From patchwork Thu Oct 9 19:30:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71952 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 663EDCCD18C for ; Thu, 9 Oct 2025 19:31:19 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.9189.1760038279016436478 for ; Thu, 09 Oct 2025 12:31:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=zpShv/pv; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-78af9ebe337so1039765b3a.1 for ; Thu, 09 Oct 2025 12:31:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038278; x=1760643078; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GDDYcq8slEEDB8S27Gs2GwhetwMmIlYm9TLA9Kb1NEc=; b=zpShv/pve9ud5wHEIGxvrM3BEkAYpOTFziSgm+gegJ/ZT1NPgqTunbB8X9XWDa4IYi z2MmYIZNo/ayXNmoom1UOWC6H3Cx1BEVb2Vkt6D7I2530+aobZQthK7SB4oO7eyfbTnt mcmMPsljM+8YdKn4N3q5I5tDsRvJVDAfxtGlPKQQ11nfvYY0Tu63iAP6newzsvCyVRdN EdXvQ7ZChO5w/Hrr4tCbK65f6gIsSrFGye/giZWviqsHFA7Ub9kscHudCrg5lM+0CHAu ZKrCpvNoKWwVfmSWaB3Kvqq8drShTG5M7DdZopLMFTKx1XxoU4CGNiHtTMX6dio3N4b5 yaqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038278; x=1760643078; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GDDYcq8slEEDB8S27Gs2GwhetwMmIlYm9TLA9Kb1NEc=; b=QmasiziaOhfOl2ICME0b9XCo4g7rQxtWfSkDLwqFdXiadu1kFiKg8FvYa14drCG3cu 7xdedSqmXmNGBFlzOMLddqoZELrX+L5DJFsVc2xU6eB7vRnkkcf/5dpjV3j0pJdBnDez YeWJJ72ck1zCYiLVe7d25u9tGcBfDt0XXem7rIPNO0w6yRTwxmC8Jl8ki8caKZpJdWWo DED/CJtM72OuGPYmQNztePgTtLgZQaWF43l3bZms7DO4uj3dni3ThwIenLfXh72UJFOQ si/lwFxSBTnaR6vTLwqzb//6662n0ia2Uxaquz16Xhf8KUeNZD1XLmyvROwLfzatpoHI YRsQ== X-Gm-Message-State: AOJu0YymE/S3R0Yk+SxJgqtvlFOI4RtpzdDWB3moTqovFGRPbZmJlTEo 8Ho/H0Z3YYlx81yAnPQRNxT5cv1vBDKHYiGXv2ol9rz35D3QRZ/57lIv1UntU4B7sbN8bPAvOZh 7aUN4 X-Gm-Gg: ASbGncuiv5wR8gs8b46LyKIw99qDlCSsUxuVr4UfXnf1ndgNeOZm4egTfs3c/Sdry07 j+voaEw/juraMSBx0V6pd+NKLtLPb9ZhP4XeBTaW2BgmhkCP0P6iB/fwrDcOq8Gz80M6m7aTC3f YZx/nl1UpI/t68UNLAducgkJFBsrIrq3KoLxJWogNqCd4myjH17mI05zq2v3I+y3qQhTp5CDn/S G/4UyBfq609LijiNsNretX9JbWA3lhQH6C2kg9WsKTVarURqXHkqBwljxiQfnTiOADw0jsNW4kI If+zXu41QDWDZZr2/2Lm6EqQ4D1VMg+AUL5mpxS5O+PyOWsM91xJJSivb0krPkqZJKCqPs3QWZH mrU9h8fhFVtrtQtZPYImw3MbP0xUQjuCU3SuAmA== X-Google-Smtp-Source: AGHT+IF2PFCUi81hV+xG8wFa/e+1iEmnX0F+dW0uOttuFheNBf76g1iLPrVbscTxR8sU44Su71CPcw== X-Received: by 2002:a05:6a00:1701:b0:78c:9b1b:e0e3 with SMTP id d2e1a72fcca58-79385703ee8mr9886869b3a.7.1760038278112; Thu, 09 Oct 2025 12:31:18 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:17 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/24] libxml2: fix CVE-2025-9714 Date: Thu, 9 Oct 2025 12:30:45 -0700 Message-ID: <277692c2472f03ae62401bfbd26e8c4d872113d0.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224620 From: Theo GAIGE Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 Signed-off-by: Theo GAIGE Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2025-9714.patch | 117 ++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 118 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch new file mode 100644 index 0000000000..24d1a8348c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch @@ -0,0 +1,117 @@ +From 6ef8b9f05cc21d3fc28156fe5d1251834c29c7d7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 28 Jul 2022 20:21:24 +0200 +Subject: [PATCH] Make XPath depth check work with recursive invocations + +EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval +recursively. Don't set depth to zero but keep and restore the original +value to avoid stack overflows when abusing these functions. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21] +CVE: CVE-2025-9714 + +Signed-off-by: Theo GAIGE +--- + xpath.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index c2d845888..028471d53 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13883,12 +13883,11 @@ static int + xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + { + xmlXPathCompExprPtr comp; ++ int oldDepth; + + if ((ctxt == NULL) || (ctxt->comp == NULL)) + return(-1); + +- ctxt->context->depth = 0; +- + if (ctxt->valueTab == NULL) { + /* Allocate the value stack */ + ctxt->valueTab = (xmlXPathObjectPtr *) +@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + "xmlXPathRunEval: last is less than zero\n"); + return(-1); + } ++ oldDepth = ctxt->context->depth; + if (toBool) + return(xmlXPathCompOpEvalToBoolean(ctxt, + &comp->steps[comp->last], 0)); + else + xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]); ++ ctxt->context->depth = oldDepth; + + return(0); + } +@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr + xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + xmlXPathParserContextPtr pctxt; + xmlXPathCompExprPtr comp; ++ int oldDepth = 0; + + #ifdef XPATH_STREAMING + comp = xmlXPathTryStreamCompile(ctxt, str); +@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + if (pctxt == NULL) + return NULL; + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathCompileExpr(pctxt, 1); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + + if( pctxt->error != XPATH_EXPRESSION_OK ) + { +@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + comp = pctxt->comp; + if ((comp->nbStep > 1) && (comp->last >= 0)) { + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + } + pctxt->comp = NULL; + } +@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #ifdef XPATH_STREAMING + xmlXPathCompExprPtr comp; + #endif ++ int oldDepth = 0; + + if (ctxt == NULL) return; + +@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #endif + { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathCompileExpr(ctxt, 1); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + CHECK_ERROR; + + /* Check for trailing characters. */ +@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + + if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathOptimizeExpression(ctxt, + &ctxt->comp->steps[ctxt->comp->last]); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + } + } + +-- +2.43.0 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index f34b0c25ca..932251da98 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -42,6 +42,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2025-6021.patch \ file://CVE-2025-49794-CVE-2025-49796.patch \ file://CVE-2025-6170.patch \ + file://CVE-2025-9714.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Thu Oct 9 19:30:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71953 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4ECB2CCD184 for ; Thu, 9 Oct 2025 19:31:29 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web10.9237.1760038280986873791 for ; Thu, 09 Oct 2025 12:31:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=K58rfgo/; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-78af3fe5b17so1106534b3a.2 for ; Thu, 09 Oct 2025 12:31:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038280; x=1760643080; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=svI1iKRSpRCatu8c/C1HYiLHrGxbwILsgJvS1n8sPtg=; b=K58rfgo/l4omGjf427rWJjSyNWeCH7xitx529VqCQfdLsqIkdtV4twJiX9hPXOvIX1 AGwImXNkLcjuKWLBVTcCh8QYnl8l4d28JLnRY2gwvtEzd8HHThspHUXzFwup7qwih4Wl kcfYWGCPDLJiXX1idvrBnu4U6kt/qzzEbGQjjHuoldk9sTLBIDn6q4ThEgRm2XEFBKCY dV1RCBgLmYldGfRN9liS4V7RJyo4PF1S1MWWvoQlQP0+FjKv8RRzL2YFrOEhVdv8HmKo obOrDsz1PhAsmxJdp+XkYp2FUeP1Debj5fs31kDnJKeJybh+3usCWDbtCdZ+4IRyEk5L 7RjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038280; x=1760643080; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=svI1iKRSpRCatu8c/C1HYiLHrGxbwILsgJvS1n8sPtg=; b=OWAPFQVLw1RKCYONzHDSqh3S2n6y4+zgWXi0TVYc+SvI2EgVg4lt8VwRv/WfRkHtSn TtalFOF86YQfNy5AeTsmBLoOU2FJIKaH+dRsoZrDbbGYH+Nmhhzbq1ywAGDbKbEp58wk 5WzAP+I363xgUUI/wWJ5KKyANeWExgZafZLLnHxroulLlPRITUrkQMw6L8NLbYZ0RMiD +OiLFNKFhg79La32sWeOCyu9DZlD1U4RAM579hicNsfP8otRQmnlcex4rnBPmbTATvcK 9klemw+f3VPUks3Tbu6kQgdmrqsIFVk7gI6l6qxc/JZgdo+YTL37z9GOgvHQKTj4Qt9j xFBw== X-Gm-Message-State: AOJu0Yzo9ukw58kiPZ5TK3iZoWMbBmqHZCy7wOqi/nSn1hcH9wkICxUb wXxb2L6r9TNjNjKL2taBlkPfopQxdmjDdK7+MhInXAcn2tqHB+qoLJDbHD3jpZVCCwNxz66J2cM P/eu4 X-Gm-Gg: ASbGnct/CxwgDdgK7XRMp8dWKQGP62v1gbdVWSfhSYAW5sqkD6NuGTtBGQw2fbbYjZc K+ca9Yvfg6WjtE+tSgxR88Bdti2/muly811Q9u0Gt36UNU9FjkkyFdnvLnSfQIDqizflSsWSI0+ 4xFVXpTGP3g/hYa2yBkPyLSZ4/IMXzl55GXhMt/pTohZNezzfBrVnRbs2Jow3jAdoXgSMQGMY8G HkmRe4KLZ/IS78ofuTVokm8hTHWlmkeLqVkOHkWCjTmZ9mO/SdlwB4U1QTC5wST5HP9fH4gVc5t Hjx6RVDocQrHckFR4ajhh53w8MQaRe8Ri7dj6s4Jo1wXwfsdLviGxVUs05KnngDffMoD4lkxK8F G0DMO7e9JTVKmA/38z4xD+i7M1EDB6CRcsTjIgg== X-Google-Smtp-Source: AGHT+IFciNw8bu2djuutK2uDV4rSM4GndywPk1FGO2pOnLLBc8WAen/kiJ8Jks459uMthhBUJN+gKg== X-Received: by 2002:a05:6a00:8c8:b0:781:27a7:dd0e with SMTP id d2e1a72fcca58-79385ed5786mr8355318b3a.9.1760038279970; Thu, 09 Oct 2025 12:31:19 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:19 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/24] gstreamer1.0-plugins-bad: Fix CVE-2025-3887 Date: Thu, 9 Oct 2025 12:30:46 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224621 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db & https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bcaab3609805ea10fb3d9ac0c9d947b4c3563948 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../CVE-2025-3887-1.patch | 50 ++++++++++ .../CVE-2025-3887-2.patch | 93 +++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 2 + 3 files changed, 145 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch new file mode 100644 index 0000000000..8f4922a4ab --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch @@ -0,0 +1,50 @@ +From 5463f0e09768ca90aa8c58357c1f4c645db580db Mon Sep 17 00:00:00 2001 +From: Seungha Yang +Date: Sat, 15 Mar 2025 22:39:44 +0900 +Subject: [PATCH 1/2] h265parser: Fix max_dec_pic_buffering_minus1 bound check + +Allowed max value is MaxDpbSize - 1 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db] +CVE: CVE-2025-3887 +Signed-off-by: Vijay Anusuri +--- + gst-libs/gst/codecparsers/gsth265parser.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index 3db1c38..d02e32d 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -72,6 +72,8 @@ + #include + #include + ++#define MAX_DPB_SIZE 16 ++ + #ifndef GST_DISABLE_GST_DEBUG + #define GST_CAT_DEFAULT gst_h265_debug_category_get() + static GstDebugCategory * +@@ -1686,7 +1688,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) + for (i = + (vps->sub_layer_ordering_info_present_flag ? 0 : + vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1); ++ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, vps->max_num_reorder_pics[i], + vps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +@@ -1882,7 +1884,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, + for (i = + (sps->sub_layer_ordering_info_present_flag ? 0 : + sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) { +- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16); ++ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); + READ_UE_MAX (&nr, sps->max_num_reorder_pics[i], + sps->max_dec_pic_buffering_minus1[i]); + READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); +-- +2.25.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch new file mode 100644 index 0000000000..3f156f274d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch @@ -0,0 +1,93 @@ +From bcaab3609805ea10fb3d9ac0c9d947b4c3563948 Mon Sep 17 00:00:00 2001 +From: Seungha Yang +Date: Sat, 15 Mar 2025 23:48:52 +0900 +Subject: [PATCH 2/2] h265parser: Fix num_long_term_pics bound check + +As defined in the spec 7.4.7.1, calculates allowed maximum +value of num_long_term_pics + +Fixes ZDI-CAN-26596 + +Fixes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4285 +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bcaab3609805ea10fb3d9ac0c9d947b4c3563948] +CVE: CVE-2025-3887 +Signed-off-by: Vijay Anusuri +--- + gst-libs/gst/codecparsers/gsth265parser.c | 40 +++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index d02e32d..ad9751f 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -2513,6 +2513,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser, + READ_UINT8 (&nr, slice->colour_plane_id, 2); + + if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) { ++ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL; ++ + READ_UINT16 (&nr, slice->pic_order_cnt_lsb, + (sps->log2_max_pic_order_cnt_lsb_minus4 + 4)); + +@@ -2525,21 +2527,53 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser, + goto error; + + slice->short_term_ref_pic_set_size = nal_reader_get_pos (&nr) - pos; ++ ++ ref_pic_sets = &slice->short_term_ref_pic_sets; + } else if (sps->num_short_term_ref_pic_sets > 1) { + const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets); + READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n); + CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx, + sps->num_short_term_ref_pic_sets - 1); ++ ref_pic_sets = ++ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx]; ++ } else { ++ ref_pic_sets = &sps->short_term_ref_pic_set[0]; + } + + if (sps->long_term_ref_pics_present_flag) { + guint32 limit; ++ gint max_num_long_term_pics = 0; ++ gint TwoVersionsOfCurrDecPicFlag = 0; + +- if (sps->num_long_term_ref_pics_sps > 0) ++ if (sps->num_long_term_ref_pics_sps > 0) { + READ_UE_MAX (&nr, slice->num_long_term_sps, + sps->num_long_term_ref_pics_sps); +- +- READ_UE_MAX (&nr, slice->num_long_term_pics, 16); ++ } ++ ++ /* 7.4.3.3.3 */ ++ if (pps->pps_scc_extension_flag && ++ pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag && ++ (sps->sample_adaptive_offset_enabled_flag || ++ !pps->deblocking_filter_disabled_flag || ++ pps->deblocking_filter_override_enabled_flag)) { ++ TwoVersionsOfCurrDecPicFlag = 1; ++ } ++ ++ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */ ++ max_num_long_term_pics = ++ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is ++ * MaxDpbSize - 1 */ ++ MAX_DPB_SIZE - 1 ++ - (gint) slice->num_long_term_sps ++ - (gint) ref_pic_sets->NumNegativePics ++ - (gint) ref_pic_sets->NumPositivePics - ++ TwoVersionsOfCurrDecPicFlag; ++ if (max_num_long_term_pics < 0) { ++ GST_WARNING ("Invalid stream, too many reference pictures"); ++ goto error; ++ } ++ ++ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics); + limit = slice->num_long_term_sps + slice->num_long_term_pics; + for (i = 0; i < limit; i++) { + if (i < slice->num_long_term_sps) { +-- +2.25.