From patchwork Mon Jul 14 16:22:55 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66762
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6DE27C83F1B
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:23 +0000 (UTC)
Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com
 [209.85.210.175])
 by mx.groups.io with SMTP id smtpd.web10.82423.1752510198361288467
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:18 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=tidvBHeq;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.175,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f175.google.com with SMTP id
 d2e1a72fcca58-742c3d06de3so4911467b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510197;
 x=1753114997; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=BqTMffA6VXTd+AyTkFDnnVtr3ujR6Q646wlvs6bXNhA=;
        b=tidvBHeqG7iS1vDHW2I8OaL402p1ZYpGjA60wVjykk1F5Dkj6v/ohblGGjKzj60gtk
         S+z0V9SGL+/NfVLJThfALVkRHRyncYwP8ZuF0bve/bxjbIbIKXODPAh2/Jzzr6EDx/4W
         4IYx972MJSmdN0SeNgPbKdKpuzMQmEuIwGlEM6DcOslO90hU/2LijTm3CEw2gZIrDZnH
         cx5sK45/Ul3fi4gYoc/OttchdnCbvAi2RJ7uo3K79myeze1OlNMMTQmfOfv6mRE5WqFt
         NyJVjGKUXTO4MNgGAdJpGPvyripzNYcHcl/Z5NV8eotWUjprfQnkpeUCAk7LRwwRp1//
         i90A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510197; x=1753114997;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=BqTMffA6VXTd+AyTkFDnnVtr3ujR6Q646wlvs6bXNhA=;
        b=SwgWLl2zgD+wHEdFu4lWRW0NWVteVMdU62uCHbx05RYAdzcz/8DAlyp2JlUGbPtVoz
         I/6BvDkLrMs4S2EkeXkJJozT2cmp7/refgd5MYCToCtcSnMlcdE9EyHzF0tycThI3oyB
         jOO62qFPVnGD6mrb5O0d/CVZBJ/cEBg1oqG+LOVz8HLqF+7Ccd4883EXL7hjKlqs2l0K
         sRoqeviJ4GP87YPadb5tSe41Xrib9wxJObhgLapqiIhBMVSP2hLOTJO8hDHQJ/74uPxl
         InX/5jt/E9jSBIPhNrIyuXLdisb549S7iPajPBDyMdHcCxVSyCsEtSdZebmKyuQnHo3B
         rOiQ==
X-Gm-Message-State: AOJu0YzfDqGC2T5VZxpgLt7sCYj7Jm9wYMjB5JyfiaKv3Vjb5POalFev
	8T6UH3SFbWQgldFme4CYNR/gjEoeaF8bSMvE4kVaFRaXLZbbAOET0CtItc6qpPL+NerPb8I5vwv
	69jbr
X-Gm-Gg: ASbGncsGyW+CpSzK776PXTzMFeM5RzucXF3UyZfMTzZmbbfKHSEc+rZLb4CwNG5Vs7x
	K51l+GTfQVEAUbm4TNJVazZxrRiaNw0RnY3R6P7e4VqNOYAH/LGLnBX7Y9hzoxQ9iSNvXjI3XSW
	eZxz8d1Il2VqtTZrXR9YfPoTYvFka6sQdHtODVnGXxs12hTWXYTWxfoz62wzFnCBK2iRk5BPbub
	k3hBNpDfox11nulPsFm+fH3u/SqF+PTGh+QscZsPL7SfMmCepxPM99lU6TVd9k+ZzFuaW4Ry1Us
	Gywwzki2VHlnf5Akd9Dl52IlMeR8wPS+D0ep9Dh1q1EqxZOfMLzW36XAZ0+9NLWDRqJNVf/5kt9
	+yf+iIfymPzcj
X-Google-Smtp-Source: 
 AGHT+IHiloSNtELZ2tOzncmbuAB9TRWOpQkmcvRgg3FIROj72baHe86Obe6l2LZVfs+mfW2g0Gbw1g==
X-Received: by 2002:a05:6a00:178c:b0:748:2f4e:ab4e with SMTP id
 d2e1a72fcca58-74ee284c884mr19687703b3a.11.1752510197386;
        Mon, 14 Jul 2025 09:23:17 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.16
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:17 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 01/15] icu: fix CVE-2025-5222
Date: Mon, 14 Jul 2025 09:22:55 -0700
Message-ID: 
 <674a3780bb76f4c8adf92d4f91cc9146d32787aa.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220239

From: Changqing Li <changqing.li@windriver.com>

CVE-2025-5222:
A stack buffer overflow was found in Internationl components for unicode
(ICU ). While running the genrb binary, the 'subtag' struct overflowed
at the SRBRoot::addTag function. This issue may lead to memory
corruption and local arbitrary code execution.

Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-5222
https://unicode-org.atlassian.net/browse/ICU-22957
https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../icu/icu/CVE-2025-5222.patch               | 166 ++++++++++++++++++
 meta/recipes-support/icu/icu_76-1.bb          |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2025-5222.patch

diff --git a/meta/recipes-support/icu/icu/CVE-2025-5222.patch b/meta/recipes-support/icu/icu/CVE-2025-5222.patch
new file mode 100644
index 0000000000..276d9e4f90
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2025-5222.patch
@@ -0,0 +1,166 @@
+From b5fd1ccf1068140ca9333878f2172a0947986ca8 Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Wed, 22 Jan 2025 11:50:59 -0800
+Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString
+
+CVE: CVE-2025-5222
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tools/genrb/parse.cpp | 49 +++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 20 deletions(-)
+
+diff --git a/tools/genrb/parse.cpp b/tools/genrb/parse.cpp
+index f487241..eb85d51 100644
+--- a/tools/genrb/parse.cpp
++++ b/tools/genrb/parse.cpp
+@@ -1153,7 +1153,7 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+     struct UString    *tokenValue;
+     struct UString     comment;
+     enum   ETokenType  token;
+-    char               subtag[1024];
++    CharString         subtag;
+     UnicodeString      rules;
+     UBool              haveRules = false;
+     UVersionInfo       version;
+@@ -1189,15 +1189,15 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+             return nullptr;
+         }
+ 
+-        u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+-
++        subtag.clear();
++        subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+         if (U_FAILURE(*status))
+         {
+             res_close(result);
+             return nullptr;
+         }
+ 
+-        member = parseResource(state, subtag, nullptr, status);
++        member = parseResource(state, subtag.data(), nullptr, status);
+ 
+         if (U_FAILURE(*status))
+         {
+@@ -1208,7 +1208,7 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+         {
+             // Ignore the parsed resources, continue parsing.
+         }
+-        else if (uprv_strcmp(subtag, "Version") == 0 && member->isString())
++        else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString())
+         {
+             StringResource *sr = static_cast<StringResource *>(member);
+             char     ver[40];
+@@ -1225,11 +1225,11 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+             result->add(member, line, *status);
+             member = nullptr;
+         }
+-        else if(uprv_strcmp(subtag, "%%CollationBin")==0)
++        else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0)
+         {
+             /* discard duplicate %%CollationBin if any*/
+         }
+-        else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString())
++        else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString())
+         {
+             StringResource *sr = static_cast<StringResource *>(member);
+             rules = sr->fString;
+@@ -1395,7 +1395,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+     struct UString    *tokenValue;
+     struct UString     comment;
+     enum   ETokenType  token;
+-    char               subtag[1024], typeKeyword[1024];
++    CharString         subtag, typeKeyword;
+     uint32_t           line;
+ 
+     result = table_open(state->bundle, tag, nullptr, status);
+@@ -1437,7 +1437,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 return nullptr;
+             }
+ 
+-            u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
++            subtag.clear();
++            subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+ 
+             if (U_FAILURE(*status))
+             {
+@@ -1445,9 +1446,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 return nullptr;
+             }
+ 
+-            if (uprv_strcmp(subtag, "default") == 0)
++            if (uprv_strcmp(subtag.data(), "default") == 0)
+             {
+-                member = parseResource(state, subtag, nullptr, status);
++                member = parseResource(state, subtag.data(), nullptr, status);
+ 
+                 if (U_FAILURE(*status))
+                 {
+@@ -1466,22 +1467,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 if(token == TOK_OPEN_BRACE) {
+                     token = getToken(state, &tokenValue, &comment, &line, status);
+                     TableResource *collationRes;
+-                    if (keepCollationType(subtag)) {
+-                        collationRes = table_open(state->bundle, subtag, nullptr, status);
++                    if (keepCollationType(subtag.data())) {
++                        collationRes = table_open(state->bundle, subtag.data(), nullptr, status);
+                     } else {
+                         collationRes = nullptr;
+                     }
+                     // need to parse the collation data regardless
+-                    collationRes = addCollation(state, collationRes, subtag, startline, status);
++                    collationRes = addCollation(state, collationRes, subtag.data(), startline, status);
+                     if (collationRes != nullptr) {
+                         result->add(collationRes, startline, *status);
+                     }
+                 } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */
+                     /* we could have a table too */
+                     token = peekToken(state, 1, &tokenValue, &line, &comment, status);
+-                    u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1);
+-                    if(uprv_strcmp(typeKeyword, "alias") == 0) {
+-                        member = parseResource(state, subtag, nullptr, status);
++                    typeKeyword.clear();
++                    typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
++                    if (U_FAILURE(*status))
++                    {
++                        res_close(result);
++                        return nullptr;
++                    }
++
++                    if(uprv_strcmp(typeKeyword.data(), "alias") == 0) {
++                        member = parseResource(state, subtag.data(), nullptr, status);
+                         if (U_FAILURE(*status))
+                         {
+                             res_close(result);
+@@ -1523,7 +1531,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+     struct UString    *tokenValue=nullptr;
+     struct UString    comment;
+     enum   ETokenType token;
+-    char              subtag[1024];
++    CharString        subtag;
+     uint32_t          line;
+     UBool             readToken = false;
+ 
+@@ -1562,7 +1570,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+         }
+ 
+         if(uprv_isInvariantUString(tokenValue->fChars, -1)) {
+-            u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
++            subtag.clear();
++            subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+         } else {
+             *status = U_INVALID_FORMAT_ERROR;
+             error(line, "invariant characters required for table keys");
+@@ -1575,7 +1584,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+             return nullptr;
+         }
+ 
+-        member = parseResource(state, subtag, &comment, status);
++        member = parseResource(state, subtag.data(), &comment, status);
+ 
+         if (member == nullptr || U_FAILURE(*status))
+         {
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/icu/icu_76-1.bb b/meta/recipes-support/icu/icu_76-1.bb
index f11e72d356..24470ec330 100644
--- a/meta/recipes-support/icu/icu_76-1.bb
+++ b/meta/recipes-support/icu/icu_76-1.bb
@@ -119,6 +119,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
            ${DATA_SRC_URI};name=data \
            file://filter.json \
            file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2025-5222.patch \
            "
 
 SRC_URI:append:class-target = "\

From patchwork Mon Jul 14 16:22:56 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66764
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 73DCFC83F27
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:23 +0000 (UTC)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com
 [209.85.210.173])
 by mx.groups.io with SMTP id smtpd.web10.82427.1752510199785379757
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:19 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=SmBdgexo;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.173,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f173.google.com with SMTP id
 d2e1a72fcca58-75001b1bd76so1421945b3a.2
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510199;
 x=1753114999; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=H1AZanmgzG13lq/JhW0DuaLLmOHKDOQvek16d4dDtqI=;
        b=SmBdgexo7IOSb1HPUEcQs1/4MIQNuKp2TlMjr2izDD3yadaheIW41XsPYwqlAfLqp8
         di+89rekNtDK6GHhyH+y8wj3j1IzRjjHDgz0qn5XFoF8d15s9SMHtX5TgJSaUBALJoMe
         xRpkwdAes1OVo0XQs6mM8drFZDMJy5EsNcozj6Q/5oUze3F6bYHTvtKIlDXQXbiZ8WCB
         GCJP/9AcM5amih7XrLAursP4xUfOmj5bZ2UPAjw1iWdEnKY0vTvJNkhriqGHqyFGMwQx
         tLZTryoZYn8qvRcdhRQtJ3glKclrYKofb146Kx5SO6V5aY915Ng+fG4wfetqNpAeetr0
         Ewdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510199; x=1753114999;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=H1AZanmgzG13lq/JhW0DuaLLmOHKDOQvek16d4dDtqI=;
        b=KPHy+W2bcyfFPDukmFcA2Y66Av96AnPZqOenJhzD/37Lk0Euq3btalIoreKBDPfJwT
         zCyH1YS4GNQr0PdT8us1w0DZOneuLRfmxJadrp1CvLtUjXWLTAcoqezbOtI4CPJ3C+4h
         ZEb5zJFouMlMsimzl00IdH6+OzcuMwBLRYbKg6rjrwL/eKJbJ+XEGG+thckOjRjBuRPD
         uihZHzHjaGeDxJwQjQXePnmgqqRICOijOcA85LqBJW7QUqGcH5J36qvnhMF6IEBLoSPl
         7wi2DqPu7Ig53iqd4wmqA6i9oUM1ERGkfta8D9ZlBSEjPj9VMoS2brUWr67iG5jsc3LA
         zBbA==
X-Gm-Message-State: AOJu0YxCvUUCtNU+FYd0GT7Jw/sf4OZKTNVTZL/WuxnhJNxnLnqkL6Gh
	mdQcA+PnqRJ4uT9rLHWoNDFTG0AP+U33z0x5HhYT/kJMSB/S0+WyyWRtDxhem0g8DxUcV74K9AW
	1O0lF
X-Gm-Gg: ASbGncvaVWBqPXDARUm4wZ805WzWJFh/zxbrImDZMwDbpHowxe5/4unknrJq/EYcOmk
	ApNI/8sC04QWcietuBxlTEOpyYeYp5VEkh9Iy+NwXnbzQ9a4tjCZt950ftMcZDA7odU9WVtQUdL
	plwIsLVzqzfSbpslgadd4yzSBHqeMYjgHfKP8s5AYRJRX9rzXgjKsY0nMNkVHT3aLTcGPu5DBdl
	CO/LOmYre3sl3tmqX3ikdweKE5WTwLJfAX0uf8e/jUVTW5S7m5fIw4XV2HXNSNcbS4UIPzNzRQ1
	5oBsBN8st1sziEgVsWHg/iw7RQHCvHKfQXMA/VCmeu91Yu/wzeMMlCYsWepKdY6KQdGAAn0tXdc
	1922c6dcB1xK21OWJWF3MkdM=
X-Google-Smtp-Source: 
 AGHT+IG3rkb22Xcy7IhjxpJ1V484TBP4Rgx0gFOWcqW5u3IB6WHQsTfN5zBMk4A4ZQqc0BKrc0GndA==
X-Received: by 2002:a05:6a00:9286:b0:748:e8c7:5a38 with SMTP id
 d2e1a72fcca58-74ee32377a9mr18125296b3a.23.1752510198831;
        Mon, 14 Jul 2025 09:23:18 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.18
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:18 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 02/15] libarchive: fix CVE-2025-5915
Date: Mon, 14 Jul 2025 09:22:56 -0700
Message-ID: 
 <0787eb4ed528cde09ed8f27f070cc6875548f056.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220240

From: Divya Chellam <divya.chellam@windriver.com>

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b
uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer
-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo
ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o
r the disclosure of sensitive information from adjacent memory regions.

