From patchwork Tue Sep 23 11:57:04 2025
X-Patchwork-Submitter: "Mittal, Anuj"
X-Patchwork-Id: 70772
From: Anuj Mittal
To: openembedded-devel@lists.openembedded.org
Subject: [scarthgap][PATCH 01/24] libssh: fix CVE-2025-4878
Date: Tue, 23 Sep 2025 19:57:04 +0800
Message-ID: <71b601e3d721fd8edc0e98b627331e14f8ff7a23.1758626365.git.anuj.mittal@intel.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119690

From: Divya Chellam

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-4878

Upstream-patches:
https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb

Signed-off-by: Divya Chellam
Signed-off-by: Anuj Mittal
---
 .../libssh/libssh/CVE-2025-4878-0001.patch | 2552 +++++++++++++++++
 .../libssh/libssh/CVE-2025-4878-0002.patch | 34 +
 .../recipes-support/libssh/libssh_0.10.6.bb | 2 +
 3 files changed, 2588 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch new file mode 100644 index 0000000000..22f8733a69 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch 
@@ -0,0 +1,2552 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1] + +Signed-off-by: Divya Chellam +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 ++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshd_direct-tcpip.c | 14 ++++----- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 11 ++++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 55 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 12 ++++---- + src/connect.c 
| 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_gcrypt.c | 4 +-- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 +++++++++--------- + src/kex.c | 4 +-- + src/known_hosts.c | 41 ++++++++++++++------------- + src/knownhosts.c | 18 ++++++------ + src/legacy.c | 43 +++++++++++++++------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 24 ++++++++-------- + src/options.c | 18 ++++++------ + src/packet.c | 6 ++-- + src/packet_crypt.c | 2 +- + src/pki.c | 50 ++++++++++++++++---------------- + src/pki_container_openssh.c | 14 ++++----- + src/pki_crypto.c | 8 +++--- + src/pki_ed25519.c | 6 ++-- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 12 ++++---- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 10 +++---- + src/server.c | 23 ++++++++------- + src/session.c | 14 ++++----- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 61 files changed, 340 insertions(+), 324 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 7d0ab81d..a0b2df84 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -105,7 +105,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = 
ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index 2b202b4d..3ca3aa8a 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. 
+ @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc = SSH_ERROR; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f18..60f4087e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index d770f27a..54d97888 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ 
ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8bd..31de7cfc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. 
+ #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 77d3be47..f90df364 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa8..2857a085 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 6fdf8a4f..a332e0d2 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -26,9 +26,9 @@ program. + #define BUF_SIZE 16384 + #endif + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index 159a37e5..25451789 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -35,8 +35,8 @@ clients must be made or how a client should react. 
+ static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -216,11 +216,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -231,7 +232,7 @@ int main(int argc, char **argv){ + + char buf[BUF_SIZE]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -348,4 +349,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index e5b48994..693b040d 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -257,10 +257,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_none_function = auth_none, +@@ -353,4 +354,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c 
b/examples/samplesshd-kbdint.c +index 6608306c..141088c2 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -187,8 +187,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -292,11 +292,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[BUF_SIZE]; + int auth=0; + int shell=0; +@@ -426,4 +427,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index e6c1e796..dcaa2cb7 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -108,7 +108,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[BUF_SIZE]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -167,7 +167,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 21181fb9..78383a2b 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session 
session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5b..896890c3 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -53,7 +53,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -252,7 +252,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -324,7 +324,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -408,7 +408,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + ssh_init(); + session = ssh_new(); +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index b0e29796..152377e9 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -358,7 +358,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[BUF_SIZE]; + int blocking; +@@ -452,8 +452,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; 
+ int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -496,8 +496,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -665,8 +665,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 59b0a289..8a1153a6 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -39,7 +39,7 @@ clients must be made or how a client should react. 
+ #define BUF_SIZE 4096 + #endif + +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -193,7 +193,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -246,7 +246,7 @@ void cleanup_pcap(void) + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 6e3d7d79..c81b0805 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -424,8 +424,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free comment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -494,10 +495,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 4feb6558..98022311 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -195,8 +195,9 @@ static int ssh_userauth_get_response(ssh_session session) + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1398,7 +1399,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + 
const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index a91e6747..c331006a 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -132,8 +132,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -251,7 +252,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -475,7 +476,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 27c42c95..ed42cbe3 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_bind bind, + uint8_t *seen, + unsigned int depth) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -626,7 +626,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index 8991e006..62fda334 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -371,7 +371,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct 
*buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -925,7 +926,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -934,7 +935,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1093,7 +1094,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 2cd23854..354a0d26 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -42,7 +42,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index ab6915a2..8290dbd1 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -165,7 +165,7 @@ uint32_t ssh_channel_new_id(ssh_session session) + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel 
channel = NULL; + int rc; + (void)type; + (void)user; +@@ -226,7 +226,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -386,7 +386,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -471,7 +471,7 @@ error: + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -493,7 +493,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -632,7 +632,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -676,8 +676,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel) + return false; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -902,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, uint32_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -1041,7 +1042,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel) + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session 
session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1179,7 +1180,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1280,7 +1281,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1341,7 +1342,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1437,7 +1438,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1694,7 +1695,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1724,7 +1725,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. 
+ */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1863,7 +1864,7 @@ error: + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2174,7 +2175,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2838,7 +2839,7 @@ error: + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + char *buffer_tmp = NULL; + int r; + uint32_t total=0; +@@ -2979,7 +2980,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -3103,7 +3104,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t to_read; + int rc; + int blocking; +@@ -3213,8 +3214,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr) + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3341,7 +3342,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, + ssh_channel *wout, ssh_channel *eout) + { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3422,7 +3423,7 @@ static size_t 
count_ptrs(ssh_channel *ptrs) + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) + { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3615,7 +3616,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3679,7 +3680,7 @@ error: + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index e912090e..0cfca1c4 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -748,7 +748,7 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message) + void + ssh_disconnect(ssh_session session) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index c5c40125..d4d8d419 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -203,7 +203,7 @@ local_parse_file(ssh_session session, + unsigned int depth, + bool global) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1201,7 +1201,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + bool global = 0; + +diff --git a/src/config_parser.c b/src/config_parser.c +index b8b94611..e55c76d0 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -39,8 +39,8 @@ + */ + char 
*ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -67,7 +67,7 @@ out: + */ + char *ssh_config_get_token(char **str) + { +- register char *c; ++ register char *c = NULL; + bool had_equal = false; + char *r = NULL; + +@@ -116,7 +116,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -133,7 +133,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -145,7 +145,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index 15cae644..2d09af5e 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -194,8 +194,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 56716749..6632cca1 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -637,8 +637,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 9ff7ad3c..4dd9b507 100644 +--- a/src/dh_crypto.c ++++ 
b/src/dh_crypto.c +@@ -404,7 +404,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index 3d9d426f..73fcd50f 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5b..56dcfb6d 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 6be33c77..c19c4bc0 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -46,7 +46,7 @@ + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -78,7 +78,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index 5325ac72..fd7b25af 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -196,7 +196,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set 
both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -341,7 +341,7 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + { + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -359,9 +359,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -385,7 +386,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -507,7 +508,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -670,7 +671,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -866,11 +867,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s) + + 
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ + int rc; +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -987,10 +988,11 @@ static int ssh_gssapi_send_mic(ssh_session session) + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ + int rc; +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index fbc70cf4..ecfc0120 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -330,7 +330,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -762,7 +762,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 84e15572..f660a6f3 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -79,8 +79,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[MAX_LINE_SIZE] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -149,7 +149,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer 
pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -205,11 +205,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match, rc; + size_t size; + +@@ -304,14 +304,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -443,12 +443,13 @@ int ssh_is_server_known(ssh_session session) + * @deprecated Please use ssh_session_export_known_hosts_entry() + * @brief This function is deprecated. 
+ */ +-char * ssh_dump_knownhost(ssh_session session) { ++char *ssh_dump_knownhost(ssh_session session) ++{ + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; +- char *buffer; +- char *b64_key; ++ char *host = NULL; ++ char *hostport = NULL; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +514,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 9f978096..109b4f06 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -61,7 +61,7 @@ static int hash_hostname(const char *name, + size_t *hash_size) + { + int rc; +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -81,8 +81,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -229,7 +229,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[MAX_LINE_SIZE]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -288,7 +288,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -312,8 +312,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) 
+ { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -537,7 +537,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -645,7 +645,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + char *save_tok = NULL; + enum ssh_keytypes_e key_type; + int match = 0; +diff --git a/src/legacy.c b/src/legacy.c +index 7b165dbe..7359040c 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -389,10 +389,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -434,8 +435,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -510,7 +511,7 @@ void privatekey_free(ssh_private_key prv) { + + 
ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -543,9 +544,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -579,9 +581,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -624,11 +627,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -695,9 +698,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index caa3b6e9..422d5ae2 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -133,7 +133,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ 
mbedtls_cipher_context_t *ctx = NULL; + size_t key_bitlen = 0; + size_t iv_size = 0; + int rc; +diff --git a/src/log.c b/src/log.c +index 5bae18b8..fabbe945 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -44,7 +44,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions +diff --git a/src/messages.c b/src/messages.c +index 3f969536..6dadabf0 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -479,7 +479,7 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,7 +694,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ 
SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occurred. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 7081f12a..f371f332 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -393,7 +393,7 @@ int ssh_is_ipaddr(const char *str) + + char *ssh_lowercase(const char* str) + { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -447,7 +447,7 @@ char *ssh_hostport(const char *host, int port) + char *ssh_get_hexa(const unsigned char *what, size_t len) + { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -716,7 +716,7 @@ struct ssh_list *ssh_list_new(void) + + void ssh_list_free(struct ssh_list *list) + { +- struct ssh_iterator *ptr, *next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if (!list) + return; + ptr = list->root; +@@ -737,7 +737,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list) + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + for (it = ssh_list_get_iterator(list); it != NULL ; it = it->next) + if (it->data == value) +@@ -826,7 +826,7 @@ int ssh_list_prepend(struct ssh_list *list, 
const void *data) + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator) + { +- struct ssh_iterator *ptr, *prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -967,7 +967,7 @@ char *ssh_dirname (const char *path) + char *ssh_basename (const char *path) + { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1105,8 +1105,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + */ + char *ssh_path_expand_tilde(const char *d) + { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1121,7 +1121,7 @@ char *ssh_path_expand_tilde(const char *d) + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1182,7 +1182,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1335,8 +1335,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 38511455..b641b34f 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -67,7 +67,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + struct ssh_list *list = NULL; + char *id = NULL; +@@ -499,8 +499,8 @@ int ssh_options_set_algo(ssh_session session, + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) + { +- const char *v; +- char *p, *q; ++ const char *v = 
NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1170,7 +1170,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1192,7 +1192,7 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + break; + } + case SSH_OPTIONS_IDENTITY: { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + it = ssh_list_get_iterator(session->opts.identity); + if (it == NULL) { + it = ssh_list_get_iterator(session->opts.identity_non_exp); +@@ -1445,7 +1445,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) + { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1491,7 +1491,7 @@ out: + + int ssh_options_apply(ssh_session session) + { +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -2204,7 +2204,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2310,7 +2310,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index ea73f9ad..4b4d0dc3 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1430,8 +1430,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel 
channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1894,7 +1894,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index fe3f489e..96e9586c 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -262,7 +262,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + size_t hmaclen = DIGEST_MAX_LEN; + uint32_t seq; + int cmp; +diff --git a/src/pki.c b/src/pki.c +index a7c84c5e..cf4176fb 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -369,7 +369,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -729,7 +729,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -821,7 +821,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -944,8 +944,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat 
sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +@@ -1046,7 +1046,7 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + void *auth_data, + const char *filename) + { +- ssh_string blob; ++ ssh_string blob = NULL; + FILE *fp; + int rc; + +@@ -1093,8 +1093,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + /* temporary function to migrate seamlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if (key == NULL) { + return NULL; +@@ -1131,7 +1131,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) + { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = calloc(1, sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1521,9 +1521,9 @@ static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) + { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -2067,7 +2067,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -2105,7 +2105,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -2135,8 +2135,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ 
ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -2175,9 +2175,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[MAX_LINE_SIZE]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2238,7 +2238,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2273,7 +2273,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2337,7 +2337,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + uint8_t flags = 0; + uint32_t counter = 0; +@@ -2697,9 +2697,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 4314c5b7..f2776c2c 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char 
*end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -538,14 +538,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + { + ssh_buffer buffer; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index aec49544..0fc69121 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -382,7 +382,7 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e) + #else + int rc; + const char *group_name = OSSL_EC_curve_nid2name(nid); +- OSSL_PARAM_BLD *param_bld; ++ OSSL_PARAM_BLD *param_bld = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + key->ecdsa_nid = nid; +@@ -2299,7 +2299,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -2616,8 +2616,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 6a5a4a8a..0674fb63 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int 
pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index bdc6f6bb..59a3b03c 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index 418a46b3..cb4de325 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1882,9 +1882,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2054,8 +2054,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_SK_ECDSA: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index cb9d3228..01813702 100644 +--- a/src/pki_mbedcrypto.c ++++ 
b/src/pki_mbedcrypto.c +@@ -1078,9 +1078,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -1234,9 +1234,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: + case SSH_KEYTYPE_SK_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 8f81c11c..d0f9726d 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -560,8 +560,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) + { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -862,7 +862,7 @@ ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) + { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -932,7 +932,7 @@ int ssh_event_add_session(ssh_event event, ssh_session session) + { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1079,7 +1079,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; 
+ #endif + + if (event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index 70b90899..89f8d8b0 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -219,9 +219,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -286,8 +287,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -723,8 +724,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + * + * @returns SSH_OK when success otherwise SSH_ERROR + */ +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1132,8 +1134,9 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + * + * @returns SSH_OK on success, otherwise SSH_ERROR + */ +-int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) ++{ ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 8c509699..0e0f622b 100644 
+--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -280,7 +280,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -291,7 +291,7 @@ void ssh_free(ssh_session session) + } + + if (session->opts.identity_non_exp) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp); + id != NULL; +@@ -1157,7 +1157,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h = NULL; + int rc; + +@@ -1169,7 +1169,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1201,7 +1201,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1233,7 +1233,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e16..528ef6f9 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes 
attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index 44403487..0ab9310c 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The null byte is not copied nor counted in the output string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. 
+ */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da600418..e63635e7 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index d317dc4c..43bf2137 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -152,7 +152,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + + struct ssh_crypto_struct *crypto_new(void) + { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch new file mode 100644 index 0000000000..2c280d258d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch 
@@ -0,0 +1,34 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid + NULL pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb] + +Signed-off-by: Divya Chellam +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index 7359040c..f73ef6cc 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -452,7 +452,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 48cb47d4c0..6932da5175 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb 
@@ -14,6 +14,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-5351.patch \ file://CVE-2025-5372.patch \ file://CVE-2025-4877.patch \ + file://CVE-2025-4878-0001.patch \ + file://CVE-2025-4878-0002.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Tue Sep 23 11:57:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70767 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4AB95CAC5A7 for ; Tue, 23 Sep 2025 11:57:52 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=M+bzEifa; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628665; x=1790164665; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=VYoqVT4u0ExckCOF8KXv7+FdGTR1DEQD+IIYxyXAHv8=; b=M+bzEifa4zHQAnjgXnIVHkEOizhssJ4n/M1uazHqEspivmqgTpdsq6Gl Xizs62E2G0Y3BKolwTuA+BZckoIFWRCiAOz0sTEirWDyXau/ZFsWlPS7f aiYOHzMnIYztLTDZYtlmCFEI3wehokh9iSExmd4S5N4l2VsszpvXCF/6T sFCDpOgKPnphYBiUi8c+1oGl4iM6cCtMkj5Noqdreui8y9fDCbSVntYF8 bZNAqWHjL0Ap8zPcTv8FtW4R2UcONp2CurF0DRjhbGEgq+3uHpr+iEDap RN3MORM3MmIJnLXI0ueKDQuV/TT8O/mNsVHWYOWX+32OeMQWaoYrQ5LG/ g==; X-CSE-ConnectionGUID: j05V/HaKS02sUn3fa5lSmA== X-CSE-MsgGUID: 826gE+w7Q4G3cpUbQCe7yQ== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821777" X-IronPort-AV: 
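Review bot: CVE-2025-4878-0001.patch is a tree-wide initialization sweep, not a targeted fix, and the visible hunks show it is not exhaustive: the context lines still carry `ssh_buffer buffer;` in ssh_pki_openssh_privkey_export() and `ssh_poll_handle p;` in ssh_event_add_fd() and ssh_event_add_session() without an initializer. It also includes formatting-only changes (brace placement in src/server.c, the `privkey_buffer=NULL` spacing in src/pki_container_openssh.c) and a dead store in pki_ed25519_sign(), where `buffer = NULL` is overwritten by malloc() on the next statement. None of this should be altered in a backport, but the commit message would be clearer if it said that 0002 is the change that touches privatekey_from_file() directly (`rc != SSH_OK`) and that 0001 is upstream hardening taken verbatim, which explains why a 2552-line patch accompanies a CVE that names one function.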
E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821777" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:44 -0700 X-CSE-ConnectionGUID: AIdW1BD3TI2s3XJMvhtIKA== X-CSE-MsgGUID: hm17l6gbRfCF3WdhsM8BTQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875125" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:43 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 02/24] libssh: fix CVE-2025-5987 Date: Tue, 23 Sep 2025 19:57:05 +0800 Message-ID: <3702195a7ebb1947c8dfc9bba1196d6b42ae6253.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:57:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119691 From: Divya Chellam A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5987 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57 Signed-off-by: Divya Chellam 
Signed-off-by: Anuj Mittal --- .../libssh/libssh/CVE-2025-5987.patch | 37 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch new file mode 100644 index 0000000000..08395e0e7d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch @@ -0,0 +1,37 @@ +From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:51:41 +0200 +Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha + initialization + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-5987 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57] + +Signed-off-by: Divya Chellam +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 76e067d3..69a850de 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); + goto out; + } +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 6932da5175..bf91e69bc8 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb 
@@ -16,6 +16,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-4877.patch \ file://CVE-2025-4878-0001.patch \ file://CVE-2025-4878-0002.patch \ + file://CVE-2025-5987.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Tue Sep 23 11:57:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70766 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E131CAC5B0 for ; Tue, 23 Sep 2025 11:57:52 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=U2fUo6XL; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628666; x=1790164666; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=lgNunmlrimhOW5oeFQQmWuYeuSyYqp1fpi2hh+kJbY8=; b=U2fUo6XL3/Zgc5EUZpozWoaKD3BqOlxp0wv3EtjV+AHqkqA127J7R44Y Str287PzyVhhFNZag4b2armTB9U/ztdWuaFAkD+8aSjacHG58wFzsPAJO c+AfkpbtTtcEQq/nAIEoUZWF9kOkia9bZchTr5YWpHMd/3zJ5KqDpFonI fft1xiqAcQ3lAK8uTIOquuPVPzrBa81s7HHUjjqfx/3K7UnTcPmjSlk7p WxXZCjITgbuSoys3rmXl6vT0AgULmWyO6sSG5ViXyIDpGrxVfwV0D5Cki FqJ4vTFZPN/byH30q3j3UOJCYHmQiJtrUelMFUwA75xbdwC9liyKzn71f g==; X-CSE-ConnectionGUID: nJXpCJS8Qk6aUAwbNpO+2w== X-CSE-MsgGUID: bkiuLtusRdWocAot7ZZvFA== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821778" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821778" 
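Review bot: in the src/libcrypto.c hunk for chacha20_poly1305_set_key(), the result of EVP_EncryptInit_ex() is now stored in `rv`, but no declaration of `rv` appears in the hunk, and the upstream link in the commit message points at stable-0.11 while this recipe builds 0.10.6. Please confirm that `rv` is already declared in this function at the recipe's SRCREV, that the patch applies without fuzz, and that no other OpenSSL call in the function still assigns its 1/0 result to `ret`, since that is the aliasing with SSH_OK that the CVE text describes. The unchanged log string still reads "EVP_CipherInit failed" for an EVP_EncryptInit_ex() call; that is an upstream nit and should stay as it is in a backport.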
Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:46 -0700 X-CSE-ConnectionGUID: 8ebPkiwqTv2CEALwU1r6VQ== X-CSE-MsgGUID: 2a1jdbNAQguhZClrc2AwUA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875127" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:45 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 03/24] nodejs: fix build with gcc-15 on host Date: Tue, 23 Sep 2025 19:57:06 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:57:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119692 From: Martin Jansa Signed-off-by: Martin Jansa Signed-off-by: Anuj Mittal --- .../0001-src-fix-build-with-GCC-15.patch | 33 +++++++++++++++++++ .../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch new file mode 100644 index 0000000000..9d09f4f482 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch 
@@ -0,0 +1,33 @@ +From bade7a1866618b9e46358b839fe5fdf16b1db2be Mon Sep 17 00:00:00 2001 +From: tjuhaszrh +Date: Sat, 25 Jan 2025 10:34:54 +0100 +Subject: [PATCH] src: fix build with GCC 15 + +Added cstdint to worker_inspector as on more recent version of gcc +the build was failing due to changes to libstdc++ and the removal +of transitive includes. + +PR-URL: https://github.com/nodejs/node/pull/56740 +Fixes: https://github.com/nodejs/node/issues/56731 +Reviewed-By: Antoine du Hamel +Reviewed-By: Chengzhong Wu +Reviewed-By: Richard Lau +Reviewed-By: James M Snell + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/bade7a1866618b9e46358b839fe5fdf16b1db2be] +--- + src/inspector/worker_inspector.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/inspector/worker_inspector.h b/src/inspector/worker_inspector.h +index d3254d5aa0ebe4..24403bb1704c40 100644 +--- a/src/inspector/worker_inspector.h ++++ b/src/inspector/worker_inspector.h +@@ -5,6 +5,7 @@ + #error("This header can only be used when inspector is enabled") + #endif + ++#include + #include + #include + #include diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb index bef62f88eb..8af90e782a 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb 
@@ -27,6 +27,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://libatomic.patch \ file://182d9c05e78.patch \ file://zlib-fix-pointer-alignment.patch \ + file://0001-src-fix-build-with-GCC-15.patch \ file://run-ptest \ " SRC_URI:append:class-target = " \ From patchwork Tue Sep 23 11:57:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70769 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66174CAC5B1 for ; Tue, 23 Sep 2025 11:57:52 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=R+jpHSKM; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628667; x=1790164667; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Udz5wXcaohqfl7g4PeO94kt5kpp7+xugAGyd6ke9NeA=; b=R+jpHSKMaaW7I+DfEwoozk079Ee+tztOaINJFvmuxJd87iUJBoesdUe5 +KpLXGHKZrUhGMNEp5eWL3w5ENBG+YLldR4tqNBHtYZKzOlcuPhhOAAE5 O/rIeLjmYlbKirdJUhkFXHoaOdzi6RCDMPlQPMyiBPI5yLzR4HrB1k4iX TeWeblQHrVfeEwffCdeNZ8jUCLpBmyH2um6KTUofOnF5i55cQsPc3BdHL 38ShKg1LY9leTXcRYQEsWI6MyQFVMH0tZ5W9O9z72BNSpJP7NmMvC8lrW YuCVyTf1g0iZhMwrdfWMxVCfU8T9CY9HEnbBeYC+nmqy1A1PECyQEcIIl w==; X-CSE-ConnectionGUID: UfqEluUZSW6R3rDxAw/2lg== X-CSE-MsgGUID: C4wjJghjR9GJzXf7zI/E9Q== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821779" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821779" 
Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:47 -0700 X-CSE-ConnectionGUID: 6OdYiceUQ/GS9LC5KCnJyg== X-CSE-MsgGUID: FSbYLiLfTE+WrcGKzmakGA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875128" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:46 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 04/24] iperf3: fix CVE-2025-54350 Date: Tue, 23 Sep 2025 19:57:07 +0800 Message-ID: <92730597e96a9fc49d6dd7ea3936947127a97bb8.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:57:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119693 From: Zhang Peng CVE-2025-54350: In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion failure and application exit upon a malformed authentication attempt. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2025-54350] Upstream patches: [https://github.com/esnet/iperf/commit/4eab661da0bbaac04493fa40164e928c6df7934a] Signed-off-by: Zhang Peng Signed-off-by: Anuj Mittal --- .../iperf3/iperf3/CVE-2025-54350.patch | 39 +++++++++++++++++++ .../recipes-benchmark/iperf3/iperf3_3.18.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch new file mode 100644 index 0000000000..e6de0e810c --- /dev/null 
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch @@ -0,0 +1,39 @@ +From 4cd6c8e85376a33bddd01fac143e27436d41f2b9 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" +Date: Tue, 24 Jun 2025 15:58:21 -0700 +Subject: [PATCH] Prevent crash due to assertion failures on malformed + authentication attempt. + +Reported by Han Lee (Apple Information Security) +CVE-2025-54350 + +CVE: CVE-2025-54350 +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4eab661da0bbaac04493fa40164e928c6df7934a] +Signed-off-by: Zhang Peng +--- + src/iperf_auth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/iperf_auth.c b/src/iperf_auth.c +index 86b4eba..632f03d 100644 +--- a/src/iperf_auth.c ++++ b/src/iperf_auth.c +@@ -28,7 +28,6 @@ + #include "iperf_config.h" + + #include +-#include + #include + #include + /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */ +@@ -152,7 +151,6 @@ int Base64Decode(const char* b64message, unsigned char** buffer, size_t* length) + + BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer + *length = BIO_read(bio, *buffer, strlen(b64message)); +- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong + BIO_free_all(bio); + + return (0); //success +-- +2.50.0 + diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb index e96d5f084b..7fb2c52d08 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb 
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ file://0001-configure.ac-check-for-CPP-prog.patch \ file://CVE-2025-54349.patch \ + file://CVE-2025-54350.patch \ " SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c" From patchwork Tue Sep 23 11:57:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70768 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E414CAC5B3 for ; Tue, 23 Sep 2025 11:57:52 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=OlA4+FhB; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628669; x=1790164669; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=QBk1K7H2xV87CbfJAQT0tm8edZxJfqIVl1BU6enHiso=; b=OlA4+FhBh+RTA/DpkmHQiguRMHQZvZe3q4vRse9qvUcPOtcZlQunDr7I SxaHEZtc3e9wKkCoBBq8XFtV+eTKn5d8AUIn1t/QabGpX5H/GV7XOVPUG G0dzFa112O+Hxx7lkmc4w2VSqi4pbp2cyJP+KOfgDpRjO87jMYj/SxZ3N NQlosQ3hG2rGi38eNKuTRcph98ezIa/XY3lcvCMNlxdEHl1uCYMqrNdwZ Ul0+2TLOeXg4YZmQB+HIV05e9G5eeqTDBIB8Bh5gabVAWyryojzxv2Aia 01YYQ9et8x79hXgwqWX24YJ7ah8gj3LLLjrD1rjv9bNeVLa1V2ZqInQY6 Q==; X-CSE-ConnectionGUID: EaqsVweAQ+a3nnjnwddDuw== X-CSE-MsgGUID: EYrO1ph1SLer8KL0EKJCMw== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821780" X-IronPort-AV: 
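Review bot: in the Base64Decode() hunk of src/iperf_auth.c, removing the assert leaves `*length = BIO_read(...)` unchecked while the function still ends in `return (0); //success`. BIO_read() returns an int that is zero or negative on failure and `length` is a `size_t*`, so a failed or short decode is reported to the caller as success, with a wrapped length in the negative case. The change does stop the exit on a malformed authentication attempt, but it is worth confirming that the callers in iperf_auth.c validate the decoded length before using the buffer, and saying so in the commit message.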
E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821780" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:49 -0700 X-CSE-ConnectionGUID: rgP8a1hpTIit3cRQGlE0ZQ== X-CSE-MsgGUID: Z6JMeDiWRFiPp48jPuOR+A== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875129" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:48 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 05/24] python3-posix-ipc: fix runtime error Date: Tue, 23 Sep 2025 19:57:08 +0800 Message-ID: <40db628f58f6d786bbc24cf8438c17f223eb65d7.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:57:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119694 From: Haixiao Yan Fix follow runtime error: ./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max) Signed-off-by: Haixiao Yan Signed-off-by: Anuj Mittal --- ...ndle-runtime-errors-and-return-None-.patch | 47 +++++++++++++++++++ .../python/python3-posix-ipc_1.2.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch 
diff --git a/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch b/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch new file mode 100644 index 0000000000..e84345a397 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch 
@@ -0,0 +1,47 @@ +From b079074048bc33b206b21f73fecb8173cf8adaf0 Mon Sep 17 00:00:00 2001 +From: Haixiao Yan +Date: Mon, 15 Sep 2025 21:15:45 +0800 +Subject: [PATCH] build_support: handle runtime errors and return None for + invalid max_priority + +When cross-compiling, test binaries may fail to execute on the host system if +the target toolchain was built against a newer glibc version than what is +available on the host. + +For example, on Ubuntu 20.04 the following error occurs: + +./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version +`GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max) + +This change ensures that such runtime errors are gracefully handled, and +max_priority is set to None when the test binary cannot be executed. + +Upstream-Status: Pending + +Signed-off-by: Haixiao Yan +--- + build_support/discover_system_info.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/build_support/discover_system_info.py b/build_support/discover_system_info.py +index f6e6c8cbe6ba..4fec48b5529d 100644 +--- a/build_support/discover_system_info.py ++++ b/build_support/discover_system_info.py +@@ -75,8 +75,12 @@ def compile_and_run(filename, linker_options=""): + if does_build_succeed(filename, linker_options=""): + try: + s = subprocess.Popen(["./build_support/src/%s" % filename[:-2]], +- stdout=subprocess.PIPE).communicate()[0] +- return s.strip().decode() ++ stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ stdout, stderr = s.communicate() ++ if s.returncode != 0: ++ # runtime error ++ return None ++ return stdout.strip().decode() + except Exception: + # execution resulted in an error + return None +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb b/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb index 8147e4108b..cad1403813 100644 --- a/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb 
+++ b/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb 
@@ -12,5 +12,6 @@ SRC_URI += " \ file://0001-build_support-use-source-filename-instead-of-foo-for.patch \ file://0002-build_support-handle-empty-max_priority-value-as-Non.patch \ file://0003-build_support-use-does_build_succeed-in-compile_and_.patch \ + file://0004-build_support-handle-runtime-errors-and-return-None-.patch \ " inherit pypi python_setuptools_build_meta
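Review bot: in the compile_and_run hunk of the added 0004-build_support-handle-runtime-errors-and-return-None-.patch, stderr is now piped but the captured text is thrown away when s.returncode is non-zero, so the loader message that motivated the change (version `GLIBC_2.34' not found) no longer reaches the build log and max_priority quietly becomes None. Suggest printing or logging stderr before the new "return None" so a skipped probe stays visible in do_compile output. The context line "if does_build_succeed(filename, linker_options=""):" also passes an empty string instead of the caller's linker_options; worth confirming that is intended. More generally, a probe binary that does happen to run on the build host reports the host's value rather than the target's, so the recipe may want to pin the value for cross builds instead of relying on this fallback.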
From: Anuj Mittal
To: openembedded-devel@lists.openembedded.org
Subject: [scarthgap][PATCH 06/24] wxwidgets: upgrade 3.2.1 -> 3.2.6
Date: Tue, 23 Sep 2025 19:57:09 +0800
Message-ID: <8bdec6baaa76c0b38260947ccc453000aeb02f31.1758626365.git.anuj.mittal@intel.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119695

From: Yi Zhao

ChangeLog:
https://raw.githubusercontent.com/wxWidgets/wxWidgets/v3.2.6/docs/changes.txt

* Drop 0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch as it has been merged upstream
* Refresh patches
* Add UPSTREAM_CHECK_GITTAGREGEX

Signed-off-by: Yi Zhao
Signed-off-by: Khem Raj
(master rev: 903ed68669550ccae20bcd0c18c26d0c336da810)
Signed-off-by: Zhang Peng
Signed-off-by: Anuj Mittal --- ...using-glibc-specific-defines-on-musl.patch | 26 -------------- ...able-cross-magic-it-does-not-work-fo.patch | 8 ++--- ...tch => 0002-fix-libdir-for-multilib.patch} | 35 ++++++++++++------- ...003-create-links-with-relative-path.patch} | 22 ++++++++---- ...-not-append-system-name-to-lib-name.patch} | 12 +++++-- ...5-wx-config-fix-libdir-for-multilib.patch} | 29 +++++++++------ ...-l.patch => 0006-Fix-locale-on-musl.patch} | 18 ++++++++-- ...E_LARGEFILE_SUPPORT-to-1-explicitly.patch} | 9 ++--- ...{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} | 17 ++++----- 9 files changed, 100 insertions(+), 76 deletions(-) delete mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{fix-libdir-for-multilib.patch => 0002-fix-libdir-for-multilib.patch} (82%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{create-links-with-relative-path.patch => 0003-create-links-with-relative-path.patch} (72%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{not-append-system-name-to-lib-name.patch => 0004-don-not-append-system-name-to-lib-name.patch} (73%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{wx-config-fix-libdir-for-multilib.patch => 0005-wx-config-fix-libdir-for-multilib.patch} (74%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{musl-locale-l.patch => 0006-Fix-locale-on-musl.patch} (70%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch => 0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch} (83%) rename meta-oe/recipes-extended/wxwidgets/{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} (90%) diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch deleted file mode 100644 index 52f4449339..0000000000 
--- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 72c3b7324f00047e6dc5d8380ed2f6ff2494a6f9 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sun, 18 Dec 2022 14:51:34 -0800 -Subject: [PATCH] locale: Avoid using glibc specific defines on musl - -musl does not provide some glibc-only enum members e.g. _NL_ADDRESS_LANG_NAME - -Upstream-Status: Submitted [https://github.com/wxWidgets/wxWidgets/pull/23050] -Signed-off-by: Khem Raj ---- - src/unix/uilocale.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/unix/uilocale.cpp b/src/unix/uilocale.cpp -index 57773e17f5..86816ba896 100644 ---- a/src/unix/uilocale.cpp -+++ b/src/unix/uilocale.cpp -@@ -619,7 +619,7 @@ wxString - wxUILocaleImplUnix::GetLocalizedName(wxLocaleName name, wxLocaleForm form) const - { - wxString str; --#if defined(HAVE_LANGINFO_H) && defined(__LINUX__) -+#if defined(HAVE_LANGINFO_H) && defined(__LINUX__) && defined(__GLIBC__) - switch (name) - { - case wxLOCALE_NAME_LOCALE: diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch index b3b9e79c53..a3b8d0c0ee 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch @@ -1,4 +1,4 @@ -From a071243763f4b06fc7e71f541c49cecf380b6f27 Mon Sep 17 00:00:00 2001 +From 8f582c0ea40ccdb2d439b7614459d752f3606e15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20M=C3=BCller?= Date: Sun, 11 Oct 2020 22:16:55 +0200 Subject: [PATCH] wx-config.in: Disable cross magic - it does not work for us @@ -18,10 +18,10 @@ Signed-off-by: Andreas Müller 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/wx-config.in b/wx-config.in -index d132e3182f..d0d162e8a3 100755 +index 4df8571d28..1173d89685 100755 --- a/wx-config.in +++ b/wx-config.in -@@ -396,7 +396,7 @@ get_mask() +@@ -394,7 +394,7 @@ get_mask() } # Returns true if this script is for a cross compiled config. @@ -31,5 +31,5 @@ index d132e3182f..d0d162e8a3 100755 # Determine the base directories we require. -- -2.26.2 +2.25.1 diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch similarity index 82% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch index ea204ed3b1..b599f38871 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch @@ -1,12 +1,18 @@ -wxWidgets hardcodes libdir with 'lib' and does not support multilib which will -change it. Respect variable wxPLATFORM_LIB_DIR to support libdir be configurable. +From 9487fe5cd271a4bee96ab590509ef38f6972887a Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] fix libdir for multilib + +wxWidgets hardcodes libdir with 'lib' and does not support multilib +which will change it. Respect variable wxPLATFORM_LIB_DIR to support +libdir be configurable. Upstream-Status: Pending Signed-off-by: Kai Kang -Rebase for wxWidgets 3.2.1. Replace wxPLATFORM_LIB_DIR with LIB_SUFFIX in this -patch that LIB_SUFFIX has been passed to cmake in cmake.bbclass. +Rebase for wxWidgets 3.2.1. Replace wxPLATFORM_LIB_DIR with LIB_SUFFIX +in this patch that LIB_SUFFIX has been passed to cmake in cmake.bbclass. Signed-off-by: Kai Kang --- @@ -17,36 +23,36 @@ Signed-off-by: Kai Kang 4 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/CMakeLists.txt b/CMakeLists.txt -index a49ecd3883..d469471f38 100644 +index f6ae7f6210..2a13e448db 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -45,7 +45,7 @@ include(build/cmake/policies.cmake NO_POLICY_SCOPE) # Initialize variables for quick access to wx root dir in sub dirs set(wxSOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}) - set(wxBINARY_DIR ${CMAKE_BINARY_DIR}) + set(wxBINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}) -set(wxOUTPUT_DIR ${wxBINARY_DIR}/lib) +set(wxOUTPUT_DIR ${wxBINARY_DIR}/lib${LIB_SUFFIX}) # parse the version number from wx/version.h and include in wxMAJOR_VERSION and wxMINOR_VERSION file(READ "${wxSOURCE_DIR}/include/wx/version.h" WX_VERSION_H_CONTENTS) diff --git a/build/cmake/config.cmake b/build/cmake/config.cmake -index b359560bc0..c59ea60923 100644 +index addd8d6b81..9ec677534b 100644 --- a/build/cmake/config.cmake +++ b/build/cmake/config.cmake -@@ -76,7 +76,7 @@ function(wx_write_config_inplace) +@@ -100,7 +100,7 @@ function(wx_write_config_inplace) execute_process( COMMAND "${CMAKE_COMMAND}" -E ${COPY_CMD} -- "${CMAKE_CURRENT_BINARY_DIR}/lib/wx/config/inplace-${TOOLCHAIN_FULLNAME}" -+ "${CMAKE_CURRENT_BINARY_DIR}/lib${LIB_SUFFIX}/wx/config/inplace-${TOOLCHAIN_FULLNAME}" - "${CMAKE_CURRENT_BINARY_DIR}/wx-config" +- "${wxBINARY_DIR}/lib/wx/config/inplace-${TOOLCHAIN_FULLNAME}" ++ "${wxBINARY_DIR}/lib${LIB_SUFFIX}/wx/config/inplace-${TOOLCHAIN_FULLNAME}" + "${wxBINARY_DIR}/wx-config" ) endfunction() diff --git a/build/cmake/functions.cmake b/build/cmake/functions.cmake -index 7182364e5e..55fbebc7ee 100644 +index 72a34f0b4f..81ede7d8ae 100644 --- a/build/cmake/functions.cmake +++ b/build/cmake/functions.cmake -@@ -435,8 +435,8 @@ macro(wx_add_library name) +@@ -462,8 +462,8 @@ macro(wx_add_library name) endif() wx_install(TARGETS ${name} EXPORT wxWidgetsTargets @@ -105,3 +111,6 @@ index 384c6837b8..d3303faabb 100644 ) # uninstall target +-- +2.25.1 + 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch similarity index 72% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch index 6eef0b6790..dbede0304f 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch 
@@ -1,18 +1,23 @@ +From b86806ef34d4c9171165c1533064bf34ad822e20 Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] create links with relative path + It fails to build python3-wxgtk4 which depends on wxwidgets: | ERROR: wxwidgets-native-3.2.1-r0 do_populate_sysroot: sstate found an absolute path symlink /path/to/build/tmp-glibc/work/x86_64-linux - /wxwidgets-native/3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work - /x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wx-config + /wxwidgets-native/3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work + /x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wx-config pointing at /path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native/3.2.1-r0 - /recipe-sysroot-native/usr/lib/wx/config/gtk3-unicode-3.2. + /recipe-sysroot-native/usr/lib/wx/config/gtk3-unicode-3.2. Please replace this with a relative link. | ERROR: wxwidgets-native-3.2.1-r0 do_populate_sysroot: sstate found an absolute path symlink /path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native - /3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native - /3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc pointing at /path/to/build/tmp-glibc - /work/x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc-3.2. - Please replace this with a relative link. + /3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native + /3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc pointing at /path/to/build/tmp-glibc + /work/x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc-3.2. + Please replace this with a relative link. Create symlink with relative path to fix the issues. @@ -50,3 +55,6 @@ index dbed8cc9b3..1dbc3261d3 100644 \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/wxrc${EXE_SUFFIX}\" \ )" ) +-- +2.25.1 + 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch similarity index 73% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch index 6329256b0c..e3463ba170 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch @@ -1,3 +1,8 @@ +From 5e9725c1151e2b029066d61ef5dccf1f3e6cb323 Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] don not append system name to lib name + It appends system name to library names for cross compile. For example, the library name is libwx_baseu-3.1-Linux.so rather than libwx_baseu-3.1.so. It is not appropriate for oe. @@ -14,10 +19,10 @@ Signed-off-by: Kai Kang 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/cmake/functions.cmake b/build/cmake/functions.cmake -index e374d9a273..c6b1908bd6 100644 +index 81ede7d8ae..23eebeb914 100644 --- a/build/cmake/functions.cmake +++ b/build/cmake/functions.cmake -@@ -219,9 +219,9 @@ function(wx_set_target_properties target_name) +@@ -243,9 +243,9 @@ function(wx_set_target_properties target_name) endif() set(cross_target) @@ -30,3 +35,6 @@ index e374d9a273..c6b1908bd6 100644 set(lib_prefix "lib") if(MSVC OR (WIN32 AND wxBUILD_SHARED)) +-- +2.25.1 + 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch similarity index 74% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch index 628f8dee56..b650c50386 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch @@ -1,8 +1,14 @@ -It sets 'libdir' with path element 'lib' directly which is not suitable for -multilib. Add an option '--baselib' for wx-config to support multilib when -cross compile. And set default value of baselib with "lib${wxPLATFORM_LIB_DIR}". +From 4230cd84f156f9eb5c9b80ffbc69dd55fa7c7ca7 Mon Sep 17 00:00:00 2001 +From: Kai Kang +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] wx-config: fix libdir for multilib -Upstream-Status: Pending [oe specific] +It sets 'libdir' with path element 'lib' directly which is not suitable +for multilib. Add an option '--baselib' for wx-config to support +multilib when cross compile. And set default value of baselib with +"lib${wxPLATFORM_LIB_DIR}". + +Upstream-Status: Inappropriate [oe specific] Signed-off-by: Kai Kang @@ -15,10 +21,10 @@ Signed-off-by: Kai Kang 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/build/cmake/config.cmake b/build/cmake/config.cmake -index 52ae69d3f6..28aa733eb0 100644 +index 9ec677534b..ee61cf7572 100644 --- a/build/cmake/config.cmake +++ b/build/cmake/config.cmake -@@ -86,7 +86,7 @@ function(wx_write_config) +@@ -110,7 +110,7 @@ function(wx_write_config) set(prefix ${CMAKE_INSTALL_PREFIX}) set(exec_prefix "\${prefix}") set(includedir "\${prefix}/include") 
@@ -26,9 +32,9 @@ index 52ae69d3f6..28aa733eb0 100644 + set(libdir "\${exec_prefix}/\${baselib}") set(bindir "\${exec_prefix}/bin") - find_program(EGREP egrep) + if(wxBUILD_MONOLITHIC) diff --git a/wx-config.in b/wx-config.in -index e3f7d115bb..0e78af03c7 100755 +index 1173d89685..8364a33e9d 100755 --- a/wx-config.in +++ b/wx-config.in @@ -42,7 +42,8 @@ usage() @@ -41,7 +47,7 @@ index e3f7d115bb..0e78af03c7 100755 [--list] [--selected-config] [--host=HOST] [--toolkit=TOOLKIT] [--universal[=yes|no]] [--unicode[=yes|no]] [--static[=yes|no]] [--debug[=yes|no]] [--version[=VERSION]] [--flavour=FLAVOUR] -@@ -137,7 +138,7 @@ wxconfig_output_options="prefix exec_prefix +@@ -133,7 +134,7 @@ wxconfig_output_options="prefix exec_prefix # Options that permit the user to supply hints that may affect the output. # These options all accept arbitrary values, to interpret as they please. @@ -50,7 +56,7 @@ index e3f7d115bb..0e78af03c7 100755 # Input options that accept only a yes or no argument. # -@@ -404,6 +405,7 @@ is_cross() { [ "x@cross_compiling@" = "xyes" ]; } +@@ -400,6 +401,7 @@ is_cross() { [ "xno" = "xyes" ]; } # Determine the base directories we require. prefix=${input_option_prefix-${this_prefix:-@prefix@}} exec_prefix=${input_option_exec_prefix-${input_option_prefix-${this_exec_prefix:-@exec_prefix@}}} @@ -58,3 +64,6 @@ index e3f7d115bb..0e78af03c7 100755 wxconfdir="@libdir@/wx/config" installed_configs=`cd "$wxconfdir" 2> /dev/null && ls | grep -v "^inplace-"` +-- +2.25.1 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch similarity index 70% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch index e4ca6579f8..37d61dcb3f 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch 
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch @@ -1,8 +1,19 @@ -Upstream-Status: Pending +From 64d5d7f68cde208c6f8a5e0b71da93f98e4720f7 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Sat, 12 Oct 2024 20:30:16 +0800 +Subject: [PATCH] Fix locale on musl these macro'd away functions don't exist in musl (yet) + +Upstream-Status: Pending + +Signed-off-by: Khem Raj +--- + include/wx/xlocale.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + diff --git a/include/wx/xlocale.h b/include/wx/xlocale.h -index c433d25..3ab9d84 100644 +index c433d25d05..794cf0b66b 100644 --- a/include/wx/xlocale.h +++ b/include/wx/xlocale.h @@ -33,6 +33,26 @@ @@ -32,3 +43,6 @@ index c433d25..3ab9d84 100644 // The platform-specific locale type // If wxXLocale_t is not defined, then only "C" locale support is provided #ifdef wxHAS_XLOCALE_SUPPORT +-- +2.25.1 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch similarity index 83% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch index 5160f2e1fe..ef94e3551b 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch @@ -1,4 +1,4 @@ -From e108aff9d6dae613f486c1b1681f4a3cdf17b845 Mon Sep 17 00:00:00 2001 +From 22f70d5bd039b20bfdad522341412ca001c639db Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Mon, 19 Dec 2022 15:07:55 -0800 Subject: [PATCH] Set HAVE_LARGEFILE_SUPPORT to 1 explicitly 
@@ -6,16 +6,17 @@ Subject: [PATCH] Set HAVE_LARGEFILE_SUPPORT to 1 explicitly nothing sets this to 0, but for some reason it gets undef'd Upstream-Status: Pending + Signed-off-by: Khem Raj --- build/cmake/setup.h.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build/cmake/setup.h.in b/build/cmake/setup.h.in -index bce33a73f3..22afb4cfa0 100644 +index fcc282980d..767adbf658 100644 --- a/build/cmake/setup.h.in +++ b/build/cmake/setup.h.in -@@ -869,8 +869,7 @@ +@@ -867,8 +867,7 @@ /* * Define if large (64 bit file offsets) files are supported. */ @@ -26,5 +27,5 @@ index bce33a73f3..22afb4cfa0 100644 * Use OpenGL */ -- -2.39.0 +2.25.1 diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb similarity index 90% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb rename to meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb index 91653e2852..71e2a60e0c 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb 
@@ -20,17 +20,18 @@ DEPENDS += " \ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https \ file://0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch \ - file://fix-libdir-for-multilib.patch \ - file://create-links-with-relative-path.patch \ - file://not-append-system-name-to-lib-name.patch \ - file://wx-config-fix-libdir-for-multilib.patch \ - file://0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch \ - file://musl-locale-l.patch \ - file://0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ + file://0002-fix-libdir-for-multilib.patch \ + file://0003-create-links-with-relative-path.patch \ + file://0004-don-not-append-system-name-to-lib-name.patch \ + file://0005-wx-config-fix-libdir-for-multilib.patch \ + file://0006-Fix-locale-on-musl.patch \ + file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ " -SRCREV= "97e99707c5d2271a70cb686720b48dbf34ced496" +SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a" S = "${WORKDIR}/git" +UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" + # These can be either 'builtin' or 'sys' and builtin means cloned soures are # build. 
So these cannot be PACKAGECONFIGs and let's use libs where we can (see # DEPENDS)
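Review bot: the renamed 0004 patch carries a typo in both its filename and its new Subject line ("0004-don-not-append-system-name-to-lib-name.patch", "don not append system name to lib name"), and the SRC_URI hunk in wxwidgets_3.2.6.bb now references that spelling. Since this is a backport of master rev 903ed68669550ccae20bcd0c18c26d0c336da810, suggest correcting the name on master first and picking the rename here afterwards so the two branches keep identical patch file names.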
From: Anuj Mittal
To: openembedded-devel@lists.openembedded.org
Subject: [scarthgap][PATCH 07/24] wxwidgets: fix CVE-2024-58249
Date: Tue, 23 Sep 2025 19:57:10 +0800
Message-ID: <95f7aea47c1d9588ca882004fd48adb59d108cd2.1758626365.git.anuj.mittal@intel.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119696

From: Zhang Peng

CVE-2024-58249: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-58249]

Upstream patches: [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d]

Signed-off-by: Zhang Peng
Signed-off-by: Gyorgy Sarvari
(walnascar rev: d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4)
Signed-off-by: Zhang Peng
Signed-off-by: Anuj Mittal
--- .../wxwidgets/wxwidgets/CVE-2024-58249.patch | 178 ++++++++++++++++++ .../wxwidgets/wxwidgets_3.2.6.bb | 1 + 2 files changed, 179 insertions(+) create mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch new file mode 100644 index 0000000000..8ba9cc1b04 --- /dev/null +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch
@@ -0,0 +1,178 @@ +From e440b3a6097546a8aca66bd4c7a21be25e89d340 Mon Sep 17 00:00:00 2001 +From: Vadim Zeitlin +Date: Sun, 27 Oct 2024 00:56:21 +0200 +Subject: [PATCH] Fix crash when connection is refused in wxWebRequestCURL + +Avoid deleting wxEventLoopSourceHandler which may be still in use, as is +the case when we get write IO notification just before an error one: if +we delete the handler while handling the former, we crash when getting +the latter one. + +Use a hack to avoid deleting the handlers for which write notification +is being processed and delete them later, when we get the error one. + +See #24885. + +(cherry picked from commit 4e0fca8ab9756989598d07b41e672af86eac7092) + +CVE: CVE-2024-58249 +Upstream-Status: Backport [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d] + +Signed-off-by: Zhang Peng +--- + src/common/webrequest_curl.cpp | 80 +++++++++++++++++++++++++--------- + 1 file changed, 60 insertions(+), 20 deletions(-) + +diff --git a/src/common/webrequest_curl.cpp b/src/common/webrequest_curl.cpp +index f50acf4f8d..64650ab6b4 100644 +--- a/src/common/webrequest_curl.cpp ++++ b/src/common/webrequest_curl.cpp +@@ -704,10 +704,13 @@ SocketPollerImpl* SocketPollerImpl::Create(wxEvtHandler* hndlr) + + // SocketPollerSourceHandler - a source handler used by the SocketPoller class. 
+ ++class SourceSocketPoller; ++ + class SocketPollerSourceHandler: public wxEventLoopSourceHandler + { + public: +- SocketPollerSourceHandler(curl_socket_t, wxEvtHandler*); ++ SocketPollerSourceHandler(curl_socket_t sock, SourceSocketPoller* poller) ++ : m_socket(sock), m_poller(poller) {} + + void OnReadWaiting() wxOVERRIDE; + void OnWriteWaiting() wxOVERRIDE; +@@ -716,16 +719,9 @@ public: + private: + void SendEvent(int); + curl_socket_t m_socket; +- wxEvtHandler* m_handler; ++ SourceSocketPoller* const m_poller; + }; + +-SocketPollerSourceHandler::SocketPollerSourceHandler(curl_socket_t sock, +- wxEvtHandler* hndlr) +-{ +- m_socket = sock; +- m_handler = hndlr; +-} +- + void SocketPollerSourceHandler::OnReadWaiting() + { + SendEvent(SocketPoller::READY_FOR_READ); +@@ -741,14 +737,6 @@ void SocketPollerSourceHandler::OnExceptionWaiting() + SendEvent(SocketPoller::HAS_ERROR); + } + +-void SocketPollerSourceHandler::SendEvent(int result) +-{ +- wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT); +- event.SetPayload(m_socket); +- event.SetInt(result); +- m_handler->ProcessEvent(event); +-} +- + // SourceSocketPoller - a SocketPollerImpl based on event loop sources. + + class SourceSocketPoller: public SocketPollerImpl +@@ -760,6 +748,8 @@ public: + void StopPolling(curl_socket_t) wxOVERRIDE; + void ResumePolling(curl_socket_t) wxOVERRIDE; + ++ void SendEvent(curl_socket_t sock, int result); ++ + private: + WX_DECLARE_HASH_MAP(curl_socket_t, wxEventLoopSource*, wxIntegerHash,\ + wxIntegerEqual, SocketDataMap); +@@ -768,11 +758,25 @@ private: + + SocketDataMap m_socketData; + wxEvtHandler* m_handler; ++ ++ // The socket for which we're currently processing a write IO notification. ++ curl_socket_t m_activeWriteSocket; ++ ++ // The sockets that we couldn't clean up yet but should do if/when we get ++ // an error notification for them. ++ wxVector m_socketsToCleanUp; + }; + ++// This function must be implemented after full SourceSocketPoller declaration. 
++void SocketPollerSourceHandler::SendEvent(int result) ++{ ++ m_poller->SendEvent(m_socket, result); ++} ++ + SourceSocketPoller::SourceSocketPoller(wxEvtHandler* hndlr) + { + m_handler = hndlr; ++ m_activeWriteSocket = 0; + } + + SourceSocketPoller::~SourceSocketPoller() +@@ -822,9 +826,7 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction) + } + else + { +- // Otherwise create a new source handler. +- srcHandler = +- new SocketPollerSourceHandler(sock, m_handler); ++ srcHandler = new SocketPollerSourceHandler(sock, this); + } + + // Get a new source object for these polling checks. +@@ -858,6 +860,15 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction) + + void SourceSocketPoller::StopPolling(curl_socket_t sock) + { ++ if ( sock == m_activeWriteSocket ) ++ { ++ // We can't clean up the socket while we're inside OnWriteWaiting() for ++ // it because it could be followed by OnExceptionWaiting() and we'd ++ // crash if we deleted it already. ++ m_socketsToCleanUp.push_back(sock); ++ return; ++ } ++ + SocketDataMap::iterator it = m_socketData.find(sock); + + if ( it != m_socketData.end() ) +@@ -871,6 +882,35 @@ void SourceSocketPoller::ResumePolling(curl_socket_t WXUNUSED(sock)) + { + } + ++void SourceSocketPoller::SendEvent(curl_socket_t sock, int result) ++{ ++ if ( result == SocketPoller::READY_FOR_WRITE ) ++ { ++ // Prevent the handler from this socket from being deleted in case we ++ // get a HAS_ERROR event for it immediately after this one. ++ m_activeWriteSocket = sock; ++ } ++ ++ wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT); ++ event.SetPayload(sock); ++ event.SetInt(result); ++ m_handler->ProcessEvent(event); ++ ++ m_activeWriteSocket = 0; ++ ++ if ( result == SocketPoller::HAS_ERROR ) ++ { ++ // Check if we have any sockets to clean up and do it now, it should be ++ // safe. 
++ for ( size_t n = 0; n < m_socketsToCleanUp.size(); ++n ) ++ { ++ StopPolling(m_socketsToCleanUp[n]); ++ } ++ ++ m_socketsToCleanUp.clear(); ++ } ++} ++ + void SourceSocketPoller::CleanUpSocketSource(wxEventLoopSource* source) + { + wxEventLoopSourceHandler* srcHandler = source->GetHandler(); +-- +2.50.0 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb index 71e2a60e0c..1cf44bbfa3 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb 
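Review bot: In the `SourceSocketPoller` constructor and at the end of `SourceSocketPoller::SendEvent()`, `m_activeWriteSocket = 0` uses 0 as the "no active socket" marker, but 0 is a legal `curl_socket_t` value on POSIX systems. A socket with that value would always match `sock == m_activeWriteSocket` in `StopPolling()`, so it would be queued again instead of released, including when `StopPolling()` is called from the flush loop over `m_socketsToCleanUp`. libcurl's `CURL_SOCKET_BAD` is the usual sentinel and would make the comparison unambiguous. The backport should stay byte-identical to upstream, so this is a point to raise with wxWidgets rather than to change in the recipe.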
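Review bot: In `SourceSocketPoller::SendEvent()`, the entries deferred into `m_socketsToCleanUp` are flushed only inside `if ( result == SocketPoller::HAS_ERROR )`, and that block does not look at which socket reported the error. A socket deferred during `READY_FOR_WRITE` therefore keeps its event loop source until some socket reports an error, and an error on an unrelated socket releases every deferred entry at once. The commit message already calls this a hack; a comment at the flush loop saying why any `HAS_ERROR` is a safe point, and what is expected to happen when no error notification follows the write notification, would help whoever carries this patch forward.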
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https file://0005-wx-config-fix-libdir-for-multilib.patch \ file://0006-Fix-locale-on-musl.patch \ file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ + file://CVE-2024-58249.patch \ " SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a" S = "${WORKDIR}/git" From patchwork Tue Sep 23 11:57:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70774 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 781C7CAC5A7 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=DfPyWNGr; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628673; x=1790164673; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=oxRMss0baKfr+J42Hi+Zy8HFywzxf+cGTvE5KoFLQu0=; b=DfPyWNGrvQvaiE1+UCSxfBIwPdF3DGciVCRZ9bf5bvsbcOvI88evTAub JioeHkhkyTFr7FN35eYjlU5ZyCT3eZgEYaBGaKegZGTByUa4x9dQbZW6P 8vI7n+Fdrl2TuCIISj+BgjobFn1kRl/2YI3H3RJw3+m7aZoebTZpgYmjU TsVcPaPchGZgkWlA2xHzPJcbEr683Z1dC90NWz7aURl4fQJoZK4TchnyW IjgCld/ndLeG9c47mzTrbSn6UAmAkZ4tXdh7ctG0O+VdEyrNQMOwUoTKV eov/mMRqmZ4Pesnwupxhd0I63C9kF42dR0RXMIBiWbG9fCcItHmXgW4fg g==; X-CSE-ConnectionGUID: e8eZDK0HRGacUF1Jcwm5Qw== X-CSE-MsgGUID: IuNsARWcSOmzwMGghT7hQQ== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; 
a="60821783" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821783" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:53 -0700 X-CSE-ConnectionGUID: cMgx7/dFQJqhdZiY9LFgGA== X-CSE-MsgGUID: g61x517nToKvERhf6Z/Bfw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875177" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:52 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 08/24] gutenprint: fix a build race-condition Date: Tue, 23 Sep 2025 19:57:11 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119697 From: Yoann Congal Gutenprint install hooks run in parallel but depend on each other. This is a race condition and might trigger a build failure (e.g on AB [0]): | chmod 700 $WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint | chmod: cannot access '$WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint': Not a directory | make[5]: *** [Makefile:2166: install-exec-hook] Error 1 Fixes this by adding an explicit dependency between the dependent targets. [0]: https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/46/steps/33/logs/stdio Signed-off-by: Yoann Congal Signed-off-by: Khem Raj 
Signed-off-by: Anuj Mittal --- ...-race-condition-around-empty-directo.patch | 60 +++++++++++++++++++ .../gutenprint/gutenprint_5.3.4.bb | 4 +- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch b/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch new file mode 100644 index 0000000000..758acfe6be --- /dev/null +++ b/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch 
@@ -0,0 +1,60 @@ +From e3b0952fe936f90cfda9cbed368fae2143b72089 Mon Sep 17 00:00:00 2001 +From: Yoann Congal +Date: Thu, 3 Jul 2025 15:27:04 +0200 +Subject: [PATCH] cups: fix a build race-condition around empty directories + removal + +In automake, install-exec and install-data happen in parallel. +install-exec installs executables and install-data finishes with +install-data-hook that removes empty directories. If install-data-hook +happen before install-exec finishes, it might remove a directory while +it is used by the install process and make it fail. + +Fix this by adding an explicit dependency between install-data-hook and +install-exec. + +For example, here is the log of such a failure: +| make install-data-hook +| hosttools/mkdir -p 'image/usr/libexec/cups/backend' +| make[5]: Entering directory '$WORKDIR/build/src/cups' +| Expect a number of "rmdir: Directory not empty" warnings +| /bin/bash ../../libtool --mode=install $HOSTTOOLS/install -c backend_gutenprint '$WORKDIR/image/usr/libexec/cups/backend' + # Start of the install process (from install-exec) +| These messages are harmless and should be ignored. +... +| rmdir $WORKDIR/image/usr/libexec/cups/backend + # empty /usr/libexec/cups/backend is removed (from install-data-hook) +... 
+| libtool: install: $HOSTTOOLS/install -c backend_gutenprint $WORKDIR/image/usr/libexec/cups/backend + # install in a non-existing directory: backend_gutenprint is installed + # as /usr/libexec/cups/backend (this is now a file instead of a + # directory) +| make install-exec-hook +| make[5]: Entering directory '$WORKDIR/build/src/cups' +| chmod 700 $WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint +| chmod: cannot access '$WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint': Not a directory + # chmod fails because /usr/libexec/cups/backend is a file and not a + # directory +| make[5]: *** [Makefile:2166: install-exec-hook] Error 1 + +Signed-off-by: Yoann Congal +Upstream-Status: Submitted [https://sourceforge.net/p/gimp-print/mailman/gimp-print-devel/thread/20250703164244.1120340-1-yoann.congal%40smile.fr/#msg59202153] +--- + src/cups/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/cups/Makefile.am b/src/cups/Makefile.am +index 7928ee3..fe45c92 100644 +--- a/src/cups/Makefile.am ++++ b/src/cups/Makefile.am +@@ -206,8 +206,9 @@ uninstall-local: $(INSTALL_DATA_LOCAL_DEPS) $(INSTALL_BLACKLIST) + $(RM) -f "$(DESTDIR)$(cupsdata_blacklistdir)/net.sf.gimp-print.usb-quirks" + $(RM) -f "$(DESTDIR)$(pkglibdir)/backend/gutenprint$(GUTENPRINT_MAJOR_VERSION)$(GUTENPRINT_MINOR_VERSION)+usb" + +-install-data-hook: ++install-data-hook: install-exec + # Remove unused directories in install tree ++# Note: it removes "exec" directories, so it must happen after install-exec. + -@echo 'Expect a number of "rmdir: Directory not empty" warnings' + -@echo 'These messages are harmless and should be ignored.' + -rmdir $(DESTDIR)$(cups_modeldir) diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb index 5263890239..f90a123293 100644 --- a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb +++ b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb 
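Review bot: On the changed rule line `install-data-hook: install-exec`, the new prerequisite is resolved by whichever make process runs the hook, and the failure log in the commit message shows the hook being started as its own `make install-data-hook` invocation (`make[5]: Entering directory ...`). That sub-make cannot know the top-level install is already running install-exec in parallel, so it will run install-exec itself: the `rmdir` calls are then ordered after an install-exec, but the executables may be installed twice and concurrently. Please confirm with a parallel `make install` that the second install is harmless. The patch is marked `Upstream-Status: Submitted`, so it should be revisited once upstream responds.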
@@ -14,7 +14,9 @@ HOMEPAGE = "http://gimp-print.sourceforge.net/" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552" -SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz" +SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz \ + file://0001-cups-fix-a-build-race-condition-around-empty-directo.patch \ + " SRC_URI[sha256sum] = "db44a701d2b8e6a8931c83cec06c91226be266d23e5c189d20a39dd175f2023b" inherit autotools gettext pkgconfig From patchwork Tue Sep 23 11:57:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70773 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72B51CAC5B0 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=n/uk5Rd9; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628675; x=1790164675; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=qNaNR/VfKhTJhusWofiIATc91ZnyaiHANaPLl48t0fk=; b=n/uk5Rd9hXRNDC9gqaoCDsMJt04Lca/YkYIgn8TlCCQMoZpXe7XUPG4s AIaM7RbUNaOdLcGII1UgR0zn2KflWGnqDVHQQyF4+ZwaMGFjPeUsBb1rO kNhd2eAT+KtmggOY82hqVPmowdYFIgyuewzvNHrdrBVJTCMZuqtZlryQ2 XwLxKgxju4MMkcZrExGcGMLUrpQXma8KbMOui6164Jr0Ts3jWoJkN/INT twB7vcBNC/x0XFjJnnPHH6vqh7BrztnS62nVZQhaHLyeCqp+RPENhfi+c 
ri2famdR2vRfttXEtBLDtoM5CP38eOc3m/x9kBxKFX6CX7zs0v6yrFuae g==; X-CSE-ConnectionGUID: IQzdteZuRcaCopI79lnBLQ== X-CSE-MsgGUID: YbfHH1AmRDKOJkT+LZKU5Q== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821787" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821787" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:55 -0700 X-CSE-ConnectionGUID: hg5fpbjCS5qMNqs9osB4nw== X-CSE-MsgGUID: 3zxaKC2+SeabJe1O8523xA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875180" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:54 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 09/24] gutenprint: 5.3.5 Date: Tue, 23 Sep 2025 19:57:12 +0800 Message-ID: <5856e22d34c7b9e07e2c0038d540616bf653aa9c.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119698 From: Zoltán Böszörményi This fixes an installation error: | make[5]: Entering directory '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/build/src/cups' | chmod 700 .../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint | chmod: cannot access '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint': No such file or directory Signed-off-by: Zoltán Böszörményi 
Signed-off-by: Anuj Mittal --- .../gutenprint/{gutenprint_5.3.4.bb => gutenprint_5.3.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-printing/gutenprint/{gutenprint_5.3.4.bb => gutenprint_5.3.5.bb} (96%) diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb similarity index 96% rename from meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb rename to meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb index f90a123293..82953b798c 100644 --- a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb +++ b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb 
@@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552" SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz \ file://0001-cups-fix-a-build-race-condition-around-empty-directo.patch \ " -SRC_URI[sha256sum] = "db44a701d2b8e6a8931c83cec06c91226be266d23e5c189d20a39dd175f2023b" +SRC_URI[sha256sum] = "f5a9f47de28530b1ae2069cfbc647a9a641baeeabe809bb0ef2b3ec5b9668d70" inherit autotools gettext pkgconfig From patchwork Tue Sep 23 11:57:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70776 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DF16CAC5B1 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=lNcOpjlE; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628676; x=1790164676; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=tTdDaGaHLxTwNIqcJoYSyF5N6h7sYH5/O+WatQ8zt+s=; b=lNcOpjlEcPHffVRHsMid6hFvTcoHw+fLHUT65XWce7ovFVjKPQIu5V8v TirmcViBXMRcP+/uiEiOvJB+iwRT4g3+PlZvfoeYeJlhkEYkUqgVQhxBK P75fBN5kcAhqUFSyk5IbjYdnwmubAUlWXF06+9TFf6K+BU/4xL14jth0D INznAVQhhq20JCPtfmiZe21ffKBuIpp+FGu9ydZBcY8KuudqRjAO4KZSM 5vYSY4P22CEFq6M/3lsCjQFw0vPxZKPnToihrYELoljnzld4+fz5EPnW7 qoO/8G8kuRSP/VZ37VNEKnR05luyng98l6vf2QCx0U5BIUra1HbBYspD2 g==; X-CSE-ConnectionGUID: BN+e1qC6R0Whdw8dTqhbTg== 
X-CSE-MsgGUID: +Ja9KSP8TQmedi3bg7QK4w== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821788" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821788" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:56 -0700 X-CSE-ConnectionGUID: V78hb9ujRFex3ZEW8PQRlQ== X-CSE-MsgGUID: Q/mbNopwRAKJSP5x+3tLog== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875186" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:55 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 10/24] meta-oe: image: optionally remove RAW image after sparse image creation Date: Tue, 23 Sep 2025 19:57:13 +0800 Message-ID: <385b1baa2b2aa5d65d0db5852b3dbefa94f57abf.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119699 
From: AshishKumar Mishra When creating sparse images, the RAW image is no longer needed in some workflows such as Android and CI pipelines. These RAW images can be multi-GB artifacts and consume significant disk space. This change introduces a configuration option `DELETE_RAWIMAGE_AFTER_SPARSE_CMD` which, when set to "1", removes the RAW image after sparse image generation. This reduces disk usage in builds where sparse images are the final deliverables and RAW images are not required. Default behavior is unchanged: RAW images are kept unless the variable is explicitly enabled: DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "1" # Delete RAW image DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "0" # Default behavior (cherry-picked from f5246b7df447ac76ec04c6e5add398862d1c9ccd in master ) Signed-off-by: AshishKumar Mishra Signed-off-by: Khem Raj Signed-off-by: Anuj Mittal --- meta-oe/classes/image_types_sparse.bbclass | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/classes/image_types_sparse.bbclass b/meta-oe/classes/image_types_sparse.bbclass index d6ea68968e..5416c2a019 100644 --- a/meta-oe/classes/image_types_sparse.bbclass +++ b/meta-oe/classes/image_types_sparse.bbclass 
@@ -9,9 +9,15 @@ SPARSE_BLOCK_SIZE ??= "4096" CONVERSIONTYPES += "sparse" +DELETE_RAWIMAGE_AFTER_SPARSE_CMD ??= "0" + CONVERSION_CMD:sparse = " \ truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "${IMAGE_NAME}.${type}"; \ img2simg -s "${IMAGE_NAME}.${type}" "${IMAGE_NAME}.${type}.sparse" ${SPARSE_BLOCK_SIZE}; \ + if [ "${DELETE_RAWIMAGE_AFTER_SPARSE_CMD}" = "1" ]; then \ + rm -f ${IMAGE_NAME}.${type};\ + bbwarn "Raw file ${IMAGE_NAME}.${type} removed" ;\ + fi;\ " CONVERSION_DEPENDS_sparse = "android-tools-native" From patchwork Tue Sep 23 11:57:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70775 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AD44CAC5B2 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=KC2XeaQY; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628678; x=1790164678; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=HcsBD2Dd2f1RLlBn6PUQRSX8VS04N889tgdu3cKgk18=; b=KC2XeaQYfstvGeGwoFNIJxwHHGGkR1F9ak2RURgbnZNZXivMvjp5H2pC Dbckp8d012ZoMWVgYNkahhe6VLXC+1IYPuxzcnsKBRC7oRSlIguDHimMR cJv8ohZoiaT4i+SNKeR1P9X9szEbSAjIaL1/KRUWuqHA9+8srG+L/M3bM kPvuZ8QJkZKWjQcoO7rrjo6iqm99BBfoCJ7d5FDgB4FNXYb496hkt+Nok VffYj+bY4shcdoTSRGs49+RPiVTnybAtAYg7gp7c9ZkVzYvwBzwEO4pSL 
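Review bot: In the `if` block added to `CONVERSION_CMD:sparse`, `rm -f ${IMAGE_NAME}.${type};` leaves the path unquoted while the `truncate` and `img2simg` lines just above quote `"${IMAGE_NAME}.${type}"`, and it is chained with `;`, so nothing in this command string ties the deletion to `img2simg` having succeeded. Quoting the path and guarding the removal (with `&&`, or a test that the `.sparse` file exists and is non-empty) keeps a failed conversion from leaving neither image behind. `bbwarn` also turns an expected, opted-in action into a warning on every build; `bbnote` fits better. The accepted values of `DELETE_RAWIMAGE_AFTER_SPARSE_CMD` are documented only in the commit message; a short comment next to the `??= "0"` default would keep that with the class.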
qix6EPxoiLXJkm+KtK7ziFuLcKapXK/bymbbcuIxlK0BL7vsAIpQzxcYD A==; X-CSE-ConnectionGUID: rkhtL4hmRuupy7EvgEJlcg== X-CSE-MsgGUID: mKlibM8xT62KIoGtqizo+g== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821789" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821789" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:58 -0700 X-CSE-ConnectionGUID: 1d1nvB5nTs+PBfHwePHEKw== X-CSE-MsgGUID: QkcJft6LSwGp/gJAH7BvBA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875188" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:57 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 11/24] libssh 0.10.6: Fix CVE-2025-8114 Date: Tue, 23 Sep 2025 19:57:14 +0800 Message-ID: <49aa81f2d5861bbae3c0886a2a0e39bdf7a16e18.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119700 From: Anil Dongare Upstream Repository: https://git.libssh.org/projects/libssh.git/ Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8114 Type: Security Fix CVE: CVE-2025-8114 Score: 4.7 Patch: https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb Signed-off-by: Anil Dongare Signed-off-by: Anuj Mittal --- .../libssh/libssh/CVE-2025-8114.patch | 49 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch 
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch new file mode 100644 index 0000000000..10bbbcb114 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch @@ -0,0 +1,49 @@ +From 5f4950367c027aa91fcea240df354a856a4a0025 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 6 Aug 2025 15:17:59 +0200 +Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation + failure + +CVE: CVE-2025-8114 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb] + +Signed-off-by: Andreas Schneider +Reviewed-by: Jakub Jelen +(cherry picked from commit 53ac23ded4cb2c5463f6c4cd1525331bd578812d) +Signed-off-by: Anil Dongare +--- + src/kex.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/kex.c b/src/kex.c +index fbc70cf4..b4bab277 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -1391,6 +1391,8 @@ int ssh_make_sessionid(ssh_session session) + ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); + #endif + ++ /* Set rc for the following switch statement in case we goto error. */ ++ rc = SSH_ERROR; + switch (session->next_crypto->kex_type) { + case SSH_KEX_DH_GROUP1_SHA1: + case SSH_KEX_DH_GROUP14_SHA1: +@@ -1450,6 +1452,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->secret_hash); + break; + } ++ + /* During the first kex, secret hash and session ID are equal. However, after + * a key re-exchange, a new secret hash is calculated. This hash will not replace + * but complement existing session id. +@@ -1458,6 +1461,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->session_id = malloc(session->next_crypto->digest_len); + if (session->next_crypto->session_id == NULL) { + ssh_set_error_oom(session); ++ rc = SSH_ERROR; + goto error; + } + memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, +-- +2.43.5 + 
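Review bot: The header of CVE-2025-8114.patch carries only the subject line, and the recipe commit message only tracker fields, so neither says which allocation is involved; from the last `src/kex.c` hunk it is the `malloc` of `session->next_crypto->session_id`, where `rc` was not set before `goto error`. One sentence to that effect in the commit message would let a reader judge exposure without opening the upstream commit. The switch bodies between the first and last hunk are outside the context shown, so it is also worth checking in the 0.10.6 source that the three hunks (offsets 1391, 1450, 1458) apply to the pinned `SRCREV` without fuzz and that no other `goto error` in `ssh_make_sessionid()` is left with a success value in `rc`.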
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index bf91e69bc8..602e01fce6 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-4878-0001.patch \ file://CVE-2025-4878-0002.patch \ file://CVE-2025-5987.patch \ + file://CVE-2025-8114.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Tue Sep 23 11:57:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70777 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 956D5CAC5B4 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:57:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=UQXhJqFi; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628679; x=1790164679; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Ukq1h58SaJMw9nL8p03wwl18HXDal0fp13ZdXy2wb+g=; b=UQXhJqFiEnb1bTJosalTgg6ChJ4cGI7KwsNSOSeZJxwH0HBWir1Jg/i4 ZJ9S8djLwfhTqFTWk17JSFbWwVNrmYJJ7uwSXH4lhB3VW+5ZMb56GY5xI Ik3qzmLoHFG5M84G39f34FLB74u2BJOVBtPPSZjh+gEScGJQEW16sABBQ I5FSd7Qv0vTy1dCh4TMZvo5KBn7+1bKoqYQj2BPAKtTCqXgrEy9Mx0ehv 1BYLVUAmO3fTlamxKDXJjhRULyNU2YYOfmsSjn95O/GPeBK21N+WsdPbB mroE7SmsVG6FwkR223e5jeP8ZUsv/cUDfIzJo8QsjNUtQPTLPiRN7b+ds Q==; X-CSE-ConnectionGUID: LAV5tiZUS8iwEeGD8wP0lA== X-CSE-MsgGUID: rVbkY9flT3u50E9NcKWJ4w== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821794" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821794" 
Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:59 -0700 X-CSE-ConnectionGUID: 10MOnep+Txm4U5+RFfaypw== X-CSE-MsgGUID: mI/YjQUYR5mBXYrQFNkFPA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875189" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:57:58 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 12/24] apache2: upgrade 2.4.64 - 2.4.65 Date: Tue, 23 Sep 2025 19:57:15 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119701 From: Archana Polampalli fixes CVE-2025-54090 Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.65 Signed-off-by: Archana Polampalli Signed-off-by: Anuj Mittal --- .../apache2/{apache2_2.4.64.bb => apache2_2.4.65.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.64.bb => apache2_2.4.65.bb} (99%) diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb similarity index 99% rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb index f587935b8f..34526fc78e 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb 
@@ -27,7 +27,7 @@ SRC_URI:append:class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[sha256sum] = "120b35a2ebf264f277e20f9a94f870f2063342fbff0861404660d7dd0ab1ac29" +SRC_URI[sha256sum] = "58b8be97d9940ec17f7656c0c6b9f41b618aac468b894b534148e3296c53b8b3" S = "${WORKDIR}/httpd-${PV}" From patchwork Tue Sep 23 11:57:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70779 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2EEBCAC5B3 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=ZcfCB0t+; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628681; x=1790164681; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=EwmYD8ZwsHUfWuBKQSBXAGBDUwinbzBWy6payg37nmk=; b=ZcfCB0t+J/5aLJR4tI5dY/eO8yw6SmazmWjHMsvnUPDOwGTG8CCpp0uq XpzOrBQBoNxZjmZzCqX5gPFiFm5yiKzr4QaJxeusWqeNmOBLMbeFJIJyU sec2OVLz1BKgD3XDt8C/flLdBv8FBpeu1KL5ZilEc+z5QBmKFVlntFtt5 eEGN7pgyuXHKuqC9XDmnAgOPpv5OKB3KJrJmMotsnBcYaJQFLEDb7VWty 3bR8y6X0K0/Vn0XI0XZ2PWqHvlcTVOvh7qzJiXJnUvn8pQPNsi7vmmp7v 35eiwK1ArWvP4zfWSTf0DCewhnK/Md1veDcsWQ+Fa25jOzTEORlgqeZBi w==; X-CSE-ConnectionGUID: wsAWcpfDTpyUqVF/NAgHpg== X-CSE-MsgGUID: LGFHoOqPSfmUYzabZEz3Gw== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821797" X-IronPort-AV: 
E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821797" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:01 -0700 X-CSE-ConnectionGUID: MYh7J6jqQGm6Qsc8whQigA== X-CSE-MsgGUID: DgDZ49xxSMCQ2zepxav04w== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875193" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:00 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 13/24] cjson 1.7.18: Fix CVE-2025-57052 Date: Tue, 23 Sep 2025 19:57:16 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119702 From: Shubham Pushpkar Upstream Repository: https://github.com/DaveGamble/cJSON.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57052 Type: Security Fix CVE: CVE-2025-57052 Score: 9.8 Patch: https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa Signed-off-by: Shubham Pushpkar Signed-off-by: Anuj Mittal --- .../cjson/cjson/CVE-2025-57052.patch | 33 +++++++++++++++++++ .../recipes-devtools/cjson/cjson_1.7.18.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch diff --git a/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch b/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch new file mode 100644 index 0000000000..ed3d4a7eba --- /dev/null +++ b/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch 
@@ -0,0 +1,33 @@ +From e53a1413304382d562176bed91609e00b4fcf87e Mon Sep 17 00:00:00 2001 +From: Lee +Date: Fri, 5 Sep 2025 14:53:20 +0800 +Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer + (#957) + +this fixes CVE-2025-57052 + +CVE: CVE-2025-57052 +Upstream-Status: Backport [https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa] + +(cherry picked from commit 74e1ff4994aa4139126967f6d289b675b4b36fef) +Signed-off-by: Shubham Pushpkar +--- + cJSON_Utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cJSON_Utils.c b/cJSON_Utils.c +index 63651df..8fa24f8 100644 +--- a/cJSON_Utils.c ++++ b/cJSON_Utils.c +@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po + return 0; + } + +- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++) ++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++) + { + parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0'); + +-- +2.44.1 + diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb index bdeab3055c..67d536cf24 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb 
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https \ file://run-ptest \ + file://CVE-2025-57052.patch \ " SRCREV = "acc76239bee01d8e9c858ae2cab296704e52d916" From patchwork Tue Sep 23 11:57:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70778 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A71C2CAC5B6 for ; Tue, 23 Sep 2025 11:58:02 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=R4P1eobh; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628682; x=1790164682; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=adsJqCUvcqP/n/hl2mqfnLhjIrxmsB0GU2tVAhv0f9I=; b=R4P1eobhaaYZLX1/k2Rjjp5YcToTJEwewmisLCFLWJRUqy4U/M/OVX+O zr2bzgPsrY00iRmkXV5PDP5flYv2wuMPqd9kzZrVMP3bv2mFoFRSBkXuC 6nfXw5UkyT9do12Q+TfASr3P6qdMhOLh3iTZ+SEeiGo94NO2oxBQxoail eAxz3lqP8nPKlulRgQWI94BSDpXJwLhd5McenLi5YPM1I6oj8SVnJUzfb CcCDUCy74D8vs8fyIkoDZ7oxNr9VBWtMr4ZPHNwaFJVgRTB1D+d81z+cb N2zJrOCzLfZ8ol2sbtYPHoV1UUCtJfou0Y+sNoYlggOm2KB/rEn9PqSRl Q==; X-CSE-ConnectionGUID: Cf0Xb4BbTKS6Edw/d3o1TQ== X-CSE-MsgGUID: bQdCG/Q/QCOsyt6So45ckQ== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821801" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821801" Received: 
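Review bot: in the `for` loop of decode_array_index_from_pointer (cJSON_Utils.c hunk of CVE-2025-57052.patch), `parsed_index = (10 * parsed_index) + ...` still accumulates with no upper bound visible in this hunk, so a long run of digits in a JSON pointer wraps size_t and yields an index the caller never asked for. Suggest stopping with `return 0` once parsed_index exceeds (SIZE_MAX - 9) / 10, before the multiply. The commit message would also be easier to audit if it said what the old test let through: with `pointer[0] <= '9'`, any later byte at or above '0' (letters included) was consumed as a digit as long as the first character was one.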
from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:02 -0700 X-CSE-ConnectionGUID: L4RGU34PT+WZA8dH23EZMQ== X-CSE-MsgGUID: 7FX2aqS5T0uDHNuGLXP3YQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875197" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:01 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 14/24] openjpeg: fix for CVE-2025-54874 Date: Tue, 23 Sep 2025 19:57:17 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119703 From: Hitendra Prajapati Upstream-Status: Backport https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d Signed-off-by: Hitendra Prajapati Signed-off-by: Gyorgy Sarvari (cherry picked from commit 5d0643f194e9a7ed77eddbdc1d106536df2eb488) Signed-off-by: Anuj Mittal --- .../openjpeg/openjpeg/CVE-2025-54874.patch | 44 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.3.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch new file mode 100644 index 0000000000..187557a35c --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch 
@@ -0,0 +1,44 @@ +From f809b80c67717c152a5ad30bf06774f00da4fd2d Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Thu, 16 Jan 2025 02:13:43 +0100 +Subject: [PATCH] opj_jp2_read_header: Check for error after parsing header. + +Consider the case where the caller has not set the p_image +pointer to NULL before calling opj_read_header(). + +If opj_j2k_read_header_procedure() fails while obtaining the rest +of the marker segment when calling opj_stream_read_data() because +the data stream is too short, then opj_j2k_read_header() will +never have the chance to initialize p_image, leaving it +uninitialized. + +opj_jp2_read_header() will check the p_image value whether +opj_j2k_read_header() suceeded or failed. This may be detected as +an error in valgrind or ASAN. + +The fix is to check whether opj_j2k_read_header() suceeded before +using the output argument p_image. + +CVE: CVE-2025-54874 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d] +Signed-off-by: Hitendra Prajapati +--- + src/lib/openjp2/jp2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c +index 4df055a5..da506318 100644 +--- a/src/lib/openjp2/jp2.c ++++ b/src/lib/openjp2/jp2.c +@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream, + p_image, + p_manager); + +- if (p_image && *p_image) { ++ if (ret && p_image && *p_image) { + /* Set Image Color Space */ + if (jp2->enumcs == 16) { + (*p_image)->color_space = OPJ_CLRSPC_SRGB; +-- +2.50.1 + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb index 231bf84573..586bfeaf1f 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb 
@@ -7,6 +7,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2025-54874.patch \ " SRCREV = "210a8a5690d0da66f02d49420d7176a21ef409dc" S = "${WORKDIR}/git" From patchwork Tue Sep 23 11:57:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70781 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A123DCAC5B1 for ; Tue, 23 Sep 2025 11:58:12 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=dNgY6oWZ; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628684; x=1790164684; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=bh4tgeAJnj2n8hYmZUYFLE6pw4MFeAtc14XMIR4Z7l4=; b=dNgY6oWZeySEhlYujHlWWQ3NX7wUFfhFjlNhBrZnIpHJcia8kokj/s3V qBnhICuxwe7FwwulrFhnkIH36x0xGjG2Za0GaTl5XybwmtapGqseVm3ly als8/2MsPNGz9wktGR8VgRXCQRrL63xgV92DSZ9NNEHaXGgam+4UgLmMd bk5OQFsD6oE8cxklhwxAaQAHQ8g/HsiGTlgbKCxQhBPHZjMP9nqZXj+LX PKXz7aT6bMS09mLMg/xeaqSmF6/EiPlYzzpQGhWtOd/1YdmA+NBQKpYW0 cF7qdjRd1ixwAKhcbjJKWivoSGLkt0vKNEG68iAZsVjBPxXf+fgl9RTJR Q==; X-CSE-ConnectionGUID: JP93ZSBIRGuf2VJGJolRGQ== X-CSE-MsgGUID: nkRSo0PdQo6yhKlx9d00MQ== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821805" X-IronPort-AV: 
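Review bot: the new `ret &&` guard in opj_jp2_read_header (jp2.c hunk of CVE-2025-54874.patch) stops this function from reading `*p_image` after a failed opj_j2k_read_header(), but on that path `*p_image` is still handed back to the caller uninitialized, which is exactly the precondition the patch description starts from. Suggest also setting `*p_image = NULL` when `ret` is false, or documenting that callers must not read it on failure. The recipe commit message carries only the Upstream-Status and sign-off lines; one sentence naming the CVE and its effect would help anyone triaging the backport.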
E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821805" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:04 -0700 X-CSE-ConnectionGUID: uB2EW6NaTV2hA3tpfI0pZA== X-CSE-MsgGUID: /avB5VrbSkus+DskhyIwkg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875209" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:03 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 15/24] fontforge: patch CVE-2024-25081 and CVE-2024-25082 Date: Tue, 23 Sep 2025 19:57:18 +0800 Message-ID: <06a086228747b1c689ed4e8bd51847ec45d8aded.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119704 From: Peter Marko Pick commit from PR [1] linked from [2] and [3] which also mentions both these CVEs. [1] https://github.com/fontforge/fontforge/pull/5367 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-25081 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-25082 Signed-off-by: Peter Marko Signed-off-by: Khem Raj Signed-off-by: Gyorgy Sarvari (cherry picked from commit 1e6dbd183bc7e5dd7681fd5ae65f043cc8641a1d) Signed-off-by: Anuj Mittal --- .../CVE-2024-25081_CVE-2024-25082.patch | 181 ++++++++++++++++++ .../fontforge/fontforge_20230101.bb | 1 + 2 files changed, 182 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch
diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch new file mode 100644 index 0000000000..40f85e9f33 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch 
@@ -0,0 +1,181 @@ +From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001 +From: Peter Kydas +Date: Tue, 6 Feb 2024 20:03:04 +1100 +Subject: [PATCH] fix splinefont shell command injection (#5367) + +CVE: CVE-2024-25081 +CVE: CVE-2024-25082 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429] +Signed-off-by: Peter Marko +--- + fontforge/splinefont.c | 123 +++++++++++++++++++++++++++++------------ + 1 file changed, 89 insertions(+), 34 deletions(-) + +diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c +index 239fdc035..647daee10 100644 +--- a/fontforge/splinefont.c ++++ b/fontforge/splinefont.c +@@ -788,11 +788,14 @@ return( name ); + + char *Unarchive(char *name, char **_archivedir) { + char *dir = getenv("TMPDIR"); +- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile; ++ char *pt, *archivedir, *listfile, *desiredfile; + char *finalfile; + int i; + int doall=false; + static int cnt=0; ++ gchar *command[5]; ++ gchar *stdoutresponse = NULL; ++ gchar *stderrresponse = NULL; + + *_archivedir = NULL; + +@@ -827,18 +830,30 @@ return( NULL ); + listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1); + sprintf( listfile, "%s/" TOC_NAME, archivedir ); + +- listcommand = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 3 + +- strlen( listfile ) +4 ); +- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive, +- archivers[i].listargs, name, listfile ); +- if ( system(listcommand)!=0 ) { +- free(listcommand); free(listfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].listargs; ++ command[2] = name; ++ command[3] = NULL; // command args need to be NULL-terminated ++ ++ if ( g_spawn_sync( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ &stderrresponse, ++ NULL, ++ NULL ++ ) == 
FALSE) { // did not successfully execute ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(listcommand); ++ // Write out the listfile to be read in later ++ FILE *fp = fopen(listfile, "wb"); ++ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp); ++ fclose(fp); + + desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall); + free(listfile); +@@ -847,22 +862,28 @@ return( NULL ); + return( NULL ); + } + +- /* I tried sending everything to stdout, but that doesn't work if the */ +- /* output is a directory file (ufo, sfdir) */ +- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 1 + +- strlen( desiredfile ) + 3 + +- strlen( archivedir ) + 30 ); +- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir, +- archivers[i].unarchive, +- archivers[i].extractargs, name, doall ? "" : desiredfile ); +- if ( system(unarchivecmd)!=0 ) { +- free(unarchivecmd); free(desiredfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].extractargs; ++ command[2] = name; ++ command[3] = doall ? 
"" : desiredfile; ++ command[4] = NULL; ++ ++ if ( g_spawn_sync( ++ (gchar*)archivedir, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ &stderrresponse, ++ NULL, ++ NULL ++ ) == FALSE) { // did not successfully execute ++ free(desiredfile); ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(unarchivecmd); + + finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1); + sprintf( finalfile, "%s/%s", archivedir, desiredfile ); +@@ -885,20 +906,54 @@ struct compressors compressors[] = { + + char *Decompress(char *name, int compression) { + char *dir = getenv("TMPDIR"); +- char buf[1500]; + char *tmpfn; +- ++ gchar *command[4]; ++ gint stdout_pipe; ++ gchar buffer[4096]; ++ gssize bytes_read; ++ GByteArray *binary_data = g_byte_array_new(); ++ + if ( dir==NULL ) dir = P_tmpdir; + tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2); + strcpy(tmpfn,dir); + strcat(tmpfn,"/"); + strcat(tmpfn,GFileNameTail(name)); + *strrchr(tmpfn,'.') = '\0'; +- snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn ); +- if ( system(buf)==0 ) +-return( tmpfn ); +- free(tmpfn); +-return( NULL ); ++ ++ command[0] = compressors[compression].decomp; ++ command[1] = "-c"; ++ command[2] = name; ++ command[3] = NULL; ++ ++ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data) ++ if (g_spawn_async_with_pipes( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ &stdout_pipe, ++ NULL, ++ NULL) == FALSE) { ++ //command has failed ++ return( NULL ); ++ } ++ ++ // Read binary data from pipe and output to file ++ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) { ++ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read); ++ } ++ close(stdout_pipe); ++ ++ FILE *fp = fopen(tmpfn, "wb"); ++ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp); 
++ fclose(fp); ++ g_byte_array_free(binary_data, TRUE); ++ ++ return(tmpfn); + } + + static char *ForceFileToHaveName(FILE *file, char *exten) { diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb index 31dd495fd7..d470ff12d4 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb 
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \ file://0001-cmake-Use-alternate-way-to-detect-libm.patch \ file://0001-Fix-Translations-containing-invalid-directives-hs.patch \ + file://CVE-2024-25081_CVE-2024-25082.patch \ " S = "${WORKDIR}/git" From patchwork Tue Sep 23 11:57:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70780 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F9E3CAC5A7 for ; Tue, 23 Sep 2025 11:58:12 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=gLWjP+Ta; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628685; x=1790164685; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=iIaE+y7ahxWr49CjHv2uqZd3zVEc+rukL2neS4t9TVk=; b=gLWjP+Ta2Ze8x5Keg+maOb1lFBCPhlnc54bd+VyO/AXff/eP/s42xJ0F GsaFogXZb89Vu6k36PI0NuWudkdqAJOHKqj4SpWqSHlA/3E28u9SAp01t GW25J8mxjtvBU1W8FUiwtgsNtOWxYfuJo/OG2A26Lr8s/RZEIBLiqFEMn abgwck6tmmyzmOBQkKXnRI7pHUIRytrgjYA+9Kabc79Wz9cCNZs/krAZl OBuutJwfsxDKLoZMf6zxOVsr4fAja0CaV/iREuY70kBpHcg/n1XLoQ1MO l8BedIgZ82TzcuDCxFk6j4nFWpOEoI4Xg5JnpOJdFG6u5n9H3SIBmQ4hQ A==; X-CSE-ConnectionGUID: D1NcZiN+Qhiu+UFIdFxEsA== X-CSE-MsgGUID: Wn41eiCpTou0kqI8NGUhdw== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821807" 
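Review bot: in the listing hunk of Unarchive (splinefont.c, `@@ -827,18 +830,30 @@`), `g_spawn_sync(...) == FALSE` only reports a failure to launch; the wait-status argument is NULL, so a non-zero exit from the archiver, which the removed `system(listcommand)!=0` test caught, now falls through to ArchiveParseTOC. Pass a `gint` for the wait status and check it (g_spawn_check_wait_status, or g_spawn_check_exit_status on older GLib). The failure path also loses the `free(listfile)` the old code had, `fopen(listfile, "wb")` is used without a NULL check, and `stdoutresponse` / `stderrresponse` are never released with g_free().

Review bot: in the extract hunk of Unarchive (`@@ -847,22 +862,28 @@`), `command[3] = doall ? "" : desiredfile;` passes the archiver an empty-string argument when doall is set, where the old shell line expanded to nothing; terminate argv at index 3 in that case instead. `command[2] = name` goes in with no option terminator, so a file name beginning with `-` is parsed by the archiver as an option; since the tools in archivers[] may not all accept `--`, prefixing a relative name with `./` is the portable guard. The exit status is unchecked here as well, and the captured stdout/stderr buffers are allocated only to be dropped, where the old code sent output to /dev/null.

Review bot: in Decompress (`@@ -885,20 +906,54 @@`), `G_SPAWN_DO_NOT_REAP_CHILD` is set while the child-pid argument is NULL, so the child is never waited on and its exit status is lost: a failing decompressor leaves a zombie and the function still returns tmpfn with empty or partial content, where the old code returned NULL on `system(buf)!=0`. Capture the GPid, wait on it after the read loop, and return NULL (freeing tmpfn) on a non-zero status. The spawn-failure return leaks both tmpfn and binary_data, `fopen(tmpfn, "wb")` is unchecked, and the hard-coded `command[1] = "-c"` assumes every compressors[].decomp entry writes to stdout with that flag, which deserves a comment next to the table.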
X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821807" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:05 -0700 X-CSE-ConnectionGUID: aHHBbF5tRJmIa4bY5hpHlw== X-CSE-MsgGUID: aAMyh3xgSkG4r3cTIfiuMQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875224" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:04 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 16/24] fcgi: patch CVE-2025-23016 Date: Tue, 23 Sep 2025 19:57:19 +0800 Message-ID: <239223765568106604945dfd029b782f4d85200c.1758626365.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119705 From: Peter Marko Pick commit referencing this CVE. Signed-off-by: Peter Marko Signed-off-by: Gyorgy Sarvari (cherry picked from commit 6e86e0dd54e1ca7459f3e1afebf24f5437d8b586) Signed-off-by: Anuj Mittal --- .../fcgi/fcgi/CVE-2025-23016.patch | 40 +++++++++++++++++++ .../recipes-support/fcgi/fcgi_git.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch diff --git a/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch b/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch new file mode 100644 index 0000000000..b763d7651c --- /dev/null +++ b/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch 
@@ -0,0 +1,40 @@ +From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001 +From: Pycatchown <39068868+Pycatchown@users.noreply.github.com> +Date: Tue, 8 Apr 2025 17:39:30 +0200 +Subject: [PATCH] Update fcgiapp.c + +Fixing an integer overflow (CVE-2025-23016) + +CVE: CVE-2025-23016 +Upstream-Status: Backport [https://github.com/FastCGI-Archives/fcgi2/commit/b0eabcaf4d4f371514891a52115c746815c2ff15] +Signed-off-by: Peter Marko +--- + libfcgi/fcgiapp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libfcgi/fcgiapp.c b/libfcgi/fcgiapp.c +index 4ffe318..99c3630 100644 +--- a/libfcgi/fcgiapp.c ++++ b/libfcgi/fcgiapp.c +@@ -1173,6 +1173,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (nameLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + if((valueLen = FCGX_GetChar(stream)) == EOF) { + SetError(stream, FCGX_PARAMS_ERROR); +@@ -1185,6 +1189,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (valueLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + /* + * nameLen and valueLen are now valid; read the name and value diff --git a/meta-webserver/recipes-support/fcgi/fcgi_git.bb b/meta-webserver/recipes-support/fcgi/fcgi_git.bb index 61ef6073e0..d327d435d5 100644 --- a/meta-webserver/recipes-support/fcgi/fcgi_git.bb +++ b/meta-webserver/recipes-support/fcgi/fcgi_git.bb 
@@ -7,6 +7,7 @@ SRCREV = "382aa2b0d53a87c27f2f647dfaf670375ba0b85f" PV = "2.4.2" SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https;branch=master \ + file://CVE-2025-23016.patch \ " S = "${WORKDIR}/git" From patchwork Tue Sep 23 11:57:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70783 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7E87CAC5B2 for ; Tue, 23 Sep 2025 11:58:12 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=gSeMz1F+; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628687; x=1790164687; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=uW2u31tXLLOHwNClHLjWZL6WVsjIhoxPNrGyEI4Y1OM=; b=gSeMz1F+D887RJBZYS0ZgT9KLG3hp/c7Oc4cguUdOMuf9WNeY5bef007 UfTObCouBaVWhu6dhfcB1UD8ByL4/uRaXxcCaam7x6QhPZfIppG85ahYi BjhmiezVIgr3qS4Ns/ztXFeMEJ0vMNHiNxq06+TbhI9TCOLpqqwTXxIPA kFBRTvsNVUwCafhj3SjxNtXG4LoEr9w4NfN024CUk2UyxAjCh1ap7G90S Wq9EwKzfhO73he/dB+H01f+KwdjSvWEbw+msTPgyDdioJa82YfDlkV/qs VwwTaIZ7VyWFxx+Q4TAC0CWFWGUX4CrIxw98RP+EZZGuf6gvPpO8qi5lJ w==; X-CSE-ConnectionGUID: qqIFsxaHR4SqavTS4G+gyA== X-CSE-MsgGUID: wMQIG8ngT0unvCwCzlNNSw== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821809" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821809" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by 
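Review bot: `if (nameLen >= INT_MAX)` and the matching valueLen check in ReadParams (fcgiapp.c hunks of CVE-2025-23016.patch) can only fire for exactly 0x7fffffff, because `((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + (lenBuff[1] << 8) + lenBuff[2]` cannot exceed that value, so lengths just below INT_MAX still reach the code under the "nameLen and valueLen are now valid" comment. If that code adds the two lengths together for an allocation (not visible in these hunks), the sum can still overflow int; confirm against the full function and consider a much tighter cap on each length. The patch also uses INT_MAX without adding an include, so check that fcgiapp.c already pulls in <limits.h>, and the recipe commit message ("Pick commit referencing this CVE") should name the defect being fixed.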
orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:07 -0700 X-CSE-ConnectionGUID: +KqkvoYaQ5CwRNSIQGvvSA== X-CSE-MsgGUID: 5WeYSQluT5WxoXp+mytVkA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875232" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:06 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 17/24] lcov: Add missing RDEPENDS for nativesdk Date: Tue, 23 Sep 2025 19:57:20 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119706 From: Jef Driesen When building an SDK with lcov included, gcov isn't included in the SDK by default. Running lcov to generate coverage fails, because it tries to use the gcov binary from the host system instead and that causes problems if the gcc versions do not match. Signed-off-by: Jef Driesen Signed-off-by: Gyorgy Sarvari (cherry picked from commit 0cd6283a4174453ac8d927d917268ba0c3161a02) Signed-off-by: Anuj Mittal --- meta-oe/recipes-support/lcov/lcov_1.16.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/recipes-support/lcov/lcov_1.16.bb b/meta-oe/recipes-support/lcov/lcov_1.16.bb index 81b80790fe..6b8c105d3e 100755 --- a/meta-oe/recipes-support/lcov/lcov_1.16.bb +++ b/meta-oe/recipes-support/lcov/lcov_1.16.bb
@@ -50,6 +50,12 @@ RDEPENDS:${PN}:append:class-target = " \ gcov \ gcov-symlinks \ " + +RDEPENDS:${PN}:append:class-nativesdk = " \ + nativesdk-gcov \ + nativesdk-gcov-symlinks \ +" + SRC_URI = "https://github.com/linux-test-project/lcov/releases/download/v${PV}/lcov-${PV}.tar.gz" SRC_URI[md5sum] = "bfee0cef50d7b7bd1df03bfadf68dcef" SRC_URI[sha256sum] = "987031ad5528c8a746d4b52b380bc1bffe412de1f2b9c2ba5224995668e3240b" From patchwork Tue Sep 23 11:57:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70784 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B62BFCAC5B0 for ; Tue, 23 Sep 2025 11:58:12 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=ZglyFD5s; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628689; x=1790164689; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=cLKNdSDU93zQA9d41V+noXqoVtbqjldZIgAOO16X76c=; b=ZglyFD5sr/PvoMZTUGhCj//NVQAQP+Z0df/Je+2I69ZPMgi4WN7uWDTG MrAe53VL0yBNjaVoPn7oJjwP4JKjRioO32UX4E4T9cnA5Je0En2B0u8X4 i0VzKpWFsOY0vtbqbD6Je43l+mZN42STov/9q7Bp56yjfVyUc7c9jOW9U EexAuozMaJxSuFTFZ6xodSeU22thdS5YoGToXiiInEhEiA9HPf9pJLo8g FErc/oc4gU846HWnR5OXOFYDslW7Oi0Vw3YErZxL6QWhIV/ha70+HvmKO NvSASX+qSE7/e8WnbekrEL4abp9BSHYeZ4FGNQp2FBFsAtOT5SBYXJxoS A==; X-CSE-ConnectionGUID: hNq1wYu0QAWNWBFSMMAQQw== X-CSE-MsgGUID: 
UtRrzzIQQTCmW8ZumpgVaA== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821812" X-IronPort-AV: E=Sophos;i="6.17,312,1747724400"; d="scan'208";a="60821812" Received: from orviesa006.jf.intel.com ([10.64.159.146]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:08 -0700 X-CSE-ConnectionGUID: qxCZh5cERtmrlKdmwJqN/Q== X-CSE-MsgGUID: CuIVCYJWTqG64RRyk7HdgA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.18,287,1751266800"; d="scan'208";a="175875238" Received: from anmitta2-mobl4.gar.corp.intel.com (HELO anmitta2-mobl4.intel.com) ([10.247.118.223]) by orviesa006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2025 04:58:07 -0700 From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 18/24] libvncserver: fix generated LibVNCServerTargets.cmake Date: Tue, 23 Sep 2025 19:57:21 +0800 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Sep 2025 11:58:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119707 
From: Marc Ferland The currently generated LibVNCServerTargets.cmake will include the following 'set_target_properties': set_target_properties(LibVNCServer::vncclient PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include" INTERFACE_LINK_LIBRARIES "systemd;/usr/lib/libz.so;/usr/lib/liblzo2.so;/usr/lib/libjpeg.so;/usr/lib/libgcrypt.so;/usr/lib/libgnutls.so" ) INTERFACE_LINK_LIBRARIES here points to absolute paths which hardcodes the library paths. From CMake doc [1]: Note that it is not advisable to populate the INTERFACE_LINK_LIBRARIES of a target with absolute paths to dependencies. That would hard-code into installed packages the library file paths for dependencies as found on the machine the package was made on. This breaks krfb build (kde desktop sharing server) since CMake cannot find these libraries. Removing the absolute paths solves the issue. Note: I also added a 'inherit pkgconfig' since libvncserver uses it to detect libsystemd presence. 1: https://cmake.org/cmake/help/latest/prop_tgt/INTERFACE_LINK_LIBRARIES.html Signed-off-by: Marc Ferland Signed-off-by: Khem Raj (cherry picked from commit 215694286716cf83bf9e52c5e61b4cbc861098fc) Signed-off-by: Anuj Mittal --- meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb index ce01593b8b..6f271ee0d3 100644 --- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb @@ -42,7 +42,7 @@ PACKAGECONFIG[zlib] = "-DWITH_ZLIB=ON,-DWITH_ZLIB=OFF,zlib" PACKAGE_BEFORE_PN = "libvncclient" FILES:libvncclient = "${libdir}/libvncclient.*" -inherit cmake +inherit cmake pkgconfig SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028" 
@@ -52,5 +52,5 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = "-DMAKE_INSTALL_LIBDIR=${libdir}" do_install:append() { - sed -i -e 's|${STAGING_DIR_HOST}||g' ${D}${libdir}/cmake/LibVNCServer/LibVNCServerTargets.cmake + sed -i -e 's|${STAGING_DIR_HOST}${libdir}/||g' ${D}${libdir}/cmake/LibVNCServer/LibVNCServerTargets.cmake } From patchwork Tue Sep 23 11:57:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70782 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3D25CAC5B3 for ; Tue, 23 Sep 2025 11:58:12 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by mx.groups.io with SMTP id smtpd.web11.15019.1758628660267361449 for ; Tue, 23 Sep 2025 04:58:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=YWcSfKiE; spf=pass (domain: intel.com, ip: 198.175.65.21, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1758628690; x=1790164690; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Rl2mo0wZ+K6kPTxjV7n6YEXBtGUgsFRw2gFqW/rdKxQ=; b=YWcSfKiE8u/uUJGKeWoj7aQ+qDle9zICATJJMCMnxQc2NO+HK1WRu9bN davz/tVO4/Q0CovWYrwnsu5w6EWAhIGCJftHYXcikBjgoOY1Oax7xYZF1 7pdBR70UhZtQqn5GhgXddio2DK+qnwmUrDJ67qis6wC5o7OJKfNOxHXgh fGUnCbTIOBCmKKQ5zXeyacA449vQaqKPtgS2Adssitx3gNdfOpD5Aos7x arS6tYwHHhVd87ihZZQNzz2hR5/gPn8zJJuAYoccUzTUP+DuxdB2p6hHv Wj8YdzpQWplXfQAYrnYtSy6rPFRkRK6dkOdjdL1gOpEPlp4gFRic8mcjf g==; X-CSE-ConnectionGUID: 2joB6v/rSEKbycv+CgJghA== X-CSE-MsgGUID: w1W0Ym49R1C9NEpPCVDFoA== X-IronPort-AV: E=McAfee;i="6800,10657,11531"; a="60821814" X-IronPort-AV: 
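Review bot: the new sed expression in do_install:append, `s|${STAGING_DIR_HOST}${libdir}/||g`, only rewrites entries that sit directly in ${libdir}; the expression it replaces stripped the sysroot prefix from every path, so a dependency resolved from any other directory (${base_libdir}, for example) would now ship in LibVNCServerTargets.cmake with the build host's sysroot path intact. Keep a second `-e 's|${STAGING_DIR_HOST}||g'` after the new one, or state in the commit message that every linked library is known to live in ${libdir}. The `inherit cmake pkgconfig` change in the first hunk is unrelated to the path fix and would be easier to track as its own commit.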
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 19/24] gtkwave: Add libtirpc to depends Date: Tue, 23 Sep 2025 19:57:22 +0800 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119708 From: Khem Raj It was missing as the recipe is using --with-tirpc Signed-off-by: Khem Raj Adapted for Walnascar Signed-off-by: Gyorgy Sarvari (cherry picked from commit 8832aa3ca83d6a2f705d4aa48496f8bd12c9cc15) Signed-off-by: Anuj Mittal --- meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb b/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb index 0b1b054041..1b16a22a44 100644 --- a/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb +++ b/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb 
@@ -13,6 +13,7 @@ DEPENDS = " \ gperf-native \ gtk+3 \ gdk-pixbuf \ + libtirpc \ tcl \ tk \ bzip2 \
From patchwork Tue Sep 23 11:57:23 2025 X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70785
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 20/24] geoip: fix do_fetch error Date: Tue, 23 Sep 2025 19:57:23 +0800 Message-ID: <371879bee73e7b69ebc704257094359be8d339b5.1758626365.git.anuj.mittal@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119709 From: Wang Mingyu Change the SRC_URI to the correct value due to the following error: ERROR: geoip-1.6.12-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'http://sources.openembedded.org/GeoIP.dat.20181205.gz;apply=no;name=GeoIP-dat;') Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit aadc2ac9dc49dfb5a2066401f22e7b553b324313) Signed-off-by: Anuj Mittal --- meta-networking/recipes-support/geoip/geoip_1.6.12.bb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 429cd69d6d..12599f97de 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb 
@@ -11,10 +11,10 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ - http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ - http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ - http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ - http://sources.openembedded.org/GeoLiteCityv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCityv6-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoLiteCityv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCityv6-dat; \ file://run-ptest \ " SRCREV = "4b526e7331ca1d692b74a0509ddcc725622ed31a"
From patchwork Tue Sep 23 11:57:24 2025 X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70786
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 21/24] nng: Rename default branch of github.com:nanomsg/nng.git Date: Tue, 23 Sep 2025 19:57:24 +0800 Message-ID: <429e7401a2c4b412e26d4bd78bb507adf4b9a9ca.1758626365.git.anuj.mittal@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119710 From: Jeroen Knoops Default branch is renamed from `master` to `main`. Commit SHAs are the same. Signed-off-by: Jeroen Knoops Signed-off-by: Khem Raj (cherry picked from commit 58679b6a515b51d28c480836ad598fca6f0cc655) Signed-off-by: Anuj Mittal --- meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb index a6556249b7..9ae3b89371 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb 
@@ -5,7 +5,7 @@ SECTION = "libs/networking" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a41e579bb4326c21c774f8e51e41d8a3" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=master;protocol=https" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=main;protocol=https" SRCREV = "85fbe7f9e4642b554d0d97f2e3ff2aa12978691a" S = "${WORKDIR}/git"
From patchwork Tue Sep 23 11:57:25 2025 X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70788
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 22/24] rp-pppoe: update SRC_URI Date: Tue, 23 Sep 2025 19:57:25 +0800 Message-ID: <9a3078e6fe4ef072b6b6e97328b8e435111d58ad.1758626365.git.anuj.mittal@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119711 From: Wang Mingyu Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit c400aca52a19d74bcc05873eaad8265ecd024d9b) Signed-off-by: Anuj Mittal --- meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb b/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb index 4dfdb8fc21..1bfa4d1e2c 100644 --- a/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb +++ b/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb 
@@ -5,7 +5,7 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a194eaefae2be54ee3221339b10d0581" -SRC_URI = "https://dianne.skoll.ca/projects/rp-pppoe/download/OLD/rp-pppoe-${PV}.tar.gz \ +SRC_URI = "https://downloads.uls.co.za/rp-pppoe/rp-pppoe-${PV}.tar.gz \ file://top-autoconf.patch \ file://configure_in_cross.patch \ file://update-config.patch \
From patchwork Tue Sep 23 11:57:26 2025 X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70787
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 23/24] mod-dnssd: update SRC_URI Date: Tue, 23 Sep 2025 19:57:26 +0800 Message-ID: <293446bfa960962113ca22e184cdcbf7bfa545ef.1758626365.git.anuj.mittal@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119712 From: Gyorgy Sarvari Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 10c13bf1fbe18ee51b27d6538df5058879ef1d3b) Signed-off-by: Anuj Mittal --- meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb index 5fac0a6ed4..6f2a2330ae 100644 --- a/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb +++ b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb 
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" DEPENDS = "apache2 avahi" -SRC_URI = "git://git.0pointer.de/mod_dnssd;protocol=git;branch=master" +SRC_URI = "git://git.0pointer.net/mod_dnssd.git;protocol=https;branch=master" SRCREV = "be2fb9f6158f800685de7a1bc01c39b6cf1fa12c" S = "${WORKDIR}/git"
From patchwork Tue Sep 23 11:57:27 2025 X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 70789
From: Anuj Mittal To: openembedded-devel@lists.openembedded.org Subject: [scarthgap][PATCH 24/24] ssmping: Use debian mirror for SRC_URI Date: Tue, 23 Sep 2025 19:57:27 +0800 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119713 From: Khem Raj Original URI is not accessible anymore Drop md5sum Signed-off-by: Khem Raj (cherry picked from commit ceb91603415c6e059d866666574dd1be5b93867a) Signed-off-by: Anuj Mittal --- meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb b/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb index 0531ffe640..307120dc75 100644 --- a/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb +++ b/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb 
@@ -4,10 +4,9 @@ SECTION = "net" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://asmping.c;beginline=2;endline=11;md5=1ca8d1a1ca931e5cfe604ebf20a78b71" -SRC_URI = "http://www.venaas.no/multicast/ssmping/${BP}.tar.gz \ +SRC_URI = "${DEBIAN_MIRROR}/main/s/${BPN}/${BPN}_${PV}.orig.tar.gz;downloadfilename=${BP}.tar.gz \ file://0001-Makefile-tweak-install-dir.patch \ " -SRC_URI[md5sum] = "ad8e3d13f6d72918f73be7e7975d7fad" SRC_URI[sha256sum] = "22103a37eaa28489169a0927bc01e0596c3485fc4d29fc8456c07fd2c70fca6d" CFLAGS += "-D_GNU_SOURCE "
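Review bot: In the libvncserver_0.9.14.bb `do_install:append()` hunk, the new expression `s|${STAGING_DIR_HOST}${libdir}/||g` only rewrites entries that sit directly under `${libdir}`, whereas the removed `s|${STAGING_DIR_HOST}||g` stripped the sysroot prefix wherever it appeared. Any dependency CMake resolved from another directory in the sysroot would now keep its full build-host path in the installed LibVNCServerTargets.cmake. Consider keeping the old expression as a second `-e` after the new one, so that no `${STAGING_DIR_HOST}` string can survive into the package.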
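Review bot: For the gtkwave_3.3.119.bb `DEPENDS` hunk, the commit message carries "Adapted for Walnascar" although this series is tagged [scarthgap]. Please say what, if anything, was adapted for this branch, or drop that line if the `+ libtirpc \` addition applied unchanged.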
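Review bot: In the geoip_1.6.12.bb `SRC_URI` hunk, all four database downloads move to a new host, but no `SRC_URI[<name>.sha256sum]` line appears in the hunk, so the existing checksums for `GeoIP-dat`, `GeoIPv6-dat`, `GeoLiteCity-dat` and `GeoLiteCityv6-dat` are the only thing tying the new files to the old ones. Please state in the commit message that do_fetch passes with those checksums unchanged. Each of the four entries also still ends in a stray `;` after `name=...`, which could be dropped while these lines are being touched.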
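Review bot: In the rp-pppoe_3.15.bb hunk, the tarball source moves from `dianne.skoll.ca` to a different domain, `downloads.uls.co.za`, and the commit message says only "Upstream repository url changed". Please cite where upstream announced the new location, and note whether the recipe's checksum for `rp-pppoe-${PV}.tar.gz` (not visible in this hunk) is unchanged, so a reviewer can confirm the same archive is being fetched.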
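Review bot: In the mod-dnssd_0.6.bb hunk, the `SRC_URI` line changes `protocol=git` to `protocol=https` as well as the host (`git.0pointer.de` to `git.0pointer.net`) and the path (`mod_dnssd` to `mod_dnssd.git`), but the commit message mentions only a URL change. The move off the unauthenticated git protocol deserves its own sentence in the message. `SRCREV` is unchanged context, so the pinned revision stays the same.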
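Review bot: In the ssmping_0.9.1.bb hunk, `SRC_URI[md5sum]` is removed and the fetch switches to Debian's `${BPN}_${PV}.orig.tar.gz`, while `SRC_URI[sha256sum]` stays as unchanged context, which means the Debian archive has to be byte-identical to the old upstream tarball. Please say in the commit message that the fetch was verified against that sha256, since "Original URI is not accessible anymore" leaves reviewers no way to compare against the original download.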