public inbox for openembedded-core@lists.openembedded.org
* [OE-core][scarthgap 00/22] Patch review
@ 2024-06-17 12:04 Steve Sakoman
  0 siblings, 0 replies; 28+ messages in thread
From: Steve Sakoman @ 2024-06-17 12:04 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Wednesday, June 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7047

The following changes since commit 50b9126cd8668d8c039e9bd61eaba458f7a22014:

  cracklib: Modify patch to compile with GCC 14 (2024-06-12 08:09:18 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Changqing Li (1):
  expect-native: fix build with gcc-14

Khem Raj (7):
  kea: Remove -fvisibility-inlines-hidden from C++ flags
  consolekit: Disable incompatible-pointer-types warning as error
  gtk4: Disable int-conversion warning as error
  ltp: Fix build with GCC-14
  iproute2: Fix build with GCC-14
  zip: Fix build with gcc-14
  kexec-tools: Fix build with GCC-14 on musl

Martin Jansa (6):
  expect: ignore various issues now fatal with gcc-14
  libunwind: ignore various issues now fatal with gcc-14
  p11-kit: ignore various issues fatal with gcc-14 (for 32bit MACHINEs)
  lrzsz connman-gnome libfm: ignore various issues fatal with gcc-14
  cdrtools-native: fix build with gcc-14
  db: ignore implicit-int and implicit-function-declaration issues fatal
    with gcc-14

Michael Halstead (1):
  yocto-uninative: Update to 4.5 for gcc 14

Richard Purdie (2):
  oeqa/sdk/assimp: Upgrade and fix for gcc 14
  gcc-runtime: libgomp fix for gcc 14 warnings with mandb selftest

Ross Burton (2):
  oeqa/sdkext/devtool: replace use of librdfa
  gawk: fix readline detection

Siddharth Doshi (1):
  cups: Upgrade 2.4.7 -> 2.4.9

Wang Mingyu (1):
  appstream: upgrade 1.0.2 -> 1.0.3

Zoltan Boszormenyi (1):
  cdrtools-native: Fix build with GCC 14

 meta/conf/distro/include/yocto-uninative.inc  |  8 +--
 meta/lib/oeqa/sdk/cases/assimp.py             |  8 +--
 meta/lib/oeqa/sdkext/cases/devtool.py         |  7 ++-
 meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb       |  6 +++
 .../connman/connman-gnome_0.7.bb              |  4 ++
 .../iproute2/iproute2_6.7.0.bb                |  2 +
 meta/recipes-connectivity/kea/kea_2.4.1.bb    |  1 +
 .../cdrtools/cdrtools-native_3.01.bb          | 12 ++++-
 .../cdrtools/cdrtools/gcc14-fix.patch         | 13 +++++
 meta/recipes-devtools/expect/expect_5.45.4.bb |  7 +++
 meta/recipes-devtools/gcc/gcc-runtime.inc     |  2 +-
 .../cups/{cups_2.4.7.bb => cups_2.4.9.bb}     |  2 +-
 ...001-m4-readline-add-missing-includes.patch | 38 +++++++++++++
 meta/recipes-extended/gawk/gawk_5.3.0.bb      |  1 +
 ...-Use-time_t-instead-of-long-for-type.patch | 54 +++++++++++++++++++
 meta/recipes-extended/ltp/ltp_20240129.bb     |  1 +
 ...e-dirent.h-for-closedir-opendir-APIs.patch | 45 ++++++++++++++++
 ...2-unix.c-Do-not-redefine-DIR-as-FILE.patch | 35 ------------
 meta/recipes-extended/zip/zip_3.0.bb          |  2 +-
 meta/recipes-gnome/gtk+/gtk4_4.14.1.bb        |  4 ++
 ...linux-setup.c-Use-POSIX-basename-API.patch | 54 +++++++++++++++++++
 .../kexec/kexec-tools_2.0.28.bb               |  1 +
 ...{appstream_1.0.2.bb => appstream_1.0.3.bb} |  2 +-
 .../consolekit/consolekit_0.4.6.bb            |  3 ++
 meta/recipes-support/db/db_5.3.28.bb          |  4 ++
 meta/recipes-support/libfm/libfm_1.3.2.bb     |  4 ++
 .../libunwind/libunwind_1.6.2.bb              |  8 +++
 .../recipes-support/p11-kit/p11-kit_0.25.3.bb | 10 ++++
 28 files changed, 285 insertions(+), 53 deletions(-)
 create mode 100644 meta/recipes-devtools/cdrtools/cdrtools/gcc14-fix.patch
 rename meta/recipes-extended/cups/{cups_2.4.7.bb => cups_2.4.9.bb} (51%)
 create mode 100644 meta/recipes-extended/gawk/gawk/0001-m4-readline-add-missing-includes.patch
 create mode 100644 meta/recipes-extended/ltp/ltp/0001-sched_stress-Use-time_t-instead-of-long-for-type.patch
 create mode 100644 meta/recipes-extended/zip/zip-3.0/0001-configure-Include-dirent.h-for-closedir-opendir-APIs.patch
 delete mode 100644 meta/recipes-extended/zip/zip-3.0/0002-unix.c-Do-not-redefine-DIR-as-FILE.patch
 create mode 100644 meta/recipes-kernel/kexec/kexec-tools/0001-x86-linux-setup.c-Use-POSIX-basename-API.patch
 rename meta/recipes-support/appstream/{appstream_1.0.2.bb => appstream_1.0.3.bb} (93%)

-- 
2.34.1




* [OE-core][scarthgap 00/22] Patch review
@ 2026-01-20 12:08 Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 01/22] python3: patch CVE-2025-12084 Yoann Congal
                   ` (21 more replies)
  0 siblings, 22 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, January 22.

This scarthgap patch review request is aimed at getting kirkstone
4.0.33 built on Monday:
* Ensuring fixes in kirkstone have their equivalent in more recent
  stable branches.
* pseudo upgrade to fix 16117 – AB-INT: do_package: Error executing a python function in exec_func_python() autogenerated
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=16117

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3091
via poky-contrib stable/scarthgap-nut. The tip of OE-Core is at:
https://git.yoctoproject.org/poky-contrib/commit/?h=stable/scarthgap-nut&id=a7e7530d8ece2ee31ffcb220264cc9c52616b526

The following changes since commit 6988157ad983978ffd6b12bcefedd4deaffdbbd1:

  build-appliance-image: Update to scarthgap head revision (2026-01-02 06:57:59 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to 199c6518f5e363a2d8648bdfe14233afd9b0ba6e:

  pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation' (2026-01-19 17:44:48 +0100)

----------------------------------------------------------------

Paul Barker (1):
  pseudo: Add hard sstate dependencies for pseudo-native

Peter Marko (16):
  python3: patch CVE-2025-12084
  python3: patch CVE-2025-13836
  util-linux: patch CVE-2025-14104
  qemu: ignore CVE-2025-54566 and CVE-2025-54567
  glib-2.0: patch CVE-2025-13601
  glib-2.0: patch CVE-2025-14087
  glib-2.0: patch CVE-2025-14512
  dropbear: patch CVE-2019-6111
  libpcap: patch CVE-2025-11961
  libpcap: patch CVE-2025-11964
  cups: allow unknown directives in conf files
  libarchive: fix CVE-2025-60753 regression
  curl: patch CVE-2025-14017
  curl: patch CVE-2025-14819
  curl: patch CVE-2025-15079
  curl: patch CVE-2025-15224

Richard Purdie (4):
  pseudo: Upgrade to version 1.9.1
  pseudo: Update to pull in memleak fix
  pseudo: Update to pull in openat2 and efault return code changes
  pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation'

Robert Yang (1):
  pseudo: 1.9.0 -> 1.9.2

 .../libpcap/libpcap/CVE-2025-11961-01.patch   |  38 ++
 .../libpcap/libpcap/CVE-2025-11961-02.patch   | 433 ++++++++++++++++++
 .../libpcap/libpcap/CVE-2025-11964.patch      |  33 ++
 .../libpcap/libpcap_1.10.4.bb                 |   3 +
 .../dropbear/dropbear/CVE-2019-6111.patch     | 157 +++++++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   1 +
 .../glib-2.0/glib-2.0/CVE-2025-13601-01.patch | 125 +++++
 .../glib-2.0/glib-2.0/CVE-2025-13601-02.patch | 128 ++++++
 .../glib-2.0/glib-2.0/CVE-2025-14087-01.patch |  69 +++
 .../glib-2.0/glib-2.0/CVE-2025-14087-02.patch | 240 ++++++++++
 .../glib-2.0/glib-2.0/CVE-2025-14087-03.patch | 150 ++++++
 .../glib-2.0/glib-2.0/CVE-2025-14512.patch    |  70 +++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   6 +
 meta/recipes-core/util-linux/util-linux.inc   |   2 +
 .../util-linux/CVE-2025-14104-01.patch        |  33 ++
 .../util-linux/CVE-2025-14104-02.patch        |  28 ++
 .../0001-configure-Prune-PIE-flags.patch      |  44 --
 .../pseudo/files/glibc238.patch               |  65 ---
 .../pseudo/files/older-glibc-symbols.patch    |   4 +-
 meta/recipes-devtools/pseudo/pseudo.inc       |   7 +
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   6 +-
 .../python/python3/CVE-2025-12084.patch       | 144 ++++++
 .../python/python3/CVE-2025-13836.patch       | 162 +++++++
 .../python/python3_3.12.12.bb                 |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 meta/recipes-extended/cups/cups.inc           |   1 +
 ...pping-scheduler-on-unknown-directive.patch |  43 ++
 ...25-60753.patch => CVE-2025-60753-01.patch} |   0
 .../libarchive/CVE-2025-60753-02.patch        |  46 ++
 .../libarchive/libarchive_3.7.9.bb            |   3 +-
 ...st-qual-fix-or-silence-compiler-warn.patch |  85 ++++
 .../curl/curl/CVE-2025-14017.patch            | 115 +++++
 .../curl/curl/CVE-2025-14819.patch            |  73 +++
 .../curl/curl/CVE-2025-15079.patch            |  32 ++
 .../curl/curl/CVE-2025-15224.patch            |  31 ++
 meta/recipes-support/curl/curl_8.7.1.bb       |   5 +
 36 files changed, 2271 insertions(+), 116 deletions(-)
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
 delete mode 100644 meta/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
 delete mode 100644 meta/recipes-devtools/pseudo/files/glibc238.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-12084.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13836.patch
 create mode 100644 meta/recipes-extended/cups/cups/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
 rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-60753.patch => CVE-2025-60753-01.patch} (100%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-02.patch
 create mode 100644 meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch




* [OE-core][scarthgap 01/22] python3: patch CVE-2025-12084
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 02/22] python3: patch CVE-2025-13836 Yoann Congal
                   ` (20 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch from 3.12 branch according to [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-12084

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/python3/CVE-2025-12084.patch       | 144 ++++++++++++++++++
 .../python/python3_3.12.12.bb                 |   1 +
 2 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-12084.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
new file mode 100644
index 0000000000..b7c0650cdc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
@@ -0,0 +1,144 @@
+From 9c9dda6625a2a90d2a06c657eee021d6be19842d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:48:49 +0100
+Subject: [PATCH] [3.12] gh-142145: Remove quadratic behavior in node ID cache
+ clearing (GH-142146) (#142211)
+
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+
+CVE: CVE-2025-12084
+Upstream-Status: Backport [https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py                        | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 699265ccadc..ab4823c8315 100644
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -2,13 +2,14 @@
+ 
+ import copy
+ import pickle
++import time
+ import io
+ from test import support
+ import unittest
+ 
+ import xml.dom.minidom
+ 
+-from xml.dom.minidom import parse, Attr, Node, Document, parseString
++from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+ 
+@@ -176,6 +177,36 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
++    @support.requires_resource('cpu')
++    def testAppendChildNoQuadraticComplexity(self):
++        impl = getDOMImplementation()
++
++        newdoc = impl.createDocument(None, "some_tag", None)
++        top_element = newdoc.documentElement
++        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
++        element = top_element
++
++        start = time.monotonic()
++        for child in children:
++            element.appendChild(child)
++            element = child
++        end = time.monotonic()
++
++        # This example used to take at least 30 seconds.
++        # Conservative assertion due to the wide variety of systems and
++        # build configs timing based tests wind up run under.
++        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
++        # completes this loop in <0.5 seconds.
++        self.assertLess(end - start, 4)
++
++    def testSetAttributeNodeWithoutOwnerDocument(self):
++        # regression test for gh-142754
++        elem = Element("test")
++        attr = Attr("id")
++        attr.value = "test-id"
++        elem.setAttributeNode(attr)
++        self.assertEqual(elem.getAttribute("id"), "test-id")
++
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index ef8a159833b..cada981f39f 100644
+--- a/Lib/xml/dom/minidom.py
++++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
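Review bot: dropping the module-level `_in_document` helper is fine for the one caller this patch touches (`_clear_id_cache` below), but as a backport into 3.12 it should be confirmed that nothing else in the scarthgap python3 tree, including other CVE patches already in SRC_URI, still references it; an `AttributeError` here would only surface at runtime when an element with an `id` attribute is modified.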
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+                  prefix=None):
+         self.ownerElement = None
++        self.ownerDocument = None
+         self._name = qName
+         self.namespaceURI = namespaceURI
+         self._prefix = prefix
+@@ -680,6 +674,7 @@ class Element(Node):
+ 
+     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+                  localName=None):
++        self.ownerDocument = None
+         self.parentNode = None
+         self.tagName = self.nodeName = tagName
+         self.prefix = prefix
+@@ -1539,7 +1534,7 @@ def _clear_id_cache(node):
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
++    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
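Review bot: the test changes from "node is currently attached to a Document" (`_in_document` walked `parentNode`) to "node has an `ownerDocument`", so detached subtrees created via `createElement` will now also clear the document's id cache. That is harmless, just extra clearing, but a short comment on the line would spare the next reader the question. It also means every node that can reach `_clear_id_cache` must have an `ownerDocument` attribute, which is exactly why the `Attr.__init__` and `Element.__init__` hunks above add `self.ownerDocument = None`; the three hunks are only correct together and should not be cherry-picked separately.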
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 00000000000..05c7df35d14
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
++Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
++to do this without breaking existing users, we also add the *ownerDocument*
++attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
++instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
++nodes is not supported; creator functions like
++:py:meth:`xml.dom.Document.documentElement` should be used instead.
diff --git a/meta/recipes-devtools/python/python3_3.12.12.bb b/meta/recipes-devtools/python/python3_3.12.12.bb
index b70f434ca9..786f52875a 100644
--- a/meta/recipes-devtools/python/python3_3.12.12.bb
+++ b/meta/recipes-devtools/python/python3_3.12.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 	   file://0001-test_active_children-skip-problematic-test.patch \
            file://0001-test_readline-skip-limited-history-test.patch \
            file://CVE-2025-6075.patch \
+           file://CVE-2025-12084.patch \
            "
 
 SRC_URI:append:class-native = " \



* [OE-core][scarthgap 02/22] python3: patch CVE-2025-13836
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 01/22] python3: patch CVE-2025-12084 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 03/22] util-linux: patch CVE-2025-14104 Yoann Congal
                   ` (19 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick commit from branch 3.12 mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-13836

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python/python3/CVE-2025-13836.patch       | 162 ++++++++++++++++++
 .../python/python3_3.12.12.bb                 |   1 +
 2 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13836.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13836.patch b/meta/recipes-devtools/python/python3/CVE-2025-13836.patch
new file mode 100644
index 0000000000..b90fc5f0ec
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-13836.patch
@@ -0,0 +1,162 @@
+From 14b1fdb0a94b96f86fc7b86671ea9582b8676628 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:50:18 +0100
+Subject: [PATCH] [3.12] gh-119451: Fix a potential denial of service in
+ http.client (GH-119454) (#142140)
+
+gh-119451: Fix a potential denial of service in http.client (GH-119454)
+
+Reading the whole body of the HTTP response could cause OOM if
+the Content-Length value is too large even if the server does not send
+a large amount of data. Now the HTTP client reads large data by chunks,
+therefore the amount of consumed memory is proportional to the amount
+of sent data.
+(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+
+CVE: CVE-2025-13836
+Upstream-Status: Backport [https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Lib/http/client.py                            | 28 ++++++--
+ Lib/test/test_httplib.py                      | 66 +++++++++++++++++++
+ ...-05-23-11-47-48.gh-issue-119451.qkJe9-.rst |  5 ++
+ 3 files changed, 95 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index fb29923d942..70451d67d4c 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -111,6 +111,11 @@ responses = {v: v.phrase for v in http.HTTPStatus.__members__.values()}
+ _MAXLINE = 65536
+ _MAXHEADERS = 100
+ 
++# Data larger than this will be read in chunks, to prevent extreme
++# overallocation.
++_MIN_READ_BUF_SIZE = 1 << 20
++
++
+ # Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
+ #
+ # VCHAR          = %x21-7E
+@@ -639,10 +644,25 @@ class HTTPResponse(io.BufferedIOBase):
+         reading. If the bytes are truly not available (due to EOF), then the
+         IncompleteRead exception can be used to detect the problem.
+         """
+-        data = self.fp.read(amt)
+-        if len(data) < amt:
+-            raise IncompleteRead(data, amt-len(data))
+-        return data
++        cursize = min(amt, _MIN_READ_BUF_SIZE)
++        data = self.fp.read(cursize)
++        if len(data) >= amt:
++            return data
++        if len(data) < cursize:
++            raise IncompleteRead(data, amt - len(data))
++
++        data = io.BytesIO(data)
++        data.seek(0, 2)
++        while True:
++            # This is a geometric increase in read size (never more than
++            # doubling out the current length of data per loop iteration).
++            delta = min(cursize, amt - cursize)
++            data.write(self.fp.read(delta))
++            if data.tell() >= amt:
++                return data.getvalue()
++            cursize += delta
++            if data.tell() < cursize:
++                raise IncompleteRead(data.getvalue(), amt - data.tell())
+ 
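Review bot: the chunked loop looks right: `cursize = min(amt, _MIN_READ_BUF_SIZE)` means the loop is never entered for small bodies, `delta = min(cursize, amt - cursize)` never reads past `amt`, and a short `read(delta)` is caught by `data.tell() < cursize`, which preserves the old `IncompleteRead` semantics. Two small points: the comment "never more than doubling out the current length" reads awkwardly, "never more than doubling the current length" is clearer; and since only `_safe_read` is changed, it is worth confirming during review that `response.read()` with no `amt`, the path the new tests exercise, goes through `_safe_read` rather than the unchanged `_safe_readinto` directly below.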
+     def _safe_readinto(self, b):
+         """Same as _safe_read, but for reading into a buffer."""
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index 01f5a101901..e46dac00779 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -1452,6 +1452,72 @@ class BasicTest(TestCase):
+         thread.join()
+         self.assertEqual(result, b"proxied data\n")
+ 
++    def test_large_content_length(self):
++        serv = socket.create_server((HOST, 0))
++        self.addCleanup(serv.close)
++
++        def run_server():
++            [conn, address] = serv.accept()
++            with conn:
++                while conn.recv(1024):
++                    conn.sendall(
++                        b"HTTP/1.1 200 Ok\r\n"
++                        b"Content-Length: %d\r\n"
++                        b"\r\n" % size)
++                    conn.sendall(b'A' * (size//3))
++                    conn.sendall(b'B' * (size - size//3))
++
++        thread = threading.Thread(target=run_server)
++        thread.start()
++        self.addCleanup(thread.join, 1.0)
++
++        conn = client.HTTPConnection(*serv.getsockname())
++        try:
++            for w in range(15, 27):
++                size = 1 << w
++                conn.request("GET", "/")
++                with conn.getresponse() as response:
++                    self.assertEqual(len(response.read()), size)
++        finally:
++            conn.close()
++            thread.join(1.0)
++
++    def test_large_content_length_truncated(self):
++        serv = socket.create_server((HOST, 0))
++        self.addCleanup(serv.close)
++
++        def run_server():
++            while True:
++                [conn, address] = serv.accept()
++                with conn:
++                    conn.recv(1024)
++                    if not size:
++                        break
++                    conn.sendall(
++                        b"HTTP/1.1 200 Ok\r\n"
++                        b"Content-Length: %d\r\n"
++                        b"\r\n"
++                        b"Text" % size)
++
++        thread = threading.Thread(target=run_server)
++        thread.start()
++        self.addCleanup(thread.join, 1.0)
++
++        conn = client.HTTPConnection(*serv.getsockname())
++        try:
++            for w in range(18, 65):
++                size = 1 << w
++                conn.request("GET", "/")
++                with conn.getresponse() as response:
++                    self.assertRaises(client.IncompleteRead, response.read)
++                conn.close()
++        finally:
++            conn.close()
++            size = 0
++            conn.request("GET", "/")
++            conn.close()
++            thread.join(1.0)
++
+     def test_putrequest_override_domain_validation(self):
+         """
+         It should be possible to override the default validation
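Review bot: both `run_server` closures read `size` from the enclosing scope on a different thread; this is safe only because `size` is assigned before each `conn.request`, and a one-line comment saying so would stop it looking like a race. `self.addCleanup(thread.join, 1.0)` duplicates the explicit `thread.join(1.0)` in each `finally`; one of the two can go. In `test_large_content_length_truncated` the `finally` block issues a final request with `size = 0` so the server loop's `if not size: break` can exit; that handshake deserves a comment too, since without it the cleanup join would time out and leave the thread running.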
+diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+new file mode 100644
+index 00000000000..6d6f25cd2f8
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+@@ -0,0 +1,5 @@
++Fix a potential memory denial of service in the :mod:`http.client` module.
++When connecting to a malicious server, it could cause
++an arbitrary amount of memory to be allocated.
++This could have led to symptoms including a :exc:`MemoryError`, swapping, out
++of memory (OOM) killed processes or containers, or even system crashes.
diff --git a/meta/recipes-devtools/python/python3_3.12.12.bb b/meta/recipes-devtools/python/python3_3.12.12.bb
index 786f52875a..280d98424a 100644
--- a/meta/recipes-devtools/python/python3_3.12.12.bb
+++ b/meta/recipes-devtools/python/python3_3.12.12.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-test_readline-skip-limited-history-test.patch \
            file://CVE-2025-6075.patch \
            file://CVE-2025-12084.patch \
+           file://CVE-2025-13836.patch \
            "
 
 SRC_URI:append:class-native = " \



* [OE-core][scarthgap 03/22] util-linux: patch CVE-2025-14104
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 01/22] python3: patch CVE-2025-12084 Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 02/22] python3: patch CVE-2025-13836 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 04/22] qemu: ignore CVE-2025-54566 and CVE-2025-54567 Yoann Congal
                   ` (18 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patches per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-14104

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/util-linux/util-linux.inc   |  2 ++
 .../util-linux/CVE-2025-14104-01.patch        | 33 +++++++++++++++++++
 .../util-linux/CVE-2025-14104-02.patch        | 28 ++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index ccab4b17f4..4797682c5d 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -44,6 +44,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://CVE-2024-28085-0002.patch \
 	   file://fstab-isolation.patch \
            file://sys-utils-hwclock-rtc-fix-pointer-usage.patch \
+           file://CVE-2025-14104-01.patch \
+           file://CVE-2025-14104-02.patch \
            "
 
 SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
new file mode 100644
index 0000000000..23677345c9
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
@@ -0,0 +1,33 @@
+From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH] Update setpwnam.c
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..95e470b5a 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
++		if (!found &&
++		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
++		    strlen(linebuf) > namelen &&
++		    linebuf[namelen] == ':') {
++			/* Yes! But this time let’s not walk past the end of the buffer
++			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
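Review bot: reordering so `strncmp` runs before `linebuf[namelen]` is the right fix, but note that the added `strlen(linebuf) > namelen` guard is what actually keeps the index in bounds here: `strncmp(...) == 0` only guarantees the first `namelen` bytes match, not that the buffer holds a byte at index `namelen`. That index can still sit one past the end of the `malloc(buflen)` allocation whenever `namelen >= buflen`, so this hunk depends on the second patch (CVE-2025-14104-02) enlarging `buflen`; the two patches should be applied together, as they are in this series. Minor: the new comment contains a non-ASCII apostrophe ("let’s"); a plain `'` is preferable in C sources.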
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
new file mode 100644
index 0000000000..9d21db2743
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
@@ -0,0 +1,28 @@
+From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH] Update bufflen
+
+Update buflen
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b5a..7778e98f7 100644
+--- a/login-utils/setpwnam.c
++++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
++	if (namelen > buflen)
++		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
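Review bot: the bound `if (namelen > buflen)` at the top of the hunk leaves namelen == buflen unhandled: a name exactly buflen bytes long cannot fit in linebuf together with the ':' separator and the terminating NUL, so, assuming lines are read into linebuf in buflen-sized pieces, that entry can never be matched and is silently not updated. `>=` (or sizing as namelen plus a fixed margin for the separator and terminator) would be the safer bound. Since the first patch's reordered check already guards the index, this is a matching-correctness point rather than a memory-safety one. Minor: the subject reads 'Update bufflen' while the body says 'Update buflen'.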


^ permalink raw reply related	[flat|nested] 28+ messages in thread

* [OE-core][scarthgap 04/22] qemu: ignore CVE-2025-54566 and CVE-2025-54567
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (2 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 03/22] util-linux: patch CVE-2025-14104 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 05/22] glib-2.0: patch CVE-2025-13601 Yoann Congal
                   ` (17 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

These CVEs are not applicable to version 8.2.x as the vulnerable code
was introduced only in 10.0.0.

Debian made the analysis; reuse their work.
* https://security-tracker.debian.org/tracker/CVE-2025-54566
* https://security-tracker.debian.org/tracker/CVE-2025-54567

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index dde3b0be13..748a32215e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -88,6 +88,9 @@ CVE_STATUS[CVE-2023-1386] = "disputed: not an issue as per https://bugzilla.redh
 
 CVE_STATUS[CVE-2024-7730] = "fixed-version: this is fixed in v8.2.7"
 
+CVE_STATUS[CVE-2025-54566] = "cpe-incorrect: This issue was introduced in v10.0.0-rc0"
+CVE_STATUS[CVE-2025-54567] = "cpe-incorrect: This issue was introduced in v10.0.0-rc0"
+
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
 COMPATIBLE_HOST:riscv32 = "null"
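Review bot: the two new CVE_STATUS entries justify the exclusion with 'introduced in v10.0.0-rc0' but do not say where that was established; the commit message points at the Debian tracker, and the existing CVE-2023-1386 entry at the top of the hunk shows the local convention of citing the source URL inside the status string. Suggest appending the tracker link, e.g. `cpe-incorrect: introduced in v10.0.0-rc0, see https://security-tracker.debian.org/tracker/CVE-2025-54566`, so the claim can be re-checked without the git history. `cpe-incorrect` is the appropriate status here, since the point is that the NVD affected-version range wrongly covers 8.2.x.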




* [OE-core][scarthgap 05/22] glib-2.0: patch CVE-2025-13601
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (3 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 04/22] qemu: ignore CVE-2025-54566 and CVE-2025-54567 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 06/22] glib-2.0: patch CVE-2025-14087 Yoann Congal
                   ` (16 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick commits from [1] per [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../glib-2.0/glib-2.0/CVE-2025-13601-01.patch | 125 +++++++++++++++++
 .../glib-2.0/glib-2.0/CVE-2025-13601-02.patch | 128 ++++++++++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   2 +
 3 files changed, 255 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
new file mode 100644
index 0000000000..ae78832579
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
@@ -0,0 +1,125 @@
+From f28340ee62c655487972ad3c632d231ee098fb7f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3827
+
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/f28340ee62c655487972ad3c632d231ee098fb7f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index b066dd5a8..a02d2ea73 100644
+--- a/glib/gconvert.c
++++ b/glib/gconvert.c
+@@ -1428,8 +1428,9 @@ static const gchar hex[] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+  * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string, 
+-		     UnsafeCharacterSet mask)
++g_escape_uri_string (const gchar         *string,
++                     UnsafeCharacterSet   mask,
++                     GError             **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+ 
+@@ -1437,7 +1438,7 @@ g_escape_uri_string (const gchar *string,
+   gchar *q;
+   gchar *result;
+   int c;
+-  gint unacceptable;
++  size_t unacceptable;
+   UnsafeCharacterSet use_mask;
+   
+   g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1454,7 +1455,14 @@ g_escape_uri_string (const gchar *string,
+       if (!ACCEPTABLE (c)) 
+ 	unacceptable++;
+     }
+-  
++
++  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
++    {
++      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
++                           _("The URI is too long"));
++      return NULL;
++    }
++
+   result = g_malloc (p - string + unacceptable * 2 + 1);
+   
+   use_mask = mask;
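Review bot: the guard `unacceptable >= (G_MAXSIZE - (p - string)) / 2` deserves a comment stating the invariant it enforces, because the `>=` and `/ 2` are easy to get wrong in a backport. It is correct: with n = p - string and an accepted count u <= (G_MAXSIZE - n)/2 - 1, the allocation n + 2*u + 1 is at most G_MAXSIZE - 1, so the g_malloc() size cannot wrap. Since `unacceptable` can never exceed n (every unacceptable byte is one byte of input), the rejection branch is only reachable for inputs of roughly G_MAXSIZE/3 bytes; on real systems the change of the counter from `gint` to `size_t` is the part that matters, as the old counter went negative after more than INT_MAX unacceptable bytes. `p - string` is a ptrdiff_t, non-negative here, so its implicit conversion to size_t in the subtraction is harmless.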
+@@ -1479,12 +1487,13 @@ g_escape_uri_string (const gchar *string,
+ 
+ 
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+-		   const gchar *pathname)
++g_escape_file_uri (const gchar  *hostname,
++                   const gchar  *pathname,
++                   GError      **error)
+ {
+   char *escaped_hostname = NULL;
+-  char *escaped_path;
+-  char *res;
++  char *escaped_path = NULL;
++  char *res = NULL;
+ 
+ #ifdef G_OS_WIN32
+   char *p, *backslash;
+@@ -1505,10 +1514,14 @@ g_escape_file_uri (const gchar *hostname,
+ 
+   if (hostname && *hostname != '\0')
+     {
+-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
++      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
++      if (escaped_hostname == NULL)
++        goto out;
+     }
+ 
+-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
++  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
++  if (escaped_path == NULL)
++    goto out;
+ 
+   res = g_strconcat ("file://",
+ 		     (escaped_hostname) ? escaped_hostname : "",
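Review bot: the early `goto out` after a failed hostname escape leaves `escaped_path` NULL, and the exit after a failed path escape leaves `res` NULL; both are only safe because the previous hunk initialises those locals to NULL, so whatever cleanup follows `out:` does not see indeterminate pointers. The two hunks must travel together in any further backport. Passing the same `error` to both calls is also right as written: when the hostname escape fails the path escape is skipped, so `error` is never set a second time, which would otherwise trigger GLib's warning about setting a GError over an existing one.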
+@@ -1516,6 +1529,7 @@ g_escape_file_uri (const gchar *hostname,
+ 		     escaped_path,
+ 		     NULL);
+ 
++out:
+ #ifdef G_OS_WIN32
+   g_free ((char *) pathname);
+ #endif
+@@ -1849,7 +1863,7 @@ g_filename_to_uri (const gchar *filename,
+     hostname = NULL;
+ #endif
+ 
+-  escaped_uri = g_escape_file_uri (hostname, filename);
++  escaped_uri = g_escape_file_uri (hostname, filename, error);
+ 
+   return escaped_uri;
+ }
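Review bot: passing `error` straight through means g_filename_to_uri() now also fails with G_CONVERT_ERROR_BAD_URI ('The URI is too long') on top of its existing failure cases. The function already documents a NULL return on error, so the contract is unchanged, but the new error code should be listed in the function's documentation comment, which this hunk does not touch; callers that only expected failure for relative paths will otherwise not know to handle it.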
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
new file mode 100644
index 0000000000..75c4955316
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
@@ -0,0 +1,128 @@
+From 7bd3fc372040cdf8eada7f65c32c30da52a7461d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:31:43 +0000
+Subject: [PATCH] fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
+
+These functions could be called on untrusted input data, and since they
+do URI escaping/unescaping, they have non-trivial string handling code.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+See: #3827
+
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/7bd3fc372040cdf8eada7f65c32c30da52a7461d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fuzzing/fuzz_filename_from_uri.c | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/fuzz_filename_to_uri.c   | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/meson.build              |  2 ++
+ 3 files changed, 82 insertions(+)
+ create mode 100644 fuzzing/fuzz_filename_from_uri.c
+ create mode 100644 fuzzing/fuzz_filename_to_uri.c
+
+diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c
+new file mode 100644
+index 000000000..9b7a715f0
+--- /dev/null
++++ b/fuzzing/fuzz_filename_from_uri.c
+@@ -0,0 +1,40 @@
++/*
++ * Copyright 2025 GNOME Foundation, Inc.
++ *
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "fuzz.h"
++
++int
++LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
++{
++  unsigned char *nul_terminated_data = NULL;
++  char *filename = NULL;
++  GError *local_error = NULL;
++
++  fuzz_set_logging_func ();
++
++  /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */
++  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
++  filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
++  g_free (nul_terminated_data);
++
++  g_free (filename);
++  g_clear_error (&local_error);
++
++  return 0;
++}
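Review bot: the harness frees the result and clears the error but never checks the GError contract, so a bug where g_filename_from_uri() returns NULL without setting `local_error`, or sets it while also returning a string, passes unnoticed; adding `g_assert ((filename == NULL) == (local_error != NULL));` before the frees turns such a violation into a crash the fuzzer reports. The same applies to fuzz_filename_to_uri.c below, which has the identical shape. Also, g_strndup() stops at the first NUL byte, so inputs with embedded NULs only exercise their prefix; that is inherent to fuzzing a C-string API and acceptable, but worth a word in the comment that already explains why `size` is ignored.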
+diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c
+new file mode 100644
+index 000000000..acb319203
+--- /dev/null
++++ b/fuzzing/fuzz_filename_to_uri.c
+@@ -0,0 +1,40 @@
++/*
++ * Copyright 2025 GNOME Foundation, Inc.
++ *
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "fuzz.h"
++
++int
++LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
++{
++  unsigned char *nul_terminated_data = NULL;
++  char *uri = NULL;
++  GError *local_error = NULL;
++
++  fuzz_set_logging_func ();
++
++  /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */
++  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
++  uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
++  g_free (nul_terminated_data);
++
++  g_free (uri);
++  g_clear_error (&local_error);
++
++  return 0;
++}
+diff --git a/fuzzing/meson.build b/fuzzing/meson.build
+index addbe9071..05f936eeb 100644
+--- a/fuzzing/meson.build
++++ b/fuzzing/meson.build
+@@ -22,6 +22,8 @@ fuzz_targets = [
+   'fuzz_date_parse',
+   'fuzz_date_time_new_from_iso8601',
+   'fuzz_dbus_message',
++  'fuzz_filename_from_uri',
++  'fuzz_filename_to_uri',
+   'fuzz_inet_address_mask_new_from_string',
+   'fuzz_inet_address_new_from_string',
+   'fuzz_inet_socket_address_new_from_string',
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index 9f93655739..e80ddab4d6 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -33,6 +33,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://CVE-2025-6052-01.patch \
            file://CVE-2025-6052-02.patch \
            file://CVE-2025-6052-03.patch \
+           file://CVE-2025-13601-01.patch \
+           file://CVE-2025-13601-02.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \



* [OE-core][scarthgap 06/22] glib-2.0: patch CVE-2025-14087
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (4 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 05/22] glib-2.0: patch CVE-2025-13601 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 07/22] glib-2.0: patch CVE-2025-14512 Yoann Congal
                   ` (15 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick commits from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3834

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../glib-2.0/glib-2.0/CVE-2025-14087-01.patch |  69 +++++
 .../glib-2.0/glib-2.0/CVE-2025-14087-02.patch | 240 ++++++++++++++++++
 .../glib-2.0/glib-2.0/CVE-2025-14087-03.patch | 150 +++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |   3 +
 4 files changed, 462 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
new file mode 100644
index 0000000000..6ff7747018
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
@@ -0,0 +1,69 @@
+From 31f82e22e21bae520b7228f7f57d357fb20df8a4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:02:56 +0000
+Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
+ (byte)strings
+
+The termination condition for parsing string and bytestring literals in
+GVariant text format input was subject to an integer overflow for input
+string (or bytestring) literals longer than `INT_MAX`.
+
+Fix that by counting as a `size_t` rather than as an `int`. The counter
+can never correctly be negative.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3834
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/31f82e22e21bae520b7228f7f57d357fb20df8a4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2f1d3db9f..2d6e9856f 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -597,7 +597,7 @@ ast_resolve (AST     *ast,
+ {
+   GVariant *value;
+   gchar *pattern;
+-  gint i, j = 0;
++  size_t i, j = 0;
+ 
+   pattern = ast_get_pattern (ast, error);
+ 
+@@ -1621,9 +1621,9 @@ string_free (AST *ast)
+  * No leading/trailing space allowed. */
+ static gboolean
+ unicode_unescape (const gchar  *src,
+-                  gint         *src_ofs,
++                  size_t       *src_ofs,
+                   gchar        *dest,
+-                  gint         *dest_ofs,
++                  size_t       *dest_ofs,
+                   gsize         length,
+                   SourceRef    *ref,
+                   GError      **error)
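Review bot: changing `src_ofs` and `dest_ofs` to `size_t *` changes the prototype, so every caller must now pass a `size_t` lvalue. The two callers visible in this patch (string_parse and bytestring_parse, whose `i, j` become `size_t` in the following hunks and are presumably the offsets passed here) are covered, and with GCC 14 treating incompatible pointer types as an error any missed caller would fail to compile rather than silently mismatch. What the diff cannot show, and is worth checking by hand, is any loop in these functions that counts `i` or `j` downwards or compares them against a signed length: `i >= 0` on a `size_t` is always true.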
+@@ -1684,7 +1684,7 @@ string_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+@@ -1814,7 +1814,7 @@ bytestring_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
++  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
new file mode 100644
index 0000000000..787c2564ab
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
@@ -0,0 +1,240 @@
+From ac9de0871281cf734f6e269988f90a2521582a08 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:19:16 +0000
+Subject: [PATCH] gvariant-parser: Use size_t to count numbers of child
+ elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than using `gint`, which could overflow for arrays (or dicts, or
+tuples) longer than `INT_MAX`. There may be other limits which prevent
+parsed containers becoming that long, but we might as well make the type
+system reflect the programmer’s intention as best it can anyway.
+
+For arrays and tuples this is straightforward. For dictionaries, it’s
+slightly complicated by the fact that the code used
+`dict->n_children == -1` to indicate that the `Dictionary` struct in
+question actually represented a single freestanding dict entry. In
+GVariant text format, that would be `{1, "one"}`.
+
+The implementation previously didn’t define the semantics of
+`dict->n_children < -1`.
+
+Now, instead, change `Dictionary.n_children` to `size_t`, and define a
+magic value `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY` to indicate that
+the `Dictionary` represents a single freestanding dict entry.
+
+This magic value is `SIZE_MAX`, and given that a dictionary entry takes
+more than one byte to represent in GVariant text format, that means it’s
+not possible to have that many entries in a parsed dictionary, so this
+magic value won’t be hit by a normal dictionary. An assertion checks
+this anyway.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ac9de0871281cf734f6e269988f90a2521582a08]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 58 ++++++++++++++++++++++++------------------
+ 1 file changed, 33 insertions(+), 25 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2d6e9856f..519baa3f3 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -650,9 +650,9 @@ static AST *parse (TokenStream  *stream,
+                    GError      **error);
+ 
+ static void
+-ast_array_append (AST  ***array,
+-                  gint   *n_items,
+-                  AST    *ast)
++ast_array_append (AST    ***array,
++                  size_t   *n_items,
++                  AST      *ast)
+ {
+   if ((*n_items & (*n_items - 1)) == 0)
+     *array = g_renew (AST *, *array, *n_items ? 2 ** n_items : 1);
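Review bot: the power-of-two growth test `(*n_items & (*n_items - 1)) == 0` now relies on unsigned wrap for the first append: with `*n_items == 0` the subtraction yields SIZE_MAX and `0 & SIZE_MAX` is 0, exactly as `0 & -1` was with `gint`, so one slot is allocated. It is correct, but a one-line comment would spare the next reader the double take. The doubling `2 ** n_items` cannot wrap before the element count is already absurd, and g_renew() goes through the overflow-checked g_realloc_n(), so a wrapped size would abort rather than produce a too-small array.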
+@@ -661,10 +661,10 @@ ast_array_append (AST  ***array,
+ }
+ 
+ static void
+-ast_array_free (AST  **array,
+-                gint   n_items)
++ast_array_free (AST    **array,
++                size_t   n_items)
+ {
+-  gint i;
++  size_t i;
+ 
+   for (i = 0; i < n_items; i++)
+     ast_free (array[i]);
+@@ -673,11 +673,11 @@ ast_array_free (AST  **array,
+ 
+ static gchar *
+ ast_array_get_pattern (AST    **array,
+-                       gint     n_items,
++                       size_t   n_items,
+                        GError **error)
+ {
+   gchar *pattern;
+-  gint i;
++  size_t i;
+ 
+   /* Find the pattern which applies to all children in the array, by l-folding a
+    * coalesce operation.
+@@ -709,7 +709,7 @@ ast_array_get_pattern (AST    **array,
+          * pair of values.
+          */
+         {
+-          int j = 0;
++          size_t j = 0;
+ 
+           while (TRUE)
+             {
+@@ -957,7 +957,7 @@ typedef struct
+   AST ast;
+ 
+   AST **children;
+-  gint n_children;
++  size_t n_children;
+ } Array;
+ 
+ static gchar *
+@@ -990,7 +990,7 @@ array_get_value (AST                 *ast,
+   Array *array = (Array *) ast;
+   const GVariantType *childtype;
+   GVariantBuilder builder;
+-  gint i;
++  size_t i;
+ 
+   if (!g_variant_type_is_array (type))
+     return ast_type_error (ast, type, error);
+@@ -1076,7 +1076,7 @@ typedef struct
+   AST ast;
+ 
+   AST **children;
+-  gint n_children;
++  size_t n_children;
+ } Tuple;
+ 
+ static gchar *
+@@ -1086,7 +1086,7 @@ tuple_get_pattern (AST     *ast,
+   Tuple *tuple = (Tuple *) ast;
+   gchar *result = NULL;
+   gchar **parts;
+-  gint i;
++  size_t i;
+ 
+   parts = g_new (gchar *, tuple->n_children + 4);
+   parts[tuple->n_children + 1] = (gchar *) ")";
+@@ -1116,7 +1116,7 @@ tuple_get_value (AST                 *ast,
+   Tuple *tuple = (Tuple *) ast;
+   const GVariantType *childtype;
+   GVariantBuilder builder;
+-  gint i;
++  size_t i;
+ 
+   if (!g_variant_type_is_tuple (type))
+     return ast_type_error (ast, type, error);
+@@ -1308,9 +1308,16 @@ typedef struct
+ 
+   AST **keys;
+   AST **values;
+-  gint n_children;
++
++  /* Iff this is DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY then this struct
++   * represents a single freestanding dict entry (`{1, "one"}`) rather than a
++   * full dict. In the freestanding case, @keys and @values have exactly one
++   * member each. */
++  size_t n_children;
+ } Dictionary;
+ 
++#define DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)
++
+ static gchar *
+ dictionary_get_pattern (AST     *ast,
+                         GError **error)
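Review bot: the sentinel `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)` has the same bit pattern as the old `-1`, so a comparison `n_children == -1` left unconverted anywhere else would still compile and still be true after the usual arithmetic conversions, while a leftover `n_children > -1` (the form dictionary_free used) would become a compare against SIZE_MAX that is always false, with no diagnostic unless -Wsign-compare is enabled. The hunks below convert every occurrence visible in this file; a grep for `n_children` against `-1` after applying the series is the cheap way to confirm none remain. The struct comment spelling out the one-key/one-value invariant for the freestanding case is a welcome addition.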
+@@ -1325,7 +1332,7 @@ dictionary_get_pattern (AST     *ast,
+     return g_strdup ("Ma{**}");
+ 
+   key_pattern = ast_array_get_pattern (dict->keys,
+-                                       abs (dict->n_children),
++                                       (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? 1 : dict->n_children,
+                                        error);
+ 
+   if (key_pattern == NULL)
+@@ -1356,7 +1363,7 @@ dictionary_get_pattern (AST     *ast,
+     return NULL;
+ 
+   result = g_strdup_printf ("M%s{%c%s}",
+-                            dict->n_children > 0 ? "a" : "",
++                            (dict->n_children > 0 && dict->n_children != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? "a" : "",
+                             key_char, value_pattern);
+   g_free (value_pattern);
+ 
+@@ -1370,7 +1377,7 @@ dictionary_get_value (AST                 *ast,
+ {
+   Dictionary *dict = (Dictionary *) ast;
+ 
+-  if (dict->n_children == -1)
++  if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+     {
+       const GVariantType *subtype;
+       GVariantBuilder builder;
+@@ -1403,7 +1410,7 @@ dictionary_get_value (AST                 *ast,
+     {
+       const GVariantType *entry, *key, *val;
+       GVariantBuilder builder;
+-      gint i;
++      size_t i;
+ 
+       if (!g_variant_type_is_subtype_of (type, G_VARIANT_TYPE_DICTIONARY))
+         return ast_type_error (ast, type, error);
+@@ -1444,12 +1451,12 @@ static void
+ dictionary_free (AST *ast)
+ {
+   Dictionary *dict = (Dictionary *) ast;
+-  gint n_children;
++  size_t n_children;
+ 
+-  if (dict->n_children > -1)
+-    n_children = dict->n_children;
+-  else
++  if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+     n_children = 1;
++  else
++    n_children = dict->n_children;
+ 
+   ast_array_free (dict->keys, n_children);
+   ast_array_free (dict->values, n_children);
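Review bot: this is the one site where the type change would have silently inverted behaviour rather than failing to build: the old `if (dict->n_children > -1)` on a `size_t` compares against SIZE_MAX and is never true, so without this hunk every real dictionary would have been freed as a single entry and leaked all but its first key/value pair. Rewriting it as an explicit sentinel compare is correct, and putting the sentinel case first reads better. Nothing further needed here.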
+@@ -1467,7 +1474,7 @@ dictionary_parse (TokenStream  *stream,
+     maybe_wrapper, dictionary_get_value,
+     dictionary_free
+   };
+-  gint n_keys, n_values;
++  size_t n_keys, n_values;
+   gboolean only_one;
+   Dictionary *dict;
+   AST *first;
+@@ -1510,7 +1517,7 @@ dictionary_parse (TokenStream  *stream,
+         goto error;
+ 
+       g_assert (n_keys == 1 && n_values == 1);
+-      dict->n_children = -1;
++      dict->n_children = DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY;
+ 
+       return (AST *) dict;
+     }
+@@ -1543,6 +1550,7 @@ dictionary_parse (TokenStream  *stream,
+     }
+ 
+   g_assert (n_keys == n_values);
++  g_assert (n_keys != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY);
+   dict->n_children = n_keys;
+ 
+   return (AST *) dict;
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch
new file mode 100644
index 0000000000..38348c0927
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch
@@ -0,0 +1,150 @@
+From acaabfedff42e974334dd5368e6103d2845aaba6 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:25:58 +0000
+Subject: [PATCH] gvariant-parser: Convert error handling code to use size_t
+
+The error handling code allows for printing out the range of input bytes
+related to a parsing error. This was previously done using `gint`, but
+the input could be longer than `INT_MAX`, so it should really be done
+using `size_t`.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/acaabfedff42e974334dd5368e6103d2845aaba6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 519baa3f3..1b1ddd654 100644
+--- a/glib/gvariant-parser.c
++++ b/glib/gvariant-parser.c
+@@ -91,7 +91,9 @@ g_variant_parser_get_error_quark (void)
+ 
+ typedef struct
+ {
+-  gint start, end;
++  /* Offsets from the start of the input, in bytes. Can be equal when referring
++   * to a point rather than a range. The invariant `end >= start` always holds. */
++  size_t start, end;
+ } SourceRef;
+ 
+ G_GNUC_PRINTF(5, 0)
+@@ -106,14 +108,16 @@ parser_set_error_va (GError      **error,
+   GString *msg = g_string_new (NULL);
+ 
+   if (location->start == location->end)
+-    g_string_append_printf (msg, "%d", location->start);
++    g_string_append_printf (msg, "%" G_GSIZE_FORMAT, location->start);
+   else
+-    g_string_append_printf (msg, "%d-%d", location->start, location->end);
++    g_string_append_printf (msg, "%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
++                            location->start, location->end);
+ 
+   if (other != NULL)
+     {
+       g_assert (other->start != other->end);
+-      g_string_append_printf (msg, ",%d-%d", other->start, other->end);
++      g_string_append_printf (msg, ",%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
++                              other->start, other->end);
+     }
+   g_string_append_c (msg, ':');
+ 
+@@ -140,11 +144,15 @@ parser_set_error (GError      **error,
+ 
+ typedef struct
+ {
++  /* We should always have the following ordering constraint:
++   *   start <= this <= stream <= end
++   * Additionally, unless in an error or EOF state, `this < stream`.
++   */
+   const gchar *start;
+   const gchar *stream;
+   const gchar *end;
+ 
+-  const gchar *this;
++  const gchar *this;  /* (nullable) */
+ } TokenStream;
+ 
+ 
+@@ -175,7 +183,7 @@ token_stream_set_error (TokenStream  *stream,
+ static gboolean
+ token_stream_prepare (TokenStream *stream)
+ {
+-  gint brackets = 0;
++  gssize brackets = 0;
+   const gchar *end;
+ 
+   if (stream->this != NULL)
+@@ -405,7 +413,7 @@ static void
+ pattern_copy (gchar       **out,
+               const gchar **in)
+ {
+-  gint brackets = 0;
++  gssize brackets = 0;
+ 
+   while (**in == 'a' || **in == 'm' || **in == 'M')
+     *(*out)++ = *(*in)++;
+@@ -2742,7 +2750,7 @@ g_variant_builder_add_parsed (GVariantBuilder *builder,
+ static gboolean
+ parse_num (const gchar *num,
+            const gchar *limit,
+-           guint       *result)
++           size_t      *result)
+ {
+   gchar *endptr;
+   gint64 bignum;
+@@ -2752,10 +2760,12 @@ parse_num (const gchar *num,
+   if (endptr != limit)
+     return FALSE;
+ 
++  /* The upper bound here is more restrictive than it technically needs to be,
++   * but should be enough for any practical situation: */
+   if (bignum < 0 || bignum > G_MAXINT)
+     return FALSE;
+ 
+-  *result = (guint) bignum;
++  *result = (size_t) bignum;
+ 
+   return TRUE;
+ }
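Review bot: parse_num() now writes a `size_t` but still rejects anything above G_MAXINT, so the offsets that parser_set_error_va() now prints with G_GSIZE_FORMAT cannot be read back by g_variant_parse_error_print_context() once they exceed INT_MAX; for such inputs the error message is correct but the context printer gives up. The comment flags the bound as deliberately tight, which is acceptable for a security backport, but the round trip is now asymmetric. Since `bignum` is a `gint64`, the bound could be raised to G_MAXSSIZE without any risk of wrap on either 32- or 64-bit targets.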
+@@ -2766,7 +2776,7 @@ add_last_line (GString     *err,
+ {
+   const gchar *last_nl;
+   gchar *chomped;
+-  gint i;
++  size_t i;
+ 
+   /* This is an error at the end of input.  If we have a file
+    * with newlines, that's probably the empty string after the
+@@ -2911,7 +2921,7 @@ g_variant_parse_error_print_context (GError      *error,
+ 
+   if (dash == NULL || colon < dash)
+     {
+-      guint point;
++      size_t point;
+ 
+       /* we have a single point */
+       if (!parse_num (error->message, colon, &point))
+@@ -2929,7 +2939,7 @@ g_variant_parse_error_print_context (GError      *error,
+       /* We have one or two ranges... */
+       if (comma && comma < colon)
+         {
+-          guint start1, end1, start2, end2;
++          size_t start1, end1, start2, end2;
+           const gchar *dash2;
+ 
+           /* Two ranges */
+@@ -2945,7 +2955,7 @@ g_variant_parse_error_print_context (GError      *error,
+         }
+       else
+         {
+-          guint start, end;
++          size_t start, end;
+ 
+           /* One range */
+           if (!parse_num (error->message, dash, &start) || !parse_num (dash + 1, colon, &end))
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index e80ddab4d6..f4df61c896 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -35,6 +35,9 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://CVE-2025-6052-03.patch \
            file://CVE-2025-13601-01.patch \
            file://CVE-2025-13601-02.patch \
+           file://CVE-2025-14087-01.patch \
+           file://CVE-2025-14087-02.patch \
+           file://CVE-2025-14087-03.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \




* [OE-core][scarthgap 07/22] glib-2.0: patch CVE-2025-14512
@ 2026-01-20 12:08 ` Yoann Congal
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4935
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3845

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../glib-2.0/glib-2.0/CVE-2025-14512.patch    | 70 +++++++++++++++++++
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
new file mode 100644
index 0000000000..689a433079
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
@@ -0,0 +1,70 @@
+From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 4 Dec 2025 16:37:19 +0000
+Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
+ byte strings
+
+The number of invalid characters in the byte string (characters which
+would have to be percent-encoded) was only stored in an `int`, which
+gave the possibility of a long string largely full of invalid
+characters overflowing this and allowing an attacker-controlled buffer
+size to be allocated.
+
+This could be triggered by an attacker controlled file attribute (of
+type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
+`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
+being read by user code.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3845
+
+CVE: CVE-2025-14512
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/1909d8ea9297287f1ff6862968608dcf06e60523]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gfileattribute.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
+index c6fde60fa..d3083e5bd 100644
+--- a/gio/gfileattribute.c
++++ b/gio/gfileattribute.c
+@@ -22,6 +22,7 @@
+ 
+ #include "config.h"
+ 
++#include <stdint.h>
+ #include <string.h>
+ 
+ #include "gfileattribute.h"
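Review bot: `<stdint.h>` is added for the `SIZE_MAX` used by the overflow check further down in this patch; that works, although GLib already provides the equivalent `G_MAXSIZE` through <glib.h>, which would avoid the extra system include and match the rest of the file's conventions.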
+@@ -273,11 +274,12 @@ valid_char (char c)
+   return c >= 32 && c <= 126 && c != '\\';
+ }
+ 
++/* Returns NULL on error */
+ static char *
+ escape_byte_string (const char *str)
+ {
+   size_t i, len;
+-  int num_invalid;
++  size_t num_invalid;
+   char *escaped_val, *p;
+   unsigned char c;
+   const char hex_digits[] = "0123456789abcdef";
+@@ -295,7 +297,12 @@ escape_byte_string (const char *str)
+     return g_strdup (str);
+   else
+     {
+-      escaped_val = g_malloc (len + num_invalid*3 + 1);
++      /* Check for overflow. We want to check the inequality:
++       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
++      if (num_invalid >= (SIZE_MAX - len) / 3)
++        return NULL;
++
++      escaped_val = g_malloc (len + num_invalid * 3 + 1);
+ 
+       p = escaped_val;
+       for (i = 0; i < len; i++)
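Review bot: the guard `num_invalid >= (SIZE_MAX - len) / 3` is correct and slightly conservative: it rejects every case in which `len + num_invalid * 3 + 1` could exceed SIZE_MAX, plus at most one borderline value, so g_malloc can no longer receive a wrapped size. The actual CVE fix is the `int` to `size_t` change in the previous hunk (a wrapped `int` counter is what produced the undersized allocation); this check only matters once `num_invalid` itself is trustworthy. The comment reads more naturally as the positive condition `len + num_invalid * 3 + 1 <= SIZE_MAX` than as a double negation.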
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index f4df61c896..c7e18c7bc4 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -38,6 +38,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://CVE-2025-14087-01.patch \
            file://CVE-2025-14087-02.patch \
            file://CVE-2025-14087-03.patch \
+           file://CVE-2025-14512.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \



* [OE-core][scarthgap 08/22] dropbear: patch CVE-2019-6111
@ 2026-01-20 12:08 ` Yoann Congal
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch mentioning this CVE number.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../dropbear/dropbear/CVE-2019-6111.patch     | 157 ++++++++++++++++++
 .../recipes-core/dropbear/dropbear_2022.83.bb |   1 +
 2 files changed, 158 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch b/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch
new file mode 100644
index 0000000000..f488ff92c0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch
@@ -0,0 +1,157 @@
+From 48a17cff6aa104b8e806ddb2191f83f1024060f1 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Tue, 9 Dec 2025 22:59:19 +0900
+Subject: [PATCH] scp CVE-2019-6111 fix
+
+Cherry-pick from OpenSSH portable
+
+391ffc4b9d31 ("upstream: check in scp client that filenames sent during")
+
+upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+CVE: CVE-2019-6111
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/48a17cff6aa104b8e806ddb2191f83f1024060f1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ scp.c | 38 +++++++++++++++++++++++++++++---------
+ 1 file changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 384f2cb..bf98986 100644
+--- a/scp.c
++++ b/scp.c
+@@ -76,6 +76,8 @@
+ #include "includes.h"
+ /*RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");*/
+ 
++#include <fnmatch.h>
++
+ #include "atomicio.h"
+ #include "compat.h"
+ #include "scpmisc.h"
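Review bot: `<fnmatch.h>` is POSIX and provided by both glibc and musl, so the include is portable across the OE target libcs without a configure-time check.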
+@@ -291,14 +293,14 @@ void verifydir(char *);
+ 
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+ 
+ #define	CMDNEEDS	64
+ char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+ 
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(char *, int, char *[]);
+@@ -325,8 +327,8 @@ main(int argc, char **argv)
+ 	args.list = NULL;
+ 	addargs(&args, "%s", ssh_program);
+ 
+-	fflag = tflag = 0;
+-	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
++	fflag = Tflag = tflag = 0;
++	while ((ch = getopt(argc, argv, "dfl:prtTvBCc:i:P:q1246S:o:F:")) != -1)
+ 		switch (ch) {
+ 		/* User-visible flags. */
+ 		case '1':
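Review bot: `T` is added to the getopt string, but the diffstat shows only scp.c changing and none of the hunks touch usage() or the man page, so the new -T flag (disable the filename check) stays undocumented. For a backport that is acceptable, but a one-line usage() addition would help users who hit the wildcard-mismatch rejection the commit message warns about.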
+@@ -389,9 +391,12 @@ main(int argc, char **argv)
+ 			setmode(0, O_BINARY);
+ #endif
+ 			break;
++		case 'T':
++			Tflag = 1;
++			break;
+ 		default:
+ 			usage();
+-		}
++	}
+ 	argc -= optind;
+ 	argv += optind;
+ 
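Review bot: the `-		}` / `+	}` pair only re-indents the switch's closing brace, which is unrelated whitespace churn inside a security backport; harmless, but it would be cleaner dropped unless it is kept deliberately to stay identical to the upstream commit.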
+@@ -409,7 +414,7 @@ main(int argc, char **argv)
+ 	}
+ 	if (tflag) {
+ 		/* Receive data. */
+-		sink(argc, argv);
++		sink(argc, argv, NULL);
+ 		exit(errs != 0);
+ 	}
+ 	if (argc < 2)
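Review bot: passing NULL as `src` in the `-t` (receive) path correctly disables the restriction on the server side, where the incoming filenames originate from the client's own command line; the check is only meaningful in tolocal(), changed below.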
+@@ -589,7 +594,7 @@ tolocal(int argc, char **argv)
+ 			continue;
+ 		}
+ 		xfree(bp);
+-		sink(1, argv + argc - 1);
++		sink(1, argv + argc - 1, src);
+ 		(void) close(remin);
+ 		remin = remout = -1;
+ 	}
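Review bot: for the check in sink() to mean anything, `src` here must already be the remote path component (the part after `host:`), because sink() takes everything after the last '/' as the glob; where `src` is computed is outside this hunk and should be confirmed, since a value still carrying the host name would reject every file.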
+@@ -822,7 +827,7 @@ bwlimit(int amount)
+ }
+ 
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ 	static BUF buffer;
+ 	struct stat stb;
+@@ -836,6 +841,7 @@ sink(int argc, char **argv)
+ 	off_t size, statbytes;
+ 	int setimes, targisdir, wrerrno = 0;
+ 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
++	char *src_copy = NULL, *restrict_pattern = NULL;
+ 	struct timeval tv[2];
+ 
+ #define	atime	tv[0]
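Review bot: `src_copy` is strdup'd later in this function, but none of the hunks shown free it on any of sink()'s exit paths; the leak is bounded because the copy is made once per source argument, yet a `free(src_copy)` before each return would be cleaner and keeps leak checkers quiet.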
+@@ -857,6 +863,17 @@ sink(int argc, char **argv)
+ 	(void) atomicio(vwrite, remout, "", 1);
+ 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ 		targisdir = 1;
++	if (src != NULL && !iamrecursive && !Tflag) {
++		/*
++		 * Prepare to try to restrict incoming filenames to match
++		 * the requested destination file glob.
++		 */
++		if ((src_copy = strdup(src)) == NULL)
++			fatal("strdup failed");
++		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++			*restrict_pattern++ = '\0';
++		}
++	}
+ 	for (first = 1;; first = 0) {
+ 		cp = buf;
+ 		if (atomicio(read, remin, cp, 1) != 1)
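Review bot: when `src` contains no '/', strrchr() returns NULL and `restrict_pattern` stays NULL, so the fnmatch() check later in sink() is skipped entirely; a plain `scp host:file.txt .` therefore gets no protection from a server that sends a different filename. An `else restrict_pattern = src_copy;` branch would close that gap. The check is also bypassed under `-r` via `!iamrecursive`, which the commit message does not mention.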
+@@ -939,6 +956,9 @@ sink(int argc, char **argv)
+ 			run_err("error: unexpected filename: %s", cp);
+ 			exit(1);
+ 		}
++		if (restrict_pattern != NULL &&
++		    fnmatch(restrict_pattern, cp, 0) != 0)
++			SCREWUP("filename does not match request");
+ 		if (targisdir) {
+ 			static char *namebuf = NULL;
+ 			static size_t cursize = 0;
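Review bot: `fnmatch(restrict_pattern, cp, 0)` is called without FNM_PERIOD, so a pattern such as `*` also accepts names beginning with a dot that a remote shell glob would not have expanded; that is a small widening of what the check allows, while the stricter direction (legitimate files rejected because client and server glob rules differ) is what -T exists for. SCREWUP aborts the whole transfer on the first mismatch rather than skipping the file, which is the right failure mode for a server that is not behaving.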
+@@ -977,7 +997,7 @@ sink(int argc, char **argv)
+ 					goto bad;
+ 			}
+ 			vect[0] = xstrdup(np);
+-			sink(1, vect);
++			sink(1, vect, src);
+ 			if (setimes) {
+ 				setimes = 0;
+ 				if (utimes(vect[0], tv) < 0)
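Review bot: forwarding `src` through the recursive call is harmless but inert: recursion only happens under `-r`, and the `!iamrecursive` condition in the setup hunk means the callee never builds a restriction pattern in that case.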
diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2022.83.bb
index 2ed8d2c2a1..93563aa3b4 100644
--- a/meta/recipes-core/dropbear/dropbear_2022.83.bb
+++ b/meta/recipes-core/dropbear/dropbear_2022.83.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://0001-cli-runopts.c-add-missing-DROPBEAR_CLI_PUBKEY_AUTH.patch \
            file://0001-Avoid-unused-variable-with-DROPBEAR_CLI_PUBKEY_AUTH-.patch \
            file://CVE-2025-47203.patch \
+           file://CVE-2019-6111.patch \
            "
 
 SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"



* [OE-core][scarthgap 09/22] libpcap: patch CVE-2025-11961
@ 2026-01-20 12:08 ` Yoann Congal
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].
Also pick an additional preparation patch so that it applies cleanly.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11961

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libpcap/libpcap/CVE-2025-11961-01.patch   |  38 ++
 .../libpcap/libpcap/CVE-2025-11961-02.patch   | 433 ++++++++++++++++++
 .../libpcap/libpcap_1.10.4.bb                 |   2 +
 3 files changed, 473 insertions(+)
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch

diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
new file mode 100644
index 0000000000..73c3ab3f5c
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
@@ -0,0 +1,38 @@
+From 7224be0fe2f4beb916b7b69141f478facd0f0634 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Sat, 27 Dec 2025 21:36:11 +0000
+Subject: [PATCH] Rename one of the xdtoi() copies to simplify backporting.
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7224be0fe2f4beb916b7b69141f478facd0f0634]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ nametoaddr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nametoaddr.c b/nametoaddr.c
+index dc75495c..bdaacbf1 100644
+--- a/nametoaddr.c
++++ b/nametoaddr.c
+@@ -646,7 +646,7 @@ pcap_nametollc(const char *s)
+ 
+ /* Hex digit to 8-bit unsigned integer. */
+ static inline u_char
+-xdtoi(u_char c)
++pcapint_xdtoi(u_char c)
+ {
+ 	if (c >= '0' && c <= '9')
+ 		return (u_char)(c - '0');
+@@ -728,10 +728,10 @@ pcap_ether_aton(const char *s)
+ 	while (*s) {
+ 		if (*s == ':' || *s == '.' || *s == '-')
+ 			s += 1;
+-		d = xdtoi(*s++);
++		d = pcapint_xdtoi(*s++);
+ 		if (PCAP_ISXDIGIT(*s)) {
+ 			d <<= 4;
+-			d |= xdtoi(*s++);
++			d |= pcapint_xdtoi(*s++);
+ 		}
+ 		*ep++ = d;
+ 	}
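Review bot: the renamed call sites make the pre-existing hazard easy to see: `d = pcapint_xdtoi(*s++)` consumes a byte without first checking PCAP_ISXDIGIT, and `*ep++ = d` has no bound against the 6-byte output buffer, so malformed input can read past the string or write past the allocation. This preparatory patch deliberately leaves that loop alone; the second patch in the series replaces it with validating parsers.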
diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch
new file mode 100644
index 0000000000..2dca7908ef
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch
@@ -0,0 +1,433 @@
+From b2d2f9a9a0581c40780bde509f7cc715920f1c02 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Fri, 19 Dec 2025 17:31:13 +0000
+Subject: [PATCH] CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton().
+
+pcap_ether_aton() has for a long time required its string argument to be
+a well-formed MAC-48 address, which is always the case when the argument
+comes from other libpcap code, so the function has never validated the
+input and used a simple loop to parse any of the three common MAC-48
+address formats.  However, the function has also been a part of the
+public API, so calling it directly with a malformed address can cause
+the loop to read beyond the end of the input string and/or to write
+beyond the end of the allocated output buffer.
+
+To handle invalid input more appropriately, replace the simple loop with
+new functions and require the input to match a supported address format.
+
+This problem was reported by Jin Wei, Kunwei Qian and Ping Chen.
+
+(backported from commit dd08e53e9380e217ae7c7768da9cc3d7bf37bf83)
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gencode.c    |   5 +
+ nametoaddr.c | 367 +++++++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 349 insertions(+), 23 deletions(-)
+
+diff --git a/gencode.c b/gencode.c
+index 3ddd15f8..76fb2d82 100644
+--- a/gencode.c
++++ b/gencode.c
+@@ -7228,6 +7228,11 @@ gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
+ 		return (NULL);
+ 
+ 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
++		/*
++		 * Because the lexer guards the input string format, in this
++		 * context the function returns NULL iff the implicit malloc()
++		 * has failed.
++		 */
+ 		cstate->e = pcap_ether_aton(s);
+ 		if (cstate->e == NULL)
+ 			bpf_error(cstate, "malloc");
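Review bot: the comment documents why `bpf_error(cstate, "malloc")` remains a correct diagnosis here, but the argument rests on the lexer guarding the token format; should pcap_ether_aton() ever return NULL for a format reason on this path, the user would see a misleading "malloc" error. A distinct message, or an assertion that the token matched the lexer's MAC pattern, would make that contract explicit in code rather than only in a comment.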
+diff --git a/nametoaddr.c b/nametoaddr.c
+index f9fcd288..f50d0da5 100644
+--- a/nametoaddr.c
++++ b/nametoaddr.c
+@@ -703,39 +703,360 @@ __pcap_atodn(const char *s, bpf_u_int32 *addr)
+ 	return(32);
+ }
+ 
++// Man page: "xxxxxxxxxxxx", regexp: "^[0-9a-fA-F]{12}$".
++static u_char
++pcapint_atomac48_xxxxxxxxxxxx(const char *s, uint8_t *addr)
++{
++	if (strlen(s) == 12 &&
++	    PCAP_ISXDIGIT(s[0]) &&
++	    PCAP_ISXDIGIT(s[1]) &&
++	    PCAP_ISXDIGIT(s[2]) &&
++	    PCAP_ISXDIGIT(s[3]) &&
++	    PCAP_ISXDIGIT(s[4]) &&
++	    PCAP_ISXDIGIT(s[5]) &&
++	    PCAP_ISXDIGIT(s[6]) &&
++	    PCAP_ISXDIGIT(s[7]) &&
++	    PCAP_ISXDIGIT(s[8]) &&
++	    PCAP_ISXDIGIT(s[9]) &&
++	    PCAP_ISXDIGIT(s[10]) &&
++	    PCAP_ISXDIGIT(s[11])) {
++		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
++		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
++		addr[2] = pcapint_xdtoi(s[4]) << 4 | pcapint_xdtoi(s[5]);
++		addr[3] = pcapint_xdtoi(s[6]) << 4 | pcapint_xdtoi(s[7]);
++		addr[4] = pcapint_xdtoi(s[8]) << 4 | pcapint_xdtoi(s[9]);
++		addr[5] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
++		return 1;
++	}
++	return 0;
++}
++
++// Man page: "xxxx.xxxx.xxxx", regexp: "^[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}$".
++static u_char
++pcapint_atomac48_xxxx_3_times(const char *s, uint8_t *addr)
++{
++	const char sep = '.';
++	if (strlen(s) == 14 &&
++	    PCAP_ISXDIGIT(s[0]) &&
++	    PCAP_ISXDIGIT(s[1]) &&
++	    PCAP_ISXDIGIT(s[2]) &&
++	    PCAP_ISXDIGIT(s[3]) &&
++	    s[4] == sep &&
++	    PCAP_ISXDIGIT(s[5]) &&
++	    PCAP_ISXDIGIT(s[6]) &&
++	    PCAP_ISXDIGIT(s[7]) &&
++	    PCAP_ISXDIGIT(s[8]) &&
++	    s[9] == sep &&
++	    PCAP_ISXDIGIT(s[10]) &&
++	    PCAP_ISXDIGIT(s[11]) &&
++	    PCAP_ISXDIGIT(s[12]) &&
++	    PCAP_ISXDIGIT(s[13])) {
++		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
++		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
++		addr[2] = pcapint_xdtoi(s[5]) << 4 | pcapint_xdtoi(s[6]);
++		addr[3] = pcapint_xdtoi(s[7]) << 4 | pcapint_xdtoi(s[8]);
++		addr[4] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
++		addr[5] = pcapint_xdtoi(s[12]) << 4 | pcapint_xdtoi(s[13]);
++		return 1;
++	}
++	return 0;
++}
++
+ /*
+- * Convert 's', which can have the one of the forms:
++ * Man page: "xx:xx:xx:xx:xx:xx", regexp: "^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$".
++ * Man page: "xx-xx-xx-xx-xx-xx", regexp: "^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$".
++ * Man page: "xx.xx.xx.xx.xx.xx", regexp: "^[0-9a-fA-F]{1,2}(\.[0-9a-fA-F]{1,2}){5}$".
++ * (Any "xx" above can be "x", which is equivalent to "0x".)
+  *
+- *	"xx:xx:xx:xx:xx:xx"
+- *	"xx.xx.xx.xx.xx.xx"
+- *	"xx-xx-xx-xx-xx-xx"
+- *	"xxxx.xxxx.xxxx"
+- *	"xxxxxxxxxxxx"
++ * An equivalent (and parametrisable for EUI-64) FSM could be implemented using
++ * a smaller graph, but that graph would be neither acyclic nor planar nor
++ * trivial to verify.
+  *
+- * (or various mixes of ':', '.', and '-') into a new
+- * ethernet address.  Assumes 's' is well formed.
++ *                |
++ *    [.]         v
++ * +<---------- START
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE0_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE0_XX          | [:\.-]
++ * |              |              |
++ * |              | [:\.-]       |
++ * |  [.]         v              |
++ * +<----- BYTE0_SEP_BYTE1 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE1_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE1_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE1_SEP_BYTE2 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE2_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE2_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE2_SEP_BYTE3 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE3_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE3_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE3_SEP_BYTE4 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE4_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE4_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE4_SEP_BYTE5 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE5_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE5_XX          | \0
++ * |              |              |
++ * |              | \0           |
++ * |              |              v
++ * +--> (reject)  +---------> (accept)
++ *
++ */
++static u_char
++pcapint_atomac48_x_xx_6_times(const char *s, uint8_t *addr)
++{
++	enum {
++		START,
++		BYTE0_X,
++		BYTE0_XX,
++		BYTE0_SEP_BYTE1,
++		BYTE1_X,
++		BYTE1_XX,
++		BYTE1_SEP_BYTE2,
++		BYTE2_X,
++		BYTE2_XX,
++		BYTE2_SEP_BYTE3,
++		BYTE3_X,
++		BYTE3_XX,
++		BYTE3_SEP_BYTE4,
++		BYTE4_X,
++		BYTE4_XX,
++		BYTE4_SEP_BYTE5,
++		BYTE5_X,
++		BYTE5_XX,
++	} fsm_state = START;
++	uint8_t buf[6];
++	const char *seplist = ":.-";
++	char sep;
++
++	while (*s) {
++		switch (fsm_state) {
++		case START:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[0] = pcapint_xdtoi(*s);
++				fsm_state = BYTE0_X;
++				break;
++			}
++			goto reject;
++		case BYTE0_X:
++			if (strchr(seplist, *s)) {
++				sep = *s;
++				fsm_state = BYTE0_SEP_BYTE1;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[0] = buf[0] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE0_XX;
++				break;
++			}
++			goto reject;
++		case BYTE0_XX:
++			if (strchr(seplist, *s)) {
++				sep = *s;
++				fsm_state = BYTE0_SEP_BYTE1;
++				break;
++			}
++			goto reject;
++		case BYTE0_SEP_BYTE1:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[1] = pcapint_xdtoi(*s);
++				fsm_state = BYTE1_X;
++				break;
++			}
++			goto reject;
++		case BYTE1_X:
++			if (*s == sep) {
++				fsm_state = BYTE1_SEP_BYTE2;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[1] = buf[1] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE1_XX;
++				break;
++			}
++			goto reject;
++		case BYTE1_XX:
++			if (*s == sep) {
++				fsm_state = BYTE1_SEP_BYTE2;
++				break;
++			}
++			goto reject;
++		case BYTE1_SEP_BYTE2:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[2] = pcapint_xdtoi(*s);
++				fsm_state = BYTE2_X;
++				break;
++			}
++			goto reject;
++		case BYTE2_X:
++			if (*s == sep) {
++				fsm_state = BYTE2_SEP_BYTE3;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[2] = buf[2] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE2_XX;
++				break;
++			}
++			goto reject;
++		case BYTE2_XX:
++			if (*s == sep) {
++				fsm_state = BYTE2_SEP_BYTE3;
++				break;
++			}
++			goto reject;
++		case BYTE2_SEP_BYTE3:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[3] = pcapint_xdtoi(*s);
++				fsm_state = BYTE3_X;
++				break;
++			}
++			goto reject;
++		case BYTE3_X:
++			if (*s == sep) {
++				fsm_state = BYTE3_SEP_BYTE4;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[3] = buf[3] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE3_XX;
++				break;
++			}
++			goto reject;
++		case BYTE3_XX:
++			if (*s == sep) {
++				fsm_state = BYTE3_SEP_BYTE4;
++				break;
++			}
++			goto reject;
++		case BYTE3_SEP_BYTE4:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[4] = pcapint_xdtoi(*s);
++				fsm_state = BYTE4_X;
++				break;
++			}
++			goto reject;
++		case BYTE4_X:
++			if (*s == sep) {
++				fsm_state = BYTE4_SEP_BYTE5;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[4] = buf[4] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE4_XX;
++				break;
++			}
++			goto reject;
++		case BYTE4_XX:
++			if (*s == sep) {
++				fsm_state = BYTE4_SEP_BYTE5;
++				break;
++			}
++			goto reject;
++		case BYTE4_SEP_BYTE5:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[5] = pcapint_xdtoi(*s);
++				fsm_state = BYTE5_X;
++				break;
++			}
++			goto reject;
++		case BYTE5_X:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[5] = buf[5] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE5_XX;
++				break;
++			}
++			goto reject;
++		case BYTE5_XX:
++			goto reject;
++		} // switch
++		s++;
++	} // while
++
++	if (fsm_state == BYTE5_X || fsm_state == BYTE5_XX) {
++		// accept
++		memcpy(addr, buf, sizeof(buf));
++		return 1;
++	}
++
++reject:
++	return 0;
++}
++
++// The 'addr' argument must point to an array of at least 6 elements.
++static int
++pcapint_atomac48(const char *s, uint8_t *addr)
++{
++	return s && (
++	    pcapint_atomac48_xxxxxxxxxxxx(s, addr) ||
++	    pcapint_atomac48_xxxx_3_times(s, addr) ||
++	    pcapint_atomac48_x_xx_6_times(s, addr)
++	);
++}
++
++/*
++ * If 's' is a MAC-48 address in one of the forms documented in pcap-filter(7)
++ * for "ether host", return a pointer to an allocated buffer with the binary
++ * value of the address.  Return NULL on any error.
+  */
+ u_char *
+ pcap_ether_aton(const char *s)
+ {
+-	register u_char *ep, *e;
+-	register u_char d;
++	uint8_t tmp[6];
++	if (! pcapint_atomac48(s, tmp))
++		return (NULL);
+ 
+-	e = ep = (u_char *)malloc(6);
++	u_char *e = malloc(6);
+ 	if (e == NULL)
+ 		return (NULL);
+-
+-	while (*s) {
+-		if (*s == ':' || *s == '.' || *s == '-')
+-			s += 1;
+-		d = pcapint_xdtoi(*s++);
+-		if (PCAP_ISXDIGIT(*s)) {
+-			d <<= 4;
+-			d |= pcapint_xdtoi(*s++);
+-		}
+-		*ep++ = d;
+-	}
+-
++	memcpy(e, tmp, sizeof(tmp));
+ 	return (e);
+ }
+ 
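Review bot: the rewrite is sound (each parser validates the entire string before touching `addr`, and the FSM writes into a local `buf` that is copied only on accept), with three points worth raising. First, the old comment's "various mixes of ':', '.', and '-'" are no longer accepted: after BYTE0 the FSM requires every later separator to equal `sep`, which matches the forms documented in pcap-filter(7) but is a visible behaviour change for direct callers of the public API and deserves a sentence in the commit message. Second, `sep` is declared without an initialiser and assigned only in BYTE0_X and BYTE0_XX; the state graph guarantees it is set before any `*s == sep` comparison, but `char sep = '\0';` would silence maybe-uninitialized warnings without changing behaviour. Third, `strchr(seplist, *s)` would match the terminating NUL of `seplist`, which is safe here only because the `while (*s)` loop condition never feeds it a NUL.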
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
index 36eb4bca75..df091e5ca2 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
@@ -14,6 +14,8 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
            file://CVE-2023-7256-pre1.patch \
            file://CVE-2023-7256.patch \
            file://CVE-2024-8006.patch \
+           file://CVE-2025-11961-01.patch \
+           file://CVE-2025-11961-02.patch \
           "
 
 SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"



* [OE-core][scarthgap 10/22] libpcap: patch CVE-2025-11964
@ 2026-01-20 12:08 ` Yoann Congal
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-11964

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libpcap/libpcap/CVE-2025-11964.patch      | 33 +++++++++++++++++++
 .../libpcap/libpcap_1.10.4.bb                 |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch

diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch
new file mode 100644
index 0000000000..003d21fb1f
--- /dev/null
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch
@@ -0,0 +1,33 @@
+From 7fabf607f2319a36a0bd78444247180acb838e69 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 7 Sep 2025 12:51:56 -0700
+Subject: [PATCH] Fix a copy-and-pasteo in utf_16le_to_utf_8_truncated().
+
+For the four octets of UTF-8 case, it was decrementing the remaining
+buffer length by 3, not 4.
+
+Thanks to a team of developers from the Univesity of Waterloo for
+reporting this.
+
+(cherry picked from commit aebfca1aea2fc8c177760a26e8f4de27b51d1b3b)
+
+CVE: CVE-2025-11964
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fmtutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fmtutils.c b/fmtutils.c
+index a5a4fe62..78a0f8b7 100644
+--- a/fmtutils.c
++++ b/fmtutils.c
+@@ -235,7 +235,7 @@ utf_16le_to_utf_8_truncated(const wchar_t *utf_16, char *utf_8,
+ 			*utf_8++ = ((uc >> 12) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 6) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 0) & 0x3F) | 0x80;
+-			utf_8_len -= 3;
++			utf_8_len -= 4;
+ 		}
+ 	}
+ 
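Review bot: the fix is right: this branch emits four bytes, so the old `utf_8_len -= 3` left the remaining-space counter one byte too high for every 4-byte UTF-8 sequence, and any truncation decision based on `utf_8_len` could let the function write past the end of `utf_8`. Separately, the patch description has a typo: "Univesity" should read "University".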
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
index df091e5ca2..ee7d7540f6 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
            file://CVE-2024-8006.patch \
            file://CVE-2025-11961-01.patch \
            file://CVE-2025-11961-02.patch \
+           file://CVE-2025-11964.patch \
           "
 
 SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"



* [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files
@ 2026-01-20 12:08 ` Yoann Congal
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

The patch for CVE-2025-61915 mistakenly causes a fatal error on unknown
directives in configuration files.
The default configuration already contains an unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf

Backport fix for this from 2.4.x branch which reverts this behavior.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/cups/cups.inc           |  1 +
 ...pping-scheduler-on-unknown-directive.patch | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 12668ca023..c7475d2b81 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,6 +19,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
            file://CVE-2025-58364.patch \
            file://CVE-2025-58436.patch \
            file://CVE-2025-61915.patch \
+           file://0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch b/meta/recipes-extended/cups/cups/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
new file mode 100644
index 0000000000..cf01c82cd6
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
@@ -0,0 +1,43 @@
+From 277d3b1c49895f070bbf4b73cada011d71fbf9f3 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 4 Dec 2025 09:04:37 +0100
+Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive
+
+Change the return value to do not trigger stopping the scheduler in case
+of unknown directive, because stopping the scheduler on config errors
+should only happen in case of syntax errors.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/277d3b1c49895f070bbf4b73cada011d71fbf9f3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ scheduler/conf.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 7d6da0252..0e7be0ef4 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -2697,16 +2697,16 @@ parse_variable(
+   {
+    /*
+     * Unknown directive!  Output an error message and continue...
++    *
++    * Return value 1 is on purpose - we ignore unknown directives to log
++    * error, but do not stop the scheduler in case error in configuration
++    * is set to be fatal.
+     */
+ 
+-    if (!value)
+-      cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
+-		      line, linenum, filename);
+-    else
+-      cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
+-		      line, linenum, filename);
++    cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
++		    line, linenum, filename);
+ 
+-    return (0);
++    return (1);
+   }
+ 
+   switch (var->type)
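Review bot: the patch header carries no `CVE:` tag although it repairs a regression introduced by CVE-2025-61915.patch; add `CVE: CVE-2025-61915` (the libarchive follow-up in this same series tags CVE-2025-60753-02.patch that way) so cve-check keeps the two together. On the change itself, returning 1 from parse_variable() for an unrecognised directive means a misspelled directive name is now only logged at CUPSD_LOG_ERROR and cupsd keeps running with the default for whatever that directive was meant to set, which is the pre-CVE behaviour this backport restores. The hunk also drops the separate "Missing value for %s" message, so an unknown directive without a value now logs as "Unknown directive" too. The commit message should say that this reverts the fatal handling for unknown directives rather than narrowing it.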



* [OE-core][scarthgap 12/22] libarchive: fix CVE-2025-60753 regression
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (10 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 13/22] curl: patch CVE-2025-14017 Yoann Congal
                   ` (9 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick the patch from the PR mentioned in the v3.8.5 release notes.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...25-60753.patch => CVE-2025-60753-01.patch} |  0
 .../libarchive/CVE-2025-60753-02.patch        | 46 +++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |  3 +-
 3 files changed, 48 insertions(+), 1 deletion(-)
 rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-60753.patch => CVE-2025-60753-01.patch} (100%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-02.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-01.patch
similarity index 100%
rename from meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
rename to meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-01.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-02.patch
new file mode 100644
index 0000000000..637162b894
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753-02.patch
@@ -0,0 +1,46 @@
+From cfb02de558d843dc5355c4aa2aeb4af49f88bdb9 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.de>
+Date: Mon, 8 Dec 2025 21:40:46 +0100
+Subject: [PATCH] tar: fix off-bounds read resulting from #2787 (3150539ed)
+
+CVE: CVE-2025-60753
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfb02de558d843dc5355c4aa2aeb4af49f88bdb9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tar/subst.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index a466f653..53497ad0 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -237,7 +237,7 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 
+ 		char isEnd = 0;
+ 		do {
+-            isEnd = *name == '\0';
++			isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+ 
+@@ -293,13 +293,13 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 
+ 			realloc_strcat(result, rule->result + j);
+ 			if (matches[0].rm_eo > 0) {
+-                name += matches[0].rm_eo;
+-            } else {
+-                // We skip a character because the match is 0-length
+-                // so we need to add it to the output
+-                realloc_strncat(result, name, 1);
+-                name += 1;
+-            }
++				name += matches[0].rm_eo;
++			} else if (!isEnd) {
++				// We skip a character because the match is 0-length
++				// so we need to add it to the output
++				realloc_strncat(result, name, 1);
++				name += 1;
++			}
+ 		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+ 
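Review bot: the functional change is the `} else if (!isEnd) {` guard in the second hunk; the first hunk at line 237 is whitespace-only (spaces to a tab) and carries no logic. Without the guard, a global substitution whose pattern matches zero characters at the end of `name` runs `realloc_strncat(result, name, 1)` on the terminator and then does `name += 1`, leaving `name` pointing one past the end of the string for whatever consumes the remainder after the loop, which is the out-of-bounds read the subject line refers to. The commit message ("Pick patch from PR mentioned in v3.8.5 release notes") says nothing about what the earlier CVE-2025-60753 patch regressed; one sentence naming the zero-length-match-at-end case would help anyone triaging this on scarthgap.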
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 86ba53aaf2..b62c3d69b9 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -42,7 +42,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \
            file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \
            file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
-           file://CVE-2025-60753.patch \
+           file://CVE-2025-60753-01.patch \
+           file://CVE-2025-60753-02.patch \
            "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 



* [OE-core][scarthgap 13/22] curl: patch CVE-2025-14017
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (11 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 12/22] libarchive: fix CVE-2025-60753 regression Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 14/22] curl: patch CVE-2025-14819 Yoann Congal
                   ` (8 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-14017.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-14017.patch            | 115 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |   1 +
 2 files changed, 116 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14017.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14017.patch b/meta/recipes-support/curl/curl/CVE-2025-14017.patch
new file mode 100644
index 0000000000..887ff2f97c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14017.patch
@@ -0,0 +1,115 @@
+From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 4 Dec 2025 00:14:20 +0100
+Subject: [PATCH] ldap: call ldap_init() before setting the options
+
+Closes #19830
+
+CVE: CVE-2025-14017
+Upstream-Status: Backport [https://github.com/curl/curl/commit/39d1976b7f709a516e3243338ebc0443bdd8d56d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/ldap.c | 49 +++++++++++++++++++------------------------------
+ 1 file changed, 19 insertions(+), 30 deletions(-)
+
+diff --git a/lib/ldap.c b/lib/ldap.c
+index 63b2cbc414..0911a9239a 100644
+--- a/lib/ldap.c
++++ b/lib/ldap.c
+@@ -362,16 +362,29 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     passwd = conn->passwd;
+   }
+ 
++#ifdef USE_WIN32_LDAP
++  if(ldap_ssl)
++    server = ldap_sslinit(host, conn->primary.remote_port, 1);
++  else
++#else
++    server = ldap_init(host, conn->primary.remote_port);
++#endif
++  if(!server) {
++    failf(data, "LDAP: cannot setup connect to %s:%u",
++          conn->host.dispname, conn->primary.remote_port);
++    result = CURLE_COULDNT_CONNECT;
++    goto quit;
++  }
++
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-  ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
++  ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
+ #endif
+-  ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
++  ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+ 
+   if(ldap_ssl) {
+ #ifdef HAVE_LDAP_SSL
+ #ifdef USE_WIN32_LDAP
+     /* Win32 LDAP SDK doesn't support insecure mode without CA! */
+-    server = ldap_sslinit(host, conn->primary.remote_port, 1);
+     ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
+ #else
+     int ldap_option;
+@@ -439,7 +452,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+         goto quit;
+       }
+       infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
+-      rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
++      rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
+       if(rc != LDAP_SUCCESS) {
+         failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
+                 ldap_err2string(rc));
+@@ -451,20 +464,13 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     else
+       ldap_option = LDAP_OPT_X_TLS_NEVER;
+ 
+-    rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
++    rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+       failf(data, "LDAP local: ERROR setting cert verify mode: %s",
+               ldap_err2string(rc));
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-    server = ldap_init(host, conn->primary.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, conn->primary.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+     ldap_option = LDAP_OPT_X_TLS_HARD;
+     rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
+     if(rc != LDAP_SUCCESS) {
+@@ -473,15 +479,6 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+       result = CURLE_SSL_CERTPROBLEM;
+       goto quit;
+     }
+-/*
+-    rc = ldap_start_tls_s(server, NULL, NULL);
+-    if(rc != LDAP_SUCCESS) {
+-      failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
+-              ldap_err2string(rc));
+-      result = CURLE_SSL_CERTPROBLEM;
+-      goto quit;
+-    }
+-*/
+ #else
+     /* we should probably never come up to here since configure
+        should check in first place if we can support LDAP SSL/TLS */
+@@ -498,15 +495,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
+     result = CURLE_NOT_BUILT_IN;
+     goto quit;
+   }
+-  else {
+-    server = ldap_init(host, conn->primary.remote_port);
+-    if(!server) {
+-      failf(data, "LDAP local: Cannot connect to %s:%u",
+-            conn->host.dispname, conn->primary.remote_port);
+-      result = CURLE_COULDNT_CONNECT;
+-      goto quit;
+-    }
+-  }
++
+ #ifdef USE_WIN32_LDAP
+   ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
+   rc = ldap_win_bind(data, server, user, passwd);
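Review bot: check the preprocessor shape of the new block at the top of the hunk. With `#ifdef USE_WIN32_LDAP` / `if(ldap_ssl) server = ldap_sslinit(...); else` / `#else` / `server = ldap_init(...);` / `#endif`, a USE_WIN32_LDAP build never calls ldap_init() at all: the dangling `else` binds to the following `if(!server) { ... }`, so the non-SSL Win32 path continues with `server` never assigned, and the old ldap_init() call in the `else { }` block that this hunk removes at the bottom is gone as well. If the intent is "ldap_sslinit() on Win32 when ldap_ssl, ldap_init() otherwise", that line should be `#endif` rather than `#else` so the `else` takes the ldap_init() statement; this does not affect OE targets, but a patch marked Backport should match upstream, so please compare against commit 39d1976b. The substance of the fix is right: `ldap_set_option(NULL, ...)` sets process-global defaults rather than options on this handle, so the CA file and REQUIRE_CERT settings were not reliably bound to the connection being made; creating the handle first and passing `server` to every ldap_set_option() call fixes that.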
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 0af6a41399..aa978f0346 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
     file://CVE-2024-11053-0003.patch \
     file://CVE-2025-0167.patch \
     file://CVE-2025-9086.patch \
+    file://CVE-2025-14017.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \



* [OE-core][scarthgap 14/22] curl: patch CVE-2025-14819
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (12 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 13/22] curl: patch CVE-2025-14017 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 15/22] curl: patch CVE-2025-15079 Yoann Congal
                   ` (7 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

Additionally pick the commit with the definition of CURL_UNCONST to make the
cherry-pick possible without build errors.
It will probably also be needed by further CVE patches.

[1] https://curl.se/docs/CVE-2025-14819.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...st-qual-fix-or-silence-compiler-warn.patch | 85 +++++++++++++++++++
 .../curl/curl/CVE-2025-14819.patch            | 73 ++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  2 +
 3 files changed, 160 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14819.patch

diff --git a/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch b/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
new file mode 100644
index 0000000000..f652456990
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch
@@ -0,0 +1,85 @@
+From 9989d5392e9e61c81fdd3e464511ddd8d73c2f87 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Fri, 31 Jan 2025 23:20:46 +0100
+Subject: [PATCH] build: enable `-Wcast-qual`, fix or silence compiler warnings
+
+The issues found fell into these categories, with the applied fixes:
+
+- const was accidentally stripped.
+  Adjust code to not cast or cast with const.
+
+- const/volatile missing from arguments, local variables.
+  Constify arguments or variables, adjust/delete casts. Small code
+  changes in a few places.
+
+- const must be stripped because an API dependency requires it.
+  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+  of our control. These happen at API boundaries. Sometimes they depend
+  on dependency version, which this patch handles as necessary. Also
+  enable const support for the zlib API, using `ZLIB_CONST`. Supported
+  by zlib 1.2.5.2 and newer.
+
+- const must be stripped because a curl API requires it.
+  Strip `const` with `CURL_UNCONST()` macro to silence the warning out
+  of our immediate control. For example we promise to send a non-const
+  argument to a callback, though the data is const internally.
+
+- other cases where we may avoid const stripping by code changes.
+  Also silenced with `CURL_UNCONST()`.
+
+- there are 3 places where `CURL_UNCONST()` is cast again to const.
+  To silence this type of warning:
+  ```
+  lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate
+    pointers in cast from 'unsigned char **' to 'const unsigned char **'
+    must be 'const' qualified [-Werror=cast-qual]
+  lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in
+    cast from 'char **' to 'const char **' must be 'const' qualified
+    [-Werror=cast-qual]
+  ```
+  There may be a better solution, but I couldn't find it.
+
+These cases are handled in separate subcommits, but without further
+markup.
+
+If you see a `-Wcast-qual` warning in curl, we appreciate your report
+about it.
+
+Closes #16142
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9989d5392e9e61c81fdd3e464511ddd8d73c2f87]
+
+Picked only header file definition, not complete code refactoring.
+CURL_UNCONST will be probably needed also by further CVE patches due to this rework.
+
+Also later modified by removing VS2008 code per 2e1a045d8985e5daa4d9a4f908ed870a16d8e41e.
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/curl_setup_once.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/curl_setup_once.h b/lib/curl_setup_once.h
+index bf0ee663d3..df5b44c478 100644
+--- a/lib/curl_setup_once.h
++++ b/lib/curl_setup_once.h
+@@ -69,10 +69,18 @@
+ #include <unistd.h>
+ #endif
+ 
+-#ifdef USE_WOLFSSL
++#if defined(HAVE_STDINT_H) || defined(USE_WOLFSSL)
+ #include <stdint.h>
+ #endif
+ 
++/* Macro to strip 'const' without triggering a compiler warning.
++ Use* it for APIs that do not or cannot support the const qualifier. */
++#ifdef HAVE_STDINT_H
++#  define CURL_UNCONST(p) ((void *)(uintptr_t)(const void *)(p))
++#else
++#  define CURL_UNCONST(p) ((void *)(p))  /* Fall back to simple cast */
++#endif
++
+ #ifdef USE_SCHANNEL
+ /* Must set this before <schannel.h> is included directly or indirectly by
+    another Windows header. */
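Review bot: the comment inserted above CURL_UNCONST reads `Use* it for APIs`; the asterisk belongs at the start of the continuation line (` * Use it ...`) or should be dropped, as it stands it is a typo in the shipped header. Also worth recording next to "Picked only header file definition" that widening `#ifdef USE_WOLFSSL` to `#if defined(HAVE_STDINT_H) || defined(USE_WOLFSSL)` is what makes `uintptr_t` available for the macro; without stdint.h the fallback `((void *)(p))` is a plain cast that silences nothing, so the include change is part of the pick, not an unrelated edit.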
diff --git a/meta/recipes-support/curl/curl/CVE-2025-14819.patch b/meta/recipes-support/curl/curl/CVE-2025-14819.patch
new file mode 100644
index 0000000000..7bed47e7b4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14819.patch
@@ -0,0 +1,73 @@
+From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 17 Dec 2025 10:54:16 +0100
+Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a
+ different CA cache
+
+Reported-by: Stanislav Fort
+
+Closes #20009
+
+CVE: CVE-2025-14819
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cd046f6c93b39d673a58c18648d8906e954c4f5d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vtls/openssl.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a7f169d641..7563d9a090 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -317,6 +317,7 @@ struct multi_ssl_backend_data {
+   char *CAfile;         /* CAfile path used to generate X509 store */
+   X509_STORE *store;    /* cached X509 store or NULL if none */
+   struct curltime time; /* when the cached store was created */
++  BIT(no_partialchain); /* keep partial chain state */
+ };
+ #endif /* HAVE_SSL_X509_STORE_SHARE */
+ 
+@@ -3378,12 +3379,16 @@ static bool cached_x509_store_expired(const struct Curl_easy *data,
+ 
+ static bool cached_x509_store_different(
+   struct Curl_cfilter *cf,
++                                             const struct Curl_easy *data,
+   const struct multi_ssl_backend_data *mb)
+ {
+   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
++  struct ssl_config_data *ssl_config =
++    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
++  if(mb->no_partialchain != ssl_config->no_partialchain)
++    return TRUE;
+   if(!mb->CAfile || !conn_config->CAfile)
+     return mb->CAfile != conn_config->CAfile;
+-
+   return strcmp(mb->CAfile, conn_config->CAfile);
+ }
+ 
+@@ -3398,7 +3403,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf,
+      multi->ssl_backend_data &&
+      multi->ssl_backend_data->store &&
+      !cached_x509_store_expired(data, multi->ssl_backend_data) &&
+-     !cached_x509_store_different(cf, multi->ssl_backend_data)) {
++     !cached_x509_store_different(cf, data, multi->ssl_backend_data)) {
+     store = multi->ssl_backend_data->store;
+   }
+ 
+@@ -3427,6 +3432,8 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+ 
+   if(X509_STORE_up_ref(store)) {
+     char *CAfile = NULL;
++    struct ssl_config_data *ssl_config =
++      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
+ 
+     if(conn_config->CAfile) {
+       CAfile = strdup(conn_config->CAfile);
+@@ -3444,6 +3451,7 @@ static void set_cached_x509_store(struct Curl_cfilter *cf,
+     mbackend->time = Curl_now();
+     mbackend->store = store;
+     mbackend->CAfile = CAfile;
++    mbackend->no_partialchain = ssl_config->no_partialchain;
+   }
+ }
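Review bot: the new `const struct Curl_easy *data` parameter in the cached_x509_store_different() signature is indented far to the right of the other two parameters; that mirrors the upstream commit, but since this is a hand-applied backport it would be cleaner aligned with them. On the logic: the cached X509_STORE is now keyed on `no_partialchain` in addition to CAfile, so a transfer that sets CURLSSLOPT_NO_PARTIALCHAIN can no longer pick up a store built for a transfer that allowed partial chains (where an intermediate present in the CA file counts as a trust anchor), and vice versa. Note the dependency: Curl_ssl_cf_get_config() takes a non-const `data`, which is why this patch needs CURL_UNCONST and why 0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch must stay ahead of it in SRC_URI.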
+ 
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index aa978f0346..3134846e57 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -26,6 +26,8 @@ SRC_URI = " \
     file://CVE-2025-0167.patch \
     file://CVE-2025-9086.patch \
     file://CVE-2025-14017.patch \
+    file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
+    file://CVE-2025-14819.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \



* [OE-core][scarthgap 15/22] curl: patch CVE-2025-15079
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (13 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 14/22] curl: patch CVE-2025-14819 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 16/22] curl: patch CVE-2025-15224 Yoann Congal
                   ` (6 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15079.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-15079.patch            | 32 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15079.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15079.patch b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
new file mode 100644
index 0000000000..47fa518309
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15079.patch
@@ -0,0 +1,32 @@
+From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 Dec 2025 17:47:03 +0100
+Subject: [PATCH] libssh: set both knownhosts options to the same file
+
+Reported-by: Harry Sintonen
+
+Closes #20092
+
+CVE: CVE-2025-15079
+Upstream-Status: Backport [https://github.com/curl/curl/commit/adca486c125d9a6d9565b9607a19dce803a8b479]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 7d5905c83d..98c109ab59 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2224,6 +2224,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done)
+     infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]);
+     rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_KNOWNHOSTS,
+                          data->set.str[STRING_SSH_KNOWNHOSTS]);
++    if(rc == SSH_OK)
++      /* libssh has two separate options for this. Set both to the same file
++         to avoid surprises */
++      rc = ssh_options_set(ssh->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS,
++                           data->set.str[STRING_SSH_KNOWNHOSTS]);
+     if(rc != SSH_OK) {
+       failf(data, "Could not set known hosts file path");
+       return CURLE_FAILED_INIT;
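Review bot: the second ssh_options_set() hangs off `if(rc == SSH_OK)` with a two-line comment between the condition and its statement; that is legal C but easy to misread, so brace the body. The logic is right: libssh consults both the per-user file (SSH_OPTIONS_KNOWNHOSTS) and the global one (SSH_OPTIONS_GLOBAL_KNOWNHOSTS), and before this change CURLOPT_SSH_KNOWNHOSTS only replaced the former, so a host key present in libssh's default global file could still pass the host-key check. Setting both options to the caller's file closes that, and a failure from either call falls through to the existing `rc != SSH_OK` check.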
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 3134846e57..85b91ef958 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -28,6 +28,7 @@ SRC_URI = " \
     file://CVE-2025-14017.patch \
     file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
     file://CVE-2025-14819.patch \
+    file://CVE-2025-15079.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \



* [OE-core][scarthgap 16/22] curl: patch CVE-2025-15224
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (14 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 15/22] curl: patch CVE-2025-15079 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 17/22] pseudo: Upgrade to version 1.9.1 Yoann Congal
                   ` (5 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick patch per [1].

[1] https://curl.se/docs/CVE-2025-15224.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../curl/curl/CVE-2025-15224.patch            | 31 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-15224.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-15224.patch b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
new file mode 100644
index 0000000000..dc07f92100
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-15224.patch
@@ -0,0 +1,31 @@
+From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Mon, 29 Dec 2025 16:56:39 +0100
+Subject: [PATCH] libssh: require private key or user-agent for public key auth
+
+Closes #20110
+
+CVE: CVE-2025-15224
+Upstream-Status: Backport [https://github.com/curl/curl/commit/16d5f2a5660c61cc27bd5f1c7f512391d1c927aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/vssh/libssh.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 5d5125b526..bde6355f73 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -751,7 +751,11 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+                 "keyboard-interactive, " : "",
+                 sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
+                 "password": "");
+-        if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
++  /* For public key auth we need either the private key or
++     CURLSSH_AUTH_AGENT. */
++  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
++    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
++     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
+           state(data, SSH_AUTH_PKEY_INIT);
+           infof(data, "Authentication using SSH public key file");
+         }
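Review bot: the replacement `if` is indented two columns while the `state(data, SSH_AUTH_PKEY_INIT);` line it governs and the closing brace stay at eight; upstream has the same misalignment, but fixing it while hand-backporting costs nothing and the closing brace at the end of the hunk then pairs visibly with its `if`. The condition itself is right: public-key auth is now entered only when a private key file was given (STRING_SSH_PRIVATE_KEY) or the caller opted into the agent (CURLSSH_AUTH_AGENT); otherwise the else-if chain moves on to the next method the server offered instead of entering the pubkey state with nothing configured.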
diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 85b91ef958..ecda13a04e 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -29,6 +29,7 @@ SRC_URI = " \
     file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \
     file://CVE-2025-14819.patch \
     file://CVE-2025-15079.patch \
+    file://CVE-2025-15224.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \



* [OE-core][scarthgap 17/22] pseudo: Upgrade to version 1.9.1
  2026-01-20 12:08 [OE-core][scarthgap 00/22] Patch review Yoann Congal
                   ` (15 preceding siblings ...)
  2026-01-20 12:08 ` [OE-core][scarthgap 16/22] curl: patch CVE-2025-15224 Yoann Congal
@ 2026-01-20 12:08 ` Yoann Congal
  2026-01-20 12:08 ` [OE-core][scarthgap 18/22] pseudo: 1.9.0 -> 1.9.2 Yoann Congal
                   ` (4 subsequent siblings)
  21 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

This brings in:
 * nftw, nftw64: add wrapper
 * ftw, nftw, ftw64, nftw64: add tests
 * Move ftw and ftw64 to calling ntfw and nftw64
 * makewrappers: Introduce 'array' support
 * pseudo_util.c: Avoid warning when we intentionally discard const
 * pseudo_client.c: Fix warning
 * yocto-older-glibc-symbols.path: Add as a reference patch
 * pseudo/pseudo_client: Add wrapper functions to operate correctly with glibc 2.38 onwards
 * configure: Prune PIE flags
 * test/test-parallel-rename.sh: Add parallel rename test
 * test/test-parallel-symlinks.sh: Add parallel symlink test
 * ports/linux/guts: Add .gitignore to ignore generated files

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 994e508b2a0ede8b5cc4fe39444cf25dc9a53faf)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../0001-configure-Prune-PIE-flags.patch      | 44 -------------
 .../pseudo/files/glibc238.patch               | 65 -------------------
 .../pseudo/files/older-glibc-symbols.patch    |  4 +-
 meta/recipes-devtools/pseudo/pseudo_git.bb    |  4 +-
 4 files changed, 3 insertions(+), 114 deletions(-)
 delete mode 100644 meta/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
 delete mode 100644 meta/recipes-devtools/pseudo/files/glibc238.patch

diff --git a/meta/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch b/meta/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
deleted file mode 100644
index 43504eaab9..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-configure-Prune-PIE-flags.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b5545c08e6c674c49aef14b47a56a3e92df4d2a7 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 17 Feb 2016 07:36:34 +0000
-Subject: [pseudo][PATCH] configure: Prune PIE flags
-
-LDFLAGS are not taken from environment and CFLAGS is used for LDFLAGS
-however when using security options -fpie and -pie options are coming
-as part of ARCH_FLAGS and they get into LDFLAGS of shared objects as
-well so we end up with conflicting options -shared -pie, which gold
-rejects outright and bfd linker lets the one appearning last in cmdline
-take effect. This create quite a unpleasant situation in OE when
-security flags are enabled and gold or not-gold options are used
-it errors out but errors are not same.
-
-Anyway, with this patch we filter pie options from ARCH_FLAGS
-ouright and take control of generating PIC objects
-
-Helps with errors like
-
-| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: pseudo_client.o: relocation R_X86_64_PC32 against symbol `pseudo_util_debug_flags' can not be used when making a shared object; recompile with -fPIC
-| /mnt/oe/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/x86_64-oe-linux/gcc/x86_64-oe-linux/5.3.0/ld: final link failed: Bad value
-| collect2: error: ld returned 1 exit status
-| make: *** [lib/pseudo/lib64/libpseudo.so] Error 1
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Submitted
-
- configure | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/configure b/configure
-index e5ef9ce..83b0890 100755
---- a/configure
-+++ b/configure
-@@ -339,3 +339,5 @@ sed -e '
-   s,@ARCH@,'"$opt_arch"',g
-   s,@BITS@,'"$opt_bits"',g
- ' < Makefile.in > Makefile
-+
-+sed -i -e 's/\-[f]*pie//g' Makefile
--- 
-1.8.3.1
-
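Review bot: dropping 0001-configure-Prune-PIE-flags.patch removes the local sed that strips -fpie/-pie from the generated Makefile; the patch header marks it Upstream-Status: Submitted, not Accepted, so please confirm that the SRCREV this series moves to filters the PIE flags itself. Otherwise builds with the hardening flags (-fpie/-pie arriving via ARCH_FLAGS) would hit the `-shared -pie` link conflict the patch header describes again, and the commit message should state that the fix is now carried upstream.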
diff --git a/meta/recipes-devtools/pseudo/files/glibc238.patch b/meta/recipes-devtools/pseudo/files/glibc238.patch
deleted file mode 100644
index dfb5c283f6..0000000000
--- a/meta/recipes-devtools/pseudo/files/glibc238.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-glibc 2.38 would include  __isoc23_strtol and similar symbols. This is trggerd by
-_GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
-to turn this off within pseudo_wrappers.c. Elsewhere we can switch to _DEFAULT_SOURCE
-rather than _GNU_SOURCE.
-
-Upstream-Status: Pending
-
-Index: git/pseudo_wrappers.c
-===================================================================
---- git.orig/pseudo_wrappers.c
-+++ git/pseudo_wrappers.c
-@@ -6,6 +6,18 @@
-  * SPDX-License-Identifier: LGPL-2.1-only
-  *
-  */
-+/* glibc 2.38 would include  __isoc23_strtol and similar symbols. This is trggerd by
-+ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
-+ * to turn this off.
-+ */
-+#include <features.h>
-+#undef __GLIBC_USE_ISOC2X
-+#undef __GLIBC_USE_C2X_STRTOL
-+#define __GLIBC_USE_C2X_STRTOL 0
-+#undef __GLIBC_USE_ISOC23
-+#undef __GLIBC_USE_C23_STRTOL
-+#define __GLIBC_USE_C23_STRTOL 0
-+
- #include <assert.h>
- #include <stdlib.h>
- #include <limits.h>
-Index: git/pseudo_util.c
-===================================================================
---- git.orig/pseudo_util.c
-+++ git/pseudo_util.c
-@@ -8,6 +8,17 @@
-  */
- /* we need access to RTLD_NEXT for a horrible workaround */
- #define _GNU_SOURCE
-+/* glibc 2.38 would include  __isoc23_strtol and similar symbols. This is trggerd by
-+ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
-+ * to turn this off.
-+ */
-+#include <features.h>
-+#undef __GLIBC_USE_ISOC2X
-+#undef __GLIBC_USE_C2X_STRTOL
-+#define __GLIBC_USE_C2X_STRTOL 0
-+#undef __GLIBC_USE_ISOC23
-+#undef __GLIBC_USE_C23_STRTOL
-+#define __GLIBC_USE_C23_STRTOL 0
- 
- #include <ctype.h>
- #include <errno.h>
-Index: git/pseudo_client.c
-===================================================================
---- git.orig/pseudo_client.c
-+++ git/pseudo_client.c
-@@ -6,7 +6,7 @@
-  * SPDX-License-Identifier: LGPL-2.1-only
-  *
-  */
--#define _GNU_SOURCE
-+#define _DEFAULT_SOURCE
- 
- #include <stdio.h>
- #include <signal.h>
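Review bot: glibc238.patch was Upstream-Status: Pending, so there is no record on this page that the __isoc23_strtol suppression (the `__GLIBC_USE_C23_STRTOL 0` defines in pseudo_wrappers.c and pseudo_util.c, and `_DEFAULT_SOURCE` in pseudo_client.c) was merged upstream. Please confirm the new SRCREV builds and links against glibc 2.38+, where _GNU_SOURCE pulls in the __isoc23_* symbols, before dropping it, and mention that check in the commit message.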
diff --git a/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
index c453b5f735..f42b32b8d9 100644
--- a/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
+++ b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
@@ -28,10 +28,10 @@ diff --git a/Makefile.in b/Makefile.in
 @@ -120,7 +120,7 @@ $(PSEUDODB): pseudodb.o $(SHOBJS) $(DBOBJS) pseudo_ipc.o | $(BIN)
  libpseudo: $(LIBPSEUDO)
  
- $(LIBPSEUDO): $(WRAPOBJS) pseudo_client.o pseudo_ipc.o $(SHOBJS) | $(LIB)
+ $(LIBPSEUDO): $(WRAPOBJS) pseudo_client.o pseudo_client_scanf.o pseudo_ipc.o $(SHOBJS) | $(LIB)
 -	$(CC) $(CFLAGS) $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
 +	$(CC) $(CFLAGS)  -Lprebuilt/$(shell uname -m)-linux/lib/ $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
- 		pseudo_client.o pseudo_ipc.o \
+ 		pseudo_client.o pseudo_client_scanf.o pseudo_ipc.o \
  		$(WRAPOBJS) $(SHOBJS) $(LDFLAGS) $(CLIENT_LDFLAGS)
  
 diff --git a/pseudo_wrappers.c b/pseudo_wrappers.c
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 87c62e0678..5e2a8bf328 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -1,8 +1,6 @@
 require pseudo.inc
 
 SRC_URI = "git://git.yoctoproject.org/pseudo;branch=master;protocol=https \
-           file://0001-configure-Prune-PIE-flags.patch \
-           file://glibc238.patch \
            file://fallback-passwd \
            file://fallback-group \
            "
@@ -14,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "28dcefb809ce95db997811b5662f0b893b9923e0"
+SRCREV = "3fac97341f0f8270ca28a91098d0a58ca306a6bd"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git"
 
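Review bot: SRCREV moves to 3fac97341f0f8270ca28a91098d0a58ca306a6bd but PV stays at "1.9.0+git", and it is the following patch in this series (18/22, pseudo: 1.9.0 -> 1.9.2) that sets PV = "1.9.2". Consider folding the PV bump into this commit so the version string matches the revision it pins, and note in the commit message that the two dropped file:// patches are superseded by the new revision.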


* [OE-core][scarthgap 18/22] pseudo: 1.9.0 -> 1.9.2
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Robert Yang <liezhi.yang@windriver.com>

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 48a42747fd280ce68283e1491971d22273e3bdf2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 5e2a8bf328..ec9ef2dd5d 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "3fac97341f0f8270ca28a91098d0a58ca306a6bd"
+SRCREV = "b4645cb30573c5b3d5e94b9d50e1e2f8beefe9be"
 S = "${WORKDIR}/git"
-PV = "1.9.0+git"
+PV = "1.9.2"
 
 # largefile and 64bit time_t support adds these macros via compiler flags globally
 # remove them for pseudo since pseudo intercepts some of the functions which will be
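Review bot: PV drops the "+git" suffix to a plain "1.9.2" while SRC_URI still fetches branch=master at a pinned SRCREV; that is only accurate if b4645cb30573c5b3d5e94b9d50e1e2f8beefe9be is the 1.9.2 release commit, and 19/22 immediately goes back to "1.9.2+git", so the version string flips twice in three commits. The commit message also has no body; one line on what 1.9.2 brings over 1.9.1 would help stable-branch reviewers.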


* [OE-core][scarthgap 19/22] pseudo: Update to pull in memleak fix
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42137b6f97da0672af365cd841678f39ce5907d2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index ec9ef2dd5d..87730511a9 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "b4645cb30573c5b3d5e94b9d50e1e2f8beefe9be"
+SRCREV = "d1db9c219abf92f15303486a409292237f1fc790"
 S = "${WORKDIR}/git"
-PV = "1.9.2"
+PV = "1.9.2+git"
 
 # largefile and 64bit time_t support adds these macros via compiler flags globally
 # remove them for pseudo since pseudo intercepts some of the functions which will be
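Review bot: the commit message names a memleak fix but not the upstream pseudo commit that contains it, and the range b4645cb3..d1db9c21 may carry more than that one change. Please list the upstream changes being pulled in, as 21/22 does, so the backport is auditable on the stable branch.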


* [OE-core][scarthgap 20/22] pseudo: Add hard sstate dependencies for pseudo-native
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Paul Barker <paul@pbarker.dev>

Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.

We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.

[YOCTO #15963]

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-devtools/pseudo/pseudo.inc b/meta/recipes-devtools/pseudo/pseudo.inc
index 7e09b6d58c..9c191560fb 100644
--- a/meta/recipes-devtools/pseudo/pseudo.inc
+++ b/meta/recipes-devtools/pseudo/pseudo.inc
@@ -156,3 +156,10 @@ do_install:append:class-nativesdk () {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# Setscene tasks which run under fakeroot must not be executed before
+# pseudo-native and *all* its runtime dependencies are available in the
+# sysroot.
+PSEUDO_SETSCENE_DEPS = ""
+PSEUDO_SETSCENE_DEPS:class-native = "sqlite3-native:do_populate_sysroot"
+do_populate_sysroot_setscene[depends] += "${PSEUDO_SETSCENE_DEPS}"
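Review bot: the added comment says pseudo-native and *all* its runtime dependencies must be in the sysroot, but PSEUDO_SETSCENE_DEPS:class-native lists only sqlite3-native:do_populate_sysroot; either narrow the comment to say sqlite3 is the one non-host runtime dependency that matters here, or derive the list from the recipe's DEPENDS so a future dependency does not silently recreate the race. A one-line note on why the nativesdk class keeps an empty list would also help.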


* [OE-core][scarthgap 21/22] pseudo: Update to pull in openat2 and efault return code changes
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Pulls in the following fixes:

 * makewrappers: Enable a new efault option
 * ports/linux/openat2: Add dummy wrapper
 * test-syscall: Add a syscall test
 * ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall

which should fix issues with the tar CVE fix on CentOS/Alma/Rocky 9 distros
that use openat2, as well as the efault issue breaking Rust-based uutils.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 87730511a9..19da3d4e08 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "d1db9c219abf92f15303486a409292237f1fc790"
+SRCREV = "9ce8c09980af23ebd4ebf072010469882d0459a6"
 S = "${WORKDIR}/git"
 PV = "1.9.2+git"
 


* [OE-core][scarthgap 22/22] pseudo: Update to pull in 'makewrappers: Fix EFAULT implementation'
From: Yoann Congal @ 2026-01-20 12:08 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The pseudo update was causing hangs in builds; pull in the fix.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 19da3d4e08..c78f1ab724 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "9ce8c09980af23ebd4ebf072010469882d0459a6"
+SRCREV = "125b020dd2bc46baa37a80784704e382732357b4"
 S = "${WORKDIR}/git"
 PV = "1.9.2+git"
 
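Review bot: this bump exists only to fix the build hangs introduced by the bump in 21/22 (9ce8c09980af23ebd4ebf072010469882d0459a6 -> 125b020dd2bc46baa37a80784704e382732357b4); for a stable branch, squash the two so that no revision in scarthgap history pins a pseudo known to hang, or at least reference the upstream 'makewrappers: Fix EFAULT implementation' commit id in the message so the fix can be verified.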


* Patchtest results for [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files
From: patchtest @ 2026-01-20 12:16 UTC (permalink / raw)
  To: Yoann Congal; +Cc: openembedded-core

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/scarthgap-11-22-cups-allow-unknown-directives-in-conf-files.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

* RE: Patchtest results for [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files
From: Marko, Peter @ 2026-01-20 12:21 UTC (permalink / raw)
  To: patchtest@automation.yoctoproject.org, Yoann Congal
  Cc: openembedded-core@lists.openembedded.org

False positive, as this does not fix a CVE; it only mentions a CVE in the commit message.

I'm wondering why this was sent now and not when I submitted the patch.
In recent months there have been almost 0 emails from patchtest.
I guess it's broken and revives only from time to time?

Peter


* Re: Patchtest results for [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files
From: Yoann Congal @ 2026-01-20 12:59 UTC (permalink / raw)
  To: Marko, Peter
  Cc: patchtest@automation.yoctoproject.org,
	openembedded-core@lists.openembedded.org

On Tue, 20 Jan 2026 at 13:21, Marko, Peter <Peter.Marko@siemens.com> wrote:

> False positive, as this does not fix a CVE; it only mentions a CVE in the
> commit message.
>

Thanks for the analysis :)


> I'm wondering why this was sent now and not when I submitted the patch.
> In recent months there have been almost 0 emails from patchtest.
> I guess it's broken and revives only from time to time?
>

Yup, that's it. It was down for a few weeks but looks better now.




-- 
Yoann Congal
Smile ECS


* Re: Patchtest results for [OE-core][scarthgap 11/22] cups: allow unknown directives in conf files
From: Trevor Gamblin @ 2026-01-20 17:52 UTC (permalink / raw)
  To: yoann.congal, Marko, Peter
  Cc: patchtest@automation.yoctoproject.org,
	openembedded-core@lists.openembedded.org


On 2026-01-20 07:59, Yoann Congal via lists.openembedded.org wrote:
>
>
> On Tue, 20 Jan 2026 at 13:21, Marko, Peter <Peter.Marko@siemens.com> wrote:
>
>     False positive, as this does not fix a CVE; it only mentions a CVE in
>     the commit message.
>
>
> Thanks for the analysis :)
>
>     I'm wondering why this was sent now and not when I submitted the
>     patch.
>     In recent months there have been almost 0 emails from patchtest.
>     I guess it's broken and revives only from time to time?
>
>
> Yup, that's it. It was down for a few weeks but looks better now.
Yes, it went down for a bit but is back up. I think it may have missed
some patch IDs in its tracker, which is why this was sent now.
