new file mode 100644
@@ -0,0 +1,37 @@
+From 361f274ca901c3c476697a6404662d95f4dd43cb Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:19:03 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'gv_api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index d03de09..2f31b98 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -174,7 +174,6 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+ char *package_path, *name, *api;
+ const char *type;
+- api_t gv_api;
+ int quality;
+ int nest = 0;
+ gvplugin_package_t *package;
+@@ -189,7 +188,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ package = gvplugin_package_record(gvc, package_path, name);
+ do {
+ api = token(&nest, &s);
+- gv_api = gvplugin_api(api);
++ const api_t gv_api = gvplugin_api(api);
+ do {
+ if (nest == 2) {
+ type = token(&nest, &s);
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,38 @@
+From 3f31704cafd7da3e86bb2861accf5e90c973e62a Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:39:39 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 2f31b98..ea0d81b 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -172,7 +172,7 @@ static char *token(int *nest, char **tokens)
+
+ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+- char *package_path, *name, *api;
++ char *package_path, *name;
+ const char *type;
+ int quality;
+ int nest = 0;
+@@ -187,7 +187,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ name = "x";
+ package = gvplugin_package_record(gvc, package_path, name);
+ do {
+- api = token(&nest, &s);
++ const char *api = token(&nest, &s);
+ const api_t gv_api = gvplugin_api(api);
+ do {
+ if (nest == 2) {
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,33 @@
+From a95f977f5d809915ec4b14836d2b5b7f5e74881e Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 15:02:06 +0800
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index ea0d81b..1eccc70 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -189,6 +189,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ do {
+ const char *api = token(&nest, &s);
+ const api_t gv_api = gvplugin_api(api);
++ if (gv_api == (api_t)-1) {
++ agerr(AGERR, "config error: %s %s not found\n", package_path, api);
++ return 0;
++ }
+ do {
+ if (nest == 2) {
+ type = token(&nest, &s);
+--
+2.25.1
@@ -20,6 +20,9 @@ inherit autotools-brokensep pkgconfig gettext qemu
SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \
file://0001-Autotools-fix-do-not-put-prefix-based-paths-in-compi.patch \
+ file://CVE-2023-46045-0001.patch \
+ file://CVE-2023-46045-0002.patch \
+ file://CVE-2023-46045-0003.patch \
"
# Use native mkdefs
SRC_URI:append:class-target = "\