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index dbe2b64c32..80f6929c16 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb @@ -17,6 +17,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://CVE-2024-0444.patch \ file://CVE-2023-44446.patch \ file://CVE-2023-50186.patch \ + file://CVE-2025-3887-1.patch \ + file://CVE-2025-3887-2.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195" From patchwork Thu Oct 9 19:30:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71957 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EC78CCD183 for ; Thu, 9 Oct 2025 19:31:29 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.9190.1760038283182034574 for ; Thu, 09 Oct 2025 12:31:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=0sfxnC67; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-796f9a8a088so1070937b3a.1 for ; Thu, 09 Oct 2025 12:31:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038282; x=1760643082; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FiRL46nVUvHg0caXtwjBFLYypKA99nBaKsISxmjEmBQ=; b=0sfxnC6704/PJ4yE08urEYpawv4l0fcIe5v4QWaol0AByGB2GJTsqlUznEiwOnbdWe nnSXM2MPLwQu/WRQ4Uo9LqkqM9FUqKT1TdGNGhCIlpyaBn5fDmaS35kJJXEk05YdmmAk aESUsTImNaPyOMd+9jJlESZTJMAvdlxBMhhL67knEWA9/+8M4GjITuivNRxmXdSMpCIv ZRB3qvUWQydJ5bEM+D/ScOSsozPmKlFD+rRSSw0QTYlNE/1bSdJ9wjUjnUcblIhj0nLq 2FLIb+PFi8JfeJyDHdA4BtSJ0dLtCIbzkIEmcbopCrM6jq1XNPpjgWkYHeT99nkiVoau k3Ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038282; x=1760643082; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FiRL46nVUvHg0caXtwjBFLYypKA99nBaKsISxmjEmBQ=; b=mFUGLvlz2DRDVFOwWGbbkwXQgn7Vke+IT0KQ3uIQv3Zk/ZZMVdL4NkWny9nd5sau6u SY5YhEHMQH6J1UX4GXO4bg29t6dRnMnuxfJv2aRR7FHxEcM7vYbFUPk3w77m+p+d/FEA fnHX079GamZ9QWpPtwW77xhowl4GE+R8HEbwH30lsNORw/3Ya5Tl1CozrcGu+gWW/W/h iCaXy0Ja5SiHSfvwxx4QikyVC/v2ajUFpMNgVGhOpvUbSj4ngZHrxO2QxGWMTeJEdENE 8I1+3WU68fvDOxxxAYMRi6exH6e8L426liEgRi3uCN+l2l6xDq2QsZq1ms6KNZDhHljD yizw== X-Gm-Message-State: AOJu0YwA33u9kQeWTFzk0Q7LqGLic5JaB+mkPHS+0SGaHiimnUwpAG7r oOvaTx8umE6sQ6RgtfhicFKTg5uUdLi1oi+NCk972UOsK6sN9LJ/Ky/wSZNoKgvKlAtUrVncmOT hxVNA X-Gm-Gg: ASbGnct9sOGLTZrx5GRO1atOHYchu/sX/12G+Ko7P9inAdmiOf+3aau+GTAEdo2x4SZ ZZBWoIPzmWbeB0lJFll9AUvCt751WIW3Vj4Wl4qAQ5Vt33iJkXG5cmTFKBtXtG+mqe0Q1LlUT1N qA6gPSgwLe5AO2GieL2WJcv9Ne+XNES/tgBvB2q3Rh/OhcbLgJCq+T+rSQo4DP9N1zb3fk9inIy 9hecfL90EN8ecaZjySJ9TS6styryGEmkQ0tCYz3RyIDq+IY3eO90UPBSaXTZ+OSgT/Y6pus0qVF ge6CPvMXXRUP2mWHB2vJN5eS+NYS216UFrQBtBPLBxSBx3riPld5M/X+MsaJhNojIQbYEE+RwiX pYSbAoj1ViTIC2SduoLXNcGnXJ83GH80j6AB+DQ== X-Google-Smtp-Source: AGHT+IGtXitu/lZsvpHah7XRxlSBxOnmaZnKGEyGVMbkE3UpXEQpvU6ZZVo9VdYAOMzx51ZpbsUocg== X-Received: by 2002:a05:6a00:8d5:b0:793:1b79:ee61 with SMTP id d2e1a72fcca58-79387434292mr9650263b3a.22.1760038282171; Thu, 09 Oct 2025 12:31:22 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:21 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/24] busybox: patch CVE-2025-46394 Date: Thu, 9 Oct 2025 12:30:47 -0700 Message-ID: <137299edbc47e8a57173ef3c22bcb719d48d5302.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224622 From: Peter Marko Pick commit mentioning this CVE. Additionally fix test broken by the CVE fix. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../busybox/busybox/CVE-2025-46394-01.patch | 57 +++++++++++++++++++ .../busybox/busybox/CVE-2025-46394-02.patch | 32 +++++++++++ meta/recipes-core/busybox/busybox_1.35.0.bb | 2 + 3 files changed, 91 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch new file mode 100644 index 0000000000..c95cba3c33 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch @@ -0,0 +1,57 @@ +From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Wed, 24 Sep 2025 03:28:47 +0200 +Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent + control sequence attacks + +This fixes CVE-2025-46394 (terminal escape sequence injection) + +Original credit: Ian.Norton at entrust.com + +function old new delta +header_list 9 15 +6 +header_verbose_list 239 244 +5 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2025-46394 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4] +Signed-off-by: Peter Marko +--- + archival/libarchive/header_list.c | 2 +- + archival/libarchive/header_verbose_list.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c +index 0621aa406..9490b3635 100644 +--- a/archival/libarchive/header_list.c ++++ b/archival/libarchive/header_list.c +@@ -8,5 +8,5 @@ + void FAST_FUNC header_list(const file_header_t *file_header) + { + //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ +- puts(file_header->name); ++ puts(printable_string(file_header->name)); + } +diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c +index a575a08a0..e7a09430d 100644 +--- a/archival/libarchive/header_verbose_list.c ++++ b/archival/libarchive/header_verbose_list.c +@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_hour, + ptm->tm_min, + ptm->tm_sec, +- file_header->name); ++ printable_string(file_header->name)); + + #endif /* FEATURE_TAR_UNAME_GNAME */ + + /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */ + if (file_header->link_target) { +- printf(" -> %s", file_header->link_target); ++ printf(" -> %s", printable_string(file_header->link_target)); + } + bb_putchar('\n'); + } diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch new file mode 100644 index 0000000000..ec17b9285a --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch @@ -0,0 +1,32 @@ +From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001 +From: Peter Marko +Date: Fri, 3 Oct 2025 16:12:56 +0200 +Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394 + +tar now sanitizes output and this test needs to expect that. + +Signed-off-by: Peter Marko + +CVE: CVE-2025-46394 +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html] +Signed-off-by: Peter Marko +--- + testsuite/tar.tests | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/testsuite/tar.tests b/testsuite/tar.tests +index 0f2e89112..48fc38114 100755 +--- a/testsuite/tar.tests ++++ b/testsuite/tar.tests +@@ -325,9 +325,9 @@ unset LANG + rm -rf etc usr + ' "\ + etc/ssl/certs/3b2716e5.0 +-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem ++etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem + etc/ssl/certs/f80cc7f6.0 +-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt ++usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt + 0 + etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem + etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb index 1886410dd2..57a5747a48 100644 --- a/meta/recipes-core/busybox/busybox_1.35.0.bb +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb @@ -59,6 +59,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2023-42366.patch \ file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \ file://CVE-2023-39810.patch \ + file://CVE-2025-46394-01.patch \ + file://CVE-2025-46394-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " From patchwork Thu Oct 9 19:30:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71956 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DF7FCCD18A for ; Thu, 9 Oct 2025 19:31:29 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web10.9238.1760038285179044806 for ; Thu, 09 Oct 2025 12:31:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=JJuV2+nH; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-76e2ea933b7so1341873b3a.1 for ; Thu, 09 Oct 2025 12:31:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038284; x=1760643084; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=t2Dk3B6aFLb4eA3/NJvBvsLTdiNCn+Tb8GkJ3l4zIVA=; b=JJuV2+nHUd/xXjfGBaMKBewfsKVL7ETUtAlBir1056r/PdVN/wyksW1JXPOOB/7697 9EdsNBwRNMVFFfKRBfUEBLQEMieJCYt3CBmRf+UlZgnupSHMU1Cel94Fey44Dkt97xoR VGKm+ldIv7K4n4LHO/RqyvePEFJRpXLf/0n1NDmaJTihs1f2D40+H3TlAMOLFq1UE3kX o5h4E0g/ClC16sJCd2iedV88RW9a9sEDCTvWC11rs7j4XDK3RW/JTkhemprZRGCR1LT7 +2yak2ik3CINHOIJpyQ+hg/2ePhJ+peFk4hBqoMhLot/4T1AdXzUcOqIUjg/3P/NrOs+ PRbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038284; x=1760643084; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=t2Dk3B6aFLb4eA3/NJvBvsLTdiNCn+Tb8GkJ3l4zIVA=; b=mvnXkx4rOVKdD3OHj6G5wixccvYahsxwF3qW3di1JqEKPFAFFxo6Yi5iKiaKRBvwMp 46Ser9Dw2K574qgYCKwpAJp5NgTaKOALRLO9HEaz2PTjjzZYLmXII9EZBLMLqWehrd6i mfQO23xLdro0g6bmkxWV+jKJvH4gsZcIJNR4I+MIGgfs+qQ+eDE+JRIQz31QGDxTxNeF nFmjc8cZR0tWaQxoQDOKAxb3OODEg1q9s++0qviPJ8U09DMe6qG9FW4qvCeUHyCRCwol r8hhZt+cXQKhsQe51Vv5Vi878Zck7K/4DQGNa+ABwYr/7O9Ujk05dToaoOuAVQjmmPlx oyLg== X-Gm-Message-State: AOJu0Yw/PQYHQwH1ub9pI3Yshj3mEbVR808cfWJh5tpY4YZpBhrkiYzt q+lUBy+FiEapIm/Ru+6DQryvgQk96ieD/zL/r6zuEjclcP83c9A+tufzsR92577Xsc51/jkF4cL RYBsl X-Gm-Gg: ASbGnctxRe3He1RGMOhRbd7+SQOwS9GwpZ+qeU3Ptn4nD4+ePjbpWWB5Xj1wVVCJ+Fg vYCj0IbUId7Ir+myUomTCeAWWp+lDTcwoBKyzQAaKx5ROGCTdhapTymCOR8d8d+Cj9q5bNnzhhM YrMPs4Tm5NkqxJ154lDX84r2QPrwePdGV4CrauqyW1d/VHPBh+e9pPqfHCFQoJNo+xn4ERH5As8 izsJsQGMn5d9xA85h1fkqvdfAkBwZzYnZOhHZcMrLD5TTdPVZBueOnWBQTXz8qmM4EnkKCFvqBs YRYPOsBjiuEijxHZtGkINsMy75WC83zmP6P5p0K/innY6rBoRla30Ljfwpkrw72f2r7P6g8FCPA 6IC5EqHENOu7MUsoONosrXbha8t4cMayC4CSFpD1Zq7zIEpQ9 X-Google-Smtp-Source: AGHT+IHuPsxGzGXdMtcPICkd43eshWOOZtL+XD8/e39lNi76AwFw+oJO3LtlFkoepMQwvvcUkD7mnA== X-Received: by 2002:a62:be0f:0:b0:77d:98ee:e1c5 with SMTP id d2e1a72fcca58-792323cfdbfmr11133242b3a.15.1760038284061; Thu, 09 Oct 2025 12:31:24 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:23 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/24] libxslt: Patch for CVE-2025-7424 Date: Thu, 9 Oct 2025 12:30:48 -0700 Message-ID: <2e2fa1ae7f24dadae9cb8371174aa7744aa42028.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224623 From: Vijay Anusuri This patch is taken from the upstream bug, and is used by Apple in their build of WebKit. Origin: https://gitlab.gnome.org/-/project/1762/uploads/627ae84cb0643d9adf6e5c86947f6be6/gnome-libxslt-bug-139-apple-fix.diff Ref: https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libxslt/libxslt/CVE-2025-7424.patch | 105 ++++++++++++++++++ .../recipes-support/libxslt/libxslt_1.1.35.bb | 1 + 2 files changed, 106 insertions(+) create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-7424.patch diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-7424.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-7424.patch new file mode 100644 index 0000000000..c6b234a818 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-7424.patch @@ -0,0 +1,105 @@ +From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sat, 24 May 2025 15:06:42 -0700 +Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet + and source nodes + +* libxslt/functions.c: +(xsltDocumentFunctionLoadDocument): +- Implement fix suggested by Ivan Fratric. This copies the xmlDoc, + calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the + xmlDoc to tctxt->docList. +- Add error handling for functions that may return NULL. +* libxslt/transform.c: +- Remove static keyword so this can be called from + xsltDocumentFunctionLoadDocument(). +* libxslt/transformInternals.h: Add. +(xsltCleanupSourceDoc): Add declaration. + +Fixes #139. + +Origin: https://gitlab.gnome.org/-/project/1762/uploads/627ae84cb0643d9adf6e5c86947f6be6/gnome-libxslt-bug-139-apple-fix.diff + +Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libxslt/-/issues/139] +CVE: CVE-2025-7424 +Signed-off-by: Vijay Anusuri +--- + libxslt/functions.c | 16 +++++++++++++++- + libxslt/transform.c | 3 ++- + libxslt/transformInternals.h | 9 +++++++++ + 3 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 libxslt/transformInternals.h + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index da25c24..8a9bdc2 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -41,6 +41,7 @@ + #include "numbersInternals.h" + #include "keys.h" + #include "documents.h" ++#include "transformInternals.h" + + #ifdef WITH_XSLT_DEBUG + #define WITH_XSLT_DEBUG_FUNCTION +@@ -152,7 +153,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + /* + * This selects the stylesheet's doc itself. + */ +- doc = tctxt->style->doc; ++ doc = xmlCopyDoc(tctxt->style->doc, 1); ++ if (doc == NULL) { ++ xsltTransformError(tctxt, NULL, NULL, ++ "document() : failed to copy style doc\n"); ++ goto out_fragment; ++ } ++ xsltCleanupSourceDoc(doc); /* Remove psvi fields. */ ++ idoc = xsltNewDocument(tctxt, doc); ++ if (idoc == NULL) { ++ xsltTransformError(tctxt, NULL, NULL, ++ "document() : failed to create xsltDocument\n"); ++ xmlFreeDoc(doc); ++ goto out_fragment; ++ } + } else { + valuePush(ctxt, xmlXPathNewNodeSet(NULL)); + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 7299eb5..6976a04 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -42,6 +42,7 @@ + #include "xsltutils.h" + #include "pattern.h" + #include "transform.h" ++#include "transformInternals.h" + #include "variables.h" + #include "numbersInternals.h" + #include "namespaces.h" +@@ -5753,7 +5754,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt) + * + * Resets source node flags and ids stored in 'psvi' member. + */ +-static void ++void + xsltCleanupSourceDoc(xmlDocPtr doc) { + xmlNodePtr cur = (xmlNodePtr) doc; + void **psviPtr; +diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h +new file mode 100644 +index 0000000..d0f4282 +--- /dev/null ++++ b/libxslt/transformInternals.h +@@ -0,0 +1,9 @@ ++/* ++ * Summary: set of internal interfaces for the XSLT engine transformation part. ++ * ++ * Copy: See Copyright for the status of this software. ++ * ++ * Author: David Kilzer ++ */ ++ ++void xsltCleanupSourceDoc(xmlDocPtr doc); +-- +2.25.1 + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 2291ed2cad..f1532a05c1 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb @@ -21,6 +21,7 @@ SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \ file://CVE-2023-40403-003.patch \ file://CVE-2023-40403-004.patch \ file://CVE-2023-40403-005.patch \ + file://CVE-2025-7424.patch \ " SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79" From patchwork Thu Oct 9 19:30:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64B05CCD18C for ; Thu, 9 Oct 2025 19:31:29 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.9191.1760038286712745547 for ; Thu, 09 Oct 2025 12:31:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=bC5feFRQ; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-781010ff051so970753b3a.0 for ; Thu, 09 Oct 2025 12:31:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038286; x=1760643086; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ma/xjlwhrCSuRxFwd4OZnvy73fmFWNTgWWKC0ai3RXU=; b=bC5feFRQEtWZVE0gQr54yNotZI+gu0AuSRrKAj5NP0hBEiD/Kat/PBpaNZPUK8Ogk3 Q2RHRzDkdlV0KnNvzwG1ye2onhKoBSui5aOqU2ibU1HaKHqLO8P8S/07L+YoqwoW0DTv YzMX1PfoSODKxNlwb/gXgiMJmNl1tn+oI7ag+rXAXXi3zHAhkOIPfzQSeIAbLw/gKKLa xgHifAYRp/HOH2+taasCyze58nqZ7T/N878mtAt5kY1GYqIEBOoUPowLxurp9CY35y4o JL5mcjocroOixVSUSu5nJnjFP3wU2YV199rVnckrY1dZjabIZeqgoxX5K92VbOnk82Z/ 9w5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038286; x=1760643086; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ma/xjlwhrCSuRxFwd4OZnvy73fmFWNTgWWKC0ai3RXU=; b=safLaVWVyMTlHpieW6F2IqEe6A2dlFeQlRMRx0wei375ynuRbjM9Q0Pbq5mR84M3/j J2YY7TbKSiGcowp4iptE8hHJhUUbY5kR5FUEEmdeNA2Rz1e28WKeN6qhSLVdaVBtLSZN L1mEerLOtBkbsxRyVbMrz02n4+GoX+PUfkpq6g2cat1s57FRI8QdIpl8jFUxIUIVSvLl 7Rds+Zqhw+zK2wqCgibFNxqsiMQ8o8Fuh34IaoiXHmXvAJRnrA2nq3HTpLbkTF0RopvN 5RPLWni4gpLE/Ni0JkVG+0GSu0WESPQr23avz44YCrs+lc+FoYniS9EbKTarDnvKoKep xHTA== X-Gm-Message-State: AOJu0Yx7NqqP5GPI8+s3HtKNSmNl3voGkcd6pnPXppz+NS8jb7kxE0KZ r2avXT34NtoFRu278u0QxIpZJWerXV7zepkyPsjZY9cxuS2A9mp+tOAjZbsaZCv4J8AWe7iq4wg 8FTbZ X-Gm-Gg: ASbGncv04Ak7F8hWWC/kUF7RR26dbzwC4yN+tmYU+W1g2863ybBrebIsRjbsHrn0DVg LY53eilTsd8IOitf4nqDdMopkppLyHFa56sTfg6VduT+lfQ1JI27P633gzl3P72hYC26Rj7v+iQ p3OgjcLKu88hSFBTGWtcRswtXEOEH64c+Sgo9uDUZxHUAuj4DT4jV2mzrwOglcLQ99XmM6yLa77 ALUOZSGm1I+dgOr0D89vwFVi58QItwfMavM3NcTHGbJN2z3qSUPRk6T6Lj/4s+VoT38T9JiirfE CxHC+reFzER76XuyK2Ybc/5OvPTwHXZQK4mB88+dCTZ68Jik4hXYZqiIJIOzVt1qyVtDBSQGD4f CZ+WDtT/FZGJLz+kbc49AzxsPXTE7ZpyH01miNnU+CuXZAdVb X-Google-Smtp-Source: AGHT+IE3MXPcqsmMf53Y/82VKNRmNcl3nXIsvmPLtsRBN+tUpAU7k/wNhMw8WiUQV32i4PzoJTOOtg== X-Received: by 2002:a05:6a00:1890:b0:77f:4641:e5ac with SMTP id d2e1a72fcca58-79385136259mr10733806b3a.6.1760038285619; Thu, 09 Oct 2025 12:31:25 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/24] tiff: Fix CVE-2025-8961 Date: Thu, 9 Oct 2025 12:30:49 -0700 Message-ID: <8d956d80f0eae39f9de68c0cd5a361c69b47cda4.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224624 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2025-8961.patch | 74 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch new file mode 100644 index 0000000000..05b11a866e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch @@ -0,0 +1,74 @@ +From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 21:42:35 +0000 +Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue + #721 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] +CVE: CVE-2025-8961 +Signed-off-by: Vijay Anusuri +--- + tools/tiffcrop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index e16bc2d..c7d2553 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -929,6 +929,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", + "Unable to extract row %"PRIu32" from tile %"PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -943,6 +944,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", + "Unable to extract row %"PRIu32" from tile %"PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -957,6 +959,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", + "Unable to extract row %"PRIu32" from tile %"PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -969,6 +972,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", + "Unable to extract row %"PRIu32" from tile %"PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -983,10 +987,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", + "Unable to extract row %"PRIu32" from tile %"PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; + default: TIFFError("readContigTilesIntoBuffer", "Unsupported bit depth %"PRIu16, bps); ++ _TIFFfree(tilebuf); + return 1; + } + } +@@ -2535,7 +2541,7 @@ main(int argc, char* argv[]) + } + + /* If we did not use the read buffer as the crop buffer */ +- if (read_buff) ++ if (read_buff && read_buff != crop_buff) + _TIFFfree(read_buff); + + if (crop_buff) +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 0b4bef4c41..2ee6cdef73 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -63,6 +63,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8534.patch \ file://CVE-2025-8851.patch \ file://CVE-2025-9900.patch \ + file://CVE-2025-8961.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Thu Oct 9 19:30:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71955 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64B59CCD18F for ; Thu, 9 Oct 2025 19:31:29 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web10.9241.1760038288098786715 for ; Thu, 09 Oct 2025 12:31:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=amv/0ChV; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-78f3bfe3f69so1314388b3a.2 for ; Thu, 09 Oct 2025 12:31:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038287; x=1760643087; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=B/opPl4AzNKYnOWwq/M40T2028m0xwQiZctIFrqThtw=; b=amv/0ChVKO8Bhk8eGa8PxFmImtpA99QQYaoI9jwCVtVRUVhD4czQ6OZFHhNip7PSJn 3qsdf5VOLEx2QPuLPDze20EbYrcgClEpTaaqE7D8fJWwiibPQyxpdRB4zQ6N1tGv+oGi 3eTJMU52Cz2bA2HqQ1TIrKnWdBcTCi5fFqxKUPP0ou5IbMbMZLb+uGVHuHHoPdhKY4Nk HGjTfALcQ6wj19M0eJmzUKVR5eUjoBEPjRmvbj1wOwlm1H6IpTXJBmCwdawept/tuynq pvr9DaKtJw1fE7GyQli3Zs7hxgZd2kAA6ptlPpq1KxMlPtCJjdWbM/4FDam+VDGsuzOu sydA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038287; x=1760643087; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=B/opPl4AzNKYnOWwq/M40T2028m0xwQiZctIFrqThtw=; b=gRrzPqRH5NdGuQm/k0MlhA35UN4PTRov6VblVKvwVnG91kiJAirpXD0eQnMgTKErXx gC/AyMPI24TGA+p/aQ1jGwx5gcVEd1KxdBTT/BrZDE1nNCi98J9Sb2aUr1yyUnXch6ux C3DvK00rLoo3zs9yS+34YQ26plDJWZYtgRI6VfgTY8yJfXDjtmak55nPUUvKm/B/mxv6 XERftV/YVSUyMfHzx/pKbXmNLrX3fG9EtNv84tbncfXzgL6ChNB9wvoiBOZbkl4UDdc0 Uh64VfNhCBEEZvGeHpBTgLTfhS8em7GKeKooKcNLRud9xXzYj9buisXqcBaunOtlakGk dw9g== X-Gm-Message-State: AOJu0Yw2wIwCOiwyCUp8ny6w5h6S1QlAlAkRYgDby872Vl3dmIV7WHTP dBHPodvvQ8ghYoQrO+Ih+027QLllHmc3YJZda73MMbI3CMZRuaI7Owf9IATojf/WYCVDgQNXm+b Kn4i3 X-Gm-Gg: ASbGncvP9m2XAUcl6jqI2WIqP1C/Mxs3u7wsoyHNpWUP0yaaCVvshQBaDcEEDN/BPas HehJelD1CQ/ueYuHMi8F3eoHfvcZtAERAziazYZUnQouF+W0vDENqkqLoUP8udb6XGIzKEyo//C tszIkezRN9x7272oXm7b/Mp//QP4fGufH+G2ajV0pRqThmtPxq9RbIGFsCjTMQQtmB2GxQXGHbZ vS2GlFtdURIZZzps2D5SM4x+GAP5J1wl3/TQG6kJFNCHsynaOC55FfdeMHcDDU5jbMkJVaHn+us 5g6S4e5FjTyVUQuycSGA4QbweqqJ8ldThGqRmN/zZwY5MzIl0abtBevc0NOp/fW72+YX3USf4zr VKJ14M3R4vsLFehqgrS6ap3pxB1GOkkE8N19fzg== X-Google-Smtp-Source: AGHT+IG28Qmr9RC+dGQFpa7Xel9S/WRNKWYEUhIEFRmR8u3ujw7Qd3NJe8JhW/iIXnMx4X4sV0O/Ew== X-Received: by 2002:a05:6a00:b8a:b0:77e:f03b:d49a with SMTP id d2e1a72fcca58-7938763693cmr9332369b3a.19.1760038287131; Thu, 09 Oct 2025 12:31:27 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:26 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/24] tiff: Fix CVE-2025-9165 Date: Thu, 9 Oct 2025 12:30:50 -0700 Message-ID: <08823f96a400055e5924bae3af0d2dfaf488148b.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224625 From: Vijay Anusuri Upstream-Commit: https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2025-9165.patch | 32 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch new file mode 100644 index 0000000000..3694b11c67 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch @@ -0,0 +1,32 @@ +From ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 8 Aug 2025 21:35:30 +0200 +Subject: [PATCH] tiffcmp: fix memory leak when second file cannot be opened. + +Closes #728, #729 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0] +CVE: CVE-2025-9165 +Signed-off-by: Vijay Anusuri +--- + tools/tiffcmp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c +index 2a35fe6..f812c7d 100644 +--- a/tools/tiffcmp.c ++++ b/tools/tiffcmp.c +@@ -103,7 +103,10 @@ main(int argc, char* argv[]) + return (2); + tif2 = TIFFOpen(argv[optind+1], "r"); + if (tif2 == NULL) ++ { ++ TIFFClose(tif1); + return (2); ++ } + dirnum = 0; + while (tiffcmp(tif1, tif2)) { + if (!TIFFReadDirectory(tif1)) { +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 2ee6cdef73..84c3028b45 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -64,6 +64,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8851.patch \ file://CVE-2025-9900.patch \ file://CVE-2025-8961.patch \ + file://CVE-2025-9165.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Thu Oct 9 19:30:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71960 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60D4CCCD18C for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web11.9192.1760038289288068538 for ; Thu, 09 Oct 2025 12:31:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BYLmj54R; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-782bfd0a977so1196329b3a.3 for ; Thu, 09 Oct 2025 12:31:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038288; x=1760643088; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=V7bOhIBUbn1T72wGnJuDRLj/+lw2rA2Ty9HuqT9WLw4=; b=BYLmj54ReFBfEXJKLa/mCR7HFgTBzcZaplRJ5ZpAllq/vtynFNN7Uw2YAzuodckO/z X54dwBn7RLhE+gWJF1GSiOTH/fqDKSdjR6ICDTG51qV2xSD5X8M6nGnvYdMETnUA0DoZ oXRpvdJe/KFPQd7o8+a7zvqbuspwrUrHaoRMpqn2GjttxJL6O6oZ3YVik7e04eXWNc5w elZWaVsSS4kW4zb+jx14yxJGzLpVOPbXEHBKFx/5eRZrxH+Kz77l7ZnR7s/Z4SQ1LrZL ECY2st0jf0WTnzF3bg5x4k4anHcnaV/kWi9TP3Hv9LfWAE/7GbwIqK1DM3R1FEWll3SW UL/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038288; x=1760643088; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=V7bOhIBUbn1T72wGnJuDRLj/+lw2rA2Ty9HuqT9WLw4=; b=LCZJU31Tdvpcm/yBtcnlfHS4dUHpbBcCfQ1YR6MTHgCAjY/GSii9oP8Ba0DRUNMQJ8 Vv5Cl2LJFhoeqBOcdqkV83Isd/R0QNdjc6jedGPTv7DOGMQYIMFAcBywEeg9rmmW+EAA ZUXA/Cm5H0Fp5PsymFE3DP/B5XT7+IzrqhblztbVsozydaiqfEmB5l2m96r7DO3hajYF JfWg1clXhgiNRHfE9FK9s5ZiE2KvLf/xEcqP4ILq4ouWqgMuWJ/9q5XM+llzhtfWfaV8 M1pS90WdF+9640d2k+55JeXsOCWlv9/RXvaNzE7oqPpP3uypQ3NW4qe4PodBdWxxlA9K TqeA== X-Gm-Message-State: AOJu0Yx3GnQxc1T9o8BQdhmk4yVvc6AcUFj/yt8VidoQYowvXDqiaDTZ m3vuy77ImweNvS3Y0az9YZB9HNA1mSv1i0b1fEtsKKxUw4dMUqjoH/RHhEwM/TiiZvvZnO6YSBq SDArT X-Gm-Gg: ASbGncuwwLrXqcT7xeFrzJsEdo47TxuTi5QuZPO5qmjjYgPB9PgXAKA86mRnklW/EAO 8EfHybHM1P+2Q3wRJrwcdOp7mhy/74+3ej2tQDwPJ5lSpnN0KpdXJaJz52JjlzOL05db/LaT+g8 5ui1eisbxQycsGxNDdxzr2ODrop8huEHHG8tI89TSwJ1VaEAv1/S5PyKbIcxCHjugJ3WC6Z3lhW 1bDujO0rIHKWgv3X5/fz1C68Nv++g3QbDQE7y6z7K2fHCgN0GqsGYJbw8/Xu6PETG2r4Xuy0KAy MfvqN7yHeKobatZ4tbp6cJaXfT3KGdcBrQJ8zdfGDKGwtXYDlM7iSJDXlzJ1yD6FUpzdVayUcHG sW1xKeSQvOvfUWTJtTO1zaJQttLX/w1EhCMuooA== X-Google-Smtp-Source: AGHT+IGl8SkNjSv6pQg70/EcvMMC9Q4cxfJ5i3FsiMmt5ACCL8+Kn8TtYRVpWlv/j1hD4+1aX8xEYA== X-Received: by 2002:a05:6a21:a8c:b0:32d:a91a:7713 with SMTP id adf61e73a8af0-32da91a7747mr12789783637.40.1760038288576; Thu, 09 Oct 2025 12:31:28 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/24] gstreamer1.0: ignore CVEs fixed in plugins Date: Thu, 9 Oct 2025 12:30:51 -0700 Message-ID: <86f48cdb1b26b6e234dde10b1e636e54e8a7e71f.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224626 From: Peter Marko All these CVEs were fixed in recent commits. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../gstreamer/gstreamer1.0_1.20.7.bb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb index 697c6e8b49..b9b9551bc3 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb @@ -71,15 +71,21 @@ FILES:${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb" CVE_PRODUCT = "gstreamer" # these CVEs are patched in gstreamer1.0-plugins-bad -CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444" +CVE_CHECK_IGNORE += "\ + CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444 \ + CVE-2025-3887 \ +" # these CVEs are patched in gstreamer1.0-plugins-base -CVE_CHECK_IGNORE += "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835" +CVE_CHECK_IGNORE += " \ + CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835 \ + CVE-2025-47806 CVE-2025-47807 CVE-2025-47808 \ +" # these CVEs are patched in gstreamer1.0-plugins-good CVE_CHECK_IGNORE += " \ CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \ CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \ CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \ - CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \ + CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 CVE-2025-47183 CVE-2025-47219 \ " PTEST_BUILD_HOST_FILES = "" From patchwork Thu Oct 9 19:30:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71958 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60D10CCD184 for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.9194.1760038290999676858 for ; Thu, 09 Oct 2025 12:31:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=wqC7xi6I; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-76e2ea933b7so1341978b3a.1 for ; Thu, 09 Oct 2025 12:31:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038290; x=1760643090; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YT8EE1z/Fntu1XWe0BptLiJklPK+k+NBD4cUsyaks9Q=; b=wqC7xi6IxZy5oIjH7JZnd9OkRfQ0lBWhTVPz1Y6uJK/P+86UiMqf44StuvJMsNUN8D cNZU7ThpQ7/PKZEFPhGFelGBVYbhicHky+Laa6LY1EA4KY6VJQVgKTqNanGfAnwquWE7 yn6HG2nZykRlt3vG4rQ+iPddvRxy7H6v8cKrHDJJkWPAtktq0QArEfJkth/OotqVo64y CS+9iXhIJTot/At6i+yInP5LqYwRTTMlYXpAOki5QtuTbkADGcyeUJdSusKj6Tu83waH uSFe9KUtIdiLgIekgSF0jmyN3ScXAmcL2VUo9fTYg1zYehhzsldHNDFfi6bGNa18aGUX SsRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038290; x=1760643090; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YT8EE1z/Fntu1XWe0BptLiJklPK+k+NBD4cUsyaks9Q=; b=X7yr9HRuGyb4LrnXat5cPeYVrHg6FEHesTVpZijQjKS0aUGjVe6+QYWf4YsNY4H78q Dum1lqpQOhBSoz1jw789i081yGt3+K34I2QbgGAOONjV9sY80SCK93C9EY/J0yAmtg8t zrEuVfwBGvkkhcyPe9nuABWmA4kkrzAx9kUBYZDsbkvi4CWdSDMCUbwW3rJvsk0oou9+ gkIY/QatoGtACZyb7sf0RaCJyjjZgeKugYeerUoXJSG+XDy6tCUVoTi9EcHGLBTMtR78 40ThHecP6568zzMFsxAc9tQUttKohMDgJf/lvM86uSFNYBUjJhLE5wrF+18xd66QxOV4 GfCg== X-Gm-Message-State: AOJu0YyTg8giYlecsKeriCRqfw8IsNpLmw5/VE9W8Hb/2/HE6iq3YaOI 1oUVd/iIQlfNuaRSMKmwzAQti+jHa/4mJ9C5gkPcmX7Tz9IzraDatBW4dZ1c8H6J5ByIt47kODo aljxM X-Gm-Gg: ASbGncvX59+HY9/cGTHy5fVuAME6LW3Sm5YZPlDvSzyooKDTAGhD8oVO4ezVa4WPCQo 0LGBRuk44Jlc25VPgenlktNIXoT22iGsvxsEb1/nF+LazWzDBav+8tRz/T+2p8SCiVuHeOofIVe 0wiB2TpkrAv6rUrpsvVB7sNB61HRJ/7Hv1z1U+yBbaei+sBncjC9+kEaC6vIxjUgoqYOeu9hSFN zDs+16ZMi5hJgVVZM++wJKL5rEZ0A/nGc+ONlubV/Vplr21lFAGnjggNDwmQ9VQsC/kWqXwKTUV pm7ElPvAcNOsbKDK2NYcVFyS9+SHu11KtJ1oyFpA1KJnVvIn8cyEVUyjRMJmUfywkTZ2FVzzdvl hHPKGajQGyE9+1+ONDzwmygUhjiw/+ktUA82lug== X-Google-Smtp-Source: AGHT+IEz5IpYD9E9iJOEs2vPWjQTm1+w5pXFyINu+KhTvlEv8mfD8QvBwZqXVSc3yGqy7jiDfE6GTA== X-Received: by 2002:aa7:90d3:0:b0:784:27cb:a2c6 with SMTP id d2e1a72fcca58-7922fab2444mr11980175b3a.2.1760038290006; Thu, 09 Oct 2025 12:31:30 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:29 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/24] gstreamer1.0: ignore CVE-2025-2759 Date: Thu, 9 Oct 2025 12:30:52 -0700 Message-ID: <2162bc3b305a0b088018e251baad54c356f7855f.