From patchwork Fri Nov 28 20:18:32 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 75566
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][kirkstone][PATCH 01/14] libde265: patch CVE-2022-1253
Date: Fri, 28 Nov 2025 21:18:32 +0100
Message-ID: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122133

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253

Pick the patch from the nvd report.

The patch is only partially backported, because part of the vulnerable
code was introduced only in a later version.

Signed-off-by: Gyorgy Sarvari
---
 .../libde265/libde265/CVE-2022-1253.patch | 34 +++++++++++++++++++
 .../libde265/libde265_1.0.5.bb | 4 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch

diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch new file mode 100644 index 0000000000..57c86101fe --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch
@@ -0,0 +1,34 @@ +From 4dcc28a63e12a6cc8b99bc8e96c5c764fc7a8f1d Mon Sep 17 00:00:00 2001 +From: Dirk Farin +Date: Tue, 5 Apr 2022 09:52:57 +0200 +Subject: [PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590) + +CVE: CVE-2022-1253 +Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8] + +This is a partial backport of the linked commit. The vulnerability impacted +two parts of the code, however one part, which deals with HRD parameters +was only introduced in a later version (1.0.8), and is not present in +the Kirkstone version yet (1.0.5). + +Signed-off-by: Gyorgy Sarvari +--- + libde265/sps.cc | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libde265/sps.cc b/libde265/sps.cc +index 476cdbb..37bde7b 100644 +--- a/libde265/sps.cc ++++ b/libde265/sps.cc +@@ -425,7 +425,10 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br) + + vui_parameters_present_flag = get_bits(br,1); + if (vui_parameters_present_flag) { +- vui.read(errqueue, br, this); ++ de265_error err = vui.read(errqueue, br, this); ++ if (err) { ++ return err; ++ } + } + + diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb index d0ecd04f16..a9d5523bb5 100644 --- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb +++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb 
@@ -8,7 +8,9 @@ LICENSE = "LGPL-3.0-only & MIT" LICENSE_FLAGS = "commercial" LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f" -SRC_URI = "https://github.com/strukturag/libde265/releases/download/v${PV}/${BPN}-${PV}.tar.gz" +SRC_URI = "https://github.com/strukturag/libde265/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ + file://CVE-2022-1253.patch \ + " SRC_URI[sha256sum] = "e3f277d8903408615a5cc34718b391b83c97c646faea4f41da93bac5ee08a87f" EXTRA_OECONF = "--disable-sherlock265 --disable-dec265"
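Review bot: the only functional change in the embedded CVE-2022-1253.patch is the sps.cc hunk in seq_parameter_set::read(), which now returns the error from vui.read(), but neither the patch header nor the commit message says which failure vui.read() can report in 1.0.5 once the HRD part is left out. The upstream subject is "error on out-of-range cpb_cnt_minus1" and the header states that the HRD code only arrived in 1.0.8, so please add a sentence naming the error path in 1.0.5 that this propagation covers. That makes it clear why this version gets a "CVE: CVE-2022-1253" patch rather than a CVE_CHECK_IGNORE entry like the other recipes in this series.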
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-webserver][kirkstone][PATCH 02/14] cockpit: set correct CVE_PRODUCT
Date: Fri, 28 Nov 2025 21:18:33 +0100
Message-ID: <20251128201845.2578315-2-skandigraun@gmail.com>
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122134

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit af4df551eec582844a8b56154117915ace1596cd)
---
 meta-webserver/recipes-webadmin/cockpit/cockpit_220.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-webserver/recipes-webadmin/cockpit/cockpit_220.bb b/meta-webserver/recipes-webadmin/cockpit/cockpit_220.bb index c08de89316..6f9005d59b 100644 --- a/meta-webserver/recipes-webadmin/cockpit/cockpit_220.bb +++ b/meta-webserver/recipes-webadmin/cockpit/cockpit_220.bb
@@ -189,3 +189,5 @@ do_install:append() { done fi } + +CVE_PRODUCT = "cockpit-project:cockpit"
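Review bot: the added CVE_PRODUCT line at the end of cockpit_220.bb has no comment, and the commit message has no body beyond the sign-offs and the cherry-pick reference, so the reason "cockpit-project:cockpit" is the correct vendor:product pair is not recorded anywhere. Please add a one-line comment above the assignment, or a sentence in the commit message, saying what the CVE check matched before this change and why this pair is the right one.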
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][kirkstone][PATCH 03/14] libao: ignore CVE-2017-11548
Date: Fri, 28 Nov 2025 21:18:34 +0100
Message-ID: <20251128201845.2578315-3-skandigraun@gmail.com>
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122135

Both Suse[1] and Debian[2] dispute that this is a vulnerability in libao.
Based on their investigation, while an issue exists, it is not in libao,
but higher in the audio-toolchain, most likely in libmad or mpg321.

There seems to be nothing to be fixed about this in libao - ignore this
CVE due to this.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1081767
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit a993eb8b93f16e3a16c9a1ab2eb0939cb2331593)

Reworked for Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari
---
 meta-multimedia/recipes-multimedia/libao/libao_1.2.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-multimedia/recipes-multimedia/libao/libao_1.2.0.bb b/meta-multimedia/recipes-multimedia/libao/libao_1.2.0.bb index b30f398e87..0a424d622a 100644 --- a/meta-multimedia/recipes-multimedia/libao/libao_1.2.0.bb +++ b/meta-multimedia/recipes-multimedia/libao/libao_1.2.0.bb
@@ -31,3 +31,6 @@ PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'alsa pulseaudio', d)}" PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" PACKAGECONFIG[pulseaudio] = "--enable-pulse,--disable-pulse,pulseaudio" FILES:${BPN}-ckport = "${libdir}/ckport" + +# disputed: the referenced vulnerability is not in libao +CVE_CHECK_IGNORE += "CVE-2017-11548"
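Review bot: the comment added above CVE_CHECK_IGNORE says only "disputed: the referenced vulnerability is not in libao", while the two bug tracker links that back this up exist only in the commit message. Please copy both URLs into the recipe comment so the justification stays next to the ignore entry. The commit message also places the issue most likely in libmad or mpg321, so it would help to state whether those recipes are tracked for this CVE.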
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 04/14] tigervnc: ignore CVE-2014-8241
Date: Fri, 28 Nov 2025 21:18:35 +0100
Message-ID: <20251128201845.2578315-4-skandigraun@gmail.com>
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122136

Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241

The vulnerability is about a potential null-pointer dereference, because
a malloc result is not verified[1].

The vulnerable code has since been refactored completely[2], and the code
isn't present anymore in the codebase.

[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb index 5cde7c9fb4..699c0ed74f 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -131,3 +131,6 @@ FILES:${PN} += " \ " FILES:${PN}-dbg += "${libdir}/xorg/modules/extensions/.debug" + +# fixed-version: The vulnerable code is not present in the used version (1.11.0) +CVE_CHECK_IGNORE += "CVE-2014-8241"
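Review bot: the "fixed-version" comment above CVE_CHECK_IGNORE ties the ignore to 1.11.0 but gives no pointer to where the vulnerable code was removed; the refactoring commit b8a24f055f1a29886d8b18bb3f0902144dc5bd14 is cited only in the commit message. Please add that commit link to the recipe comment so a later reader can confirm, from the recipe alone, that the refactor predates the packaged version.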
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 05/14] libraw: ignore CVE-2020-35530
Date: Fri, 28 Nov 2025 21:18:36 +0100
Message-ID: <20251128201845.2578315-5-skandigraun@gmail.com>
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122137

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35530

The fix is already included in the currently used revision.

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index 1940864a20..d842501ab4 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb
@@ -9,3 +9,6 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig DEPENDS = "jpeg jasper lcms" + +# The fix is already included in the current versin (0.20.2) +CVE_CHECK_IGNORE += "CVE-2020-35530"
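Review bot: the added comment line has a typo ("versin" for "version"), and neither the comment nor the commit message names the upstream commit that fixes CVE-2020-35530. The context line S = "${WORKDIR}/git" shows the recipe builds from a git checkout and the commit message speaks of the "currently used revision", so please cite the fixing commit in the comment; that lets a reviewer confirm the pinned revision contains it instead of relying on the 0.20.2 label.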
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 06/14] libraw: ignore CVE-2020-35531
Date: Fri, 28 Nov 2025 21:18:37 +0100
Message-ID: <20251128201845.2578315-6-skandigraun@gmail.com>
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122138

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35531

The fix is already included in the currently used revision.

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index d842501ab4..d87c78f46b 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb
@@ -10,5 +10,5 @@ inherit autotools pkgconfig DEPENDS = "jpeg jasper lcms" -# The fix is already included in the current versin (0.20.2) -CVE_CHECK_IGNORE += "CVE-2020-35530" +# The fixes are already included in the current versin (0.20.2) +CVE_CHECK_IGNORE += "CVE-2020-35530 CVE-2020-35531" From patchwork Fri Nov 28 20:18:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75574 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49D61D116F7 for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.3258.1764361131924571764 for ; Fri, 28 Nov 2025 12:18:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Me1Q3lYz; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-42b3377aaf2so1382134f8f.2 for ; Fri, 28 Nov 2025 12:18:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361130; x=1764965930; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qRxmQUAHQuzKa9gDIUWBYeQT65jZUG2LuYi2bh6vcbQ=; b=Me1Q3lYz2sYjd+a9U95gf25jacJ3OX06ezxbEE5Hhuqz+YFKeEiarNYKdZTsekbdkE O9xd+9KAJVTVbtMLgSKbJzaI/o63ElUHqme/Eh/HUMHk6y3c4LJjDHTh7V5lXv9aRz/D tKzRxeLKcvkAcE7xdp5HJwIVWDNpJYKpmsp/6V4YsN9GSkUV4M81IvHLOxRtkduuxPKO 6i9au507ZZf6GhLXn8ogAKOz/Eg6BCiszLn8jmwF9kQKy3YscRNtkNxrC/upaqJByNav hjclievBtvrxpwbqMJKHRTSXFeatOld5xeqjCUKaDmNEyrJL+QkPSupwz6bVw7S3lKf4 eRXg== 
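Review bot: The replacement comment line, "+# The fixes are already included in the current versin (0.20.2)", keeps the typo "versin" from the line it replaces; since the line is rewritten anyway, spell it "version". The comment and the commit message both say the fix is already in the revision in use, but neither names the upstream commit that carries it, so the CVE_CHECK_IGNORE entry for CVE-2020-35531 cannot be checked against the source from the recipe alone. A short per-CVE comment naming the fixing commit would make the ignore auditable.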
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 07/14] libraw: ignore CVE-2020-35532 Date: Fri, 28 Nov 2025 21:18:38 +0100 Message-ID: <20251128201845.2578315-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122139 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35532 The fix is already included in the currently used revision. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index d87c78f46b..ee64c33d78 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -11,4 +11,4 @@ inherit autotools pkgconfig DEPENDS = "jpeg jasper lcms" # The fixes are already included in the current versin (0.20.2) -CVE_CHECK_IGNORE += "CVE-2020-35530 CVE-2020-35531" +CVE_CHECK_IGNORE += "CVE-2020-35530 CVE-2020-35531 CVE-2020-35532" From patchwork Fri Nov 28 20:18:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75576 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5731FD116FC for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.3260.1764361132556431188 for ; Fri, 28 Nov 2025 12:18:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=eVFT0YJ4; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-47789cd2083so11813265e9.2 for ; Fri, 28 Nov 2025 12:18:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361131; x=1764965931; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GMq/nFeahgVjCUk0uE7ZD5Pme7SbGmR9rG4PWj8iCxU=; b=eVFT0YJ4nmqHvjZHHo5pOhjzeWDzL5BJoR9SwTOBiUfT4yisF8CMNVjFHy6zCq4nIc zrPu7CVu3m5jAoDv3oz93f7ZvjSfLLz73e6g0fxYsDsxlGHI9KDicqm3HVGslk6GzMPK 1xZwypHku6BPZK3+Db1O4Is+ugvJecrp/GACirywIssVMzaqrBrXqvhP4bRr0sC/aPL0 ME72DxUKNC9ngoebJZC12q9SbC+vwkHDbgiJO1nYiWBb06MsFoWg4blZ40d9RHLV6m10 tOdOARS7IpyD/sNXy2uBJgeqMjmHmraajKFzVzrJlys4KTGeFGEbgq4OeANAHYvB2oBd mKyA== X-Google-DKIM-Signature: v=1; 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 08/14] libraw: ignore CVE-2020-35533 Date: Fri, 28 Nov 2025 21:18:39 +0100 Message-ID: <20251128201845.2578315-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122140 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35533 The fix is already included in the currently used revision. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index ee64c33d78..41aac581f1 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -11,4 +11,9 @@ inherit autotools pkgconfig DEPENDS = "jpeg jasper lcms" # The fixes are already included in the current versin (0.20.2) -CVE_CHECK_IGNORE += "CVE-2020-35530 CVE-2020-35531 CVE-2020-35532" +CVE_CHECK_IGNORE += " \ + CVE-2020-35530 \ + CVE-2020-35531 \ + CVE-2020-35532 \ + CVE-2020-35533 \ + " From patchwork Fri Nov 28 20:18:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75572 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10EA7D116E2 for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.3260.1764361133233036397 for ; Fri, 28 Nov 2025 12:18:53 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=G10PCt4A; spf=pass (domain: gmail.com, ip: 209.85.128.45, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-477ba2c1ca2so24702445e9.2 for ; Fri, 28 Nov 2025 12:18:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361131; x=1764965931; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ldfJNaW1+PjFj4wYgqXLxIi8RkALTMjExhYM11NIAOg=; b=G10PCt4AjLS0+K4gpXig35PZSS9Je2nCANgA/8mQfflVpEm3VhYg5vflEP3I7Q4dzW 360dDl2wefKfOJ+d4siG4ww7DfFZ+wH3B+Qd1f1jERVKHqIe2pM0GciIraYc38XOGk2Y /j1sZ8grup+NdQL+506jkdo2YASFZgtUKx/7WZVeg+WvJHpXdjP/zfgmF2vWhsrmQGiS YoBimEsDuS/SfTlWEihW/+s7BoqmS5BIEMtLBGp90ZqcoeQIdj0CmsBk7wgUQfpDNm1L 
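Review bot: The re-wrap of the three existing entries into a multi-line list is a layout change and would be easier to review as its own commit; here it sits in the same edit as the one functional change, the added CVE-2020-35533 line, so six added lines have to be read to confirm that only one ignore is new. With the re-wrap split out, this patch would be a one-line insertion like the two that follow it. The shared comment above the list still reads "versin".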
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 09/14] libraw: ignore CVE-2020-35534 Date: Fri, 28 Nov 2025 21:18:40 +0100 Message-ID: <20251128201845.2578315-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122141 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35534 The fix is already included in the currently used revision. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index 41aac581f1..c7e83c05f5 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -16,4 +16,5 @@ CVE_CHECK_IGNORE += " \ CVE-2020-35531 \ CVE-2020-35532 \ CVE-2020-35533 \ + CVE-2020-35534 \ " From patchwork Fri Nov 28 20:18:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75569 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2652AD116F6 for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.3262.1764361133915780420 for ; Fri, 28 Nov 2025 12:18:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jFCWJ5BB; spf=pass (domain: gmail.com, ip: 209.85.221.41, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-42b3669ca3dso1007042f8f.0 for ; Fri, 28 Nov 2025 12:18:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361132; x=1764965932; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Qr51pApV/DtFGQ2RQZeUGTOnmlT8G5cHFjDs263J+PE=; b=jFCWJ5BBKmu2oUk3w2V8eNlZCSp2IGAgcIP0nBq7tBlGIuBXPcd9xaZrbv/Qn25EXR 2m9PwfOHaSCWNrP2HDSF3I97sKXHoMi/TaiusyQD+4culpWdVCtnDdYZ3YjBgJYyhTiT nkxixNLQFugDeO7xSY7E4y5uEprtn7LzJwvJuir+IDlW25AN9Rd3FpPfkjeQ+bo10vaI +Ls1BXHJArFVqzFX8PZPYG43Byv1MyJH1HnzhXYZ/Ie6+sbCaoLx7eai25PhWiJCihJ6 k0MD13h9MAbOCjwyI59CtcqqcjdDWrtPLv7S9chB78EQKqjBrXuyiDxUuNcT7eXYwcHR C/sg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764361132; x=1764965932; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 10/14] libraw: ignore CVE-2020-35535 Date: Fri, 28 Nov 2025 21:18:41 +0100 Message-ID: <20251128201845.2578315-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122142 Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35535 The fix is already included in the used revision. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/libraw/libraw_0.20.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index c7e83c05f5..51057f97b7 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -17,4 +17,5 @@ CVE_CHECK_IGNORE += " \ CVE-2020-35532 \ CVE-2020-35533 \ CVE-2020-35534 \ + CVE-2020-35535 \ " From patchwork Fri Nov 28 20:18:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75571 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30A12D116F9 for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.3263.1764361134560408716 for ; Fri, 28 Nov 2025 12:18:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Kx3SScQN; spf=pass (domain: gmail.com, ip: 209.85.221.47, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-42b39d51dcfso1453494f8f.2 for ; Fri, 28 Nov 2025 12:18:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361133; x=1764965933; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bALTHpv3kBp8MeFQInSS5WUNfM+aFDcTIgL0tFUCNzc=; b=Kx3SScQNk/nlg4n5BWkmbz3A5MLPCdbduRwJd97iZqIgJHo72bew4fyWqPm3Rl5Vwe iZzjUQiTkvpyl3R/dIx+UxqtGN3lFCx5AISFgAMzsGm5o839I+m0LCPlRbU8et4jj3zI LqCMEqAZYRzu9u0fkBXHo3isLdomujUCriTR1srAca8h30Z2npEN+XsPkKahafMGeXX/ 8JlFdok3Xq5doRBDqizAbCW8xrI2X7Hbu1ijnEJabxYXtScwe9ZlS2sMpfbM38mf1vFe 3aYZyloWQUNEVRL1fBGaxwL+xN8xMMqpm12UEfRWG4UPsC3jQslpbF1lYgjpOychWpMt IBCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764361133; x=1764965933; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 11/14] libraw: patch CVE-2023-1729 Date: Fri, 28 Nov 2025 21:18:42 +0100 Message-ID: <20251128201845.2578315-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122143 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729 Pick the patch that is mentioned to solve the issue in the issue linked from the nvd report. Signed-off-by: Gyorgy Sarvari --- .../libraw/libraw/CVE-2023-1729.patch | 25 +++++++++++++++++++ .../recipes-support/libraw/libraw_0.20.2.bb | 4 ++- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/libraw/libraw/CVE-2023-1729.patch diff --git a/meta-oe/recipes-support/libraw/libraw/CVE-2023-1729.patch b/meta-oe/recipes-support/libraw/libraw/CVE-2023-1729.patch new file mode 100644 index 0000000000..db6f2a2d9a --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/CVE-2023-1729.patch 
@@ -0,0 +1,25 @@ +From f7a1082a65b444d606d82ae71e1279789601f78d Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sat, 14 Jan 2023 18:32:59 +0300 +Subject: [PATCH] do not set shrink flag for 3/4 component images + +CVE: CVE-2023-1729 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93] +Signed-off-by: Gyorgy Sarvari +--- + src/preprocessing/raw2image.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp +index 18f897eb..64722efd 100644 +--- a/src/preprocessing/raw2image.cpp ++++ b/src/preprocessing/raw2image.cpp +@@ -43,6 +43,8 @@ void LibRaw::raw2image_start() + + // adjust for half mode! + IO.shrink = ++ !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image && ++ !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image && + P1.filters && + (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1))); + diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index 51057f97b7..b331d77e8d 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -2,7 +2,9 @@ SUMMARY = "raw image decoder" LICENSE = "LGPL-2.1-only | CDDL-1.0" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=74c9dffdc42805f9c0de2f97df6031fc" -SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https" +SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \ + file://CVE-2023-1729.patch \ + " SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92" S = "${WORKDIR}/git" From patchwork Fri Nov 28 20:18:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75568 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A3CBD116EA for ; Fri, 28 Nov 2025 20:19:01 +0000 (UTC) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.3262.1764361135141509869 for ; Fri, 28 Nov 2025 12:18:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fJ3vUFFD; spf=pass (domain: gmail.com, ip: 209.85.221.47, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-42b3c965ca9so1266328f8f.1 for ; Fri, 28 Nov 2025 12:18:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764361133; x=1764965933; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WgOXvraMkwetJ12RXxC/at0LVWePlvNdekro/tyvjKw=; b=fJ3vUFFDyGQ1slkGU+cKsHlaTFPBgECn0S+pqIIQ4D8lWZ3v1hNFmYyUMy0SrBurlj 0DYI7mSOxMrQ1xzx64tygW2RIJh+tZvI0EnASsvAjSCR1iI11rgHs429Kr3Nr5KecTIY DvUZN7/hyYFiJI0RCZm2tW/uVjitqPmOMrlbHxaW57c0nnm/M5275RGh4MG0WGlJh837 
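Review bot: The header of the added CVE-2023-1729.patch names two different commits: the "From f7a1082a65b444d606d82ae71e1279789601f78d" line and the Upstream-Status URL ending in 9ab70f6dca19229cb5caad7cc31af4e7501bac93. If the change was taken from a different branch or commit than the one cited, say so in the header so the backport can be compared against its origin. The commit message says the patch was found through the issue linked from the NVD report; putting that issue URL in the patch header would keep the reference with the file.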
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 12/14] libraw: patch CVE-2025-43961 and CVE-2025-43962 Date: Fri, 28 Nov 2025 21:18:43 +0100 Message-ID: <20251128201845.2578315-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com> References: <20251128201845.2578315-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122144 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961 https://nvd.nist.gov/vuln/detail/CVE-2025-43962 Pick the patch that is mentioned by the nvd reports - the same patch fixes both vulnerabilities. Signed-off-by: Gyorgy Sarvari --- .../libraw/libraw/CVE-2025-43961-43962.patch | 104 ++++++++++++++++++ .../recipes-support/libraw/libraw_0.20.2.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta-oe/recipes-support/libraw/libraw/CVE-2025-43961-43962.patch diff --git a/meta-oe/recipes-support/libraw/libraw/CVE-2025-43961-43962.patch b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43961-43962.patch new file mode 100644 index 0000000000..236bdfd621 --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43961-43962.patch 
@@ -0,0 +1,104 @@ +From f6587920471337158c058539c8e0353cbe0925d3 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sat, 1 Feb 2025 15:32:39 +0300 +Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser + +Prevent out-of-bounds read in fuji 0xf00c tag parser + +prevent OOB reads in phase_one_correct + +CVE: CVE-2025-43961 CVE-2025-43962 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2] +Signed-off-by: Gyorgy Sarvari +--- + src/decoders/load_mfbacks.cpp | 18 ++++++++++++++---- + src/metadata/tiff.cpp | 22 ++++++++++++++-------- + 2 files changed, 28 insertions(+), 12 deletions(-) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index 9d7c0511..2def6d6e 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct() + fseek(ifp, off_412, SEEK_SET); + for (i = 0; i < 9; i++) + head[i] = get4() & 0x7fff; ++ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; ++ if (w0 > 10240000 || w1 > 10240000) ++ throw LIBRAW_EXCEPTION_ALLOC; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + merror(yval[0], "phase_one_correct()"); + yval[1] = (float *)(yval[0] + head[1] * head[3]); +@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct() + for (k = j = 0; j < head[1]; j++) + if (num < xval[0][k = head[1] * i + j]) + break; +- frac = (j == 0 || j == head[1]) +- ? 0 +- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]); +- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac); ++ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1) ++ frac = 0; ++ else ++ { ++ int xdiv = (xval[0][k] - xval[0][k - 1]); ++ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0; ++ } ++ if (k < w0 + w1) ++ mult[i - cip] = yval[0][k > 0 ? 
k - 1 : 0] * frac + yval[0][k] * (1 - frac); ++ else ++ mult[i - cip] = 0; + } + i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2; + RAW(row, col) = LIM(i, 0, 65535); +diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp +index cd2406d6..804ffa9c 100644 +--- a/src/metadata/tiff.cpp ++++ b/src/metadata/tiff.cpp +@@ -980,17 +980,20 @@ int LibRaw::parse_tiff_ifd(int base) + if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) && + (fwb[2] == rafdata[fi + 2])) + { +- if (rafdata[fi - 15] != ++ if (fi > 14 && rafdata[fi - 15] != + fwb[0]) // 15 is offset of Tungsten WB from the first + // preset, Fine Weather WB + continue; +- for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size(); +- wb_ind++, ofst += 3) ++ if (fi >= 15) + { +- icWBC[Fuji_wb_list1[wb_ind]][1] = +- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; +- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; +- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; ++ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); ++ wb_ind++, ofst += 3) ++ { ++ icWBC[Fuji_wb_list1[wb_ind]][1] = ++ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; ++ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; ++ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; ++ } + } + + if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3 +@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base) + fi += 96; + for (fj = fi; fj < (fi + 15); fj += 3) + { ++ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3) ++ break; + if (rafdata[fj] != rafdata[fi]) + { + fj -= 93; +@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base) + (imFuji.RAFDataVersion == 0x0261) || // X100V + (imFuji.RAFDataVersion == 0x0262)) // X-T4 + fj -= 9; +- for (int iCCT = 0, ofst = fj; iCCT < 31; ++ for (int iCCT = 0, ofst = fj; iCCT < 31 ++ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3; + iCCT++, ofst += 3) + { + icWBCCTC[iCCT][0] = FujiCCT_K[iCCT]; 
diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index b331d77e8d..2e4ee20633 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=74c9dffdc42805f9c0de2f97df6031fc" SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \ file://CVE-2023-1729.patch \ + file://CVE-2025-43961-43962.patch \ " SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92" S = "${WORKDIR}/git"
From patchwork Fri Nov 28 20:18:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75575
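Review bot: in the first load_mfbacks.cpp hunk of CVE-2025-43961-43962.patch (phase_one_correct(), @@ -331), the new bound only rejects w0 or w1 above 10240000; a zero product still reaches calloc and the yval indexing below it, and that case is only closed by the `w0 < 1 || w1 < 1` check added in 14/14 of this series. The calloc call also keeps recomputing `head[1] * head[3] + head[2] * head[4]` instead of using `w0 + w1`, so the validated values and the allocated size are written out twice. As this is a backport, that is better raised upstream than changed here, but the 10240000 limit deserves a comment saying what it represents.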
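Review bot: in the second load_mfbacks.cpp hunk of CVE-2025-43961-43962.patch (@@ -356), the new `k >= w0+w1` guard runs only after the search loop above it has already evaluated `xval[0][k = head[1] * i + j]`, so the index is bounded for the yval reads but not for the read in the loop condition. It is worth confirming that k cannot reach w0 + w1 inside that loop, or moving the test into it. A smaller point: `xdiv` is computed and tested, but the division then repeats `xval[0][k] - xval[0][k - 1]` instead of dividing by `xdiv`.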
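Review bot: in the first tiff.cpp hunk of CVE-2025-43961-43962.patch (parse_tiff_ifd(), @@ -980), the same precondition is spelled two ways, `fi > 14` and `fi >= 15`, and when it fails the `continue` is skipped, so a match at fi below 15 falls through to the RAFDataVersion block that follows instead of being rejected. If skipping such a match is the intent, a single early `if (fi < 15 || rafdata[fi - 15] != fwb[0]) continue;` would say so directly. The white-balance loop is also still unbounded at the top: `rafdata[ofst + 2]` is read for every entry of Fuji_wb_list1 with no comparison against lenRAFData, unlike the loops in the next two hunks.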
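Review bot: in the last two tiff.cpp hunks of CVE-2025-43961-43962.patch (@@ -1000 and @@ -1009), the two new limits disagree at the boundary: the first loop breaks only when `fj > lenRAFData - 3`, while the second stops as soon as `ofst` reaches `lenRAFData - 3`, so one of them is off by one relative to the other. Both also rely on `lenRAFData - 3` not wrapping if lenRAFData is unsigned and smaller than 3, and neither adds a lower bound, although `ofst` starts from `fj` after the `fj -= 93` and `fj -= 9` adjustments visible in the context. A comment stating the unit of lenRAFData relative to rafdata indices would make these checks reviewable.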
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 13/14] libraw: patch CVE-2025-43963
Date: Fri, 28 Nov 2025 21:18:44 +0100
Message-ID: <20251128201845.2578315-13-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122145

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43963

Pick the patch that is referenced in the nvd report.

Signed-off-by: Gyorgy Sarvari
---
 .../libraw/libraw/CVE-2025-43963.patch | 36 +++++++++++++++++++
 .../recipes-support/libraw/libraw_0.20.2.bb | 1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta-oe/recipes-support/libraw/libraw/CVE-2025-43963.patch

diff --git a/meta-oe/recipes-support/libraw/libraw/CVE-2025-43963.patch b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43963.patch new file mode 100644 index 0000000000..9e594dd110 --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43963.patch
@@ -0,0 +1,36 @@ +From 188a8ba8e1e0a7a85d04dafd867a1a069b568ed9 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Thu, 6 Feb 2025 21:01:58 +0300 +Subject: [PATCH] check split_col/split_row values in phase_one_correct + +CVE: CVE-2025-43963 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964] +Signed-off-by: Gyorgy Sarvari +--- + src/decoders/load_mfbacks.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index 2def6d6e..00a9bc1e 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -211,7 +211,8 @@ int LibRaw::phase_one_correct() + off_412 = ftell(ifp) - 38; + } + } +- else if (tag == 0x041f && !qlin_applied) ++ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width ++ && ph1.split_row > 0 && ph1.split_row < raw_height) + { /* Quadrant linearization */ + ushort lc[2][2][16], ref[16]; + int qr, qc; +@@ -288,7 +289,8 @@ int LibRaw::phase_one_correct() + } + qmult_applied = 1; + } +- else if (tag == 0x0431 && !qmult_applied) ++ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width ++ && ph1.split_row > 0 && ph1.split_row < raw_height) + { /* Quadrant combined */ + ushort lc[2][2][7], ref[7]; + int qr, qc; diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index 2e4ee20633..8d82d3a49c 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb 
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=74c9dffdc42805f9c0de2f97df6031fc" SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \ file://CVE-2023-1729.patch \ file://CVE-2025-43961-43962.patch \ + file://CVE-2025-43963.patch \ " SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92" S = "${WORKDIR}/git"
From patchwork Fri Nov 28 20:18:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75573
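Review bot: in both load_mfbacks.cpp hunks of CVE-2025-43963.patch (@@ -211 and @@ -288), the four-term range test on ph1.split_col and ph1.split_row is duplicated verbatim inside the `else if` conditions for tags 0x041f and 0x0431; computing it once into a named local before the tag loop would keep the two branches from drifting apart. Because the test is folded into the `else if` chain, a file with out-of-range split values silently skips the quadrant correction and carries on, whereas the w0/w1 checks from 12/14 throw; a short comment saying that skipping is deliberate here would help.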
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 14/14] libraw: patch CVE-2025-43964
Date: Fri, 28 Nov 2025 21:18:45 +0100
Message-ID: <20251128201845.2578315-14-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251128201845.2578315-1-skandigraun@gmail.com>
References: <20251128201845.2578315-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 28 Nov 2025 20:19:01 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122146

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43964

Pick the patch that is referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari
---
 .../libraw/libraw/CVE-2025-43964.patch | 25 +++++++++++++++++++
 .../recipes-support/libraw/libraw_0.20.2.bb | 1 +
 2 files changed, 26 insertions(+)
 create mode 100644 meta-oe/recipes-support/libraw/libraw/CVE-2025-43964.patch

diff --git a/meta-oe/recipes-support/libraw/libraw/CVE-2025-43964.patch b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43964.patch new file mode 100644 index 0000000000..592c2d5ea1 --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/CVE-2025-43964.patch
@@ -0,0 +1,25 @@ +From 0e068c2826ca6a70973ec2a75d05bc95b11e4977 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sun, 2 Mar 2025 11:35:43 +0300 +Subject: [PATCH] additional checks in PhaseOne correction tag 0x412 processing + +CVE: CVE-2025-43964 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0] +Signed-off-by: Gyorgy Sarvari +--- + src/decoders/load_mfbacks.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index 00a9bc1e..8ba791c6 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -336,6 +336,8 @@ int LibRaw::phase_one_correct() + unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; + if (w0 > 10240000 || w1 > 10240000) + throw LIBRAW_EXCEPTION_ALLOC; ++ if (w0 < 1 || w1 < 1) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + merror(yval[0], "phase_one_correct()"); + yval[1] = (float *)(yval[0] + head[1] * head[3]); diff --git a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb index 8d82d3a49c..3ac2d3e795 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.20.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.20.2.bb @@ -6,6 +6,7 @@ SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \ file://CVE-2023-1729.patch \ file://CVE-2025-43961-43962.patch \ file://CVE-2025-43963.patch \ + file://CVE-2025-43964.patch \ " SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92" S = "${WORKDIR}/git"
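Review bot: in the load_mfbacks.cpp hunk of CVE-2025-43964.patch (@@ -336), `w0 < 1 || w1 < 1` on the unsigned w0 and w1 is a zero test and reads more clearly as `w0 == 0 || w1 == 0`. The two adjacent checks now throw different exceptions for what is in both cases a bad header read from the file (LIBRAW_EXCEPTION_ALLOC for too large, LIBRAW_EXCEPTION_IO_CORRUPT for empty), so a one-line comment on the distinction would help. This hunk applies only on top of CVE-2025-43961-43962.patch, which introduces w0 and w1, so the SRC_URI order in libraw_0.20.2.bb has to be preserved.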