From patchwork Fri Nov 14 19:45:18 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 74575
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E281ACEACC2
	for <webhook@archiver.kernel.org>; Fri, 14 Nov 2025 19:45:26 +0000 (UTC)
Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com
 [209.85.128.54])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.6979.1763149526182230020
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:26 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=TV59RcUz;
 spf=pass (domain: gmail.com, ip: 209.85.128.54,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f54.google.com with SMTP id
 5b1f17b1804b1-4775e891b5eso12964925e9.2
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763149524; x=1763754324;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=zgWKSOdmR/2/aNxOM6nJ0Z2xxabRbyUMHBIAKxxTz1A=;
        b=TV59RcUztcIjqjlXO7w7NsHGOPFEaogN99DkWVlv28w8W/nVSw70KLvpkGwaTwmw+9
         JoXy6fxSi/FbbcpfLf/vnZsd+WpS/ZTOsyvrfvN0sjcF2rBgmN82/hKBpJAi/fJpcnKT
         n1OzI24XzsVTHD2ALOpHZqHj0Wr8DJmDANybBwLAvpvWotuoC7ERPAOmI/f+0rq2AYU1
         dgtuCL+FlDWBu+D6rzbMX0IvbJWUpeZ26amd9K0BFtUiGv+ohjRSoRxp7pg9jv0WIkf2
         arlva8NHkMnobpz7i9fikVM19G1HMi8OrKEIl+lhGMePW9Ema5E4c76+LsUplQ28zW9f
         c87w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763149524; x=1763754324;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=zgWKSOdmR/2/aNxOM6nJ0Z2xxabRbyUMHBIAKxxTz1A=;
        b=bjWwogn7L0PQs6JXNjHUjuBSUi7NEOFXvsTJ7RvHUqp8yQ9//vz61i3ffRuyEZPugB
         HPhEeKBQcnRkSGicPaRyD2eXNmG0JAQ4/lpBdcsI6hBPeabTVDO/Qskp4O/aIjaAdv07
         /4dylLOMpibTCJNp+v1K+pAJKXvPbp+VdMBH8vEmymBRj78qdJ4fFez7MtrZQpSS0lny
         8TQxmHLfhBBr7uqQLoo2JTyX98d43leWMz+L3i9UYiN0VpmN/pysu8+6JAHEIGLlv89F
         Lv1fdkkSAUoZkz3FYl2b1WDFocmCYFof6FEPUTLJhoVKcM23k9/73LIflloQfSrV5QhA
         gxuA==
X-Gm-Message-State: AOJu0YwOLqO7UxOizQUEvTcWry3Detgr+JEdhxNVxljkOM9t/WqBydVU
	vd1QLlhw8jyDZg9y7/dTZP5iWlsBTEtb+V4C5DXyW7fGolWP4ewhfcMkt4LtqnoJ
X-Gm-Gg: ASbGncvzikh7lfBeYgXTuulkBArn+npMoWEUYcgpEM2hx0vsfOyjxDxgi/Ren+8vuH4
	6sPvLcYfnqOm244tZB1Y1fDawVFpIr+TPf/z0K3urJ0hOIBanjhECnVUGGOySYJFbNuSBmsai41
	809OQCAtQ7eD3dvbqtfmUMgFUeI7EYyPZ7yLECa8uo4/LSkn6YtHGeIFQ9gDbxs4BYl0tHwuu2X
	DLxWe7z0ted8b91HJfgtyxUxWpCwxOBZrxLVEz4UHnvvVoWMgNKHXv4twkUa6cKtbveDKWfAcY9
	pNQTztjcGyjLjxVrHIdc1XuAWPscEk9ChUgXjkwZPV7EAuE3VYu6PIid6RGBDxeAbJtE5u0Bsp1
	DdhW414LgVbLWuABpK3iBq0lauLj4LUSa9YX/A/5pGRowI7w1wTYq98GPFzqLV5GE7/40eNYeJQ
	+hdHsaXpsF
X-Google-Smtp-Source: 
 AGHT+IFhIvQMTmgOReG+Vs2TEtnXFGbQv5Wxz6Yfm7gSFknsOamK3u17QhZq+1evprOkRrmVyuoz8w==
X-Received: by 2002:a05:6000:430e:b0:429:c709:7b54 with SMTP id
 ffacd0b85a97d-42b593679eemr4412376f8f.36.1763149524219;
        Fri, 14 Nov 2025 11:45:24 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42b53f17cbfsm11561514f8f.35.2025.11.14.11.45.23
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 14 Nov 2025 11:45:23 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 1/5] audiofile: mark CVE-2020-18781 as
 patched
Date: Fri, 14 Nov 2025 20:45:18 +0100
Message-ID: <20251114194522.643069-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.2
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 14 Nov 2025 19:45:26 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121711

From: Peter Marko <peter.marko@siemens.com>

Per [1] this CVE is already patched by commit [2].