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224627 From: Peter Marko Copy statement from [1] that it is problem of installers (non-Linux). Also [2] linked in NVD says "Fixed in 1.25.1 Gstreamer Installer". Since Yocto builds from sources into our own packages, ignore it. [1] https://security-tracker.debian.org/tracker/CVE-2025-2759 [2] https://www.zerodayinitiative.com/advisories/ZDI-25-268/ (From OE-Core rev: 99ee1df6bde2ffd4fa2ddea44c0a9b94d9d77bae) Reworked to CVE_CHECK_IGNORE format. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb index b9b9551bc3..3b37503608 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb @@ -88,4 +88,7 @@ CVE_CHECK_IGNORE += " \ CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 CVE-2025-47183 CVE-2025-47219 \ " +# not-applicable-platform: affects installation packages for non Linux OSes +CVE_CHECK_IGNORE += "CVE-2025-2759" + PTEST_BUILD_HOST_FILES = "" From patchwork Thu Oct 9 19:30:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71959 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70850CCD18F for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.web10.9244.1760038292167555748 for ; Thu, 09 Oct 2025 12:31:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=04mcEKid; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-77f67ba775aso1996387b3a.3 for ; Thu, 09 Oct 2025 12:31:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038291; x=1760643091; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YqA27nS3TAqlJm4Ta3fb7JFun/ZiF53TmHfZDWRV3Cg=; b=04mcEKidCV3x2CGptKm6XJoffNCX+yEhVfF0aI9EjRTJsOC4T1ctleKOkQ/rv9mKvJ DCIzOBWVRPaaPDPRq8IMuFhdmN1G3MPyxijJc4ja62YpFCGwtBvhxjfCm8RqdtYa3KHm POX+xlBd8cjVnNOwZAiTCffz5siF6XxTNUuF27REJMuf3trcJ4EWPCVd+sg/vFEuI6ld vZgiI4GPEvcNfWQiTtxkRg86zIdC6dzq9SzF7kj/k3cDDToHbXw6sfPEYOfqy4Kc8DhQ 2bewBlVhGlIXvnlZzhFhHXFsqsOpaFmQNJhvggHOlPP7esPBbf0cexoPRs9yRcbCKGCS yy0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038291; x=1760643091; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YqA27nS3TAqlJm4Ta3fb7JFun/ZiF53TmHfZDWRV3Cg=; b=AQXuqt708vnp45eYiL4va3KEqK2TB9mqEQmDKWXuINImtSIcrJSAHJgXr+C8/kVLSe VMpPkWs6b+IoRsrHyDMBrYlYh7xYRLkVvGDQGczUepRAJS7pJ0cUvvhSAhlC2M2luYK3 bV3NZpmCehY7AqeRUmS+YBUdiKyBYUYVM1iDF2owj28znBZezvHsKnhuqF+2scXjraRb WZymy4LjKwRzHsJq7ghpBClsk8zJGQnA7heO2saxwc04GQr4n2VjnIzknMRZ3QUG8VQ1 bbmFKro/NOvL5HbE5gOhmsIfDg0e40jcdLJF1j1XTgHOchaDs6PI3Wu59N3SbId0pLmc I7TA== X-Gm-Message-State: AOJu0YwNu+p1DwvmPj9JVAxCrnVIzoITY/QFpARN6/ejrn9y9bE0dorz 4PhaWJEEfUFgyu2ihuu9vtF1ZrfhfUwqdvNxVG5LoMu6GIjAySpVGLdOC0ypmheRp6z6tHDP7Pu ExA5J X-Gm-Gg: ASbGncttfqdF5DRZxV0UhYkPNanpz09Bg2ots4/CT6qmYJCYzvsrGu262PC7X+JK3j+ gZf0pDCt/n3xPP6eHcWvQFuxCimz5Rrlp+qf/j+Bg4t0WIb7PdQW5OBHgwwVadjtVHiw9RM2YjW 90H/zHttRaKXnIIhz+E+GPjh3NL/ua7cg+YC5E/qguZ+3P9bYSkVMfS5sJaOE7kk91NLkMrPZ/o OjbZkxqxf+mdAozrLwTXwnfVPk4t2ZFoweTQY8lLIDJd0Z2ePoIOPaIOd20VDgxdLyq87uWlCk1 liCPl3Vo4JyHmdyx7sh2hykbAsF0Ul7V4qRdlXrfJhXKrJhY+W+IaEAjRaMYLVprF/dhroD2BYB ZkYQmX4FaFOzR4rvpLVap7/iRfym4aSp4ReUEXA== X-Google-Smtp-Source: AGHT+IH4CduP52sFinW6ql5QdJWszENci/+PnY47FA+/r34Eou5AB8lnDT7p+aJy2DQchMEv8S0OyA== X-Received: by 2002:a05:6a20:2451:b0:24a:b9e:4a6c with SMTP id adf61e73a8af0-32da845e56amr11974018637.44.1760038291430; Thu, 09 Oct 2025 12:31:31 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:31 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/24] grub: ignore CVE-2024-2312 Date: Thu, 9 Oct 2025 12:30:53 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224628 From: Peter Marko This CVE is specific to Ubuntu [1]. [1] https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-bsp/grub/grub2.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 1b019752b7..94eeadfb99 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -70,6 +70,8 @@ CVE_CHECK_IGNORE += "CVE-2019-14865" CVE_CHECK_IGNORE += "CVE-2021-46705" # not-applicable-platform: Applies only to RHEL/Fedora CVE_CHECK_IGNORE += "CVE-2024-1048 CVE-2023-4001" +# not-applicable-platform: Applies only to Ubuntu +CVE_CHECK_IGNORE += "CVE-2024-2312" DEPENDS = "flex-native bison-native gettext-native" From patchwork Thu Oct 9 19:30:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71963 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D86FCCD190 for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web11.9199.1760038293960516893 for ; Thu, 09 Oct 2025 12:31:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=14w2FU+i; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-781db5068b8so1128440b3a.0 for ; Thu, 09 Oct 2025 12:31:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038293; x=1760643093; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=dIpQ48BRe4XOSD8bCq/Mox4fu85/QmK+w/sE2nMPMmI=; b=14w2FU+isRIMC7sfYvQGXJ7nMDox3FOXsIELz0+ufnKwnsHHoWAN41mYLCdQS6wz+F 7KSecJqUdDQFyjNsjSPkzbZm66PuHE6gaoXExndekfuDs5hiFa/sT3+lhEYCN9BAc7zK zAP1Oev+ByYhZFBFXCP2DpBJhJa0edB3ccWjBygTVymESO9Du/wxvETqK8Wvxrw5eGyv WjfQWyrdPI6xM+al2NPA3pTJ6iEtiPo97L6On9vKYXEXHwlWLdjZerfcVVlBLmuJKqNm nlswt0ztk4TC/pttsqo0CbgBSLNTQh5npARUzxzpeTkm0+q/OLwZ6jf6HHYSSwfLBmKK UgtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038293; x=1760643093; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dIpQ48BRe4XOSD8bCq/Mox4fu85/QmK+w/sE2nMPMmI=; b=AXcQdYGlzIcjaFALZjK4qW7EmbZtnemlmn0zKgzH5idoQ8N8vQg2ajE5BhGzk6TlFX fw5eGs9KJufy8luKSBVaHL9l0sor7wrwxYYC23b0eTp9xDZOEdjcWd77bE4q5QP9kFQo wqP4fU+CWPKEvpet/wkNx+4xjypLIokXiGDaKVPVDovrkmwAjIpxoXcIoCve6/XNkCem YTCUi3AZfZhm2geIioD5a6DYbSFI3hMNNljaONpVxlwSLj7q6FCNR4zIbzyrBIOEdErN wGWyoP8SaO4o77fcWp8d75YCO8kHnChbkO6rJz2uwkueZVpAMWMwza8FWckLiTPZa+ra 4VmA== X-Gm-Message-State: AOJu0YzAnqGMYBzio9jlSR+wJSKgtewac5Z2HIHAqc6ZSnSVrxX8ZpHv QJOMMPwWSG3VsuZ+zdSG/rDBiET7nuGX+fkRItm9DamgKGR/XgKYA/84ekfMOpX79iiZLWtqIKr 4xSSv X-Gm-Gg: ASbGnctw4HYGCZxOls8h3UTuUvsMZu3l4L2q1NfUho4767kDkKQktbrNF9y1Yysb6Od FU3LN0GWPn21rZgbMmOI6aq5o4kZJQfZT9yr1h9HnWqO4xWAL7gVP6D8ZlEPLXVSgQAsfBJZfsv gsfkTYaWoaqKCnwRRY9MiF1Eg+TW5+4xaub3OE8wem9qr2kNNUp4CwhUFeqPPjVZi+GpdhEeTSz hHz6fm/K6hsDg4JRMT357Ehg6MMtGK0M27lub4NPH9JKIVzRp406PBD72kUKQJkPa0Gm4XvGbP3 ruohAloLrTJz7/ILE3E4NsNGK7Ufl/tWqSYnn/DMoSbzloQCWpsYcQYOWapSj4z7XI/SBFXWjFU AZYvWRmAjxc3qESh+5DrK0AZ+4/QbM567HyE8pQ== X-Google-Smtp-Source: AGHT+IG5pwkNiFd2+a2pNhpPhkdapK7Fd3NfmBEIhuV1gV5bGUn+D+z3vgH8C1ZrhjtifMcsMYX5+Q== X-Received: by 2002:a05:6a00:1492:b0:772:4319:e7df with SMTP id d2e1a72fcca58-793883da697mr9044960b3a.30.1760038292899; Thu, 09 Oct 2025 12:31:32 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:32 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/24] ghostscript: patch CVE-2025-59798 Date: Thu, 9 Oct 2025 12:30:54 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224629 From: Peter Marko Pick commit mentioned in the NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2025-59798.patch | 134 ++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 135 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch new file mode 100644 index 0000000000..2520e698b5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch @@ -0,0 +1,134 @@ +From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 22 May 2025 12:25:41 +0100 +Subject: [PATCH] pdfwrite - avoid buffer overrun + +Bug #708539 "Buffer overflow in pdf_write_cmap" + +The proposed fix in the report solves the buffer overrun, but does not +tackle a number of other problems. + +This commit checks the result of stream_puts() in +pdf_write_cid_system_info_to_stream() and correctly signals an error to +the caller if that fails. + +In pdf_write_cid_system_info we replace a (rather small!) fixed size +buffer with a dynamically allocated one using the lengths of the strings +which pdf_write_cid_system_info_to_stream() will write, and a small +fixed overhead to deal with the keys and initial byte '/'. + +Because 'buf' is used in the stream 's', if it is too small to hold all +the CIDSystemInfo then we would get an error which was simply discarded +previously. + +We now should avoid the potential error by ensuring the buffer is large +enough for all the information, and if we do get an error we no longer +silently ignore it, which would write an invalid PDF file. + +CVE: CVE-2025-59798 +Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/0cae41b23a9669e801211dd4cf97b6dadd6dbdd7] +Signed-off-by: Peter Marko +--- + devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++--------- + 1 file changed, 41 insertions(+), 11 deletions(-) + +diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c +index ced15c9b2..fe24dd73a 100644 +--- a/devices/vector/gdevpdtw.c ++++ b/devices/vector/gdevpdtw.c +@@ -694,7 +694,8 @@ static int + pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + const gs_cid_system_info_t *pcidsi, gs_id object_id) + { +- byte *Registry, *Ordering; ++ byte *Registry = NULL, *Ordering = NULL; ++ int code = 0; + + Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry"); + if (!Registry) +@@ -725,14 +726,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + } + s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size); + } +- stream_puts(s, "<<\n/Registry"); ++ code = stream_puts(s, "<<\n/Registry"); ++ if (code < 0) ++ goto error; + s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK); +- stream_puts(s, "\n/Ordering"); ++ code = stream_puts(s, "\n/Ordering"); ++ if(code < 0) ++ goto error; + s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK); ++error: + pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement); + gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer"); + gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer"); +- return 0; ++ return code; + } + + int +@@ -777,31 +783,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap, + *ppres = writer.pres; + writer.pres->where_used = 0; /* CMap isn't a PDF resource. */ + if (!pcmap->ToUnicode) { +- byte buf[200]; ++ byte *buf = NULL; ++ uint64_t buflen = 0; + cos_dict_t *pcd = (cos_dict_t *)writer.pres->object; + stream s; + ++ /* We use 'buf' for the stream 's' below and that needs to have some extra ++ * space for the CIDSystemInfo. We also need an extra byte for the leading '/' ++ * 100 bytes is ample for the overhead. ++ */ ++ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100; ++ if (buflen > max_uint) ++ return_error(gs_error_limitcheck); ++ ++ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap"); ++ if (buf == NULL) ++ return_error(gs_error_VMerror); ++ + code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + buf[0] = '/'; + memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size); + code = cos_dict_put_c_key_string(pcd, "/CMapName", + buf, pcmap->CMapName.size + 1); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + s_init(&s, pdev->memory); +- swrite_string(&s, buf, sizeof(buf)); ++ swrite_string(&s, buf, buflen); + code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo", + buf, stell(&s)); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_string_copy(pcd, "/Type", "/CMap"); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + } + if (pcmap->CMapName.size == 0) { + /* Create an arbitrary name (for ToUnicode CMap). */ diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 4d696159e0..c9fcaa7a16 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -76,6 +76,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27836-1.patch \ file://CVE-2025-27836-2.patch \ file://CVE-2025-48708.patch \ + file://CVE-2025-59798.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Thu Oct 9 19:30:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71961 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 843A8CCD18A for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web10.9246.1760038295359619826 for ; Thu, 09 Oct 2025 12:31:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=mOa9hJ1z; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-796f9a8a088so1071119b3a.1 for ; Thu, 09 Oct 2025 12:31:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038295; x=1760643095; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7fzN/GGBcKliVop8aMkZV1uHzYUqAAMnDTCGFO5eIVs=; b=mOa9hJ1zL6oJH0xzs85FluUrDsImRRey/F3EZoVWu3Gn1HQv7TtUCO/n0/L7an1IT9 ZnjITKapSC3UA1cTDQAtTZHSdw5WWACFK3s7J+A6jHJZo08pNoObbHFT4BPL4IEIanWf vFwH1E/oBlMgBdcq4W5zhDWR7llCP/nKDCykgeuoeTdYAAsGg2mxK8T3fAryykoEh09n kv0UlJ811M5gx154irWsD4CBEP+LKh7vCj6kePQI+E+x/v5QKc3/v1j0ShZYJPCqhY6i uo4D1rYSdOJT+ug8PaQA70PgmNEvy/cPNLJQzyIhbacK/6cee0cBw+h8NAMboidQU4Wu r3aA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038295; x=1760643095; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7fzN/GGBcKliVop8aMkZV1uHzYUqAAMnDTCGFO5eIVs=; b=L2PSm3r95Eb82fKkPZvjL5Df5ELRzqEEGc+08EFsXJdVa5wzYBXYZDzndzVKQHIn68 eLaOpMzpdVlbpATBC7LzERUbU99vACNQ6n0VyFT3PeL7MZyEejJukjJr71OOPZbkq/Jy hIl9MRPqiaxu5q8vUGLKcsOnErR9sqxBi4UcGBRDBNA36xljJ+mwFc7OI0CRKwXXl59t zzxst1LkDGFQ6/ToI2sk+6FB12gfMHFI1OXPPDYrRaKgWusQK8XWgg5f18Wy3gWdl6m9 tEbzRcbPN5VcDNh6ERaHlVLla4BWLRlOK11FsANvFdqAkcXfb/5Z0GtOAlCuJxOq3DmY yqNQ== X-Gm-Message-State: AOJu0YzRSnHI92EgrPW5YGmXlWFhwIST4QkXJhbRhQUzOlfyZRKsXZEX wkvJtKbZWaAFdUvrY2OJNA5IprqZKI2jt/pENerPJNU9a0u5zZz0ZKYSEZ3oizWALAmwSj4xvO5 +4S2n X-Gm-Gg: ASbGncuUwegHhRmDiYwXgbLNs8FY4S+ZNgzPXltUX/41+yBCed2OiOejp6adO0UiRGq FWsk96BFyqmEE+HiSQAXtsZwuG9hls0EiToqYJ1fM+OD79jzcBWJTQ3/zfojXnVwvdThIWaDpC6 bi6Xpw7Uq5T1k/a1GErchm+UzvQ+m6sIdKFnZZAfXmyyp304MtCFKGOebBd5WFnQKYqlOSBX/+q Zj2QHi0zK0IoS2I11xoNARmnZ1TdmomSGamFk/qKaIR6R85zmDZtUuWPCExJBaoSKdG5PwC9+na uFiLe40hJwAkjYaAFm8f3NRj5cFHuKD2ZmH6PrUG31+wlucdKdooSZmqdcc973QWOIwfiPyXtyE BI6mTlKZ0TcZVsqAItV7JSyUVNf4OWhd1Ou/1vw== X-Google-Smtp-Source: AGHT+IFpZ3U7nnbdebdol5FlLE96xtBVVp/4gd2BBf0YUN6cAYbDrsHLSDTtR/jP+3WokNZrOecHxw== X-Received: by 2002:a05:6a00:1895:b0:781:1f28:eae9 with SMTP id d2e1a72fcca58-79384f48925mr10112459b3a.3.1760038294476; Thu, 09 Oct 2025 12:31:34 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:34 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/24] ghostscript: patch CVE-2025-59799 Date: Thu, 9 Oct 2025 12:30:55 -0700 Message-ID: <10a51275bb0f62b018a6182953352ecf7aa3d220.