* [OE-core][scarthgap 01/26] pseudo: Update to version 1.9.8
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 02/26] openssh: fix CVE-2026-35386 Yoann Congal
` (24 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@kernel.crashing.org>
Changelog:
Makefile.in: Bump to 1.9.8
pseudo_client.h: Fix typo in the comment
client: permissions drop setuid and setgid
tests: Add setuid permission check
pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
tests: Add test that returned stat is correct
pseudo_client.h: Make it clear both macros must be updated together
Makefile.in: Add pseudo_client.h as a dependency
Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 1ca1ebd6bf2..3d7dd62448f 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "5b7c4b59e7e198aab54b35ea194aeb6d99794f96"
+SRCREV = "823895ba708c63f6ae4dcbfc266210f26c02c698"
S = "${WORKDIR}/git"
-PV = "1.9.7"
+PV = "1.9.8"
# largefile and 64bit time_t support adds these macros via compiler flags globally
# remove them for pseudo since pseudo intercepts some of the functions which will be
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 02/26] openssh: fix CVE-2026-35386
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 01/26] pseudo: Update to version 1.9.8 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 03/26] tiff: fix CVE-2026-4775 Yoann Congal
` (23 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
CVE-2026-35386 is already fixed by the existing CVE-2025-61984 backport.
Rename CVE-2025-61984.patch to CVE-2025-61984_CVE-2026-35386.patch and
add the second CVE tag to document that one patch covers both CVEs.
https://nvd.nist.gov/vuln/detail/CVE-2026-35386
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} | 2 +-
meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-connectivity/openssh/openssh/{CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} (99%)
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch
similarity index 99%
rename from meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
rename to meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch
index f705410b240..7fcb02d613e 100644
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch
@@ -32,7 +32,7 @@ Slightly modified since variable expansion of user names was
first released in 10.0, commit bd30cf784d6e8"
Upstream-Status: Backport [Upstream commit https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
-CVE: CVE-2025-61984
+CVE: CVE-2025-61984 CVE-2026-35386
Signed-off-by: David Nyström <david.nystrom@est.tech>
---
ssh.c | 26 +++++++++++++++++++++++---
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index a1b5d4a5535..ea158b56b41 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -33,7 +33,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2025-26465.patch \
file://CVE-2025-32728.patch \
file://CVE-2025-61985.patch \
- file://CVE-2025-61984.patch \
+ file://CVE-2025-61984_CVE-2026-35386.patch \
file://CVE-2026-35385.patch \
file://CVE-2026-35387.patch \
file://CVE-2026-35388.patch \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 03/26] tiff: fix CVE-2026-4775
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 01/26] pseudo: Update to version 1.9.8 Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 02/26] openssh: fix CVE-2026-35386 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 04/26] go: fix CVE-2025-58183 Yoann Congal
` (22 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Naman Jain <nmjain23@gmail.com>
Fix CVE-2026-4775
Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libtiff/tiff/CVE-2026-4775.patch | 59 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
new file mode 100644
index 00000000000..ed5f0714a61
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
@@ -0,0 +1,59 @@
+From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 22 Feb 2026 23:32:47 +0100
+Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap
+ overflow on images with huge width in YCbCr tile decoding functions
+
+Fixes https://gitlab.com/libtiff/libtiff/-/issues/787
+
+CVE: CVE-2026-4775
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c]
+
+Signed-off-by: Naman Jain <namanj1@kpit.com>
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4543dddae..fa82d0910 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ uint32_t *cp1 = cp + w + toskew;
+ uint32_t *cp2 = cp1 + w + toskew;
+ uint32_t *cp3 = cp2 + w + toskew;
+- int32_t incr = 3 * w + 4 * toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void)y;
+ /* adjust fromskew */
+@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32_t *cp1 = cp + w + toskew;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void)y;
+ fromskew = (fromskew / 4) * (4 * 2 + 2);
+@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 2) * (2 * 2 + 2);
+ cp2 = cp + w + toskew;
+@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp + w + toskew;
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 07540692fcf..fca846589fd 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-52356.patch \
file://CVE-2024-7006.patch \
file://CVE-2025-9900.patch \
+ file://CVE-2026-4775.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 04/26] go: fix CVE-2025-58183
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 03/26] tiff: fix CVE-2026-4775 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 05/26] go: fix CVE-2026-25679 Yoann Congal
` (21 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded memory consumption when reading GNU tar pax
1.0 sparse file regions in archive/tar.
[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-58183
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2025-58183.patch | 107 ++++++++++++++++++
2 files changed, 108 insertions(+)
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58183.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 7016acd0616..f6feb1d0b5f 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -58,6 +58,7 @@ SRC_URI += "\
file://CVE-2026-42501.patch \
file://CVE-2026-42504.patch \
file://CVE-2026-42507.patch \
+ file://CVE-2025-58183.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-58183.patch b/meta/recipes-devtools/go/go/CVE-2025-58183.patch
new file mode 100644
index 00000000000..51a4f02ddcd
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-58183.patch
@@ -0,0 +1,107 @@
+From c25bf45db0b232e8ad9d2bc53e61678ebc5efe90 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 11 Sep 2025 13:32:10 -0700
+Subject: [PATCH] [release-branch.go1.24] archive/tar: set a limit on the
+ size of GNU sparse file 1.0 regions
+
+Sparse files in tar archives contain only the non-zero components
+of the file. There are several different encodings for sparse
+files. When reading GNU tar pax 1.0 sparse files, archive/tar did
+not set a limit on the size of the sparse region data. A malicious
+archive containing a large number of sparse blocks could cause
+archive/tar to read an unbounded amount of data from the archive
+into memory.
+
+Since a malicious input can be highly compressable, a small
+compressed input could cause very large allocations.
+
+Cap the size of the sparse block data to the same limit used
+for PAX headers (1 MiB).
+
+Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
+for reporting this issue.
+
+Fixes CVE-2025-58183
+For #75677
+Fixes #75710
+
+CVE: CVE-2025-58183
+Upstream-Status: Backport [https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556]
+
+Backport Changes:
+- The upstream fix includes a testdata tarball as a git binary diff.
+ However, quilt cannot apply git binary diffs and fails with the error:
+ "File src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2:
+ git binary diffs are not supported."
+- As a result, the unnecessary bzip2 test file
+ src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
+ has been removed.
+- Furthermore, in src/archive/tar/reader_test.go, within the TestReader()
+ function, the test vector entry for testdata/gnu-sparse-many-zeros.tar.bz2
+ has been removed.
+
+Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709843
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+(cherry picked from commit 613e746327381d820759ebea6ce722720b343556)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ src/archive/tar/common.go | 1 +
+ src/archive/tar/reader.go | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
+index 4910908f81e..ec1b8668547 100644
+--- a/src/archive/tar/common.go
++++ b/src/archive/tar/common.go
+@@ -38,6 +38,7 @@ var (
+ errMissData = errors.New("archive/tar: sparse file references non-existent data")
+ errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data")
+ errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole")
++ errSparseTooLong = errors.New("archive/tar: sparse map too long")
+ )
+
+ type headerError []string
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 0811779adda..71d0b20b76d 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ cntNewline int64
+ buf bytes.Buffer
+ blk block
++ totalSize int
+ )
+
+ // feedTokens copies data in blocks from r into buf until there are
+ // at least cnt newlines in buf. It will not read more blocks than needed.
+ feedTokens := func(n int64) error {
+ for cntNewline < n {
++ totalSize += len(blk)
++ if totalSize > maxSpecialFileSize {
++ return errSparseTooLong
++ }
+ if _, err := mustReadFull(r, blk[:]); err != nil {
+ return err
+ }
+@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ }
+
+ // Parse for all member entries.
+- // numEntries is trusted after this since a potential attacker must have
+- // committed resources proportional to what this library used.
++ // numEntries is trusted after this since feedTokens limits the number of
++ // tokens based on maxSpecialFileSize.
+ if err := feedTokens(2 * numEntries); err != nil {
+ return nil, err
+ }
+--
+2.35.6
+
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 05/26] go: fix CVE-2026-25679
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 04/26] go: fix CVE-2025-58183 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 06/26] go: fix CVE-2026-32288 Yoann Congal
` (20 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This patch applies the upstream fix [1], as referenced in [2],
to address insufficient validation in `url.Parse`.
Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix.
This Scarthgap recipe already carries CVE-2025-47912.patch, so the
fix is applicable to the patched Go 1.22.12 source used here.
[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-25679
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2026-25679.patch | 74 +++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-devtools/go/go/CVE-2026-25679.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index f6feb1d0b5f..7d4274b4eb4 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -59,6 +59,7 @@ SRC_URI += "\
file://CVE-2026-42504.patch \
file://CVE-2026-42507.patch \
file://CVE-2025-58183.patch \
+ file://CVE-2026-25679.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-25679.patch b/meta/recipes-devtools/go/go/CVE-2026-25679.patch
new file mode 100644
index 00000000000..13800564f00
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-25679.patch
@@ -0,0 +1,74 @@
+From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001
+From: Ian Alexander <jitsu@google.com>
+Date: Wed, 28 Jan 2026 15:29:52 -0500
+Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not
+ at start of host
+
+This change rejects IPv6 literals that do not appear at the start of the
+host subcomponent of a URL.
+
+For example:
+ http://example.com[::1] -> rejects
+ http://[::1] -> accepts
+
+Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
+
+Updates #77578
+Fixes #77969
+Fixes CVE-2026-25679
+
+CVE: CVE-2026-25679
+Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803]
+
+Change-Id: I7109031880758f7c1eb4eca513323328feace33c
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642
+Reviewed-on: https://go-review.googlesource.com/c/go/+/752100
+Reviewed-by: Cherry Mui <cherryyz@google.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+TryBot-Bypass: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ src/net/url/url.go | 4 +++-
+ src/net/url/url_test.go | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 5219e3c130b..ab59c63adfa 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) {
+ // parseHost parses host as an authority without user
+ // information. That is, as host[:port].