This can be also verified with yocto build.

Running without this patch:
root@qemux86-64:~# sfconvert poc.wav output format wave
malloc(): corrupted top size
Aborted

Running with it:
root@qemux86-64:~# sfconvert poc.wav output format wave
Audio File Library: Bad number of coefficients [error 62]
Could not open file 'poc.wav' for reading.

[1] https://github.com/mpruett/audiofile/issues/56
[2] https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 68f55c158e15a5d35702ae5c730586001e487f86)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../files/0004-Always-check-the-number-of-coefficients.patch     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
index 282f4c01b9..17a97163f5 100644
--- a/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
+++ b/meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
@@ -17,6 +17,7 @@ CVE: CVE-2017-6832
 CVE: CVE-2017-6833
 CVE: CVE-2017-6835
 CVE: CVE-2017-6837
+CVE: CVE-2020-18781
 Upstream-Status: Inactive-Upstream [lastrelease: 2013]
 Signed-off-by: Peter Marko <peter.marko@siemens.com>
 ---

From patchwork Fri Nov 14 19:45:19 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 74577
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CB84CCEACC6
	for <webhook@archiver.kernel.org>; Fri, 14 Nov 2025 19:45:36 +0000 (UTC)
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com
 [209.85.221.50])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.6777.1763149526740977887
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:27 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=npyUN7MB;
 spf=pass (domain: gmail.com, ip: 209.85.221.50,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f50.google.com with SMTP id
 ffacd0b85a97d-42b3c965df5so1566521f8f.1
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763149525; x=1763754325;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=d7b+1sMnmcayadSnPw+iP0RhJocdRMqFiAY/ZZLoIw4=;
        b=npyUN7MBbzmRjzyUnkfMyxKv/ktMT27/ipKgchJfeqBZWXmym5WML2Fuo8xC8+xRSz
         dXQX6HGCaeoet5rCIhmVzUXpun5383CbQiHyM9NIx8IwKSRUQuy1CFtm7BlJyxqcxBwx
         XJSIKzDN9gDhcv1myL+ZcfTZP9Tt7O8gFvJREWPQNIRwY65hohHgXRqKdyTdtxC1EysU
         dL9+1vnj2eHtRRp6OPpK5jj3S7evrziVTZQfVF3gtcMiC9iU/68wcpa++vA39wqN37ua
         pKqiIfOqH/0V7+iDS2GP7J4Zp1UXZ55Nf5TiwmwRmZT0LPyebn9FP9CMegkRa9XCfjhG
         Scbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763149525; x=1763754325;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=d7b+1sMnmcayadSnPw+iP0RhJocdRMqFiAY/ZZLoIw4=;
        b=sKvGN4/wJvV7pKz8xa6wRYRlsKtCIeh/evS+Itamj/AU/cXj0Zm5XN8h6IiSGbjlWj
         /oX31poLX9qLsq2qRDl6Yg6Itq3FWHa9gorZjxp/tzPBQ0UfwOCah6+JzPRe7oQtOziS
         KyVXsm49xpy3r6vx7ofHK/Y5VINC0kx5myyAHOkXOET4PsuTDDOn7K7VcBTesdRepxPQ
         OmRa/IFnSIQNAlimWNCsUz2MWhjNCpQwn9w/9i1JQVov+eYBzHpaGMtRbW2n18R5X69k
         1yyJus6rD8/QdTuMO2nUGINr0jcInA0DicILrVh+zBFiynMiEGo89c1WSmTK30e5/tf/
         vQBg==
X-Gm-Message-State: AOJu0YytVQkNNNbcy4bIuYCvQRRazaYaPT0focNa+EfdC+PFu6lk9sOo
	YlSmXf2m97kP1rTVDitleuL4n9toCdi7IGNi8AOqvDocGmPdjJMXaHuuBPrhg70I
X-Gm-Gg: ASbGnculSmJtYqge1EWiQBfG21EcijL8RSiN2mJd2+DZvZMdUkQcf3SrQ74PoNSHu47
	gPWWE0XCEwUwW4l5D3AYssE775CyEhqEa1tWura53G/oixHB3fRVilacMCoyvsag5bfwcQ9c3wl
	unulAEddjEJbFsix1V6TAscFGq4bkCQxXNieCN+H+VSk/S3qoL6t5W9oBJxNztuvxcx6gQ+Xra+
	lmhwvUDuOLv8FEHSoYe7hO5yQI/+pP7EkxsVKjH3fgJN9lGqGaC+wZfrsbElMFwNHJVQhx3cI55
	Fk5+Gc7jIx4AkTI+Zo6rz6io9r4fX9tBlbvzFMy33xgBwlj7zPSHClWaN4I4WoUm9xRwjVro/ou
	gtPIRrRzpPLbQjr6FecZOXcjksbLgKVh45N0VmT2mPUuE118QpLwPwenE7kVIqml+XLCAiA3JA+
	oXMmtKzhNcg8hCdTRaXwU=
X-Google-Smtp-Source: 
 AGHT+IGOqIfk95FyI2bk0ghlzFjM0cx5HTmGAGmfxBaobWkVjie27eITSMaTBHI5ar+iJ0tRbt9X6w==
X-Received: by 2002:a05:6000:1447:b0:429:cbdc:871 with SMTP id
 ffacd0b85a97d-42b593503demr4141259f8f.20.1763149524903;
        Fri, 14 Nov 2025 11:45:24 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42b53f17cbfsm11561514f8f.35.2025.11.14.11.45.24
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 14 Nov 2025 11:45:24 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/5] uw-imap: patch CVE-2018-19518
Date: Fri, 14 Nov 2025 20:45:19 +0100
Message-ID: <20251114194522.643069-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.2
In-Reply-To: <20251114194522.643069-1-skandigraun@gmail.com>
References: <20251114194522.643069-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 14 Nov 2025 19:45:36 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121712