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224630 From: Peter Marko Pick commit mentioned in the NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2025-59799.patch | 41 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch new file mode 100644 index 0000000000..3badd82f22 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch @@ -0,0 +1,41 @@ +From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001 +From: Piotr Kajda +Date: Thu, 8 May 2025 11:37:09 +0100 +Subject: [PATCH] pdfwrite - bounds check some strings + +Bug #708517 + +This differs very slightly from the proposed patch in the bug report, I +had a quick scout through the C file and found another similar case. + +Both fixed here. + +CVE: CVE-2025-59799 +Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781] +Signed-off-by: Peter Marko +--- + devices/vector/gdevpdfm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c +index 5aa3644e2..4b1d7d89c 100644 +--- a/devices/vector/gdevpdfm.c ++++ b/devices/vector/gdevpdfm.c +@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING]) + { + const byte *data = dstr->data; + uint size = dstr->size; ++ if (size > MAX_DEST_STRING) ++ return_error(gs_error_limitcheck); + if (size == 0 || data[0] != '(') + return 0; + /****** HANDLE ESCAPES ******/ +@@ -848,6 +850,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd, + char buf[30]; + int d0, d1; + ++ if (Action[1].size > 29) ++ return_error(gs_error_rangecheck); + memcpy(buf, Action[1].data, Action[1].size); + buf[Action[1].size] = 0; + if (sscanf(buf, "%d %d R", &d0, &d1) == 2) diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index c9fcaa7a16..349c007e94 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -77,6 +77,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27836-2.patch \ file://CVE-2025-48708.patch \ file://CVE-2025-59798.patch \ + file://CVE-2025-59799.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Thu Oct 9 19:30:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71962 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B3E1CCD192 for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web11.9200.1760038296930530821 for ; Thu, 09 Oct 2025 12:31:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=xpKOEZKL; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-791c287c10dso1285738b3a.1 for ; Thu, 09 Oct 2025 12:31:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038296; x=1760643096; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qHhnjvs+02QskC0v/5XPDbhZzRBJF93lDl5I4oeqGXw=; b=xpKOEZKL1RXvVBd5/nwlMcuMjADgCxkcKg+vHWtgxKrBkOG4dcBwxG0leEDd1UsVYO PZXHoDTxN5jjehmYmafZN8YWwejwPfphkkPL5ztXvZAwMvC7dO43aHGwi5NzsxBJ5igT FIJke+6AUMt/kk0CrnJlYnSxR5fG4UItl6mSVklDPMVYdsJJW9fqxGz0t1I92Y8TSgVL wp+yL60weOnMi9/WPTaiFn/jCCK/f0SSTbbhT7cZejRThMYCuBr+tP9ibIbdzOgcRLPL uhin+r/6AxQbDv/Me78pF4r5CAhhAXKTsleJWl7clspJe+uUaft6DmRHfpfq5uOPhh9Y 5Uzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038296; x=1760643096; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qHhnjvs+02QskC0v/5XPDbhZzRBJF93lDl5I4oeqGXw=; b=mytZSeKgFps/wnOQBQnf7VKLhCpL8YQ47wFm9g4w5q8HGec0PLHjwuO3opDxWtyKOg rNOL/cYceXdwCOvohE9CHGTvJ55Nu2vgJl+jwWHcRVR/SpXMSGws10u+OtltSAIEp9Bx BnUHRP403q7z+G3JT5hU7NjEQM4izuZqqSzvxMF3PbX92L9E336iZ4G5nmsB/ey797al GIsBKWC76P1r6dqd5ul+STQvH/fOTLJZEo0D8HEvZMNvgiXjw5kYi+eRuRfMrf+QSSKR YeTfV8XBumxbSgx1tNRu19TAoBZ8xczvJxW4RYDxOmp0hGPo+bsXZLY6OxNTChczLEue +EVA== X-Gm-Message-State: AOJu0YyFQ/cXp8tpLKR8lY/jXKc6QGquu9Qy+8DDsWPdshV2KtQcDJ/E HSx0bqcA0dnGXFV+J0rvAZ21vLVD6ympEE9AKzNDnAmmGvcE4kij2KaHapr1oApZCPfAEepIELF SPFeD X-Gm-Gg: ASbGncutdP7E3I+a51ICWnIh5o4GWL0Xv8lag0Kwg637hlxwA8/abyC5manVuQTjXLQ WoVpdIsJw3TscW8/Yvv+hp4mBNuT7cUk4Sl3+5zhHybpia8kOR7FUpMKIIi4M1HlKfF/T3SQYll B7lRnuMtIkGmY5NsI8koegbty9EDC9lrMdAlAi+mPSY/Q73KMDGxhnVomRmUbmlbKCiub0p3b+4 Cmo+HCGnWAMsfUraqDYNU/hZU1qTHWUPdP1OZygH8cgvJYPe4dPsDFlKRYxlZDj5u3ThgkJlumU rIITYCpyr6zEOuudhrXP9CibsjJrueIRzXlUh0BQVHCnhK35+g7dBCfQgz4zpIVDF+A10ka8EfY aEWlxynpG3Dx83HP2262E6hrfhcwDJvdsNf++vA== X-Google-Smtp-Source: AGHT+IFYmAKV/UeXtojNW33GgpqOF8tEd8G7dl9tJ0fwX04u1xTfc+bYYGHkvjZMsRvYAozrUR9g/Q== X-Received: by 2002:a05:6a20:3d1c:b0:32b:83af:317 with SMTP id adf61e73a8af0-32da812f6edmr11342162637.15.1760038296107; Thu, 09 Oct 2025 12:31:36 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:35 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/24] ghostscript: patch CVE-2025-59800 Date: Thu, 9 Oct 2025 12:30:56 -0700 Message-ID: <5109fd6675b6782f10f86f774fe54b6ccecee415.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224631 From: Peter Marko Pick commit mentioned in the NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2025-59800.patch | 36 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch new file mode 100644 index 0000000000..5d50865271 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch @@ -0,0 +1,36 @@ +From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 1 Jul 2025 10:31:17 +0100 +Subject: [PATCH] PDF OCR 8 bit device - avoid overflow + +Bug 708602 "Heap overflow in ocr_line8" + +Make sure the calculation of the required raster size does not overflow +an int. + +CVE: CVE-2025-59800 +Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350] +Signed-off-by: Peter Marko +--- + devices/gdevpdfocr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c +index f27dc11db..6362f4104 100644 +--- a/devices/gdevpdfocr.c ++++ b/devices/gdevpdfocr.c +@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row) + static int + ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp) + { +- int raster = (w+3)&~3; ++ int64_t raster = (w + 3) & ~3; + +- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page"); ++ raster = raster * (int64_t)h; ++ if (raster < 0 || raster > max_size_t) ++ return gs_note_error(gs_error_VMerror); ++ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page"); + if (dev->ocr.data == NULL) + return_error(gs_error_VMerror); + dev->ocr.w = w; diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 349c007e94..b8195e3eff 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -78,6 +78,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-48708.patch \ file://CVE-2025-59798.patch \ file://CVE-2025-59799.patch \ + file://CVE-2025-59800.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Thu Oct 9 19:30:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71964 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90C7BCCD194 for ; Thu, 9 Oct 2025 19:31:39 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web11.9202.1760038298428216458 for ; Thu, 09 Oct 2025 12:31:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=FbuOtnrI; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-781001e3846so1304104b3a.2 for ; Thu, 09 Oct 2025 12:31:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038298; x=1760643098; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=W8M1rihOzb7WeFO74iM8MIIQeT3WMKHWfm0cdjZmfDU=; b=FbuOtnrISTx0pIXcQRg1nEiFu6pgm4CD/5sPIzO2dV7P+Qh/M2eLjkmaFz17+rrk+L 3m4yMwExorbQQPiWCF63H73iX8To/ZlNobqH6iIVoxe9nO/LpiTse1zILd+oDGCzKHCg DSb/StuuvDlOd7mr/O3v2xk3abc1pacIrS9XMxEGHxVoSXDde4Fm+wWy5IR9v1xdsbCY LFAE5UAFaIzNSk/To4eXcUWevNNUrZykTW4r1Zyn3h84Rz2cas9IhF3BA7XcIo+g+Pp7 czp5SDm1cuiZnBEVFnoxrDv1NwwaZ2yb1CDk8H+1NmdRUDxn73fUE78zPs0ovmHQpGEi uYbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038298; x=1760643098; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=W8M1rihOzb7WeFO74iM8MIIQeT3WMKHWfm0cdjZmfDU=; b=DR/NHK2yRpqnq3h6GD7RB5qMsLtAHzs0+2sSxA+Zce74496yG3VnRSj4phgrbu+ZZ2 rzlOBMtmzcQOpyd4mWIHMZsCZ/U0fEnY0wtHGoEo7MoNTZUnLIh/fP5QOTLhMvw4hiA9 TKIgV53ugGZnrOD89pw3+SUIzvsQWALfGKR2mUuKwG44XuetKx3DTkbeqUFhWLXI1L5C yrDD88HjNodSGmAnQswh54i7GDO+TXUwR4AY/kz7k4ru3UYbc0LDiMOYof1aGVnYkaCp +EZ3VFXtCgsgGdj0ouMKHy9aVFt75BGeVQO0opZCIfvn13UeY4mr/T/OF2wj5XYCIXRI TRMw== X-Gm-Message-State: AOJu0YyV43lH1g9N8NnFW9Ss4tG8GwgFNaciWFvJW+/octjpscLCp/It U0//DF7He4WhyVLSMy741QaPlxPdk+wEuPxD2ORg1H6t63DFQp2Vt6Of1jNlACTZEJZQPBkfkvu MZ+wQ X-Gm-Gg: ASbGncu5UmM5qjhLTZDm2yKyKz8tuL3S7/vgY/HhDD6S9vrQLUCzXQFtwY3dqMkASj0 e+PlRqoqAcLxQ9CefP64WD+39dnJ5ciNDA65x/JCwy5JgvmfdZUQa9D+7FomtCt9FKG6k2XuU85 qKgDe6eCN8Vrpp1MiPo80yQakZI/cinS4+rZosQFRU8kiJIevW6taTeSllVCsxJW83XguBpoPSH QG9D26czsR5gAVVLzQ14bqDmMzr3SV0lYzS45NgZRHL+WGOCU5nMTWhj+ik/cpH2SGZPTbD+8XW m3gboh5qW6n0iOascBdF0OB0+ZQt5xWWHTA2Tbnc8RmF5nf+XGY5ZL6OqbboxJON/47FOr322iG jdA2lFmZ31mHOZGydyqgGi3EI0aKa2Jl8glnWZw== X-Google-Smtp-Source: AGHT+IG1DLLDlov+O6rPvHYIEr9rg9G7mI1UZBq7m39sdTUPapXKLCEH/WWANcS0l8i0zZ5nZqnq7A== X-Received: by 2002:a05:6a20:9389:b0:2e5:655c:7f93 with SMTP id adf61e73a8af0-32da83dbb59mr11511323637.33.1760038297542; Thu, 09 Oct 2025 12:31:37 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:37 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/24] pulseaudio: ignore CVE-2024-11586 Date: Thu, 9 Oct 2025 12:30:57 -0700 Message-ID: <66e45229a9614d33f64167f0259ae1d719839d83.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224632 From: Peter Marko As per the linked ticket, this issue is related to an Ubuntu-specific patch that we don't have. (From OE-Core rev: dc81fdc6bdf8ab39b7f2fd994d50256430c36558) (From OE-Core rev: 72e63e44a0c6ad5a408c4dc59a24288c36463439) Rewritten CVE_STATUS to CVE_CHECK_IGNORE. Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/pulseaudio/pulseaudio.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc index 7b9d245c07..58d0040459 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc @@ -281,3 +281,6 @@ RDEPENDS:pulseaudio-server += "\ RDEPENDS:pulseaudio-server += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', \ bb.utils.contains('DISTRO_FEATURES', 'systemd', 'pulseaudio-module-systemd-login', 'pulseaudio-module-console-kit', d), \ '', d)}" + +# not-applicable-platform: specific to Ubuntu 16.04 +CVE_CHECK_IGNORE += "CVE-2024-11586" From patchwork Thu Oct 9 19:30:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71967 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90B9ACCD183 for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web11.9204.1760038299707025563 for ; Thu, 09 Oct 2025 12:31:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=UdnckSUS; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-780fc3b181aso827558b3a.2 for ; Thu, 09 Oct 2025 12:31:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038299; x=1760643099; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FUWwMXGnJvjZXn06g2u7P2jOKfZqw2y8+qflU/5QRqo=; b=UdnckSUSGiG8Xic3e+7aooKsw3xNZEHoPUN42YyZijzI24SxAem1wLZ90+DoYu7lrW Xav2rCeTG96tyr4uCybaF5+AyRQEOf95FTBaGj0J+hjSPXVDhvDQR07mSVHWBiqqTI/U MZGle5slkvTg1eySHy43e2MMb7eIB9uHT8YS/K38udsFtFu6LZlwcRkqtvSbofrdg5q3 TEnmgPmrv78osowZO0KqbFtZITZp7bcfh8rlm2P5u9P9LlfL7ziQL9WkRHeYoFkRSsPd kD2hz7fx9SGNkoX/AV356DmkGMa+KcstkMkaOG8IEG2OZOfBNje60smhKJIS7za1CakW 8vDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038299; x=1760643099; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FUWwMXGnJvjZXn06g2u7P2jOKfZqw2y8+qflU/5QRqo=; b=fSBa6BaZWjP6ELch0xTvkMdRih3paqYnw3j8wOyzMW1s+Vr+a3LrsNflwIj/hO6qph 2xRP7H3SiL90nUQcuacfxmtcEyWig95KPLDW9YaSfXvbZFqxJYTmE8kZi4+lLTG65POB y54IqPxX02sF/0vEn2M98tz08QZC3QYgG7sRmqLMQZV1NlaFPAOMWVeMk461FyNj3kcv V2yga85uf2336Fm+LP2SONEhMdr5sVwMuYc2bOGnYj5G8UKq7qzQ0yVwU9CNo9c4Jyt9 jUUer6LsCm9+R6g3TYBvllyyh9pQ/Nkz4UsoPUa0GiA5MbJW1T7FAwhvErCBqMCZTlzR 9zcw== X-Gm-Message-State: AOJu0YzRUHIUrFZPjkb/i8JX01G3aeZmZSSyaKEfWP1QORqlSdmvqKSb Xl+O+PO867yfhK1EgtRrgxx72hLfdMmy5sqXYsQEZCpX4rQaCf3J3tRZB6AFwzAQqgGxoGPwCwa MhxKA X-Gm-Gg: ASbGncsF/Z7LUTtwM+ae8zCcHqkO5e+bagPX2hAC9c2rkJfp80YXrZ1ttieEyrDTxvB 0XR9quRaPRu5ncQvhX5ZgYCCQcxZtQeOzI79ekM5ksLfwtVqrChsjOyiVgovkt/MLF0R2h9M7Aj WffhvZ9xE0D0e9o+vOTY77hh25XdEXy7PpRew720HLy25B41aRN9uQQsKPqf/4OIPZJNHrZA03Z YJ1LrXEuPY0dvoz3lr0lgBKcFz0t2zD/lL57cb2TAPgGH3UdorFdMyjWnX7AeaO0wfGcHC5DNLf gI+ULHHTeLNu0FhjaWV5/IZrfq7fC/tk3jpcn6Iyos9tMHv3Q/lOpAd0XhnBypQIONG4VCs6PSn OoDwPdnHR6GJBP3qb6pUkt3M/scRLVk2BjGXzvA== X-Google-Smtp-Source: AGHT+IErmbj8+5Bf/hqZ3POk8dmiYmX8R1opBEuoM/Bj7RBKaU8aCcltyWHIOiHhluWhTHOLA4MsbA== X-Received: by 2002:a05:6a00:2388:b0:772:3aa4:226e with SMTP id d2e1a72fcca58-79387242fa9mr9900209b3a.19.1760038298890; Thu, 09 Oct 2025 12:31:38 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/24] ffmpeg: ignore CVE-2023-6603 Date: Thu, 9 Oct 2025 12:30:58 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224633 From: Peter Marko Per [1] this CVE is fixed by [2] which is available in version 5.0, so version 5.0.3 is not vulnerable anymore. [1] https://security-tracker.debian.org/tracker/CVE-2023-6603 [2] https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index a46cb3480a..d64b97e787 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -101,6 +101,10 @@ CVE_CHECK_IGNORE += "CVE-2022-3109" # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/481e81be1271ac9a0124ee615700390c2371bd89 