From patchwork Tue Dec 16 19:40:02 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 76778
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][kirkstone][PATCH 1/4] accountservice: ignore CVE-2023-3297
Date: Tue, 16 Dec 2025 20:40:02 +0100
Message-ID: <20251216194005.3006575-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122707

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3297

The vulnerability is triggered by a patch added by Ubuntu, and the vulnerable patch is not present in the recipe.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 071a45c9d76c9a222c8fbaa50089a8af44f44e74)

Adapted to Kirkstone
Signed-off-by: Gyorgy Sarvari
---
 .../recipes-support/accountsservice/accountsservice_22.08.8.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-gnome/recipes-support/accountsservice/accountsservice_22.08.8.bb b/meta-gnome/recipes-support/accountsservice/accountsservice_22.08.8.bb index 439958c7d2..702b11d9f0 100644 --- a/meta-gnome/recipes-support/accountsservice/accountsservice_22.08.8.bb +++ b/meta-gnome/recipes-support/accountsservice/accountsservice_22.08.8.bb
@@ -30,3 +30,6 @@ FILES:${PN} += " \ ${datadir}/dbus-1 \ ${datadir}/polkit-1 \ " + +# not-applicable-platform: The vulnerability is Ubuntu specific +CVE_CHECK_IGNORE += "CVE-2023-3297"
From patchwork Tue Dec 16 19:40:03 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 76779
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/4] postgresql: upgrade 14.19 -> 14.20
Date: Tue, 16 Dec 2025 20:40:03 +0100
Message-ID: <20251216194005.3006575-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251216194005.3006575-1-skandigraun@gmail.com>
References: <20251216194005.3006575-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122708

Beside other bugfixes, it contains fixes for CVE-2025-12817 and CVE-2025-12818.

Release notes: https://www.postgresql.org/docs/release/14.20/

Signed-off-by: Gyorgy Sarvari
---
 .../0001-configure.ac-bypass-autoconf-2.69-version-check.patch | 2 +-
 .../postgresql/{postgresql_14.19.bb => postgresql_14.20.bb} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-dbs/postgresql/{postgresql_14.19.bb => postgresql_14.20.bb} (84%)

diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch index 2eb1deec07..76363cd26d 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -18,7 +18,7 @@ index bbbb204..0919d2b 100644 +++ b/configure.ac
@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [14.19], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [14.20], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.19.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.20.bb similarity index 84% rename from meta-oe/recipes-dbs/postgresql/postgresql_14.19.bb rename to meta-oe/recipes-dbs/postgresql/postgresql_14.20.bb index 1d8ab90c25..04d8723f15 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_14.19.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.20.bb 
@@ -11,7 +11,7 @@ SRC_URI += "\ file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \ " -SRC_URI[sha256sum] = "727e9e334bc1a31940df808259f69fe47a59f6d42174b22ae62d67fe7a01ad80" +SRC_URI[sha256sum] = "7527f10f1640761bc280ad97d105d286d0cf72e54d36d78cf68e5e5f752b646b" CVE_CHECK_IGNORE += "\ CVE-2017-8806 \
From patchwork Tue Dec 16 19:40:04 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 76780
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][kirkstone][PATCH 3/4] openh264: patch CVE-2025-27091
Date: Tue, 16 Dec 2025 20:40:04 +0100
Message-ID: <20251216194005.3006575-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251216194005.3006575-1-skandigraun@gmail.com>
References: <20251216194005.3006575-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122709

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27091

The advisory confirms that the bug was fixed in v2.6.0. When looking at the relevant Github advisory[1], it mentions the name of the implementer. Pick the patch that was included in this release, created by the mentioned Github account and isn't only a cosmetic or build-system change.

[1]: https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x

Signed-off-by: Gyorgy Sarvari
---
 .../openh264/openh264/CVE-2025-27091.patch | 27 +++++++++++++++++++
 .../openh264/openh264_2.1.1.bb | 1 +
 2 files changed, 28 insertions(+)
 create mode 100644 meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch

diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch new file mode 100644 index 0000000000..5a3c900e38 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch
@@ -0,0 +1,27 @@ +From 4e82ae10b594d87da2a7884c2de850857931c78f Mon Sep 17 00:00:00 2001 +From: BenzhengZhang <140143892+BenzhengZhang@users.noreply.github.com> +Date: Thu, 19 Dec 2024 17:12:42 +0800 +Subject: [PATCH] Potential bug fix (#3818) + +CVE: CVE-2025-27091 +Upstream-Status: Backport [https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449] +Signed-off-by: Gyorgy Sarvari +--- + codec/decoder/core/src/decoder.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/codec/decoder/core/src/decoder.cpp b/codec/decoder/core/src/decoder.cpp +index 3b38032a..b971f12f 100644 +--- a/codec/decoder/core/src/decoder.cpp ++++ b/codec/decoder/core/src/decoder.cpp +@@ -844,6 +844,10 @@ int32_t WelsDecodeBs (PWelsDecoderContext pCtx, const uint8_t* kpBsBuf, const in + return pCtx->iErrorCode; + } + ++ if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & dsDataErrorConcealed)) { ++ return pCtx->iErrorCode; ++ } ++ + pDstNal += (iDstIdx + 4); //init, increase 4 reserved zero bytes, used to store the next NAL + if ((iSrcLength - iSrcConsumed + 4) > (pRawData->pEnd - pDstNal)) { + pDstNal = pRawData->pCurPos = pRawData->pHead; diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb index aababb6684..113dbf1bba 100644 --- a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb +++ b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb 
@@ -15,6 +15,7 @@ SRCREV = "50a1fcf70fafe962c526749991cb4646406933ba" BRANCH = "openh264v2.1.1" SRC_URI = "git://github.com/cisco/openh264.git;protocol=https;branch=${BRANCH} \ file://0001-Makefile-Use-cp-options-to-preserve-file-mode.patch \ + file://CVE-2025-27091.patch \ " COMPATIBLE_MACHINE:armv7a = "(.*)"
From patchwork Tue Dec 16 19:40:05 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 76781
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 4/4] proftpd: patch CVE-2024-48651
Date: Tue, 16 Dec 2025 20:40:05 +0100
Message-ID: <20251216194005.3006575-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251216194005.3006575-1-skandigraun@gmail.com>
References: <20251216194005.3006575-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122710

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-48651

Backport the patch mentioned in the NVD report.

Signed-off-by: Gyorgy Sarvari
---
 .../proftpd/files/CVE-2024-48651.patch | 321 ++++++++++++++++++
 .../recipes-daemons/proftpd/proftpd_1.3.7c.bb | 3 +-
 2 files changed, 323 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch

diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch new file mode 100644 index 0000000000..db525c5418 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch
@@ -0,0 +1,321 @@ +From 1df9a7b29aaedfc563ba908b52ca2414caddf25f Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Wed, 13 Nov 2024 06:33:35 -0800 +Subject: [PATCH] Issue #1830: When no supplemental groups are provided by the + underlying authentication providers, fall back to using the primary + group/GID. (#1835) + +This prevents surprise due to inheritance of the parent processes' supplemental group membership, which might inadvertently provided undesired access. + +CVE: CVE-2024-48651 +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1] +Signed-off-by: Gyorgy Sarvari +--- + contrib/mod_sftp/auth.c | 14 +- + modules/mod_auth.c | 19 +- + src/auth.c | 14 +- + .../ProFTPD/Tests/Modules/mod_sql_sqlite.pm | 175 ++++++++++++++++++ + 4 files changed, 210 insertions(+), 12 deletions(-) + +diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c +index ede821daa..2854a03cd 100644 +--- a/contrib/mod_sftp/auth.c ++++ b/contrib/mod_sftp/auth.c +@@ -382,8 +382,20 @@ static int setup_env(pool *p, const char *user) { + session.groups == NULL) { + res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups); + if (res < 1) { ++ /* If no supplemental groups are provided, default to using the process ++ * primary GID as the supplemental group. This prevents access ++ * regressions as seen in Issue #1830. 
++ */ + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, +- "no supplemental groups found for user '%s'", pw->pw_name); ++ "no supplemental groups found for user '%s', " ++ "using primary group %s (GID %lu)", pw->pw_name, session.group, ++ (unsigned long) session.login_gid); ++ ++ session.gids = make_array(p, 2, sizeof(gid_t)); ++ session.groups = make_array(p, 2, sizeof(char *)); ++ ++ *((gid_t *) push_array(session.gids)) = session.login_gid; ++ *((char **) push_array(session.groups)) = pstrdup(p, session.group); + } + } + +diff --git a/modules/mod_auth.c b/modules/mod_auth.c +index e47ed148d..a1b71c0f7 100644 +--- a/modules/mod_auth.c ++++ b/modules/mod_auth.c +@@ -1111,8 +1111,8 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) { + session.groups = NULL; + } + +- if (!session.gids && +- !session.groups) { ++ if (session.gids == NULL && ++ session.groups == NULL) { + /* Get the supplemental groups. Note that we only look up the + * supplemental group credentials if we have not cached the group + * credentials before, in session.gids and session.groups. +@@ -1122,8 +1122,19 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) { + */ + res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups); + if (res < 1) { +- pr_log_debug(DEBUG5, "no supplemental groups found for user '%s'", +- pw->pw_name); ++ /* If no supplemental groups are provided, default to using the process ++ * primary GID as the supplemental group. This prevents access ++ * regressions as seen in Issue #1830. 
++ */ ++ pr_log_debug(DEBUG5, "no supplemental groups found for user '%s', " ++ "using primary group %s (GID %lu)", pw->pw_name, session.group, ++ (unsigned long) session.login_gid); ++ ++ session.gids = make_array(p, 2, sizeof(gid_t)); ++ session.groups = make_array(p, 2, sizeof(char *)); ++ ++ *((gid_t *) push_array(session.gids)) = session.login_gid; ++ *((char **) push_array(session.groups)) = pstrdup(p, session.group); + } + } + +diff --git a/src/auth.c b/src/auth.c +index 494a479c0..a6fe9f1c2 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -1512,12 +1512,12 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + } + + /* Allocate memory for the array_headers of GIDs and group names. */ +- if (group_ids) { +- *group_ids = make_array(permanent_pool, 2, sizeof(gid_t)); ++ if (group_ids != NULL) { ++ *group_ids = make_array(p, 2, sizeof(gid_t)); + } + +- if (group_names) { +- *group_names = make_array(permanent_pool, 2, sizeof(char *)); ++ if (group_names != NULL) { ++ *group_names = make_array(p, 2, sizeof(char *)); + } + + cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL, +@@ -1536,7 +1536,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + * for the benefit of auth_getgroup() implementors. + */ + +- if (group_ids) { ++ if (group_ids != NULL) { + register unsigned int i; + char *strgids = ""; + gid_t *gids = (*group_ids)->elts; +@@ -1552,7 +1552,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + *strgids ? 
strgids : "(None; corrupted group file?)"); + } + +- if (group_names) { ++ if (group_names != NULL) { + register unsigned int i; + char *strgroups = ""; + char **groups = (*group_names)->elts; +@@ -1568,7 +1568,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + } + } + +- if (cmd->tmp_pool) { ++ if (cmd->tmp_pool != NULL) { + destroy_pool(cmd->tmp_pool); + cmd->tmp_pool = NULL; + } +diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm +index 4abb6eb59..f1ffeef34 100644 +--- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm ++++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm +@@ -467,6 +467,11 @@ my $TESTS = { + order => ++$order, + test_class => [qw(forking bug mod_tls)], + }, ++ ++ sql_user_info_no_suppl_groups_issue1830 => { ++ order => ++$order, ++ test_class => [qw(forking bug rootprivs)], ++ }, + }; + + sub new { +@@ -15732,4 +15737,174 @@ EOC + test_cleanup($setup->{log_file}, $ex); + } + ++sub sql_user_info_no_suppl_groups_issue1830 { ++ my $self = shift; ++ my $tmpdir = $self->{tmpdir}; ++ my $setup = test_setup($tmpdir, 'sqlite'); ++ ++ my $db_file = File::Spec->rel2abs("$tmpdir/proftpd.db"); ++ ++ # Build up sqlite3 command to create users, groups tables and populate them ++ my $db_script = File::Spec->rel2abs("$tmpdir/proftpd.sql"); ++ ++ if (open(my $fh, "> $db_script")) { ++ print $fh <{user}', '$setup->{passwd}', $setup->{uid}, $setup->{gid}, '$setup->{home_dir}', '/bin/bash'); ++ ++CREATE TABLE groups ( ++ groupname TEXT, ++ gid INTEGER, ++ members TEXT ++); ++INSERT INTO groups (groupname, gid, members) VALUES ('$setup->{group}', $setup->{gid}, '$setup->{user}'); ++EOS ++ ++ unless (close($fh)) { ++ die("Can't write $db_script: $!"); ++ } ++ ++ } else { ++ die("Can't open $db_script: $!"); ++ } ++ ++ my $cmd = "sqlite3 $db_file < $db_script"; ++ build_db($cmd, $db_script); ++ ++ # Make sure that, if we're running as root, the database file has 
++ # the permissions/privs set for use by proftpd ++ if ($< == 0) { ++ unless (chmod(0666, $db_file)) { ++ die("Can't set perms on $db_file to 0666: $!"); ++ } ++ } ++ ++ my $config = { ++ PidFile => $setup->{pid_file}, ++ ScoreboardFile => $setup->{scoreboard_file}, ++ SystemLog => $setup->{log_file}, ++ TraceLog => $setup->{log_file}, ++ Trace => 'auth:20 sql:20', ++ ++ # Required for logging the expected message ++ DebugLevel => 5, ++ ++ IfModules => { ++ 'mod_delay.c' => { ++ DelayEngine => 'off', ++ }, ++ ++ 'mod_sql.c' => { ++ AuthOrder => 'mod_sql.c', ++ ++ SQLAuthenticate => 'users', ++ SQLAuthTypes => 'plaintext', ++ SQLBackend => 'sqlite3', ++ SQLConnectInfo => $db_file, ++ SQLLogFile => $setup->{log_file}, ++ ++ # Set these, so that our lower UID/GID will be used ++ SQLMinUserUID => 100, ++ SQLMinUserGID => 100, ++ }, ++ }, ++ }; ++ ++ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, ++ $config); ++ ++ # Open pipes, for use between the parent and child processes. Specifically, ++ # the child will indicate when it's done with its test by writing a message ++ # to the parent. 
++ my ($rfh, $wfh); ++ unless (pipe($rfh, $wfh)) { ++ die("Can't open pipe: $!"); ++ } ++ ++ my $ex; ++ ++ # Fork child ++ $self->handle_sigchld(); ++ defined(my $pid = fork()) or die("Can't fork: $!"); ++ if ($pid) { ++ eval { ++ sleep(2); ++ ++ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); ++ $client->login($setup->{user}, $setup->{passwd}); ++ ++ my $resp_msgs = $client->response_msgs(); ++ my $nmsgs = scalar(@$resp_msgs); ++ ++ my $expected = 1; ++ $self->assert($expected == $nmsgs, ++ test_msg("Expected $expected, got $nmsgs")); ++ ++ $expected = "User $setup->{user} logged in"; ++ $self->assert($expected eq $resp_msgs->[0], ++ test_msg("Expected response '$expected', got '$resp_msgs->[0]'")); ++ ++ $client->quit(); ++ }; ++ if ($@) { ++ $ex = $@; ++ } ++ ++ $wfh->print("done\n"); ++ $wfh->flush(); ++ ++ } else { ++ eval { server_wait($setup->{config_file}, $rfh) }; ++ if ($@) { ++ warn($@); ++ exit 1; ++ } ++ ++ exit 0; ++ } ++ ++ # Stop server ++ server_stop($setup->{pid_file}); ++ $self->assert_child_ok($pid); ++ ++ eval { ++ if (open(my $fh, "< $setup->{log_file}")) { ++ my $ok = 0; ++ ++ while (my $line = <$fh>) { ++ chomp($line); ++ ++ if ($ENV{TEST_VERBOSE}) { ++ print STDERR "# $line\n"; ++ } ++ ++ if ($line =~ /no supplemental groups found for user '$setup->{user}', using primary group/) { ++ $ok = 1; ++ last; ++ } ++ } ++ ++ close($fh); ++ ++ $self->assert($ok, test_msg("Did not see expected log message")); ++ ++ } else { ++ die("Can't read $setup->{log_file}: $!"); ++ } ++ }; ++ if ($@) { ++ $ex = $@ unless $ex; ++ } ++ ++ test_cleanup($setup->{log_file}, $ex); ++} ++ ++ + 1; diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb index c8097a14b0..345c714a52 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb 
@@ -12,12 +12,13 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https file://proftpd-basic.init \ file://default \ file://close-RequireValidShell-check.patch \ - file://contrib.patch \ + file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ file://CVE-2023-51713.patch \ file://CVE-2024-57392.patch \ file://CVE-2023-48795.patch \ + file://CVE-2024-48651.patch \ " S = "${WORKDIR}/git"
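Review bot: in [PATCH 1/4], the comment added above CVE_CHECK_IGNORE in accountsservice_22.08.8.bb says only "Ubuntu specific" and loses the reason given in the commit message, namely that the vulnerable code comes from a patch Ubuntu adds and that this recipe does not carry. Suggest spelling that out in the comment, for example `# not-applicable-platform: only affects an Ubuntu-added patch that is not applied here`, so the ignore can be re-checked if distro patches are ever added to SRC_URI.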
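Review bot: in [PATCH 2/4], the new `SRC_URI[sha256sum]` in postgresql_14.20.bb is the only integrity check visible for the 14.20 source and the message does not say where the value came from. Please state its source in the commit message (the checksum published with the upstream release, rather than one computed from whatever the fetcher downloaded) so it can be compared independently. Leaving the CVE_CHECK_IGNORE list in the context untouched looks right for a version bump that fixes CVE-2025-12817 and CVE-2025-12818 upstream.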
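Review bot: in [PATCH 3/4], the header of the new CVE-2025-27091.patch carries only the upstream subject "Potential bug fix (#3818)", so the reasoning that ties this commit to the CVE exists only in the mail's commit message. By that message the commit was chosen by inference (a non-cosmetic commit in v2.6.0 from the account credited in the advisory), so please add a short note saying so to the patch header, next to the `CVE:` and `Upstream-Status:` tags, where it stays in the tree. It would also help to say whether the added early return in WelsDecodeBs was build- or run-tested on 2.1.1, since the fix was released in v2.6.0 and the hunk lands in a much older decoder.cpp.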
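Review bot: in [PATCH 4/4], the src/auth.c part of CVE-2024-48651.patch changes pr_auth_getgroups() to allocate the GID and group-name arrays from the caller's pool `p` instead of `permanent_pool`, while both setup_env() functions touched here store the result in session.gids and session.groups. That is a lifetime change beyond the primary-group fallback the patch subject describes, so please confirm that in 1.3.7c the pool passed to setup_env() lives as long as the session. Separately, the 175 lines added to tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm are more than half of the backport; say whether the recipe runs that test, or drop it to keep the backport to the code change.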
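Review bot: in [PATCH 4/4], the `file://contrib.patch \` line in proftpd_1.3.7c.bb is removed and re-added with what appears to be a whitespace-only difference, which accounts for the single deletion in the diffstat and is unrelated to CVE-2024-48651. Drop that change or send it separately, so the recipe hunk adds only `file://CVE-2024-48651.patch \`.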