From: Peter Marko <peter.marko@siemens.com>

Take patch from Debian from
https://salsa.debian.org/lts-team/packages/uw-imap/-/commit/873b07f46ce40f43bca10ec85fe63a7a0b934294

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9f7c1e6bd101494c6cc5dad16a7fa65a13cbac70)

Adapted to Kirkstone.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../uw-imap/uw-imap/CVE-2018-19518.patch      | 24 +++++++++++++++++++
 .../recipes-devtools/uw-imap/uw-imap_2007f.bb |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/uw-imap/uw-imap/CVE-2018-19518.patch

diff --git a/meta-oe/recipes-devtools/uw-imap/uw-imap/CVE-2018-19518.patch b/meta-oe/recipes-devtools/uw-imap/uw-imap/CVE-2018-19518.patch
new file mode 100644
index 0000000000..d942a752b3
--- /dev/null
+++ b/meta-oe/recipes-devtools/uw-imap/uw-imap/CVE-2018-19518.patch
@@ -0,0 +1,24 @@
+uw-imap (8:2007f~dfsg-6) unstable; urgency=medium
+
+  * [CVE-2018-19518] 2013_disable_rsh.patch (new): Disable access to IMAP
+    mailboxes through running imapd over rsh, and therefore ssh (Closes:
+    #914632). Code using the library can enable it with tcp_parameters()
+    after making sure that the IMAP server name is sanitized.
+
+ -- Magnus Holmgren <holmgren@debian.org>  Tue, 26 Feb 2019 23:35:43 +0100
+
+CVE: CVE-2018-19518
+Upstream-Status: Inactive-Upstream [lastrelease: 2007]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+--- a/src/osdep/unix/Makefile
++++ b/src/osdep/unix/Makefile
+@@ -988,7 +988,7 @@ onceenv:
+ 	 -DMD5ENABLE=\"$(MD5PWD)\" -DMAILSPOOL=\"$(MAILSPOOL)\" \
+ 	 -DANONYMOUSHOME=\"$(MAILSPOOL)/anonymous\" \
+ 	 -DACTIVEFILE=\"$(ACTIVEFILE)\" -DNEWSSPOOL=\"$(NEWSSPOOL)\" \
+-	 -DRSHPATH=\"$(RSHPATH)\" -DLOCKPGM=\"$(LOCKPGM)\" \
++	 -DLOCKPGM=\"$(LOCKPGM)\" \
+ 	 -DLOCKPGM1=\"$(LOCKPGM1)\" -DLOCKPGM2=\"$(LOCKPGM2)\" \
+ 	 -DLOCKPGM3=\"$(LOCKPGM3)\" > OSCFLAGS
+ 	echo $(BASELDFLAGS) $(EXTRALDFLAGS) > LDFLAGS
diff --git a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
index df90b629a9..de614716cf 100644
--- a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
+++ b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://fossies.org/linux/misc/old/imap-${PV}.tar.gz \
            file://imap-2007e-shared.patch \
            file://imap-2007f-format-security.patch \
            file://0001-Support-OpenSSL-1.1.patch \
+           file://CVE-2018-19518.patch \
            "
 
 SRC_URI[md5sum] = "2126fd125ea26b73b20f01fcd5940369"