Adjusted indentation in the recipe file.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915

Upstream-patches:
https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |   5 +-
 2 files changed, 220 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
new file mode 100644
index 0000000000..3c911ce9d9
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
@@ -0,0 +1,217 @@
+From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 11 May 2025 19:00:11 +0200
+Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599)
+
+A filter block size must not be larger than the lzss window, which is
+defined
+by dictionary size, which in turn can be derived from unpacked file
+size.
+
+While at it, improve error messages and fix lzss window wrap around
+logic.
+
+Fixes https://github.com/libarchive/libarchive/issues/2565
+
+---------
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Co-authored-by: Tim Kientzle <kientzle@acm.org>
+
+CVE: CVE-2025-5915
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ Makefile.am                                   |  2 +
+ libarchive/archive_read_support_format_rar.c  | 17 ++++---
+ libarchive/test/CMakeLists.txt                |  1 +
+ .../test/test_read_format_rar_overflow.c      | 48 +++++++++++++++++++
+ .../test/test_read_format_rar_overflow.rar.uu | 11 +++++
+ 5 files changed, 72 insertions(+), 7 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.c
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index 4fafc41..9f3a6d1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -519,6 +519,7 @@ libarchive_test_SOURCES= \
+ 	libarchive/test/test_read_format_rar_encryption_header.c \
+ 	libarchive/test/test_read_format_rar_filter.c \
+ 	libarchive/test/test_read_format_rar_invalid1.c \
++	libarchive/test/test_read_format_rar_overflow.c \
+ 	libarchive/test/test_read_format_rar5.c \
+ 	libarchive/test/test_read_format_raw.c \
+ 	libarchive/test/test_read_format_tar.c \
+@@ -889,6 +890,7 @@ libarchive_test_EXTRA_DIST=\
+ 	libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \
+ 	libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \
+ 	libarchive/test/test_read_format_rar_noeof.rar.uu \
++	libarchive/test/test_read_format_rar_overflow.rar.uu \
+ 	libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \
+ 	libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \
+ 	libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 9eb3c84..88eab62 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -451,7 +451,7 @@ static int read_filter(struct archive_read *, int64_t *);
+ static int rar_decode_byte(struct archive_read*, uint8_t *);
+ static int execute_filter(struct archive_read*, struct rar_filter *,
+                           struct rar_virtual_machine *, size_t);
+-static int copy_from_lzss_window(struct archive_read *, void *, int64_t, int);
++static int copy_from_lzss_window(struct archive_read *, uint8_t *, int64_t, int);
+ static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t);
+ static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t);
+ 
+@@ -2929,7 +2929,7 @@ expand(struct archive_read *a, int64_t *end)
+     }
+ 
+     if ((symbol = read_next_symbol(a, &rar->maincode)) < 0)
+-      return (ARCHIVE_FATAL);
++      goto bad_data;
+ 
+     if (symbol < 256)
+     {
+@@ -2956,14 +2956,14 @@ expand(struct archive_read *a, int64_t *end)
+       else
+       {
+         if (parse_codes(a) != ARCHIVE_OK)
+-          return (ARCHIVE_FATAL);
++          goto bad_data;
+         continue;
+       }
+     }
+     else if(symbol==257)
+     {
+       if (!read_filter(a, end))
+-          return (ARCHIVE_FATAL);
++          goto bad_data;
+       continue;
+     }
+     else if(symbol==258)
+@@ -3048,7 +3048,7 @@ expand(struct archive_read *a, int64_t *end)
+           {
+             if ((lowoffsetsymbol =
+               read_next_symbol(a, &rar->lowoffsetcode)) < 0)
+-              return (ARCHIVE_FATAL);
++              goto bad_data;
+             if(lowoffsetsymbol == 16)
+             {
+               rar->numlowoffsetrepeats = 15;
+@@ -3096,7 +3096,7 @@ bad_data:
+ }
+ 
+ static int
+-copy_from_lzss_window(struct archive_read *a, void *buffer,
++copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
+                       int64_t startpos, int length)
+ {
+   int windowoffs, firstpart;
+@@ -3111,7 +3111,7 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+   }
+   if (firstpart < length) {
+     memcpy(buffer, &rar->lzss.window[windowoffs], firstpart);
+-    memcpy(buffer, &rar->lzss.window[0], length - firstpart);
++    memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart);
+   } else {
+     memcpy(buffer, &rar->lzss.window[windowoffs], length);
+   }
+@@ -3266,6 +3266,9 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
+   else
+     blocklength = prog ? prog->oldfilterlength : 0;
+ 
++  if (blocklength > rar->dictionary_size)
++    return 0;
++
+   registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+   registers[4] = blocklength;
+   registers[5] = prog ? prog->usagecount : 0;
+diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
+index 5d7a5d2..59c5f5d 100644
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -163,6 +163,7 @@ IF(ENABLE_TEST)
+     test_read_format_rar_encryption_partially.c
+     test_read_format_rar_invalid1.c
+     test_read_format_rar_filter.c
++    test_read_format_rar_overflow.c
+     test_read_format_rar5.c
+     test_read_format_raw.c
+     test_read_format_tar.c
+diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c
+new file mode 100644
+index 0000000..b39ed6b
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar_overflow.c
+@@ -0,0 +1,48 @@
++/*-
++ * Copyright (c) 2003-2025 Tim Kientzle
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++DEFINE_TEST(test_read_format_rar_overflow)
++{
++    struct archive *a;
++    struct archive_entry *ae;
++    const char reffile[] = "test_read_format_rar_overflow.rar";
++    const void *buff;
++    size_t size;
++    int64_t offset;
++
++    extract_reference_file(reffile);
++    assert((a = archive_read_new()) != NULL);
++    assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
++    assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
++    assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024));
++    assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
++    assertEqualInt(48, archive_entry_size(ae));
++    /* The next call should reproduce Issue #2565 */
++    assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset));
++
++    assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
++    assertEqualInt(ARCHIVE_OK, archive_read_free(a));
++}
+diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu b/libarchive/test/test_read_format_rar_overflow.rar.uu
+new file mode 100644
+index 0000000..48fd3fd
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar_overflow.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar_overflow.rar
++M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_:
++MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#,
++MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A
++M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP
++MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P
++M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`&
++M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P
++-,#`P,#`P,#`P,#`P,```
++`
++end
+-- 
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 1fa61c3218..c091508799 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -30,8 +30,9 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd,"
 EXTRA_OECONF += "--enable-largefile --without-iconv"
 
 SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz \
-		   file://CVE-2025-5914.patch \
-		   "
+           file://CVE-2025-5914.patch \
+           file://CVE-2025-5915.patch \
+           "
 
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 

From patchwork Mon Jul 14 16:22:57 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66760
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5BBEEC83F1A
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:23 +0000 (UTC)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
 by mx.groups.io with SMTP id smtpd.web10.82431.1752510201249475881
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:21 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=j0ZNCN7k;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.169,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f169.google.com with SMTP id
 d2e1a72fcca58-742c3d06de3so4911533b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510200;
 x=1753115000; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=NQbmPdvBRqXN9+dBXmz6xYn3xuMOZfqd0aZnbJDpvAE=;
        b=j0ZNCN7k1lKhpP0nPCdAHz2n1AE6ywiTZcZuXwiCVg+wYTxjev5JH9qPRVx0NAPTc/
         H8AfZwAZVqzdEaMSKnhNOAc9Cv3+ULuy/4i5RJzNLihM5U1AxEQtR03UqMqoo1zLyIil
         XnPGR+PIY7Mrou+oquq15ywfG01K9DM6pZ4RIvlhS6bUjqCj5Ud7mgn6sL/YNS47MrXu
         uFrl/S6TXb/qnlDjtJkrtgVWUrW8biE/vdq5c+2xKlRRnZFJa/tN4U/s2ofHopaL97QK
         UzqR+zeaztLXcLwdr7O1M8VNJS3lc1euQilVXHXiDGCk4ISrUWxrCU1cwvE2j3b6l4+b
         K+NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510200; x=1753115000;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=NQbmPdvBRqXN9+dBXmz6xYn3xuMOZfqd0aZnbJDpvAE=;
        b=MgiLyiNNxd+9V06gIrs58j1RKh5qZDfJHOr7HIPQE686m58sAlJ6t3z/BuuTI7OvOd
         lg7bAM1JjvBmf9YDKKeo4nTjRxjovC2kTgqiicCyia150FsZ3+L6C+Vb0L35cwUhrHNp
         Fqkx7sRyHjjJkt1eSD/kNMJ4HizK4f4MPSlLhSRS/nD94WrpfiXWydiL8KNkrCNkZp1F
         X8n8YhSN3zQHDXLLS3g4h88zE9vskEmJLAAERhDjgvr+fHwTqb+RCpNGor8b9xWitXEZ
         6GJQ3y/wZaeuncUjXd+cspt/ygC4vwdnSveM4Wmq+ZjwAMqgz8UUinqvdNbgUL9SPEKf
         0IrA==
X-Gm-Message-State: AOJu0YxtAQi+SlajgABy7d79TEwHYHM7QzEESR+V/cL7OQ2sC8+K54qB
	RhQy0SST6GxdRKEpgI6SOlOOZEmJB4tMtiER+47y4G4aTQyh5PdZGrxhYVmo1r7SeauXjk7H0p0
	N8fLN
X-Gm-Gg: ASbGncsO3k+9yZBHdsQd2zZvmJ/B0WHT75CXjLAUPhsNyPC7DRpl8ZVXB9pUWkSxxBy
	6SCOQ5SqfAo2znK7J8cZIRKrmjjkF2OH6PDPt0VPWxLOz7Gtm5ZZqh0V0/NV4PcnKz86hHZsnFa
	OHqFZSsze0J6SkWEPDzwSyfrw46gr3uIEpW3GZtTOF6A6ZEpy/OpscDJI86E6p9ivbi+iV2eqC6
	zSgWwT/LJYoIrwakEObD+R6mcP8m7RaV3ULKfyGiqh3n30/lbzefhPVxM59tyYrWbW5OXsceDlK
	efAknC4YHdIX6Qmp49BhaAJFllx3RLMLtOVkWSyIZSWmtRPRQ6L+rBm7c4vem2n5Ex6OAjytqQa
	vlfDKnWVouNsc
X-Google-Smtp-Source: 
 AGHT+IEaYl42rN1Iu4f7IKHaDEb56UzIAK3tx7kYEdKVmB5DlvyNIkN6YMIn1J0FkTJdf33vnp9CTQ==
X-Received: by 2002:a05:6a00:3c8e:b0:748:3385:a4a with SMTP id
 d2e1a72fcca58-74ee3531e63mr17483613b3a.23.1752510200316;
        Mon, 14 Jul 2025 09:23:20 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.19
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:20 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 03/15] libsoup-2.4: fix CVE-2025-4945
Date: Mon, 14 Jul 2025 09:22:57 -0700
Message-ID: 
 <5d0cab3103f336d741e07ff4a2439450846f7273.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220241

From: Changqing Li <changqing.li@windriver.com>

Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup-2.4/CVE-2025-4945.patch   | 117 ++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   1 +
 2 files changed, 118 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
new file mode 100644
index 0000000000..c9fbdbacc8
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
@@ -0,0 +1,117 @@
+From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 8 Jul 2025 14:58:30 +0800
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+
+Reject date/time when it does not represent a valid value.
+
+Closes #448
+
+CVE: CVE-2025-4945
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-date.c  | 21 +++++++++++++++------
+ tests/cookies-test.c | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c
+index 9602d1f..4c114c1 100644
+--- a/libsoup/soup-date.c
++++ b/libsoup/soup-date.c
+@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return date->day >= 1 && date->day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return date->year > 0 && date->year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string)
+ 	while (*p == ' ')
+ 		p++;
+ 	*date_string = p;
+-	return TRUE;
++	return  date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60;
+ }
+ 
+ static inline gboolean
+@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string)
+ 		gulong val;
+ 		int sign = (**date_string == '+') ? -1 : 1;
+ 		val = strtoul (*date_string + 1, (char **)date_string, 10);
++		if (val > 9999)
++			return FALSE;
+ 		if (**date_string == ':')
+-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
++		{
++			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
++			if (val > 99 || val2 > 99)
++				return FALSE;
++			val = 60 * val + val2;
++		}
+ 		else
+ 			val =  60 * (val / 100) + (val % 100);
+ 		date->offset = sign * val;
+@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
+ 		if (!parse_month (date, &date_string) ||
+ 		    !parse_day (date, &date_string) ||
+ 		    !parse_time (date, &date_string) ||
+-		    !parse_year (date, &date_string))
++		    !parse_year (date, &date_string) ||
++		    !g_date_valid_dmy(date->day, date->month, date->year))
+ 			return FALSE;
+ 
+ 		/* There shouldn't be a timezone, but check anyway */
+@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string)
+ 		if (!parse_day (date, &date_string) ||
+ 		    !parse_month (date, &date_string) ||
+ 		    !parse_year (date, &date_string) ||
+-		    !parse_time (date, &date_string))
++		    !parse_time (date, &date_string) ||
++		    !g_date_valid_dmy(date->day, date->month, date->year))
+ 			return FALSE;
+ 
+ 		/* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 2e2a54f..6035a86 100644
+--- a/tests/cookies-test.c
++++ b/tests/cookies-test.c
+@@ -413,6 +413,15 @@ do_remove_feature_test (void)
+ 	soup_uri_free (uri);
+ }
+ 
++static void
++do_cookies_parsing_int32_overflow (void)
++{
++	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
++	g_assert_nonnull (cookie);
++	g_assert_null (soup_cookie_get_expires (cookie));
++	soup_cookie_free (cookie);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -434,6 +443,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test);
+ 	g_test_add_func ("/cookies/parsing", do_cookies_parsing_test);
+ 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
++	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ 	g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
+ 	g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
+ 	g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index e005e7200e..47f7ba385c 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32907.patch \
            file://CVE-2025-4948.patch \
            file://CVE-2025-4969.patch \
+           file://CVE-2025-4945.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 

