.0.14
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Update to the 5.0.14 release of the 5.0 series for buildtools
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index a449e45cff..f1c3084245 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-5.0.12'
-DEFAULT_INSTALLER_VERSION = '5.0.12'
+DEFAULT_RELEASE = 'yocto-5.0.14'
+DEFAULT_INSTALLER_VERSION = '5.0.14'
DEFAULT_BUILDDATE = '202110XX'
# Python version sanity check
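Review bot: DEFAULT_BUILDDATE = '202110XX' stays untouched in the context line right after the two bumped constants; if it is a wildcard the script resolves at runtime that is fine, but if it is a stale placeholder it should move with the 5.0.14 bump, and the commit message could say which. Since DEFAULT_RELEASE and DEFAULT_INSTALLER_VERSION together select which installer the script downloads and runs on the build host, this bump is also the moment to confirm the 5.0.14 release's checksum file is fetched and verified by the unchanged code below.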
--
2.43.0
* [OE-core][scarthgap 13/18] kernel.bbclass: Add task to export kernel configuration to SPDX
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: "Kamel Bouhara (Schneider Electric)" <kamel.bouhara@bootlin.com>
Introduce a new bitbake task do_create_kernel_config_spdx that extracts
the kernel configuration from ${B}/.config and exports it into the
recipe's SPDX document as a separate build_Build object.
The kernel config parameters are stored as SPDX DictionaryEntry objects
and linked to the main kernel build using an ancestorOf relationship.
This enables the kernel build's configuration to be explicitly captured
in the SPDX document for compliance, auditing, and reproducibility.
The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0").
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 228a968e7c47d811c06143279bdb0f9c5f374bef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/kernel.bbclass | 64 ++++++++++++++++++++++++++++
meta/classes/create-spdx-3.0.bbclass | 6 +++
2 files changed, 70 insertions(+)
diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass
index 4c1cb89a46..d557e98d65 100644
--- a/meta/classes-recipe/kernel.bbclass
+++ b/meta/classes-recipe/kernel.bbclass
@@ -873,5 +873,69 @@ addtask deploy after do_populate_sysroot do_packagedata
EXPORT_FUNCTIONS do_deploy
+python __anonymous() {
+ inherits = (d.getVar("INHERIT") or "")
+ if "create-spdx" in inherits:
+ bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d)
+}
+
+python do_create_kernel_config_spdx() {
+ if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1":
+ import oe.spdx30
+ import oe.spdx30_tasks
+ from pathlib import Path
+ from datetime import datetime, timezone
+
+ pkg_arch = d.getVar("SSTATE_PKGARCH")
+ deploydir = Path(d.getVar("SPDXDEPLOY"))
+ pn = d.getVar("PN")
+
+ config_path = d.expand("${B}/.config")
+ kernel_params = []
+ if not os.path.exists(config_path):
+ bb.warn(f"SPDX: Kernel config file not found at: {config_path}")
+ return
+
+ try:
+ with open(config_path, 'r') as f:
+ for line in f:
+ line = line.strip()
+ if not line or line.startswith("#"):
+ continue
+ if "=" in line:
+ key, value = line.split("=", 1)
+ kernel_params.append(oe.spdx30.DictionaryEntry(
+ key=key,
+ value=value.strip('"')
+ ))
+ bb.note(f"Parsed {len(kernel_params)} kernel config entries from {config_path}")
+ except Exception as e:
+ bb.error(f"Failed to parse kernel config file: {e}")
+
+ build, build_objset = oe.sbom30.find_root_obj_in_jsonld(
+ d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build
+ )
+
+ kernel_build = build_objset.add_root(
+ oe.spdx30.build_Build(
+ _id=build_objset.new_spdxid("kernel-config"),
+ creationInfo=build_objset.doc.creationInfo,
+ build_buildType="https://openembedded.org/kernel-configuration",
+ build_parameter=kernel_params
+ )
+ )
+
+ oe.spdx30_tasks.set_timestamp_now(d, kernel_build, "build_buildStartTime")
+
+ build_objset.new_relationship(
+ [build],
+ oe.spdx30.RelationshipType.ancestorOf,
+ [kernel_build]
+ )
+
+ oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json")
+}
+do_create_kernel_config_spdx[depends] = "virtual/kernel:do_configure"
+
# Add using Device Tree support
inherit kernel-devicetree
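Review bot: the parsing loop skips every line beginning with `#`, which also drops Kconfig's `# CONFIG_FOO is not set` lines, so the exported build_parameter list only carries symbols that are set and an SBOM consumer cannot tell a deliberately disabled option from one that does not exist in that kernel; matching those lines and recording them (as `n`, say) would make the SPDX record reflect the `.config` the [doc] string in the next hunk describes. Smaller points in the same hunk: `oe.sbom30` is used but only `oe.spdx30` and `oe.spdx30_tasks` are imported, so it works only through a transitive import; `datetime`/`timezone` are imported and never used; the `except Exception` branch logs with bb.error but does not return, so the code below it still emits a build_Build with whatever entries were parsed before the failure (returning as the missing-file case does would avoid a partial record); and the `True` second argument to `d.getVar()` is the deprecated expand flag. Finally, the `__anonymous` gate tests for the substring "create-spdx" in INHERIT, which also matches a configuration inheriting create-spdx-2.2 directly, where the oe.spdx30 JSON-LD this task reads and rewrites does not exist; `bb.data.inherits_class("create-spdx-3.0", d)` would be the safer check.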
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index c0a5436ad6..15c31ba9a3 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -50,6 +50,12 @@ SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \
useful if you want to know when artifacts were produced and when builds \
occurred, but will result in non-reproducible SPDX output"
+SPDX_INCLUDE_KERNEL_CONFIG ??= "0"
+SPDX_INCLUDE_KERNEL_CONFIG[doc] = "If set to '1', the .config file for the kernel will be parsed \
+and each CONFIG_* value will be included in the Build.build_parameter list as DictionaryEntry \
+items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \
+SPDX document size."
+
SPDX_IMPORTS ??= ""
SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
reference external SPDX ids. Each import is defined as a key in this \
--
2.43.0
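The commit message above describes turning `${B}/.config` lines into DictionaryEntry key/value pairs. As an added example (not code from this patch or from OE-core), here is that parsing written stand-alone in Python over a constructed .config excerpt; it goes beyond the task by also recording Kconfig's `# CONFIG_X is not set` lines, unescaping quoted string values, and diffing two parsed configs, and it uses plain dicts in place of the oe.spdx30 DictionaryEntry objects.

```python
"""Parse a Linux kernel .config into SPDX-style (key, value) build parameters.

Added example, not code from the OE-core patch: it mirrors what the
do_create_kernel_config_spdx task does with ${B}/.config, but additionally
records "# CONFIG_FOO is not set" lines (which a comment-skipping loop
drops) and keeps escaped quotes inside string values intact.
"""
import re
from typing import Dict, List, Tuple

# Kconfig writes disabled bool/tristate symbols as comments of this exact form.
NOT_SET_RE = re.compile(r"^#\s*(CONFIG_\w+)\s+is not set$")


def _unquote(value: str) -> str:
    """Strip Kconfig string quoting and unescape \\" and \\\\ inside it."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", value[1:-1])
    return value


def parse_kconfig(text: str, record_not_set: bool = True) -> List[Tuple[str, str]]:
    """Return ordered (key, value) pairs for a .config body.

    - "CONFIG_X=y" / "=m" / "=123" / "=0x10" are kept verbatim.
    - String values lose only their surrounding double quotes.
    - "# CONFIG_X is not set" becomes ("CONFIG_X", "n") when record_not_set
      is true, so a consumer can tell "disabled" from "absent".
    """
    params: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = NOT_SET_RE.match(line)
            if m and record_not_set:
                params.append((m.group(1), "n"))
            continue  # any other comment: header banner, section title
        if "=" not in line:
            continue  # not a symbol assignment; ignore defensively
        key, value = line.split("=", 1)  # values may themselves contain '='
        key = key.strip()
        if not key.startswith("CONFIG_"):
            continue
        params.append((key, _unquote(value)))
    return params


def as_dictionary_entries(params: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Shape the pairs like SPDX 3.0 DictionaryEntry objects (plain dicts here)."""
    return [{"type": "DictionaryEntry", "key": k, "value": v} for k, v in params]


def diff_configs(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Keys whose value differs between two parsed configs: key -> (old, new).

    A key missing on one side shows up as "", so a symbol appearing or
    vanishing between two SBOMs is visible, not just a changed value.
    """
    da, db = dict(a), dict(b)
    changed: Dict[str, Tuple[str, str]] = {}
    for key in sorted(set(da) | set(db)):
        if da.get(key, "") != db.get(key, ""):
            changed[key] = (da.get(key, ""), db.get(key, ""))
    return changed


# Constructed sample in the format Kconfig emits; not taken from a real build.
SAMPLE_CONFIG = '''\
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 6.6.0 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="aarch64-poky-linux-gcc (GCC) 13.3.0"
CONFIG_LOCALVERSION="-yocto=standard"
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_CMDLINE="console=ttyS0 quiet \\"extra\\""
CONFIG_LOG_BUF_SHIFT=17
'''

if __name__ == "__main__":
    for entry in as_dictionary_entries(parse_kconfig(SAMPLE_CONFIG)):
        print(f'{entry["key"]} = {entry["value"]!r}')
```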
* [OE-core][scarthgap 14/18] spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: "Kamel Bouhara (Schneider Electric)" <kamel.bouhara@bootlin.com>
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.
Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:<feature>
and value enabled or disabled, depending on whether the feature is active in
the current build.
This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/create-spdx-3.0.bbclass | 5 +++++
meta/lib/oe/spdx30_tasks.py | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 15c31ba9a3..6125e8b547 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the Build.build_parameter list as Di
items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \
SPDX document size."
+SPDX_INCLUDE_PACKAGECONFIG ??= "0"
+SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG feature is recorded in the \
+build_Build object's build_parameter list as a DictionaryEntry with key \
+'PACKAGECONFIG:<feature>' and value 'enabled' or 'disabled'"
+
SPDX_IMPORTS ??= ""
SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
reference external SPDX ids. Each import is defined as a key in this \
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index e425958991..a3d848ceb1 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -809,6 +809,26 @@ def create_spdx(d):
sorted(list(build_inputs)) + sorted(list(debug_source_ids)),
)
+ if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0":
+ packageconfig = (d.getVar("PACKAGECONFIG") or "").split()
+ all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys()
+
+ if all_features:
+ enabled = set(packageconfig)
+ all_features_set = set(all_features)
+ disabled = all_features_set - enabled
+
+ for feature in sorted(all_features):
+ status = "enabled" if feature in enabled else "disabled"
+ build.build_parameter.append(
+ oe.spdx30.DictionaryEntry(
+ key=f"PACKAGECONFIG:{feature}",
+ value=status
+ )
+ )
+
+ bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} enabled, {len(disabled)} disabled")
+
oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
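Review bot: `(d.getVarFlags("PACKAGECONFIG") or {}).keys()` returns every flag on the variable, not only feature flags, so the `doc` flag that documentation.conf sets on PACKAGECONFIG will be emitted as `PACKAGECONFIG:doc` with value `disabled`; filter `doc` out before building the entries. The gate also differs from the kernel-config one in the previous patch: here anything other than the literal "0" enables the export (an empty string included), while the [doc] text added in the same patch says "If set to '1'"; one convention for both variables would avoid surprises. Minor: the `True` argument to `d.getVar()` is the deprecated expand flag, and `disabled` is computed only for the bb.note.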
--
2.43.0
* [OE-core][scarthgap 15/18] oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: "Kamel Bouhara (Schneider Electric)" <kamel.bouhara@bootlin.com>
Add test_kernel_config_spdx and test_packageconfig_spdx to verify
SPDX document generation includes kernel configuration and package
feature metadata when enabled.
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f0ab110d7521510c60e0493ef3cb021130758cd)
Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oeqa/selftest/cases/spdx.py | 57 ++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py
index 8cd4e83ca2..035f3fe336 100644
--- a/meta/lib/oeqa/selftest/cases/spdx.py
+++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -286,3 +286,60 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase):
break
else:
self.assertTrue(False, "Unable to find imported Host SpdxID")
+
+ def test_kernel_config_spdx(self):
+ kernel_recipe = get_bb_var("PREFERRED_PROVIDER_virtual/kernel")
+ spdx_file = f"recipe-{kernel_recipe}.spdx.json"
+ spdx_path = f"{{DEPLOY_DIR_SPDX}}/{{SSTATE_PKGARCH}}/recipes/{spdx_file}"
+
+ # Make sure kernel is configured first
+ bitbake(f"-c configure {kernel_recipe}")
+
+ objset = self.check_recipe_spdx(
+ kernel_recipe,
+ spdx_path,
+ task="do_create_kernel_config_spdx",
+ extraconf="""\
+ INHERIT += "create-spdx"
+ SPDX_INCLUDE_KERNEL_CONFIG = "1"
+ """,
+ )
+
+ # Check that at least one CONFIG_* entry exists
+ found_kernel_config = False
+ for build_obj in objset.foreach_type(oe.spdx30.build_Build):
+ if getattr(build_obj, "build_buildType", "") == "https://openembedded.org/kernel-configuration":
+ found_kernel_config = True
+ self.assertTrue(
+ len(getattr(build_obj, "build_parameter", [])) > 0,
+ "Kernel configuration build_Build has no CONFIG_* entries"
+ )
+ break
+
+ self.assertTrue(found_kernel_config, "Kernel configuration build_Build not found in SPDX output")
+
+ def test_packageconfig_spdx(self):
+ objset = self.check_recipe_spdx(
+ "tar",
+ "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-tar.spdx.json",
+ extraconf="""\
+ SPDX_INCLUDE_PACKAGECONFIG = "1"
+ """,
+ )
+
+ found_entries = []
+ for build_obj in objset.foreach_type(oe.spdx30.build_Build):
+ for param in getattr(build_obj, "build_parameter", []):
+ if param.key.startswith("PACKAGECONFIG:"):
+ found_entries.append((param.key, param.value))
+
+ self.assertTrue(
+ found_entries,
+ "No PACKAGECONFIG entries found in SPDX output for 'tar'"
+ )
+
+ for key, value in found_entries:
+ self.assertIn(
+ value, ["enabled", "disabled"],
+ f"Unexpected PACKAGECONFIG value '{value}' for {key}"
+ )
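Review bot: test_kernel_config_spdx only asserts that build_parameter is non-empty although its failure message speaks of CONFIG_* entries; assert that each param.key starts with "CONFIG_" (mirroring the key-prefix check test_packageconfig_spdx does for "PACKAGECONFIG:") so a build_Build filled with unrelated entries cannot pass. Also the two tests build the SPDX path differently, an f-string with doubled braces in the first and a plain string in the second; both yield the same placeholder string for check_recipe_spdx, so the plain form would do in both places.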
--
2.43.0
* [OE-core][scarthgap 16/18] cml1.bbclass: use consistent make flags for menuconfig
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Enrico Jörns <ejo@pengutronix.de>
The class called 'make menuconfig' without any of the make variables and
options set in EXTRA_OEMAKE, resulting in a quite different build
environment than actually intended.
For the kernel.bbclass this was fixed in commit 8c616bc0 ("kernel: Use
consistent make flags for menuconfig") by appending ${EXTRA_OEMAKE} to
KCONFIG_CONFIG_COMMAND.
Instead of fixing this individually for additional recipes, we simply
include ${EXTRA_OEMAKE} in KCONFIG_CONFIG_COMMAND by default.
For most class users, this change is directly visible in the generated
.config file:
* For barebox and u-boot, CONFIG_GCC_VERSION erroneously reflected the
host GCC version before; it now correctly reflects the target
toolchain's GCC.
* For u-boot, the "Compiler: " line at the beginning of the .config also
now prints the target toolchain instead of the host one.
* The kernel had this already set.
* busybox did not produce any difference.
Note that these projects might base some compile-time decisions on e.g.
the actual compiler version used. Having the wrong one in the
menuconfig-generated .config affects at least the visibility and
consistency.
Reported-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1b6ddd452837e67b500a84455a234f5edc8250a9)
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/cml1.bbclass | 2 +-
meta/classes-recipe/kernel.bbclass | 3 ---
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta/classes-recipe/cml1.bbclass b/meta/classes-recipe/cml1.bbclass
index 456305a315..5519fb61b3 100644
--- a/meta/classes-recipe/cml1.bbclass
+++ b/meta/classes-recipe/cml1.bbclass
@@ -31,7 +31,7 @@ CROSS_CURSES_LIB = "-lncurses -ltinfo"
CROSS_CURSES_INC = '-DCURSES_LOC="<curses.h>"'
TERMINFO = "${STAGING_DATADIR_NATIVE}/terminfo"
-KCONFIG_CONFIG_COMMAND ??= "menuconfig"
+KCONFIG_CONFIG_COMMAND ??= "menuconfig ${EXTRA_OEMAKE}"
KCONFIG_CONFIG_ENABLE_MENUCONFIG ??= "true"
KCONFIG_CONFIG_ROOTDIR ??= "${B}"
python do_menuconfig() {
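Review bot: because KCONFIG_CONFIG_COMMAND is a weak default (`??=`), any recipe or bbappend that assigns it outright now silently loses the `${EXTRA_OEMAKE}` flags this line adds, and the kernel.bbclass hunk below removes the `:append` that used to guarantee them for the kernel; the commit message should call out that such overrides must carry `${EXTRA_OEMAKE}` themselves, or the class could keep an `:append` so the flags survive a plain assignment.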
diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass
index d557e98d65..39e198864e 100644
--- a/meta/classes-recipe/kernel.bbclass
+++ b/meta/classes-recipe/kernel.bbclass
@@ -697,9 +697,6 @@ addtask savedefconfig after do_configure
inherit cml1 pkgconfig
-# Need LD, HOSTLDFLAGS and more for config operations
-KCONFIG_CONFIG_COMMAND:append = " ${EXTRA_OEMAKE}"
-
EXPORT_FUNCTIONS do_compile do_transform_kernel do_transform_bundled_initramfs do_install do_configure
# kernel-base becomes kernel-${KERNEL_VERSION}
--
2.43.0
* [OE-core][scarthgap 17/18] curl: Use host CA bundle by default for native(sdk) builds
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Moritz Haase <Moritz.Haase@bmw.de>
Fixes YOCTO #16077
Commit 0f98fecd (a backport of 4909a46e) broke HTTPS downloads in opkg in the
SDK; they now fail with:
> SSL certificate problem: self-signed certificate in certificate chain
The root cause is a difference in the handling of related env vars between
curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE
(see [0]). Those are set in the SDK via env setup scripts like [1], so curl
continued to work. The library however does not handle those env vars. Thus,
unless the program utilizing libcurl has implemented a similar mechanism itself
and configures libcurl accordingly via the API (like for example Git in [2] and
[3]), there will be no default CA bundle configured to verify certificates
against.
Opkg only supports setting the CA bundle path via config options 'ssl_ca_file'
and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var
support is not a feasible short-time fix for the issue at hand. Instead it's
better to ship libcurl in the SDK with a sensible built-in default - which also
helps any other libcurl users.
This patch is based on a proposal by Peter.Marko@siemens.com in the related
mailing list discussion at [4].
(cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050)
[0]: https://github.com/curl/curl/blob/400fffa90f30c7a2dc762fa33009d24851bd2016/src/tool_operate.c#L2056-L2084
[1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985
[2]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1389
[3]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1108-L1109
[4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
CC: matthias.schiffer@ew.tq-group.com
CC: Peter.Marko@siemens.com
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/curl/curl_8.7.1.bb | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6c02746394..0af6a41399 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -92,16 +92,21 @@ PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
+# Use host certificates for non-target builds. As libcurl doesn't honor any of the env vars (like
+# for example CURL_CA_PATH) that curl-cli does, we need to explicitly set '--with-ca-bundle'
+# accordingly, so that there is a working, built-in default even for those tools that use libcurl,
+# but don't have custom env var handling implemented (like opkg).
+CURL_CA_BUNDLE_BASE_DIR ?= "/etc"
+CURL_CA_BUNDLE_BASE_DIR:class-target = "${sysconfdir}"
+
EXTRA_OECONF = " \
--disable-libcurl-option \
--disable-ntlm-wb \
--without-libpsl \
--enable-optimize \
+ --with-ca-bundle=${CURL_CA_BUNDLE_BASE_DIR}/ssl/certs/ca-certificates.crt \
${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
"
-EXTRA_OECONF:append:class-target = " \
- --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
-"
fix_absolute_paths () {
# cleanup buildpaths from curl-config
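Review bot: the new comment cites `CURL_CA_PATH` as an env var curl-cli honours, but the commit message (and the curl source it links as [0]) names CURL_CA_BUNDLE and SSL_CERT_DIR|FILE; fix the name so the recipe comment does not send readers looking for a variable the CLI does not read. Functionally, `${CURL_CA_BUNDLE_BASE_DIR}/ssl/certs/ca-certificates.crt` hard-codes the Debian/Ubuntu bundle layout for native and nativesdk builds; hosts that keep the bundle at /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL) or /etc/ssl/ca-bundle.pem (SUSE) get a built-in default pointing at a missing file, so opkg in the SDK still fails there with the same error. Exposing the full bundle path as the overridable variable (or adding `--with-ca-fallback` so libcurl can fall back to the TLS library's own default store) would let distro configs fix that without overriding EXTRA_OECONF.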
--
2.43.0
* [OE-core][scarthgap 18/18] cross.bbclass: Propagate dependencies to outhash
From: Steve Sakoman @ 2025-12-23 21:22 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Similar to what native and staging have been doing since:
https://git.openembedded.org/openembedded-core/commit/meta/classes/native.bbclass?id=d6c7b9f4f0e61fa6546d3644e27abe3e96f597e2
https://git.openembedded.org/openembedded-core/commit/meta/classes/staging.bbclass?id=1cf62882bbac543960e4815d117ffce0e53bda07
Cross task outputs can call native dependencies, and even when the cross
recipe output doesn't change it might produce different results when
the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
contains a symlink to the clang binary from clang-native, but when the clang-native
outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
equivalent and target recipes aren't rebuilt with the new clang binary; see the
workaround in https://github.com/kraj/meta-clang/pull/1140 to make target
recipes depend directly not only on clang-cross-${TARGET_ARCH} but on
clang-native as well.
I have added a small testcase in meta-selftest which demonstrates this issue.
Not included in this change, but will send it if useful.
openembedded-core $ ls -1 meta-selftest/recipes-devtools/hashequiv-test/
print-datetime-link-cross.bb
print-datetime-link-native.bb
print-datetime-native.bb
print-datetime-usecross.bb
print-datetime-usenative.bb
print-datetime-native provides script which prints defined PRINT_DATETIME variable.
print-datetime-link-native and print-datetime-link-cross both provide a symlink to
the script from print-datetime-native.
print-datetime-usenative and print-datetime-usecross are target recipes using the
native and cross versions of print-datetime-link-* recipe.
# clean build all is rebuilt:
$ bitbake -k print-datetime-usenative print-datetime-usecross
WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_05
WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_05
WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_05
WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_05
WARNING: print-datetime-usecross-1.0-r0 do_install: print-datetime-usecross current DATETIME from print-datetime-link is 2025-11-13_20_05
# keep sstate-cache and hashserv.db:
# print-datetime-usenative is correctly rebuilt, because print-datetime-link-native has different hash (because print-datetime-native hash changed)
# print-datetime-usecross wasn't rebuilt, because print-datetime-link-cross-x86_64 doesn't include the changed hash of print-datetime-native
$ bitbake -k print-datetime-usenative print-datetime-usecross
WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_07
WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_07
WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_07
WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_07
It's because the print-datetime-link-cross-x86_64 depsig doesn't include the print-datetime-native signature:
$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
drwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime
While print-datetime-link-native doesn't have this issue, because the print-datetime-native signature is there:
$ cat tmp/work/x86_64-linux/print-datetime-link-native/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 60f2734a63d708489570ca719413b4662f8368abc9f4760a279a0a5481e4a17b
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-native:x86_64-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 26 3d5458be834b2d0e4c65466b9b877d6028ae2210a56399284a23144818666f10 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-native
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
lrwx ./recipe-sysroot-native/usr/bin/print-datetime-link -> print-datetime
With the cross.bbclass fix the link-cross recipe has a checksum from the native recipe as well:
$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 9ceb6c27342eae6b8da86c84685af38fb8927ccc19979aae75b8b1e444b11c5c
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
drwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime
And print-datetime-usecross is correctly rebuilt whenever print-datetime-native output is different.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes-recipe/cross.bbclass | 36 +++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/meta/classes-recipe/cross.bbclass b/meta/classes-recipe/cross.bbclass
index 93de9a5274..da3c4e7eab 100644
--- a/meta/classes-recipe/cross.bbclass
+++ b/meta/classes-recipe/cross.bbclass
@@ -101,3 +101,39 @@ addtask addto_recipe_sysroot after do_populate_sysroot
do_addto_recipe_sysroot[deptask] = "do_populate_sysroot"
PATH:prepend = "${COREBASE}/scripts/cross-intercept:"
+
+#
+# Cross task outputs can call native dependencies and even when cross
+# recipe output doesn't change it might produce different results when
+# the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
+# contains symlink to clang binary from clang-native, but when clang-native
+# outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
+# equivalent and target recipes aren't rebuilt with new clang binary, see
+# work around in https://github.com/kraj/meta-clang/pull/1140 to make target
+# recipes to depend directly not only on clang-cross-${TARGET_ARCH} but
+# clang-native as well.
+#
+# This can cause poor interactions with hash equivalence, since this recipes
+# output-changing dependency is "hidden" and downstream task only see that this
+# recipe has the same outhash and therefore is equivalent. This can result in
+# different output in different cases.
+#
+# To resolve this, unhide the output-changing dependency by adding its unihash
+# to this tasks outhash calculation. Unfortunately, don't know specifically
+# know which dependencies are output-changing, so we have to add all of them.
+#
+python cross_add_do_populate_sysroot_deps () {
+ current_task = "do_" + d.getVar("BB_CURRENTTASK")
+ if current_task != "do_populate_sysroot":
+ return
+
+ taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+ pn = d.getVar("PN")
+ deps = {
+ dep[0]:dep[6] for dep in taskdepdata.values() if
+ dep[1] == current_task and dep[0] != pn
+ }
+
+ d.setVar("HASHEQUIV_EXTRA_SIGDATA", "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys())))
+}
+SSTATECREATEFUNCS += "cross_add_do_populate_sysroot_deps"
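Review bot: the final d.setVar("HASHEQUIV_EXTRA_SIGDATA", ...) in cross_add_do_populate_sysroot_deps overwrites the variable instead of extending it, so anything a recipe or another class has already placed in HASHEQUIV_EXTRA_SIGDATA is silently dropped when this SSTATECREATEFUNCS hook runs; either append to the existing value (newline separated) or state in the header comment that cross.bbclass owns the variable. Two smaller points in the header comment: the comprehension keeps only entries with dep[1] == current_task, i.e. do_populate_sysroot dependencies, so "we have to add all of them" is broader than what the code does and should say "all do_populate_sysroot dependencies"; and "Unfortunately, don't know specifically know which dependencies are output-changing" has a doubled "know" and no subject ("we don't know specifically which ..."), while "this recipes output-changing dependency" should read "this recipe's".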
--
2.43.0
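The mechanism the commit message and the hunk describe, as an added stand-alone model that is not part of this patch or of OE-core: a toy outhash in the spirit of OEOuthashBasic (symlinks contribute only their target string, never the file they resolve to), the same dependency selection as the hunk's dict comprehension run over constructed BB_TASKDEPDATA-shaped entries (index 0 PN, index 1 task name, index 6 unihash, as the hunk indexes them), and a check of whether the cross recipe is judged equivalent after the native script changes. The native recipe's unihash is simplified to its own outhash; in a real build it comes from the hash equivalence server.

```python
import hashlib

# Constructed model only; not bitbake code. The real OEOuthashBasic walks the
# actual sysroot, and the real unihash is assigned by the hash equivalence server.

def outhash(entries, extra_sigdata=""):
    """Toy stand-in for OEOuthashBasic: extra sigdata lines are hashed first
    (like the "pn: unihash" lines at the top of depsig.do_populate_sysroot),
    then one line per output entry. entries are (kind, path, payload) tuples."""
    h = hashlib.sha256()
    if extra_sigdata:
        h.update(extra_sigdata.encode() + b"\n")
    for kind, path, payload in sorted(entries, key=lambda e: e[1]):
        if kind == "file":
            line = "-rw- %d %s %s" % (len(payload), hashlib.sha256(payload).hexdigest(), path)
        elif kind == "symlink":
            # only the link target text is hashed, never the file it points at
            line = "lrwx %s -> %s" % (path, payload)
        else:
            line = "drwx %s" % path
        h.update(line.encode() + b"\n")
    return h.hexdigest()

def extra_sigdata_from_taskdepdata(taskdepdata, pn, current_task="do_populate_sysroot"):
    """Same selection as the dict comprehension in the cross.bbclass hunk:
    one 'pn: unihash' line per do_populate_sysroot dependency, excluding pn itself."""
    deps = {dep[0]: dep[6] for dep in taskdepdata.values()
            if dep[1] == current_task and dep[0] != pn}
    return "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys()))

CROSS_PN = "print-datetime-link-cross-x86_64"

def native_tree(script_body):
    """Output of print-datetime-native: a script whose body changes between builds."""
    return [("dir", "./recipe-sysroot-native/usr/bin", None),
            ("file", "./recipe-sysroot-native/usr/bin/print-datetime", script_body)]

# The cross recipe's only payload is a relative symlink, so its outhash cannot
# observe changes in the script that the link resolves to.
CROSS_TREE = [
    ("dir", "./recipe-sysroot-native/usr/bin/x86_64-oe-linux", None),
    ("symlink", "./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link", "../print-datetime"),
]

def build_taskdepdata(native_unihash):
    """Constructed entries shaped [pn, taskname, fn, deps, provides, taskhash, unihash]."""
    q = "1" * 64
    return {
        "print-datetime-native.bb:do_populate_sysroot":
            ["print-datetime-native", "do_populate_sysroot", "print-datetime-native.bb",
             [], [], native_unihash, native_unihash],
        "quilt-native.bb:do_populate_sysroot":
            ["quilt-native", "do_populate_sysroot", "quilt-native.bb", [], [], q, q],
        # a non-populate_sysroot task of a dependency: must be filtered out
        "quilt-native.bb:do_configure":
            ["quilt-native", "do_configure", "quilt-native.bb", [], [], "2" * 64, "2" * 64],
        # the recipe itself also appears in taskdepdata and must be skipped
        "print-datetime-link-cross.bb:do_populate_sysroot":
            [CROSS_PN, "do_populate_sysroot", "print-datetime-link-cross.bb", [], [], "3" * 64, "3" * 64],
    }

def cross_outhash(script_body, propagate_deps):
    """Outhash of the cross recipe after print-datetime-native was built from script_body.
    Simplification: the native recipe's unihash is just its outhash here."""
    native_unihash = outhash(native_tree(script_body))
    extra = ""
    if propagate_deps:
        extra = extra_sigdata_from_taskdepdata(build_taskdepdata(native_unihash), CROSS_PN)
    return outhash(CROSS_TREE, extra)

SCRIPT_BEFORE = b"#!/bin/sh\necho 2025-11-13_20_05\n"   # constructed sample content
SCRIPT_AFTER = b"#!/bin/sh\necho 2025-11-13_20_07\n"

def equivalence_hidden(propagate_deps):
    """True when the cross recipe is judged equivalent across the native change,
    i.e. when a downstream recipe such as print-datetime-usecross would NOT be rebuilt."""
    return cross_outhash(SCRIPT_BEFORE, propagate_deps) == cross_outhash(SCRIPT_AFTER, propagate_deps)

if __name__ == "__main__":
    print("without propagation, cross output judged equivalent:", equivalence_hidden(False))
    print("with propagation, cross output judged equivalent:", equivalence_hidden(True))
```

Running it shows the two situations from the commit message side by side: with the symlink alone the cross outhash is identical before and after the native change, so hash equivalence treats the task as unchanged; once the dependency unihashes are folded into the sigdata, the cross outhash differs and the downstream rebuild is triggered.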
Thread overview: 25+ messages
2025-12-23 21:22 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 01/18] cups 2.4.11: Fix CVE-2025-58436 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 02/18] cups 2.4.11: Fix CVE-2025-61915 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 03/18] rsync: fix CVE-2025-10158 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 04/18] qemu: fix CVE-2025-12464 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 05/18] python3-urllib3: fix CVE-2025-66418 CVE-2025-66471 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 06/18] cmake-native: fix CVE-2025-9301 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 07/18] binutils: Fix CVE-2025-11494 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 08/18] binutils: fix CVE-2025-11839 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 09/18] binutils: fix CVE-2025-11840 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 10/18] libxslt: Fix CVE-2025-11731 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 11/18] ruby: Upgrade 3.3.5 -> 3.3.10 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 12/18] scripts/install-buildtools: Update to 5.0.14 Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 13/18] kernel.bbclass: Add task to export kernel configuration to SPDX Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 14/18] spdx30_tasks: Add support for exporting PACKAGECONFIG " Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 15/18] oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 16/18] cml1.bbclass: use consistent make flags for menuconfig Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 17/18] curl: Use host CA bundle by default for native(sdk) builds Steve Sakoman
2025-12-23 21:22 ` [OE-core][scarthgap 18/18] cross.bbclass: Propagate dependencies to outhash Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-10-10 2:50 [OE-core][scarthgap 00/18] Patch review Steve Sakoman
2025-10-12 19:02 ` Gyorgy Sarvari
2025-10-12 19:19 ` Steve Sakoman
2024-10-15 18:50 Steve Sakoman
2024-08-21 12:50 Steve Sakoman
2024-08-04 17:09 Steve Sakoman