From patchwork Fri Nov 14 19:45:20 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 74578
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E6C0DCEACCA
	for <webhook@archiver.kernel.org>; Fri, 14 Nov 2025 19:45:36 +0000 (UTC)
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com
 [209.85.221.50])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.6778.1763149527455240879
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:27 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=ZQIOAjPf;
 spf=pass (domain: gmail.com, ip: 209.85.221.50,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f50.google.com with SMTP id
 ffacd0b85a97d-42b39d51dcfso1262581f8f.2
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763149526; x=1763754326;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=XAt09NZqDi1HAMpLIQG/MAblaP5Ok5MseZRrxv2iGzk=;
        b=ZQIOAjPfXVzYQI7WIp5nU4h2r9bWX42w0rF1ZQxpLfTixRgaOD7U+lpOOrVGmEl7V1
         Y6oiPZgAg0tNEl4fGEu6e01bbPdUwGxbsL+3X6nkubwb4gEIuPehGO8vlhjHYOgHzRKH
         BkOHMWTJz0erD5LS3sEshwTdRTVV+PlHUXvwVIZ3A2r5Z+mL+cehcNhuRKkDWE1wYlZc
         ZB3SMRMUHzD22pOAcLIL3oS41UaDrZ+kaxg7Qh3a5VQa3xKMWStxOk+IegTzRNJ8uC4D
         y6iESWMAYV6viNfQ9nU6K/c1mswTve3tLjJis2eccG2aHXW3vDoBIBSTK6P9d03VbOkb
         EmZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763149526; x=1763754326;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=XAt09NZqDi1HAMpLIQG/MAblaP5Ok5MseZRrxv2iGzk=;
        b=ZgPGQL9mQLnxgsRfOU66Vib4c0P5+wPQa2rHC5hQr+H63z2HFdgFOgL6vkJbe67689
         d81ktaLubkHJ8258t/rVxtCV1aOFJw4DAvnx6vssYyb/cfaISdMYW4vspfHFkYgETFA7
         zoBt+dZL+xg5pb/y6CwL5x7tWnuay5x3Gcr/SJq/HDMihPOb7iEcp22s49bnxRrH55Kb
         1y17u2JbSAJnVT7+FPkM8UafepEJDLvz+tOOyyKfoKPjmdlltZMy9HBWSa2EvGxni3WK
         NIFiy1hxNR2glRWM1JKdkv6RSZzQqfnexj9cPfODGXbnkI0jkxsJDZeM9l10CH9WpUpA
         Apzw==
X-Gm-Message-State: AOJu0YyKmB/5/plhzfPfkL/Pc4p+P2o9mOWEKhKHmt7m7cgnlXRW+76s
	FgTXP8BKNhcXywSB3wJhleuOU+fTc5edencYy/8/fjgbJ/Cr6o5YnEMS66DT/YFQ
X-Gm-Gg: ASbGncuS7hgtbLsH2sc/f3OQGvEHsQKJlOP7OkGncW+TnKPOVrpRYRkkXHRL2BY/I22
	IBUfGjCLGJrzUNos4NQtMsBY2wpbPJ5hNM57uIRJV/oBDeEV6b1txCNcNNrUQ0MzZLPD0KK3onP
	7Nxqh2j13DfWokn5XaAUL5kkfblkicT65zX15+ArMY2FfyO1fTLwspUuS+DOgb9eUiPYrx6GdWb
	XMIOhzX888B3uA35huMVsysMpv/eqxDgW1JaCsA8NvS2mfnlFlp6oUU1EzWQITlmmHBXdemHGM3
	2rprIkQS/gVDOdREOKTFtRBShURHL2/lBTRni+qLfBMIIGnzRSSFKwtkLocJO18jtk6g7z+z1hc
	uoow6tRUG4Mso8KlJv5UrEqrbgJTh7J4sUaTNOe2uoSTwpSnLov6StL2CXmcHXllOYal7Vcq6YA
	==
X-Google-Smtp-Source: 
 AGHT+IGo9HEC4T9XVtDgAVY6fhUjnl6weyrigkkoa9gfNJ4XmV5tcDe3l2DClxlHKBjHzO35nAiy3A==
X-Received: by 2002:a05:6000:2509:b0:42b:3d7c:c7cf with SMTP id
 ffacd0b85a97d-42b593446acmr4417715f8f.15.1763149525684;
        Fri, 14 Nov 2025 11:45:25 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42b53f17cbfsm11561514f8f.35.2025.11.14.11.45.25
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 14 Nov 2025 11:45:25 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 3/5] usrsctp: patch CVE-2019-20503
Date: Fri, 14 Nov 2025 20:45:20 +0100
Message-ID: <20251114194522.643069-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.2
In-Reply-To: <20251114194522.643069-1-skandigraun@gmail.com>
References: <20251114194522.643069-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 14 Nov 2025 19:45:36 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121713