From patchwork Mon Jul 14 16:22:58 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66763
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 601C0C83F21
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:23 +0000 (UTC)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com
 [209.85.210.173])
 by mx.groups.io with SMTP id smtpd.web10.82432.1752510202706656046
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:22 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=RkJkeObx;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.173,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f173.google.com with SMTP id
 d2e1a72fcca58-74b50c71b0aso2556878b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510202;
 x=1753115002; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=dh0wuGI5NUKKrmrAzPmbZozhlrWw5uNX3w8kAvL4rzA=;
        b=RkJkeObxESZtGFKCYjFuzjAZEqMR+2SSwGQLrYjXAiheaxsmjQ0K663q4m6HRsCMWs
         AeM1/9oXdxKagjg3bFwLScCrXiMBH8GLIYMZjl03wEjk5/4gyuN8fME2qQP5n28AJLxJ
         2svgikJBHh5CHxjV0GI/hDMI5Xda75YtYT/f8B71P73K5shKTOefH4FJHlxquEbDqC6k
         6cYCVJYjOTJ2duicpIUAldz4CK1w8psGAS2I0teI6LS+f8QaV8n1eLaFdtpx3qSZ982F
         4QAyBiKPjsueVejaEg50M4WHx90M63owa9NAdQkARln3x5O4tyKlXbGhkAb8GNvtI8X+
         Sh6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510202; x=1753115002;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=dh0wuGI5NUKKrmrAzPmbZozhlrWw5uNX3w8kAvL4rzA=;
        b=Sxwy3gBT2NOPRTiAR1k7PoVLGFSEty++mDR4Saylc5mVLDOg0NyUk5GCE0aE1ufGXx
         yz7wfECdw88qcCLpt4y1OHM4THVuwH+jkxrx+To1GBokYP0mnT4FGA6RnHHaeZ5/E+kp
         /uIZa/3pNWH7tubaEYfO49rQd+vyM/3SLds2WbMPKqMyIOKuy/TjcdwPrUdGYZ1sVKBO
         NzJDsA3QXwGRL42+ialdOmwkxCZWF99pm/Kpgl0Kzyz9f3kmgRgw9PeVFUciWs32D/pV
         YCydUyVsr/ngQ7EHXk/205uNIVzzSCRp7pxiTucxrpyxGOoQBdAIc+8dCxzZa63Zx+MO
         YxkQ==
X-Gm-Message-State: AOJu0YwsRMuq8U/CVxDJFcsqO2NkmsBra3ekC7k8ioBiUm+T3kv6Ufmx
	pNG2SB7eA8WEj73TeshWSKaKvtFvajGtFEfN49df8Klknrfp6diaGXljGtYzckiMHRhyeZNlkch
	/RYOt
X-Gm-Gg: ASbGnct4eHbLLFUI+cZi5sqR4HNR08GGwZAOzUwBwAfN/uoJ75xR//SX30hPPWO+gTC
	CHXUJNQf9AGKd3V9FkHv0uM7hWxLRX7YPC02kHZUBIFyQSh+L+NZFU6uEkdA1wXu8fY01eRKyFP
	6aS0/7l6Dl1z2CtJ8jLGLhcrKTW9AVJc/YoQ37vRehuWdoobdip9c+VqVG5UqgFTe43lb5TCTTX
	pVvCMXuAveTnj2QQRvT/XKJSaLKv+JXO2ODjiCIkp9naZL7xZJoMlJVhXf2pZHTi0IrJLc0wnrr
	StdMwtEWbRYvcMPLmU3TE8j+bl+KQsemz0MaXFv+5mPYG/QTO4EvLR6wIve0ep0js66cHRsVPnR
	mi0jAZwaS0fyR
X-Google-Smtp-Source: 
 AGHT+IHdH84RkhcSczd4+fF/3EEf5W+gihgPyT2dAW2ElCNw4fbpc3cWcQ9SBw+gJkDTbjlvVaGrdw==
X-Received: by 2002:a05:6a00:a94:b0:739:50c0:b3fe with SMTP id
 d2e1a72fcca58-74ee07b6f50mr23336907b3a.8.1752510201677;
        Mon, 14 Jul 2025 09:23:21 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.21
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:21 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 04/15] libsoup: fix CVE-2025-4945
Date: Mon, 14 Jul 2025 09:22:58 -0700
Message-ID: 
 <db607024fdf95a03d7e08d728a6fdb6537835eee.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220242

From: Changqing Li <changqing.li@windriver.com>

Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup/CVE-2025-4945.patch       | 118 ++++++++++++++++++
 meta/recipes-support/libsoup/libsoup_3.6.5.bb |   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
new file mode 100644
index 0000000000..22a8908f23
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
@@ -0,0 +1,118 @@
+From f0ee9d522f302d7d199e3e61fa8cd45eae7b248f Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 07:59:14 +0200
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+
+Reject date/time when it does not represent a valid value.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
+
+CVE: CVE-2025-4945
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-date-utils.c | 23 +++++++++++++++--------
+ tests/cookies-test.c      | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
+index fd785f5..34ca995 100644
+--- a/libsoup/soup-date-utils.c
++++ b/libsoup/soup-date-utils.c
+@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return *day >= 1 && *day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -169,7 +169,7 @@ parse_year (int *year, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return *year > 0 && *year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string)
+ 	while (*p == ' ')
+ 		p++;
+ 	*date_string = p;
+-	return TRUE;
++	return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
+ }
+ 
+ static inline gboolean
+@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string)
+ 		gulong val;
+ 		int sign = (**date_string == '+') ? 1 : -1;
+ 		val = strtoul (*date_string + 1, (char **)date_string, 10);
+-		if (**date_string == ':')
+-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+-		else
++		if (val > 9999)
++			return FALSE;
++		if (**date_string == ':') {
++			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
++			if (val > 99 || val2 > 99)
++				return FALSE;
++			val = 60 * val + val2;
++		} else
+ 			val =  60 * (val / 100) + (val % 100);
+ 		offset_minutes = sign * val;
+                 utc = (sign == -1) && !val;
+@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_month (&month, &date_string) ||
+ 		    !parse_day (&day, &date_string) ||
+ 		    !parse_time (&hour, &minute, &second, &date_string) ||
+-		    !parse_year (&year, &date_string))
++		    !parse_year (&year, &date_string) ||
++		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* There shouldn't be a timezone, but check anyway */
+@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_day (&day, &date_string) ||
+ 		    !parse_month (&month, &date_string) ||
+ 		    !parse_year (&year, &date_string) ||
+-		    !parse_time (&hour, &minute, &second, &date_string))
++		    !parse_time (&hour, &minute, &second, &date_string) ||
++		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 1d2d456..ff809a4 100644
+--- a/tests/cookies-test.c
++++ b/tests/cookies-test.c
+@@ -460,6 +460,15 @@ do_cookies_parsing_max_age_long_overflow (void)
+ 	soup_cookie_free (cookie);
+ }
+ 
++static void
++do_cookies_parsing_int32_overflow (void)
++{
++	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
++	g_assert_nonnull (cookie);
++	g_assert_null (soup_cookie_get_expires (cookie));
++	soup_cookie_free (cookie);
++}
++
+ static void
+ do_cookies_equal_nullpath (void)
+ {
+@@ -718,6 +727,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ 	g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
++	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
+ 	g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
+         g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
index 457a30ec70..acd84af934 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32908-2.patch \
            file://CVE-2025-4948.patch \
            file://CVE-2025-4969.patch \
+           file://CVE-2025-4945.patch \
 "
 SRC_URI[sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
 

From patchwork Mon Jul 14 16:22:59 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66766
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6FD54C83F17
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com
 [209.85.210.170])
 by mx.groups.io with SMTP id smtpd.web10.82433.1752510203876152511
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:23 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=jvxXxOPl;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.170,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f170.google.com with SMTP id
 d2e1a72fcca58-7426c44e014so4303171b3a.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510203;
 x=1753115003; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=JyzlmpQfVmFCI14CpFjyvFx2OQiUbkBJhYfjc381/+4=;
        b=jvxXxOPl2XT8trcGzsV9OocGvnvjt8RqdVjUxsBqo/T2CiMC4KThipxvfoP7f7rM05
         jWioHriOx20C3MO+PV5lZibvJMIqrUxtI0pBYbMQtkwLH0J+9Qb4NRIp6s03+YE1FcwH
         nTT8rr3ueaJf8o/TQ+NxLxpM78wFN0rj2bb84/F8A5HuZPGjOe06bpc5kupNsqbLAboR
         0Rf9r11/RvatFasF3jZnzM/Pwde7WiCrkva6/RtloqZfPbR+LmVGjPCAr1i6d9FmCk2v
         m2tOvafBbhweZ95cX94X4BhGhLBptY2rMDWPDpT2k1Qf07KFl8gaXmLov3KLAKYqyEGo
         xmLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510203; x=1753115003;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=JyzlmpQfVmFCI14CpFjyvFx2OQiUbkBJhYfjc381/+4=;
        b=kHCGZrZiPICrCuMQ1jbfz7ii/srcvkhfugTBihK9vJzRwyZQV7RyRL0ScKG8Uqp9GN
         h7EuTnp42gGee8Yk2Qt5GZhLIBcM8mnOcRoxypNQ3oX4SG7qWHgOfxJBpW0cD12Y2ZNw
         2U6LjbpF4C08m/r3nEkHWS6Fv8N6BcqwjPwA1Nl6pQpfqO7Xs7FpHJR5iXlNylPKvh46
         h3bGAoYTxsvm0CjrQ2hUMtQL19fznWhfpl7UtXy30LmR0T0xCuB72HDLkPlrF16vz++u
         J4IWNecQ/MD3M7jf4iMfHTqwMFKJTlY4SjIw4foshkfD9laeMJs2N5Yl6vQbIxUxKzWW
         urSA==
X-Gm-Message-State: AOJu0YxVFGfdgRWO6CDzK9KGhqdSMelE89d7VFr5V71eY1aw2Xk3M2t6
	CmBac+aJqlrZRuCp6ydiQ9cBpEOysOuZ62fdpOqsXrR9QOVu1GR++xMAMwyB8XGU1q+aVJwX9Pp
	TtoHc
X-Gm-Gg: ASbGncuRlHaxLNjY68m0/VvzaGMxnHO/cWxsVtgCThEQoX62h8j4DLjUQtcoJL1W2xf
	rs21rEWtaRYVNSxnvSG57PIttaR/xFOco7Is2jYZcnLwu7e6efXHIduDKKlLAKxnzdKC2Wg5oZN
	StZmpEC01bJ2ZKD1pZszxja1N6rfC0fFmpX2cV8WiSX92xhFd7SsPwxH6A15+jFncv07XT+iIbe
	2m+uO5HSJ+AclFtmT0v/tH+jGWlJhlDewnjLaA/Ak5470sOdgZvD3AftEfgVEXAw7r8AMhRo+zA
	ZtvZDrckNo80yrvyOOW11KcyrJhkUS+da+SY225lSK9c3grJPB6wDpzZkSobsO0cQ7+8fk2jtzf
	Ind3y9OnTtRlG
X-Google-Smtp-Source: 
 AGHT+IHNzvegjoIHoPgaTotS1kzNuzzxxbdTbxmkAhVWqCF83F1kyqJ9RPVxdRlN6GMLaT05ccK1/Q==
X-Received: by 2002:a05:6a00:218a:b0:742:a82b:abeb with SMTP id
 d2e1a72fcca58-74f1beec959mr17330651b3a.2.1752510203064;
        Mon, 14 Jul 2025 09:23:23 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.22
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:22 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 05/15] python3: update CVE product
Date: Mon, 14 Jul 2025 09:22:59 -0700
Message-ID: 
 <8659e3537facbf3f5f5a5080137be4d9faf9c970.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220243

From: Peter Marko <peter.marko@siemens.com>

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/python/python3_3.13.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3_3.13.4.bb b/meta/recipes-devtools/python/python3_3.13.4.bb
index 5b49fee3bf..0a2c41cdce 100644
--- a/meta/recipes-devtools/python/python3_3.13.4.bb
+++ b/meta/recipes-devtools/python/python3_3.13.4.bb
@@ -41,7 +41,7 @@ SRC_URI[sha256sum] = "27b15a797562a2971dce3ffe31bb216042ce0b995b39d768cf15f784cc
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
 
-CVE_PRODUCT = "python cpython"
+CVE_PRODUCT = "python:python python_software_foundation:python cpython"
 
 CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
 CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"

From patchwork Mon Jul 14 16:23:00 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66770
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A9BD1C83F2C
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
 by mx.groups.io with SMTP id smtpd.web10.82434.1752510205929438692
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:25 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=Cz3JCfYe;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.169,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f169.google.com with SMTP id
 d2e1a72fcca58-75001b1bd76so1422029b3a.2
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510205;
 x=1753115005; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=eobZDiZDz3JI/HXIWeokXkchD/qqPA0UfG9bN1u3mYk=;
        b=Cz3JCfYe8M+Ah4iPjlXBYG1xkqxp5NJmLjkszfJJRsnfkePaB69B0Ky1goRfyCY+ei
         jCzZhoj9DtmJTiCvXog+WFOghFLEQQe6DjkFAzxhtNOaS8kQuouLQpmVJQKiNwkYz7FR
         nMNSFkZfEbH5w5P0odinbPeH5drrf9Fp4fUXb+I9Amlm9Dzzud2TtdZlwG++R2XQuRj4
         kKx6pGIYb1a4SBEwLaT8uMesNRfvBPBAcwqqBNEdPqaaAVU71quXiV/XcvlTHjSC7kEd
         XLR/WrRWy73hbLrLz9Nw1l36KvDhJn9GFfdznzjr/+MI2DhTizRewOEDqV76pfCWvZ5C
         2tPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510205; x=1753115005;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=eobZDiZDz3JI/HXIWeokXkchD/qqPA0UfG9bN1u3mYk=;
        b=PfFSg3hBxmH3wz5PqO9Bjekg5AVBWLaGkj0gTPgoAwVHJt3iWScZWqTuxA3TJ/FFfJ
         kAZhoosDXJ6YnvvvnymNd8n5Y8iWiYzrYd873O0pkD40wbD5ktnjiTOdSiX7EUqEcJFg
         duDPTWPf+vqjZddUyjrVhflhAEvVRFSLDaYU4CfM9RRTZiCHi46amn1q8r7I1lg1hToc
         eUMkZ+8DFY08gw4wgKVrwtX9yg6UH1/UN0EM0NBfy3+3yrga3V7/X7bvnMTS/ccmW3b/
         UZr5g0zdld83L5tbBtl/EbAfD5J+W/QxrddWDMO2e7kcIvnk+smNulFYPOnciBXV3ice
         GtuQ==
X-Gm-Message-State: AOJu0Yz0gaoIbjUxJubo+GBvs2fFHpL5ksypSJkTfZAi3qbFTgDhzkmc
	t5UaILA6ozRZQT3ObPnO3syKKxQRJUVcjhgChdzbbjFyZ8NlRRKgNwq0RrLlexw6ofBHWAjMhqy
	0cRgO
X-Gm-Gg: ASbGncvDdbiBY5PhtdXEZO5JjFoov4O/dicJxq0uVIy9ZsbaA3vxFdoML/iLgYJfzB/
	sgQIKGrTFEW2TN1v7YTbqNCvTtSFjjK7IV30Op35wjlquzyT4yEF1pFzkGITpXdIQQ3V4ZOVQPY
	txYqoUEQeS1mZPy50FgXVzu4k9tk8ioNFpIEqa1/Lfrp3AYm4sVS2DLu9HR6hHwP8GsECL6BoU9
	Dh1GtpsAZOMBLg/SfGO8GX37sTOx8q9eGpYpZ9Me53qW/Q8IDxc8vs3jOgIbwnPSx+PcWM9QULf
	/MJlSXG8LiAqX3yzpB9yBqnD2fLx9nusYqMBsaq7hzzmrYQ45c3r0QMk9mcLGCBztAnUWwEbnZy
	W7CGV0KePm+I2
X-Google-Smtp-Source: 
 AGHT+IF3BM2vD6UHL2u+FH7X+R3xrQhKxXSi0U1dlfQ7y4LwuzAD2LKnFo8P1THkxIlZCFbhHyNFcA==
X-Received: by 2002:a05:6a00:2352:b0:730:75b1:7219 with SMTP id
 d2e1a72fcca58-74ee2557a1fmr18599859b3a.12.1752510204814;
        Mon, 14 Jul 2025 09:23:24 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.23
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:24 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 06/15] webkitgtk: Fix build break on
 non-arm/non-x86 systems
Date: Mon, 14 Jul 2025 09:23:00 -0700
Message-ID: 
 <5066497834de8786520a1c6d3d7dcc22e81276a5.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220244

From: Khem Raj <raj.khem@gmail.com>

Fixes
/webkitgtk-2.48.1/Source/WebCore/platform/audio/DenormalDisabler.cpp:94:47:
   ↪ error: expected ';' after default
   |    94 | DenormalDisabler::DenormalDisabler() = default
   |       |                                               ^
   |       |                                               ;

(From OE-Core rev: 3325e4e7fc82861abf7505ed4f7926dacab96b30)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkitgtk/fix-ftbfs-non-arm-non-x86.patch | 31 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.48.1.bb  |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch b/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch
new file mode 100644
index 0000000000..2381acb1b0
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch
@@ -0,0 +1,31 @@
+From 8bee9eb95ae24c6a410f9cd614976f4653d020d9 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 2 Apr 2025 15:01:55 -0500
+Subject: [PATCH] REGRESSION(290945.129@webkitglib/2.48): Broke non-x86,
+ non-ARM builds https://bugs.webkit.org/show_bug.cgi?id=287662
+
+Unreviewed stable branch build fix.
+
+* Source/WebCore/platform/audio/DenormalDisabler.cpp:
+
+Canonical link: https://commits.webkit.org/290945.155@webkitglib/2.48
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/8bee9eb95ae24c6a410f9cd614976f4653d020d9]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Source/WebCore/platform/audio/DenormalDisabler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebCore/platform/audio/DenormalDisabler.cpp b/Source/WebCore/platform/audio/DenormalDisabler.cpp
+index 35715e663ce7e..44ba08a33d5d9 100644
+--- a/Source/WebCore/platform/audio/DenormalDisabler.cpp
++++ b/Source/WebCore/platform/audio/DenormalDisabler.cpp
+@@ -91,7 +91,7 @@ DenormalDisabler::~DenormalDisabler()
+     }
+ }
+ #else
+-DenormalDisabler::DenormalDisabler() = default
++DenormalDisabler::DenormalDisabler() = default;
+ DenormalDisabler::~DenormalDisabler() = default;
+ #endif
+ 
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb b/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
index 58d0a11202..5b9846a6d6 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://sys_futex.patch \
            file://0001-Fix-build-errors-on-RISCV-https-bugs.webkit.org-show.patch \
            file://fix-ftbfs-riscv64.patch \
+           file://fix-ftbfs-non-arm-non-x86.patch \
            "
 SRC_URI[sha256sum] = "98efdf21c4cdca0fe0b73ab5a8cb52093b5aa52d9b1b016a93f71dbfa1eb258f"
 

From patchwork Mon Jul 14 16:23:01 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66767
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7D293C83F1B
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com
 [209.85.210.176])
 by mx.groups.io with SMTP id smtpd.web10.82435.1752510207263439539
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:27 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=2NEmsdGm;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.176,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f176.google.com with SMTP id
 d2e1a72fcca58-7426c44e014so4303259b3a.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510206;
 x=1753115006; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=wOWg99azAAA5Gw6y7c5nJ5RjwB69oS2hCd8IGLRLWVw=;
        b=2NEmsdGmvsqI7UJ5VLOqLTKIb7yBjtaHaDH00OiyUaPJQpqN3DO+GlempTAmH0WKUi
         AythMipdDgeUr++K5g86sW6wQHAAw5XPAvk6aauqdhl4qtBtwbXU1hgJWbIUU7QCKyYX
         JecUVqujgKcNnKwj2fdtgsXebRSBtD6hhBfwEQogk47KTRrDEECkV2AI1MKcRDnoFq1n
         y3kdgWPmKWz8/p29oSZpT6U54rvDohhpvjHPCQNAPPSX+hah79XgX4pq/iKGdJDLcHuf
         jLQnMtRiyZdLWz/1NTwmHx8mLkPwefiD7EnFTNtMbgeg3z9Et6NQrmjg42SA9MDs+A7I
         l7VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510206; x=1753115006;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wOWg99azAAA5Gw6y7c5nJ5RjwB69oS2hCd8IGLRLWVw=;
        b=UpXfd0LRkrLwo+eAYkbmT/lxMhY8ZRSu+DwfxlYjt++NJV/GQ3Tmhd2JRGWu1Hedbr
         R+P5VrIXxhyfzkj3dDnzG8XD2lGU6fCQlyVZcYW4Wc8599Ciex78nAzu7iv8LBr/VXdl
         sbY1jBFOakUEQCS3WkQ6eM9NYJIKdHRUf/cZftcMsaW+u+4dXDOQxbIWx+ZLjTIVGC8t
         Ow/AWfH1ugGGSyHBzaay0CWRP6N6ACGbuUjyhosGqNoK6f/tNCDxYIpzvHuE7I3vK6dU
         itgNKbm8SBtAOb9MKkjbkE/Uetd1o0fVhi1jIRErpfcn2Or+yi9nLkzVix/NwlY5kl8M
         m3Dw==
X-Gm-Message-State: AOJu0YxbQrOyDF9V1Dodh0dX6KG8LUSWCdC5cRTNDg6iXqa0BifM/u2Y
	fzAgUw7kfzp1XloI8sUsAyrni7hfLMFY+WkbPAgSEOKj1h+ZRlb7QuNbsRK9PdAikMVfNqsOSPT
	NZnvO
X-Gm-Gg: ASbGncuAAKCh9Um7sDdCLuNbyeVSqJq2b/j3Im5BYHGFed3P4/9v9uj03z1UT2z/H/e
	atzuZR94TmZCLMsX37j0itn7h4W9X9M2h28Aoggdz7YbhO1C7CpR+l5B+faDt6zhYrA8CkfEPxh
	ki6NV98bJrgJT+UG214Xt78VgDWZUhIkwzHDk1N4qmD2y19imXWIS2yWLbV6v1DwikUSjBNerhl
	XPjD9+UDtYbjdNjZSpnUiW+3ZBByhg4FXWbznfdR98RiysgqkIRqkoGkIjXWUdiDfhySwWDYF8J
	XhWfaXIk7NYijrGJDaJAB32XJ+qVKkS3HU/+/G51L/8Z7BUJSKv5rsUZrxMPmCGhqW/AV1ndp74
	SxdJ+Oep/iheDpFAv9COt28E=
X-Google-Smtp-Source: 
 AGHT+IGoLfPUNqOvqqIzdQkse5t5fzsZzkZsJK+uTsiFU6E25spsXk15SH2kLQxVYi9T38y2X+iM7g==
X-Received: by 2002:a05:6a00:138c:b0:748:f1ba:9af8 with SMTP id
 d2e1a72fcca58-74f1eeca8e2mr19475997b3a.21.1752510206294;
        Mon, 14 Jul 2025 09:23:26 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.25
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:25 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 07/15] webkitgtk: Use gcc to compile for arm
 target
Date: Mon, 14 Jul 2025 09:23:01 -0700
Message-ID: 
 <13133bb709d63a5c28906167da15846eb96a9b02.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220245

From: Khem Raj <raj.khem@gmail.com>

Builds with clang run into compiler errors

<inline asm>:320:1: error: Relocation Not In Range
  320 | movw r4, #:lower16:.Lllint_op_tail_call_varargs - .Lllint_relativePCBase
      | ^

(From OE-Core rev: be459bf17d5e47c51d96da1a571de01790c277b9)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-sato/webkit/webkitgtk_2.48.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb b/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
index 5b9846a6d6..a58b44440e 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
@@ -176,3 +176,5 @@ src_package_preprocess () {
             ${B}/WebKitGTK/DerivedSources/webkit/*.cpp
 }
 
+# Clang-20 issue - https://github.com/llvm/llvm-project/issues/132322
+TOOLCHAIN:arm = "gcc"