CVE_CHECK_IGNORE += "CVE-2022-3341" +# This vulnerability was fixed in 5.0 +# bugfix: https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3 +CVE_CHECK_IGNORE += "CVE-2023-6603" + # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm" From patchwork Thu Oct 9 19:30:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71965 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90BD8CCD18A for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.web10.9251.1760038301376982010 for ; Thu, 09 Oct 2025 12:31:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=bs9cPGqh; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-781251eec51so1168529b3a.3 for ; Thu, 09 Oct 2025 12:31:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038300; x=1760643100; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qR035eAnQPMBTYYuTVgWQeYU4fstV8BEdPMKldqRabU=; b=bs9cPGqhJrKrYGd30QgjcSDvREQ4+q+zMmu1ImodMM5I/PVy6LzS1ed4/Hhnx7UW80 AyKlgDJ5SVd6V9gwERVqhkk4Y3mh6eZLdG6q+rllEW7ODoDIXwFdyDR8DZ/rASniczvE 1p1SQnB+wrAZ+95j6KSJICXSpVPz7Kr2DgzN0NLq7UaecY5RYTpJW2kktKCWKArp6jQF uZbweo08md9+UAjpL336wITVlghI7vAh+eRCBdprJjZMVQNP6026gkUzdYh/4ZCykJUG tvu0g2n4QT/sWPFAId7G06ZJhDEFFitWlaXObUIRMvKBhnc9MSQ4dGwWA3nquqRHfJ+s EBFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038300; x=1760643100; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qR035eAnQPMBTYYuTVgWQeYU4fstV8BEdPMKldqRabU=; b=RGnH+BVhBbf5Nk0xvVN1XbvQ25cBrnvdZVrHbuksQ6F55N7NUXjVGs+p48nbOhPO2P eE0l0nY04C/y8rMJg4h75T1CeJeSPdzxbkTX9NI+aa+LQVZd4sAzK0Evc/UizR/ADBGH QYiXY33Qu/+RKJs53ZmBmSQ5AfXjGUbJ6l+lNjFanuz9/oLLCUHYQ4z3kFttJfdkxadg /1pQkxAdNlu6k0bzTi1dVymT1WDxAVt3mfRHJUGe5L2mYBGOpqFV7Oc/XEolFXhoLNXs V20Muw/KXqZCDo7Z9tu1TJUgzXSEcSL5ndpW0TEe8rIhZeZUDcCXHmXeyCQSJhDkvTKn HNEA== X-Gm-Message-State: AOJu0YwUSB3zov8/rRX7IMJGsQT0SONtBzBilZVxmaqrDcoMOXdh6XA1 rQoS3INcAVeqpV2RZFjE6DyGJBMHiztVoYSBMppR1h6l0XWMbtCc0IyNjyz9Afww8OwvsFoQFI7 hGwAj X-Gm-Gg: ASbGnct+nHmFy0NvPeWIlULU68+Thet3Xw0ROcdZ22ix5Dceaj/9SHqb8d3dDeR1HxA PNda3gRHhsB86PB/Vt0+c0me92ismxloXa75SXI1PJyVm9eLjTP3ouOMkGYTGBSUC5szrNQpvrR AkGovFj58V3nro94N8a15YKSII+2qeAYEd9Ods4cP7K6WSUv9HIE9uHLd4mwjUXOn2rpj2srY+D 2qLhDDy7bBzM4t777cprO6J27DGIbGlFMNVwpguF+hotLjFtLpZmeRxomF2mBymuV6mtMiAcLGm kWsqjEmSq3BC7AVew2XYcWndI7brPDC//kwmShB+AW+QUMoO7r3REHxxXMpbSP9jjrIXSLlJ/BD TnVvgMEaeWRBGoaViFd67k3PTwOy6kMyYw3sJEw== X-Google-Smtp-Source: AGHT+IEbgrqpG18IZDwmE2MwWaA19uoBSkko2OIVVHenp6W8TNWLZ1R6LHHuEq8ykqtBF+jwXl6D+A== X-Received: by 2002:a05:6a00:179a:b0:776:1c49:82f8 with SMTP id d2e1a72fcca58-79385702ebbmr10045303b3a.8.1760038300387; Thu, 09 Oct 2025 12:31:40 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:40 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 15/24] ffmpeg: mark CVE-2023-6601 as patched Date: Thu, 9 Oct 2025 12:30:59 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224634 From: Peter Marko Per [1] this CVE is fixed by the same commits as the other 3 CVEs. [1] https://security-tracker.debian.org/tracker/CVE-2023-6601 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch index 1ba1006197..d90fd20160 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch @@ -21,7 +21,7 @@ Signed-off-by: Michael Niedermayer (cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31) Signed-off-by: Michael Niedermayer -CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605 +CVE: CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605 Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57] From patchwork Thu Oct 9 19:31:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71966 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A66DCCD184 for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web10.9252.1760038302901310873 for ; Thu, 09 Oct 2025 12:31:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=RFmFwZVq; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-78125ed4052so1580436b3a.0 for ; Thu, 09 Oct 2025 12:31:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038302; x=1760643102; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ub870bIuijFJxXA+HTBYweLcV5g/R6yC5Hq/Kw/IPAs=; b=RFmFwZVqDAiTUggfkCZkqfSG+4+NKuois1qXunw+KSXQxg5YpjTsE4siqqvL0FgFqe MAbbqbzbPvblxUIMF/eqXH70CuO3oLZs0UJur4/XD8LvDM2cBJbUHPC+zGiIWIfHisfZ GIYlD27SrmFVUSXg+HP8V5dnh05TTAE13ifxT06axqgiRxKfKGyypgEUzU43IswMdRnK XWyup0FyMHIESSxECROuL9WozGVCkB9fxS8atNAuHdRq8RU/YLBsgFw8RF9+rvbwRQ15 W+6wLTNZD+3bWf6GPb/RaSvCm/ZIinz346zMXMX7g8w1fjZroafiNVuule/mX8/jObmE VKVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038302; x=1760643102; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ub870bIuijFJxXA+HTBYweLcV5g/R6yC5Hq/Kw/IPAs=; b=WPnkcqcGBl4bD3f5E04VuyQv7JwOPh9367B79EiwE//0477adaptOmGzTUGuwXUW7V P9H5g60Qma7c7uhw62cbbL/OEhMFrbS3rWY1f2NFh7wL5Atg1IEF/fS/Z4EMAF5ovzuK 9zJ7SyM17gICXEXINqDgTlBNtpiK0E3a5bYYlS9VdFbkGYug7qbLYQLCtzKoCB+81ZXs qkKztr1uHzwUaWTdcEVd9r66XClZUx4/OKaDZvlo91sF9jCyAX/Tv0aZiKn0XOmXWt/P vISHJIzrCFy0ka1FtZqT/otZb5fK/ZFuRIM3hHvooV/ms3T96ltTsfKR1Yp5oOD3VWWO 1S3w== X-Gm-Message-State: AOJu0Yw+QsQyWLDTAX9V/Afb+kcIAyt08WSDj/Qvx9/kaa981NMxjXfi PG+n9theeLos/fe2S6tTI2l67ZXMcI4toFT+frbgYKPgdJa2AmWUXoD8BNbeuy0NN6vlo39kJjb ZSxPx X-Gm-Gg: ASbGncvbPcNYzZ/3yBAxGpukzkv8dTHp97BozWDOURqaNL5e2iLiUKIitz954DFwuox vBJtjx1s/MYNomHURWYvmv7gVMo8mxbRRfGNSQkiZbsmxR/5aU5NHo3fxEvOQ8v9PyQj6Ev4N6j EG3unAESyl6SfTIzLwWFsumRr8l4m6iunP+cgE80WiRBa3yiesaruA8PZzHQyAhQXfDSso19Lui 0LGhHAHjupOV99MUL4q+YA6F3cjZ7SCxetm1gga9FFvReFg7baD5eYyGcIZ6HKp4to3EQdbsTET FxrBQga7DA2YZKWDz5ae/RNejqYQvBliy2+UkSTm9okbZtkV7tCoJC+qdPWyDRBZfTXuKOG52pM gPbcoCSKOWMZ4gMn+l+4qg4WexRwIobWWKjxhvg== X-Google-Smtp-Source: AGHT+IHy04UWuU23qskqmVVDktE+D2Z/lt6skKxR7QuECqgVMvhMxRXtxHYew4RHLKrFx8Sr+/lMnA== X-Received: by 2002:a05:6a20:7348:b0:2c7:55a3:6168 with SMTP id adf61e73a8af0-32da83de308mr10945834637.30.1760038301897; Thu, 09 Oct 2025 12:31:41 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:41 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 16/24] go: fix CVE-2025-47906 Date: Thu, 9 Oct 2025 12:31:00 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224635 From: Archana Polampalli If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2025-47906.patch | 171 ++++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 2052f4adbc..aab8e85c22 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -67,6 +67,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47907-pre-0001.patch \ file://CVE-2025-47907-pre-0002.patch \ file://CVE-2025-47907.patch \ + file://CVE-2025-47906.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch new file mode 100644 index 0000000000..272d1ed985 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47906.patch @@ -0,0 +1,171 @@ +From 8fa31a2d7d9e60c50a3a94080c097b6e65773f4b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= +Date: Mon, 30 Jun 2025 16:58:59 +0200 +Subject: [PATCH] [release-branch.go1.23] os/exec: fix incorrect expansion of + "", "." and ".." in LookPath Fix incorrect expansion of "" and "." when $PATH + contains an executable file or, on Windows, a parent directory of a %PATH% + element contains an file with the same name as the %PATH% element but with + one of the %PATHEXT% extension (ex: C:\utils\bin is in PATH, and + C:\utils\bin.exe exists). + +Fix incorrect expansion of ".." when $PATH contains an element which is +an the concatenation of the path to an executable file (or on Windows +a path that can be expanded to an executable by appending a %PATHEXT% +extension), a path separator and a name. + +"", "." and ".." are now rejected early with ErrNotFound. + +Fixes CVE-2025-47906 +Fixes #74803 + +Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e +Reviewed-on: https://go-review.googlesource.com/c/go/+/685755 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-by: Damien Neil +(cherry picked from commit e0b07dc) +Reviewed-on: https://go-review.googlesource.com/c/go/+/691855 +Reviewed-by: Michael Knyszek + +CVE: CVE-2025-47906 + +Upstream-Status: Backport [https://github.com/golang/go/commit/8fa31a2d7d9e60c50a3a94080c097b6e65773f4b] + +Signed-off-by: Archana Polampalli +--- + src/internal/execabs/execabs_test.go | 55 ++++++++++++++++++++++++++++ + src/os/exec/exec.go | 9 +++++ + src/os/exec/lp_plan9.go | 4 ++ + src/os/exec/lp_unix.go | 4 ++ + src/os/exec/lp_windows.go | 4 ++ + 5 files changed, 76 insertions(+) + +diff --git a/src/internal/execabs/execabs_test.go b/src/internal/execabs/execabs_test.go +index 97a3f39..99fd64b 100644 +--- a/src/internal/execabs/execabs_test.go ++++ b/src/internal/execabs/execabs_test.go +@@ -100,4 +100,59 @@ func TestLookPath(t *testing.T) { + } else if err.Error() != expectedErr { + t.Errorf("LookPath returned unexpected error: want %q, got %q", expectedErr, err.Error()) + } ++ checker := func(test string) func(t *testing.T) { ++ return func(t *testing.T) { ++ t.Helper() ++ t.Logf("PATH=%s", os.Getenv("PATH")) ++ p, err := LookPath(test) ++ if err == nil { ++ t.Errorf("%q: error expected, got nil", test) ++ } ++ if p != "" { ++ t.Errorf("%q: path returned should be \"\". Got %q", test, p) ++ } ++ } ++ } ++ ++ // Reference behavior for the next test ++ t.Run(pathVar+"=$OTHER2", func(t *testing.T) { ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) ++ ++ // Test the behavior when PATH contains an executable file which is not a directory ++ t.Run(pathVar+"=exe", func(t *testing.T) { ++ // Inject an executable file (not a directory) in PATH. ++ // Use our own binary os.Args[0]. ++ testenv.MustHaveExec(t) ++ exe, err := os.Executable() ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ t.Setenv(pathVar, exe) ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) ++ ++ // Test the behavior when PATH contains an executable file which is not a directory ++ t.Run(pathVar+"=exe/xx", func(t *testing.T) { ++ // Inject an executable file (not a directory) in PATH. ++ // Use our own binary os.Args[0]. ++ testenv.MustHaveExec(t) ++ exe, err := os.Executable() ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ t.Setenv(pathVar, filepath.Join(exe, "xx")) ++ t.Run("empty", checker("")) ++ t.Run("dot", checker(".")) ++ t.Run("dotdot1", checker("abc/..")) ++ t.Run("dotdot2", checker("..")) ++ }) + } +diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go +index 505de58..84fd82f 100644 +--- a/src/os/exec/exec.go ++++ b/src/os/exec/exec.go +@@ -790,3 +790,12 @@ func addCriticalEnv(env []string) []string { + } + return append(env, "SYSTEMROOT="+os.Getenv("SYSTEMROOT")) + } ++// validateLookPath excludes paths that can't be valid ++// executable names. See issue #74466 and CVE-2025-47906. ++func validateLookPath(s string) error { ++ switch s { ++ case "", ".", "..": ++ return ErrNotFound ++ } ++ return nil ++} +diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go +index e8826a5..ed9f6e3 100644 +--- a/src/os/exec/lp_plan9.go ++++ b/src/os/exec/lp_plan9.go +@@ -33,6 +33,10 @@ func findExecutable(file string) error { + // The result may be an absolute path or a path relative to the current directory. + func LookPath(file string) (string, error) { + // skip the path lookup for these prefixes ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + skip := []string{"/", "#", "./", "../"} + + for _, p := range skip { +diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go +index d1d246a..1b27f2b 100644 +--- a/src/os/exec/lp_unix.go ++++ b/src/os/exec/lp_unix.go +@@ -38,6 +38,10 @@ func LookPath(file string) (string, error) { + // (only bypass the path if file begins with / or ./ or ../) + // but that would not match all the Unix shells. + ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + if strings.Contains(file, "/") { + err := findExecutable(file) + if err == nil { +diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go +index e7a2cdf..7a1d6fb 100644 +--- a/src/os/exec/lp_windows.go ++++ b/src/os/exec/lp_windows.go +@@ -58,6 +58,10 @@ func findExecutable(file string, exts []string) (string, error) { + // a suitable candidate. + // The result may be an absolute path or a path relative to the current directory. + func LookPath(file string) (string, error) { ++ if err := validateLookPath(file); err != nil { ++ return "", &Error{file, err} ++ } ++ + var exts []string + x := os.Getenv(`PATHEXT`) + if x != "" { +-- +2.40.0 From patchwork Thu Oct 9 19:31:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71968 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D4CDCCD18D for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.web11.9209.1760038304023443177 for ; Thu, 09 Oct 2025 12:31:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=EP4uCv8B; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-7811fa91774so1186748b3a.0 for ; Thu, 09 Oct 2025 12:31:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038303; x=1760643103; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=BzXA6gFmJuwFC3d8eUFkXkT/bS+ROUirc0PqzHQS46U=; b=EP4uCv8B2tAX1f59uNj0wb7LTxC1rjk08ZYXxiydZHKLMTe9LLx5ZFGAMKwWE5ejcO NjCnGe037mjOK79trHbZSRUJ3IxfShxYO1cWq8ejel/DIdM5+6UcW/VcV+tK0pfcKtba wmy2P5l3CySylcMHLKt2JGjma55MIedORZ6nDrTy42vLcJ1s7gS4DiiS5SEyuu2GBGdV EE59xr+xB4MKyq0V5/F5XHs+TQuxOrxpwc4Jg562qCz59exOyBgKZEAI6apyG3Q8roSI AucLQZ2hZt0dWK+v8R0loMwxsXnf+3/E/EVtBTgOpeyGPSoY/yCSKA7CeEJ2mfbcmmN3 KTrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038303; x=1760643103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BzXA6gFmJuwFC3d8eUFkXkT/bS+ROUirc0PqzHQS46U=; b=Mo008HX0yM9fJiv50Eav7AaZk7ib5kkxpxkUKkhjrKGfoDU1TV0EzfwZoOx4KpOD5l ZvCv9oey824TNuFh1ZnEAi7zSfUFCwWAxGwKPj6mnXtI5vSFyvbmeMWG1MQbYNzTJkPV rrWCgVi3WbmxA7A+zcQkWTmpZST5Mr5ajgaHkwhHsa3rESPEQHy2obTwoTPgynIbKK76 l7wVDpfpILed7ja0ubJI8eWQGZ898wATqttXFz6/P/i2r3Z2nIE+svH/hPwwN63+jgi2 kmmLQpKRPuCm7oau3uP3vvk4u4AEgsVcFkAtrwO8pjx1U3qkFQk48GAkJEm+p1uX9L2O rL6g== X-Gm-Message-State: AOJu0YyutZrcNLE0rqh66BJ7euONa0M7HKn+Szbnw/OwPr+HplDLz0Um h84VnOMmAgbwyHZdXXfyL8LDhT1rkfIlYaWdkKWrUxLNQQQNyiVrp1NeLPU8oomDkZWQ3KF013m 3btSW X-Gm-Gg: ASbGncv+oApKeVK1F7UAd7XKqNsQN/kV90RHqxIf/KmYrnULB0YCAmqdKwZAYU0XHAI VtUtDQu/o56VwtCSK/XMP3uUOfqCfSeS543WvypkpscQS+HgXDIsEaUYPI+dv6SF6YixI16VZbH Xk9rHNZiOZJgI+fiSR7yakhu4Auexsa+tA9WXMnfzrPLT8QDxTCVR2tELolyZosLyuaYME+QEkP l3P8QHFkdZoR4HnyC2PDcLTi9tbZZEFG5rkff7nIYAQgG89uz7TrYXVNWEv1/I+ceVjJ/fVFVv+ wLW7tcYw4Js6vFclJQP2mfSSdFCBRtw4MKQZ8a4jsWEXSbc0ptNzL3F3XG62Vfpz0vtvztdXXpr mIQd5YmyrDMJj+p9DoP8n20CO4LFT5UyMs3UhOg== X-Google-Smtp-Source: AGHT+IHSl9LEoz1YzFYTFH35gRNUhI5zbZi5pfHw6hhuGnkDruFSvvDXK/5NtSAgNerGCGCgXkRs8Q== X-Received: by 2002:a05:6a20:914c:b0:250:429b:9e6d with SMTP id adf61e73a8af0-32da850fccfmr12058210637.44.1760038303278; Thu, 09 Oct 2025 12:31:43 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:43 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 17/24] scripts/install-buildtools: Update to 4.0.30 Date: Thu, 9 Oct 2025 12:31:01 -0700 Message-ID: <237452d023dfc895cd8183e30e781da6f60b2ec5.