From patchwork Sat Aug 9 14:44:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68278 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 1/6] avahi: fix CVE-2024-52615 Date: Sat, 9 Aug 2025 07:44:17 -0700 Message-ID: <455f3a936874e62b57d50cc1b84dc816e35312af.1754750560.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221676 From: Zhang Peng CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52615] [https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g] Upstream patches: [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] Signed-off-by: Zhang Peng Signed-off-by: Steve Sakoman --- meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + .../avahi/files/CVE-2024-52615.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 734a73541f..4fe8ba4d28 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -36,6 +36,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://CVE-2023-38472.patch \ file://CVE-2023-38473.patch \ file://CVE-2024-52616.patch \ + file://CVE-2024-52615.patch \ " GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch new file mode 100644 index 0000000000..9737f52837 
--- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch 
@@ -0,0 +1,228 @@ +From 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 27 Nov 2024 18:07:32 +0100 +Subject: [PATCH] core/wide-area: fix for CVE-2024-52615 + +CVE: CVE-2024-52615 +Upstream-Status: Backport [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] + +Signed-off-by: Zhang Peng +--- + avahi-core/wide-area.c | 128 ++++++++++++++++++++++------------------- + 1 file changed, 69 insertions(+), 59 deletions(-) + +diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c +index 00a15056e..06df7afc6 100644 +--- a/avahi-core/wide-area.c ++++ b/avahi-core/wide-area.c +@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup { + + AvahiAddress dns_server_used; + ++ int fd; ++ AvahiWatch *watch; ++ AvahiProtocol proto; ++ + AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups); + AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key); + }; +@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup { + struct AvahiWideAreaLookupEngine { + AvahiServer *server; + +- int fd_ipv4, fd_ipv6; +- AvahiWatch *watch_ipv4, *watch_ipv6; +- + /* Cache */ + AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache); + AvahiHashmap *cache_by_key; +@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i + return l; + } + ++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata); ++ + static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) { ++ AvahiWideAreaLookupEngine *e; + AvahiAddress *a; ++ AvahiServer *s; ++ AvahiWatch *w; ++ int r; + + assert(l); + assert(p); + +- if (l->engine->n_dns_servers <= 0) ++ e = l->engine; ++ assert(e); ++ ++ s = e->server; ++ assert(s); ++ ++ if (e->n_dns_servers <= 0) + return -1; + +- assert(l->engine->current_dns_server < l->engine->n_dns_servers); ++ assert(e->current_dns_server < e->n_dns_servers); + +- a = &l->engine->dns_servers[l->engine->current_dns_server]; ++ a = 
&e->dns_servers[e->current_dns_server]; + l->dns_server_used = *a; + +- if (a->proto == AVAHI_PROTO_INET) { ++ if (l->fd >= 0) { ++ /* We are reusing lookup object and sending packet to another server so let's cleanup before we establish connection to new server. */ ++ s->poll_api->watch_free(l->watch); ++ l->watch = NULL; + +- if (l->engine->fd_ipv4 < 0) +- return -1; ++ close(l->fd); ++ l->fd = -EBADF; ++ } + +- return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT); ++ assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6); + +- } else { +- assert(a->proto == AVAHI_PROTO_INET6); ++ if (a->proto == AVAHI_PROTO_INET) ++ r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1; ++ else ++ r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1; + +- if (l->engine->fd_ipv6 < 0) +- return -1; ++ if (r < 0) { ++ avahi_log_error(__FILE__ ": Failed to create socket for wide area lookup"); ++ return -1; ++ } + +- return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT); ++ w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, l); ++ if (!w) { ++ close(r); ++ avahi_log_error(__FILE__ ": Failed to create socket watch for wide area lookup"); ++ return -1; + } ++ ++ l->fd = r; ++ l->watch = w; ++ l->proto = a->proto; ++ ++ return a->proto == AVAHI_PROTO_INET ? 
++ avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT): ++ avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT); + } + + static void next_dns_server(AvahiWideAreaLookupEngine *e) { +@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new( + l->dead = 0; + l->key = avahi_key_ref(key); + l->cname_key = avahi_key_new_cname(l->key); ++ l->fd = -EBADF; ++ l->watch = NULL; ++ l->proto = AVAHI_PROTO_UNSPEC; + l->callback = callback; + l->userdata = userdata; + +@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) { + if (l->cname_key) + avahi_key_unref(l->cname_key); + ++ if (l->watch) ++ l->engine->server->poll_api->watch_free(l->watch); ++ ++ if (l->fd >= 0) ++ close(l->fd); ++ + avahi_free(l); + } + +@@ -572,14 +614,20 @@ static void handle_packet(AvahiWideAreaLookupEngine *e, AvahiDnsPacket *p) { + } + + static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) { +- AvahiWideAreaLookupEngine *e = userdata; ++ AvahiWideAreaLookup *l = userdata; ++ AvahiWideAreaLookupEngine *e = l->engine; + AvahiDnsPacket *p = NULL; + +- if (fd == e->fd_ipv4) +- p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, NULL); ++ assert(l); ++ assert(e); ++ assert(l->fd == fd); ++ ++ if (l->proto == AVAHI_PROTO_INET) ++ p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL); + else { +- assert(fd == e->fd_ipv6); +- p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, NULL); ++ assert(l->proto == AVAHI_PROTO_INET6); ++ ++ p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL); + } + + if (p) { +@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) { + e->server = s; + e->cleanup_dead = 0; + +- /* Create sockets */ +- e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1; +- e->fd_ipv6 = s->config.use_ipv6 ? 
avahi_open_unicast_socket_ipv6() : -1; +- +- if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) { +- avahi_log_error(__FILE__": Failed to create wide area sockets: %s", strerror(errno)); +- +- if (e->fd_ipv6 >= 0) +- close(e->fd_ipv6); +- +- if (e->fd_ipv4 >= 0) +- close(e->fd_ipv4); +- +- avahi_free(e); +- return NULL; +- } +- +- /* Create watches */ +- +- e->watch_ipv4 = e->watch_ipv6 = NULL; +- +- if (e->fd_ipv4 >= 0) +- e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e); +- if (e->fd_ipv6 >= 0) +- e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e); +- + e->n_dns_servers = e->current_dns_server = 0; + + /* Initialize cache */ +@@ -651,18 +673,6 @@ void avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) { + avahi_hashmap_free(e->lookups_by_id); + avahi_hashmap_free(e->lookups_by_key); + +- if (e->watch_ipv4) +- e->server->poll_api->watch_free(e->watch_ipv4); +- +- if (e->watch_ipv6) +- e->server->poll_api->watch_free(e->watch_ipv6); +- +- if (e->fd_ipv6 >= 0) +- close(e->fd_ipv6); +- +- if (e->fd_ipv4 >= 0) +- close(e->fd_ipv4); +- + avahi_free(e); + } + +@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine *e, const AvahiAddres + + if (a) { + for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--) +- if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || (a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0)) ++ if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6) + e->dns_servers[e->n_dns_servers++] = *a; + } else { + assert(n == 0);
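Review bot: in socket_event() of avahi-core/wide-area.c, `AvahiWideAreaLookupEngine *e = l->engine;` dereferences `l` in the initializer, so the `assert(l);` a few lines later cannot catch a NULL `userdata` before the dereference. Declare `e` without an initializer and assign `e = l->engine;` after `assert(l);`, the way send_to_dns_server() in this same patch does. Both receive calls also still pass NULL for every out-parameter, so the sender's address and port are not available to compare with `l->dns_server_used`; a short comment saying whether that check is deliberately left out would help readers of a fix aimed at injected DNS responses.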
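Review bot: the server filter in avahi_wide_area_set_servers() now accepts any AVAHI_PROTO_INET or AVAHI_PROTO_INET6 address, where the removed condition also required an open socket for that family. A server whose family is disabled through `s->config.use_ipv4` or `use_ipv6` is therefore stored, and send_to_dns_server() then takes the `: -1` branch and logs "Failed to create socket for wide area lookup" on every query sent to it. Consider testing `e->server->config.use_ipv4` / `use_ipv6` in this filter, and adding `strerror(errno)` to the new log message for the case where socket creation itself fails, as the removed engine-level message did.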
From patchwork Sat Aug 9 14:44:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68279 X-Patchwork-Delegate: steve@sakoman.com From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 2/6] sqlite3: patch CVE-2025-6965 Date: Sat, 9 Aug 2025 07:44:18 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221677
From: Peter Marko Pick patch [1] mentioned in NVD report [2] from github mirror [3]. [1] https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-6965 [3] https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../sqlite/sqlite3/CVE-2025-6965.patch | 112 ++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.48.0.bb | 1 + 2 files changed, 113 insertions(+) create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch new file mode 100644 index 0000000000..9b2f4409b3 --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-6965.patch 
@@ -0,0 +1,112 @@ +From c52e9d97d485a3eb168e3f8f3674a7bc4b419703 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Fri, 27 Jun 2025 19:02:21 +0000 +Subject: [PATCH] Raise an error right away if the number of aggregate terms in + a query exceeds the maximum number of columns. + +FossilOrigin-Name: 5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8 + +CVE: CVE-2025-6965 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/c52e9d97d485a3eb168e3f8f3674a7bc4b419703] +Signed-off-by: Peter Marko +--- + sqlite3.c | 30 ++++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 146047d..c78f58b 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -15257,6 +15257,14 @@ typedef INT16_TYPE LogEst; + #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) + ++/* ++** Macro SMXV(n) return the maximum value that can be held in variable n, ++** assuming n is a signed integer type. UMXV(n) is similar for unsigned ++** integer types. ++*/ ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + /* + ** Round up a number to the next larger multiple of 8. This is used + ** to force 8-byte alignment on 64-bit architectures. 
+@@ -19046,7 +19054,7 @@ struct AggInfo { + ** from source tables rather than from accumulators */ + u8 useSortingIdx; /* In direct mode, reference the sorting index rather + ** than the source table */ +- u16 nSortingColumn; /* Number of columns in the sorting index */ ++ u32 nSortingColumn; /* Number of columns in the sorting index */ + int sortingIdx; /* Cursor number of the sorting index */ + int sortingIdxPTab; /* Cursor number of pseudo-table */ + int iFirstReg; /* First register in range for aCol[] and aFunc[] */ +@@ -19055,8 +19063,8 @@ struct AggInfo { + Table *pTab; /* Source table */ + Expr *pCExpr; /* The original expression */ + int iTable; /* Cursor number of the source table */ +- i16 iColumn; /* Column number within the source table */ +- i16 iSorterColumn; /* Column number in the sorting index */ ++ int iColumn; /* Column number within the source table */ ++ int iSorterColumn; /* Column number in the sorting index */ + } *aCol; + int nColumn; /* Number of used entries in aCol[] */ + int nAccumulator; /* Number of columns that show through to the output. 
+@@ -116445,7 +116453,9 @@ static void findOrCreateAggInfoColumn( + ){ + struct AggInfo_col *pCol; + int k; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; + ++ assert( mxTerm <= SMXV(i16) ); + assert( pAggInfo->iFirstReg==0 ); + pCol = pAggInfo->aCol; + for(k=0; knColumn; k++, pCol++){ +@@ -116463,6 +116473,10 @@ static void findOrCreateAggInfoColumn( + assert( pParse->db->mallocFailed ); + return; + } ++ if( k>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ k = mxTerm; ++ } + pCol = &pAggInfo->aCol[k]; + assert( ExprUseYTab(pExpr) ); + pCol->pTab = pExpr->y.pTab; +@@ -116496,6 +116510,7 @@ fix_up_expr: + if( pExpr->op==TK_COLUMN ){ + pExpr->op = TK_AGG_COLUMN; + } ++ assert( k <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)k; + } + +@@ -116580,13 +116595,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + ** function that is already in the pAggInfo structure + */ + struct AggInfo_func *pItem = pAggInfo->aFunc; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; ++ assert( mxTerm <= SMXV(i16) ); + for(i=0; inFunc; i++, pItem++){ + if( NEVER(pItem->pFExpr==pExpr) ) break; + if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){ + break; + } + } +- if( i>=pAggInfo->nFunc ){ ++ if( i>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ i = mxTerm; ++ assert( inFunc ); ++ }else if( i>=pAggInfo->nFunc ){ + /* pExpr is original. Make a new entry in pAggInfo->aFunc[] + */ + u8 enc = ENC(pParse->db); +@@ -116640,6 +116661,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + */ + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); + ExprSetVVAProperty(pExpr, EP_NoReduce); ++ assert( i <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)i; + pExpr->pAggInfo = pAggInfo; + return WRC_Prune; diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb index 11f103dddc..6c9f1ed5d9 100644 
--- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb 
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2025-3277.patch \ file://CVE-2025-29088.patch \ + file://CVE-2025-6965.patch \ " SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5"
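Review bot: the new SMXV() and UMXV() macros in sqlite3.c are only well defined for operands narrower than 64 bits, and the comment above them does not say so. For an 8-byte `n`, UMXV shifts an i64 by 64 bits and SMXV shifts a 1 into the sign bit of an i64, both undefined in C. Every use in this patch is on a 16-bit operand (`SMXV(i16)` and `SMXV(pExpr->iAgg)`, which is assigned through an `(i16)` cast), so nothing misbehaves today, but the width restriction belongs in the macro comment.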
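Review bot: in findOrCreateAggInfoColumn(), the `k>mxTerm` branch reports the error, sets `k = mxTerm`, and then falls through to `pCol = &pAggInfo->aCol[k];` instead of returning. That is safe only if aCol[] already holds more than mxTerm entries at that point, which the hunk does not show; a one-line comment stating why the clamped index is in bounds would make this reviewable. The guarantee that mxTerm fits in an i16 also rests on `assert( mxTerm <= SMXV(i16) )`, so it is checked only in builds that keep assert() enabled.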
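Review bot: in the analyzeAggregate() hunk, the context line `for(i=0; inFunc; i++, pItem++){` and the added line `assert( inFunc );` are incomplete as shown, and the same damage appears in `for(k=0; knColumn; k++, pCol++){` in findOrCreateAggInfoColumn(). In each case the text from a `<` up to the following `>` is missing, so these hunks would neither apply nor compile in this form. Compare them against the upstream commit named in Upstream-Status before reusing this text.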
From patchwork Sat Aug 9 14:44:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68281 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 3/6] python3: fix CVE-2025-8194 Date: Sat, 9 Aug 2025 07:44:19 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221678 From: Praveen Kumar There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8194 Upstream-patch: https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe Signed-off-by: Praveen Kumar Signed-off-by: Steve Sakoman --- .../python/python3/CVE-2025-8194.patch | 224 ++++++++++++++++++ .../recipes-devtools/python/python3_3.13.4.bb | 1 + 2 files changed, 225 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2025-8194.patch b/meta/recipes-devtools/python/python3/CVE-2025-8194.patch new file mode 100644 index 0000000000..28653e1843 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-8194.patch 
@@ -0,0 +1,224 @@ +From cdae923ffe187d6ef916c0f665a31249619193fe Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 28 Jul 2025 17:59:33 +0200 +Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member + offsets are non-negative (GH-137027) (#137170) + +gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) +(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38) + +Co-authored-by: Alexander Urieles +Co-authored-by: Gregory P. Smith + +CVE: CVE-2025-8194 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe] + +Signed-off-by: Praveen Kumar +--- + Lib/tarfile.py | 3 + + Lib/test/test_tarfile.py | 156 ++++++++++++++++++ + ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 + + 3 files changed, 162 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 0980f6a..9ff9df6 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1636,6 +1636,9 @@ class TarInfo(object): + """Round up a byte count by BLOCKSIZE and return it, + e.g. _block(834) => 1024. 
+ """ ++ # Only non-negative offsets are allowed ++ if count < 0: ++ raise InvalidHeaderError("invalid offset") + blocks, remainder = divmod(count, BLOCKSIZE) + if remainder: + blocks += 1 +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index ac31be0..7024be4 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -50,6 +50,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2") + xzname = os.path.join(TEMPDIR, "testtar.tar.xz") + tmpname = os.path.join(TEMPDIR, "tmp.tar") + dotlessname = os.path.join(TEMPDIR, "testtar") ++SPACE = b" " + + sha256_regtype = ( + "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" +@@ -4578,6 +4579,161 @@ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + ar.extractall(self.testdir, filter='fully_trusted') + + ++class OffsetValidationTests(unittest.TestCase): ++ tarname = tmpname ++ invalid_posix_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011407" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 6 bytes, version: 2 bytes ++ + tarfile.POSIX_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # devminor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # prefix: 155 bytes ++ + tarfile.NUL * tarfile.LENGTH_PREFIX ++ # padding: 12 bytes ++ + tarfile.NUL * 12 ++ ) ++ invalid_gnu_header = ( ++ # name: 100 bytes ++ tarfile.NUL * 
tarfile.LENGTH_NAME ++ # mode, null terminator: 8 bytes ++ + b"0000755" + tarfile.NUL ++ # uid, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011327" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 8 bytes ++ + tarfile.GNU_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # devminor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # padding: 167 bytes ++ + tarfile.NUL * 167 ++ ) ++ invalid_v7_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0010070" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # padding: 255 bytes ++ + tarfile.NUL * 255 ++ ) ++ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) ++ data_block = b"\xff" * tarfile.BLOCKSIZE ++ ++ def _write_buffer(self, buffer): ++ with open(self.tarname, "wb") as f: ++ f.write(buffer) ++ ++ def _get_members(self, ignore_zeros=None): ++ with open(self.tarname, "rb") as f: ++ with tarfile.open( ++ mode="r", fileobj=f, ignore_zeros=ignore_zeros ++ ) as tar: ++ return tar.getmembers() ++ ++ def _assert_raises_read_error_exception(self): ++ with self.assertRaisesRegex( ++ tarfile.ReadError, "file could not be opened successfully" ++ ): 
++ self._get_members() ++ ++ def test_invalid_offset_header_validations(self): ++ for tar_format, invalid_header in ( ++ ("posix", self.invalid_posix_header), ++ ("gnu", self.invalid_gnu_header), ++ ("v7", self.invalid_v7_header), ++ ): ++ with self.subTest(format=tar_format): ++ self._write_buffer(invalid_header) ++ self._assert_raises_read_error_exception() ++ ++ def test_early_stop_at_invalid_offset_header(self): ++ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header ++ self._write_buffer(buffer) ++ members = self._get_members() ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, 0) ++ ++ def test_ignore_invalid_archive(self): ++ # 3 invalid headers with their respective data ++ buffer = (self.invalid_gnu_header + self.data_block) * 3 ++ self._write_buffer(buffer) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 0) ++ ++ def test_ignore_invalid_offset_headers(self): ++ for first_block, second_block, expected_offset in ( ++ ( ++ (self.valid_gnu_header), ++ (self.invalid_gnu_header + self.data_block), ++ 0, ++ ), ++ ( ++ (self.invalid_gnu_header + self.data_block), ++ (self.valid_gnu_header), ++ 1024, ++ ), ++ ): ++ self._write_buffer(first_block + second_block) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, expected_offset) ++ ++ + def setUpModule(): + os_helper.unlink(TEMPDIR) + os.makedirs(TEMPDIR) +diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +new file mode 100644 +index 0000000..342cabb +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +@@ -0,0 +1,3 @@ ++:mod:`tarfile` now validates archives to ensure member offsets are ++non-negative. 
(Contributed by Alexander Enrique Urieles Nieto in ++:gh:`130577`.) +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3_3.13.4.bb b/meta/recipes-devtools/python/python3_3.13.4.bb index 0a2c41cdce..6823a21cc3 100644 --- a/meta/recipes-devtools/python/python3_3.13.4.bb +++ b/meta/recipes-devtools/python/python3_3.13.4.bb 
@@ -30,6 +30,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ file://0001-Generate-data-for-OpenSSL-3.4-and-add-it-to-multissl.patch \ + file://CVE-2025-8194.patch \ " SRC_URI:append:class-native = " \
From patchwork Sat Aug 9 14:44:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68280 X-Patchwork-Delegate: steve@sakoman.com
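Review bot: in the tarfile tests added by CVE-2025-8194.patch (the python3 patch above), test_early_stop_at_invalid_offset_header shows that an invalid-offset header placed after a valid member ends iteration silently (one member returned, no exception), while test_invalid_offset_header_validations only gets ReadError when the bad header is the first block. The NEWS entry says only that tarfile "now validates archives to ensure member offsets are non-negative"; it should also state that a later invalid header truncates the member list without raising, because callers that treat a clean getmembers() as proof of a complete archive need to know that. Separately, test_ignore_invalid_offset_headers loops over its two orderings without self.subTest(), unlike the validation test, so a failure will not say which ordering broke.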
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 4/6] glibc: stable 2.41 branch updates Date: Sat, 9 Aug 2025 07:44:20 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221679 From: Peter Marko $ git log --oneline 6e489c17f827317bcf8544efefa65f13b5a079dc..e7c419a2957590fb657900fc92a89708f41abd9d e7c419a295 (origin/release/2.41/master, release/2.41/master) iconv: iconv -o should not create executable files (bug 33164) 1e16d0096d posix: Fix double-free after allocation failure in regcomp (bug 33185) Add CVE-2025-8058 to CVE ignore list as this is (bug 33185) commit. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc-version.inc | 2 +- meta/recipes-core/glibc/glibc_2.41.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index a2cfd0f308..881a9cce2c 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.41/master" PV = "2.41+git" -SRCREV_glibc ?= "6e489c17f827317bcf8544efefa65f13b5a079dc" +SRCREV_glibc ?= "e7c419a2957590fb657900fc92a89708f41abd9d" SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https" diff --git a/meta/recipes-core/glibc/glibc_2.41.bb b/meta/recipes-core/glibc/glibc_2.41.bb index 7ddf7f9127..8a65e8ce9f 100644 --- a/meta/recipes-core/glibc/glibc_2.41.bb +++ b/meta/recipes-core/glibc/glibc_2.41.bb 
@@ -17,7 +17,7 @@ Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, m easier access for another. 'ASLR bypass itself is not a vulnerability.'" CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS" -CVE_STATUS_STABLE_BACKPORTS = "CVE-2025-4802 CVE-2025-5702 CVE-2025-5745" +CVE_STATUS_STABLE_BACKPORTS = "CVE-2025-4802 CVE-2025-5702 CVE-2025-5745 CVE-2025-8058" CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash" DEPENDS += "gperf-native bison-native"
From patchwork Sat Aug 9 14:44:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68283 X-Patchwork-Delegate: steve@sakoman.com
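Review bot: the CVE_STATUS_STABLE_BACKPORTS line in glibc_2.41.bb (the glibc patch above) marks CVE-2025-8058 with "fix available in used git hash", which holds only because the same patch moves SRCREV_glibc to e7c419a2957590fb657900fc92a89708f41abd9d in glibc-version.inc. The commit message ties the CVE to "(bug 33185)" but not to a commit; naming 1e16d0096d there would let anyone who later pins or reverts SRCREV_glibc see which revision the status entry depends on.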
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 5/6] gnutls: upgrade 3.8.9 -> 3.8.10 Date: Sat, 9 Aug 2025 07:44:21 -0700 Message-ID: <26207963abdaeb7767e15c5fdb51b8396c80ab71.1754750560.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221680 From: Gyorgy Sarvari Skip compress-cert-conf test when running ptests, because it requires gnutls to be compiled with brotli PACKAGECONFIG, however brotli is not part of oe-core. Changelog: https://gitlab.com/gnutls/gnutls/-/blob/master/NEWS (From OE-Core rev: 2ad41436acdc5f37803ade51c98ae0dc06103e45) Signed-off-by: Gyorgy Sarvari Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-support/gnutls/gnutls/run-ptest | 1 + .../gnutls/{gnutls_3.8.9.bb => gnutls_3.8.10.bb} | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) rename meta/recipes-support/gnutls/{gnutls_3.8.9.bb => gnutls_3.8.10.bb} (97%) diff --git a/meta/recipes-support/gnutls/gnutls/run-ptest b/meta/recipes-support/gnutls/gnutls/run-ptest index 17e26eae70..b7827e1358 100644 --- a/meta/recipes-support/gnutls/gnutls/run-ptest +++ b/meta/recipes-support/gnutls/gnutls/run-ptest
@@ -37,6 +37,7 @@ is_disallowed() { # currently not exported to target. test_disallowlist="" +test_disallowlist="${test_disallowlist} compress-cert-conf" test_disallowlist="${test_disallowlist} dtls-stress" test_disallowlist="${test_disallowlist} handshake-large-cert" test_disallowlist="${test_disallowlist} id-on-xmppAddr" diff --git a/meta/recipes-support/gnutls/gnutls_3.8.9.bb b/meta/recipes-support/gnutls/gnutls_3.8.10.bb similarity index 97% rename from meta/recipes-support/gnutls/gnutls_3.8.9.bb rename to meta/recipes-support/gnutls/gnutls_3.8.10.bb index f2b7ac7bb8..600f23683e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.9.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.10.bb 
@@ -25,7 +25,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://Add-ptest-support.patch \ " -SRC_URI[sha256sum] = "69e113d802d1670c4d5ac1b99040b1f2d5c7c05daec5003813c049b5184820ed" +SRC_URI[sha256sum] = "db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7" inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
From patchwork Sat Aug 9 14:44:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68282 X-Patchwork-Delegate: steve@sakoman.com
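Review bot: the new test_disallowlist entry for compress-cert-conf in run-ptest (the gnutls patch above) carries no explanation in the script; the reason, that the test needs gnutls built with the brotli PACKAGECONFIG and brotli is not part of oe-core, exists only in the commit message. Add a one-line comment above the entry so the skip can be dropped once brotli is available, and so it is clear that the compress-cert-conf test does not run on target in the meantime. For the SRC_URI[sha256sum] change in gnutls_3.8.10.bb, nothing in the patch says where the new value came from; stating in the commit message that it was checked against the upstream release would make the bump easier to audit.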
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 6/6] ca-certificates: correct the SRC_URI Date: Sat, 9 Aug 2025 07:44:22 -0700 Message-ID: <69090e41eb0a8b92e0684d391966f9627bfe5195.1754750560.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 09 Aug 2025 14:44:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221681 From: Jiaying Song The original tarball URL is no longer valid, as it has been moved to an archive location. This update points to the new location. Signed-off-by: Jiaying Song Signed-off-by: Steve Sakoman --- .../recipes-support/ca-certificates/ca-certificates_20241223.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb index bbdc7dd68d..7977e3ae5c 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20241223.bb @@ -15,7 +15,7 @@ DEPENDS:class-nativesdk = "openssl-native" PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03" -SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \ +SRC_URI = "https://snapshot.debian.org/archive/debian/20241223T143500Z/pool/main/c/${BPN}/${BPN}_${PV}.tar.xz \ file://0002-update-ca-certificates-use-SYSROOT.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ file://default-sysroot.patch \
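Review bot: the replacement SRC_URI hard-codes the snapshot timestamp 20241223T143500Z next to ${BPN}_${PV}, so the URL now encodes the version in two places and a later version bump has to change both or the fetch will point at the wrong snapshot. A comment beside SRC_URI, or a variable holding the timestamp, would make that coupling visible. SRC_URI[sha256sum] stays unchanged in the context lines, which is what pins the tarball to the same content as before the move; that is worth stating in the commit message.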