From patchwork Mon Jul 14 16:23:02 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66768
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 92795C83F27
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
 by mx.groups.io with SMTP id smtpd.web11.82371.1752510208737562878
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:28 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=pdlyPKP/;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.169,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f169.google.com with SMTP id
 d2e1a72fcca58-74b54cead6cso3080970b3a.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510208;
 x=1753115008; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=wyL//Rquy15a1LMI+MlP6N2J7pXDv9j1LwklKH1sS+c=;
        b=pdlyPKP/4J90Oc67ku46HwoOZlnwR5fpghMGaQN+y9QU2uxYnsXyJ3uWew7kumGsxb
         PBvAkGmitaYe/DJ5cuJNcdRXSU/CfaunxJFpl2ob5cW43y4Ddn4LgOV24vwXboDVtIR3
         tYflqXcibG5yfjOkvZAOSa3IyEoOus2COF37AKM6ed5Ens1Wy++EDMM0HnicBK2V8kMH
         a22AfNJ387s6vPRncZGXR+u3W6sMium6zD8ZC3VPWkfyUleLjM6u/9TfxiY+SwBQg6LH
         xsn3yDGm5WHLWn3AO10aVYv8Rt05QiUygVxA3PPYWTWBEgdcIrc+IWA5HZv6aUozKAYW
         rRQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510208; x=1753115008;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wyL//Rquy15a1LMI+MlP6N2J7pXDv9j1LwklKH1sS+c=;
        b=motcpIf6etk1RTKz1IPLtAPij2ZuwkRcTdW2t/rparwlRcRWSZxbvwXI909lgt2/cJ
         Km8yxLROgME40VCw0/txc19CE7WzZmCEGWndPKQuArwA9hIdVmL0UjvzmwrysjkVh+jQ
         Dn5cHcFwV/+k9sGDAgIIlK+XnXtwE1CDBt8m6AQd6HX0C1sscMWYvjaVby6F8uxcNp+Y
         l2eXMu27i+TfnThSpZ8jwfCIDvVupgOmm84YNvLb1q8o8JKnkJfxn4Jumb2txE5Ao0mW
         8eyYzI7SdxcwIFE9OKPs+zD3/jV38+uKvs1woQ/LSOQznAiHzg8N1/m6By5rVm87cFU/
         +7Jw==
X-Gm-Message-State: AOJu0Yy2kFg9cX5JuaMRFRNi9/oLetuZ8uugcbqwgvX1lVnGkRGMhCgL
	KIQ+HHgFWTZgEKTJB/G+qveGZK1vwg7Tdph54JFFcRxe/MypQv+ze9cNL1LtogItQBhEOAnrWNQ
	bv1yt
X-Gm-Gg: ASbGncuF3YSXW4znpFwpKaTejeoCwyc8ePolfbfrgfr1Ti8w97vsmdw0bICEcVlDxB9
	sPGOvDTar53WYTx+/5Ylog1XrBsXa2OiBI5SwdlQBrsBqBVK7A+YTPcDFix59BgrLuFZ/nqtAhh
	fNrR9xJFntpWR9hAEF92WLbo545zpdNEFbTZl7Bu8V8w6YYNq7OJUGW3AUMq4HDfahGBsNUhOAx
	d23op8k5MwGXFSwdyQM9fch++YJxxJpBZu0SHRfSnnT2HmnHYXJlTR0APpfvo1JE9DIhdEHn2XA
	FK8UqcP/NZDlN23puFiHOmvsNf6b0R3W5q8Yp/yh8Kf/xXZ5E4e0mDDIKvoXFjP4l2G7Qa0pgIm
	AITI1oJavQUZH
X-Google-Smtp-Source: 
 AGHT+IEYv6Q+srxMWSH53P6TDxfuQyctL06B5V/U6eBx4Z+8pKr7ReiAHkXWUBJ6tnXGw2bXTNbKxw==
X-Received: by 2002:a05:6a00:987:b0:748:3485:b99d with SMTP id
 d2e1a72fcca58-74ee30456c1mr18168865b3a.18.1752510207820;
        Mon, 14 Jul 2025 09:23:27 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.27
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:27 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 08/15] webkitgtk: upgrade 2.48.1 -> 2.48.2
Date: Mon, 14 Jul 2025 09:23:02 -0700
Message-ID: 
 <800cac7cc914d9c307b0301dc380aabcf62d6e4f.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220246

From: Yogita Urade <yogita.urade@windriver.com>

Includes fix for CVE-2025-24223, CVE-2025-31204, CVE-2025-31205,
CVE-2025-31206, CVE-2025-31215 and CVE-2025-31257.

Changelog:
=========
- Enable CSS Overscroll Behavior by default.
- Change threaded rendering implementation to use Skia API
instead of WebCore display list that is not thread safe.
- Fix rendering when device scale factor change comes before
the web view geometry update.
- Fix network process crash on exit.
- Fix the build with ENABLE_RESOURCE_USAGE=OFF.
- Fix several crashes and rendering issues.

Drop fix-ftbfs-non-arm-non-x86.patch which is part of upgrade.

(From OE-Core rev: f33b79a07117d4327949aa1661221a3b9bc0f7e3)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkitgtk/fix-ftbfs-non-arm-non-x86.patch | 31 -------------------
 ...ebkitgtk_2.48.1.bb => webkitgtk_2.48.2.bb} |  3 +-
 2 files changed, 1 insertion(+), 33 deletions(-)
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.48.1.bb => webkitgtk_2.48.2.bb} (98%)

diff --git a/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch b/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch
deleted file mode 100644
index 2381acb1b0..0000000000
--- a/meta/recipes-sato/webkit/webkitgtk/fix-ftbfs-non-arm-non-x86.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 8bee9eb95ae24c6a410f9cd614976f4653d020d9 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Wed, 2 Apr 2025 15:01:55 -0500
-Subject: [PATCH] REGRESSION(290945.129@webkitglib/2.48): Broke non-x86,
- non-ARM builds https://bugs.webkit.org/show_bug.cgi?id=287662
-
-Unreviewed stable branch build fix.
-
-* Source/WebCore/platform/audio/DenormalDisabler.cpp:
-
-Canonical link: https://commits.webkit.org/290945.155@webkitglib/2.48
-
-Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/8bee9eb95ae24c6a410f9cd614976f4653d020d9]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- Source/WebCore/platform/audio/DenormalDisabler.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Source/WebCore/platform/audio/DenormalDisabler.cpp b/Source/WebCore/platform/audio/DenormalDisabler.cpp
-index 35715e663ce7e..44ba08a33d5d9 100644
---- a/Source/WebCore/platform/audio/DenormalDisabler.cpp
-+++ b/Source/WebCore/platform/audio/DenormalDisabler.cpp
-@@ -91,7 +91,7 @@ DenormalDisabler::~DenormalDisabler()
-     }
- }
- #else
--DenormalDisabler::DenormalDisabler() = default
-+DenormalDisabler::DenormalDisabler() = default;
- DenormalDisabler::~DenormalDisabler() = default;
- #endif
- 
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb b/meta/recipes-sato/webkit/webkitgtk_2.48.2.bb
similarity index 98%
rename from meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
rename to meta/recipes-sato/webkit/webkitgtk_2.48.2.bb
index a58b44440e..75a39558db 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.48.1.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.48.2.bb
@@ -18,9 +18,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://sys_futex.patch \
            file://0001-Fix-build-errors-on-RISCV-https-bugs.webkit.org-show.patch \
            file://fix-ftbfs-riscv64.patch \
-           file://fix-ftbfs-non-arm-non-x86.patch \
            "
-SRC_URI[sha256sum] = "98efdf21c4cdca0fe0b73ab5a8cb52093b5aa52d9b1b016a93f71dbfa1eb258f"
+SRC_URI[sha256sum] = "ec58f6dfc25d3b360388e192f865068d69aab09b4d7df021f90e314d2fa54f37"
 
 inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gi-docgen
 

From patchwork Mon Jul 14 16:23:03 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66769
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 988BDC83F21
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
 by mx.groups.io with SMTP id smtpd.web11.82373.1752510210500208270
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:30 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=h/2LSL+P;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.181,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-74931666cbcso3568744b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510210;
 x=1753115010; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=NiuSn/HFFPm1LAcFT9IbwHAzz9dbosGLLY+dTc2iJNc=;
        b=h/2LSL+PcvaCXnCJkuuuOQB4R72XhapNxM+N9DBDHh65TrNKhjAkkhzL75P7Kxtukh
         28nNmcnC0mM9ZG14q03V9ydIxpufKhZ7gC1iBvQ+QDxmEx4b6fyUmmYdtUSU+haiKhMA
         vB68H5LGBgruWeOE7sCPeMZiEr7xm95vLO+1temXUQv4dtipz0auITm3MO4tx3lGxXRR
         ftUT7T8t7mcw1ljOvuJu5iJAl7JbEXMfdz+Q3Ve5OyQvh76nTYi429HHdlEPYp6vkCmi
         hiqRonyvjtKsrb/qgAi4eryuBiYGj9wXRmccKOUcFlGpZI8smysqE8teENG36sDlD49V
         dDCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510210; x=1753115010;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=NiuSn/HFFPm1LAcFT9IbwHAzz9dbosGLLY+dTc2iJNc=;
        b=bHa1b6LUZvVwQ0JxCO7VRw6+nw8AvTEjlfiPqA4wsQ9kUbMUDAcK20oMoR7I6Zw+1R
         7d+K6LIXgDhvFX4EQ9SdknoPx24KftLih23Ljh4PW0N1c/EHp8wPrtBnLgGWyCxcbox0
         7xds4cs8za8riFPjocJbzVh8Jgmg/g9Nj064SponhhR3ukDBB6VQ+a3eFxFV5h73vGjQ
         s7DhIghrv+dey3v0Yv/z+zBpliqJLKPuWAfvfcA3YnIFFBhdvzdzwKSLxpcGMf1KZueU
         TEgH/NepC5usm+5A83HNUFinogwQ9L+Ly2fmK7s1jxxdjnh1h3QESGLPAGMzWIUx2w7u
         SiAA==
X-Gm-Message-State: AOJu0YwIOYLHHb/F6gc/1FUWPMP2IBw4TZCEFe8xN8w0bi05Gj41gwY7
	NstNZuafmdCqE2cxpnbRzCPqz+xgSwbBj21Ld8Mz79ntVJRgjO8iOdWu4vJWWVm99ZmsALnlg5E
	ySlnI
X-Gm-Gg: ASbGncsibs5/AaS/Tx83Duyq8qGjjuG7TUL5v4chIuZSl4tTVKlwxCA5imtPytG23cV
	SqO2YZ5gDE+Rgbb3Aabw40qHZgn9lxzRGM23pWns5L6zDjdTCM0AVdwNjMncMxT7RvwLiMs1rPr
	sKFKdZKU3LdIKn4Yrkpb23B1OI2ni+BC1dCc1oXHhPQi4//OA1aX9ja43tjg7+8ViEtykpVCwSW
	45KHQoNwFprfA+AszKB0lq+HkyhNR8fJpzF7YukRIQvcJY0BukggNKZ7anU9tZ308JtwYvt1o4E
	NNfHuPpBAHfkq9q+7eZ3UNZuAg31vJJUkN6jNd9/qfmVkLsNtJ59/p1pDmEFgwAGga5XAk0k2Al
	PGGMCNkVo9AUo
X-Google-Smtp-Source: 
 AGHT+IHHV1K+rASb06ZgZmHuSrET9NYu2t40jOsw3/T6WBxZxwd25TgQHABX56v3Z+v4X4IiJaTWVg==
X-Received: by 2002:a05:6a00:4603:b0:748:ff39:a0ed with SMTP id
 d2e1a72fcca58-74ee37292e9mr18274269b3a.20.1752510209470;
        Mon, 14 Jul 2025 09:23:29 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.28
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:29 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 09/15] sudo: upgrade 1.9.16p2 -> 1.9.17
Date: Mon, 14 Jul 2025 09:23:03 -0700
Message-ID: 
 <1956a330b1c880da1fefe9934d28f12393fd9c71.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220247

From: Wang Mingyu <wangmy@fujitsu.com>

License-Update: Copyright updated to 2025

0001-sudo.conf.in-fix-conflict-with-multilib.patch
refreshed for 1.9.17

(From OE-Core rev: c21ed3c8f4ca76ff7c65cf71a93759fad8846386)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9d41127b241133267449d81c92eb89123e8a6f48)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../0001-sudo.conf.in-fix-conflict-with-multilib.patch      | 6 +++---
 meta/recipes-extended/sudo/sudo.inc                         | 2 +-
 .../sudo/{sudo_1.9.16p2.bb => sudo_1.9.17.bb}               | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
 rename meta/recipes-extended/sudo/{sudo_1.9.16p2.bb => sudo_1.9.17.bb} (96%)

diff --git a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
index ec0384e257..1989c5abd7 100644
--- a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
+++ b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch
@@ -1,4 +1,4 @@
-From 61ae82a2ba502492b6a78f248258abb71daeb227 Mon Sep 17 00:00:00 2001
+From 8c69192754ba73dd6e3273728a21aa73988f4bfb Mon Sep 17 00:00:00 2001
 From: Kai Kang <kai.kang@windriver.com>
 Date: Tue, 17 Nov 2020 11:13:40 +0800
 Subject: [PATCH] sudo.conf.in: fix conflict with multilib
@@ -20,7 +20,7 @@ Upstream-Status: Inappropriate [OE configuration specific]
  1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in
-index 2187457..0908d24 100644
+index bdd676c..094341c 100644
 --- a/examples/sudo.conf.in
 +++ b/examples/sudo.conf.in
 @@ -4,7 +4,7 @@
@@ -52,7 +52,7 @@ index 2187457..0908d24 100644
  # Sudo plugin directory:
 @@ -74,7 +74,7 @@
  # The default directory to use when searching for plugins that are
- # specified without a fully qualified path name.
+ # specified without a fully-qualified path name.
  #
 -#Path plugin_dir @plugindir@
 +#Path plugin_dir $plugindir
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 0afbf669f0..a23de1fcf7 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.sudo.ws"
 BUGTRACKER = "http://www.sudo.ws/bugs/"
 SECTION = "admin"
 LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=0a6876cbeb2aa51837935ba3fd82ee87 \
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2841c822e587db145364ca95e9be2ffa \
                     file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \
                     file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \
                     file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \
diff --git a/meta/recipes-extended/sudo/sudo_1.9.16p2.bb b/meta/recipes-extended/sudo/sudo_1.9.17.bb
similarity index 96%
rename from meta/recipes-extended/sudo/sudo_1.9.16p2.bb
rename to meta/recipes-extended/sudo/sudo_1.9.17.bb
index fbe507ad32..71d48f448d 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.16p2.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.17.bb
@@ -7,7 +7,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 
 PAM_SRC_URI = "file://sudo.pam"
 
-SRC_URI[sha256sum] = "976aa56d3e3b2a75593307864288addb748c9c136e25d95a9cc699aafa77239c"
+SRC_URI[sha256sum] = "3f212c69d534d5822b492d099abb02a593f91ca99f5afde5cb9bd3e1dcdad069"
 
 DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"