Details: https://nvd.nist.gov/vuln/detail/CVE-2019-20503

Pick the patch mentioned in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../usrsctp/usrsctp/CVE-2019-20503.patch      | 54 +++++++++++++++++++
 .../recipes-protocols/usrsctp/usrsctp_git.bb  |  3 +-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch

diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch
new file mode 100644
index 0000000000..fc75151f00
--- /dev/null
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch
@@ -0,0 +1,54 @@
+From c7f318fc788472da19f0a2579d2c2d439e362f04 Mon Sep 17 00:00:00 2001
+From: Michael Tuexen <tuexen@fh-muenster.de>
+Date: Fri, 20 Dec 2019 17:02:02 +0100
+Subject: [PATCH] Improve input validation for some parameters having a too
+ small reported length.
+
+Thanks to Natalie Silvanovich from Google for finding one of these
+issues in the SCTP userland stack and reporting it.
+
+CVE: CVE-2019-20503
+Upstream-Status: Backport [https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ usrsctplib/netinet/sctp_auth.c | 3 ++-
+ usrsctplib/netinet/sctp_pcb.c  | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c
+index 5e5813b..0660af4 100755
+--- a/usrsctplib/netinet/sctp_auth.c
++++ b/usrsctplib/netinet/sctp_auth.c
+@@ -1455,7 +1455,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
+ 		ptype = ntohs(phdr->param_type);
+ 		plen = ntohs(phdr->param_length);
+ 
+-		if ((plen == 0) || (offset + plen > length))
++		if ((plen < sizeof(struct sctp_paramhdr)) ||
++			(offset + plen > length))
+ 			break;
+ 
+ 		if (ptype == SCTP_RANDOM) {
+diff --git a/usrsctplib/netinet/sctp_pcb.c b/usrsctplib/netinet/sctp_pcb.c
+index 6629f24..b99d089 100755
+--- a/usrsctplib/netinet/sctp_pcb.c
++++ b/usrsctplib/netinet/sctp_pcb.c
+@@ -7245,7 +7245,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
+ 		if (offset + plen > limit) {
+ 			break;
+ 		}
+-		if (plen == 0) {
++		if (plen < sizeof(struct sctp_paramhdr)) {
+ 			break;
+ 		}
+ #ifdef INET
+@@ -7461,6 +7461,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
+ 			if (plen > sizeof(lstore)) {
+ 				return (-23);
+ 			}
++			if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
++				return (-101);
++			}
+ 			phdr = sctp_get_next_param(m, offset,
+ 						   (struct sctp_paramhdr *)&lstore,
+ 						   plen);
diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
index dcfa7406d2..2361eacebd 100644
--- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
@@ -4,7 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=ffcf846341f3856d79a483eafa18e2a5"
 
 SRCREV = "a10cd498d964508c0e6ec6bd2be9dd4afcbb4d86"
 SRC_URI = "git://github.com/sctplab/usrsctp;protocol=https;branch=master \
-          "
+           file://CVE-2019-20503.patch \
+           "
 
 S = "${WORKDIR}/git"
 