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224636 From: Aleksandar Nikolic Update to the 4.0.30 release of the 4.0 series for buildtools Signed-off-by: Aleksandar Nikolic Signed-off-by: Steve Sakoman --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index 3c86a087e8..5c990b1f8e 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools @@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-4.0.28' -DEFAULT_INSTALLER_VERSION = '4.0.28' +DEFAULT_RELEASE = 'yocto-4.0.30' +DEFAULT_INSTALLER_VERSION = '4.0.30' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check From patchwork Thu Oct 9 19:31:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71969 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8AE0CCD18C for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web10.9255.1760038305547234121 for ; Thu, 09 Oct 2025 12:31:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=I1XZ2RCA; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-76e4fc419a9so1348084b3a.0 for ; Thu, 09 Oct 2025 12:31:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038305; x=1760643105; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=awG4LqcCp9hsuKGSfNu53UGlqOk2senOrbuqTut9yME=; b=I1XZ2RCADLJNs0e3fcE9Z5US5HBLoqABv0CGiCkK8Z9K7e0MIcgUkcdZiWPF4iTQRb BMGx5LgilSEVTXHPo7eLSsEMVeEGsNwN/eh4edEfIQoUUOqgPMbJPOHsSv4fMZ9szzSg CXTwN1I5AdfoNtYrUYqtHnkXjVwDsdyUcBfY9EdeqdyY+nbAllv341+Pw5OI4tFNuMjQ xr4vkrmJ++tlYuhFwDVA8B55q9OfFDHCAubEBhgBE1IQbzovl6cXMShdLelhfPSlW6Q8 RFkYq7WKkoqT1rjroF6d9xOjYqIJGJK+J0Q0CgT0YNiKw8j03DfKcQl6Y/A/twylshtM kG/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038305; x=1760643105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=awG4LqcCp9hsuKGSfNu53UGlqOk2senOrbuqTut9yME=; b=A/WRhGo2E6+qS125+GdT/5xcFY4gOkxur3PW+55pqljnCjwscm1V3+7gv+I05F9KAD rJpSEyyrT6X3h0NSmyU+JrwUEx2dl/Tm3W6qWnafR6iaShzaqtZGb2SpwDJsoOyMfz54 n+20stLiRCGsWvIdGR9M2HXfWGM8dBPyAgdEOblqOXLuLS2vh98xrrer4XMiw5itO/Zt PKAcRJNR3I3AyGdoEYYm9o7/W9W9sLrnGYeRyfkPghUh3u0crTUXrkDJJU8YxO+gZF5q xs7A9b0qfY0er70pmN3LFCrm7oyOb/21SGgxx0tTr6dwZYDczJOKgf9fz5GhuxHSRHAn cW2A== X-Gm-Message-State: AOJu0YyJnABPkJsjccms60aGiXftp9FBC7D3CxcbRxRASQb9ynieXOCw N6nerox8Wcu7GIwFks36jLr19nh+ORvHddbFhOaxoDWr5oP4SMwjzv1F25tNTTHfh/ihREYvdHP M9LdC X-Gm-Gg: ASbGnctiK4oSQzTJCAG1Ewln3+J7e+C6KBpzDTGYpjl0D4dP3JN1kXs1Qep0sWec70Z 9eNuGY59BQyexTbFuQBPwGwtLQ763qJSQAC5OTsaFuQ59lvuIhztusn7R1lofZDVmQLiFmg1TRi N4zaB03zDDWfrzoHU7YPrS+Pjtkgr7ZDuRO/VJ07GEzlMe6UQmA1OGP9wpx5wYaOau+ohG+kDJh gEYppb734ECIbHSdtzvM3AhS2vL37nbmAISW/yfg1UVPRyERdaSGpanvsITtwXtDi4Du62FCkfs LMYJL0Jrahk/vM3a9u93qIHWfdAupE6SdnH8DpwGeb4cB102f/7H6POX48Gt7Fq8dWkOzlh8yTC xQvaTkkOnScD/wgha1xwZI2Zg42BdKLmZq4FNJQ== X-Google-Smtp-Source: AGHT+IHiLEO+Cz9Te6gg8HZXNQBbj7tbylWPsdfpNhXQ0zdj6QIGFT+eYrlw98mzqAZ68pDVP90ETQ== X-Received: by 2002:a05:6a00:17a5:b0:781:1562:1f9e with SMTP id d2e1a72fcca58-793880f0678mr11947449b3a.32.1760038304607; Thu, 09 Oct 2025 12:31:44 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:44 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 18/24] openssl: upgrade 3.0.17 -> 3.0.18 Date: Thu, 9 Oct 2025 12:31:02 -0700 Message-ID: <0a0d640436258269ffaaf23116d41f9a79db5ab7.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224637 From: Archana Polampalli This release incorporates the following bug fixes and mitigations: Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230) Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232) Changelog: https://github.com/openssl/openssl/blob/openssl-3.0.18/NEWS.md#openssl-30 Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb} (99%) diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb similarity index 99% rename from meta/recipes-connectivity/openssl/openssl_3.0.17.bb rename to meta/recipes-connectivity/openssl/openssl_3.0.18.bb index a50bd2edbf..a8dd338327 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb @@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce" +SRC_URI[sha256sum] = "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Thu Oct 9 19:31:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B31AACCD18F for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.9214.1760038307289424274 for ; Thu, 09 Oct 2025 12:31:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Z1QcTn2E; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-789fb76b466so1253429b3a.0 for ; Thu, 09 Oct 2025 12:31:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038306; x=1760643106; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6QGqWQrXYF76rIpinXnbklVeUXD/qCyz3ZNEeLJPVOU=; b=Z1QcTn2EBj9l1nobYXvYxNd74PyGwpEkfayTUM2LpDBpSP52aJSs79s09oONHrnLEa GZaVqz9Y3nMW5mwita8F0NWjZR/6jlXdvdWSOZECgmiBYLkCLQ996ReWZrgM1g5PERSl S/PV458AyL4JPv0Xq27uHLxR0vGwivnzJOsou2FRjsrYdIyQnHwya8RIIJHX5fUKKABV 9057d2hFGU2Hie7SVjUjRGj6vR5XU4uJY8z+7/h4/7GYBDnMDihFpvE4uzqpFfKeQykP 2Y97c1X8XEUHEX4P1WKXNybu6U5vr9aT+tZYC/q4Zxogbc5zkshbLIESK7jRGoF7v00x 00Zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038306; x=1760643106; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6QGqWQrXYF76rIpinXnbklVeUXD/qCyz3ZNEeLJPVOU=; b=HMId/8rEPZ1iLRN7SPNUzVSudslpdjBqn87Wnnh9B36emiJTqQ8PJ5GSSNt+t78FPO +urLqdOS72j7zMHr/U4dlUlCVN+/54KrJVJKKNX/kv22Hm/sbwBqOyNqztGvm5Iw4vtr M4p4ba+AxEEQ9zhPx81T49HM6DEXRg+etgtYeweqovm+8f7CX/HSE047E9SIq9CwF1lt ppuIn/FD3GyM8wK/PEAbfikW/3I9E4rD1LCgnyb6iarmsz88B3BnggO06OwxsXzLxvVr fQrrKlJTPIzxvFvHMCmiC7RSTi6v8fVJtjWFZWhZJ4qjw8NvwmpPkNYBmLdyFhdpUFMg /3mQ== X-Gm-Message-State: AOJu0Yy5L84SYl/ARVydFN7Jp6NEKCbefj5XwTuhfQkb3Olf7Q9FDRZg xfVKM27CzInYoG4/9q438/VSgVEH7c6qaBMCZJD9tF45eKI4hGui2zw4+lMpw1lhxOyOdnZTb4e 20UIZ X-Gm-Gg: ASbGncuEheZHq100AUobQzJ8KlLM41+agdYair7/vtc9toF2knYS/nOGp/pEReEvP9A PxXw/y/rwtiVTqzp0kGREz0UuKnT4E5y5+vfB+raprRfDbYTS5d1D2QFO+pz9O0ivShomlNkhY/ j/mWAvjZ7yn0ui+/4rOCHd3UHPFSVRMZve9z+0kTGZn8+WGCzl5KMGA1ccMUqgykfYADHySGbob tAxSYKPma8c8k/lIJArSp+A0astIoCCmdhpArxjVa6cuBJ10t3vXYQRDKMUlRSRnT+Ht2AOPfDA mPQUiG/Oh7laSQ9UL4rgcf3g2JpYhKlSzqOnez+SceziHVHaBFDvepVcD7N8zXJ1+KhmuOxS15e WAqughy4wzjQnu0A7ShCPfhbGP5QdcqL3GBUPIQ== X-Google-Smtp-Source: AGHT+IGpq7iLt3dC2wr/AfVZUd8sJxX3TEHcp2Lqsic50qb3PnFETJwnd4ikfMFlejX2Bb2ZYX/ASw== X-Received: by 2002:a05:6a00:391a:b0:77e:8130:fda with SMTP id d2e1a72fcca58-79385ddc9f9mr11023686b3a.13.1760038306046; Thu, 09 Oct 2025 12:31:46 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:45 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 19/24] glibc: stable 2.35 branch updates Date: Thu, 9 Oct 2025 12:31:03 -0700 Message-ID: <932ee96c0dc24ac3cdb9cee5bf96375568b41df0.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224638 From: Deepesh Varatharajan git log --oneline a66bc3941ff298e474d5f02d0c3303401951141f..4e50046821f05ada5f14c76803845125ddb3ed7d 4e50046821 (HEAD, origin/release/2.35/master) x86-64: Add GLIBC_ABI_DT_X86_64_PLT [BZ #33212] c97735cfde elf: Handle ld.so with LOAD segment gaps in _dl_find_object (bug 31943) 96cc65a28a elf: Extract rtld_setup_phdr function from dl_main e3f04f64fa elf: Do not add a copy of _dl_find_object to libc.so bfae8bf49c arm: Use _dl_find_object on __gnu_Unwind_Find_exidx (BZ 31405) Testing Results: Before After Diff PASS 4605 4609 +4 XPASS 6 6 0 FAIL 358 356 -2 XFAIL 16 16 0 UNRESOLVED 0 1 +1 UNSUPPORTED 197 197 0 Testcases changes testcase-name before after elf/tst-link-map-contiguous-libc(new) - PASS elf/tst-link-map-contiguous-ldso(new) - FAIL elf/check-dt-x86-64-plt(new) - UNRESOLVED misc/tst-tsearch FAIL PASS posix/bug-regex24 FAIL PASS string/tst-cmp FAIL PASS Signed-off-by: Deepesh Varatharajan Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc-version.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 0b06005b25..b9f5e8fb8f 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "a66bc3941ff298e474d5f02d0c3303401951141f" +SRCREV_glibc ?= "4e50046821f05ada5f14c76803845125ddb3ed7d" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" From patchwork Thu Oct 9 19:31:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71971 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA528CCD192 for ; Thu, 9 Oct 2025 19:31:49 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web11.9217.1760038308885719046 for ; Thu, 09 Oct 2025 12:31:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=fC3zLqQg; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-782a77b5ec7so1217523b3a.1 for ; Thu, 09 Oct 2025 12:31:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038308; x=1760643108; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7Isdfl5mDA63wNnTz7gfE/Fml4qDiLg+sYcURB1cq3E=; b=fC3zLqQgKg96sPbLux3e/xU1wXAMvBWthlYon9mMgkXNaHGVXDFXwzwotWlY9yszfj zsdgrw3oBxwB4/hWRSfgtpo1m/GvqZvID+46RhgkbugFxi3RmnVO2wHPOAX/ckBsEqWZ L6VLyrZ7Q90gXc2d7XP7Q0MbJBinB7VhRUMUrkjx2V7RtqOwEeG4Z3JRltU/EPWJkoN+ +zQFduQsjvCyGEfEFXsBpe9ihV5/LfNy/L/QxIhNZxyM18MIklvy3qG/SBdsdupLwgVZ I0QW48JsbQIcokyOWZlQ6+H3LT0E6/Aci7x9xjcXH7kgDSzfBppQvUjENyIUlhOXzOmi H0cQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038308; x=1760643108; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7Isdfl5mDA63wNnTz7gfE/Fml4qDiLg+sYcURB1cq3E=; b=fmkBRqPRUvT9j32rQSJAJR6RKpK41kdj7yJpqa2cpe5nOq+PnXKv0D98n+RTqJbwx2 LVUg5Qay9urWHGJFAThr8qQqtORsRpKne34b1ExgY5fzQbO9yq5Z/wLcSiwFndgShKtg PrWEP8IjIGGQjTW9B+7t0cfQyVyab+EhIC1gmOb0CckWLZMys0Y0qX/r5Ty9SyZXr6aD C56Uh2W3SC4SKGIvUcJA1K6rXzENqwpDZ+9rC+8z2LDfvoO/VqUXi0R44k43Gc6H3F7B QkxlQAdr5WMNd4G4J/Mn35vAMkNSraq1qdb/BDSow7cw2whfMM+6zhi67wzSiJSyYee4 wg0A== X-Gm-Message-State: AOJu0YyAe+YWC10BrNV/cJupiKFYIHYibBkPORp9vpGldgHTCKFKXq9v 8/L+sJV5iMBfrs0Hav8/iGX1n22tDdXB91r68BONvHnqfc/2XWCOmQsvx+sRRt329RaB2+dlnUx BFiZI X-Gm-Gg: ASbGncu+Yty4DNx2wfkvMEXaQN7qRGaAoLZZ9P5JvelJEsyjWC1MzBFji3UlQmBsxOm 21OCW0AkfeKN04CR8nvdmKc/lPlHMBoYIJUzHKSQyspv8qLTnD5wP/k6xHXOYX6Ey9LJygt58Da fyWDfFjWFeQVU2VrFUnpicDdBTddUxSJqFChsgnLvIylBCEewEsD4jbfGn54gDswvgRR6/qUKAM kxzMEvvWYFF73sjBTYL1RfBA6QRPZbmU1HgNEVYtawX2KdrKPqV5WJti7giH6IYJOQZCq0WW/TV VnLH8/Ap32SqMSCUtpyJibCx5lDJsLZgDyzjz+Vt+3sAEYOtZ9y9H28O550VVV7M5NHVUhxBnwZ hq1pBB1scxPVAk7QiMJXeFxzOUhB5tGBCrifRyA== X-Google-Smtp-Source: AGHT+IHi9MuKQF7YWkUiKiTBJEsKEbt992m5R4YOyuG1+8zBf8mphQaPNIX9JkyUnRW96iA9zTtfTQ== X-Received: by 2002:a05:6a00:2d8f:b0:781:2538:bfb4 with SMTP id d2e1a72fcca58-79385ce2724mr9305850b3a.10.1760038307861; Thu, 09 Oct 2025 12:31:47 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:47 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 20/24] systemd: backport fix for handle USE_NLS from master Date: Thu, 9 Oct 2025 12:31:04 -0700 Message-ID: <4b612ae7cbdc8327765c34d0e64fa8e0564891d4.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224639 From: AshishKumar Mishra Do not build translations when NLS is disabled. (From OE-Core rev: 83795ef6c3fa12a863cd20b7ec1a2607606987b6) This change corresponds to upstream d848b454e64ffbd642590b4bbc378619e1547ad3 from master . Since the systemd version are different between master & kirkstone applied the patch manually Signed-off-by: Philip Lorenz Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: AshishKumar Mishra Signed-off-by: Steve Sakoman --- meta/recipes-core/systemd/systemd_250.14.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb index 66d20a46fd..087c0035eb 100644 --- a/meta/recipes-core/systemd/systemd_250.14.bb +++ b/meta/recipes-core/systemd/systemd_250.14.bb @@ -235,6 +235,7 @@ EXTRA_OEMESON += "-Dnobody-user=nobody \ -Dmode=release \ -Dsystem-alloc-uid-min=101 \ -Dsystem-uid-max=999 \ + -Dtranslations=${@'false' if d.getVar('USE_NLS') == 'no' else 'true'} \ -Dsystem-alloc-gid-min=101 \ -Dsystem-gid-max=999 \ " From patchwork Thu Oct 9 19:31:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71975 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0A8DCCD183 for ; Thu, 9 Oct 2025 19:31:59 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web11.9218.1760038310220665889 for ; Thu, 09 Oct 2025 12:31:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=iTpMeiHu; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-76e2ea933b7so1342357b3a.1 for ; Thu, 09 Oct 2025 12:31:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038309; x=1760643109; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Exg5rOXbOi6iCBQDIQtdZV1E87A7LQvpjhnU/raAGU8=; b=iTpMeiHupgMQWcyS+gjf98o/3e1KQS5Gjfe32qePryvkZdC6Ic773RE/32tp082Yuw duaTQXCH/N3DVQq1b5LuuD4MBJdIf1o00qWLzufTmuv59nBfuASpYCegQQsnaylwZ6on KibHHvfWj/UFgVGnJn6bbiswNMIxI2J+aysAL/qfFxgUiA4bwO5YzSDOpdTjF29IFUG3 FFISbEas7tsFlm1MWWIQyLHsKdFjoTfVXs8qIRP38aG2DWiftDi+QMvz1ne3KIPwox9L /Mv2aqoszWh5mTixB55w+3p+MNwiaDMy7BO0S6W/2KK0EgAhL8VmynOE+EZc+Gr6gM1M mHNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038309; x=1760643109; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Exg5rOXbOi6iCBQDIQtdZV1E87A7LQvpjhnU/raAGU8=; b=FqDEdg9xyEt7JopuPlyGxBfFBnk5MlexJJBpJz/N/qHUZgTRFPy+62nSgaZamoufNk UInZQ/hVrG5yEosLVRjNwIPcFKdUimWPzttqdulR1qeAjgNsOm9vng0klg+pVKjbvbTK Ven29uZy/9o+ySJafYgWqx4mjOMp2TjyQkRKukyfNWbdjaHkhHT/UiL5IUHQr98byueB KXxhmC2tTNEvY1nSJlLzu6CdzkXYvGsTkgi28kdINoX0wjM+4XEfQJ4ZY8k1q+wIXNsM 6j5WjceSR6jUgaDNNTm2rNICWBu6+VZGnaQqpiVQDXDCWDzV8Nm8QJZ54CLH8nSuUJBc bIcQ== X-Gm-Message-State: AOJu0YyTz2a/WgZWOEZ6IxxVfzDqgdFpx+59Pph0G4j5oO9ZA76O3YQ7 0mEj8foR8NutQdFuQBHBmr7Lo7V5yAnT40uwU0PrRUPeyWoi8kBYlWdEWaDUgAmqEORB4MhExqa f26vG X-Gm-Gg: ASbGnctHCodsjVblZ5o2L2N7mSxNOeoVe3TAhnjWjCzdGog/OBZuhL3yIIE01JBy0jW x6JDlm/lRWBqh35L52JwunJBtfjWNFu7DAX92ub63OrK52YjeG4NDmyfBxeLkoAvmIXdVXyeFN7 wTqlc/Nj3I/e4bYuLwZAoyTvdL+9dNfKMKVDxKnz/sK3m3nbXwe+wffF7i7PZIs+0rCuwdNUo4l uVtCN5HM20LkXwbKifH0G5SL/jee9i8r1x5cq8ZTEQAdFQ2sGC4292bIewEzPEf719ZpyaNkuLy 0iST3PIEeVEnGrZSzZSVp3nGgsVEmqRzwhYDpPMzxgEzMZ8LrfGp9Usg/Y/P0edtQeVqmgGz56t TfqV9csmXWcAyArPbQNkLJQ6sRzt/iSyzKE8z4Q== X-Google-Smtp-Source: AGHT+IET7pxPhPvZSfgquS2E7jZRMN0tqb67vZ02eoZoCbk4lKK3RTFsPpiwX1i3adWFE1BjH8/8rA== X-Received: by 2002:a05:6a00:1d08:b0:783:44b9:cbc9 with SMTP id d2e1a72fcca58-79231afd0fdmr14799703b3a.9.1760038309275; Thu, 09 Oct 2025 12:31:49 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:48 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 21/24] p11-kit: backport fix for handle USE_NLS from master Date: Thu, 9 Oct 2025 12:31:05 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224640 From: AshishKumar Mishra Disable NLS in the build when USE_NLS is off. (From OE-Core rev: b94798ecd535956ef4565663710ea9a701ff21ed) This change corresponds to upstream eeb3974472429a99a724f324dc8a63e435741f68 from master . Since the p11-kit version are different between master & kirkstone applied the patch manually Signed-off-by: Philip Lorenz Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: AshishKumar Mishra Signed-off-by: Steve Sakoman --- meta/recipes-support/p11-kit/p11-kit_0.24.1.