+ func parseHost(host string) (string, error) {
+- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 {
++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 {
++ return "", errors.New("invalid IP-literal")
++ } else if openBracketIdx == 0 {
+ // Parse an IP-Literal in RFC 3986 and RFC 6874.
+ // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80".
+ closeBracketIdx := strings.LastIndex(host, "]")
+diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
+index b2f8bd95fcf..8ffbf075cb8 100644
+--- a/src/net/url/url_test.go
++++ b/src/net/url/url_test.go
+@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) {
+ {"http://[fe80::1", true}, // missing closing bracket
+ {"http://fe80::1]/", true}, // missing opening bracket
+ {"http://[test.com]/", true}, // domain name in brackets
++ {"http://example.com[::1]", true}, // IPv6 literal doesn't start with '['
++ {"http://example.com[::1", true},
++ {"http://[::1", true},
++ {"http://.[::1]", true},
++ {"http:// [::1]", true},
++ {"hxxp://mathepqo[.]serveftp(.)com:9059", true},
+ }
+ for _, tt := range tests {
+ u, err := Parse(tt.in)
+--
+2.35.6
+
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 06/26] go: fix CVE-2026-32288
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 05/26] go: fix CVE-2026-25679 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 07/26] binutils: Fix CVE-2025-69644 Yoann Congal
` (19 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This patch applies the upstream fix [1], as referenced in [2],
to address unbounded sparse map handling in `archive/tar`.
[1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-32288
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2026-32288.patch | 162 ++++++++++++++++++
2 files changed, 163 insertions(+)
create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32288.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index 7d4274b4eb4..f85104d6f15 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -60,6 +60,7 @@ SRC_URI += "\
file://CVE-2026-42507.patch \
file://CVE-2025-58183.patch \
file://CVE-2026-25679.patch \
+ file://CVE-2026-32288.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-32288.patch b/meta/recipes-devtools/go/go/CVE-2026-32288.patch
new file mode 100644
index 00000000000..a80029ede0a
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-32288.patch
@@ -0,0 +1,162 @@
+From 12bbeb57c20d32519c3f891b428c6f7765db8f55 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 23 Mar 2026 13:12:44 -0700
+Subject: [PATCH] [release-branch.go1.25] archive/tar: limit the number of
+ old GNU sparse format entries
+
+We did not set a limit on the maximum size of sparse maps in
+the old GNU sparse format. Set a limit based on the cumulative
+size of the extension blocks used to encode the map (consistent
+with how we limit the sparse map size for other formats).
+
+Add an additional limit to the total number of sparse file entries,
+regardless of encoding, to all sparse formats.
+
+Thanks to Colin Walters (walters@verbum.org),
+Uuganbayar Lkhamsuren (https://github.com/uug4na),
+and Jakub Ciolek for reporting this issue.
+
+Fixes #78301
+Fixes CVE-2026-32288
+
+CVE: CVE-2026-32288
+Upstream-Status: Backport [https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e]
+
+Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4003
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/763554
+TryBot-Bypass: Gopher Robot <gobot@golang.org>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Junyang Shao <shaojunyang@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+(cherry picked from commit 82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ src/archive/tar/format.go | 6 ++++++
+ src/archive/tar/reader.go | 28 ++++++++++++++++++++++++----
+ src/archive/tar/reader_test.go | 11 +++++++++++
+ 3 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go
+index 9954b4d9f55..32e58a9d9b4 100644
+--- a/src/archive/tar/format.go
++++ b/src/archive/tar/format.go
+@@ -147,6 +147,12 @@ const (
+ // Max length of a special file (PAX header, GNU long name or link).
+ // This matches the limit used by libarchive.
+ maxSpecialFileSize = 1 << 20
++
++ // Maximum number of sparse file entries.
++ // We should never actually hit this limit
++ // (every sparse encoding will first be limited by maxSpecialFileSize),
++ // but this adds an additional layer of defense.
++ maxSparseFileEntries = 1 << 20
+ )
+
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 71d0b20b76d..3bb8d62106c 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -490,7 +490,8 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ }
+ s := blk.toGNU().sparse()
+ spd := make(sparseDatas, 0, s.maxEntries())
+- for {
++ totalSize := len(s)
++ for totalSize < maxSpecialFileSize {
+ for i := 0; i < s.maxEntries(); i++ {
+ // This termination condition is identical to GNU and BSD tar.
+ if s.entry(i).offset()[0] == 0x00 {
+@@ -501,7 +502,11 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ if p.err != nil {
+ return nil, p.err
+ }
+- spd = append(spd, sparseEntry{Offset: offset, Length: length})
++ var err error
++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++ if err != nil {
++ return nil, err
++ }
+ }
+
+ if s.isExtended()[0] > 0 {
+@@ -510,10 +515,12 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err
+ return nil, err
+ }
+ s = blk.toSparse()
++ totalSize += len(s)
+ continue
+ }
+ return spd, nil // Done
+ }
++ return nil, errSparseTooLong
+ }
+
+ // readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format
+@@ -586,7 +593,10 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
+ if err1 != nil || err2 != nil {
+ return nil, ErrHeader
+ }
+- spd = append(spd, sparseEntry{Offset: offset, Length: length})
++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++ if err != nil {
++ return nil, err
++ }
+ }
+ return spd, nil
+ }
+@@ -620,12 +630,22 @@ func readGNUSparseMap0x1(paxHdrs map[string]string) (sparseDatas, error) {
+ if err1 != nil || err2 != nil {
+ return nil, ErrHeader
+ }
+- spd = append(spd, sparseEntry{Offset: offset, Length: length})
++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length})
++ if err != nil {
++ return nil, err
++ }
+ sparseMap = sparseMap[2:]
+ }
+ return spd, nil
+ }
+
++func appendSparseEntry(spd sparseDatas, ent sparseEntry) (sparseDatas, error) {
++ if len(spd) >= maxSparseFileEntries {
++ return nil, errSparseTooLong
++ }
++ return append(spd, ent), nil
++}
++
+ // Read reads from the current file in the tar archive.
+ // It returns (0, io.EOF) when it reaches the end of that file,
+ // until [Next] is called to advance to the next file.
+diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
+index 7e0462c3f88..4a527766ba8 100644
+--- a/src/archive/tar/reader_test.go
++++ b/src/archive/tar/reader_test.go
+@@ -1126,6 +1126,17 @@ func TestReadOldGNUSparseMap(t *testing.T) {
+ input: makeInput(FormatGNU, "",
+ makeSparseStrings(sparseDatas{{10 << 30, 512}, {20 << 30, 512}})...),
+ wantMap: sparseDatas{{10 << 30, 512}, {20 << 30, 512}},
++ }, {
++ input: makeInput(FormatGNU, "",
++ makeSparseStrings(func() sparseDatas {
++ var datas sparseDatas
++ // This is more than enough entries to exceed our limit.
++ for i := range int64(1 << 20) {
++ datas = append(datas, sparseEntry{i * 2, (i * 2) + 1})
++ }
++ return datas
++ }())...),
++ wantErr: errSparseTooLong,
+ }}
+
+ for i, v := range vectors {
+--
+2.35.6
+
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 07/26] binutils: Fix CVE-2025-69644
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 06/26] go: fix CVE-2026-32288 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 08/26] python3: Fix CVE-2026-3644 and CVE-2026-0672 Yoann Congal
` (18 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Deepak Rathore <deeratho@cisco.com>
This patch updates the existing CVE-2025-69647 backport metadata for
CVE-2025-69644. NVD records for CVE-2025-69644 and CVE-2025-69647
reference the same upstream binutils fix commit [1], and the public
CVE advisories are referenced in [2] and [3].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +-
...VE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} (96%)
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 1a865c45f4f..7e83f72632f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -72,7 +72,7 @@ SRC_URI = "\
file://0028-CVE-2025-11494.patch \
file://0029-CVE-2025-11839.patch \
file://0030-CVE-2025-11840.patch \
- file://CVE-2025-69647.patch \
+ file://CVE-2025-69644-CVE-2025-69647.patch \
file://CVE-2025-69648.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch
similarity index 96%
rename from meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
rename to meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch
index 8e3c1c79e7d..c6b3cefed2b 100644
--- a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch
@@ -12,11 +12,12 @@ length too.
length too small to read header. Limit length to section
size. Limit offset count similarly.
-CVE: CVE-2025-69647
+CVE: CVE-2025-69644 CVE-2025-69647
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7]
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
---
binutils/dwarf.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 08/26] python3: Fix CVE-2026-3644 and CVE-2026-0672
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 07/26] binutils: Fix CVE-2025-69644 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 09/26] python3: Fix CVE-2026-4519 and CVE-2026-4786 Yoann Congal
` (17 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.
CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().
[1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644
References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3/CVE-2026-3644_CVE-2026-0672.patch | 154 ++++++++++++++++++
.../python/python3_3.12.13.bb | 1 +
2 files changed, 155 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch
new file mode 100644
index 00000000000..42d8133a183
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch
@@ -0,0 +1,154 @@
+From 6e291d2eba0b6820bc924e68f1db750328bf6c75 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 16 Mar 2026 15:05:13 +0100
+Subject: [PATCH] [3.13] gh-145599, CVE 2026-3644: Reject control
+ characters in `http.cookies.Morsel.update()` (GH-145600) (#146024)
+
+gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600)
+
+Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.
