From patchwork Thu Sep 25 14:05:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 71020 X-Patchwork-Delegate: steve@sakoman.com
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 01/10] gstreamer1.0: set status of 5 CVEs to patched Date: Thu, 25 Sep 2025 16:05:05 +0200 Message-Id: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224030 From: Peter Marko These CVEs were fixed in last upgrade. See commit message for 340b182d5fc972175f1d2a89127f807073c10255 Signed-off-by: Peter Marko --- meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb index 6ed00f9aa4b..db662dfec17 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb
@@ -71,4 +71,8 @@ RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-gconv-iso8859-5" CVE_PRODUCT = "gstreamer" +CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORT" +CVE_STATUS_STABLE_BACKPORT = "CVE-2025-47183 CVE-2025-47219 CVE-2025-47806 CVE-2025-47807 CVE-2025-47808" +CVE_STATUS_STABLE_BACKPORT[status] = "cpe-stable-backport: these CVEs are patched in current version" + PTEST_BUILD_HOST_FILES = ""
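Review bot: the status text on the added CVE_STATUS_STABLE_BACKPORT[status] line in gstreamer1.0_1.24.13.bb (patch 01/10) gives no version or commit, so the only evidence for "patched in current version" is the commit message's pointer to 340b182d5fc972175f1d2a89127f807073c10255. Suggest naming the release that carries the fixes in the string itself, for example "fixed in 1.24.13" if that is what the referenced upgrade delivered, so the entry can be re-verified or dropped at the next version bump.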
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 02/10] gstreamer1.0: ignore CVE-2025-2759 Date: Thu, 25 Sep 2025 16:05:06 +0200 Message-Id: <20250925140514.1103300-2-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224031 From: Peter Marko Copy statement from [1] that it is problem of installers (non-Linux). Also [2] linked in NVD says "Fixed in 1.25.1 Gstreamer Installer". Since Yocto builds from sources into our own packages, ignore it. [1] https://security-tracker.debian.org/tracker/CVE-2025-2759 [2] https://www.zerodayinitiative.com/advisories/ZDI-25-268/ Signed-off-by: Peter Marko --- meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb index db662dfec17..71a360ae7b3 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb
@@ -75,4 +75,6 @@ CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORT" CVE_STATUS_STABLE_BACKPORT = "CVE-2025-47183 CVE-2025-47219 CVE-2025-47806 CVE-2025-47807 CVE-2025-47808" CVE_STATUS_STABLE_BACKPORT[status] = "cpe-stable-backport: these CVEs are patched in current version" +CVE_STATUS[CVE-2025-2759] = "not-applicable-platform: affects installation packages for non Linux OSes" + PTEST_BUILD_HOST_FILES = ""
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 03/10] gstreamer1.0: set status of CVE-2025-3887 to patched Date: Thu, 25 Sep 2025 16:05:07 +0200 Message-Id: <20250925140514.1103300-3-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224032 From: Peter Marko This CVE was fixed in plugins-bad. See [1] and [2] which is included in 1.24.13. These commits are backport of [3] to 1.24. Commits fixing this CVE were copied from [4]. [1] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e4351ef03f1331410b0c1216a6178d885f37e495 [2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed4c2ce380f7168bd4a3423f4398eb341cb931c7 [3] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8884 [4] https://security-tracker.debian.org/tracker/CVE-2025-3887 Signed-off-by: Peter Marko --- meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb index 71a360ae7b3..d15b7daab8c 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.24.13.bb
@@ -77,4 +77,8 @@ CVE_STATUS_STABLE_BACKPORT[status] = "cpe-stable-backport: these CVEs are patche CVE_STATUS[CVE-2025-2759] = "not-applicable-platform: affects installation packages for non Linux OSes" +CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BAD" +CVE_STATUS_PLUGINS_BAD = "CVE-2025-3887" +CVE_STATUS_PLUGINS_BAD[status] = "cpe-incorrect: these CVEs is patched in current version of gstreamer1.0-plugins-bad" + PTEST_BUILD_HOST_FILES = ""
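Review bot: the new CVE_STATUS_PLUGINS_BAD group in gstreamer1.0_1.24.13.bb (patch 03/10) holds a single CVE and its status text reads "these CVEs is patched". A plain CVE_STATUS[CVE-2025-3887] entry, in the same form as the CVE-2025-2759 line directly above it, would be shorter and avoids the plural; if the group is kept for later additions, correct the wording to "this CVE is patched". The string could also name 1.24.13, which the commit message gives as the release containing the fix, instead of "current version".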
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Ross Burton , Mathieu Dubois-Briand , Richard Purdie , Peter Marko Subject: [OE-core][walnascar][PATCH 04/10] pulseaudio: ignore CVE-2024-11586 Date: Thu, 25 Sep 2025 16:05:08 +0200 Message-Id: <20250925140514.1103300-4-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224033 From: Ross Burton As per the linked ticket, this issue is related to an Ubuntu-specific patch that we don't have. (From OE-Core rev: dc81fdc6bdf8ab39b7f2fd994d50256430c36558) Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc index 4708145bb96..9aa40a4779a 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -282,3 +282,5 @@ RDEPENDS:pulseaudio-server += "\ RDEPENDS:pulseaudio-server += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', \ bb.utils.contains('DISTRO_FEATURES', 'systemd', 'pulseaudio-module-systemd-login', 'pulseaudio-module-console-kit', d), \ '', d)}" + +CVE_STATUS[CVE-2024-11586] = "not-applicable-platform: specific to Ubuntu 16.04"
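Review bot: the CVE_STATUS[CVE-2024-11586] line added at the end of pulseaudio.inc (patch 04/10) has no reference next to it, and the commit message cites "the linked ticket" without giving a link. A comment above the entry with the ticket URL would let the next reader check the claim. The status text says "specific to Ubuntu 16.04" while the message says the cause is an Ubuntu-specific patch that is not carried here; stating the latter in the string is the more checkable reason.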
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Ross Burton , Mathieu Dubois-Briand , Richard Purdie , Peter Marko Subject: [OE-core][walnascar][PATCH 05/10] grub2: mark CVE-2024-2312 as not applicable Date: Thu, 25 Sep 2025 16:05:09 +0200 Message-Id: <20250925140514.1103300-5-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224034 From: Ross Burton This issue is specific to the peimage module that Ubuntu add, and is not an upstream issue. (From OE-Core rev: 8d2fe3f403e6435e1ffe122a6776381090752d8a) Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Peter Marko --- meta/recipes-bsp/grub/grub2.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 1fe39a59d2d..0563e5f7616 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -43,6 +43,7 @@ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154 CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" +CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu" DEPENDS = "flex-native bison-native gettext-native"
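Review bot: the added CVE_STATUS[CVE-2024-2312] line in grub2.inc (patch 05/10) says only "Applies only to Ubuntu", which drops the one detail the commit message gives for verifying it: the issue is in the peimage module that Ubuntu adds. Suggest putting that in the string, for example "Applies only to Ubuntu (peimage module)", so the claim can be checked against the source tree without reading the commit history.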
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 06/10] cups: patch CVE-2025-58060 Date: Thu, 25 Sep 2025 16:05:10 +0200 Message-Id: <20250925140514.1103300-6-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224035 From: Peter Marko Pick commit mentioned in NVD report. Signed-off-by: Peter Marko --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2025-58060.patch | 60 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58060.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index b8761df0d57..aa55d41b843 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ + file://CVE-2025-58060.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58060.patch b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch new file mode 100644 index 00000000000..adb1f10a054
--- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58060.patch 
@@ -0,0 +1,60 @@ +From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 11 Sep 2025 14:44:59 +0200 +Subject: [PATCH] cupsd: Block authentication using alternate method + +Fixes: CVE-2025-58060 + +CVE: CVE-2025-58060 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221] +Signed-off-by: Peter Marko +--- + scheduler/auth.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/scheduler/auth.c b/scheduler/auth.c +index 5fa53644d..3c9aa72aa 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + int userlen; /* Username:password length */ + + ++ /* ++ * Only allow Basic if enabled... ++ */ ++ ++ if (type != CUPSD_AUTH_BASIC) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled."); ++ return; ++ } ++ + authorization += 5; + while (isspace(*authorization & 255)) + authorization ++; +@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + * Validate the username and password... + */ + +- if (type == CUPSD_AUTH_BASIC) + { + #if HAVE_LIBPAM + /* +@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + /* Output token for username */ + gss_name_t client_name; /* Client name */ + ++ /* ++ * Only allow Kerberos if enabled... 
++ */ ++ ++ if (type != CUPSD_AUTH_NEGOTIATE) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled."); ++ return; ++ } ++ + # ifdef __APPLE__ + /* + * If the weak-linked GSSAPI/Kerberos library is not present, don't try
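Review bot: in the scheduler/auth.c hunks of CVE-2025-58060.patch (patch 06/10), the hunk at -558 removes the "if (type == CUPSD_AUTH_BASIC)" guard and leaves an unconditional block, so the Basic path is only safe if the new "if (type != CUPSD_AUTH_BASIC) ... return;" from the hunk at -513 lands in the same branch of cupsdAuthorize(). Please confirm the backport applies to the recipe's CUPS version without offset or fuzz, and that the bare "return;" leaves the connection with no authenticated user, since neither hunk shows that state being reset. The commit message would also be easier to audit if it named the upstream commit from the Upstream-Status line instead of "commit mentioned in NVD report".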
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 07/10] cups: patch CVE-2025-58364 Date: Thu, 25 Sep 2025 16:05:11 +0200 Message-Id: <20250925140514.1103300-7-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224036 From: Peter Marko Pick commit mentioned in NVD report Signed-off-by: Peter Marko --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2025-58364.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58364.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index aa55d41b843..dd035634c57 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -16,6 +16,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://volatiles.99_cups \ file://cups-volatiles.conf \ file://CVE-2025-58060.patch \ + file://CVE-2025-58364.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58364.patch b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch new file mode 100644 index 00000000000..0f155ee7366 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58364.patch
@@ -0,0 +1,58 @@ +From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 11 Sep 2025 14:53:49 +0200 +Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()` + +Fixes: CVE-2025-58364 + +CVE: CVE-2025-58364 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d] +Signed-off-by: Peter Marko +--- + cups/ipp.c | 26 +------------------------- + 1 file changed, 1 insertion(+), 25 deletions(-) + +diff --git a/cups/ipp.c b/cups/ipp.c +index 283e386b6..e1e361b2c 100644 +--- a/cups/ipp.c ++++ b/cups/ipp.c +@@ -2949,31 +2949,6 @@ ippReadIO(void *src, /* I - Data source */ + */ + + tag = (ipp_tag_t)buffer[0]; +- if (tag == IPP_TAG_EXTENSION) +- { +- /* +- * Read 32-bit "extension" tag... +- */ +- +- if ((*cb)(src, buffer, 4) < 4) +- { +- DEBUG_puts("1ippReadIO: Callback returned EOF/error"); +- goto rollback; +- } +- +- tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]); +- +- if (tag & IPP_TAG_CUPS_CONST) +- { +- /* +- * Fail if the high bit is set in the tag... 
+- */ +- +- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1); +- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag)); +- goto rollback; +- } +- } + + if (tag == IPP_TAG_END) + { +@@ -3196,6 +3171,7 @@ ippReadIO(void *src, /* I - Data source */ + + if ((*cb)(src, buffer, (size_t)n) < n) + { ++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1); + DEBUG_puts("1ippReadIO: unable to read name."); + goto rollback; + }
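Review bot: the cups/ipp.c hunk at -2949 in CVE-2025-58364.patch (patch 07/10) deletes the whole IPP_TAG_EXTENSION branch of ippReadIO(), so a one-byte tag equal to IPP_TAG_EXTENSION now falls straight through to the checks that begin at "if (tag == IPP_TAG_END)", and the visible context does not show what the later code does with that value. Please confirm against the full function in the recipe's CUPS version that such a tag is handled or rejected cleanly, and say in the commit message that extension tags are no longer parsed; "Pick commit mentioned in NVD report" gives a stable-branch reviewer nothing to assess the behaviour change with.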
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 08/10] tiff: ignore CVE-2025-8851 Date: Thu, 25 Sep 2025 16:05:12 +0200 Message-Id: <20250925140514.1103300-8-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224037 From: Peter Marko This is fixed in v4.7.0, however cve_check cannot match it as NVD says "Up to (excluding) 2024-08-11". Signed-off-by: Peter Marko --- meta/recipes-multimedia/libtiff/tiff_4.7.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 2155ac8df45..fd383e3d6a3 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -28,6 +28,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://secur CVE_STATUS[CVE-2023-52356] = "fixed-version: Fixed since 4.7.0, NVD tracks this as version-less vulnerability" CVE_STATUS[CVE-2023-6228] = "fixed-version: Fixed since 4.7.0, NVD tracks this as version-less vulnerability" CVE_STATUS[CVE-2023-6277] = "fixed-version: Fixed since 4.7.0, NVD tracks this as version-less vulnerability" +CVE_STATUS[CVE-2025-8851] = "fixed-version: Fixed since 4.7.0, NVD tracks this as fixed in 2024-08-11 vulnerability" inherit autotools multilib_header
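Review bot: the status text on the added CVE_STATUS[CVE-2025-8851] line in tiff_4.7.0.bb (patch 08/10), "NVD tracks this as fixed in 2024-08-11 vulnerability", is hard to parse and loses the reason given in the commit message, namely that NVD bounds the affected range by date ("Up to (excluding) 2024-08-11") and cve_check cannot compare that with a version. Suggest wording such as "Fixed since 4.7.0, NVD tracks this by date (2024-08-11) instead of version". The subject says "ignore" while the entry uses fixed-version; a subject that says the status is set to fixed would match what the line does.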
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 09/10] tiff: patch CVE-2025-9165 Date: Thu, 25 Sep 2025 16:05:13 +0200 Message-Id: <20250925140514.1103300-9-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224038 From: Peter Marko Pick commit mentioned in NVD report. Signed-off-by: Peter Marko --- .../libtiff/tiff/CVE-2025-9165.patch | 29 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.7.0.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch new file mode 100644 index 00000000000..560229284c9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch
@@ -0,0 +1,29 @@ +From ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 8 Aug 2025 21:35:30 +0200 +Subject: [PATCH] tiffcmp: fix memory leak when second file cannot be opened. + +Closes #728, #729 + +CVE: CVE-2025-9165 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0] +Signed-off-by: Peter Marko +--- + tools/tiffcmp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c +index 529c1cdc..88d9470f 100644 +--- a/tools/tiffcmp.c ++++ b/tools/tiffcmp.c +@@ -105,7 +105,10 @@ int main(int argc, char *argv[]) + return (2); + tif2 = TIFFOpen(argv[optind + 1], "r"); + if (tif2 == NULL) ++ { ++ TIFFClose(tif1); + return (2); ++ } + dirnum = 0; + while (tiffcmp(tif1, tif2)) + { diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index fd383e3d6a3..405edabe6f4 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb 
@@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8177_1.patch \ file://CVE-2025-8177_2.patch \ file://CVE-2025-8534.patch \ + file://CVE-2025-9165.patch \ " SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976" From patchwork Thu Sep 25 14:05:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 71029 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF217CAC5B1 for ; Thu, 25 Sep 2025 14:06:50 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.12466.1758809204139958026 for ; Thu, 25 Sep 2025 07:06:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=rSy2Pksn; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-202509251406415587c66ef600020797-hqgl6r@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 202509251406415587c66ef600020797 for ; Thu, 25 Sep 2025 16:06:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=sUaLTSKRQzZRXJ2V3hqLzaUxCUDH72IuDC2un7vG7nM=; b=rSy2PksnCbhMX0uPP48hKuuBQOQITVLqpWkWvTjlVwhzNAZX1XFUdRIbiEEBs/KJK1kg9P V/kTUuZt50iQBwzgt1vrl5J+o33TYHcHUPxlqOODQFW1dg8fgYHtOSNluKDaFV3OBbTYq1fD CS19TrbOkHFmPe8hA5RSlDHnej0GNt55ZqIxzLKaGYuMGY7SqqXmgARLLqEr9EvFFjGLr0t6 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 10/10] tiff: patch CVE-2025-8961 Date: Thu, 25 Sep 2025 16:05:14 +0200 Message-Id: <20250925140514.1103300-10-peter.marko@siemens.com> In-Reply-To: <20250925140514.1103300-1-peter.marko@siemens.com> References: <20250925140514.1103300-1-peter.marko@siemens.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224039 From: Peter Marko Pick commit mentioned in [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-8961 Signed-off-by: Peter Marko --- .../libtiff/tiff/CVE-2025-8961.patch | 73 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.7.0.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch new file mode 100644 index 00000000000..90207da42b1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,73 @@ +From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 21:42:35 +0000 +Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue + #721 + +CVE: CVE-2025-8961 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] +Signed-off-by: Peter Marko +--- + tools/tiffcrop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ae414efc..be250cc9 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; + default: + TIFFError("readContigTilesIntoBuffer", + "Unsupported bit depth %" PRIu16, bps); ++ _TIFFfree(tilebuf); + return 1; + } + } +@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[]) + } + + /* If we did not use the read buffer as the crop buffer */ +- if (read_buff) ++ 
if (read_buff && read_buff != crop_buff) + _TIFFfree(read_buff); + + if (crop_buff) diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 405edabe6f4..91e7bfbe172 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8177_2.patch \ file://CVE-2025-8534.patch \ file://CVE-2025-9165.patch \ + file://CVE-2025-8961.patch \ " SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"
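Review bot: in the tiff_4.7.0.bb hunk of patch 08/10 (@@ -28,6 +28,7 @@), the reason string added for CVE_STATUS[CVE-2025-8851] reads "NVD tracks this as fixed in 2024-08-11 vulnerability", which looks like the neighbouring "version-less vulnerability" wording edited halfway and does not parse. Suggest aligning it with the commit message, for example "Fixed since 4.7.0, NVD tracks the affected range by date (up to, excluding, 2024-08-11) instead of by version". The subject also says "ignore" while the status set is fixed-version; a subject along the lines of the 01/10 patch ("set status of ... to patched") would describe the change more accurately for anyone searching the log.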
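Review bot: in the tools/tiffcmp.c hunk carried by patch 09/10 (@@ -105,7 +105,10 @@ in main), the added TIFFClose(tif1) sits directly before "return (2);" from main(), so the handle it releases would be reclaimed at process exit in any case and the fix is confined to the tiffcmp command-line tool. The commit message only says "Pick commit mentioned in NVD report"; it would help to state that the leak is in tools/tiffcmp.c on the path where the second file cannot be opened, so that users of this branch who do not ship the tiff tools can judge relevance without opening the upstream issues. The CVE and Upstream-Status tags are present and the Upstream-Status URL matches the commit hash in the patch's From line.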
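Review bot: the commit message of patch 10/10 does not say that the backport to tools/tiffcrop.c covers two separate defects, and it should. The six "_TIFFfree(tilebuf);" additions before "return 1;" in readContigTilesIntoBuffer fix the leak on the error returns, while the change in main from "if (read_buff)" to "if (read_buff && read_buff != crop_buff)" fixes the double free, because the unchanged "if (crop_buff)" that follows frees the same pointer when the read buffer was reused as the crop buffer. Please name both in the message and state whether the upstream commit applied to 4.7.0 unmodified, since the hunks in readContigTilesIntoBuffer depend on the error paths being laid out as they are upstream.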
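Review bot: in the tiff_4.7.0.bb SRC_URI hunk of patch 10/10 (@@ -18,6 +18,7 @@), "file://CVE-2025-8961.patch" is appended after "file://CVE-2025-9165.patch", which breaks the ascending CVE order of the entries above it (CVE-2025-8177_1, CVE-2025-8177_2, CVE-2025-8534). If the list is meant to stay sorted, place the new entry before CVE-2025-9165.patch; the two patches touch different files (tools/tiffcrop.c and tools/tiffcmp.c), so the application order does not matter here.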