From patchwork Thu Jul 17 02:58:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 67015 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/12] libxml2: fix CVE-2025-49794 & CVE-2025-49796
Date: Wed, 16 Jul 2025 19:58:49 -0700
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220501

From: Hitendra Prajapati

Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
 .../CVE-2025-49794-CVE-2025-49796.patch | 186 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
 2 files changed, 187 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch new file mode 100644 index 0000000000..881cac7f03 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-49794-CVE-2025-49796.patch
@@ -0,0 +1,186 @@ +From 71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 14:28:26 +0200 +Subject: [PATCH] schematron: Fix memory safety issues in + xmlSchematronReportOutput + +Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) +in xmlSchematronReportOutput. + +Fixes #931. +Fixes #933. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b] +CVE: CVE-2025-49794 CVE-2025-49796 +Signed-off-by: Hitendra Prajapati +--- + result/schematron/cve-2025-49794_0.err | 2 ++ + result/schematron/cve-2025-49796_0.err | 2 ++ + schematron.c | 49 ++++++++++++++------------ + test/schematron/cve-2025-49794.sct | 10 ++++++ + test/schematron/cve-2025-49794_0.xml | 6 ++++ + test/schematron/cve-2025-49796.sct | 9 +++++ + test/schematron/cve-2025-49796_0.xml | 3 ++ + 7 files changed, 58 insertions(+), 23 deletions(-) + create mode 100644 result/schematron/cve-2025-49794_0.err + create mode 100644 result/schematron/cve-2025-49796_0.err + create mode 100644 test/schematron/cve-2025-49794.sct + create mode 100644 test/schematron/cve-2025-49794_0.xml + create mode 100644 test/schematron/cve-2025-49796.sct + create mode 100644 test/schematron/cve-2025-49796_0.xml + +diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err +new file mode 100644 +index 0000000..5775231 +--- /dev/null ++++ b/result/schematron/cve-2025-49794_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49794_0.xml fails to validate +diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err +new file mode 100644 +index 0000000..bf875ee +--- /dev/null ++++ b/result/schematron/cve-2025-49796_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: 
++./test/schematron/cve-2025-49796_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index a825920..411a515 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1389,27 +1389,15 @@ exit: + * * + ************************************************************************/ + +-static xmlNodePtr ++static xmlXPathObjectPtr + xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, + xmlNodePtr cur, const xmlChar *xpath) { +- xmlNodePtr node = NULL; +- xmlXPathObjectPtr ret; +- + if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) + return(NULL); + + ctxt->xctxt->doc = cur->doc; + ctxt->xctxt->node = cur; +- ret = xmlXPathEval(xpath, ctxt->xctxt); +- if (ret == NULL) +- return(NULL); +- +- if ((ret->type == XPATH_NODESET) && +- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) +- node = ret->nodesetval->nodeTab[0]; +- +- xmlXPathFreeObject(ret); +- return(node); ++ return(xmlXPathEval(xpath, ctxt->xctxt)); + } + + /** +@@ -1455,25 +1443,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + (child->type == XML_CDATA_SECTION_NODE)) + ret = xmlStrcat(ret, child->content); + else if (IS_SCHEMATRON(child, "name")) { ++ xmlXPathObject *obj = NULL; + xmlChar *path; + + path = xmlGetNoNsProp(child, BAD_CAST "path"); + + node = cur; + if (path != NULL) { +- node = xmlSchematronGetNode(ctxt, cur, path); +- if (node == NULL) +- node = cur; ++ obj = xmlSchematronGetNode(ctxt, cur, path); ++ if ((obj != NULL) && ++ (obj->type == XPATH_NODESET) && ++ (obj->nodesetval != NULL) && ++ (obj->nodesetval->nodeNr > 0)) ++ node = obj->nodesetval->nodeTab[0]; + xmlFree(path); + } + +- if ((node->ns == NULL) || (node->ns->prefix == NULL)) +- ret = xmlStrcat(ret, node->name); +- else { +- ret = xmlStrcat(ret, node->ns->prefix); +- ret = xmlStrcat(ret, BAD_CAST ":"); +- ret = xmlStrcat(ret, node->name); ++ switch (node->type) { ++ case XML_ELEMENT_NODE: ++ case XML_ATTRIBUTE_NODE: ++ if ((node->ns == NULL) || (node->ns->prefix == NULL)) ++ ret = xmlStrcat(ret, 
node->name); ++ else { ++ ret = xmlStrcat(ret, node->ns->prefix); ++ ret = xmlStrcat(ret, BAD_CAST ":"); ++ ret = xmlStrcat(ret, node->name); ++ } ++ break; ++ ++ /* TODO: handle other node types */ ++ default: ++ break; + } ++ ++ xmlXPathFreeObject(obj); + } else if (IS_SCHEMATRON(child, "value-of")) { + xmlChar *select; + xmlXPathObjectPtr eval; +diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct +new file mode 100644 +index 0000000..7fc9ee3 +--- /dev/null ++++ b/test/schematron/cve-2025-49794.sct +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml +new file mode 100644 +index 0000000..debc64b +--- /dev/null ++++ b/test/schematron/cve-2025-49794_0.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct +new file mode 100644 +index 0000000..e9702d7 +--- /dev/null ++++ b/test/schematron/cve-2025-49796.sct +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml +new file mode 100644 +index 0000000..be33c4e +--- /dev/null ++++ b/test/schematron/cve-2025-49796_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +-- +2.49.0 + diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 1ecac70b4c..488ace62e5 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb 
@@ -21,6 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-32414.patch \ file://CVE-2025-32415.patch \ file://CVE-2025-6021.patch \ + file://CVE-2025-49794-CVE-2025-49796.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
From patchwork Thu Jul 17 02:58:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 67017 X-Patchwork-Delegate: steve@sakoman.com
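Review bot: In the schematron.c hunk at -1389 of the libxml2 patch (01/12), xmlSchematronGetNode now returns the xmlXPathObjectPtr from xmlXPathEval and leaves it to the caller to release, but the function keeps the name "GetNode" and the visible lines add no comment saying the result must be passed to xmlXPathFreeObject. The removed lines returned nodeTab[0] after calling xmlXPathFreeObject on the result, so this ownership change is the substance of the use-after-free fix; a one-line comment on the function (or a rename that says it evaluates an XPath expression) would keep a later caller from reintroducing the early free.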
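Review bot: In the xmlSchematronFormatReport hunk of the libxml2 patch (01/12), the "default: break;" arm of the new "switch (node->type)" appends nothing when the path expression selects a node that is neither XML_ELEMENT_NODE nor XML_ATTRIBUTE_NODE, so the report silently loses the name; the two added .err expectations end right after "line 2:", which is consistent with that. The type check is what keeps node->ns and node->name from being read on the wrong structure and should stay, but consider falling back to cur in that arm (the old code used cur when the lookup returned NULL) or emitting a diagnostic, and the TODO would be more useful if it listed the node types still to be handled.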
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/12] python3: update CVE product
Date: Wed, 16 Jul 2025 19:58:50 -0700
Message-ID: <72369cd66f78a371608c3fff205e0e96c248f2b3.1752721028.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220502

From: Peter Marko

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by adding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c was updated. But let's keep it for future in case new CVE starts with that again.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/python/python3_3.12.11.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3_3.12.11.bb b/meta/recipes-devtools/python/python3_3.12.11.bb index 706dabb5cd..84c4f74158 100644 --- a/meta/recipes-devtools/python/python3_3.12.11.bb +++ b/meta/recipes-devtools/python/python3_3.12.11.bb
@@ -45,7 +45,7 @@ SRC_URI[sha256sum] = "c30bb24b7f1e9a19b11b55a546434f74e739bb4c271a3e3a80ff4380d4 # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" -CVE_PRODUCT = "python cpython" +CVE_PRODUCT = "python:python python_software_foundation:python cpython" CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour" CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
From patchwork Thu Jul 17 02:58:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 67020 X-Patchwork-Delegate: steve@sakoman.com
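Review bot: On the changed CVE_PRODUCT line of the python3 patch (02/12), "cpython" stays without a vendor prefix while "python" gains two, so the vendor ambiguity this change removes for "python" remains possible for "cpython"; the commit message explains why the entry is kept, but the recipe does not. A short comment above the assignment saying that the vendor prefixes are there to exclude the microsoft:python entries (Visual Studio Code Python extension) and that the bare cpython entry is kept on purpose would stop a later cleanup from reverting it to "python cpython".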
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/12] busybox: apply patch for CVE-2023-39810
Date: Wed, 16 Jul 2025 19:58:51 -0700
Message-ID: <3f2b235526d135094408e3895c01bff7b5b938fb.1752721028.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220503

From: Peter Marko

Backport patch referencing this CVE.

Note that the hardening is not activated by default, it adds defconfig option to enable it. Since it introduces a breaking change, it shouldn't be enabled in LTS release by default.

This patch makes busybox cpio equivalent in this release to what is currently in master and in kirkstone.

Also note that gnu cpio also does not have this hardening, but the CVE is created only against busybox.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../busybox/busybox/CVE-2023-39810.patch | 136 ++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-39810.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch new file mode 100644 index 0000000000..821ab3508f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
@@ -0,0 +1,136 @@ +From 9a8796436b9b0641e13480811902ea2ac57881d3 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Wed, 2 Oct 2024 10:12:05 +0200 +Subject: [PATCH] archival: disallow path traversals (CVE-2023-39810) + +Create new configure option for archival/libarchive based extractions to +disallow path traversals. +As this is a paranoid option and might introduce backward +incompatibility, default it to no. + +Fixes: CVE-2023-39810 + +Based on the patch by Peter Kaestle + +function old new delta +data_extract_all 921 945 +24 +strip_unsafe_prefix 101 102 +1 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0) Total: 25 bytes + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2023-39810 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3] +Signed-off-by: Peter Marko +--- + archival/Config.src | 11 +++++++++++ + archival/libarchive/data_extract_all.c | 8 ++++++++ + archival/libarchive/unsafe_prefix.c | 6 +++++- + scripts/kconfig/lxdialog/check-lxdialog.sh | 2 +- + testsuite/cpio.tests | 23 ++++++++++++++++++++++ + 5 files changed, 48 insertions(+), 2 deletions(-) + +diff --git a/archival/Config.src b/archival/Config.src +index 6f4f30c43..cbcd7217c 100644 +--- a/archival/Config.src ++++ b/archival/Config.src +@@ -35,4 +35,15 @@ config FEATURE_LZMA_FAST + This option reduces decompression time by about 25% at the cost of + a 1K bigger binary. + ++config FEATURE_PATH_TRAVERSAL_PROTECTION ++ bool "Prevent extraction of filenames with /../ path component" ++ default n ++ help ++ busybox tar and unzip remove "PREFIX/../" (if it exists) ++ from extracted names. ++ This option enables this behavior for all other unpacking applets, ++ such as cpio, ar, rpm. ++ GNU cpio 2.15 has NO such sanity check. ++# try other archivers and document their behavior? 
++ + endmenu +diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c +index 049c2c156..8a69711c1 100644 +--- a/archival/libarchive/data_extract_all.c ++++ b/archival/libarchive/data_extract_all.c +@@ -65,6 +65,14 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) + } while (--n != 0); + } + #endif ++#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION ++ /* Strip leading "/" and up to last "/../" path component */ ++ dst_name = (char *)strip_unsafe_prefix(dst_name); ++#endif ++// ^^^ This may be a problem if some applets do need to extract absolute names. ++// (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag). ++// You might think that rpm needs it, but in my tests rpm's internal cpio ++// archive has names like "./usr/bin/FOO", not "/usr/bin/FOO". + + if (archive_handle->ah_flags & ARCHIVE_CREATE_LEADING_DIRS) { + char *slash = strrchr(dst_name, '/'); +diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c +index 33e487bf9..667081195 100644 +--- a/archival/libarchive/unsafe_prefix.c ++++ b/archival/libarchive/unsafe_prefix.c +@@ -14,7 +14,11 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str) + cp++; + continue; + } +- if (is_prefixed_with(cp, "/../"+1)) { ++ /* We are called lots of times. ++ * is_prefixed_with(cp, "../") is slower than open-coding it, ++ * with minimal code growth (~few bytes). ++ */ ++ if (cp[0] == '.' && cp[1] == '.' && cp[2] == '/') { + cp += 3; + continue; + } +diff --git a/scripts/kconfig/lxdialog/check-lxdialog.sh b/scripts/kconfig/lxdialog/check-lxdialog.sh +index 5075ebf2d..910ca1f7c 100755 +--- a/scripts/kconfig/lxdialog/check-lxdialog.sh ++++ b/scripts/kconfig/lxdialog/check-lxdialog.sh +@@ -55,7 +55,7 @@ trap "rm -f $tmp" 0 1 2 3 15 + check() { + $cc -x c - -o $tmp 2>/dev/null <<'EOF' + #include CURSES_LOC +-main() {} ++int main() { return 0; } + EOF + if [ $? 
!= 0 ]; then + echo " *** Unable to find the ncurses libraries or the" 1>&2 +diff --git a/testsuite/cpio.tests b/testsuite/cpio.tests +index 85e746589..a4462c53e 100755 +--- a/testsuite/cpio.tests ++++ b/testsuite/cpio.tests +@@ -154,6 +154,29 @@ testing "cpio -R with extract" \ + " "" "" + SKIP= + ++# Create an archive containing a file with "../dont_write" filename. ++# See that it will not be allowed to unpack. ++# NB: GNU cpio 2.15 DOES NOT do such checks. ++optional FEATURE_PATH_TRAVERSAL_PROTECTION ++rm -rf cpio.testdir ++mkdir -p cpio.testdir/prepare/inner ++echo "file outside of destination was written" > cpio.testdir/prepare/dont_write ++echo "data" > cpio.testdir/prepare/inner/to_extract ++mkdir -p cpio.testdir/extract ++testing "cpio extract file outside of destination" "\ ++(cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio -o -H newc) | (cd cpio.testdir/extract && cpio -vi 2>&1) ++echo \$? ++ls cpio.testdir/dont_write 2>&1" \ ++"\ ++cpio: removing leading '../' from member names ++../dont_write ++to_extract ++1 blocks ++0 ++ls: cpio.testdir/dont_write: No such file or directory ++" "" "" ++SKIP= ++ + # Clean up + rm -rf cpio.testdir cpio.testdir2 2>/dev/null + diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index 69e9555766..069544cc8a 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb 
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-awk.c-fix-CVE-2023-42366-bug-15874.patch \ file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \ file://CVE-2022-48174.patch \ + file://CVE-2023-39810.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
From patchwork Thu Jul 17 02:58:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 67019 X-Patchwork-Delegate: steve@sakoman.com
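Review bot: In the busybox patch (03/12), the Config.src hunk adds FEATURE_PATH_TRAVERSAL_PROTECTION with "default n" and the busybox_1.36.1.bb hunk adds only file://CVE-2023-39810.patch with no configuration fragment, so the "#if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION" block in data_extract_all.c is compiled out of a default build while the patch's "CVE: CVE-2023-39810" tag lets CVE tooling count the issue as patched. The commit message says this is deliberate for an LTS branch; recording it next to the SRC_URI entry (a comment, or an optional .cfg fragment that users can add) would make the remaining exposure of the cpio, ar and rpm unpacking applets visible to whoever reads the CVE report.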
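Review bot: In the testsuite/cpio.tests hunk of the busybox patch (03/12), the expected output hard-codes "ls: cpio.testdir/dont_write: No such file or directory", which is the wording of busybox ls; GNU coreutils ls words the same error as "ls: cannot access '...': No such file or directory", so the test fails for a reason unrelated to the hardening wherever ls resolves to coreutils. Checking with "test -e cpio.testdir/dont_write; echo \$?" would assert the same thing without depending on the error text, and the test could also assert where the member does end up, since the expected output says the leading '../' is removed rather than the member skipped.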
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/12] iputils: patch CVE-2025-48964
Date: Wed, 16 Jul 2025 19:58:52 -0700
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220504

From: Peter Marko

Pick commit referencing this CVE.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../iputils/iputils/CVE-2025-48964.patch | 99 +++++++++++++++++++
 .../iputils/iputils_20240117.bb | 1 +
 2 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch

diff --git a/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch b/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch new file mode 100644 index 0000000000..fc2352c99c --- /dev/null +++ b/meta/recipes-extended/iputils/iputils/CVE-2025-48964.patch
@@ -0,0 +1,99 @@ +From afa36390394a6e0cceba03b52b59b6d41710608c Mon Sep 17 00:00:00 2001 +From: Cyril Hrubis +Date: Fri, 16 May 2025 17:57:10 +0200 +Subject: [PATCH] ping: Fix moving average rtt calculation + +The rts->rtt counts an exponential weight moving average in a fixed +point, that means that even if we limit the triptime to fit into a 32bit +number the average will overflow because because fixed point needs eight +more bits. + +We also have to limit the triptime to 32bit number because otherwise the +moving average may stil overflow if we manage to produce a large enough +triptime. + +Fixes: CVE-2025-48964 +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772 +Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1 +Reported-by: Mohamed Maatallah +Reviewed-by: Petr Vorel +Tested-by: Petr Vorel +Reviewed-by: Michal Kubecek +Reviewed-by: Mohamed Maatallah +Signed-off-by: Cyril Hrubis + +CVE: CVE-2025-48964 +Upstream-Status: Backport [https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c] +Signed-off-by: Peter Marko +--- + iputils_common.h | 2 +- + ping/ping.h | 2 +- + ping/ping_common.c | 8 ++++---- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 829a749..1296905 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -11,7 +11,7 @@ + __typeof__(&arr[0]))])) * 0) + + /* 1000001 = 1000000 tv_sec + 1 tv_usec */ +-#define TV_SEC_MAX_VAL (LONG_MAX/1000001) ++#define TV_SEC_MAX_VAL (INT32_MAX/1000001) + + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) +diff --git a/ping/ping.h b/ping/ping.h +index 4dce538..bc1fab2 100644 +--- a/ping/ping.h ++++ b/ping/ping.h +@@ -191,7 +191,7 @@ struct ping_rts { + long tmax; /* maximum round trip time */ + double tsum; /* sum of all times, for doing average */ + double tsum2; +- int rtt; ++ uint64_t rtt; /* Exponential weight moving average calculated in fixed point 
*/ + int rtt_addend; + uint16_t acked; + int pipesize; +diff --git a/ping/ping_common.c b/ping/ping_common.c +index 2a3e556..fad5228 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -282,7 +282,7 @@ int __schedule_exit(int next) + + static inline void update_interval(struct ping_rts *rts) + { +- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000; ++ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000; + + rts->interval = (est + rts->rtt_addend + 500) / 1000; + if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS) +@@ -778,7 +778,7 @@ restamp: + if (triptime > rts->tmax) + rts->tmax = triptime; + if (!rts->rtt) +- rts->rtt = triptime * 8; ++ rts->rtt = ((uint64_t)triptime) * 8; + else + rts->rtt += triptime - rts->rtt / 8; + if (rts->opt_adaptive) +@@ -948,7 +948,7 @@ int finish(struct ping_rts *rts) + int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1); + + printf(_("%sipg/ewma %d.%03d/%d.%03d ms"), +- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000); ++ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000)); + } + putchar('\n'); + return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets)); +@@ -973,7 +973,7 @@ void status(struct ping_rts *rts) + fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"), + (long)rts->tmin / 1000, (long)rts->tmin % 1000, + tavg / 1000, tavg % 1000, +- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000); ++ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000); + } + fprintf(stderr, "\n"); + } diff --git a/meta/recipes-extended/iputils/iputils_20240117.bb b/meta/recipes-extended/iputils/iputils_20240117.bb index 5ff5af8847..21494cae2b 100644 --- a/meta/recipes-extended/iputils/iputils_20240117.bb +++ b/meta/recipes-extended/iputils/iputils_20240117.bb 
@@ -12,6 +12,7 @@ DEPENDS = "gnutls" SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \ file://CVE-2025-47268.patch \ + file://CVE-2025-48964.patch \ " SRCREV = "8372f355bdf7a9b0c79338dd8ef8464c00a5c4e2"
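Review bot: In the embedded iputils_common.h hunk, TV_SEC_MAX_VAL now depends on INT32_MAX, but the hunk adds no #include and the comment above the macro still explains only the 1000001 divisor. Confirm that <stdint.h> is pulled in before this common header is used (ping.h already relies on uint16_t, but that says nothing about other users of iputils_common.h), and extend the comment to say the bound is deliberately 32-bit because the fixed-point average in rts->rtt needs the headroom, as the commit message explains.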
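Review bot: In the embedded ping_common.c hunk at restamp (@@ -778), the unchanged else branch `rts->rtt += triptime - rts->rtt / 8;` now mixes triptime with a uint64_t, so whenever triptime is smaller than rts->rtt / 8 the subtraction wraps and the result is correct only because the following += wraps back modulo 2^64. That works, but it is implicit, while the if branch received an explicit `((uint64_t)triptime) * 8`. Either cast here as well or add a one-line comment that the unsigned wraparound is intended, so a later cleanup does not turn it back into a signed expression that can overflow.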
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/12] gdk-pixbuf: fix CVE-2025-7345
Date: Wed, 16 Jul 2025 19:58:53 -0700
Message-ID: <78a52a7feb995b4ab4f4df6b16feaac60f6ad59b.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220505

From: Archana Polampalli

A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
--- .../gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch | 55 +++++++++++++++++++ .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch new file mode 100644 index 0000000000..a8f23d3501 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch 
@@ -0,0 +1,55 @@ +From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Fri, 11 Jul 2025 11:02:05 -0400 +Subject: [PATCH] jpeg: Be more careful with chunked icc data + +We we inadvertendly trusting the sequence numbers not to lie. +If they do we would report a larger data size than we actually +allocated, leading to out of bounds memory access in base64 +encoding later on. + +This has been assigned CVE-2025-7345. + +Fixes: #249 + +CVE: CVE-2025-7345 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886] + +Signed-off-by: Archana Polampalli +--- + gdk-pixbuf/io-jpeg.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index 3841fc0..9ee1d21 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + context->icc_profile = g_new (gchar, chunk_size); + /* copy the segment data to the profile space */ + memcpy (context->icc_profile, marker->data + 14, chunk_size); ++ ret = TRUE; + goto out; + } + +@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + /* copy the segment data to the profile space */ + memcpy (context->icc_profile + offset, marker->data + 14, chunk_size); + +- /* it's now this big plus the new data we've just copied */ +- context->icc_profile_size += chunk_size; ++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size); + + /* success */ + ret = TRUE; + out: ++ if (!ret) { ++ g_free (context->icc_profile); ++ context->icc_profile = NULL; ++ } + return ret; + } + +-- +2.40.0 diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index 9f825a68ef..ff1c7a1fb2 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://fatal-loader.patch \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ + file://CVE-2025-7345.patch \ " SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
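Review bot: In the first embedded io-jpeg.c hunk (@@ -356), the added `ret = TRUE;` before `goto out` is now load-bearing: without it, the new `if (!ret)` block at out: would free the single-chunk profile that was just copied. A short comment at out: stating that every success path must set ret before jumping there would protect this coupling from future edits.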
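Review bot: In the second embedded io-jpeg.c hunk (@@ -377), the new cleanup under out: frees context->icc_profile and sets it to NULL but leaves context->icc_profile_size at whatever earlier chunks accumulated, so anything that reads the size after a failed segment sees a non-zero length paired with a NULL pointer. Suggest also setting `context->icc_profile_size = 0;` in that block. Separately, the memcpy to `context->icc_profile + offset` just above is unchanged context, and the check that offset + chunk_size stays inside the allocation is not visible in this hunk; it is worth confirming against the full function, since MAX() only corrects the reported size.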
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/12] git: Upgrade 2.44.3 -> 2.44.4
Date: Wed, 16 Jul 2025 19:58:54 -0700
Message-ID: <3a9fdcb2ea0dd2744f59a62f2722bfa276302324.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220506

From: Vijay Anusuri

Addresses the security issues - CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

Release Notes: https://github.com/git/git/blob/v2.44.4/Documentation/RelNotes/2.44.4.txt

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
--- meta/recipes-devtools/git/{git_2.44.3.bb => git_2.44.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/git/{git_2.44.3.bb => git_2.44.4.bb} (98%) diff --git a/meta/recipes-devtools/git/git_2.44.3.bb b/meta/recipes-devtools/git/git_2.44.4.bb similarity index 98% rename from meta/recipes-devtools/git/git_2.44.3.bb rename to meta/recipes-devtools/git/git_2.44.4.bb index 7b33d6071e..66936417e1 100644 --- a/meta/recipes-devtools/git/git_2.44.3.bb +++ b/meta/recipes-devtools/git/git_2.44.4.bb 
@@ -172,4 +172,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "4237c37cdf7b3d38102117b22993b2f761a4c02758dfbe33f7b7423c0b096ca9" +SRC_URI[tarball.sha256sum] = "302ebe0f4b1c5d1ee477b5ee74f7f2f69efd8fa7f27481e45087ba9a4bb4851c"
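Review bot: The only content change in this rename is the SRC_URI[tarball.sha256sum] line, and nothing in the diff or the commit message lets a reader tie the new value to the 2.44.4 release tarball. Since this upgrade is the delivery vehicle for seven CVE fixes, state in the commit message how the checksum was obtained (for example, checked against the checksums published with the release) so the reviewer does not have to re-derive it.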
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/12] Revert "sudo: Fix CVE-2025-32462"
Date: Wed, 16 Jul 2025 19:58:55 -0700
Message-ID: <9310d6f867798ab98f1343ce1bc74ad8bbd6d1dd.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220507

This CVE is fixed in the following version bump

This reverts commit d01f888a5ec43fdc8e7bd496ae9317c0fa28da9b.
--- .../sudo/files/CVE-2025-32462.patch | 42 ------------------- meta/recipes-extended/sudo/sudo_1.9.15p5.bb | 1 - 2 files changed, 43 deletions(-) delete mode 100644 meta/recipes-extended/sudo/files/CVE-2025-32462.patch diff --git a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch b/meta/recipes-extended/sudo/files/CVE-2025-32462.patch deleted file mode 100644 index 04610d40fd..0000000000 --- a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Tue, 1 Apr 2025 09:24:51 -0600 -Subject: [PATCH] Only allow a remote host to be specified when listing - privileges. - -This fixes a bug where a user with sudoers privileges on a different -host could execute a command on the local host, even if the sudoers -file would not otherwise allow this. CVE-2025-32462 - -Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU). - -Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff] -CVE: CVE-2025-32462 -Signed-off-by: Vijay Anusuri ---- - plugins/sudoers/sudoers.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c -index 70a0c1a528..ad2fa2f61c 100644 ---- a/plugins/sudoers/sudoers.c -+++ b/plugins/sudoers/sudoers.c -@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag) - time_t now; - debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN); - -+ /* The user may only specify a host for "sudo -l". */ -+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) { -+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) { -+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT, -+ N_("user not allowed to set remote host for command")); -+ sudo_warnx("%s", -+ U_("a remote host may only be specified when listing privileges.")); -+ ret = false; -+ goto done; -+ } -+ } -+ - /* If given the -P option, set the "preserve_groups" flag. */ - if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS)) - def_preserve_groups = true; diff --git a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb index 30860eb75e..8e542015ad 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb 
@@ -3,7 +3,6 @@ require sudo.inc SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \ - file://CVE-2025-32462.patch \ " PAM_SRC_URI = "file://sudo.pam"
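Review bot: The revert message carries no Signed-off-by line, unlike the other patches shown in this series, and its rationale ("fixed in the following version bump") means the tree at this commit builds sudo_1.9.15p5.bb without the CVE-2025-32462 check in sudoers_check_common. Add the sign-off, and consider folding the removal of `file://CVE-2025-32462.patch` into the 1.9.17p1 upgrade so that no intermediate commit, for example one reached during a bisect, ships the unpatched recipe.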
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/12] sudo: upgrade 1.9.15p5 -> 1.9.17p1
Date: Wed, 16 Jul 2025 19:58:56 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220508

From: Praveen Kumar

Changelog:
===========
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated and will be removed entirely in a future release.

License-Update: Copyright updated to 2025

0001-sudo.conf.in-fix-conflict-with-multilib.patch refreshed for 1.9.17

Signed-off-by: Praveen Kumar
Signed-off-by: Steve Sakoman
--- ...o.conf.in-fix-conflict-with-multilib.patch | 7 ++- meta/recipes-extended/sudo/sudo.inc | 2 +- .../{sudo_1.9.15p5.bb => sudo_1.9.17p1.bb} | 54 ++++++++++++++++++- 3 files changed, 57 insertions(+), 6 deletions(-) rename meta/recipes-extended/sudo/{sudo_1.9.15p5.bb => sudo_1.9.17p1.bb} (52%) diff --git a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch index 041c717e00..1989c5abd7 100644 --- a/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch +++ b/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch 
@@ -1,4 +1,4 @@ -From 6e835350b7413210c410d3578cfab804186b7a4f Mon Sep 17 00:00:00 2001 +From 8c69192754ba73dd6e3273728a21aa73988f4bfb Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Tue, 17 Nov 2020 11:13:40 +0800 Subject: [PATCH] sudo.conf.in: fix conflict with multilib @@ -15,13 +15,12 @@ Update the comments in sudo.conf.in to avoid the conflict. Signed-off-by: Kai Kang Upstream-Status: Inappropriate [OE configuration specific] - --- examples/sudo.conf.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in -index 2187457..0908d24 100644 +index bdd676c..094341c 100644 --- a/examples/sudo.conf.in +++ b/examples/sudo.conf.in @@ -4,7 +4,7 @@ @@ -53,7 +52,7 @@ index 2187457..0908d24 100644 # Sudo plugin directory: @@ -74,7 +74,7 @@ # The default directory to use when searching for plugins that are - # specified without a fully qualified path name. + # specified without a fully-qualified path name. # -#Path plugin_dir @plugindir@ +#Path plugin_dir $plugindir diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc index feb1cf35a7..a23de1fcf7 100644 --- a/meta/recipes-extended/sudo/sudo.inc +++ b/meta/recipes-extended/sudo/sudo.inc @@ -4,7 +4,7 @@ HOMEPAGE = "http://www.sudo.ws" BUGTRACKER = "http://www.sudo.ws/bugs/" SECTION = "admin" LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=5100e20d35f9015f9eef6bdb27ba194f \ +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2841c822e587db145364ca95e9be2ffa \ file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \ file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \ file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \ 
diff --git a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb similarity index 52% rename from meta/recipes-extended/sudo/sudo_1.9.15p5.bb rename to meta/recipes-extended/sudo/sudo_1.9.17p1.bb index 8e542015ad..c5d57da9f0 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb @@ -1,3 +1,55 @@ +# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'. +# The following is the difference between the old and the new license text. +# Please update the LICENSE value if needed, and summarize the changes in +# the commit message via 'License-Update:' tag. +# (example: 'License-Update: copyright years updated.') +# +# The changes: +# +# --- LICENSE.md +# +++ LICENSE.md +# @@ -1,6 +1,6 @@ +# Sudo is distributed under the following license: +# +# - Copyright (c) 1994-1996, 1998-2023 +# + Copyright (c) 1994-1996, 1998-2025 +# Todd C. Miller +# +# Permission to use, copy, modify, and distribute this software for any +# @@ -247,9 +247,9 @@ +# +# The file arc4random.c bears the following license: +# +# - Copyright (c) 1996, David Mazieres +# - Copyright (c) 2008, Damien Miller +# - Copyright (c) 2013, Markus Friedl +# + Copyright (c) 1996, David Mazieres +# + Copyright (c) 2008, Damien Miller +# + Copyright (c) 2013, Markus Friedl +# Copyright (c) 2014, Theo de Raadt +# +# Permission to use, copy, modify, and distribute this software for any +# @@ -282,7 +282,7 @@ +# +# The file getentropy.c bears the following license: +# +# - Copyright (c) 2014 Theo de Raadt +# + Copyright (c) 2014 Theo de Raadt +# Copyright (c) 2014 Bob Beck +# +# Permission to use, copy, modify, and distribute this software for any +# 
@@ -299,7 +299,7 @@ +# +# The embedded copy of zlib bears the following license: +# +# - Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler +# + Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler +# +# This software is provided 'as-is', without any express or implied +# warranty. In no event will the authors be held liable for any damages +# +# + require sudo.inc SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ 
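Review bot: The new sudo_1.9.17p1.bb opens with the 52-line "# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'" block, which is devtool's to-do for the submitter and should not be committed with the recipe. Drop the block and carry its conclusion in the commit message instead, for example a "License-Update: copyright years updated." line if one is not already there; the LICENSE.md differences quoted in the block only touch copyright lines, which is consistent with the md5 change in the sudo.inc hunk.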
@@ -7,7 +59,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ PAM_SRC_URI = "file://sudo.pam" -SRC_URI[sha256sum] = "558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558" +SRC_URI[sha256sum] = "ff607ea717072197738a78f778692cd6df9a7e3e404565f51de063ca27455d32" DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/12] binutils: stable 2.42 branch updates
Date: Wed, 16 Jul 2025 19:58:57 -0700
Message-ID: <412def8923a89f3c385eae25901bed0c07859029.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220509

From: Deepesh Varatharajan

Below commit on binutils-2.42 stable branch are updated.

x86: Check MODRM for call and jmp in binutils older than 2.45

Test Results:
                             Before   After   Diff
No. of expected passes       302      302     0
No. of unexpected failures   2        2       0
No. of untested testcases    1        1       0
No. of unsupported tests     7        7       0

Testing was done and there were no regressions found

Signed-off-by: Deepesh Varatharajan
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index ea018a48a3..9471e6accd 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -21,7 +21,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier" CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" -SRCREV ?= "6558f9f5f0ccc107a083ae7fbf106ebcb5efa817" +SRCREV ?= "f9488b0d92b591bdf3ff8cce485cb0e1b3727cc0" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" SRC_URI = "\ ${BINUTILS_GIT_URI} \
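Review bot: The SRCREV bump is the only change here, and the commit message names the one upstream commit by subject only, so the new pin cannot be checked against it from the patch alone. Listing the short hashes between 6558f9f5f0cc and f9488b0d92b5 on the 2.42 branch (the "git log --oneline" output for that range) in the commit message would let a reviewer confirm that nothing else rides along with the update.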
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/12] kea: set correct permissions for /var/run/kea
Date: Wed, 16 Jul 2025 19:58:58 -0700
Message-ID: <5b709e2c165bf46f4f35e1783ab7ec54fabd2ec3.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220510

From: Yi Zhao

Set the permissions of /var/run/kea to 750 to fix kea server startup
error:

ERROR [kea-dhcp4.dhcp4/445.140718820303936] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': 'socket-name' is invalid: socket path:/var/run/kea does not exist or does not have permssions = 750

This permission check was introduced by commit[1] in kea 2.4.2.

[1] https://gitlab.isc.org/isc-projects/kea/-/commit/f7061c4e9711f395fbc940b0cf0ddbde87e0fc13

Signed-off-by: Yi Zhao
Signed-off-by: Steve Sakoman
---
 meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service | 1 +
 meta/recipes-connectivity/kea/files/kea-dhcp4.service | 1 +
 meta/recipes-connectivity/kea/files/kea-dhcp6.service | 1 +
 3 files changed, 3 insertions(+)

diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service index f6059d73cb..aec6446f0e 100644 --- a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service +++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
@@ -6,6 +6,7 @@ After=time-sync.target [Service] ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/ +ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/ ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf [Install] diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp4.service b/meta/recipes-connectivity/kea/files/kea-dhcp4.service index b851ea71c5..a2ed4edb59 100644 --- a/meta/recipes-connectivity/kea/files/kea-dhcp4.service +++ b/meta/recipes-connectivity/kea/files/kea-dhcp4.service @@ -6,6 +6,7 @@ After=time-sync.target [Service] ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/ +ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/ ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea ExecStart=@SBINDIR@/kea-dhcp4 -c @SYSCONFDIR@/kea/kea-dhcp4.conf diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp6.service b/meta/recipes-connectivity/kea/files/kea-dhcp6.service index 0f9f0ef8d9..ed6e017d0c 100644 --- a/meta/recipes-connectivity/kea/files/kea-dhcp6.service +++ b/meta/recipes-connectivity/kea/files/kea-dhcp6.service 
@@ -6,6 +6,7 @@ After=time-sync.target [Service] ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/ +ExecStartPre=@BASE_BINDIR@/chmod 750 @LOCALSTATEDIR@/run/kea/ ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea ExecStart=@SBINDIR@/kea-dhcp6 -c @SYSCONFDIR@/kea/kea-dhcp6.conf
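Review bot: In all three units the directory is created by "mkdir -p" with the default mode and only tightened by the following "chmod 750", so @LOCALSTATEDIR@/run/kea/ is briefly more permissive than kea accepts, and the same pair of lines now has to be kept in sync in three files. If @LOCALSTATEDIR@/run resolves to /run on the target, RuntimeDirectory=kea with RuntimeDirectoryMode=0750 in [Service] would create the directory with the right mode in one step; failing that, a short comment pointing at the kea 2.4.2 permission check would explain why the chmod is there.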
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 11/12] timedated: wait for jobs before SetNTP response
Date: Wed, 16 Jul 2025 19:58:59 -0700
Message-ID: <4db0483cfd14e31c3e7cc87d538d73275fd51bbf.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220511

From: Michal Seben

Backport a fix to address the dbus SetNTP response timing issue.
Fix is already available since systemd v256-rc1.

Signed-off-by: Michal Seben
Signed-off-by: Steve Sakoman
---
 ...d-on-org.freedesktop.timedate1.SetNT.patch | 97 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_255.21.bb | 1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch

diff --git a/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch b/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch new file mode 100644 index 0000000000..c1d8a94bf7 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch
@@ -0,0 +1,97 @@ +From 3a51e31be9f626cf772733cb289ed64739fab0e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Tue, 20 Feb 2024 19:26:16 +0100 +Subject: [PATCH] timedated: Respond on org.freedesktop.timedate1.SetNTP only + when really finished + +The method returns prematurely (before jobs it triggers terminate). This +is externally visible because other methods may fail if jobs did not +finish. +Postpone the DBus method response until we collect all signals for +finished jobs. +systemd-timedated keeps track of in-flight DBus requests and answers +them all in unspecified order when jobs finish. The capacity of requests +in systemd-timedated is limited. + +Fixes: #17739 + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3a51e31be9f626cf772733cb289ed64739fab0e4] +Signed-off-by: Michal Seben +--- + src/timedate/timedated.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +Index: git/src/timedate/timedated.c +=================================================================== +--- git.orig/src/timedate/timedated.c ++++ git/src/timedate/timedated.c +@@ -45,6 +45,7 @@ + #define NULL_ADJTIME_LOCAL "0.0 0 0\n0\nLOCAL\n" + + #define UNIT_LIST_DIRS (const char* const*) CONF_PATHS_STRV("systemd/ntp-units.d") ++#define SET_NTP_IN_FLIGHT_MAX 16 + + typedef struct UnitStatusInfo { + char *name; +@@ -61,6 +62,7 @@ typedef struct Context { + bool local_rtc; + Hashmap *polkit_registry; + sd_bus_message *cache; ++ Set *set_ntp_calls; + + sd_bus_slot *slot_job_removed; + +@@ -121,6 +123,7 @@ static void context_clear(Context *c) { + free(c->zone); + bus_verify_polkit_async_registry_free(c->polkit_registry); + sd_bus_message_unref(c->cache); ++ set_free(c->set_ntp_calls); + + sd_bus_slot_unref(c->slot_job_removed); + +@@ -461,11 +464,19 @@ static int match_job_removed(sd_bus_mess + n += !!u->path; + + if (n == 0) { ++ sd_bus_message *cm; ++ + c->slot_job_removed = sd_bus_slot_unref(c->slot_job_removed); + + 
(void) sd_bus_emit_properties_changed(sd_bus_message_get_bus(m), + "/org/freedesktop/timedate1", "org.freedesktop.timedate1", "NTP", + NULL); ++ while ((cm = set_steal_first(c->set_ntp_calls))) { ++ r = sd_bus_reply_method_return(cm, NULL); ++ if (r < 0) ++ log_debug_errno(r, "Failed to reply to SetNTP method call, ignoring: %m"); ++ sd_bus_message_unref(cm); ++ } + } + + return 0; +@@ -944,6 +955,9 @@ static int method_set_ntp(sd_bus_message + LIST_FOREACH(units, u, c->units) + u->path = mfree(u->path); + ++ if (set_size(c->set_ntp_calls) >= SET_NTP_IN_FLIGHT_MAX) ++ return sd_bus_error_set_errnof(error, EAGAIN, "Too many calls in flight."); ++ + if (!c->slot_job_removed) { + r = bus_match_signal_async( + bus, +@@ -998,11 +1012,12 @@ static int method_set_ntp(sd_bus_message + c->slot_job_removed = TAKE_PTR(slot); + + if (selected) +- log_info("Set NTP to enabled (%s).", selected->name); ++ log_info("Set NTP to be enabled (%s).", selected->name); + else +- log_info("Set NTP to disabled."); ++ log_info("Set NTP to be disabled."); + +- return sd_bus_reply_method_return(m, NULL); ++ /* Asynchrounous reply to m in match_job_removed() */ ++ return set_ensure_consume(&c->set_ntp_calls, &bus_message_hash_ops, sd_bus_message_ref(m)); + } + + static int method_list_timezones(sd_bus_message *m, void *userdata, sd_bus_error *error) { diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb index bb9dc3da33..e866f9921b 100644 --- a/meta/recipes-core/systemd/systemd_255.21.bb +++ b/meta/recipes-core/systemd/systemd_255.21.bb 
@@ -27,6 +27,7 @@ SRC_URI += " \ file://99-default.preset \ file://systemd-pager.sh \ file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ + file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \ file://0008-implment-systemd-sysv-install-for-OE.patch \ "
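Review bot: In the method_set_ntp hunks of the backported patch, SetNTP calls are now parked in set_ntp_calls and rejected with EAGAIN ("Too many calls in flight.") once SET_NTP_IN_FLIGHT_MAX (16) are pending, and the only place the visible lines reply to them is the n == 0 branch of match_job_removed. Both are client-visible changes for a stable branch (the call now blocks until the unit jobs finish and can fail where it could not before), so the OE commit message should say so, and it is worth confirming on 255.21 that an error return later in method_set_ntp cannot leave earlier callers queued without a reply. The reply loop also answers every queued caller with an empty success return; nothing in the shown lines passes a job failure back.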
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 12/12] oe-debuginfod: add option for data storage
Date: Wed, 16 Jul 2025 19:59:00 -0700
Message-ID: <24c0ab18045920bb5c1e965c0ea6d176fd6de234.1752721028.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220512

From: Joe Slater

Storing the data files under $HOME can be unreliable if debuginfod is
used for several projects, especially if $HOME is shared between
machines. We provide an option to save files under the project
directory. The default behavior is unchanged.

(From OE-Core rev: e1e0cf82f559077e2a51447baf137086202c0c4a)

Signed-off-by: Joe Slater
Signed-off-by: Deepesh Varatharajan
Signed-off-by: Steve Sakoman
---
 scripts/oe-debuginfod | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/scripts/oe-debuginfod b/scripts/oe-debuginfod index b525310225..60e51addfd 100755 --- a/scripts/oe-debuginfod +++ b/scripts/oe-debuginfod
@@ -15,14 +15,29 @@ scriptpath.add_bitbake_lib_path() import bb.tinfoil import subprocess +import argparse if __name__ == "__main__": + p = argparse.ArgumentParser() + p.add_argument("-d", action='store_true', \ + help="store debuginfod files in project sub-directory") + + args = p.parse_args() + with bb.tinfoil.Tinfoil() as tinfoil: tinfoil.prepare(config_only=True) package_classes_var = "DEPLOY_DIR_" + tinfoil.config_data.getVar("PACKAGE_CLASSES").split()[0].replace("package_", "").upper() feed_dir = tinfoil.config_data.getVar(package_classes_var, expand=True) + opts = [ '--verbose', '-R', '-U', feed_dir ] + + if args.d: + fdir = os.path.join(os.getcwd(), 'oedid-files') + os.makedirs(fdir, exist_ok=True) + opts += [ '-d', os.path.join(fdir, 'did.sqlite') ] + subprocess.call(['bitbake', '-c', 'addto_recipe_sysroot', 'elfutils-native']) - subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', '-U', feed_dir]) + subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod'] + opts) + # we should not get here print("\nTo use the debuginfod server please ensure that this variable PACKAGECONFIG:pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
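Review bot: The -d help text and the commit message say the files go under the project directory, but fdir is built from os.getcwd(), so the database lands wherever the script happens to be started. Since tinfoil is already open at that point, taking the base from tinfoil.config_data.getVar("TOPDIR") would tie oedid-files to the build directory regardless of the caller's working directory. The trailing backslash after action='store_true', inside the add_argument() parentheses is also unnecessary and can go.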