From patchwork Fri Nov 14 19:45:21 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 74579
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CA912CE8D76
	for <webhook@archiver.kernel.org>; Fri, 14 Nov 2025 19:45:36 +0000 (UTC)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com
 [209.85.221.48])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.6779.1763149528022722555
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:28 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=m9YEpYF/;
 spf=pass (domain: gmail.com, ip: 209.85.221.48,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f48.google.com with SMTP id
 ffacd0b85a97d-42b3669ca3dso1391897f8f.0
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763149526; x=1763754326;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=fwuR/us2Bg+r9YHrgdzMgcm3R/jycXdqSUXEHI9x4ho=;
        b=m9YEpYF/s05MmAhZpLIJCFoAyAxAFZ3JWqLAqiX1DRvGzoEhSTwcxUQtkqEpR6TNvB
         rbTSyLVWE/SM+FGY1X3TixGReXnp62WAMyI0fBzJFe8kdFpMYF+95ZSiPy1AsfJB/XEp
         qqMVUkkPWoq4ahWEhyifzSMa0rEMJQQskZdMKOz5aFGCkxhwqK2c651nSrFqg4U01Kkk
         cBTuOu78l5dtJpXb+U2FFo98lUf4bv60+SKhHLL6GDd5w0ithc7bqfFR639KQluM6cvq
         POaWmIzSCqT/PRwddrulpEvQeSOdPQuuHvQu+e2FvIasCTb/Ojqz5uO9WJJ1e4KzuIdT
         +icQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763149526; x=1763754326;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=fwuR/us2Bg+r9YHrgdzMgcm3R/jycXdqSUXEHI9x4ho=;
        b=KcADU1Enz+HDh4pQc3u9RaWPddThyuG3IZuGP1vcdmAqBId3+20T8BJq6vfOaaaAF0
         LRizLCQ9/2qEFueBCxxw71vdB2r1Scm+BrBV6mmUYA/EpDMTpRshN80Af7z1n9DhKMYJ
         aTbWHdctk02n23psVmaUcPjvMTAICQz3Cah6L9uKjRHl3u0bdxTbc7sPgNCsDWXnZVFR
         gThFOObP5g+HWWbGBHK6gbEAJr+y5lopq/EUyU92nIsoyD4zYbARV1Xunwy0KX0sLZ54
         M0OR38nxjSp+lPRS6cjILsyOsg38DHS4IHzMxjvUWvSoe7sHZ0BrwMNulGJO/MA0cKS7
         EZbA==
X-Gm-Message-State: AOJu0Yy2+wS9TxHuULi3klqlLWwCC1CXjqRxaXJGVnGZ1mECrxDZpy0u
	iPYL1l+W/JAOd2nqTcKuKahT5Nea6u8LMeCy0OM3peZBkhsR8W4zUZGjQRU7IsiE
X-Gm-Gg: ASbGncsM++szneM+CoiK0sm0E4dCBM3dHTHtwV74c8pjJNNpR/A9o1jV94sUZxmWWan
	IcliAvIf6u2+iCJdU0afYo23WNfMziC8hSNHRCRM3rFEdRSkvY9UCTR9uabjtTet+eGEVRZoAeA
	SIMzzsh7/N4jNw5CH5BRNbnQQOyK6ZICWT99ou0NG3+GR77eCuXEzw55lHHzBXOm17NZUetiQuL
	/HL8+Y6aCkTvGXsMJma7i5y8Z87Ph84aiHplOsg7nswtRTd9W0Mmq5DQwPAhNmKcAT+Igv+cOM4
	YRqWIgr0r9oeoMwgFOviN0rm781deXzN3cwAjQP6MFl8MYdLjoP8RUBnpDqpWuyCNtljbbUnRko
	qAqSvazE5D1pbXfQopkHxDw4SJ3HDTsB+y/+eG4KzvgZdvNORXhlW8/OxV/BEH+mCEulkqiF5CI
	jfpODSV3L6Hdk5VyU+RGU=
X-Google-Smtp-Source: 
 AGHT+IF5tw0JpLGAx+/qXr8NHQXoLyI9yqpD7Ut0oeXV26Sf7wroBRWCfvagtkYRrXbWRpFmnRBC9w==
X-Received: by 2002:a05:6000:1a87:b0:429:d66b:508f with SMTP id
 ffacd0b85a97d-42b595a498bmr3936380f8f.30.1763149526344;
        Fri, 14 Nov 2025 11:45:26 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42b53f17cbfsm11561514f8f.35.2025.11.14.11.45.25
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 14 Nov 2025 11:45:26 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 4/5] usbredir: patch CVE-2021-3700
Date: Fri, 14 Nov 2025 20:45:21 +0100
Message-ID: <20251114194522.643069-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.2
In-Reply-To: <20251114194522.643069-1-skandigraun@gmail.com>
References: <20251114194522.643069-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 14 Nov 2025 19:45:36 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121714

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3700

Pick the patch mentioned in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../spice/usbredir/CVE-2021-3700.patch        | 74 +++++++++++++++++++
 .../recipes-support/spice/usbredir_0.9.0.bb   |  4 +-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/spice/usbredir/CVE-2021-3700.patch