+
+CVE: CVE-2026-3644 CVE-2026-0672
+Upstream-Status: Backport [https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted
+ Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
+
+(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)
+
+Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
+Co-authored-by: Victor Stinner <vstinner@python.org>
+Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
+(cherry picked from commit d16ecc6c3626f0e2cc8f08c309c83934e8a979dd)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/http/cookies.py | 24 ++++++++++++++++++----
+ Lib/test/test_http_cookies.py | 38 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 58 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index d0a69cbe191..63d119ad46c 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -335,9 +335,16 @@ class Morsel(dict):
+ key = key.lower()
+ if key not in self._reserved:
+ raise CookieError("Invalid attribute %r" % (key,))
++ if _has_control_character(key, val):
++ raise CookieError("Control characters are not allowed in "
++ f"cookies {key!r} {val!r}")
+ data[key] = val
+ dict.update(self, data)
+
++ def __ior__(self, values):
++ self.update(values)
++ return self
++
+ def isReservedKey(self, K):
+ return K.lower() in self._reserved
+
+@@ -363,9 +370,15 @@ class Morsel(dict):
+ }
+
+ def __setstate__(self, state):
+- self._key = state['key']
+- self._value = state['value']
+- self._coded_value = state['coded_value']
++ key = state['key']
++ value = state['value']
++ coded_value = state['coded_value']
++ if _has_control_character(key, value, coded_value):
++ raise CookieError("Control characters are not allowed in cookies "
++ f"{key!r} {value!r} {coded_value!r}")
++ self._key = key
++ self._value = value
++ self._coded_value = coded_value
+
+ def output(self, attrs=None, header="Set-Cookie:"):
+ return "%s %s" % (header, self.OutputString(attrs))
+@@ -377,13 +390,16 @@ class Morsel(dict):
+
+ def js_output(self, attrs=None):
+ # Print javascript
++ output_string = self.OutputString(attrs)
++ if _has_control_character(output_string):
++ raise CookieError("Control characters are not allowed in cookies")
+ return """
+ <script type="text/javascript">
+ <!-- begin hiding
+ document.cookie = \"%s\";
+ // end hiding -->
+ </script>
+- """ % (self.OutputString(attrs).replace('"', r'\"'))
++ """ % (output_string.replace('"', r'\"'))
+
+ def OutputString(self, attrs=None):
+ # Build up our result
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index f196bcc48e3..2478a6c630f 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -573,6 +573,14 @@ class MorselTests(unittest.TestCase):
+ with self.assertRaises(cookies.CookieError):
+ morsel["path"] = c0
+
++ # .__setstate__()
++ with self.assertRaises(cookies.CookieError):
++ morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'})
++ with self.assertRaises(cookies.CookieError):
++ morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'})
++ with self.assertRaises(cookies.CookieError):
++ morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0})
++
+ # .setdefault()
+ with self.assertRaises(cookies.CookieError):
+ morsel.setdefault("path", c0)
+@@ -587,6 +595,18 @@ class MorselTests(unittest.TestCase):
+ with self.assertRaises(cookies.CookieError):
+ morsel.set("path", "val", c0)
+
++ # .update()
++ with self.assertRaises(cookies.CookieError):
++ morsel.update({"path": c0})
++ with self.assertRaises(cookies.CookieError):
++ morsel.update({c0: "val"})
++
++ # .__ior__()
++ with self.assertRaises(cookies.CookieError):
++ morsel |= {"path": c0}
++ with self.assertRaises(cookies.CookieError):
++ morsel |= {c0: "val"}
++
+ def test_control_characters_output(self):
+ # Tests that even if the internals of Morsel are modified
+ # that a call to .output() has control character safeguards.
+@@ -607,6 +627,24 @@ class MorselTests(unittest.TestCase):
+ with self.assertRaises(cookies.CookieError):
+ cookie.output()
+
++ # Tests that .js_output() also has control character safeguards.
++ for c0 in support.control_characters_c0():
++ morsel = cookies.Morsel()
++ morsel.set("key", "value", "coded-value")
++ morsel._key = c0 # Override private variable.
++ cookie = cookies.SimpleCookie()
++ cookie["cookie"] = morsel
++ with self.assertRaises(cookies.CookieError):
++ cookie.js_output()
++
++ morsel = cookies.Morsel()
++ morsel.set("key", "value", "coded-value")
++ morsel._coded_value = c0 # Override private variable.
++ cookie = cookies.SimpleCookie()
++ cookie["cookie"] = morsel
++ with self.assertRaises(cookies.CookieError):
++ cookie.js_output()
++
+
+ def load_tests(loader, tests, pattern):
+ tests.addTest(doctest.DocTestSuite(cookies))
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index 4865178572c..c59d9fba80d 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_readline-skip-limited-history-test.patch \
file://CVE-2026-1502.patch \
file://CVE-2026-6100.patch \
+ file://CVE-2026-3644_CVE-2026-0672.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 09/26] python3: Fix CVE-2026-4519 and CVE-2026-4786
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 08/26] python3: Fix CVE-2026-3644 and CVE-2026-0672 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 10/26] python3: Fix CVE-2026-6019 Yoann Congal
` (16 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].
CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.
[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3/CVE-2026-4519_CVE-2026-4786.patch | 66 ++++++++
.../python/python3/CVE-2026-4519_p1.patch | 107 ++++++++++++
.../python/python3/CVE-2026-4519_p2.patch | 159 ++++++++++++++++++
.../python/python3_3.12.13.bb | 3 +
4 files changed, 335 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch
new file mode 100644
index 00000000000..6a4714f25ae
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch
@@ -0,0 +1,66 @@
+From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 22:41:51 +0100
+Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution
+ bypass of dash-prefix check (GH-148170) (#148520)
+
+CVE: CVE-2026-4519 CVE-2026-4786
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted.
+ Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+
+(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff)
+(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/test/test_webbrowser.py | 8 ++++++++
+ Lib/webbrowser.py | 5 +++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index c9bf525360d..1d21f133725 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
+ options=[],
+ arguments=[URL])
+
++ def test_reject_action_dash_prefixes(self):
++ browser = self.browser_class(name=CMD_NAME)
++ with self.assertRaises(ValueError):
++ browser.open('%action--incognito')
++ # new=1: action is "--new-window", so "%action" itself expands to
++ # a dash-prefixed flag even with no dash in the original URL.
++ with self.assertRaises(ValueError):
++ browser.open('%action', new=1)
+
+ class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
+
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 000e89275b7..97c4eec9080 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser):
+
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
+- self._check_url(url)
+ if new == 0:
+ action = self.remote_action
+ elif new == 1:
+@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser):
+ raise Error("Bad 'new' parameter to open(); " +
+ "expected 0, 1, or 2, got %s" % new)
+
+- args = [arg.replace("%s", url).replace("%action", action)
++ self._check_url(url.replace("%action", action))
++
++ args = [arg.replace("%action", action).replace("%s", url)
+ for arg in self.remote_args]
+ args = [arg for arg in args if arg]
+ success = self._invoke(args, True, autoraise, url)
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch
new file mode 100644
index 00000000000..1514d2c5414
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch
@@ -0,0 +1,107 @@
+From 7df48dd3c6330611a04d85a5159c0ea424dc1e62 Mon Sep 17 00:00:00 2001
+From: Pinky <pinky00ch@gmail.com>
+Date: Wed, 25 Mar 2026 01:02:37 +0530
+Subject: [PATCH] [3.12] gh-143930: Reject leading dashes in webbrowser
+ URLs (GH-146360)
+
+CVE: CVE-2026-4519
+Upstream-Status: Backport [https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted
+ Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+(cherry picked from commit cbba6119391112aba9c5aebf7b94aea447922c48)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/test/test_webbrowser.py | 5 +++++
+ Lib/webbrowser.py | 12 ++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 2d695bc8831..60f094fd6a1 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ options=[],
+ arguments=[URL])
+
++ def test_reject_dash_prefixes(self):
++ browser = self.browser_class(name=CMD_NAME)
++ with self.assertRaises(ValueError):
++ browser.open(f"--key=val {URL}")
++
+
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 13b9e85f9e1..0bdb644d7db 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -158,6 +158,12 @@ class BaseBrowser(object):
+ def open_new_tab(self, url):
+ return self.open(url, 2)
+
++ @staticmethod
++ def _check_url(url):
++ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++ if url and url.lstrip().startswith("-"):
++ raise ValueError(f"Invalid URL: {url}")
++
+
+ class GenericBrowser(BaseBrowser):
+ """Class for all browsers started with a command
+@@ -175,6 +181,7 @@ class GenericBrowser(BaseBrowser):
+
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ cmdline = [self.name] + [arg.replace("%s", url)
+ for arg in self.args]
+ try:
+@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser):
+ cmdline = [self.name] + [arg.replace("%s", url)
+ for arg in self.args]
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ try:
+ if sys.platform[:3] == 'win':
+ p = subprocess.Popen(cmdline)
+@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser):
+
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ if new == 0:
+ action = self.remote_action
+ elif new == 1:
+@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
+
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ # XXX Currently I know no way to prevent KFM from opening a new win.
+ if new == 2:
+ action = "newTab"
+@@ -554,6 +564,7 @@ if sys.platform[:3] == "win":
+ class WindowsDefault(BaseBrowser):
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ try:
+ os.startfile(url)
+ except OSError:
+@@ -638,6 +649,7 @@ if sys.platform == 'darwin':
+
+ def open(self, url, new=0, autoraise=True):
+ sys.audit("webbrowser.open", url)
++ self._check_url(url)
+ if self.name == 'default':
+ script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+ else:
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch
new file mode 100644
index 00000000000..7ee145e5e80
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch
@@ -0,0 +1,159 @@
+From 3ca64ff1722d2410a4e50e760de70f6279fa99fa Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sat, 4 Apr 2026 00:53:49 +0200
+Subject: [PATCH] [3.11] gh-143930: Tweak the exception message and
+ increase test coverage (GH-146476) (GH-148045) (GH-148051) (GH-148052)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE: CVE-2026-4519
+Upstream-Status: Backport [https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted.
+ Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+- The file introduced in v3.12 by this commit;
+ https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
+
+(cherry picked from commit cc023511238ad93ecc8796157c6f9139a2bb2932)
+(cherry picked from commit 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4)
+(cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd)
+
+Co-authored-by: Łukasz Langa <lukasz@langa.pl>
+(cherry picked from commit 96fc5048605863c7b6fd6289643feb0e97edd96c)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/test/test_webbrowser.py | 81 ++++++++++++++++++++++++++++++++++---
+ Lib/webbrowser.py | 2 +-
+ 2 files changed, 76 insertions(+), 7 deletions(-)
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 60f094fd6a1..c9bf525360d 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -1,6 +1,7 @@
++import io
++import os
+ import webbrowser
+ import unittest
+-import os
+ import sys
+ import subprocess
+ from unittest import mock
+@@ -49,6 +50,14 @@ class CommandTestMixin:
+ popen_args.pop(popen_args.index(option))
+ self.assertEqual(popen_args, arguments)
+
++ def test_reject_dash_prefixes(self):
++ browser = self.browser_class(name=CMD_NAME)
++ with self.assertRaisesRegex(
++ ValueError,
++ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
++ ):
++ browser.open(f"--key=val {URL}")
++
+
+ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+
+@@ -59,11 +68,6 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ options=[],
+ arguments=[URL])
+
+- def test_reject_dash_prefixes(self):
+- browser = self.browser_class(name=CMD_NAME)
+- with self.assertRaises(ValueError):
+- browser.open(f"--key=val {URL}")
+-
+
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+
+@@ -224,6 +228,71 @@ class ELinksCommandTest(CommandTestMixin, unittest.TestCase):
+ arguments=['openURL({},new-tab)'.format(URL)])
+
+
++class MockPopenPipe:
++ def __init__(self, cmd, mode):
++ self.cmd = cmd
++ self.mode = mode
++ self.pipe = io.StringIO()
++ self._closed = False
++
++ def write(self, buf):
++ self.pipe.write(buf)
++
++ def close(self):
++ self._closed = True
++ return None
++
++
++@unittest.skipUnless(sys.platform == "darwin", "macOS specific test")
++class MacOSXOSAScriptTest(unittest.TestCase):
++ def setUp(self):
++ # Ensure that 'BROWSER' is not set to 'open' or something else.
++ # See: https://github.com/python/cpython/issues/131254.
++ env = self.enterContext(os_helper.EnvironmentVarGuard())
++ env.unset("BROWSER")
++
++ support.patch(self, os, "popen", self.mock_popen)
++ self.browser = webbrowser.MacOSXOSAScript("default")
++
++ def mock_popen(self, cmd, mode):
++ self.popen_pipe = MockPopenPipe(cmd, mode)
++ return self.popen_pipe
++
++ def test_default(self):
++ browser = webbrowser.get()
++ assert isinstance(browser, webbrowser.MacOSXOSAScript)
++ self.assertEqual(browser.name, "default")
++
++ def test_default_open(self):
++ url = "https://python.org"
++ self.browser.open(url)
++ self.assertTrue(self.popen_pipe._closed)
++ self.assertEqual(self.popen_pipe.cmd, "osascript")
++ script = self.popen_pipe.pipe.getvalue()
++ self.assertEqual(script.strip(), f'open location "{url}"')
++
++ def test_url_quote(self):
++ self.browser.open('https://python.org/"quote"')
++ script = self.popen_pipe.pipe.getvalue()
++ self.assertEqual(
++ script.strip(), 'open location "https://python.org/%22quote%22"'
++ )
++
++ def test_explicit_browser(self):
++ browser = webbrowser.MacOSXOSAScript("safari")
++ browser.open("https://python.org")
++ script = self.popen_pipe.pipe.getvalue()
++ self.assertIn('tell application "safari"', script)
++ self.assertIn('open location "https://python.org"', script)
++
++ def test_reject_dash_prefixes(self):
++ with self.assertRaisesRegex(
++ ValueError,
++ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
++ ):
++ self.browser.open(f"--key=val {URL}")
++
++
+ class BrowserRegistrationTest(unittest.TestCase):
+
+ def setUp(self):
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 0bdb644d7db..000e89275b7 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -162,7 +162,7 @@ class BaseBrowser(object):
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+- raise ValueError(f"Invalid URL: {url}")
++ raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}")
+
+
+ class GenericBrowser(BaseBrowser):
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index c59d9fba80d..ec9ea94824e 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -37,6 +37,9 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-1502.patch \
file://CVE-2026-6100.patch \
file://CVE-2026-3644_CVE-2026-0672.patch \
+ file://CVE-2026-4519_p1.patch \
+ file://CVE-2026-4519_p2.patch \
+ file://CVE-2026-4519_CVE-2026-4786.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 10/26] python3: Fix CVE-2026-6019
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 09/26] python3: Fix CVE-2026-4519 and CVE-2026-4786 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 11/26] python3: Fix CVE-2025-13462 Yoann Congal
` (15 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.
[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2026-6019_p1.patch | 133 ++++++++++++++++++
.../python/python3/CVE-2026-6019_p2.patch | 129 +++++++++++++++++
.../python/python3_3.12.13.bb | 2 +
3 files changed, 264 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch
new file mode 100644
index 00000000000..78b01574c91
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch
@@ -0,0 +1,133 @@
+From be751c3f3a11d40c2133bee5fb6ab6931df31936 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Thu, 23 Apr 2026 15:05:17 +0200
+Subject: [PATCH] [3.13] gh-90309: Base64-encode cookie values embedded in
+ JS (GH-148888)
+
+CVE: CVE-2026-6019
+Upstream-Status: Backport [https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted.
+ Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst
+
+(cherry picked from commit 76b3923d688c0efc580658476c5f525ec8735104)
+
+Co-authored-by: Seth Larson <seth@python.org>
+(cherry picked from commit 3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/http/cookies.py | 8 ++++++--
+ Lib/test/test_http_cookies.py | 29 ++++++++++++++++++-----------
+ 2 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 63d119ad46c..aebc2a163e4 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -389,17 +389,21 @@ class Morsel(dict):
+ return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
+
+ def js_output(self, attrs=None):
++ import base64
+ # Print javascript
+ output_string = self.OutputString(attrs)
+ if _has_control_character(output_string):
+ raise CookieError("Control characters are not allowed in cookies")
++ # Base64-encode value to avoid template
++ # injection in cookie values.
++ output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
+ return """
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = \"%s\";
++ document.cookie = atob(\"%s\");
+ // end hiding -->
+ </script>
+- """ % (output_string.replace('"', r'\"'))
++ """ % (output_encoded,)
+
+ def OutputString(self, attrs=None):
+ # Build up our result
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 2478a6c630f..6aa5df068f9 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -1,5 +1,5 @@
+ # Simple test suite for http/cookies.py
+-
++import base64
+ import copy
+ import unittest
+ import doctest
+@@ -152,17 +152,19 @@ class CookieTests(unittest.TestCase):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- self.assertEqual(C.js_output(), r"""
++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii')
++ self.assertEqual(C.js_output(), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1";
++ document.cookie = atob("{cookie_encoded}");
+ // end hiding -->
+ </script>
+ """)
+- self.assertEqual(C.js_output(['path']), r"""
++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii')
++ self.assertEqual(C.js_output(['path']), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme";
++ document.cookie = atob("{cookie_encoded}");
+ // end hiding -->
+ </script>
+ """)
+@@ -259,17 +261,19 @@ class CookieTests(unittest.TestCase):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- self.assertEqual(C.js_output(), r"""
++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii')
++ self.assertEqual(C.js_output(), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1";
++ document.cookie = atob("{expected_encoded_cookie}");
+ // end hiding -->
+ </script>
+ """)
+- self.assertEqual(C.js_output(['path']), r"""
++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
++ self.assertEqual(C.js_output(['path']), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = "Customer=\"WILE_E_COYOTE\"; Path=/acme";
++ document.cookie = atob("{expected_encoded_cookie}");
+ // end hiding -->
+ </script>
+ """)
+@@ -360,13 +364,16 @@ class MorselTests(unittest.TestCase):
+ self.assertEqual(
+ M.output(),
+ "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
++ expected_encoded_cookie = base64.b64encode(
++ ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
++ ).decode('ascii')
+ expected_js_output = """
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = "%s=%s; Path=/foo";
++ document.cookie = atob("%s");
+ // end hiding -->
+ </script>
+- """ % (i, "%s_coded_val" % i)
++ """ % (expected_encoded_cookie,)
+ self.assertEqual(M.js_output(), expected_js_output)
+ for i in ["foo bar", "foo@bar"]:
+ # Try some illegal characters
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch
new file mode 100644
index 00000000000..0646bd2133f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch
@@ -0,0 +1,129 @@
+From de449bbc6ff4ce869c17fb551dacc69de25d73a9 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 8 Jun 2026 20:15:21 +0100
+Subject: [PATCH] [3.13] gh-149144: Use `decodeURIComponent()` for UTF-8
+ support in `js_output()` (GH-149157) (#150949)
+
+CVE: CVE-2026-6019
+Upstream-Status: Backport [https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802]
+
+Co-authored-by: Seth Larson <seth@python.org>
+(cherry picked from commit e7d4c3ff421916986223690a8425d2383f6f3802)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/http/cookies.py | 6 +++---
+ Lib/test/test_http_cookies.py | 27 ++++++++++++++-------------
+ 2 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index aebc2a163e4..2cffa2a9ad6 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -389,18 +389,18 @@ class Morsel(dict):
+ return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
+
+ def js_output(self, attrs=None):
+- import base64
++ import urllib.parse
+ # Print javascript
+ output_string = self.OutputString(attrs)
+ if _has_control_character(output_string):
+ raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+- output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
++ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8')
+ return """
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob(\"%s\");
++ document.cookie = decodeURIComponent(\"%s\");
+ // end hiding -->
+ </script>
+ """ % (output_encoded,)
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 6aa5df068f9..b9cc59cd1db 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -1,10 +1,10 @@
+ # Simple test suite for http/cookies.py
+-import base64
+ import copy
+ import unittest
+ import doctest
+ from http import cookies
+ import pickle
++import urllib.parse
+ from test import support
+
+
+@@ -152,19 +152,19 @@ class CookieTests(unittest.TestCase):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii')
++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob("{cookie_encoded}");
++ document.cookie = decodeURIComponent("{cookie_encoded}");
+ // end hiding -->
+ </script>
+ """)
+- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii')
++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(['path']), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob("{cookie_encoded}");
++ document.cookie = decodeURIComponent("{cookie_encoded}");
+ // end hiding -->
+ </script>
+ """)
+@@ -261,19 +261,19 @@ class CookieTests(unittest.TestCase):
+
+ self.assertEqual(C.output(['path']),
+ 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme')
+- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob("{expected_encoded_cookie}");
++ document.cookie = decodeURIComponent("{expected_encoded_cookie}");
+ // end hiding -->
+ </script>
+ """)
+- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8')
+ self.assertEqual(C.js_output(['path']), fr"""
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob("{expected_encoded_cookie}");
++ document.cookie = decodeURIComponent("{expected_encoded_cookie}");
+ // end hiding -->
+ </script>
+ """)
+@@ -364,13 +364,14 @@ class MorselTests(unittest.TestCase):
+ self.assertEqual(
+ M.output(),
+ "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i))
+- expected_encoded_cookie = base64.b64encode(
+- ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii")
+- ).decode('ascii')
++ expected_encoded_cookie = urllib.parse.quote(
++ "%s=%s; Path=/foo" % (i, "%s_coded_val" % i),
++ safe='', encoding='utf-8',
++ )
+ expected_js_output = """
+ <script type="text/javascript">
+ <!-- begin hiding
+- document.cookie = atob("%s");
++ document.cookie = decodeURIComponent("%s");
+ // end hiding -->
+ </script>
+ """ % (expected_encoded_cookie,)
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index ec9ea94824e..be080c6a362 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -40,6 +40,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-4519_p1.patch \
file://CVE-2026-4519_p2.patch \
file://CVE-2026-4519_CVE-2026-4786.patch \
+ file://CVE-2026-6019_p1.patch \
+ file://CVE-2026-6019_p2.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 11/26] python3: Fix CVE-2025-13462
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (9 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 10/26] python3: Fix CVE-2026-6019 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 12/26] qemu: Fix CVE-2024-6519 Yoann Congal
` (14 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].
