* [OE-core][whinlatter 0/6] Patch review
@ 2026-03-11 19:27 Yoann Congal
2026-03-11 19:27 ` [OE-core][whinlatter 1/6] busybox: Fixes CVE-2025-60876 Yoann Congal
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for whinlatter and have comments back by
end of day Friday, March 13.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3380
The following changes since commit 96d653f64e6eaa919dd1f62193a5a96f43430dc4:
build-appliance-image: Update to whinlatter head revisions (2026-03-10 11:53:11 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut
for you to fetch changes up to b37db2db1a03c856f7b4cc94e70b7e6c1ef437b5:
lsb.py: strip ' from os-release file (2026-03-11 01:09:19 +0100)
----------------------------------------------------------------
Livin Sunny (1):
busybox: Fixes CVE-2025-60876
Martin Jansa (1):
lsb.py: strip ' from os-release file
Peter Marko (3):
inetutils: patch CVE-2026-28372
libpam: set status for CVE-2024-10041
go: upgrade 1.25.7 -> 1.25.8
Vijay Anusuri (1):
freetype: Fix CVE-2026-23865
meta/lib/oe/lsb.py | 2 +-
.../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++
.../inetutils/inetutils_2.6.bb | 1 +
.../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++
meta/recipes-core/busybox/busybox_1.37.0.bb | 1 +
.../go/{go-1.25.7.inc => go-1.25.8.inc} | 2 +-
...e_1.25.7.bb => go-binary-native_1.25.8.bb} | 6 +-
..._1.25.7.bb => go-cross-canadian_1.25.8.bb} | 0
...{go-cross_1.25.7.bb => go-cross_1.25.8.bb} | 0
...osssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} | 0
...runtime_1.25.7.bb => go-runtime_1.25.8.bb} | 0
.../go/{go_1.25.7.bb => go_1.25.8.bb} | 0
meta/recipes-extended/pam/libpam_1.7.1.bb | 2 +
.../freetype/freetype/CVE-2026-23865.patch | 54 ++++++++++++
.../freetype/freetype_2.13.3.bb | 4 +-
15 files changed, 194 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
rename meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} (91%)
rename meta/recipes-devtools/go/{go-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} (79%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} (100%)
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
* [OE-core][whinlatter 1/6] busybox: Fixes CVE-2025-60876
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Livin Sunny <livinsunny519@gmail.com>
This addresses CVE-2025-60876[1], which allows malicious URLs to inject
HTTP headers. It has been accepted by Debian[2] and is tracked here [4].
The upstream fix has been submitted [3] and is pending merge.
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876
[2] https://bugs.debian.org/1120795
[3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
[4] https://security-tracker.debian.org/tracker/CVE-2025-60876
Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
Signed-off-by: Livin Sunny <livinsunny519@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry-picked from f12af98df8f627c6d1836d27be48bac542a4f00e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.37.0.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
new file mode 100644
index 00000000000..1cf29680e01
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
@@ -0,0 +1,42 @@
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Fri, 21 Nov 2025 11:21:18 +0200
+Subject: wget: don't allow control characters or spaces in the URL
+Bug-Debian: https://bugs.debian.org/1120795
+
+Fixes CVE-2025-60876 malicious URL can be used to inject
+HTTP headers in the request.
+
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+Reviewed-by: Emmanuel Deloget <logout@free.fr>
+
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
+
+CVE: CVE-2025-60876
+
+Signed-off-by: Livin Sunny <livinsunny519@gmail.com>
+---
+ networking/wget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index ec3767793..fa555427b 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
+ {
+ char *url, *p, *sp;
+
++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
++ /* otherwise a malicious URL can be used to inject HTTP headers in the request */
++ const unsigned char *u = (void *) src_url;
++ while (*u) {
++ if (*u <= ' ')
++ bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
++ u++;
++ }
++
+ free(h->allocated);
+ h->allocated = url = xstrdup(src_url);
+
+--
+2.47.3
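Review bot: the filter added at `if (*u <= ' ')` rejects every byte from NUL through space, which covers the CR and LF that make header injection possible, but it lets DEL (0x7F) through even though RFC 3986 also forbids it unencoded in a URL; `if (*u <= ' ' || *u == 0x7f)` would close that gap at no cost. Also, `(void *) src_url` silently discards the const qualifier before the pointer is re-qualified as `const unsigned char *`; `(const unsigned char *) src_url` states exactly what is meant. Since the loop sits at the top of `parse_url()`, it now also rejects a raw space anywhere in the URL, including a query string the old code tolerated, which is a behaviour change worth a sentence in the recipe's commit message.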
diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb
index 9e6a7b7b4cb..d3851a27b97 100644
--- a/meta/recipes-core/busybox/busybox_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.37.0.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \
file://CVE-2025-46394-01.patch \
file://CVE-2025-46394-02.patch \
+ file://CVE-2025-60876.patch \
"
SRC_URI:append:libc-musl = " file://musl.cfg"
SRC_URI:append:x86-64 = " file://sha_accel.cfg"
* [OE-core][whinlatter 2/6] inetutils: patch CVE-2026-28372
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patch according to [1] (equivalent to patch from [2]).
[1] https://security-tracker.debian.org/tracker/CVE-2026-28372
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++
.../inetutils/inetutils_2.6.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
new file mode 100644
index 00000000000..b6d07b2902d
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
@@ -0,0 +1,86 @@
+From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
+From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Date: Sun, 15 Feb 2026 15:38:50 +0100
+Subject: [PATCH] telnetd: don't allow systemd service credentials
+
+The login(1) implementation of util-linux added support for
+systemd service credentials in release 2.40. This allows to
+bypass authentication by specifying a directory name in the
+environment variable CREDENTIALS_DIRECTORY. If this directory
+contains a file named 'login.noauth' with the content of 'yes',
+login(1) skips authentication.
+
+GNU Inetutils telnetd supports to set arbitrary environment
+variables using the 'Environment' and 'New Environment'
+Telnet options. This allows specifying a directory containing
+'login.noauth'. A local user can create such a directory
+and file, and, e.g., specify the user name 'root' to escalate
+privileges.
+
+This problem was reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
+This commit clears CREDENTIALS_DIRECTORY from the environment
+before executing login(1) to implement a simple fix that can
+be backported easily.
+
+* NEWS.md: Mention fix.
+* THANKS: Mention Ron Ben Yizhak.
+* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
+before executing 'login'.
+
+CVE: CVE-2026-28372
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS | 5 +++++
+ THANKS | 1 +
+ telnetd/pty.c | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 877ca53b..f5172a71 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,10 @@
+ GNU inetutils NEWS -- history of user-visible changes.
+
++** Prevent privilege escalation via telnetd abusing systemd service
++credentials support added to the login(1) implementation of util-linux
++in release 2.40. Reported by Ron Ben Yizhak in
++<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
++
+ * Noteworthy changes in release 2.6 (2025-02-21) [stable]
+
+ ** The release tarball is now reproducible.
+diff --git a/THANKS b/THANKS
+index 8d1d3dbb..ef5f6063 100644
+--- a/THANKS
++++ b/THANKS
+@@ -9,6 +9,7 @@ In particular:
+ NIIBE Yutaka (Security fixes & making talk finally work)
+ Nathan Neulinger (tftpd)
+ Thomas Bushnell (sockaddr sin_len field)
++ Ron Ben Yizhak (reported privilege escalation via telnetd)
+
+ Please see version control logs and ChangeLog.? for full credits.
+
+diff --git a/telnetd/pty.c b/telnetd/pty.c
+index c727e7be..f3518049 100644
+--- a/telnetd/pty.c
++++ b/telnetd/pty.c
+@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name)
+ if (!cmd)
+ fatal (net, "can't expand login command line");
+ argcv_get (cmd, "", &argc, &argv);
++
++ /* util-linux's "login" introduced an authentication bypass method
++ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
++ * Clear it from the environment before executing "login" to prevent
++ * abuse via Telnet.
++ */
++ unsetenv ("CREDENTIALS_DIRECTORY");
++
+ execv (argv[0], argv);
+ syslog (LOG_ERR, "%s: %m\n", cmd);
+ fatalperror (net, cmd);
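Review bot: `unsetenv ("CREDENTIALS_DIRECTORY")` immediately before `execv` is a one-variable denylist, and the commit message states that this narrow form was chosen so it backports easily, which fits a stable branch; the environment-passing behaviour of the Telnet 'Environment'/'New Environment' options that the message describes is otherwise unchanged, so treat this as closing the known bypass rather than hardening environment handling in general. The hunk adds no `#include`; `unsetenv` is declared in `<stdlib.h>`, so confirm telnetd/pty.c already pulls it in (a build with `-Werror=implicit-function-declaration` would catch it if not).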
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
index 967ecdd4426..29a40143a28 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
file://tftpd.xinetd.inetutils \
file://CVE-2026-24061-01.patch \
file://CVE-2026-24061-02.patch \
+ file://CVE-2026-28372.patch \
"
inherit autotools gettext update-alternatives texinfo
* [OE-core][whinlatter 3/6] libpam: set status for CVE-2024-10041
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE was fixed in v1.6.1 (per [1]).
NVD tracks it as a version-less CVE for RedHat.
[1] https://security-tracker.debian.org/tracker/CVE-2024-10041
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
index 8d9ea270288..e83accd8815 100644
--- a/meta/recipes-extended/pam/libpam_1.7.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
@@ -170,3 +170,5 @@ CONFFILES:${PN}-runtime += "${sysconfdir}/security/limits.conf"
GITHUB_BASE_URI = "https://github.com/linux-pam/linux-pam/releases"
CVE_PRODUCT = "linux-pam"
+
+CVE_STATUS[CVE-2024-10041] = "fixed-version: fixed since v1.6.1"
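Review bot: `fixed-version: fixed since v1.6.1` is the right CVE_STATUS category here, since the recipe is already at 1.7.1 and the commit message cites the Debian tracker for the fix version; consider putting that tracker URL (or the upstream fix commit) into the reason string itself, so the next person auditing CVE_STATUS entries in this recipe does not have to go through git log to find the justification.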
* [OE-core][whinlatter 4/6] go: upgrade 1.25.7 -> 1.25.8
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Upgrade to latest 1.25.x release [1]:
$ git --no-pager log --oneline go1.25.7..go1.25.8
439ff996f0 (tag: go1.25.8) [release-branch.go1.25] go1.25.8
a9db31e6d9 [release-branch.go1.25] html/template: properly escape URLs in meta content attributes
d8174a9500 [release-branch.go1.25] net/url: reject IPv6 literal not at start of host
4091800393 [release-branch.go1.25] os: avoid escape from Root via ReadDir or Readdir
0ee4ab4c3f [release-branch.go1.25] internal/syscall/windows: correct some enums and syscall signatures
9f8fa93be5 [release-branch.go1.25] os: support deleting inaccessible files in RemoveAll
df7331dc32 [release-branch.go1.25] all: update x/sys
92544bbc98 [release-branch.go1.25] runtime: don't negate eventfd errno
0c56fa2818 [release-branch.go1.25] net/smtp: prevent test failures due to expired test certificate
592530ed6b [release-branch.go1.25] cmd/go: fix pkg-config flag sanitization
0222717377 [release-branch.go1.25] cmd/compile: fix mis-compilation for static array initialization
Fixes CVE-2026-27137, CVE-2026-27138, CVE-2026-27142, CVE-2026-25679 and
CVE-2026-27139.
Release information: [2]
[1] https://github.com/golang/go/compare/go1.25.7...go1.25.8
[2] https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} | 2 +-
...o-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} | 6 +++---
...cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} | 0
.../go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} | 0
.../go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} | 0
.../go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} | 0
meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} | 0
7 files changed, 4 insertions(+), 4 deletions(-)
rename meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} (91%)
rename meta/recipes-devtools/go/{go-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} (79%)
rename meta/recipes-devtools/go/{go-cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} (100%)
rename meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} (100%)
diff --git a/meta/recipes-devtools/go/go-1.25.7.inc b/meta/recipes-devtools/go/go-1.25.8.inc
similarity index 91%
rename from meta/recipes-devtools/go/go-1.25.7.inc
rename to meta/recipes-devtools/go/go-1.25.8.inc
index ab58f712ef1..5db1b1c04cb 100644
--- a/meta/recipes-devtools/go/go-1.25.7.inc
+++ b/meta/recipes-devtools/go/go-1.25.8.inc
@@ -18,4 +18,4 @@ SRC_URI += "\
file://0011-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch \
file://0001-runtime-when-using-cgo-on-386-call-C-sigaction-funct.patch \
"
-SRC_URI[main.sha256sum] = "178f2832820274b43e177d32f06a3ebb0129e427dd20a5e4c88df2c1763cf10a"
+SRC_URI[main.sha256sum] = "e988d4a2446ac7fe3f6daa089a58e9936a52a381355adec1c8983230a8d6c59e"
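Review bot: the only change in this hunk is the `SRC_URI[main.sha256sum]` value, which cannot be validated from the diff alone; check it against the checksum published for the 1.25.8 source tarball at https://go.dev/dl/ rather than relying on the fetch succeeding, since the fetcher only proves the downloaded tarball matches whatever digest the recipe already carries.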
diff --git a/meta/recipes-devtools/go/go-binary-native_1.25.7.bb b/meta/recipes-devtools/go/go-binary-native_1.25.8.bb
similarity index 79%
rename from meta/recipes-devtools/go/go-binary-native_1.25.7.bb
rename to meta/recipes-devtools/go/go-binary-native_1.25.8.bb
index 19951344810..df6cb542fb6 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.25.7.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.25.8.bb
@@ -9,9 +9,9 @@ PROVIDES = "go-native"
# Checksums available at https://go.dev/dl/
SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "12e6d6a191091ae27dc31f6efc630e3a3b8ba409baf3573d955b196fdf086005"
-SRC_URI[go_linux_arm64.sha256sum] = "ba611a53534135a81067240eff9508cd7e256c560edd5d8c2fef54f083c07129"
-SRC_URI[go_linux_ppc64le.sha256sum] = "42124c0edc92464e2b37b2d7fcd3658f0c47ebd6a098732415a522be8cb88e3f"
+SRC_URI[go_linux_amd64.sha256sum] = "ceb5e041bbc3893846bd1614d76cb4681c91dadee579426cf21a63f2d7e03be6"
+SRC_URI[go_linux_arm64.sha256sum] = "7d137f59f66bb93f40a6b2b11e713adc2a9d0c8d9ae581718e3fad19e5295dc7"
+SRC_URI[go_linux_ppc64le.sha256sum] = "28ed144a945e4d7188c93f8d85fb772a98ed18f8f9f8d3a650696b739f8cc57c"
UPSTREAM_CHECK_URI = "https://golang.org/dl/"
UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
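Review bot: the three replaced `SRC_URI[go_linux_*.sha256sum]` values are likewise unverifiable from the diff; the comment at the top of the hunk (`# Checksums available at https://go.dev/dl/`) names the reference, so compare each of the amd64, arm64 and ppc64le digests against that table before merging.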
diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.25.7.bb b/meta/recipes-devtools/go/go-cross-canadian_1.25.8.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross-canadian_1.25.7.bb
rename to meta/recipes-devtools/go/go-cross-canadian_1.25.8.bb
diff --git a/meta/recipes-devtools/go/go-cross_1.25.7.bb b/meta/recipes-devtools/go/go-cross_1.25.8.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-cross_1.25.7.bb
rename to meta/recipes-devtools/go/go-cross_1.25.8.bb
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.25.7.bb b/meta/recipes-devtools/go/go-crosssdk_1.25.8.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-crosssdk_1.25.7.bb
rename to meta/recipes-devtools/go/go-crosssdk_1.25.8.bb
diff --git a/meta/recipes-devtools/go/go-runtime_1.25.7.bb b/meta/recipes-devtools/go/go-runtime_1.25.8.bb
similarity index 100%
rename from meta/recipes-devtools/go/go-runtime_1.25.7.bb
rename to meta/recipes-devtools/go/go-runtime_1.25.8.bb
diff --git a/meta/recipes-devtools/go/go_1.25.7.bb b/meta/recipes-devtools/go/go_1.25.8.bb
similarity index 100%
rename from meta/recipes-devtools/go/go_1.25.7.bb
rename to meta/recipes-devtools/go/go_1.25.8.bb
* [OE-core][whinlatter 5/6] freetype: Fix CVE-2026-23865
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23865
https://security-tracker.debian.org/tracker/CVE-2026-23865
Picked patch mentioned in NVD
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../freetype/freetype/CVE-2026-23865.patch | 54 +++++++++++++++++++
.../freetype/freetype_2.13.3.bb | 4 +-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
new file mode 100644
index 00000000000..aa0d4326f83
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
@@ -0,0 +1,54 @@
+From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 3 Jan 2026 08:07:57 +0100
+Subject: [PATCH] [ttgxvar] Check for overflow in array size computation.
+
+Problem reported and analyzed by povcfe <povcfe2sec@gmail.com>.
+
+Fixes issue #1382.
+
+* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it.
+
+Upstream-Status: Backport [https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c]
+CVE: CVE-2026-23865
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/truetype/ttgxvar.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 2ff40c9e8..96ddc04c8 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -628,6 +628,7 @@
+ FT_UShort word_delta_count;
+ FT_UInt region_idx_count;
+ FT_UInt per_region_size;
++ FT_UInt delta_set_size;
+
+
+ if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) )
+@@ -697,7 +698,19 @@
+ if ( long_words )
+ per_region_size *= 2;
+
+- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) )
++ /* Check for overflow (we actually test whether the */
++ /* multiplication of two unsigned values wraps around). */
++ delta_set_size = per_region_size * item_count;
++ if ( per_region_size &&
++ delta_set_size / per_region_size != item_count )
++ {
++ FT_TRACE2(( "tt_var_load_item_variation_store:"
++ " bad delta set array size\n" ));
++ error = FT_THROW( Array_Too_Large );
++ goto Exit;
++ }
++
++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) )
+ goto Exit;
+ if ( FT_Stream_Read( stream,
+ varData->deltaSet,
+--
+GitLab
+
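Review bot: the wraparound test `delta_set_size / per_region_size != item_count` is the standard form and is correct for unsigned operands, provided `item_count` is also an unsigned type no wider than `FT_UInt`; it is not declared in the visible context, so that is worth a glance when applying the patch. The `per_region_size &&` guard avoids a division by zero and then falls through to `FT_NEW_ARRAY( varData->deltaSet, 0 )`, which is exactly what the pre-patch line did for an empty region, so there is no regression on that path.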
diff --git a/meta/recipes-graphics/freetype/freetype_2.13.3.bb b/meta/recipes-graphics/freetype/freetype_2.13.3.bb
index dbfffdb65fc..1fda9c57e78 100644
--- a/meta/recipes-graphics/freetype/freetype_2.13.3.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.13.3.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=843b6efc16f6b1652ec97f89d5a516c0 \
file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec \
"
-SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz"
+SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
+ file://CVE-2026-23865.patch \
+"
SRC_URI[sha256sum] = "0550350666d427c74daeb85d5ac7bb353acba5f76956395995311a9c6f063289"
UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"
* [OE-core][whinlatter 6/6] lsb.py: strip ' from os-release file
From: Yoann Congal @ 2026-03-11 19:27 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
In gentoo the file looks like this:
NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'
' were added with:
https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80
before that the os-release file looked like this:
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"
The ' is stripped from the ID later in distro_identifier with:
# Filter out any non-alphanumerics and convert to lowercase
distro_id = re.sub(r'\W', '', distro_id).lower()
but not from version, which results in a weird NATIVELSBSTRING like:
NATIVELSBSTRING = "gentoo-'2.18'"
And similarly the directory name in sstate-cache:
oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'" sstate-cache/gentoo-2.18
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/lib/oe/lsb.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oe/lsb.py b/meta/lib/oe/lsb.py
index 3ec03e5042b..1fc3b968a0a 100644
--- a/meta/lib/oe/lsb.py
+++ b/meta/lib/oe/lsb.py
@@ -16,7 +16,7 @@ def get_os_release():
key, val = line.rstrip().split('=', 1)
except ValueError:
continue
- data[key.strip()] = val.strip('"')
+ data[key.strip()] = val.strip('"\'')
return data
def release_dict_osr():
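Review bot: `val.strip('"\'')` removes any run of either quote character from both ends, so it accepts mixed quoting such as `'2.18"` as readily as the well-formed forms and would also trim a legitimate trailing quote inside a value; for os-release values that is harmless and is the same permissive handling the old line already applied to `"`, so this is fine as is. Note the fix only changes what gets stored; the `re.sub(r'\W', ...)` filter on `distro_id` quoted in the commit message is untouched, which is why `ID` never showed the problem while `VERSION_ID` did.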
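As an added illustration, not code from the commit or from oe-core, the following stand-alone script re-implements the key=value loop shown in the hunk with the stripped quote characters as a parameter, and rebuilds the `<id>-<version>` string the way the commit message describes, using the two Gentoo os-release excerpts quoted above; the parser, the `native_lsb_string` helper and the sample files are constructed here.

```python
import re

# Constructed from the two Gentoo /etc/os-release excerpts quoted in the
# commit message: single-quoted values (after gentoo commit 2f590e35) and
# the earlier double-quoted/bare layout.
OS_RELEASE_SINGLE_QUOTED = """\
NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
ANSI_COLOR='1;32'
"""

OS_RELEASE_DOUBLE_QUOTED = """\
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
VERSION_ID="2.18"
"""

# What str.strip() removes from a value: the old line stripped only the
# double quote, the fixed line strips both quote characters.
QUOTES_BEFORE_FIX = '"'
QUOTES_AFTER_FIX = '"\''


def parse_os_release(text, quote_chars):
    """Stand-alone re-implementation of the key=value loop in the hunk.

    quote_chars is the argument handed to str.strip() for each value.
    """
    data = {}
    for line in text.splitlines():
        try:
            key, val = line.rstrip().split('=', 1)
        except ValueError:
            continue  # no '=': blank line or comment, skipped like the original
        data[key.strip()] = val.strip(quote_chars)
    return data


def native_lsb_string(data):
    """Combine ID and VERSION_ID the way the commit message describes.

    The id goes through the non-alphanumeric filter quoted in the commit
    message, so a stray quote never survives there; the version does not,
    which is where the quote used to leak into NATIVELSBSTRING.
    """
    distro_id = re.sub(r'\W', '', data.get('ID', '')).lower()
    return "{}-{}".format(distro_id, data.get('VERSION_ID', ''))


def before_fix():
    """NATIVELSBSTRING for the single-quoted file with the old strip."""
    return native_lsb_string(parse_os_release(OS_RELEASE_SINGLE_QUOTED,
                                              QUOTES_BEFORE_FIX))


def after_fix():
    """Same input with the fixed strip."""
    return native_lsb_string(parse_os_release(OS_RELEASE_SINGLE_QUOTED,
                                              QUOTES_AFTER_FIX))


def both_styles_agree():
    """True when the fixed parser yields identical values for every key
    present in both the old and the new Gentoo layout."""
    new = parse_os_release(OS_RELEASE_SINGLE_QUOTED, QUOTES_AFTER_FIX)
    old = parse_os_release(OS_RELEASE_DOUBLE_QUOTED, QUOTES_AFTER_FIX)
    return all(new[k] == old[k] for k in new.keys() & old.keys())


if __name__ == "__main__":
    print("before:", before_fix())  # gentoo-'2.18'
    print("after: ", after_fix())   # gentoo-2.18
    print("old and new layouts agree:", both_styles_agree())  # True
```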
* Re: [OE-core][whinlatter 0/6] Patch review
From: Yoann Congal @ 2026-03-12 23:24 UTC (permalink / raw)
To: Yoann Congal, openembedded-core
On Wed Mar 11, 2026 at 8:27 PM CET, Yoann Congal wrote:
> Please review this set of changes for whinlatter and have comments back by
> end of day Friday, March 13.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3380
>
> The following changes since commit 96d653f64e6eaa919dd1f62193a5a96f43430dc4:
>
> build-appliance-image: Update to whinlatter head revisions (2026-03-10 11:53:11 +0000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib stable/whinlatter-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/whinlatter-nut
>
> for you to fetch changes up to b37db2db1a03c856f7b4cc94e70b7e6c1ef437b5:
>
> lsb.py: strip ' from os-release file (2026-03-11 01:09:19 +0100)
I plan to also add to this merge: [whinlatter][PATCH] scripts/install-buildtools: Update to 5.3.2
https://lore.kernel.org/openembedded-core/20260312231730.751467-1-yoann.congal@smile.fr/T/#u
>
> ----------------------------------------------------------------
>
> Livin Sunny (1):
> busybox: Fixes CVE-2025-60876
>
> Martin Jansa (1):
> lsb.py: strip ' from os-release file
>
> Peter Marko (3):
> inetutils: patch CVE-2026-28372
> libpam: set status for CVE-2024-10041
> go: upgrade 1.25.7 -> 1.25.8
>
> Vijay Anusuri (1):
> freetype: Fix CVE-2026-23865
>
> meta/lib/oe/lsb.py | 2 +-
> .../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++
> .../inetutils/inetutils_2.6.bb | 1 +
> .../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++
> meta/recipes-core/busybox/busybox_1.37.0.bb | 1 +
> .../go/{go-1.25.7.inc => go-1.25.8.inc} | 2 +-
> ...e_1.25.7.bb => go-binary-native_1.25.8.bb} | 6 +-
> ..._1.25.7.bb => go-cross-canadian_1.25.8.bb} | 0
> ...{go-cross_1.25.7.bb => go-cross_1.25.8.bb} | 0
> ...osssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} | 0
> ...runtime_1.25.7.bb => go-runtime_1.25.8.bb} | 0
> .../go/{go_1.25.7.bb => go_1.25.8.bb} | 0
> meta/recipes-extended/pam/libpam_1.7.1.bb | 2 +
> .../freetype/freetype/CVE-2026-23865.patch | 54 ++++++++++++
> .../freetype/freetype_2.13.3.bb | 4 +-
> 15 files changed, 194 insertions(+), 6 deletions(-)
> create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
> create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
> rename meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} (91%)
> rename meta/recipes-devtools/go/{go-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} (79%)
> rename meta/recipes-devtools/go/{go-cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} (100%)
> rename meta/recipes-devtools/go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} (100%)
> rename meta/recipes-devtools/go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} (100%)
> rename meta/recipes-devtools/go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} (100%)
> rename meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} (100%)
> create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
--
Yoann Congal
Smile ECS