diff --git a/meta-networking/recipes-support/spice/usbredir/CVE-2021-3700.patch b/meta-networking/recipes-support/spice/usbredir/CVE-2021-3700.patch
new file mode 100644
index 0000000000..4804e740b5
--- /dev/null
+++ b/meta-networking/recipes-support/spice/usbredir/CVE-2021-3700.patch
@@ -0,0 +1,74 @@
+From 4851f8d4538e0a25992619ad96a2366c1632e46e Mon Sep 17 00:00:00 2001
+From: Michael Hanselmann <public@hansmi.ch>
+Date: Sun, 8 Aug 2021 15:35:58 +0200
+Subject: [PATCH] Avoid use-after-free in serialization
+
+Serializing parsers with large amounts of buffered write data (e.g. in case of
+a slow or blocked write destination) would cause "serialize_data" to reallocate
+the state buffer whose default size is 64kB (USBREDIRPARSER_SERIALIZE_BUF_SIZE).
+The pointer to the position for the write buffer count would then point to
+a location outside the buffer where the number of write buffers would be written
+as a 32-bit value.
+
+As of QEMU 5.2.0 the serializer is invoked for migrations. Serializations for
+migrations may happen regularily such as when using the COLO feature[1].
+Serialization happens under QEMU's I/O lock. The guest can't control the state
+while the serialization is happening. The value written is the number of
+outstanding buffers which would be suceptible to timing and host system system
+load. The guest would have to continously groom the write buffers. A useful
+value needs to be allocated in the exact position freed during the buffer size
+increase, but before the buffer count is written. The author doesn't consider it
+realistic to exploit this use-after-free reliably.
+
+[1] https://wiki.qemu.org/Features/COLO
+
+Signed-off-by: Michael Hanselmann <public@hansmi.ch>
+
+CVE: CVE-2021-3700
+Upstream-Status: Backport [https://gitlab.freedesktop.org/spice/usbredir/-/commit/03c519ff5831ba]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ usbredirparser/usbredirparser.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
+index ba8edb4..ccd3078 100644
+--- a/usbredirparser/usbredirparser.c
++++ b/usbredirparser/usbredirparser.c
+@@ -20,6 +20,7 @@
+ */
+ #include "config.h"
+ 
++#include <stddef.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -1594,8 +1595,9 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
+     struct usbredirparser_priv *parser =
+         (struct usbredirparser_priv *)parser_pub;
+     struct usbredirparser_buf *wbuf;
+-    uint8_t *write_buf_count_pos, *state = NULL, *pos = NULL;
++    uint8_t *state = NULL, *pos = NULL;
+     uint32_t write_buf_count = 0, len, remain = 0;
++    ptrdiff_t write_buf_count_pos;
+ 
+     *state_dest = NULL;
+     *state_len = 0;
+@@ -1640,7 +1642,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
+                        parser->data, parser->data_read, "packet-data"))
+         return -1;
+ 
+-    write_buf_count_pos = pos;
++    write_buf_count_pos = pos - state;
+     /* To be replaced with write_buf_count later */
+     if (serialize_int(parser, &state, &pos, &remain, 0, "write_buf_count"))
+         return -1;
+@@ -1655,7 +1657,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
+         wbuf = wbuf->next;
+     }
+     /* Patch in write_buf_count */
+-    memcpy(write_buf_count_pos, &write_buf_count, sizeof(int32_t));
++    memcpy(state + write_buf_count_pos, &write_buf_count, sizeof(int32_t));
+ 
+     /* Patch in length */
+     len = pos - state;
diff --git a/meta-networking/recipes-support/spice/usbredir_0.9.0.bb b/meta-networking/recipes-support/spice/usbredir_0.9.0.bb
index edd8aeb9c3..bf0d87065e 100644
--- a/meta-networking/recipes-support/spice/usbredir_0.9.0.bb
+++ b/meta-networking/recipes-support/spice/usbredir_0.9.0.bb
@@ -9,7 +9,9 @@ DEPENDS = "libusb1"
 
 SRCREV = "bca484fc6f206ab9da2f73e8a0118fad45374d4e"
 
-SRC_URI = "git://gitlab.freedesktop.org/spice/usbredir;branch=main;protocol=https"
+SRC_URI = "git://gitlab.freedesktop.org/spice/usbredir;branch=main;protocol=https \
+           file://CVE-2021-3700.patch \
+           "
 
 S = "${WORKDIR}/git"
 