From patchwork Mon Jul 14 16:23:04 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66765
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6E9A4C83F1A
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:33 +0000 (UTC)
Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com
 [209.85.210.174])
 by mx.groups.io with SMTP id smtpd.web11.82375.1752510212557373638
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:32 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=juPRvWmp;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.174,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f174.google.com with SMTP id
 d2e1a72fcca58-7426c44e014so4303340b3a.3
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510212;
 x=1753115012; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=zK5pKzFGW4N2o8z/4rFYnNgJR0w/ch9+3CtM9rmgVws=;
        b=juPRvWmpTK3p2rihY0ywx2hI0xhjNg0z+SVBuhSfifFtRgGeZT8u/LRLkMR9bzsEvp
         MxHSrflYrlc1xGiT2tps+xIAMujGjde4NFiATiYxmIxcqVGeZugjbfLhTBQFvq6fpuzP
         7ugMN9u+LoHf1G/ShaQfHFJgSqN4JdGUOxal2QS9a5JuSZsb7odb3UWkAT/0Gu3wGM+t
         z0qZVLc5bm+7P9ZPgxfL4ly4yRFXlGAEohNpclcZeW4rkOmXpZw5ALTXb9s0eppDtyut
         0iSFBa1uh7hbHefh2LBZ4qXp6AS4qUsI0e9VC13b7Qg+uFtgjStnQgKsDD9MvbkTjlpD
         fs3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510212; x=1753115012;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=zK5pKzFGW4N2o8z/4rFYnNgJR0w/ch9+3CtM9rmgVws=;
        b=btb0IEdWTE36PptlkbcYyqV1lUJIW0YpgsG515F+4HXl8/mISwIabRQRXA8FjXdNw1
         8B+ZQ/doVkTuBH/4+UzkqByBbYt7q1r7LkbVx+4LCZUOuktt391lewuMKH0FeiZSRRIQ
         KwUWocktF3Li3xKIn0TZhaO519D60nFyTbW67QDq346Mg5a5VQh3NsXE6ahgaA3cvupE
         xUv7vnJ/iQ6NGEwm7vl4+PnLIA6jrocUWesupxPD4ezEZoPAjAMQrp53Z2qy5/ohQYwk
         q+tCwJnYQ4OxNXbu08u0Sf99Wwotn2n84jYW62wkHCorUJOLbnnuPubJO8YPi9VGqdn0
         2xTA==
X-Gm-Message-State: AOJu0Yzoz2pZwqOPrAbo/PbxC6sDm0r7/NyGb5b41xE6o8RMVk5nq/iM
	/30tbXWnV26CwiFa69hFZ+H/gwWjqLLUnR+GsKRyy9ybV7fxU+zC72yuVghWH/P5/Jh12s2it5M
	GZv/7
X-Gm-Gg: ASbGncvYF0o1/UyNMIdX9azNdgFInsMwZp1c10MptjNGODjaH/yGhSU2c4OZL9RhRZ/
	RsNjV5ONc1PiPYX4t2Q/w28WCYOWIhlQO1szJmDgNSzu9jz7uPdUfYprTmvLKSR/P7iJ8gNmJ/0
	/tFdbmOsfkBTsPxmaKigDmfsw8NkCLQA4bO9ldjSvSiaN95hbi4XxxvsmgPhkM0/bR9nXK92nVn
	oqB2wfXbtZqgs/UW54D5yVILBZjGQ5C2kmLAk6RTP9JRL+6A5f1hS5hyXwf/fMns7TLiWSnFpbe
	j2FrmA1Z6v8V6x4QikvFal/IblKDoSzREGdaYvLTFSYXn+SB0/z6yTMG5JKFd59QiXXGrILTzVc
	oP6IO/F6xLEEl
X-Google-Smtp-Source: 
 AGHT+IGGK4kEvM842ax81Lu0k+vX9bBcWcSLUd6TflgL7BHtrVxoZp3fnYnG6RJalK7lvrC6ZlZUhg==
X-Received: by 2002:a05:6a00:b93:b0:748:2b23:308c with SMTP id
 d2e1a72fcca58-74f1e7ddd35mr16544431b3a.14.1752510211494;
        Mon, 14 Jul 2025 09:23:31 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.30
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:31 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 10/15] sudo: upgrade 1.9.17 -> 1.9.17p1
Date: Mon, 14 Jul 2025 09:23:04 -0700
Message-ID: 
 <3065d9be88bd66c979926649b442559c611d88a9.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220248

From: Praveen Kumar <praveen.kumar@windriver.com>

Changelog:
===========
* Fixed CVE-2025-32462.  Sudo's -h (--host) option could be specified
   when running a command or editing a file.  This could enable a
   local privilege escalation attack if the sudoers file allows the
   user to run commands on a different host.

* Fixed CVE-2025-32463.  An attacker can leverage sudo's -R
  (--chroot) option to run arbitrary commands as root, even if
  they are not listed in the sudoers file.  The chroot support has
  been deprecated an will be removed entirely in a future release.

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/sudo/{sudo_1.9.17.bb => sudo_1.9.17p1.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-extended/sudo/{sudo_1.9.17.bb => sudo_1.9.17p1.bb} (96%)

diff --git a/meta/recipes-extended/sudo/sudo_1.9.17.bb b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb
similarity index 96%
rename from meta/recipes-extended/sudo/sudo_1.9.17.bb
rename to meta/recipes-extended/sudo/sudo_1.9.17p1.bb
index 71d48f448d..83bfc0621c 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.17.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb
@@ -7,7 +7,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 
 PAM_SRC_URI = "file://sudo.pam"
 
-SRC_URI[sha256sum] = "3f212c69d534d5822b492d099abb02a593f91ca99f5afde5cb9bd3e1dcdad069"
+SRC_URI[sha256sum] = "ff607ea717072197738a78f778692cd6df9a7e3e404565f51de063ca27455d32"
 
 DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"

From patchwork Mon Jul 14 16:23:05 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66771
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 99CC9C83F17
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:43 +0000 (UTC)
Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com
 [209.85.210.178])
 by mx.groups.io with SMTP id smtpd.web10.82440.1752510214293551676
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:34 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=KX3ZS+WP;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.178,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f178.google.com with SMTP id
 d2e1a72fcca58-748e378ba4fso5286956b3a.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510213;
 x=1753115013; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Gx6RaiZnOAKPx1bP6RwEN6o3O9wOR1gZy3AlpgAUgeQ=;
        b=KX3ZS+WPHzhIf37ptgulXSTlEp3bW+SHitl1Eq0hSSWSvMiXbxhGqUrkPCvKr8qI1u
         ZHxir3TVSwR0eaGkQOvjgKXm8GVT75fjfK5srKSd0RNEx2Mn86kpK6Z1ikMWTLuvVh4X
         7ltt4GsDYeDnpvL1Gp3wDg0j5NDXz2FcRXOSxkYvVA9NFNs/v16gtmLqgtfm2RJ4G5G6
         LivQZILZNYk2+GrZsV46WkvfmZBswll2XCAaNq3AX+PxAT9TBhrY9JZ2VKU5QYFmme74
         Kq308GwgRDn4dGpvjjSQIP1ktyhciq5NGBwRQPic3hQsORhBCh8Lifd/RAFIlLDGA2hY
         yH/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510213; x=1753115013;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Gx6RaiZnOAKPx1bP6RwEN6o3O9wOR1gZy3AlpgAUgeQ=;
        b=hkAH9E7S/nB9I+g48/+B+rVMItr4gilnM+8ZBaJSN7/wLN7+Kg0EXy+F2K8SImF6bR
         NnVq28UJT2ZGOeJlk0UIp8oorqNH/Q8W2Xc5LJK098my9LUfXoEJpFm3/32uPkbIaz5G
         zx6eBCqGQmtAGHI3IAJpXWPM7f3JuvRBTibCzIBvJ9YRoeXwqTRhC9Mf+kImLl5cVjKW
         7v4zp0u18r3njoWoIrQQZlEPhC3aojjAAvpWwNkx7DibDKcNbs/fB4chFtH2VKxFwtPp
         NZunWhuOPO9WrPwrxSnHjx8dnpraQ6iKAKhnDoL44hPfP/2FEaEcdjf0P9EnA1d8APUe
         9dPg==
X-Gm-Message-State: AOJu0YxrnUk8i2RM9UH9c3AhRU4nE4epQPH5cpY+ltf1uIoqW4YQaJgY
	jgQHpbTBFbhUUiDQqUbILF0dRgSGug+C0dDNXRZA9HkWkNzD1eAy5D4JysaNaVFkhF5LB0O0nNB
	9Ad55
X-Gm-Gg: ASbGnctii1SkjiP1mVunkPqb9eO2AJPfEt+4ymSPJS9VIDiKeOfGRP1hvaYD047YiFw
	PmJn2IowJloNPncR7qqneq8y3f3F9nteRRmixbpTmCZ4F5P6NNBX1wcqWCMKjmrlNdnvETNqxGt
	kiq2cTgEIdYftHeQi7VyJB3Hq/yl2tGg23tzZw/X84OypFcClf7sPAvjiCgEqhbdR+rNqjfxsmf
	qlyIPh/KzPLdRRKxcSVg8DYLAPlCQZAunNR75+X30/t6gcAT2RkV3P1ZLhxU/ielJGeLtGljTuV
	MVx6CtTlWHqefsCXAHzRWsm9mMtHwVtUu9JwbKKMfVLASbKkl6vxAZbS/EZWxrUl2hBu/hxp9R8
	02QwyO0LStcK5D7e3SuXAi0M=
X-Google-Smtp-Source: 
 AGHT+IHuuqmtVzQcNyaIWY9SyY2VMlR0QoG5fEb1RxnWsxCqxY2OWeOwgIfexXQXCvtwVjugisutTA==
X-Received: by 2002:a05:6a00:2194:b0:749:464a:a77b with SMTP id
 d2e1a72fcca58-74ee3142ac8mr19117414b3a.18.1752510213486;
        Mon, 14 Jul 2025 09:23:33 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.33
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:33 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 11/15] openssl: upgrade 3.4.1 -> 3.4.2
Date: Mon, 14 Jul 2025 09:23:05 -0700
Message-ID: 
 <8803e5b629b3dd2f0fb9f4ad226a0005f8ce94ad.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220249

From: Archana Polampalli <archana.polampalli@windriver.com>

https://github.com/openssl/openssl/blob/openssl-3.4.2/NEWS.md

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/{openssl_3.4.1.bb => openssl_3.4.2.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.4.1.bb => openssl_3.4.2.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb b/meta/recipes-connectivity/openssl/openssl_3.4.2.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.4.1.bb
rename to meta/recipes-connectivity/openssl/openssl_3.4.2.bb
index 8da64aea6a..2998e37e75 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.4.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.4.2.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3"
+SRC_URI[sha256sum] = "17b02459fc28be415470cccaae7434f3496cac1306b86b52c83886580e82834c"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

From patchwork Mon Jul 14 16:23:06 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66774
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B440CC83F27
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:43 +0000 (UTC)
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
 by mx.groups.io with SMTP id smtpd.web10.82442.1752510216393486725
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=NYzjdMQe;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.181,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-742c3d06de3so4911834b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510216;
 x=1753115016; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=CNdw2tqTVqQeZssZ/gmC04UeK3/xWW6RK+pTDFDHnno=;
        b=NYzjdMQe0c04AmGopNCubLy98BZQwM3K4XbjDFZt5aYfbVGDHsTES4MoO/TtNGtFji
         oEygZVE4owTUr0A4qUwUsMUsullGHovxVCShU9SoeniZtz1/JIrr4fSWUYSHNSkdnpGP
         Q6UMmNcIX/vKq6zv7HY0I4jPf4BvuXOfTj+xuH2SJqpOzkMVjNBHCqmKscOXrMmpijhV
         knEGz+xPiXgA86LcvJ2AO1V++LMAquGmgBvPA5bSRSrJ27PrUDZ4RSttbXm2gwxfzH0Q
         ErfbuJ3DCUC+j6wJl6AVQ1TuV6PW+9ZTuXXMx2oAVNQSH1pdCT57yRyEtOKvkLghdz5C
         ZZtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510216; x=1753115016;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=CNdw2tqTVqQeZssZ/gmC04UeK3/xWW6RK+pTDFDHnno=;
        b=bCWao9oaDZAaMgqnUYUQJLkqgXYVDKAF2Rs6EOheU0Qj/yBMfhfBbeBkDLPKk69cGp
         djwQ0pk3cEIwCmX6AvaK7GzQtKik4rjhaSZYQ2towoqkgJ4umIUd+UhApUYSzvc7BkA+
         CDloJ/UF0FAlB03z8jsAiuYcMkdShX6Biwi+M6HwzEQgC1nJc4FM40Re4ZUFrUohRFLA
         tatwCJBsYNCOpIP7HR3+isF0QdqS8xMZKa2qQa5vUni1utYXDVOvT/eEbCp7LImKwJVI
         7X6PsGQH19KGD2gos839am2JNfAaRIHQJ2zokQwnIrsmaFSKgDRGJUN1Z5GFIMNe/H5T
         QIMw==
X-Gm-Message-State: AOJu0YzyVLOoOE2oceXEAwgfnASQodK8Kx/RWhmOkGyDvtF+mnTawNv9
	tIHWgumLhAZzv8YgnXLYMB0eAWJtyVqoU+6vMGVOtamQcgg+W0PQZ4Glf2/LQ8RggxOCbh8cmmm
	AQ8Ho
X-Gm-Gg: ASbGncvF0eDcwbD8njEV4XZL1WyvyZF5LG8Wpt3eANWOAt4jWnbGOJJJTHUeP9JcDd+
	pIvQjYkzxRBOEe/kpYxSIe0gOwrdvRBWgmHqT1MyuzpfTQzb+9mUPDU6LtdiNhlK1H/sAMzzPPE
	aftpWgFj8uRiGHoY8/+avZScDpOjuG3TCaoinYfICsd41FaewRtbK1FUKG7L068m4vfGGTJWPLv
	lDaml56rUakONjycaxpB5s0CitnkXASBJPEgFRwJqKXIAVJ831siNMeD+atzk9VFX61BbCdnsBY
	185iOsAnJv5HEnza4r6twp/MM8H6rs66Q09RceTxUuz/VCtvfkV1pKHbikSuBesqCLIZcz+Nd/X
	RpMrCBVYFpKis
X-Google-Smtp-Source: 
 AGHT+IEPc2jcn0KJy0LwFx/5t05LVjmMYOVR6iHCTxVmNjg9h6jtD8ZnT4eQLmlZl8wsRHFQWZh/9g==
X-Received: by 2002:a05:6a00:124f:b0:748:2ff7:5e22 with SMTP id
 d2e1a72fcca58-74ee09afb8amr19164846b3a.10.1752510215562;
        Mon, 14 Jul 2025 09:23:35 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.34
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:35 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 12/15] libpam: upgrade 1.7.0 -> 1.7.1
Date: Mon, 14 Jul 2025 09:23:06 -0700
Message-ID: 
 <0c405f1a60446e9e69b0ea6fc0e142eaf4243642.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220250

From: Wang Mingyu <wangmy@fujitsu.com>

0001-meson.build-correct-check-for-existence-of-two-prepr.patch
removed since it's included in 1.7.1

Changelog:
===============
* pam_access: do not resolve ttys or display variables as hostnames.
* pam_access: added "nodns" option to disallow resolving of tokens as hostnames
  (CVE-2024-10963).
* pam_limits: added support for rttime (RLIMIT_RTTIME).
* pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
* meson: added support of elogind as a logind provider.
* Multiple minor bug fixes, build fixes, portability fixes,
  documentation improvements, and translation updates.