[1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
[2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2025-13462.patch | 142 ++++++++++++++++++
.../python/python3_3.12.13.bb | 1 +
2 files changed, 143 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13462.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13462.patch b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch
new file mode 100644
index 00000000000..36d492338ba
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch
@@ -0,0 +1,142 @@
+From 14d7d2e8f51a17c23c98f13f33743253a0b7a18a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 18 May 2026 19:43:51 +0200
+Subject: [PATCH] [3.12] gh-141707: Skip TarInfo DIRTYPE normalization during
+ GNU long name handling (#145817)
+
+gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling
+
+CVE: CVE-2025-13462
+Upstream-Status: Backport [https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084]
+
+Backport Changes:
+- This file is not present in the current version and is therefore omitted
+ Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst
+
+(cherry picked from commit 42d754e34c06e57ad6b8e7f92f32af679912d8ab)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Eashwar Ranganathan <eashwar@eashwar.com>
+(cherry picked from commit d10950739a78f54d0718d88fb5a868374603c084)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ Lib/tarfile.py | 29 +++++++++++++++++++++++++----
+ Lib/test/test_tarfile.py | 19 +++++++++++++++++++
+ Misc/ACKS | 1 +
+ 3 files changed, 45 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 99451aa765..70fdbe85b0 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1246,6 +1246,20 @@ class TarInfo(object):
+ @classmethod
+ def frombuf(cls, buf, encoding, errors):
+ """Construct a TarInfo object from a 512 byte bytes object.
++
++ To support the old v7 tar format AREGTYPE headers are
++ transformed to DIRTYPE headers if their name ends in '/'.
++ """
++ return cls._frombuf(buf, encoding, errors)
++
++ @classmethod
++ def _frombuf(cls, buf, encoding, errors, *, dircheck=True):
++ """Construct a TarInfo object from a 512 byte bytes object.
++
++ If ``dircheck`` is set to ``True`` then ``AREGTYPE`` headers will
++ be normalized to ``DIRTYPE`` if the name ends in a trailing slash.
++ ``dircheck`` must be set to ``False`` if this function is called
++ on a follow-up header such as ``GNUTYPE_LONGNAME``.
+ """
+ if len(buf) == 0:
+ raise EmptyHeaderError("empty header")
+@@ -1276,7 +1290,7 @@ class TarInfo(object):
+
+ # Old V7 tar format represents a directory as a regular
+ # file with a trailing slash.
+- if obj.type == AREGTYPE and obj.name.endswith("/"):
++ if dircheck and obj.type == AREGTYPE and obj.name.endswith("/"):
+ obj.type = DIRTYPE
+
+ # The old GNU sparse format occupies some of the unused
+@@ -1311,8 +1325,15 @@ class TarInfo(object):
+ """Return the next TarInfo object from TarFile object
+ tarfile.
+ """
++ return cls._fromtarfile(tarfile)
++
++ @classmethod
++ def _fromtarfile(cls, tarfile, *, dircheck=True):
++ """
++ See dircheck documentation in _frombuf().
++ """
+ buf = tarfile.fileobj.read(BLOCKSIZE)
+- obj = cls.frombuf(buf, tarfile.encoding, tarfile.errors)
++ obj = cls._frombuf(buf, tarfile.encoding, tarfile.errors, dircheck=dircheck)
+ obj.offset = tarfile.fileobj.tell() - BLOCKSIZE
+ return obj._proc_member(tarfile)
+
+@@ -1370,7 +1391,7 @@ class TarInfo(object):
+
+ # Fetch the next header and process it.
+ try:
+- next = self.fromtarfile(tarfile)
++ next = self._fromtarfile(tarfile, dircheck=False)
+ except HeaderError as e:
+ raise SubsequentHeaderError(str(e)) from None
+
+@@ -1505,7 +1526,7 @@ class TarInfo(object):
+
+ # Fetch the next header.
+ try:
+- next = self.fromtarfile(tarfile)
++ next = self._fromtarfile(tarfile, dircheck=False)
+ except HeaderError as e:
+ raise SubsequentHeaderError(str(e)) from None
+
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 759fa03ead..82637841ed 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -1134,6 +1134,25 @@ class LongnameTest:
+ self.assertIsNotNone(tar.getmember(longdir))
+ self.assertIsNotNone(tar.getmember(longdir.removesuffix('/')))
+
++ def test_longname_file_not_directory(self):
++ # Test reading a longname file and ensure it is not handled as a directory
++ # Issue #141707
++ buf = io.BytesIO()
++ with tarfile.open(mode='w', fileobj=buf, format=self.format) as tar:
++ ti = tarfile.TarInfo()
++ ti.type = tarfile.AREGTYPE
++ ti.name = ('a' * 99) + '/' + ('b' * 3)
++ tar.addfile(ti)
++
++ expected = {t.name: t.type for t in tar.getmembers()}
++
++ buf.seek(0)
++ with tarfile.open(mode='r', fileobj=buf) as tar:
++ actual = {t.name: t.type for t in tar.getmembers()}
++
++ self.assertEqual(expected, actual)
++
++
+ class GNUReadTest(LongnameTest, ReadTest, unittest.TestCase):
+
+ subdir = "gnu"
+diff --git a/Misc/ACKS b/Misc/ACKS
+index a6e63a991f..30d5f99ebb 100644
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -1492,6 +1492,7 @@ Dhushyanth Ramasamy
+ Ashwin Ramaswami
+ Jeff Ramnani
+ Bayard Randel
++Eashwar Ranganathan
+ Varpu Rantala
+ Brodie Rao
+ Rémi Rampin
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index be080c6a362..3e28a3942bd 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-4519_CVE-2026-4786.patch \
file://CVE-2026-6019_p1.patch \
file://CVE-2026-6019_p2.patch \
+ file://CVE-2025-13462.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 12/26] qemu: Fix CVE-2024-6519
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (10 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 11/26] python3: Fix CVE-2025-13462 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 13/26] dpkg: Fix CVE-2026-2219 Yoann Congal
` (13 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Deepak Rathore <deeratho@cisco.com>
This patch applies the upstream v11.0.0-rc2 backport for
CVE-2024-6519. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2]. The individual
backported commit link is recorded in the embedded patch header.