From patchwork Fri Nov 14 19:45:22 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 74576
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D3243CEACC5
	for <webhook@archiver.kernel.org>; Fri, 14 Nov 2025 19:45:36 +0000 (UTC)
Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com
 [209.85.221.47])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.6980.1763149528612997794
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:28 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=NteLjvRO;
 spf=pass (domain: gmail.com, ip: 209.85.221.47,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f47.google.com with SMTP id
 ffacd0b85a97d-42b3c5defb2so1595379f8f.2
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 14 Nov 2025 11:45:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1763149527; x=1763754327;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=nDBpGsskI/yEN0PT7LKhL/VGP0Uz2bhyvL6vpuRs8GI=;
        b=NteLjvRO0ScgX0xn1hHX0s6GViiVH2Ktzd8LDMoOAfnpRfzMI9SqXReOpiFDce/EHy
         f07QbI6wsW8d4Ic/aW0G2FeQBA0Z/oOtyDzlBQQ67w7SLPgEbnSeIlyvOrVCAOThSJCV
         qptVb9upHvn0bDFG/QSIkFb7F8K4GWLmL1SeegpTyLGKsLWKiIVdIpjK+PI/Gsfm/2s2
         7ZnFP/FYTQYEArScY7P1qX8L+8tDygQhFXnDiLebLIC9WyE9TulPc57MiwbdnrOMCt38
         SFJfN9dkqZyxvM1ov8auwwVzUqvGpoT8caYNAPWEgrhuwwH6L1NnlcNsbijCHw2dY2L3
         4x8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1763149527; x=1763754327;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=nDBpGsskI/yEN0PT7LKhL/VGP0Uz2bhyvL6vpuRs8GI=;
        b=Wm9dw4zOQEoqnZazb767/JGZ3cDkEntpOxN97yLGwhYBuQ0Pqtlm8P7QPvZgry4CVo
         yVZbhTwG5JeZW9v0NObKLBA2eHDGrQw0gjXQltKz0wRVzhrgeZVDRv0Ybh1+5W8qpotv
         vyrtYoILPfWuKVVCRFpj6v9tYyAXt14QZC1hB/ENX6TdH5DKPrzEOTht9wJ91AfTrCz7
         IMWOCm/3OUVFFDjW1QjLWp8w3Enjyd5Rhz5HaYRFBBvoeMgKQQefCDmWIMdefTSnVzzG
         59CcvsaZSF3cGeh0eOlbQWDHniiQIsROK5M8mxARphscmqnk9aCUy84zGFCoc3u92+Ag
         720Q==
X-Gm-Message-State: AOJu0YxYbSDchYnbao7+M2cBX+n0TholPjIAkjPw5wzBhNYqXQxYYjdE
	nqc9Yui6My7eWoqJKoneIxMhVZruhksXnUc4AHR7hq3uHi2Yv7OvhROFRDlX2XJR
X-Gm-Gg: ASbGncsL59m0Ge9V20TaK678zN5fQkpeIA3MusnkCIuFexfQvlQx9btt3HLowKm9xhL
	2znbIkt7Cf7xHw3k/UqTWvZDTSAhlKzz8NoOG7ZlsB+uTZFThT33hg95I8jPpecWbdPoCmmGqG1
	Yxp+BaUGzHjsQPsSxDsyN2qIglL6kswOzrSe/ocO82Wt9QbHcTyrko9KV03o08VP71UmuRDsTZG
	tyQqH8SLQPxgg2lWqp5nXKgtBvfterh430peMcLWS2FHTfvAZqWmCqS2z254+aS+kHBf4eu1HcE
	qYnE1tWOJRsUZFE6cWhKOa986F7TBLRyjrRLbPyg05IRy+WRbDyX5Juvjyng6PFQ3inVh29cPNw
	xYHOZqCYpMl2hqwI1nMRPtlm+1oVgrHfWnTsTcS3zaWCtA44L/l3bs91L5+MsZt+SUGhIZ7wHTg
	==
X-Google-Smtp-Source: 
 AGHT+IGtHjryB98eMOBz1m3w89A/l9d+5wLvDKd9r03ywN9yeRmmpFQGWo0x5ZAueFRtwn69GJAaxg==
X-Received: by 2002:a05:6000:2901:b0:429:c4bb:fbc7 with SMTP id
 ffacd0b85a97d-42b59349bb0mr3851277f8f.16.1763149526931;
        Fri, 14 Nov 2025 11:45:26 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-42b53f17cbfsm11561514f8f.35.2025.11.14.11.45.26
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 14 Nov 2025 11:45:26 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 5/5] tmux: ignore CVE-2020-27347
Date: Fri, 14 Nov 2025 20:45:22 +0100
Message-ID: <20251114194522.643069-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.51.2
In-Reply-To: <20251114194522.643069-1-skandigraun@gmail.com>
References: <20251114194522.643069-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 14 Nov 2025 19:45:36 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/121715

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-27347

The fix for this vulnerability was backported to the recipe's version,
and it is included already.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-extended/tmux/tmux_3.1c.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-extended/tmux/tmux_3.1c.bb b/meta-oe/recipes-extended/tmux/tmux_3.1c.bb
index ec9fe34cf1..f983ed7a86 100644
--- a/meta-oe/recipes-extended/tmux/tmux_3.1c.bb
+++ b/meta-oe/recipes-extended/tmux/tmux_3.1c.bb
@@ -23,3 +23,7 @@ do_configure:prepend() {
     # not automatically created when building outside the source directory.
     mkdir -p ${B}/compat
 }
+
+# The fix was backported to the user version:
+# https://github.com/tmux/tmux/commit/d0ad34e94d63def5178f02281637d2d15cb42c88
+CVE_CHECK_IGNORE += "CVE-2020-27347"