(From OE-Core rev: 5e77c48e074a20e58a233ab5ed6d8ef09bbd55c8)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ect-check-for-existence-of-two-prepr.patch | 40 -------------------
 .../pam/{libpam_1.7.0.bb => libpam_1.7.1.bb}  |  3 +-
 2 files changed, 1 insertion(+), 42 deletions(-)
 delete mode 100644 meta/recipes-extended/pam/libpam/0001-meson.build-correct-check-for-existence-of-two-prepr.patch
 rename meta/recipes-extended/pam/{libpam_1.7.0.bb => libpam_1.7.1.bb} (97%)

diff --git a/meta/recipes-extended/pam/libpam/0001-meson.build-correct-check-for-existence-of-two-prepr.patch b/meta/recipes-extended/pam/libpam/0001-meson.build-correct-check-for-existence-of-two-prepr.patch
deleted file mode 100644
index ef087ffc06..0000000000
--- a/meta/recipes-extended/pam/libpam/0001-meson.build-correct-check-for-existence-of-two-prepr.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9b5182d4781bcd6fb37a4030faf325965fde3e93 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Thu, 28 Nov 2024 20:32:17 +0100
-Subject: [PATCH] meson: correct check for existence of two preprocessor
- defines
-
-sizeof is meant for *types*, and in case of cross compiling
-the test program produced by it has incorrect syntax
-  __NR_keyctl something;
-and will always fail to compile.
-
-* meson.build: Use cc.get_define() instead of cc.sizeof() to check for
-preprocessor symbols.
-
-Co-authored-by: Dmitry V. Levin <ldv@strace.io>
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/pull/861]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- meson.build | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/meson.build b/meson.build
-index f6a7dafe9..307fed0aa 100644
---- a/meson.build
-+++ b/meson.build
-@@ -198,12 +198,12 @@ foreach ident: check_functions
-   endif
- endforeach
- 
--enable_pam_keyinit = cc.sizeof('__NR_keyctl', prefix: '#include <sys/syscall.h>') > 0
-+enable_pam_keyinit = cc.get_define('__NR_keyctl', prefix: '#include <sys/syscall.h>') != ''
- 
- if get_option('mailspool') != ''
-   cdata.set_quoted('PAM_PATH_MAILDIR', get_option('mailspool'))
- else
--  have = cc.sizeof('_PATH_MAILDIR', prefix: '#include <paths.h>') > 0
-+  have = cc.get_define('_PATH_MAILDIR', prefix: '#include <paths.h>') != ''
-   cdata.set('PAM_PATH_MAILDIR', have ? '_PATH_MAILDIR' : '"/var/spool/mail"')
- endif
- 
diff --git a/meta/recipes-extended/pam/libpam_1.7.0.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
similarity index 97%
rename from meta/recipes-extended/pam/libpam_1.7.0.bb
rename to meta/recipes-extended/pam/libpam_1.7.1.bb
index 4abc52bd93..68857c5138 100644
--- a/meta/recipes-extended/pam/libpam_1.7.0.bb
+++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
@@ -22,10 +22,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
            file://pam.d/other \
            file://run-ptest \
            file://pam-volatiles.conf \
-           file://0001-meson.build-correct-check-for-existence-of-two-prepr.patch \
            "
 
-SRC_URI[sha256sum] = "57dcd7a6b966ecd5bbd95e1d11173734691e16b68692fa59661cdae9b13b1697"
+SRC_URI[sha256sum] = "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
 
 DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
 

From patchwork Mon Jul 14 16:23:07 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66772
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 99D9AC83F1A
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:43 +0000 (UTC)
Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com
 [209.85.210.179])
 by mx.groups.io with SMTP id smtpd.web10.82445.1752510218147935001
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=WG6XbZvy;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.179,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f179.google.com with SMTP id
 d2e1a72fcca58-74924255af4so3715808b3a.1
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510217;
 x=1753115017; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Wev56A66v22erHGRd+HBnA9SImQIkhtum7Ba47hORfY=;
        b=WG6XbZvyHBO9K/pAvC0d7tITqfkJTWE0ZBHF7WE8/Z3JuTo809pkynQVFAb/zi/POW
         fY8r/qDIG+ZKMuF84fzdmMN1fS2x/POv+uwd0TsCSFFrVk45pu2K0xwIbXcngr3KNfds
         2S6AmIQUgfn3Iv60k9sN/w/zbMtk6FmcdDGaUTy4KBEu7EacXEtgcPwUqTU0Gjy2BmY/
         4Q1C+KpZHxAZ6PSyxqLMBokBgRr9nyGWCRk8KlMQ4hJK5LlVmLJvT9etWsacMC9cUnDR
         uLegtRpeA0gb4aCNf8+kbPgrcFLO7tYppjonOz+YyC74S8hO55rwE/cDO148z1DGwMUn
         Dgvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510217; x=1753115017;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Wev56A66v22erHGRd+HBnA9SImQIkhtum7Ba47hORfY=;
        b=aMbNQ2ECemPDwdm4dYt8Yjtz/eXjAN1+9B/AwsuN2/Wx8zyaNxQEjvq12KNM3aw1f/
         64eAN67c+0nMHH0tgZsjo9iwNelzTwBV1envKm8LOrHHuIAiNNsUeJQ3cEPLObDWPaTE
         2jF4nll2ja5MO1bLuZeUJc8Ek+WXe8hMKEnShfDnz/STllrtkK7Pzsfbp5zKxQa1ijmK
         GDmxLEyV5XwM7PPdBqq2AsaYZDgHar2WYn3AQPg7ov+OoVT8mB+NEb/JfvVh+O1V4a14
         DyvjS2ys4LWzV2px0oP+B1PIPtzYb//O5XAD7jYEwbLiRfGaMwYOVN9Jh67pTyV3K+CS
         HhIA==
X-Gm-Message-State: AOJu0YyKjrrlqKG9gkzvL5Dgbi6g3apz1W5y+ai/7ccXTyeIoTxlsnyO
	RBifSzRLFpobxPewVa4N4k6llOqiqUwT23AkRf9EsL/3ZhkbfzVDseYxKcRwGNQknpDL2sI+xCQ
	RPC73
X-Gm-Gg: ASbGncteiFuoDU50WPz2KmiQZM3b/erUCfOyOmbnG+oEkRmv4bdhWyeTkRQNdppn3FJ
	U0weu7V5NPFXPPAMw+fh+CSX2ueC16F08v/BqKQaAx4ef7CmMxrCXsKbq5W2kxmUSB3nAuR9PQ9
	ScZ8mIyo8915g/3D8fQFuptJbxUfs83qUeDxPUpm/7yzAB5oCHz+DGi7vDFKZNIlDfr8GjUrIKO
	BaYC0p8Jp1PpU4Y17FBimNdf+vcyk2THj2FOyYoUdN4aoVDJ+AxMHCRq1Y8depfuFSp7D4s4NVT
	cLxSua4lR1OhUmiSuT9hKqcd08LrFWa1X+ouAG1VCCMyGCngv4fslwB53vgTq4bLHqgc7XtY/l0
	yaB9JdAsAC6z7m4VcSpRKiMI=
X-Google-Smtp-Source: 
 AGHT+IHTf8viBAPQdYOpcQ9Azd9FBirzseVDPj4o7lQekYP/y4xurrBO1G/38zX3amT1gxqj2XaK2A==
X-Received: by 2002:aa7:8881:0:b0:740:9d7c:8f5c with SMTP id
 d2e1a72fcca58-74ee295b2d0mr19385931b3a.18.1752510217174;
        Mon, 14 Jul 2025 09:23:37 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.36
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:36 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 13/15] ruby: upgrade 3.4.3 -> 3.4.4
Date: Mon, 14 Jul 2025 09:23:07 -0700
Message-ID: 
 <76ee6464bf82b5eed525f6cd83132cc8c22a94a8.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220251

From: Wang Mingyu <wangmy@fujitsu.com>

0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
refreshed for 3.4.4

(From OE-Core rev: 33d75adff3c100d4c16a9dc51dd19f48e20cf328)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch    | 6 +++---
 ...Mark-Gemspec-reproducible-change-fixing-784225-too.patch | 6 +++---
 meta/recipes-devtools/ruby/{ruby_3.4.3.bb => ruby_3.4.4.bb} | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
 rename meta/recipes-devtools/ruby/{ruby_3.4.3.bb => ruby_3.4.4.bb} (98%)

diff --git a/meta/recipes-devtools/ruby/ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch b/meta/recipes-devtools/ruby/ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
index bb67df0f40..84fe9aee3d 100644
--- a/meta/recipes-devtools/ruby/ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
+++ b/meta/recipes-devtools/ruby/ruby/0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
@@ -1,4 +1,4 @@
-From 7e2337d8b0daf264785cb06d1d6c7d61e428a11b Mon Sep 17 00:00:00 2001
+From 2625f6c155105d352d6a1ff3a722e7896431ff91 Mon Sep 17 00:00:00 2001
 From: Christopher Larson <chris_larson@mentor.com>
 Date: Thu, 5 May 2016 10:59:07 -0700
 Subject: [PATCH] Obey LDFLAGS for the link of libruby
@@ -10,10 +10,10 @@ Upstream-Status: Pending
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/template/Makefile.in b/template/Makefile.in
-index 05432cd..41a05bb 100644
+index 8f996b8..c708b64 100644
 --- a/template/Makefile.in
 +++ b/template/Makefile.in
-@@ -119,7 +119,7 @@ ENABLE_SHARED = @ENABLE_SHARED@
+@@ -120,7 +120,7 @@ ENABLE_SHARED = @ENABLE_SHARED@
  LDSHARED = @LIBRUBY_LDSHARED@
  DLDSHARED = @DLDSHARED@
  XDLDFLAGS = @DLDFLAGS@
diff --git a/meta/recipes-devtools/ruby/ruby/0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch b/meta/recipes-devtools/ruby/ruby/0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
index eda45dd862..190eb7d728 100644
--- a/meta/recipes-devtools/ruby/ruby/0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
+++ b/meta/recipes-devtools/ruby/ruby/0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
@@ -1,4 +1,4 @@
-From ff25f6dddcfbbb7b0464485bb5132458866ab51a Mon Sep 17 00:00:00 2001
+From 97051be9cb9317d2c4d61a82d6d953809e962f13 Mon Sep 17 00:00:00 2001
 From: Lucas Kanashiro <kanashiro@debian.org>
 Date: Fri, 1 Nov 2019 15:25:17 -0300
 Subject: [PATCH] Make gemspecs reproducible
@@ -12,10 +12,10 @@ Upstream-Status: Backport [debian]
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
-index 8f353ae..095125f 100644
+index 0b905a7..a102e3c 100644
 --- a/lib/rubygems/specification.rb
 +++ b/lib/rubygems/specification.rb
-@@ -1711,7 +1711,9 @@ class Gem::Specification < Gem::BasicSpecification
+@@ -1709,7 +1709,9 @@ class Gem::Specification < Gem::BasicSpecification
                  raise(Gem::InvalidSpecificationException,
                        "invalid date format in specification: #{date.inspect}")
                end
diff --git a/meta/recipes-devtools/ruby/ruby_3.4.3.bb b/meta/recipes-devtools/ruby/ruby_3.4.4.bb
similarity index 98%
rename from meta/recipes-devtools/ruby/ruby_3.4.3.bb
rename to meta/recipes-devtools/ruby/ruby_3.4.4.bb
index 45047b8859..39e86fdd28 100644
--- a/meta/recipes-devtools/ruby/ruby_3.4.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.4.4.bb
@@ -48,7 +48,7 @@ do_configure:prepend() {
 
 DEPENDS:append:libc-musl = " libucontext"
 
-SRC_URI[sha256sum] = "55a4cd1dcbe5ca27cf65e89a935a482c2bb2284832939266551c0ec68b437f46"
+SRC_URI[sha256sum] = "a0597bfdf312e010efd1effaa8d7f1d7833146fdc17950caa8158ffa3dcbfa85"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"