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb b/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb index 72b446204a..62aca0cfee 100644 --- a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb +++ b/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb @@ -18,6 +18,7 @@ PACKAGECONFIG ??= "" PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native" PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates" +EXTRA_OEMESON:append = " -Dnls=${@'false' if d.getVar('USE_NLS') == 'no' else 'true'}" GTKDOC_MESON_OPTION = 'gtk_doc' FILES:${PN} += " \ From patchwork Thu Oct 9 19:31:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71973 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0AE6CCD18A for ; Thu, 9 Oct 2025 19:31:59 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web11.9220.1760038311704927795 for ; Thu, 09 Oct 2025 12:31:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=gI5kxKih; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-782bfd0a977so1196578b3a.3 for ; Thu, 09 Oct 2025 12:31:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038311; x=1760643111; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kE/0gKB6HCzCXW4fYE/jjoez5i4aEj1oHD0XShhDf20=; b=gI5kxKihv++Njmq8qnGpp309e1XqDWCBXpaR28w0xJhG2EwjOk1Mki/hzD4osfhyko nLXTWv2IuM9toT3hZFw3Bdkdj4N9k6zTATumSCy++fNt3yThQ4lFI67zUCFMqD5t5huL oHOe+b+Nb+LQwLOgXUFK5M89xo8YwE9FPn9kxbfaPXMEwDqimxAURiI3AlmDZw+ya/KR rZ874F94NQv0pGbcYcLnjSpwIH55a8WKL5kCyW+LIAzAq65LR0u0TZjcvRmzwsxDwttc K8aZu0+b8vzEzrKfH6nMHiZ18crElGe3Que66EXzRHgYniRZyscA39EG7dsUkIl7iBeF eakw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038311; x=1760643111; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kE/0gKB6HCzCXW4fYE/jjoez5i4aEj1oHD0XShhDf20=; b=eYIcCJOBigam2zGLVFBtaxRsbzWE72MUCspAOZ+eiV8uRCLk6hb1jvWOS0nXPpA8+u jMJO7BZ7O4DluPNyA9QOKSKSUwFpBV4mDZ1Z5fc+k/+ifFVa6azU3X4QsWFrZ7Rp9wBJ HpBhNUqpjVGXAVKilvmpg7raMcZ5nADY+JBcyly+xlM9B1Gju9CRlifhX7TFpylvN6e6 WBSxlcN/msrXHY+OJIGB8MEYbTdykviGHspvjBWx/9+933RkGG5DlV8+cmBaeccAyzGM 1trwc1HQj/zMKXFX9f3gGzVPksWmz+KpO9elmZK0q4UxpSbozQoZPhaxRSUDRKBLLDBR dNXQ== X-Gm-Message-State: AOJu0YzRz5+i0CryPXy0Ar9j7814Y5w8nRUd6Esu8oTgF6LbQDEAFxif 6fPKnQ0xtj2D/s+MRNMoYoNKYpz+bxvpeMzvngEmXuBdEeY7E6kXqCOTPFIjJ+jRUIWCkjhUbQp Ff2Jx X-Gm-Gg: ASbGnctwcXKr386/s0JlWOa9dQQ1TfGQ5MfK7OvBiEUzWGf7/ua3twIYcBwzgSDRtz+ eH8bgofXXYBA0OPnh7UKctWTN1oih0PiFwjwVWTHozXFskQSx7E+2JK8NisrN5Sgv5LsiB58+XK lq89lZyogl+CmOHaiWwMwFEe/BWpL3q8qqRBqczA1Z8I0QdmcMkAGeQxYqqdP7bBSo2vqYWrikl 74NvOTPd54VFp1062Ob6n9jXDElkix7PqW28ZC2S6E8OtQFrb/RnXcner0i/4qX88tCU4Ipm0uJ TLZMmFL2wq0gGsJ26jspKs37evFxz2Vvvd0xXizlbwU8cowZMXQuDmIG6ZjztUfFbM3AFbh3Wmq mjSj2fQgKrhDf1fOho2iQD1KQgPVOGBt/xxfbRw== X-Google-Smtp-Source: AGHT+IF+bbVrIiLCR7r6POtpCNwFTzPYyS+dlWs7JsMaRwhZrk7T524OABv/o1bJiQeQ30S77+rnXg== X-Received: by 2002:a05:6a00:2d28:b0:78c:9c91:678c with SMTP id d2e1a72fcca58-793859f3161mr9113746b3a.4.1760038310673; Thu, 09 Oct 2025 12:31:50 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:50 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 22/24] conf/bitbake.conf: use gnu mirror instead of main server Date: Thu, 9 Oct 2025 12:31:06 -0700 Message-ID: <8418289277056d582d88916b524b920a2e005c75.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224641 From: Gyorgy Sarvari ftp.gnu.org is the main server of the GNU project, however download speed can vary greatly based on one's location. Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror, which should result sometimes in significantly faster download speed, depending on one's location. This should also distribute the traffic more across the mirrors. This information was sourced from https://www.gnu.org/prep/ftp.html . Signed-off-by: Gyorgy Sarvari Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit d8c6f01d7467e018aa0ed27a87850d9e4434a47a) Signed-off-by: Steve Sakoman --- meta/conf/bitbake.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index 290dfda6c8..01baccec41 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf @@ -690,7 +690,7 @@ DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool" GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles" GNOME_GIT = "git://gitlab.gnome.org/GNOME" GNOME_MIRROR = "https://download.gnome.org/sources/" -GNU_MIRROR = "https://ftp.gnu.org/gnu" +GNU_MIRROR = "https://ftpmirror.gnu.org/gnu" GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt" GPE_MIRROR = "http://gpe.linuxtogo.org/download/source" KERNELORG_MIRROR = "https://cdn.kernel.org/pub" From patchwork Thu Oct 9 19:31:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71974 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE1D6CCD18D for ; Thu, 9 Oct 2025 19:31:59 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.9260.1760038312698604600 for ; Thu, 09 Oct 2025 12:31:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=l5kGs7Rn; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-78af3fe5b17so1106886b3a.2 for ; Thu, 09 Oct 2025 12:31:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038312; x=1760643112; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=aWNn1BSyFPRTmczqeovMy/TecTbayiVYy+rRk6YgGjM=; b=l5kGs7RnyrakykjXdY2psW1DNH0o3vSsSkO2jERXF5lN2CnrB500s/Zh22iw7yV3hf vIm2wyCbXH3CuTvy3ULH4gxmFWm2iRwtaHru0B6I3pdPD4Y9V6tsUEGM9FzeXnj57ZQf /+UF38fujah+cHvOyHnDpoz69CKiC4zjl5l415PA71WSIGoYBrm3iRiM8WDeAneVbq05 BsewUVQQPK5Bjb9xHf82Vatp1URPQhSzIAKG7gvef3rUYib/AqRNKzqwLAo/oUeFVJ6E Yo8KfYGwY5/0T2XUvLLluTF3soKnHH1Mv4ei2+fxdIG55HGEePsmbaGPB93ApjH58gMX B07Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038312; x=1760643112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aWNn1BSyFPRTmczqeovMy/TecTbayiVYy+rRk6YgGjM=; b=uEvzpAhA9CNz+UmCKNdw7cE7icDD6IBVSea9xv6UM3PRWIwKyMA8T17tMXV3wOw1Di Xavri9DMPxyoBR6RuMoIr1rTyhmQb1OY2pvr9dRAVs/Jj4mIXZypUSAoOMj8NbfQuSAE /TxzHGsltT5cwuzsbSKsQVFf8exZL5GqDcBYNtkr9xbWvck6lUtccoIT3vKzcy5hMVfc w9f9cQZ2ou+uEh5h8fij75INpfUur0RBAn0JwLlbWdPcUHGwYHJGD/UeJMLYIw1oOfeR 5kECnNDT+ghaIYjVICYfF3QwRVMMS9GDu1a6LuZfnfWkDmMmIBnHkItoP478gKYhVlo0 fHXg== X-Gm-Message-State: AOJu0YwrfmbDgiGDDSbdfR4nb29cjSnhIaH0EkswePppz5Zpu1+KXbbQ qZzZcdazJGz8KmFYTvTABPPZGQfqPuoSwoDLDbF2IGpynDSQgbZoCyTUW87PBdSss2fxqvrYe4S kl3me X-Gm-Gg: ASbGncvJGqjKRVXjqiUTDjy+a3RovZjRtGvMd/KnLTAmEZv6NlTVL7P6Ql/vJlLD6Fe XjRak1yM0wJI+AhHEQPYWJvRaXizAkhaNj18N+JHgfquPF6rUgj+awqJLKFa0UrHEj45jvKt5VX XJmCtMYXi4aTFGD9bCgaclSivK9/0xOn13hral0VPAanv5dbtj47O+6TLtOTxYWGOm7WmOAslw6 qV1bfr9VKn5hXyWyXAWle0opfraMd1KD1f4FSdNHIfsWRNXcpxNyJOKN/P9C5U8iESlOY7TTUyj FTzyBlZXkuOJXo0mSjI5zNpYalqvLSUvE/5eUGFFFuOg/NbB+NvQymNAycbrNlKx0ee9gVS7weh ll18VYiNjz4v/nWQYGnNB2qRCaCEP+Y1Rj0GiPQ== X-Google-Smtp-Source: AGHT+IEgKMUL1zRXMnzTU3Wmh+Kp/rIPPLF8dalHh2Yz4t21q+Hk5GFXpFu7xOMo8yHTsKZSp1d2Cw== X-Received: by 2002:a05:6a20:3d91:b0:2c6:cdcc:5dc0 with SMTP id adf61e73a8af0-32da81304f8mr12581888637.16.1760038311968; Thu, 09 Oct 2025 12:31:51 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:51 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 23/24] selftest/cases/meta_ide.py: use use gnu mirror instead of main server Date: Thu, 9 Oct 2025 12:31:07 -0700 Message-ID: <97939775d2b81af392a2f98c922165763ff0ae5f.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224642 ftp.gnu.org is the main server of the GNU project, however download speed can vary greatly based on one's location. Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror, which should result sometimes in significantly faster download speed, depending on one's location. This should also distribute the traffic more across the mirrors. This information was sourced from https://www.gnu.org/prep/ftp.html Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/meta_ide.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/meta_ide.py b/meta/lib/oeqa/selftest/cases/meta_ide.py index 6f10d30dc9..3dc81b20a7 100644 --- a/meta/lib/oeqa/selftest/cases/meta_ide.py +++ b/meta/lib/oeqa/selftest/cases/meta_ide.py @@ -40,7 +40,7 @@ class MetaIDE(OESelftestTestCase): def test_meta_ide_can_build_cpio_project(self): dl_dir = self.td.get('DL_DIR', None) self.project = SDKBuildProject(self.tmpdir_metaideQA + "/cpio/", self.environment_script_path, - "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz", + "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.13.tar.gz", self.tmpdir_metaideQA, self.td['DATETIME'], dl_dir=dl_dir) self.project.download_archive() self.assertEqual(self.project.run_configure('$CONFIGURE_FLAGS --disable-maintainer-mode','sed -i -e "/char \*program_name/d" src/global.c;'), 0, From patchwork Thu Oct 9 19:31:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71972 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE19FCCD184 for ; Thu, 9 Oct 2025 19:31:59 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web11.9223.1760038314022977276 for ; Thu, 09 Oct 2025 12:31:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=lIM7yS2T; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-794f11334adso1184861b3a.3 for ; Thu, 09 Oct 2025 12:31:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1760038313; x=1760643113; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qo2N2h5220Ky9Xn/B4HoHFGptFS76IfX9XRwYdGRESU=; b=lIM7yS2TXv7mLFWX5nTQ13iDoMdGLESfjeKtNvTU5A0klegARveAXvhQBQ318QQE2M 2haat2ycIPzyfkPQC6OT4Fs2W2qu9d0ucEzZf/F8kV8PytKSdG70Lyx3GWxpHvZyldcx F3jsllnA4p73++CNdEZc3gER4T1E2kIBfN49MU5y6LtPM2p5j8LRM+h+zVsnG4qzzlpY CrDZU0KUS2XBR+edn9Qu2Ti7HwsWcLScrJXYaWoMERnqI8JOV0KLpyyUrlNJV7+niHov 6wbsOZYEB4SVxsa+5Su3S0z3Xyh/2GFtwKTzQ4ubGxI0W0A/yVJPk6iV5YUfe1Ffto0d 8+1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760038313; x=1760643113; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qo2N2h5220Ky9Xn/B4HoHFGptFS76IfX9XRwYdGRESU=; b=vqU6SVj/1dN+uN69houY+fEds9CPlLniBA6I0m/N0L6X3eiN4GeolOi7AH2+gevCFN ulVgetOnq4dbYSS3vkwM9aG37CqT6zuHYdSSrJYG79YGTBSoS0cx3yP7zqgxYaQEWkld O7grzKTjT94saf0V2ofiVmJkGWsIXwemYBi6CGYXg3CWC+KDJj64SPKBSjixvumMFvoC fq/KbLgjdPs8w8+6VHwkGYvcWHH3jKvtvAX98yzIg42a9g4lUhTMf+KVtURbyyARxHEU /rSiKKdJjuhIztuloZYDlZLblz4vqBb87AHxL8eIzdzjDbey8J5k5E5jIJ811WTpGUo9 u6vg== X-Gm-Message-State: AOJu0YyJFy8nzrxyODzta/gbvCKlzpoDKlJAty2khk9EGw2qRi8bCH4L Ha2vYV9g4rWVsw3RvQXL0Skeu7uAsFDNzi9c+qT+IWhM0Ewwqn4iIlwqLteKTwncLUbZwufh+42 u8VkE X-Gm-Gg: ASbGncuOcVpkK/1RhlThHQXSZScJ2VIE+J/j+psH2Ul5TwZ61GiFYmXA73GRcMxfQWU cHvGGVQn8osv8wdUv8EkvheQeRr/xMkY/9yUWzVkOFoUP/lZB7/ETBAhWk3vUMtsUljyc69JYKk qSuYYg92ymdzRxjKQEq1dfUauVzlegeGudaRtKpcGI+PdmakHbjINM2ThT6JotGfOzPfe0LLUTE x/Erhf/lS3ppMeRCpsjgwvVhJ4GvFEJQY/m2/b4VUkIPA18VMb6i/LnNsSAyGfpuPWf75q36SQ/ XMhTs2RbTFxeQ26hrfyecVrzv8NLJtUjt4z+yjzlYxTY5SKwtmX/JK7wXp0PF6mX2V1oMpqavT9 +0O/7a/FvUftMULKWhXxhI52lEXkee7altXSsGA== X-Google-Smtp-Source: AGHT+IGP1K48KbVpJajNnnhdG0s7G+x3rguuUmU0R++V5bFFKZzbGfTcHorINSd3XNDH0/NswUCkyg== X-Received: by 2002:a05:6a20:2446:b0:262:4378:9df2 with SMTP id adf61e73a8af0-32da845f861mr11220059637.44.1760038313294; Thu, 09 Oct 2025 12:31:53 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:b96e:4301:8642:779c]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7992d0e2d51sm495864b3a.65.2025.10.09.12.31.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Oct 2025 12:31:52 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 24/24] oeqa/sdk/cases/buildcpio.py: use gnu mirror instead of main server Date: Thu, 9 Oct 2025 12:31:08 -0700 Message-ID: <0d11c9103f072841baf39166efc133f2a20fc4dc.1760038088.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Oct 2025 19:31:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224643 ftp.gnu.org is the main server of the GNU project, however download speed can vary greatly based on one's location. Using ftpmirror.gnu.org should redirect the request to the closest up-to-date mirror, which should result sometimes in significantly faster download speed, depending on one's location. This should also distribute the traffic more across the mirrors. This information was sourced from https://www.gnu.org/prep/ftp.html Signed-off-by: Steve Sakoman --- meta/lib/oeqa/sdk/cases/buildcpio.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/sdk/cases/buildcpio.py b/meta/lib/oeqa/sdk/cases/buildcpio.py index e7fc211a47..00088d0ea0 100644 --- a/meta/lib/oeqa/sdk/cases/buildcpio.py +++ b/meta/lib/oeqa/sdk/cases/buildcpio.py @@ -17,7 +17,7 @@ class BuildCpioTest(OESDKTestCase): """ def test_cpio(self): with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir: - tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz") + tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.13.tar.gz") dirs = {} dirs["source"] = os.path.join(testdir, "cpio-2.13")