[1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9
[2] https://security-tracker.debian.org/tracker/CVE-2024-6519
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2024-6519.patch | 51 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index b688c2bd125..ff8877e54b7 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0002-python-backport-avoid-creating-additional-event-loop.patch \
file://CVE-2025-11234-01.patch \
file://CVE-2025-11234-02.patch \
+ file://CVE-2024-6519.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch
new file mode 100644
index 00000000000..431afbbc60a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch
@@ -0,0 +1,51 @@
+From 86bc714d9d02a23ea6be878febdc327bbfc9ff50 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 27 Mar 2026 17:37:31 +0100
+Subject: [PATCH] lsi53c895a: keep a reference to the device while SCRIPTS
+ execute
+
+SCRIPTS execution can trigger PCI device unplug and consequently
+a use-after-free after the unplug returns. Avoid this by keeping
+the device alive.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090
+
+CVE: CVE-2024-6519
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9]
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 4d0c5fcd9b7..37dd38d7a87 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1158,6 +1158,7 @@ static void lsi_execute_script(LSIState *s)
+ s->waiting = LSI_NOWAIT;
+ }
+
++ object_ref(s);
+ reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+@@ -1177,6 +1178,7 @@ again:
+ s->waiting = LSI_WAIT_SCRIPTS;
+ lsi_scripts_timer_start(s);
+ reentrancy_level--;
++ object_unref(s);
+ return;
+ }
+ insn = read_dword(s, s->dsp);
+@@ -1625,6 +1627,7 @@ again:
+ trace_lsi_execute_script_stop();
+
+ reentrancy_level--;
++ object_unref(s);
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 13/26] dpkg: Fix CVE-2026-2219
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (11 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 12/26] qemu: Fix CVE-2024-6519 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 14/26] libsolv: fix CVE-2026-9150 Yoann Congal
` (12 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Shubham Pushpkar <spushpka@cisco.com>
This patch applies the upstream fix as referenced in [2], using the
commit shown in [1].
[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../dpkg/dpkg/CVE-2026-2219.patch | 47 +++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.22.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch
diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch
new file mode 100644
index 00000000000..779ab924de6
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch
@@ -0,0 +1,47 @@
+From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@debian.org>
+Date: Sat, 7 Feb 2026 00:57:55 +0100
+Subject: [PATCH] libdpkg: Terminate zstd decompression when we have no more
+ data
+
+We should be checking whether the input buffer is zero-sized, and then
+mark the stream as finished. Otherwise the zstd implementation does not
+detect that as an end of stream situation and we get stuck in an
+infinite loop spinning the CPU. This means the decompression process
+in dpkg-deb does not terminate, so no EPIPE gets generated and the
+other processes that are part of the unpacking do not stop either.
+
+Reported-by: Yashashree Gund <yash_gund@live.com>
+Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a
+Fixes: CVE-2026-2219
+Closes: #1129722
+Stable-Candidate: 1.21.x 1.22.x
+
+CVE: CVE-2026-2219
+Upstream-Status: Backport [https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313]
+
+(cherry picked from commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313)
+Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
+---
+ lib/dpkg/compress.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c
+index adf26ea7..bf73affe 100644
+--- a/lib/dpkg/compress.c
++++ b/lib/dpkg/compress.c
+@@ -1070,6 +1070,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s)
+ ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 };
+ size_t ret;
+
++ if (buf_in.size == 0) {
++ s->status = DPKG_STREAM_END;
++ return;
++ }
++
+ ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in);
+ if (ZSTD_isError(ret))
+ filter_zstd_error(io, ret);
+--
+2.35.6
+
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb
index 41f51235085..16162ca926f 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main
file://pager.patch \
file://0001-Add-support-for-riscv32-CPU.patch \
file://CVE-2025-6297.patch \
+ file://CVE-2026-2219.patch \
"
SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 14/26] libsolv: fix CVE-2026-9150
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (12 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 13/26] dpkg: Fix CVE-2026-2219 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 15/26] openssl: upgrade 3.5.6 -> 3.5.7 Yoann Congal
` (11 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Backport patch to fix CVE-2026-9150.
https://nvd.nist.gov/vuln/detail/CVE-2026-9150
Upstream fix:
https://github.com/openSUSE/libsolv/pull/616
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libsolv/libsolv/CVE-2026-9150.patch | 68 +++++++++++++++++++
.../libsolv/libsolv_0.7.28.bb | 1 +
2 files changed, 69 insertions(+)
create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch
diff --git a/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch
new file mode 100644
index 00000000000..4903edb5998
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch
@@ -0,0 +1,68 @@
+From bea261fd0924ecd5c7e5579f460133ec023c6def Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Wed, 22 Apr 2026 09:18:29 +0200
+Subject: [PATCH] Fix a buffer overflow when copying SHA-384/512 checksum from
+ a Debian repository
+
+When parsing Debian repository, control2solvable() copies a package
+checksum string from the repository into a stack-allocated "char
+checksum[32 * 2 + 1]" array.
+
+If the repository defined a SHA384 or SHA512 tag, a buffer overflow
+occured (as can be seen when compiling libsolv with CFLAGS='-O0 -g
+-fsanitize=address') because those tag values are longer:
+
+ $ cat /tmp/Packages
+ Package: p
+ Version: 1
+ Architecture: all
+ SHA512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+
+ $ /tmp/b/tools/deb2solv -r /tmp/Packages
+ =================================================================
+ ==3695==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7b685ecf0071 at pc 0x7f6861683722 b
+ p 0x7fff37e3e7a0 sp 0x7fff37e3df60
+ WRITE of size 129 at 0x7b685ecf0071 thread T0
+ #0 0x7f6861683721 in strcpy.part.0 (/lib64/libasan.so.8+0x83721) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c)
+ #1 0x7f6861d7f34d in control2solvable /home/test/libsolv/ext/repo_deb.c:491
+ #2 0x7f6861d804ea in repo_add_debpackages /home/test/libsolv/ext/repo_deb.c:622
+ #3 0x000000400fd5 in main /home/test/libsolv/tools/deb2solv.c:134
+ #4 0x7f686123c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #5 0x7f686123c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
+ #6 0x000000400694 in _start (/tmp/b/tools/deb2solv+0x400694) (BuildId: a3350337819a51edd0c75293970d3458b5033bc9)
+
+ Address 0x7b685ecf0071 is located in stack of thread T0 at offset 113 in frame
+ #0 0x7f6861d7de2a in control2solvable /home/test/libsolv/ext/repo_deb.c:365
+
+ This frame has 1 object(s):
+ [48, 113) 'checksum' (line 371) <== Memory access at offset 113 overflows this variable
+
+This patch fixes it by enlarging the buffer to accomodate the longest
+supported digest string.
+
+This flaw was introduced with c8164bfecf2ba8bcf4c24329534d3104f19da73c
+commit ("[ABI BREAKAGE] add support for SHA224/384/512").
+
+Reported by Aisle Research.
+
+CVE: CVE-2026-9150
+Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ ext/repo_deb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/repo_deb.c b/ext/repo_deb.c
+index d400f959..25eaf8cb 100644
+--- a/ext/repo_deb.c
++++ b/ext/repo_deb.c
+@@ -368,7 +368,7 @@ control2solvable(Solvable *s, Repodata *data, char *control)
+ char *p, *q, *end, *tag;
+ int x, l;
+ int havesource = 0;
+- char checksum[32 * 2 + 1];
++ char checksum[64 * 2 + 1];
+ Id checksumtype = 0;
+ Id newtype;
+
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb
index 201059323aa..63534dce260 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb
@@ -10,6 +10,7 @@ DEPENDS = "expat zlib zstd"
SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \
file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \
+ file://CVE-2026-9150.patch \
"
SRCREV = "c8dbb3a77c86600ce09d4f80a504cf4e78a3c359"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 15/26] openssl: upgrade 3.5.6 -> 3.5.7
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (13 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 14/26] libsolv: fix CVE-2026-9150 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 16/26] libinput: fix for CVE-2026-50292 Yoann Congal
` (10 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Release information [1]:
OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
* Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
* Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
* Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
* Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
* Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
* Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
* Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
* Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
* Fixed possible NULL dereference in password-dased CMS decryption. (CVE-2026-42766)
* Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
* Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
* Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
* Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
* Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)
Refreshed patches.
Installed new test files to pass ptests.
[1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-356-and-openssl-357-9-jun-2026
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 9365ac47f994a7d6be92b8c011c51ecf48e8ef87)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../openssl/0001-Configure-do-not-tweak-mips-cflags.patch | 2 +-
.../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (98%)
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index cf5ff356ee7..cd8906df675 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
index fff97bd..5ee54c1 100755
--- a/Configure
+++ b/Configure
-@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1557,16 +1557,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
push @{$config{shared_ldflag}}, "-mno-cygwin";
}
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb
index 3bf78eff5c2..0b8e8afec81 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
@@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
+SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8"
inherit lib_package multilib_header multilib_script ptest perlnative manpages
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -215,7 +215,7 @@ do_install_ptest() {
ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
cd ${S}
- find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+ find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs test/smime-eml -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 16/26] libinput: fix for CVE-2026-50292
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (14 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 15/26] openssl: upgrade 3.5.6 -> 3.5.7 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 17/26] gdb: backport a patch to fix static_assert in recent GCC Yoann Congal
` (9 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1] & [2] also mentioned at Debian report in [3].
[1] https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc
[2] https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b
[3] https://security-tracker.debian.org/tracker/CVE-2026-50292
More details :
1. https://nvd.nist.gov/vuln/detail/CVE-2026-50292
2. https://www.openwall.com/lists/oss-security/2026/06/04/5
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../wayland/libinput/CVE-2026-50292-01.patch | 109 ++++++++++++++++++
.../wayland/libinput/CVE-2026-50292-02.patch | 99 ++++++++++++++++
.../wayland/libinput_1.25.0.bb | 2 +
3 files changed, 210 insertions(+)
create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch
create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch
diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch
new file mode 100644
index 00000000000..35b2734d7a5
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch
@@ -0,0 +1,109 @@
+From fc2262e1c1847021239065e84f39f15492ef05cc Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 1 Jun 2026 10:12:29 +1000
+Subject: [PATCH] util: sanitize control characters in str_sanitize()
+
+str_sanitize() only escaped '%' characters for format string safety.
+Device names from uinput devices can contain arbitrary bytes including
+ANSI escape sequences (ESC, 0x1b) and other control characters. When
+these strings are included in log messages and printed to a terminal,
+the escape sequences are interpreted by the terminal emulator. This
+could allow an attacker to manipulate terminal output (change colors,
+set window title, clear screen) when an administrator views libinput
+logs.
