
[scarthgap,0/8] Patch review

Message ID cover.1764713862.git.steve@sakoman.com
State Not Applicable, archived
Delegated to: Steve Sakoman

Pull-request

https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut

Message

Steve Sakoman Dec. 2, 2025, 10:19 p.m. UTC
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, December 4

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2811

The following changes since commit 1fbd9eddbdf0da062df0510cabff6f6ee33d5752:

  libarchive: patch CVE-2025-60753 (2025-11-24 08:08:18 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Changqing Li (1):
  libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689

Moritz Haase (1):
  curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected

Peter Marko (5):
  gnutls: patch CVE-2025-9820
  libpng: patch CVE-2025-64505
  libpng: patch CVE-2025-64506
  libpng: patch CVE-2025-64720
  libpng: patch CVE-2025-65018

Praveen Kumar (1):
  python3: fix CVE-2025-6075

 .../python/python3/CVE-2025-6075.patch        |   355 +
 .../python/python3_3.12.12.bb                 |     1 +
 .../libpng/files/CVE-2025-64505-01.patch      |   111 +
 .../libpng/files/CVE-2025-64505-02.patch      |   163 +
 .../libpng/files/CVE-2025-64505-03.patch      |    52 +
 .../libpng/files/CVE-2025-64506.patch         |    57 +
 .../libpng/files/CVE-2025-64720.patch         |   103 +
 .../libpng/files/CVE-2025-65018-01.patch      |    60 +
 .../libpng/files/CVE-2025-65018-02.patch      |   163 +
 .../libpng/libpng_1.6.42.bb                   |     7 +
 .../curl/curl/environment.d-curl.sh           |     4 +-
 .../gnutls/gnutls/CVE-2025-9820.patch         |   250 +
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |     1 +
 ...0001-Remove-broken-experimental-code.patch | 14471 ++++++++++++++++
 .../libmicrohttpd/libmicrohttpd_1.0.1.bb      |     3 +-
 15 files changed, 15798 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
 create mode 100644 meta/recipes-support/libmicrohttpd/files/0001-Remove-broken-experimental-code.patch

Comments

Steve Sakoman Dec. 4, 2025, 5:59 p.m. UTC | #1
On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> This is quite a big change in the middle of an LTS release... not that I
> have a better solution. But maybe a warning in the docs would be
> appropriate about this removed feature and its reason (not sure who
> takes care of these).

You are quite correct, this is a large change and deserves further
discussion since it is removing a (admittedly experimental) feature.

I will remove this from this series pending further discussion on list.

Steve
Changqing Li Dec. 5, 2025, 2:52 a.m. UTC | #2
On 12/5/25 01:59, Steve Sakoman wrote:
>
> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>> This is quite a big change in the middle of an LTS release... not that I
>> have a better solution. But maybe a warning in the docs would be
>> appropriate about this removed feature and its reason (not sure who
>> takes care of these).
> You are quite correct, this is a large change and deserves further
> discussion since it is removing a (admittedly experimental) feature.
>
> I will remove this from this series pending further discussion on list.

Hi,

This vulnerability exists in libmicrohttpd_ws.so, which is generated
when building with the --enable-experimental option, rather than in the
widely used libmicrohttpd.so.

We don't enable this option by default, and we also don't provide a
PACKAGECONFIG for it.

How about we still keep the patch for fixing CVE-2025-59777 and
CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb:

+python do_warn_experimental() {
+    if '--enable-experimental' in d.getVar('EXTRA_OECONF') and 
'0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
+        bb.warn("This option is removed for CVE-2025-59777, 
CVE-2025-62689, if you insist to use it, please remove patch 
0001-Remove-broken-experimental-code.patch")
+}
+addtask warn_experimental before do_configure
+
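Review bot: `d.getVar('EXTRA_OECONF')` and `d.getVar('SRC_URI')` return None when the variable is unset, so the `in` test on the first line of the function raises a TypeError and fails the build instead of warning; use `(d.getVar('EXTRA_OECONF') or '')` and `(d.getVar('SRC_URI') or '')`, or `bb.utils.contains('EXTRA_OECONF', '--enable-experimental', True, False, d)`, which as a word match also avoids matching `--enable-experimental=no` as a substring. The advice to "remove patch ... locally" would be easier to follow and to audit as a `SRC_URI:remove = "file://0001-Remove-broken-experimental-code.patch"` line in a bbappend, and the message text should say the experimental code was removed because of CVE-2025-59777 and CVE-2025-62689 rather than "This option is removed". Note also that the diffstat in the cover letter touches `libmicrohttpd_1.0.1.bb`, not `libmicrohttpd_1.0.2.bb`.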

If the user enables '--enable-experimental', a warning is shown that it
has been removed. If the user insists on using it, they can remove the patch
0001-Remove-broken-experimental-code.patch locally, and then the
warning will disappear.

//changqing

>
> Steve
Anuj Mittal Dec. 5, 2025, 3:41 a.m. UTC | #3
On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
<changqing.li=windriver.com@lists.openembedded.org> wrote:
>
>
> On 12/5/25 01:59, Steve Sakoman wrote:
>
>
> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> This is quite a big change in the middle of an LTS release... not that I
> have a better solution. But maybe a warning in the docs would be
> appropriate about this removed feature and its reason (not sure who
> takes care of these).
>
> You are quite correct, this is a large change and deserves further
> discussion since it is removing a (admittedly experimental) feature.
>
> I will remove this from this series pending further discussion on list.
>
> Hi,
>
> This vulnerability exists in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in widely used libmicrohttpd.so.
>
> We don't enable this option by default,  also we don't provide PACKAGECONFIG for it.
>
> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb
>
> +python do_warn_experimental() {
> +    if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
> +        bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
> +}
> +addtask warn_experimental before do_configure
> +
>
> if the user enable '--enable-experimental' , warning is it removed. if user insist to use it,  they can remove patch 0001-Remove-broken-experimental-code.patch locally,  then
>
> warning will disappear.

I think it should be the other way around. If we don't enable the
option and don't have a tunable PACKAGECONFIG for it, why complicate
and patch? If someone did enable it knowingly, they should fix it in
their append or recipe.

Thanks,

Anuj
Changqing Li Dec. 8, 2025, 6:58 a.m. UTC | #4
On 12/5/25 11:41, Anuj Mittal wrote:
>
> On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
> <changqing.li=windriver.com@lists.openembedded.org> wrote:
>>
>> On 12/5/25 01:59, Steve Sakoman wrote:
>>
>>
>> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>>
>> This is quite a big change in the middle of an LTS release... not that I
>> have a better solution. But maybe a warning in the docs would be
>> appropriate about this removed feature and its reason (not sure who
>> takes care of these).
>>
>> You are quite correct, this is a large change and deserves further
>> discussion since it is removing a (admittedly experimental) feature.
>>
>> I will remove this from this series pending further discussion on list.
>>
>> Hi,
>>
>> This vulnerability exists in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in widely used libmicrohttpd.so.
>>
>> We don't enable this option by default,  also we don't provide PACKAGECONFIG for it.
>>
>> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb
>>
>> +python do_warn_experimental() {
>> +    if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
>> +        bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
>> +}
>> +addtask warn_experimental before do_configure
>> +
>>
>> if the user enable '--enable-experimental' , warning is it removed. if user insist to use it,  they can remove patch 0001-Remove-broken-experimental-code.patch locally,  then
>>
>> warning will disappear.
> I think it should be the other way around. If we don't enable the
> option and don't have a tunable PACKAGECONFIG for it, why complicate
> and patch? If someone did enable it knowingly, they should fix it in
> their append or recipe.

If we don't patch it, should we add a function like do_warn_experimental
to remind the user about the CVEs?

It is possible that a user enables experimental but doesn't know about the
existence of CVE-2025-59777 and CVE-2025-62689.

Thanks

//Changqing

> Thanks,
>
> Anuj