From patchwork Mon Jul 14 16:23:08 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66773
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A6A52C83F1B
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:43 +0000 (UTC)
Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com
 [209.85.210.178])
 by mx.groups.io with SMTP id smtpd.web10.82446.1752510219979555778
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:40 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=FeD0aa+e;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.178,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f178.google.com with SMTP id
 d2e1a72fcca58-749068b9b63so3046547b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510219;
 x=1753115019; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=0a/ZPYUh7uJTf/jXJAyfZuIg34NzLjfoYiesVW2NFFE=;
        b=FeD0aa+exZ+rQ4LZt4ks6Fzas0uq3yu/WGOwZjU7FWYbLqKXJrtHjsxeegIA88dhKe
         1LQuNQ1SYZDEKp7kORvbrPjDjU3QH47BtH5qqczwRZ82XEiPstDm9M4+oLIqPzvzPopg
         BGSnf5vT//qG0esBScYnPZEq6UXY0o/idnEHC/bpRoJKk1E/uCM1wLR+KNof0YBuXo1f
         0SbDv8Vfd653zWmI3Y/I74ds2ZVn+W42VWDnt99RBcTqxlCw9Nqx/DzfdTxzGctmubYN
         HQe3aYC65wQ3fIjVDD3JyKgpvs6mE2EfGDTJGdjoboLq9IEYwb3DO7mwYvS+cG4cRwsW
         QBOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510219; x=1753115019;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=0a/ZPYUh7uJTf/jXJAyfZuIg34NzLjfoYiesVW2NFFE=;
        b=NijjXCV63IUxTx6VtfkmfKUFg1IcIgNyKlVlT6rmSBbeAQd/M/V/rqSMzBOoHyNnka
         xYFsZgoL7EINEvegc9S+eVVbeSnvChHHZ21aIYxEtMOVyVtvmyi0KeQY+YpgNFdaJn4A
         FVmPGHEGFgT8AQ0k2Im1XN6dxGuwoqBsvIaHpwXTeluvvPrf3/xX/Zaw2GdIpRXPD/WJ
         TFyFwaGTuS0BEhorLXR2adjIyYzUhZWpqHBXcgZdU8eTnShEJh9JbVCyDnI5L++Flc4j
         WlCGtaZ8shMNCjEuKLzSmlRlmQiE1DKuk5alriQP8NwrVy6ORbRfQh84FrXbCW31pQmf
         EwGw==
X-Gm-Message-State: AOJu0YzaC4ni528eUz4dx+6jeRz8MRiw9WVWzVQQ1pxNPs4KQnclrieZ
	DqBgLL8YfY3sjvDAXhasW5p0tTB9IQMpQOduCIShgfT150ELUeiJqIDwOa9XaJulG3dsUeLxUPD
	np60K
X-Gm-Gg: ASbGncuyBJmzarikEX5tdp+bbhSv/tOVqMA+YNOtbatfi0Rm6SM5bcVfikXnUKJh4+p
	ONKBlCeVOpGr+t3LlMSMNKCuHaDtteGgEYT6hB55QPHcMzY9fNPlO+igG3LAw91IdheA//uJ2Iv
	T14C1N+puiEj/o+cKBdr/oG3LEV2Hia8k1mYgDQQ1iM0efMwFKjW1gOMrR6dJwlzP6EKF9VBcju
	2mMSra4FnSfitHYgvgWnzGgkxazA+1NcG+aNzptk2eGxMhlHjPWyLTX3w7ex8uOzyJyZLB802su
	/+bNjgPZTR7VNl+ZR1mhIbw5GuuPfWenFcJDzwBjNXtI1yoPde8JDgvAIuymodbboqD0ctyeN+S
	q20+LUf7kS6jH
X-Google-Smtp-Source: 
 AGHT+IFttZpwCNE0nffAzdAMHpY4rYeYRb5xUMzFmYRtpN3JrNK4pN6/NUeIO/P23YlWUBgR9TKxew==
X-Received: by 2002:a05:6a21:3987:b0:1f5:9961:c44 with SMTP id
 adf61e73a8af0-2317dbd4e8fmr26065309637.3.1752510218980;
        Mon, 14 Jul 2025 09:23:38 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.38
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:38 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 14/15] mingetty: fix do_package warning
Date: Mon, 14 Jul 2025 09:23:08 -0700
Message-ID: 
 <3efb82f1f51cbfa04f74626531615526e10bd2b2.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220252

From: Changqing Li <changqing.li@windriver.com>

Reproduce steps(Under the same project dir):
1. enable DISTRO_FEATURES usrmerge,  bitbake mingetty
2. disable DISTRO_FEATURES usrmerge, bitbake mingetty

Result in step 2:
WARNING: mingetty-1.08-r3 do_package: mingetty: NOT adding alternative provide /usr/sbin/getty: /usr/sbin/mingetty does not exist
WARNING: mingetty-1.08-r3 do_package: QA Issue: mingetty: Files/directories were installed but not shipped in any package:
  /sbin
  /usr/sbin

In step1, Line SBINDIR=/sbin is replaced to SBINDIR=/usr/sbin, in step2,
since do_fetch does not rerun, Makefile still has SBINDIR=/usr/sbin, so
sed not works as expected, SBINDIR still equal to /usr/sbin when disable
usrmerge. And cause above two warnings.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/mingetty/mingetty_1.08.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/mingetty/mingetty_1.08.bb b/meta/recipes-extended/mingetty/mingetty_1.08.bb
index 00d2564257..5aa19f6c8f 100644
--- a/meta/recipes-extended/mingetty/mingetty_1.08.bb
+++ b/meta/recipes-extended/mingetty/mingetty_1.08.bb
@@ -16,7 +16,7 @@ EXTRA_OEMAKE = "CC='${CC}' \
                 CFLAGS='${CFLAGS} -D_GNU_SOURCE'"
 
 do_install(){
-    sed -i -e "s;SBINDIR=/sbin;SBINDIR=$base_sbindir;"  ${S}/Makefile
+    sed -i -e "/^SBINDIR=/c SBINDIR=$base_sbindir"  ${S}/Makefile
     install -d ${D}${mandir}/man8 ${D}/${base_sbindir}
     oe_runmake install DESTDIR=${D}
 }

From patchwork Mon Jul 14 16:23:09 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 66775
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AA6F4C83F21
	for <webhook@archiver.kernel.org>; Mon, 14 Jul 2025 16:23:43 +0000 (UTC)
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
 by mx.groups.io with SMTP id smtpd.web10.82448.1752510222628554522
 for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:42 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=BCovqVDG;
 spf=softfail (domain: sakoman.com, ip: 209.85.210.181,
 mailfrom: steve@sakoman.com)
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-742c3d06de3so4911959b3a.0
        for <openembedded-core@lists.openembedded.org>;
 Mon, 14 Jul 2025 09:23:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752510222;
 x=1753115022; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=sxfqMHjES7Xzm3ye8cVgSpM/lhpHuEBquWTwJrDmJRw=;
        b=BCovqVDG2kQAmJPLR4fVOBS11kEE/cfYrCVbD5+JWIcHVzakbiDiUH/H9VefWjeNuO
         RbnlwWglhYwjxUfhZVVZ0AnTw5TW9AyA6S8XT2ktvEy5XaldjuTJH7RHQ/ymrnmGs6UA
         dvRwi1OYEmjQauP9ywvFsLIJ77+hZ+Z0KpUkUz2ib6esluIpSJyIxUYys5esRrwp9cvO
         5WdilTREosYdC/kmKDl4f/PM5WD3oxkRZe7UW9/RpndfRnrI1yPbMZboOwRrNWk2/55H
         +4fJFO6KEAtPD2sreGNl6Ixw/wXiDXD2kucm7gxe8UbLvjFFb+w/VF+S7YyRjbE0JdQ9
         1e9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752510222; x=1753115022;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=sxfqMHjES7Xzm3ye8cVgSpM/lhpHuEBquWTwJrDmJRw=;
        b=H1ErcF8hiJbWMnBa2/59HiWW/bNaVmYY8iI5Jv3dxAPCWPxGTPsW589T/lzF/xyvSL
         HwyEuO1ohI/GOvIwZLyKuEVKgw/rNhGGNbbXtknSDrGoWKEb1ORaVt/oyor44yeOxccj
         ajh34Fc0zOSJZTUlJla/tuNNAq1fBKmDJsvcKe5EPUD5InwqndCDY1UO0sEzFQnNhZsj
         CjJWVT/z5EwVa3y5nXZ1LetdbIvx6KdyKl3RzX5ABt4gCqIZ3oe/BgWJKXM+VmFO8PNv
         PhGfVEBcD9BVkoBkuJsVW+8/MYkVQrcCfQ96NYNMQXMSFl+3a3meViLJWUgrhkaJoMYj
         NJiw==
X-Gm-Message-State: AOJu0Yz/3G5LgO2rlCQ2Zi0lKqSvF9mEEFm/bmmyyW0XlvGGHvhvc4dQ
	UbwGjq52DxPIhjzUZ66vVwFoYgcj2ruv6pyz29t7JAOTAsaXNtCTau827t9fieBA8czFhH9XiAD
	pyF8w
X-Gm-Gg: ASbGncuoCYp97EVpYf/VFapjFp+BXa4t6BIWugoBmw9Dlc/YjS6QVVXb5XNu1vNKPvY
	dizWyDbb8drQf1NfUd2AF7OMeG3tf4+K2OrYiY5J6B/zNs9wEVHzUwR91t/B5fiUgtZHHGRHmEj
	BZtGiTxlwg0C9dJYUdWutdx9ldgIwEkhIk4TPkN739zSec67pEkZdROQnFnlzw3SPDjKPtYmbWm
	DlB3G8gYNF4hgq8/yzmlHBj2SH8Byk2HfP+g7dzWa88btTW//pwMmizdW6L2KZ22sfuDOKMOtb2
	uHoYBq7ZgnSLNacLIzi4ZF4vIpdcPQpt7/4y9PKlNGqxG4GX+/lsUO9EB3S3To//dKjv6ndIQGH
	TRE1U6FsjrIhhu+HAG44KVco=
X-Google-Smtp-Source: 
 AGHT+IH4ppqbUnoTTXUIx1RQgPydaka3yW2txb0onCLqwLan4yrsx4i/OEMfIEvr9ypXTbr3t6mYQw==
X-Received: by 2002:a05:6a21:33a8:b0:236:355d:5f23 with SMTP id
 adf61e73a8af0-236355d6353mr1630121637.39.1752510221634;
        Mon, 14 Jul 2025 09:23:41 -0700 (PDT)
Received: from hexa.. ([2602:feb4:3b:2100:4aa7:6b72:b465:3a4])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-74eb9dd5e8fsm10456053b3a.29.2025.07.14.09.23.40
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jul 2025 09:23:41 -0700 (PDT)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][walnascar 15/15] ltp: backport patch to fix compilation
 error for Skylake -march=x86-64-v3
Date: Mon, 14 Jul 2025 09:23:09 -0700
Message-ID: 
 <4225c9abbc68e1a29a54927a9c8e1fe12208e5b4.1752509862.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1752509862.git.steve@sakoman.com>
References: <cover.1752509862.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Mon, 14 Jul 2025 16:23:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/220253

From: Yogesh Tyagi <yogesh.tyagi@intel.com>

When the input compiler enables AVX, stack realignment requirements
causes gcc to fail to omit %rbp use, due to which the test fails to
clobber %rbp in inline asm.  Disable AVX to build the test on x86_64 so
that the test continues working.

(From OE-Core rev: bbd3e7886e2ec5ab3578d618b28d007a80d917aa)

Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...cve-2015-3290-Disable-AVX-for-x86_64.patch | 42 +++++++++++++++++++
 meta/recipes-extended/ltp/ltp_20250130.bb     |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-extended/ltp/ltp/0001-cve-2015-3290-Disable-AVX-for-x86_64.patch

diff --git a/meta/recipes-extended/ltp/ltp/0001-cve-2015-3290-Disable-AVX-for-x86_64.patch b/meta/recipes-extended/ltp/ltp/0001-cve-2015-3290-Disable-AVX-for-x86_64.patch
new file mode 100644
index 0000000000..c6fae88eb9
--- /dev/null
+++ b/meta/recipes-extended/ltp/ltp/0001-cve-2015-3290-Disable-AVX-for-x86_64.patch
@@ -0,0 +1,42 @@
+From 28d823a63ee29f5d72c2aba781a06a7e2651cadc Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@gotplt.org>
+Date: Mon, 7 Apr 2025 06:24:47 -0400
+Subject: [PATCH] cve-2015-3290: Disable AVX for x86_64
+
+When the input compiler enables AVX, stack realignment requirements
+causes gcc to fail to omit %rbp use, due to which the test fails to
+clobber %rbp in inline asm.  Disable AVX to build the test on x86_64 so
+that the test continues working.
+
+Link: https://lore.kernel.org/ltp/20250407102448.2605506-2-siddhesh@gotplt.org/
+
+Upstream-Status: Backport [https://github.com/linux-test-project/ltp/commit/28d823a63ee29f5d72c2aba781a06a7e2651cadc]
+
+Reviewed-by: Martin Doucha <mdoucha@suse.cz>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
+
+---
+ testcases/cve/Makefile | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
+index 01b9b9ccb..98c38e908 100644
+--- a/testcases/cve/Makefile
++++ b/testcases/cve/Makefile
+@@ -22,6 +22,12 @@ ifneq (,$(filter $(HOST_CPU),x86 x86_64))
+ meltdown: CFLAGS += -msse2
+ endif
+ 
++# The test needs to clobber %rbp, which requires frame pointer omission.  Also
++# for x86_64, disable AVX since that could sometimes require a stack
++# realignment, which gets in the way of frame pointer omission.
+ cve-2015-3290:	CFLAGS += -pthread -fomit-frame-pointer
++ifeq ($(HOST_CPU),x86_64)
++cve-2015-3290: CFLAGS += -mno-avx
++endif
+ 
+ include $(top_srcdir)/include/mk/generic_leaf_target.mk
+-- 
+2.37.3
+
diff --git a/meta/recipes-extended/ltp/ltp_20250130.bb b/meta/recipes-extended/ltp/ltp_20250130.bb
index 690224e6d7..f9521acbc6 100644
--- a/meta/recipes-extended/ltp/ltp_20250130.bb
+++ b/meta/recipes-extended/ltp/ltp_20250130.bb
@@ -30,6 +30,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=ht
            file://0001-Remove-OOM-tests-from-runtest-mm.patch \
            file://0001-Add-__clear_cache-declaration-for-clang.patch \
            file://0001-kernel-kvm-don-t-hardcode-objcopy.patch \
+           file://0001-cve-2015-3290-Disable-AVX-for-x86_64.patch \
            "
 
 S = "${WORKDIR}/git"