+
+Replace all control characters (0x00-0x1f and 0x7f) with '?' in
+addition to the existing '%' escaping. This prevents terminal escape
+sequence injection through device names in log output.
+
+Assisted-by: Claude:claude-opus-4-6
+(cherry picked from commit 71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb)
+
+Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>
+
+CVE: CVE-2026-50292
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/util-strings.h | 30 +++++++++++++++++++++++-------
+ test/test-utils.c | 10 ++++++++++
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/src/util-strings.h b/src/util-strings.h
+index b0916815..3429ec9c 100644
+--- a/src/util-strings.h
++++ b/src/util-strings.h
+@@ -456,26 +456,42 @@ trunkname(const char *filename);
+
+ /**
+ * Return a copy of str with all % converted to %% to make the string
+- * acceptable as printf format.
++ * acceptable as printf format, and all non-NUL control characters
++ * (bytes 0x01-0x1f, 0x7f) replaced with '?' to prevent terminal
++ * escape sequence injection. NUL bytes are excluded implicitly
++ * because the string is null-terminated.
+ */
+ static inline char *
+ str_sanitize(const char *str)
+ {
+ if (!str)
+ return NULL;
++ size_t slen = strlen(str);
++ slen = min(slen, 512);
+
+- if (!strchr(str, '%'))
++ bool needs_sanitization = false;
++ for (size_t i = 0; i < slen; i++) {
++ unsigned char c = str[i];
++ if (c == '%' || c < 0x20 || c == 0x7f) {
++ needs_sanitization = true;
++ break;
++ }
++ }
++ if (!needs_sanitization)
+ return strdup(str);
+-
+- size_t slen = min(strlen(str), 512);
+ char *sanitized = zalloc(2 * slen + 1);
+ const char *src = str;
+ char *dst = sanitized;
+-
+ for (size_t i = 0; i < slen; i++) {
+- if (*src == '%')
++ unsigned char c = *src++;
++ if (c == '%') {
+ *dst++ = '%';
+- *dst++ = *src++;
++ *dst++ = '%';
++ } else if (c < 0x20 || c == 0x7f) {
++ *dst++ = '?';
++ } else {
++ *dst++ = c;
++ }
+ }
+ *dst = '\0';
+
+diff --git a/test/test-utils.c b/test/test-utils.c
+index fa307031..88aede23 100644
+--- a/test/test-utils.c
++++ b/test/test-utils.c
+@@ -1388,6 +1388,16 @@ START_TEST(strsanitize_test)
+ { "x %", "x %%" },
+ { "%sx", "%%sx" },
+ { "%s%s", "%%s%%s" },
++ { "\t", "?" },
++ { "\n", "?" },
++ { "\r", "?" },
++ { "\x1b[31m", "?[31m" },
++ { "foo\tbar", "foo?bar" },
++ { "foo\nbar", "foo?bar" },
++ { "\x01\x1f\x7f", "???" },
++ { "clean", "clean" },
++ { "a\x1b[0mb", "a?[0mb" },
++ { "%\n", "%%?" },
+ { NULL, NULL },
+ };
+
+--
+2.50.1
+
diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch
new file mode 100644
index 00000000000..f78c9f90663
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch
@@ -0,0 +1,99 @@
+From b2bde9504d42a5976d76e1f27c640dc561fbd99b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 1 Jun 2026 10:48:24 +1000
+Subject: [PATCH] libinput-device-group: sanitize phys before printing it
+
+Bug: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-50292
+
+A malicious uinput device could set the phys value (via UI_SET_PHYS)
+to contain a '\n'. When the value is printed as part of the device group
+the udev rules will interpret it as separate property.
+
+Depending on the property this can cause local privilege escalation.
+
+Closes #1296
+
+Found-by: Csome
+(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55)
+
+Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>
+
+CVE: CVE-2026-50292
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ udev/libinput-device-group.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
+index 3da904e0..d0522685 100644
+--- a/udev/libinput-device-group.c
++++ b/udev/libinput-device-group.c
+@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device,
+
+ udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
+ struct udev_device *d;
+- const char *path, *phys;
++ char *phys = NULL;
++ const char *path;
+ const char *pidstr, *vidstr;
+ int pid, vid, dist;
+
+@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device,
+
+ vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
+ pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
+- phys = udev_device_get_sysattr_value(d, "phys");
++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys"));
+
+ if (vidstr && pidstr && phys &&
+ safe_atoi_base(vidstr, &vid, 16) &&
+@@ -138,11 +139,13 @@ wacom_handle_ekr(struct udev_device *device,
+ best_dist = dist;
+
+ free(*phys_attr);
+- *phys_attr = safe_strdup(phys);
++ *phys_attr = phys;
++ phys = NULL;
+ }
+ }
+
+ udev_device_unref(d);
++ free(phys);
+ }
+
+ udev_enumerate_unref(e);
+@@ -154,8 +157,8 @@ int main(int argc, char **argv)
+ int rc = 1;
+ struct udev *udev = NULL;
+ struct udev_device *device = NULL;
+- const char *syspath,
+- *phys = NULL;
++ char *phys = NULL;
++ const char *syspath = NULL;
+ const char *product;
+ int bustype, vendor_id, product_id, version;
+ char group[1024];
+@@ -179,8 +182,7 @@ int main(int argc, char **argv)
+ * bit and use the remainder as device group identifier */
+ while (device != NULL) {
+ struct udev_device *parent;
+-
+- phys = udev_device_get_sysattr_value(device, "phys");
++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys"));
+ if (phys)
+ break;
+
+@@ -249,6 +251,8 @@ int main(int argc, char **argv)
+
+ printf("LIBINPUT_DEVICE_GROUP=%s\n", group);
+
++ free(phys);
++
+ rc = 0;
+ out:
+ if (device)
+--
+2.50.1
+
diff --git a/meta/recipes-graphics/wayland/libinput_1.25.0.bb b/meta/recipes-graphics/wayland/libinput_1.25.0.bb
index 894858e3617..1a33d16f3a6 100644
--- a/meta/recipes-graphics/wayland/libinput_1.25.0.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.25.0.bb
@@ -14,6 +14,8 @@ DEPENDS = "libevdev udev mtdev"
SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=main \
file://run-ptest \
+ file://CVE-2026-50292-01.patch \
+ file://CVE-2026-50292-02.patch \
"
SRCREV = "3fd38d89276b679ac3565efd7c2150fd047902cb"
S = "${WORKDIR}/git"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 17/26] gdb: backport a patch to fix static_assert in recent GCC
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (15 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 16/26] libinput: fix for CVE-2026-50292 Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:13 ` [OE-core][scarthgap 18/26] oeqa/core/runner: stub addDuration in OETestResult Yoann Congal
` (8 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Yoann Congal <yoann.congal@smile.fr>
On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert
is a keyword, and not a macro to define like with older GCC. This make
MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
| 86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| | ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
| 52 | case '.': MAPPED_REG (0, 0, GP, reg_0_map);
| | ^~~~~~~~~~
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/gdb/gdb.inc | 1 +
...gnu23-compatibility-wrt-static_asser.patch | 75 +++++++++++++++++++
2 files changed, 76 insertions(+)
create mode 100644 meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch
diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index 81ac441462a..d806a66ac43 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -13,5 +13,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0006-resolve-restrict-keyword-conflict.patch \
file://0007-Fix-invalid-sigprocmask-call.patch \
file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
+ file://0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch \
"
SRC_URI[sha256sum] = "2d4dd8061d8ded12b6c63f55e45344881e8226105f4d2a9b234040efa5ce7772"
diff --git a/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch
new file mode 100644
index 00000000000..d0d4aa5bd20
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch
@@ -0,0 +1,75 @@
+From 2b8d72efbe1af100ea4dad4c976b2d3a1fbad676 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sat, 16 Nov 2024 05:03:52 +0000
+Subject: [PATCH] opcodes: fix -std=gnu23 compatibility wrt static_assert
+
+
+static_assert is declared in C23 so we can't reuse that identifier:
+* Define our own static_assert conditionally;
+
+* Rename "static assert" hacks to _N as we do already in some places
+ to avoid a conflict.
+
+ChangeLog:
+ PR ld/32372
+
+ * i386-gen.c (static_assert): Define conditionally.
+ * mips-formats.h (MAPPED_INT): Rename identifier.
+ (MAPPED_REG): Rename identifier.
+ (OPTIONAL_MAPPED_REG): Rename identifier.
+ * s390-opc.c (static_assert): Define conditionally.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8ebe62f3f0d27806b1bf69f301f5e188b4acd2b4]
+Backport:
+* No static_assert to patch in this version of s390-opc.c.
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ opcodes/i386-gen.c | 2 ++
+ opcodes/mips-formats.h | 6 +++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/opcodes/i386-gen.c b/opcodes/i386-gen.c
+index cfc5a7a6172..d5901b9667d 100644
+--- a/opcodes/i386-gen.c
++++ b/opcodes/i386-gen.c
+@@ -30,7 +30,9 @@
+
+ /* Build-time checks are preferrable over runtime ones. Use this construct
+ in preference where possible. */
++#ifndef static_assert
+ #define static_assert(e) ((void)sizeof (struct { int _:1 - 2 * !(e); }))
++#endif
+
+ static const char *program_name = NULL;
+ static int debug = 0;
+diff --git a/opcodes/mips-formats.h b/opcodes/mips-formats.h
+index ac73f060a3e..790e23f1783 100644
+--- a/opcodes/mips-formats.h
++++ b/opcodes/mips-formats.h
+@@ -49,7 +49,7 @@
+ #define MAPPED_INT(SIZE, LSB, MAP, PRINT_HEX) \
+ { \
+ typedef char ATTRIBUTE_UNUSED \
+- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
++ static_assert_3[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
+ static const struct mips_mapped_int_operand op = { \
+ { OP_MAPPED_INT, SIZE, LSB }, MAP, PRINT_HEX \
+ }; \
+@@ -83,7 +83,7 @@
+ #define MAPPED_REG(SIZE, LSB, BANK, MAP) \
+ { \
+ typedef char ATTRIBUTE_UNUSED \
+- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
++ static_assert_4[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
+ static const struct mips_reg_operand op = { \
+ { OP_REG, SIZE, LSB }, OP_REG_##BANK, MAP \
+ }; \
+@@ -93,7 +93,7 @@
+ #define OPTIONAL_MAPPED_REG(SIZE, LSB, BANK, MAP) \
+ { \
+ typedef char ATTRIBUTE_UNUSED \
+- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
++ static_assert_5[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
+ static const struct mips_reg_operand op = { \
+ { OP_OPTIONAL_REG, SIZE, LSB }, OP_REG_##BANK, MAP \
+ }; \
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 18/26] oeqa/core/runner: stub addDuration in OETestResult
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (16 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 17/26] gdb: backport a patch to fix static_assert in recent GCC Yoann Congal
@ 2026-06-23 13:13 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 19/26] classes/gtk-icon-cache: fix libdir passed to the postrm intercept Yoann Congal
` (7 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:13 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
We have a custom TestResult implementation, and Python 3.12 added a new
method addDuration() to the TestResult interface. This would be useful
to implement correctly, but for now stub it out to silence the warning
when running under Python 3.12:
/usr/lib64/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method
warnings.warn("TestResult has no addDuration method",
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2d6fff81b34476b890f6943997615fbf8d3d133f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/lib/oeqa/core/runner.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/lib/oeqa/core/runner.py b/meta/lib/oeqa/core/runner.py
index b683d9b80a7..0d2bc3a3ed0 100644
--- a/meta/lib/oeqa/core/runner.py
+++ b/meta/lib/oeqa/core/runner.py
@@ -78,6 +78,10 @@ class OETestResult(_TestResult):
self.shownmsg.append(test.id())
break
+ # Python 3.12 added this, stub it out for now
+ def addDuration(self, test, elapsed):
+ pass
+
def logSummary(self, component, context_msg=''):
elapsed_time = self.tc._run_end_time - self.tc._run_start_time
self.tc.logger.info("SUMMARY:")
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 19/26] classes/gtk-icon-cache: fix libdir passed to the postrm intercept
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (17 preceding siblings ...)
2026-06-23 13:13 ` [OE-core][scarthgap 18/26] oeqa/core/runner: stub addDuration in OETestResult Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 20/26] python3: CVE-2026-3087 not applicable Yoann Congal
` (6 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
Back in 2015[1] I fixed the libdir passed to the postinst intercept, but
I forgot to also update the postrm intercept. This should also be
libdir_native, not libdir.
[ YOCTO #13896 ]
[1] oe-core 0fe8400717 ("gtk-icon-cache: pass the native libdir to the intercept")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 92dd67114be325e019c149bddaf5f874f6917094)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes-recipe/gtk-icon-cache.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes-recipe/gtk-icon-cache.bbclass b/meta/classes-recipe/gtk-icon-cache.bbclass
index 9ecb49916c2..2ff10c21181 100644
--- a/meta/classes-recipe/gtk-icon-cache.bbclass
+++ b/meta/classes-recipe/gtk-icon-cache.bbclass
@@ -46,7 +46,7 @@ gtk_icon_cache_postrm() {
if [ "x$D" != "x" ]; then
$INTERCEPT_DIR/postinst_intercept update_gtk_icon_cache ${PKG} \
mlprefix=${MLPREFIX} \
- libdir=${libdir}
+ libdir_native=${libdir_native}
else
for icondir in /usr/share/icons/* ; do
if [ -d $icondir ] ; then
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 20/26] python3: CVE-2026-3087 not applicable
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (18 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 19/26] classes/gtk-icon-cache: fix libdir passed to the postrm intercept Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 21/26] bzip2: set CVE_PRODUCT Yoann Congal
` (5 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087
The CVE is only applicable to Windows OS
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/python/python3_3.12.13.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index 3e28a3942bd..bf0e1702d54 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -63,6 +63,7 @@ CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Win
# The module will be removed in the future and flaws documented.
CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour"
+CVE_STATUS[CVE-2026-3087] = "not-applicable-platform: Issue only applies on Windows"
PYTHON_MAJMIN = "3.12"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 21/26] bzip2: set CVE_PRODUCT
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (19 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 20/26] python3: CVE-2026-3087 not applicable Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 22/26] apr-util: Add CVE_PRODUCT to support product name Yoann Congal
` (4 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Jonas Munsin <jonas.munsin@gehealthcare.com>
Add CVE_PRODUCT to bzip2
Signed-off-by: Jonas Munsin <jonas.munsin@gehealthcare.com>
Signed-off-by: Maxin John <maxin.john@gehealthcare.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bc889ea799cc82f7fa018baabca0b821c1209897)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/bzip2/bzip2_1.0.8.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
index 4e3a06f2408..f9224908685 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
@@ -66,5 +66,7 @@ FILES:libbz2 = "${libdir}/lib*${SOLIBS}"
RDEPENDS:${PN}-ptest += "make bash"
+CVE_PRODUCT = "bzip:bzip2"
+
PROVIDES:append:class-native = " bzip2-replacement-native"
BBCLASSEXTEND = "native nativesdk"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 22/26] apr-util: Add CVE_PRODUCT to support product name
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (20 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 21/26] bzip2: set CVE_PRODUCT Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 23/26] apr: " Yoann Congal
` (3 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Himanshu Jadon <hjadon@cisco.com>
apr-util is tracked in NVD under apache:apr-util, while a smaller set
of newer CVEs also appears under apache:portable_runtime_utility.
Set CVE_PRODUCT accordingly so cve-check can cover both the historical
and current NVD product identities used for APR-util.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit 927b505c982ed7443aed348ca54b0073ac63d938)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-support/apr/apr-util_1.6.3.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-support/apr/apr-util_1.6.3.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb
index 1371e262ddb..3a5f52d2501 100644
--- a/meta/recipes-support/apr/apr-util_1.6.3.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.3.bb
@@ -95,3 +95,6 @@ do_install_ptest() {
cp -r ${B}/test/$i $t; \
done
}
+
+# Add CVE_PRODUCT to match the NVD CPE product name
+CVE_PRODUCT = "apache:apr-util apache:portable_runtime_utility"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 23/26] apr: Add CVE_PRODUCT to support product name
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (21 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 22/26] apr-util: Add CVE_PRODUCT to support product name Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 24/26] go-binary-native: set status for CVE-2026-39836 Yoann Congal
` (2 subsequent siblings)
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Himanshu Jadon <hjadon@cisco.com>
apr is tracked in NVD under apache:portable_runtime rather than the
recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the
correct NVD product identity for APR.
No additional alias was found to be necessary for this recipe.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit bc3803e12d4938e2de514c39bd5d0f011f883ace)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-support/apr/apr_1.7.5.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-support/apr/apr_1.7.5.bb b/meta/recipes-support/apr/apr_1.7.5.bb
index 78796476e22..7a3445aa201 100644
--- a/meta/recipes-support/apr/apr_1.7.5.bb
+++ b/meta/recipes-support/apr/apr_1.7.5.bb
@@ -136,3 +136,6 @@ do_install_ptest() {
}
export CONFIG_SHELL="/bin/bash"
+
+# Add CVE_PRODUCT to match the NVD CPE product name
+CVE_PRODUCT = "apache:portable_runtime"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 24/26] go-binary-native: set status for CVE-2026-39836
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (22 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 23/26] apr: " Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 25/26] go: " Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 26/26] rust,libstd-rs: set status for CVE-2024-3566 Yoann Congal
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-binary-native_1.22.12.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
index 7688a090f40..dd84021cc9e 100644
--- a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
@@ -19,6 +19,7 @@ UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
CVE_PRODUCT = "golang:go"
CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows"
S = "${WORKDIR}/go"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 25/26] go: set status for CVE-2026-39836
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (23 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 24/26] go-binary-native: set status for CVE-2026-39836 Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
2026-06-23 13:14 ` [OE-core][scarthgap 26/26] rust,libstd-rs: set status for CVE-2024-3566 Yoann Congal
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
This issue affects Windows only. The net.Dial and net.LookupPort
functions can panic when given input containing a NUL byte.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-39836
https://security-tracker.debian.org/tracker/CVE-2026-39836
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index f85104d6f15..c825ebd25a3 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -65,3 +65,4 @@ SRC_URI += "\
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows"
^ permalink raw reply related [flat|nested] 28+ messages in thread* [OE-core][scarthgap 26/26] rust,libstd-rs: set status for CVE-2024-3566
2026-06-23 13:13 [OE-core][scarthgap 00/26] Patch review Yoann Congal
` (24 preceding siblings ...)
2026-06-23 13:14 ` [OE-core][scarthgap 25/26] go: " Yoann Congal
@ 2026-06-23 13:14 ` Yoann Congal
25 siblings, 0 replies; 28+ messages in thread
From: Yoann Congal @ 2026-06-23 13:14 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
The vulnerability is Windows-specific and depends on command-line
handling through CreateProcess, which does not apply to Linux/Yocto
builds.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-3566
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/rust/rust-source.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc
index 5b433ceae78..318c7f0e293 100644
--- a/meta/recipes-devtools/rust/rust-source.inc
+++ b/meta/recipes-devtools/rust/rust-source.inc
@@ -23,3 +23,4 @@ UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src"
CVE_STATUS[CVE-2024-24576] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-2024-43402] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
^ permalink raw reply related [flat|nested] 28+ messages in thread