From patchwork Tue Dec 23 21:22:07 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77333
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/18] cups 2.4.11: Fix CVE-2025-58436 Date: Tue, 23 Dec 2025 13:22:07 -0800 Message-ID: <6a721aad5f531ac74996386cbaaa0173c2c5001a.1766524798.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Dec 2025 21:22:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228475 From: Deepak Rathore Upstream Repository: https://github.com/OpenPrinting/cups.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58436 Type: Security Fix CVE: CVE-2025-58436 Score: 5.5 Patch: https://github.com/OpenPrinting/cups/commit/5d414f1f91bd Signed-off-by: Deepak Rathore Signed-off-by: Steve Sakoman --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2025-58436.patch | 635 ++++++++++++++++++ 2 files changed, 636 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-58436.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 0a26a9b6de..cf3df32306 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://cups-volatiles.conf \ file://CVE-2025-58060.patch \ file://CVE-2025-58364.patch \ + file://CVE-2025-58436.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2025-58436.patch b/meta/recipes-extended/cups/cups/CVE-2025-58436.patch new file mode 100644 index 0000000000..5083d082dc --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-58436.patch 
@@ -0,0 +1,635 @@ +From 7587d27139227397ab68cce554a112bb1190e6b6 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Mon, 13 Oct 2025 10:16:48 +0200 +Subject: [PATCH] Fix unresponsive cupsd process caused by a slow client + +If client is very slow, it will slow cupsd process for other clients. +The fix is the best effort without turning scheduler cupsd into +multithreaded process which would be too complex and error-prone when +backporting to 2.4.x series. + +The fix for unencrypted communication is to follow up on communication +only if there is the whole line on input, and the waiting time is +guarded by timeout. + +Encrypted communication now starts after we have the whole client hello +packet, which conflicts with optional upgrade support to HTTPS via +methods other than method OPTIONS, so this optional support defined in +RFC 2817, section 3.1 is removed. Too slow or incomplete requests are +handled by connection timeout. + +Fixes CVE-2025-58436 + +CVE: CVE-2025-58436 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/5d414f1f91bd] + +(cherry picked from commit 5d414f1f91bdca118413301b148f0b188eb1cdc6) +Signed-off-by: Deepak Rathore +--- + cups/http-private.h | 7 +- + cups/http.c | 80 +++++++++++++------- + cups/tls-openssl.c | 15 +++- + scheduler/client.c | 178 ++++++++++++++++++++++++++++---------------- + scheduler/client.h | 3 + + scheduler/select.c | 12 +++ + 6 files changed, 198 insertions(+), 97 deletions(-) + +diff --git a/cups/http-private.h b/cups/http-private.h +index 5f77b8ef0..b8e200bf6 100644 +--- a/cups/http-private.h ++++ b/cups/http-private.h +@@ -121,6 +121,7 @@ extern "C" { + * Constants... 
+ */ + ++# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */ + # define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */ + # define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */ + # define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */ +@@ -232,8 +233,8 @@ struct _http_s /**** HTTP connection structure ****/ + http_encoding_t data_encoding; /* Chunked or not */ + int _data_remaining;/* Number of bytes left (deprecated) */ + int used; /* Number of bytes used in buffer */ +- char buffer[HTTP_MAX_BUFFER]; +- /* Buffer for incoming data */ ++ char _buffer[HTTP_MAX_BUFFER]; ++ /* Old read buffer (deprecated) */ + int _auth_type; /* Authentication in use (deprecated) */ + unsigned char _md5_state[88]; /* MD5 state (deprecated) */ + char nonce[HTTP_MAX_VALUE]; +@@ -307,6 +308,8 @@ struct _http_s /**** HTTP connection structure ****/ + /* Allocated field values */ + *default_fields[HTTP_FIELD_MAX]; + /* Default field values, if any */ ++ char buffer[_HTTP_MAX_BUFFER]; ++ /* Read buffer */ + }; + # endif /* !_HTTP_NO_PRIVATE */ + +diff --git a/cups/http.c b/cups/http.c +index 31a8be361..599703c7b 100644 +--- a/cups/http.c ++++ b/cups/http.c +@@ -53,7 +53,7 @@ static http_t *http_create(const char *host, int port, + static void http_debug_hex(const char *prefix, const char *buffer, + int bytes); + #endif /* DEBUG */ +-static ssize_t http_read(http_t *http, char *buffer, size_t length); ++static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout); + static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length); + static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length); + static int http_send(http_t *http, http_state_t request, +@@ -1200,7 +1200,7 @@ httpGets(char *line, /* I - Line to read into */ + return (NULL); + } + +- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used)); ++ bytes = http_read(http, http->buffer + http->used, 
(size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value); + + DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes)); + +@@ -1720,24 +1720,13 @@ httpPeek(http_t *http, /* I - HTTP connection */ + + ssize_t buflen; /* Length of read for buffer */ + +- if (!http->blocking) +- { +- while (!httpWait(http, http->wait_value)) +- { +- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) +- continue; +- +- return (0); +- } +- } +- + if ((size_t)http->data_remaining > sizeof(http->buffer)) + buflen = sizeof(http->buffer); + else + buflen = (ssize_t)http->data_remaining; + + DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen)); +- bytes = http_read(http, http->buffer, (size_t)buflen); ++ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value); + + DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.", + CUPS_LLCAST bytes)); +@@ -1758,9 +1747,9 @@ httpPeek(http_t *http, /* I - HTTP connection */ + int zerr; /* Decompressor error */ + z_stream stream; /* Copy of decompressor stream */ + +- if (http->used > 0 && ((z_stream *)http->stream)->avail_in < HTTP_MAX_BUFFER) ++ if (http->used > 0 && ((z_stream *)http->stream)->avail_in < _HTTP_MAX_BUFFER) + { +- size_t buflen = HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in; ++ size_t buflen = _HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in; + /* Number of bytes to copy */ + + if (((z_stream *)http->stream)->avail_in > 0 && +@@ -2018,7 +2007,7 @@ httpRead2(http_t *http, /* I - HTTP connection */ + + if (bytes == 0) + { +- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in; ++ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in; + /* Additional bytes for buffer */ + + if (buflen > 0) +@@ -2768,7 +2757,7 @@ int /* O - 1 to continue, 0 to stop */ + _httpUpdate(http_t *http, /* I - HTTP connection */ + http_status_t *status) /* O - Current HTTP status */ + { +- char line[32768], 
/* Line from connection... */ ++ char line[_HTTP_MAX_BUFFER], /* Line from connection... */ + *value; /* Pointer to value on line */ + http_field_t field; /* Field index */ + int major, minor; /* HTTP version numbers */ +@@ -2776,12 +2765,46 @@ _httpUpdate(http_t *http, /* I - HTTP connection */ + + DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state))); + ++ /* When doing non-blocking I/O, make sure we have a whole line... */ ++ if (!http->blocking) ++ { ++ ssize_t bytes; /* Bytes "peeked" from connection */ ++ ++ /* See whether our read buffer is full... */ ++ DEBUG_printf(("2_httpUpdate: used=%d", http->used)); ++ ++ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer)) ++ { ++ /* No, try filling in more data... */ ++ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0) ++ { ++ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes)); ++ http->used += (int)bytes; ++ } ++ } ++ ++ /* Peek at the incoming data... */ ++ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used)) ++ { ++ /* Don't have a full line, tell the reader to try again when there is more data... */ ++ DEBUG_puts("1_htttpUpdate: No newline in buffer yet."); ++ if ((size_t)http->used == sizeof(http->buffer)) ++ *status = HTTP_STATUS_ERROR; ++ else ++ *status = HTTP_STATUS_CONTINUE; ++ return (0); ++ } ++ ++ DEBUG_puts("2_httpUpdate: Found newline in buffer."); ++ } ++ + /* + * Grab a single line from the connection... 
+ */ + + if (!httpGets(line, sizeof(line), http)) + { ++ DEBUG_puts("1_httpUpdate: Error reading request line."); + *status = HTTP_STATUS_ERROR; + return (0); + } +@@ -4134,7 +4157,8 @@ http_debug_hex(const char *prefix, /* I - Prefix for line */ + static ssize_t /* O - Number of bytes read or -1 on error */ + http_read(http_t *http, /* I - HTTP connection */ + char *buffer, /* I - Buffer */ +- size_t length) /* I - Maximum bytes to read */ ++ size_t length, /* I - Maximum bytes to read */ ++ int timeout) /* I - Wait timeout */ + { + ssize_t bytes; /* Bytes read */ + +@@ -4143,7 +4167,7 @@ http_read(http_t *http, /* I - HTTP connection */ + + if (!http->blocking || http->timeout_value > 0.0) + { +- while (!httpWait(http, http->wait_value)) ++ while (!_httpWait(http, timeout, 1)) + { + if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) + continue; +@@ -4246,7 +4270,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */ + else + bytes = (ssize_t)length; + +- DEBUG_printf(("8http_read: Grabbing %d bytes from input buffer.", ++ DEBUG_printf(("8http_read_buffered: Grabbing %d bytes from input buffer.", + (int)bytes)); + + memcpy(buffer, http->buffer, (size_t)bytes); +@@ -4256,7 +4280,7 @@ http_read_buffered(http_t *http, /* I - HTTP connection */ + memmove(http->buffer, http->buffer + bytes, (size_t)http->used); + } + else +- bytes = http_read(http, buffer, length); ++ bytes = http_read(http, buffer, length, http->wait_value); + + return (bytes); + } +@@ -4597,15 +4621,15 @@ http_set_timeout(int fd, /* I - File descriptor */ + static void + http_set_wait(http_t *http) /* I - HTTP connection */ + { +- if (http->blocking) +- { +- http->wait_value = (int)(http->timeout_value * 1000); ++ http->wait_value = (int)(http->timeout_value * 1000); + +- if (http->wait_value <= 0) ++ if (http->wait_value <= 0) ++ { ++ if (http->blocking) + http->wait_value = 60000; ++ else ++ http->wait_value = 1000; + } +- else +- http->wait_value = 10000; + } + + +diff 
--git a/cups/tls-openssl.c b/cups/tls-openssl.c +index 9fcbe0af3..f746f4cba 100644 +--- a/cups/tls-openssl.c ++++ b/cups/tls-openssl.c +@@ -215,12 +215,14 @@ cupsMakeServerCredentials( + // Save them... + if ((bio = BIO_new_file(keyfile, "wb")) == NULL) + { ++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file '%s': %s", keyfile, strerror(errno))); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0); + goto done; + } + + if (!PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL)) + { ++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_PrivateKey failed."); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write private key."), 1); + BIO_free(bio); + goto done; +@@ -230,12 +232,14 @@ cupsMakeServerCredentials( + + if ((bio = BIO_new_file(crtfile, "wb")) == NULL) + { ++ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create certificate file '%s': %s", crtfile, strerror(errno))); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0); + goto done; + } + + if (!PEM_write_bio_X509(bio, cert)) + { ++ DEBUG_puts("1cupsMakeServerCredentials: PEM_write_bio_X509 failed."); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to write X.509 certificate."), 1); + BIO_free(bio); + goto done; +@@ -1082,10 +1086,10 @@ _httpTLSStart(http_t *http) // I - Connection to server + + if (!cupsMakeServerCredentials(tls_keypath, cn, 0, NULL, time(NULL) + 3650 * 86400)) + { +- DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed."); ++ DEBUG_printf(("4_httpTLSStart: cupsMakeServerCredentials failed: %s", cupsLastErrorString())); + http->error = errno = EINVAL; + http->status = HTTP_STATUS_ERROR; +- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1); ++// _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1); + SSL_CTX_free(context); + _cupsMutexUnlock(&tls_mutex); + +@@ -1346,14 +1350,17 @@ http_bio_read(BIO *h, // I - BIO data + + http = 
(http_t *)BIO_get_data(h); + +- if (!http->blocking) ++ if (!http->blocking || http->timeout_value > 0.0) + { + /* + * Make sure we have data before we read... + */ + +- if (!_httpWait(http, 10000, 0)) ++ while (!_httpWait(http, http->wait_value, 0)) + { ++ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) ++ continue; ++ + #ifdef WIN32 + http->error = WSAETIMEDOUT; + #else +diff --git a/scheduler/client.c b/scheduler/client.c +index 233f9017d..d495d9a75 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -34,11 +34,11 @@ + + static int check_if_modified(cupsd_client_t *con, + struct stat *filestats); +-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b, +- void *data); + #ifdef HAVE_TLS +-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e); ++static int check_start_tls(cupsd_client_t *con); + #endif /* HAVE_TLS */ ++static int compare_clients(cupsd_client_t *a, cupsd_client_t *b, ++ void *data); + static char *get_file(cupsd_client_t *con, struct stat *filestats, + char *filename, size_t len); + static http_status_t install_cupsd_conf(cupsd_client_t *con); +@@ -360,14 +360,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + if (lis->encryption == HTTP_ENCRYPTION_ALWAYS) + { + /* +- * https connection; go secure... ++ * HTTPS connection, force TLS negotiation... + */ + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS)) +- cupsdCloseClient(con); ++ con->tls_start = time(NULL); ++ con->encryption = HTTP_ENCRYPTION_ALWAYS; + } + else ++ { ++ /* ++ * HTTP connection, but check for HTTPS negotiation on first data... 
++ */ ++ + con->auto_ssl = 1; ++ } + #endif /* HAVE_TLS */ + } + +@@ -606,17 +612,46 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + + con->auto_ssl = 0; + +- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 && +- (!buf[0] || !strchr("DGHOPT", buf[0]))) ++ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2]) + { + /* +- * Encrypt this connection... ++ * Client hello record, encrypt this connection... + */ + +- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255); ++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session."); ++ con->tls_start = time(NULL); ++ con->encryption = HTTP_ENCRYPTION_ALWAYS; ++ } ++ } + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS)) +- cupsdCloseClient(con); ++ if (con->tls_start) ++ { ++ /* ++ * Try negotiating TLS... ++ */ ++ ++ int tls_status = check_start_tls(con); ++ ++ if (tls_status < 0) ++ { ++ /* ++ * TLS negotiation failed, close the connection. ++ */ ++ ++ cupsdCloseClient(con); ++ return; ++ } ++ else if (tls_status == 0) ++ { ++ /* ++ * Nothing to do yet... ++ */ ++ ++ if ((time(NULL) - con->tls_start) > 5) ++ { ++ // Timeout, close the connection... ++ cupsdCloseClient(con); ++ } + + return; + } +@@ -780,9 +815,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + * Parse incoming parameters until the status changes... 
+ */ + +- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE) +- if (!httpGetReady(con->http)) +- break; ++ status = httpUpdate(con->http); + + if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE) + { +@@ -944,11 +977,10 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + return; + } + +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED)) +- { +- cupsdCloseClient(con); +- return; +- } ++ con->tls_start = time(NULL); ++ con->tls_upgrade = 1; ++ con->encryption = HTTP_ENCRYPTION_REQUIRED; ++ return; + #else + if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) + { +@@ -987,32 +1019,11 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ + if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION), + "Upgrade") && !httpIsEncrypted(con->http)) + { +-#ifdef HAVE_TLS +- /* +- * Do encryption stuff... +- */ +- +- httpClearFields(con->http); +- +- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, +- CUPSD_AUTH_NONE)) +- { +- cupsdCloseClient(con); +- return; +- } +- +- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED)) +- { +- cupsdCloseClient(con); +- return; +- } +-#else + if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) + { + cupsdCloseClient(con); + return; + } +-#endif /* HAVE_TLS */ + } + + if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK) +@@ -2685,6 +2696,69 @@ check_if_modified( + } + + ++#ifdef HAVE_TLS ++/* ++ * 'check_start_tls()' - Start encryption on a connection. ++ */ ++ ++static int /* O - 0 to continue, 1 on success, -1 on error */ ++check_start_tls(cupsd_client_t *con) /* I - Client connection */ ++{ ++ unsigned char chello[4096]; /* Client hello record */ ++ ssize_t chello_bytes; /* Bytes read/peeked */ ++ int chello_len; /* Length of record */ ++ ++ ++ /* ++ * See if we have a good and complete client hello record... 
++ */ ++ ++ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5) ++ return (0); /* Not enough bytes (yet) */ ++ ++ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0) ++ return (-1); /* Not a TLS Client Hello record */ ++ ++ chello_len = (chello[3] << 8) | chello[4]; ++ ++ if ((chello_len + 5) > chello_bytes) ++ return (0); /* Not enough bytes yet */ ++ ++ /* ++ * OK, we do, try negotiating... ++ */ ++ ++ con->tls_start = 0; ++ ++ if (httpEncryption(con->http, con->encryption)) ++ { ++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString()); ++ return (-1); ++ } ++ ++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted."); ++ ++ if (con->tls_upgrade) ++ { ++ // Respond to the original OPTIONS command... ++ con->tls_upgrade = 0; ++ ++ httpClearFields(con->http); ++ httpClearCookie(con->http); ++ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0"); ++ ++ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE)) ++ { ++ cupsdCloseClient(con); ++ return (-1); ++ } ++ } ++ ++ return (1); ++} ++#endif /* HAVE_TLS */ ++ ++ + /* + * 'compare_clients()' - Compare two client connections. + */ +@@ -2705,28 +2779,6 @@ compare_clients(cupsd_client_t *a, /* I - First client */ + } + + +-#ifdef HAVE_TLS +-/* +- * 'cupsd_start_tls()' - Start encryption on a connection. +- */ +- +-static int /* O - 0 on success, -1 on error */ +-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */ +- http_encryption_t e) /* I - Encryption mode */ +-{ +- if (httpEncryption(con->http, e)) +- { +- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", +- cupsLastErrorString()); +- return (-1); +- } +- +- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted."); +- return (0); +-} +-#endif /* HAVE_TLS */ +- +- + /* + * 'get_file()' - Get a filename and state info. 
+ */ +diff --git a/scheduler/client.h b/scheduler/client.h +index 9fe4e2ea6..2939ce997 100644 +--- a/scheduler/client.h ++++ b/scheduler/client.h +@@ -53,6 +53,9 @@ struct cupsd_client_s + cups_lang_t *language; /* Language to use */ + #ifdef HAVE_TLS + int auto_ssl; /* Automatic test for SSL/TLS */ ++ time_t tls_start; /* Do TLS negotiation? */ ++ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */ ++ http_encryption_t encryption; /* Type of TLS negotiation */ + #endif /* HAVE_TLS */ + http_addr_t clientaddr; /* Client's server address */ + char clientname[256];/* Client's server name for connection */ +diff --git a/scheduler/select.c b/scheduler/select.c +index 2e64f2a7e..ac6205c51 100644 +--- a/scheduler/select.c ++++ b/scheduler/select.c +@@ -408,6 +408,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + + cupsd_in_select = 1; + ++ // Prevent 100% CPU by releasing control before the kevent call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + { + ktimeout.tv_sec = timeout; +@@ -452,6 +455,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + struct epoll_event *event; /* Current event */ + + ++ // Prevent 100% CPU by releasing control before the epoll_wait call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs, + timeout * 1000); +@@ -544,6 +550,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + } + } + ++ // Prevent 100% CPU by releasing control before the poll call... ++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000); + else +@@ -597,6 +606,9 @@ cupsdDoSelect(long timeout) /* I - Timeout in seconds */ + cupsd_current_input = cupsd_global_input; + cupsd_current_output = cupsd_global_output; + ++ // Prevent 100% CPU by releasing control before the select call... 
++ usleep(1); ++ + if (timeout >= 0 && timeout < 86400) + { + stimeout.tv_sec = timeout; +-- +2.44.1 + From patchwork Tue Dec 23 21:22:08 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77335
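Review bot: On the CVE-2025-58436 backport above, the `cups/http-private.h` hunk appends `char buffer[_HTTP_MAX_BUFFER]` to the end of `struct _http_s` while leaving the old `_buffer[HTTP_MAX_BUFFER]` in place as deprecated padding, so existing field offsets survive but `sizeof(http_t)` grows by 32 KiB. That is only ABI-safe if every `http_t` is allocated inside libcups (`http_create()`), and the struct is visible to anything built without `_HTTP_NO_PRIVATE`; the patch description should state that assumption so reviewers of out-of-tree consumers know what to check.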
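Review bot: In the `_httpUpdate()` hunk of `cups/http.c`, the new non-blocking branch only calls `http_read()` when `http->used > 0`; with an empty buffer it skips the read entirely and returns `HTTP_STATUS_CONTINUE` without consuming anything from the socket. If `httpUpdate()` can be reached with `used == 0` while data is pending (a slow client that sent only the request line consumed by `httpGets()`), the scheduler's readable-fd wakeup repeats with no progress, so either attempt the zero-timeout read when `used == 0` as well, or explain in the patch description why the buffer is guaranteed non-empty at this point. Same hunk, a typo: `DEBUG_puts("1_htttpUpdate: No newline in buffer yet.")` has a stray `t` in the function name.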
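Review bot: The `http_set_wait()` hunk in `cups/http.c` lowers the default `wait_value` for non-blocking connections from 10000 ms to 1000 ms, and the `http_bio_read()` hunk in `cups/tls-openssl.c` now waits on `http->wait_value` in a loop instead of the previous hard-coded `_httpWait(http, 10000, 0)`, so TLS reads on non-blocking libcups clients time out ten times sooner unless a `timeout_cb` keeps them going. That is a client-visible behaviour change for library users on slow links, not just the scheduler, and deserves a sentence in the patch description.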
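Review bot: In the `_httpTLSStart()` hunk of `cups/tls-openssl.c`, the `_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);` call is left behind as a `//` commented-out line rather than deleted. If the intent is to keep the more specific error already set by `cupsMakeServerCredentials()` (which the new `DEBUG_printf` reports through `cupsLastErrorString()`), remove the line and say so in a one-line comment; commented-out code tends to be resurrected in later merges.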
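Review bot: In the new `check_start_tls()` in `scheduler/client.c`, the peek buffer `chello[4096]` caps what can ever be seen, but `chello_len` is a 16-bit record length, so a Client Hello record longer than 4091 bytes makes `(chello_len + 5) > chello_bytes` true on every call and the connection is only dropped by the 5-second `tls_start` check in `cupsdReadClient()`. Either size the buffer to the maximum TLS record (16384 + 5 bytes) or treat `chello_len + 5 > sizeof(chello)` as "complete enough, negotiate now" instead of "wait for more"; Client Hellos carrying several key shares already exceed 1 KiB, so the margin is not generous. The hard-coded `> 5` in `cupsdReadClient()` would also read better as a named constant defined next to `tls_start`.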
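Review bot: In the `scheduler/client.h` hunk, the comment on `time_t tls_start; /* Do TLS negotiation? */` should state what the field holds: the time at which TLS negotiation was requested, with 0 meaning none pending, since `cupsdReadClient()` uses it both as a flag and as the base for the 5-second timeout.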
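Review bot: The four `usleep(1)` insertions in `scheduler/select.c` ("Prevent 100% CPU") add an unconditional sleep syscall to every pass through `cupsdDoSelect()` without identifying what spins; given that the `_httpUpdate()` change can return `HTTP_STATUS_CONTINUE` while the socket stays readable, a wakeup without a read is the likely cause and should be fixed at the source. If the sleep is kept as a backstop, the comment should say which loop it guards, and the patch description should mention the per-iteration latency it adds (on Linux `usleep(1)` sleeps considerably longer than 1 µs because of timer slack).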
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 02/18] cups 2.4.11: Fix CVE-2025-61915 Date: Tue, 23 Dec 2025 13:22:08 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Dec 2025 21:22:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228476 From: Deepak Rathore Upstream Repository: https://github.com/OpenPrinting/cups.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61915 Type: Security Fix CVE: CVE-2025-61915 Score: 6.7 Patch: https://github.com/OpenPrinting/cups/commit/db8d560262c2 Signed-off-by: Deepak Rathore Signed-off-by: Steve Sakoman --- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2025-61915.patch | 491 ++++++++++++++++++ 2 files changed, 492 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2025-61915.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index cf3df32306..12668ca023 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -18,6 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://CVE-2025-58060.patch \ file://CVE-2025-58364.patch \ file://CVE-2025-58436.patch \ + file://CVE-2025-61915.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2025-61915.patch b/meta/recipes-extended/cups/cups/CVE-2025-61915.patch new file mode 100644 index 0000000000..ad91c66b73 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2025-61915.patch 
@@ -0,0 +1,491 @@ +From 3ff24bbe1d0e11a2edb5cac0ae421b8e95220651 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 21 Nov 2025 07:36:36 +0100 +Subject: [PATCH] Fix various issues in cupsd + +Various issues were found by @SilverPlate3, recognized as CVE-2025-61915: + +- out of bound write when handling IPv6 addresses, +- cupsd crash caused by null dereference when ErrorPolicy value is empty, + +On the top of that, Mike Sweet noticed vulnerability via domain socket, +exploitable locally if attacker has access to domain socket and knows username +of user within a group which is present in CUPS system groups: + +- rewrite of cupsd.conf via PeerCred authorization via domain socket + +The last vulnerability is fixed by introducing PeerCred directive for cups-files.conf, +which controls whether PeerCred is enabled/disabled for user in CUPS system groups. + +Fixes CVE-2025-61915 + +CVE: CVE-2025-61915 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/db8d560262c2] + +(cherry picked from commit db8d560262c22a21ee1e55dfd62fa98d9359bcb0) +Signed-off-by: Deepak Rathore +--- + conf/cups-files.conf.in | 3 ++ + config-scripts/cups-defaults.m4 | 9 +++++ + config.h.in | 7 ++++ + configure | 22 ++++++++++ + doc/help/man-cups-files.conf.html | 9 ++++- + man/cups-files.conf.5 | 17 ++++++-- + scheduler/auth.c | 8 +++- + scheduler/auth.h | 7 ++++ + scheduler/client.c | 2 +- + scheduler/conf.c | 60 ++++++++++++++++++++++++---- + test/run-stp-tests.sh | 2 +- + vcnet/config.h | 7 ++++ + xcode/CUPS.xcodeproj/project.pbxproj | 2 - + xcode/config.h | 7 ++++ + 14 files changed, 145 insertions(+), 17 deletions(-) + +diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in +index 27d8be96f..bc999e420 100644 +--- a/conf/cups-files.conf.in ++++ b/conf/cups-files.conf.in +@@ -22,6 +22,9 @@ + SystemGroup @CUPS_SYSTEM_GROUPS@ + @CUPS_SYSTEM_AUTHKEY@ + ++# Are Unix domain socket peer credentials used for authorization? 
++PeerCred @CUPS_PEER_CRED@ ++ + # User that is substituted for unauthenticated (remote) root accesses... + #RemoteRoot remroot + +diff --git a/config-scripts/cups-defaults.m4 b/config-scripts/cups-defaults.m4 +index 27e5bc472..b4f03d624 100644 +--- a/config-scripts/cups-defaults.m4 ++++ b/config-scripts/cups-defaults.m4 +@@ -129,6 +129,15 @@ AC_ARG_WITH([log_level], AS_HELP_STRING([--with-log-level], [set default LogLeve + AC_SUBST([CUPS_LOG_LEVEL]) + AC_DEFINE_UNQUOTED([CUPS_DEFAULT_LOG_LEVEL], ["$CUPS_LOG_LEVEL"], [Default LogLevel value.]) + ++dnl Default PeerCred ++AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [ ++ CUPS_PEER_CRED="$withval" ++], [ ++ CUPS_PEER_CRED="on" ++]) ++AC_SUBST([CUPS_PEER_CRED]) ++AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.]) ++ + dnl Default AccessLogLevel + AC_ARG_WITH(access_log_level, [ --with-access-log-level set default AccessLogLevel value, default=none], + CUPS_ACCESS_LOG_LEVEL="$withval", +diff --git a/config.h.in b/config.h.in +index 6940b9604..222b3b5bf 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -86,6 +86,13 @@ + #define CUPS_DEFAULT_ERROR_POLICY "stop-printer" + + ++/* ++ * Default PeerCred value... ++ */ ++ ++#define CUPS_DEFAULT_PEER_CRED "on" ++ ++ + /* + * Default MaxCopies value... 
+ */ +diff --git a/configure b/configure +index f8147c9d6..f456c8588 100755 +--- a/configure ++++ b/configure +@@ -672,6 +672,7 @@ CUPS_BROWSING + CUPS_SYNC_ON_CLOSE + CUPS_PAGE_LOG_FORMAT + CUPS_ACCESS_LOG_LEVEL ++CUPS_PEER_CRED + CUPS_LOG_LEVEL + CUPS_FATAL_ERRORS + CUPS_ERROR_POLICY +@@ -925,6 +926,7 @@ with_max_log_size + with_error_policy + with_fatal_errors + with_log_level ++with_peer_cred + with_access_log_level + enable_page_logging + enable_sync_on_close +@@ -1661,6 +1663,8 @@ Optional Packages: + --with-error-policy set default ErrorPolicy value, default=stop-printer + --with-fatal-errors set default FatalErrors value, default=config + --with-log-level set default LogLevel value, default=warn ++ --with-peer-cred set default PeerCred value (on/off/root-only), ++ default=on + --with-access-log-level set default AccessLogLevel value, default=none + --with-local-protocols set default BrowseLocalProtocols, default="" + --with-cups-user set default user for CUPS +@@ -11718,6 +11722,24 @@ printf "%s\n" "#define CUPS_DEFAULT_LOG_LEVEL \"$CUPS_LOG_LEVEL\"" >>confdefs.h + + + ++# Check whether --with-peer_cred was given. ++if test ${with_peer_cred+y} ++then : ++ withval=$with_peer_cred; ++ CUPS_PEER_CRED="$withval" ++ ++else $as_nop ++ ++ CUPS_PEER_CRED="on" ++ ++fi ++ ++ ++ ++printf "%s\n" "#define CUPS_DEFAULT_PEER_CRED \"$CUPS_PEER_CRED\"" >>confdefs.h ++ ++ ++ + # Check whether --with-access_log_level was given. + if test ${with_access_log_level+y} + then : +diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html +index c0c775dec..5a9ddefeb 100644 +--- a/doc/help/man-cups-files.conf.html ++++ b/doc/help/man-cups-files.conf.html +@@ -119,6 +119,13 @@ The default is "/var/log/cups/page_log". +
PassEnv variable [ ... variable ] +
Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++
PeerCred off ++
PeerCred on ++
PeerCred root-only ++
Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When on, the peer credentials of any user are accepted for authorization. ++The value off disables the use of peer credentials entirely, while the value root-only allows peer credentials only for the root user. ++Note: for security reasons, the on setting is reduced to root-only for authorization of PUT requests. +
RemoteRoot username +
Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user. + The default is "remroot". +@@ -207,7 +214,7 @@ command is used instead. + subscriptions.conf(5), + CUPS Online Help (http://localhost:631/help) +

Copyright

+-Copyright © 2020-2023 by OpenPrinting. ++Copyright © 2020-2025 by OpenPrinting. + + + +diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5 +index 8358b62a1..107072c3c 100644 +--- a/man/cups-files.conf.5 ++++ b/man/cups-files.conf.5 +@@ -1,14 +1,14 @@ + .\" + .\" cups-files.conf man page for CUPS. + .\" +-.\" Copyright © 2020-2024 by OpenPrinting. ++.\" Copyright © 2020-2025 by OpenPrinting. + .\" Copyright © 2007-2019 by Apple Inc. + .\" Copyright © 1997-2006 by Easy Software Products. + .\" + .\" Licensed under Apache License v2.0. See the file "LICENSE" for more + .\" information. + .\" +-.TH cups-files.conf 5 "CUPS" "2021-03-06" "OpenPrinting" ++.TH cups-files.conf 5 "CUPS" "2025-10-08" "OpenPrinting" + .SH NAME + cups\-files.conf \- file and directory configuration file for cups + .SH DESCRIPTION +@@ -166,6 +166,17 @@ The default is "/var/log/cups/page_log". + \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR] + Passes the specified environment variable(s) to child processes. + Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive. ++.\"#PeerCred ++.TP 5 ++\fBPeerCred off\fR ++.TP 5 ++\fBPeerCred on\fR ++.TP 5 ++\fBPeerCred root-only\fR ++Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket. ++When \fBon\fR, the peer credentials of any user are accepted for authorization. ++The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user. ++Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests. + .\"#RemoteRoot + .TP 5 + \fBRemoteRoot \fIusername\fR +@@ -289,4 +300,4 @@ command is used instead. + .BR subscriptions.conf (5), + CUPS Online Help (http://localhost:631/help) + .SH COPYRIGHT +-Copyright \[co] 2020-2024 by OpenPrinting. ++Copyright \[co] 2020-2025 by OpenPrinting. 
+diff --git a/scheduler/auth.c b/scheduler/auth.c +index 3c9aa72aa..bd0d28a0e 100644 +--- a/scheduler/auth.c ++++ b/scheduler/auth.c +@@ -398,7 +398,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- else if (!strncmp(authorization, "PeerCred ", 9) && ++ else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) && + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + { + /* +@@ -441,6 +441,12 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ + } + #endif /* HAVE_AUTHORIZATION_H */ + ++ if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root")) ++ { ++ cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9); ++ return; ++ } ++ + if ((pwd = getpwnam(authorization + 9)) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); +diff --git a/scheduler/auth.h b/scheduler/auth.h +index ee98e92c7..fdf71213f 100644 +--- a/scheduler/auth.h ++++ b/scheduler/auth.h +@@ -50,6 +50,10 @@ + #define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ + #define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ + ++#define CUPSD_PEERCRED_OFF 0 /* Don't allow PeerCred authorization */ ++#define CUPSD_PEERCRED_ON 1 /* Allow PeerCred authorization for all users */ ++#define CUPSD_PEERCRED_ROOTONLY 2 /* Allow PeerCred authorization for root user */ ++ + #define IPP_ANY_OPERATION (ipp_op_t)0 + /* Any IPP operation */ + #define IPP_BAD_OPERATION (ipp_op_t)-1 +@@ -105,6 +109,9 @@ typedef struct + + VAR cups_array_t *Locations VALUE(NULL); + /* Authorization locations */ ++VAR int PeerCred VALUE(CUPSD_PEERCRED_ON); ++ /* Allow PeerCred authorization? 
*/ ++ + #ifdef HAVE_TLS + VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); + /* Default encryption for authentication */ +diff --git a/scheduler/client.c b/scheduler/client.c +index d495d9a75..81db4aa52 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -2204,7 +2204,7 @@ cupsdSendHeader( + auth_size = sizeof(auth_str) - (size_t)(auth_key - auth_str); + + #if defined(SO_PEERCRED) && defined(AF_LOCAL) +- if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) ++ if (PeerCred != CUPSD_PEERCRED_OFF && httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) + { + strlcpy(auth_key, ", PeerCred", auth_size); + auth_key += 10; +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 3184d72f0..6accf0590 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -47,6 +47,7 @@ typedef enum + { + CUPSD_VARTYPE_INTEGER, /* Integer option */ + CUPSD_VARTYPE_TIME, /* Time interval option */ ++ CUPSD_VARTYPE_NULLSTRING, /* String option or NULL/empty string */ + CUPSD_VARTYPE_STRING, /* String option */ + CUPSD_VARTYPE_BOOLEAN, /* Boolean option */ + CUPSD_VARTYPE_PATHNAME, /* File/directory name option */ +@@ -69,7 +70,7 @@ static const cupsd_var_t cupsd_vars[] = + { + { "AutoPurgeJobs", &JobAutoPurge, CUPSD_VARTYPE_BOOLEAN }, + #ifdef HAVE_DNSSD +- { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_STRING }, ++ { "BrowseDNSSDSubTypes", &DNSSDSubTypes, CUPSD_VARTYPE_NULLSTRING }, + #endif /* HAVE_DNSSD */ + { "BrowseWebIF", &BrowseWebIF, CUPSD_VARTYPE_BOOLEAN }, + { "Browsing", &Browsing, CUPSD_VARTYPE_BOOLEAN }, +@@ -120,7 +121,7 @@ static const cupsd_var_t cupsd_vars[] = + { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter, CUPSD_VARTYPE_INTEGER }, + { "MaxSubscriptionsPerUser", &MaxSubscriptionsPerUser, CUPSD_VARTYPE_INTEGER }, + { "MultipleOperationTimeout", &MultipleOperationTimeout, CUPSD_VARTYPE_TIME }, +- { "PageLogFormat", &PageLogFormat, CUPSD_VARTYPE_STRING }, ++ { "PageLogFormat", &PageLogFormat, 
CUPSD_VARTYPE_NULLSTRING }, + { "PreserveJobFiles", &JobFiles, CUPSD_VARTYPE_TIME }, + { "PreserveJobHistory", &JobHistory, CUPSD_VARTYPE_TIME }, + { "ReloadTimeout", &ReloadTimeout, CUPSD_VARTYPE_TIME }, +@@ -791,6 +792,13 @@ cupsdReadConfiguration(void) + IdleExitTimeout = 60; + #endif /* HAVE_ONDEMAND */ + ++ if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off")) ++ PeerCred = CUPSD_PEERCRED_OFF; ++ else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only")) ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ else ++ PeerCred = CUPSD_PEERCRED_ON; ++ + /* + * Setup environment variables... + */ +@@ -1831,7 +1839,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + + family = AF_INET6; + +- for (i = 0, ptr = value + 1; *ptr && i < 8; i ++) ++ for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++) + { + if (*ptr == ']') + break; +@@ -1977,7 +1985,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + #ifdef AF_INET6 + if (family == AF_INET6) + { +- if (i > 128) ++ if (i < 0 || i > 128) + return (0); + + i = 128 - i; +@@ -2011,7 +2019,7 @@ get_addr_and_mask(const char *value, /* I - String from config file */ + else + #endif /* AF_INET6 */ + { +- if (i > 32) ++ if (i < 0 || i > 32) + return (0); + + mask[0] = 0xffffffff; +@@ -2921,7 +2929,17 @@ parse_variable( + cupsdSetString((char **)var->ptr, temp); + break; + ++ case CUPSD_VARTYPE_NULLSTRING : ++ cupsdSetString((char **)var->ptr, value); ++ break; ++ + case CUPSD_VARTYPE_STRING : ++ if (!value) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename); ++ return (0); ++ } ++ + cupsdSetString((char **)var->ptr, value); + break; + } +@@ -3436,9 +3454,10 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + line, value ? " " : "", value ? 
value : "", linenum, + ConfigurationFile, CupsFilesFile); + } +- else +- parse_variable(ConfigurationFile, linenum, line, value, +- sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars); ++ else if (!parse_variable(ConfigurationFile, linenum, line, value, ++ sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) && ++ (FatalErrors & CUPSD_FATAL_CONFIG)) ++ return (0); + } + + return (1); +@@ -3597,6 +3616,31 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */ + break; + } + } ++ else if (!_cups_strcasecmp(line, "PeerCred") && value) ++ { ++ /* ++ * PeerCred {off,on,root-only} ++ */ ++ ++ if (!_cups_strcasecmp(value, "off")) ++ { ++ PeerCred = CUPSD_PEERCRED_OFF; ++ } ++ else if (!_cups_strcasecmp(value, "on")) ++ { ++ PeerCred = CUPSD_PEERCRED_ON; ++ } ++ else if (!_cups_strcasecmp(value, "root-only")) ++ { ++ PeerCred = CUPSD_PEERCRED_ROOTONLY; ++ } ++ else ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile); ++ if (FatalErrors & CUPSD_FATAL_CONFIG) ++ return (0); ++ } ++ } + else if (!_cups_strcasecmp(line, "PrintcapFormat") && value) + { + /* +diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh +index 39b53c3e4..2089f7944 100755 +--- a/test/run-stp-tests.sh ++++ b/test/run-stp-tests.sh +@@ -512,7 +512,7 @@ fi + + cat >$BASE/cups-files.conf <
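Review bot: in the scheduler/auth.c hunk the rejection of a non-root PeerCred user is logged at CUPSD_LOG_INFO, which is below the default LogLevel of warn (this same patch's configure help text says --with-log-level default=warn), so repeated attempts by a SystemGroup member to PUT over the domain socket leave nothing in error_log on a default install; log the ROOTONLY/PUT refusal at CUPSD_LOG_WARN, since it is the new boundary this CVE introduces. A short comment above the new if would also help: the HTTP_STATE_PUT_RECV clause applies to every PUT, not only cupsd.conf, so with the default PeerCred on a non-root user can no longer PUT anything via peer credentials.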
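Review bot: in the three get_addr_and_mask() hunks, the added i >= 0 in the for-condition is a no-op unless the loop body reassigns i (i starts at 0 and the header only increments it); the body is not in the hunk, so add a one-line comment saying where i can become negative, or the next reader will remove the check as dead code. The same i is then reused as the prefix length for the i > 128 and i > 32 checks; the new i < 0 guards are right, but a separate variable or a comment noting that a negative value there comes from the mask parse rather than the address loop would make the intent clear.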
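Review bot: in the parse_variable() and read_cupsd_conf() hunks, CUPSD_VARTYPE_STRING now rejects a missing value and the failure is fatal when FatalErrors includes config; this is what closes the empty-ErrorPolicy null dereference from the commit message, but it also changes behaviour for every other string directive in cupsd_vars that used to accept an empty value silently, and only BrowseDNSSDSubTypes and PageLogFormat were moved to the new CUPSD_VARTYPE_NULLSTRING. Put a comment on those two table rows saying an empty value is intentional, and mention in the scarthgap patch description that a bare string directive in cupsd.conf is now a configuration error.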
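Review bot: in the read_cups_files_conf() hunk, a PeerCred line with no value fails the && value test and falls through to the remaining else-if chain instead of reaching the "Unknown PeerCred" error, so a truncated line is silently ignored and the compiled-in default stays in force; report a missing value explicitly, as parse_variable() now does for CUPSD_VARTYPE_STRING. The comment added to conf/cups-files.conf.in should also say why the directive lives there and not in cupsd.conf: the commit message notes that cupsd.conf could be rewritten over the PeerCred PUT path, so a setting that restricts that path must not be stored in the file the path can overwrite.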
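Review bot: the quoted diff ends inside the test/run-stp-tests.sh here-doc (cat >$BASE/cups-files.conf <), so the remainder of that hunk and the vcnet/config.h, xcode/config.h and xcode/CUPS.xcodeproj/project.pbxproj hunks listed in the diffstat (14 files, 145 insertions) are not visible in this mail; check the patch file in the scarthgap tree for those before merging, and confirm which line of the generated cups-files.conf the one-line run-stp-tests.sh change touches so the test run actually exercises the new PeerCred directive.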
X-Patchwork-Id: 77332
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/18] rsync: fix CVE-2025-10158 Date: Tue, 23 Dec 2025 13:22:09 -0800 Message-ID: <110933506d7a1177d1a074866d08fe0b0da612d7.1766524798.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228477 From: Adarsh Jagadish Kamini Fix an out-of-bounds read triggered by a malicious rsync client acting as a receiver. The issue can be exploited with read access to an rsync module. CVE: CVE-2025-10158 Signed-off-by: Adarsh Jagadish Kamini Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2025-10158.patch | 36 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
diff --git a/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch new file mode 100644 index 0000000000..a19cc15107 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch @@ -0,0 +1,36 @@ +From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Aug 2025 17:26:53 +1000 +Subject: [PATCH] fixed an invalid access to files array + + +this was found by Calum Hutton from Rapid7. It is a real bug, but +analysis shows it can't be leverged into an exploit. Worth fixing +though. + +Many thanks to Calum and Rapid7 for finding and reporting this + +CVE: CVE-2025-10158 +Upstream-Status: Backport +[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f] +Signed-off-by: Adarsh Jagadish Kamini +--- + sender.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sender.c b/sender.c +index 2bbff2fa..5528071e 100644 +--- a/sender.c ++++ b/sender.c +@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out) + + if (ndx - cur_flist->ndx_start >= 0) + file = cur_flist->files[ndx - cur_flist->ndx_start]; ++ else if (cur_flist->parent_ndx < 0) ++ exit_cleanup(RERR_PROTOCOL); + else + file = dir_flist->files[cur_flist->parent_ndx]; + if (F_PATHNAME(file)) { +-- +2.44.1 + diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index d0796d3c12..14beafb681 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12087-0003.patch \ file://CVE-2024-12088.patch \ file://CVE-2024-12747.patch \ + file://CVE-2025-10158.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
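Review bot: in the sender.c hunk, the new branch only rejects a negative cur_flist->parent_ndx before it is used as an index into dir_flist->files; nothing in the hunk bounds it from above, and the commit message does not say why that is impossible. If the flist code guarantees it elsewhere, a comment here would save the next reader the same analysis; otherwise check it against the dir_flist entry count as well and fail with the same exit_cleanup(RERR_PROTOCOL).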
From patchwork Tue Dec 23 21:22:10 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77337
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/18] qemu: fix CVE-2025-12464 Date: Tue, 23 Dec 2025 13:22:10 -0800 Message-ID: X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228478 From: Kai Kang Backport patch to fix CVE-2025-12464 for qemu. Reference: https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7 Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2025-12464.patch | 70 +++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 60d372fce0..dde3b0be13 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://CVE-2024-8354.patch \ + file://CVE-2025-12464.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch new file mode 100644 index 0000000000..6099fc79cd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
@@ -0,0 +1,70 @@ +From a01344d9d78089e9e585faaeb19afccff2050abf Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Tue, 28 Oct 2025 16:00:42 +0000 +Subject: [PATCH] net: pad packets to minimum length in qemu_receive_packet() + +In commits like 969e50b61a28 ("net: Pad short frames to minimum size +before sending from SLiRP/TAP") we switched away from requiring +network devices to handle short frames to instead having the net core +code do the padding of short frames out to the ETH_ZLEN minimum size. +We then dropped the code for handling short frames from the network +devices in a series of commits like 140eae9c8f7 ("hw/net: e1000: +Remove the logic of padding short frames in the receive path"). + +This missed one route where the device's receive code can still see a +short frame: if the device is in loopback mode and it transmits a +short frame via the qemu_receive_packet() function, this will be fed +back into its own receive code without being padded. + +Add the padding logic to qemu_receive_packet(). + +This fixes a buffer overrun which can be triggered in the +e1000_receive_iov() logic via the loopback code path. + +Other devices that use qemu_receive_packet() to implement loopback +are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139 +and sungem. 
+ +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043 +Reviewed-by: Akihiko Odaki +Signed-off-by: Peter Maydell +Signed-off-by: Jason Wang + +CVE: CVE-2025-12464 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7] + +Signed-off-by: Kai Kang +--- + net/net.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/net.c b/net/net.c +index 27e0d27807..8aefdb3424 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -775,10 +775,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + + ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) + { ++ uint8_t min_pkt[ETH_ZLEN]; ++ size_t min_pktsz = sizeof(min_pkt); ++ + if (!qemu_can_receive_packet(nc)) { + return 0; + } + ++ if (net_peer_needs_padding(nc)) { ++ if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { ++ buf = min_pkt; ++ size = min_pktsz; ++ } ++ } ++ + return qemu_net_queue_receive(nc->incoming_queue, buf, size); + } + +-- +2.47.1 +
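Review bot: in the net/net.c hunk, the padding is gated on net_peer_needs_padding(nc), but the frame here is being delivered to nc itself (the device's own receive path in loopback, per the commit message), not to its peer. If that helper, as its name suggests, tests whether nc's peer accepts short frames, then a device whose backend peer has opted out of padding, or a device with no peer at all, still gets the unpadded frame and the e1000_receive_iov() overrun stays reachable through loopback; either add a comment explaining why the peer's requirement is the right predicate here, or gate on the receiving client's own requirement. Separately, min_pkt is an ETH_ZLEN-byte stack buffer handed to qemu_net_queue_receive(), which is only safe while delivery stays synchronous, so a one-line comment stating that assumption would help.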
From patchwork Tue Dec 23 21:22:11 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77340
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/18] python3-urllib3: fix CVE-2025-66418 CVE-2025-66471 Date: Tue, 23 Dec 2025 13:22:11 -0800 Message-ID: X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228479 From: Jiaying Song References: https://nvd.nist.gov/vuln/detail/CVE-2025-66418 https://nvd.nist.gov/vuln/detail/CVE-2025-66471 Signed-off-by: Jiaying Song Signed-off-by: Steve Sakoman --- .../python3-urllib3/CVE-2025-66418.patch | 80 +++ .../python3-urllib3/CVE-2025-66471.patch | 585 ++++++++++++++++++ .../python/python3-urllib3_2.2.2.bb | 2 + 3 files changed, 667 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch new file mode 100644 index 0000000000..5d39b36afc --- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch 
@@ -0,0 +1,80 @@ +From 3bf7db860ef730e828b68264e88210190120cacf Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:41:33 +0200 +Subject: [PATCH] Merge commit from fork + +* Add a hard-coded limit for the decompression chain + +* Reuse new list + +CVE: CVE-2025-66418 + +Upstream-Status: Backport +[https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8] + +Signed-off-by: Jiaying Song +--- + changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++ + src/urllib3/response.py | 12 +++++++++++- + test/test_response.py | 10 ++++++++++ + 3 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst + +diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst +new file mode 100644 +index 00000000..6646eaa3 +--- /dev/null ++++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst +@@ -0,0 +1,4 @@ ++Fixed a security issue where an attacker could compose an HTTP response with ++virtually unlimited links in the ``Content-Encoding`` header, potentially ++leading to a denial of service (DoS) attack by exhausting system resources ++during decoding. The number of allowed chained encodings is now limited to 5. +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index a0273d65..b8e8565c 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -194,8 +194,18 @@ class MultiDecoder(ContentDecoder): + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. 
++ max_decode_links = 5 ++ + def __init__(self, modes: str) -> None: +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self) -> bytes: + return self._decoders[0].flush() +diff --git a/test/test_response.py b/test/test_response.py +index c0062771..0e8abd93 100644 +--- a/test/test_response.py ++++ b/test/test_response.py +@@ -581,6 +581,16 @@ class TestResponse: + assert r.read(9 * 37) == b"foobarbaz" * 37 + assert r.read() == b"" + ++ def test_read_multi_decoding_too_many_links(self) -> None: ++ fp = BytesIO(b"foo") ++ with pytest.raises( ++ DecodeError, match="Too many content encodings in the chain: 6 > 5" ++ ): ++ HTTPResponse( ++ fp, ++ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"}, ++ ) ++ + def test_body_blob(self) -> None: + resp = HTTPResponse(b"foo") + assert resp.data == b"foo" +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch new file mode 100644 index 0000000000..5329e26272 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch 
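Review bot: in the MultiDecoder.__init__ hunk of CVE-2025-66418.patch the new DecodeError is raised while the decoder is being built, i.e. from `_init_decoder` (`self._decoder = _get_decoder(content_encoding)`), not inside the `try: ... except self.DECODER_ERROR_CLASSES` block of `_decode`, so callers get the bare "Too many content encodings in the chain: 6 > 5" text rather than the usual "Received response with content-encoding: ..., but failed to decode it" wrapper, and, as the new test shows, the exception escapes from `HTTPResponse(...)` itself under the default preload_content=True, before the caller holds a response object to close. Either route the construction failure through the same error path or say in the changelog entry that an over-long chain fails at response construction; in both cases the hard-coded 5 is worth mentioning as a class attribute (`MultiDecoder.max_decode_links`) that a deployer can raise if a legitimate proxy chain needs it.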
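Review bot: in the test_response.py hunk only the rejection side of the limit is exercised (six encodings); add the boundary case with exactly five, e.g. `"gzip, deflate, gzip, deflate, gzip"`, and assert that it constructs, so a later off-by-one in `len(encodings) > self.max_decode_links` is caught. Using only gzip/deflate there keeps the test independent of the optional brotli/zstd backends; the six-link case above avoids those dependencies only because the error fires before `_get_decoder` is ever called for "br" or "zstd".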
@@ -0,0 +1,585 @@ +From f25c0d11e1b640e3c7e0addb66a1ff50730be508 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:40:41 +0200 +Subject: [PATCH] Merge commit from fork + +* Prevent decompression bomb for zstd in Python 3.14 + +* Add experimental `decompress_iter` for Brotli + +* Update changes for Brotli + +* Add `GzipDecoder.decompress_iter` + +* Test https://github.com/python-hyper/brotlicffi/pull/207 + +* Pin Brotli + +* Add `decompress_iter` to all decoders and make tests pass + +* Pin brotlicffi to an official release + +* Revert changes to response.py + +* Add `max_length` parameter to all `decompress` methods + +* Fix the `test_brotlipy` session + +* Unset `_data` on gzip error + +* Add a test for memory usage + +* Test more methods + +* Fix the test for `stream` + +* Cover more lines with tests + +* Add more coverage + +* Make `read1` a bit more efficient + +* Fix PyPy tests for Brotli + +* Revert an unnecessarily moved check + +* Add some comments + +* Leave just one `self._obj.decompress` call in `GzipDecoder` + +* Refactor test params + +* Test reads with all data already in the decompressor + +* Prevent needless copying of data decoded with `max_length` + +* Rename the changed test + +* Note that responses of unknown length should be streamed too + +* Add a changelog entry + +* Avoid returning a memory view from `BytesQueueBuffer` + +* Add one more note to the changelog entry + +CVE: CVE-2025-66471 + +Upstream-Status: Backport +[https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7] + +Signed-off-by: Jiaying Song +--- + docs/advanced-usage.rst | 3 +- + docs/user-guide.rst | 4 +- + pyproject.toml | 5 +- + src/urllib3/response.py | 278 ++++++++++++++++++++++++++++++++++------ + 4 files changed, 246 insertions(+), 44 deletions(-) + +diff --git a/docs/advanced-usage.rst b/docs/advanced-usage.rst +index 36a51e67..a12c7143 100644 +--- a/docs/advanced-usage.rst ++++ b/docs/advanced-usage.rst +@@ -66,7 +66,8 
@@ When using ``preload_content=True`` (the default setting) the + response body will be read immediately into memory and the HTTP connection + will be released back into the pool without manual intervention. + +-However, when dealing with large responses it's often better to stream the response ++However, when dealing with responses of large or unknown length, ++it's often better to stream the response + content using ``preload_content=False``. Setting ``preload_content`` to ``False`` means + that urllib3 will only read from the socket when data is requested. + +diff --git a/docs/user-guide.rst b/docs/user-guide.rst +index 5c78c8af..1d9d0bbd 100644 +--- a/docs/user-guide.rst ++++ b/docs/user-guide.rst +@@ -145,8 +145,8 @@ to a byte string representing the response content: + print(resp.data) + # b"\xaa\xa5H?\x95\xe9\x9b\x11" + +-.. note:: For larger responses, it's sometimes better to :ref:`stream ` +- the response. ++.. note:: For responses of large or unknown length, it's sometimes better to ++ :ref:`stream ` the response. 
+ + Using io Wrappers with Response Content + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +diff --git a/pyproject.toml b/pyproject.toml +index 1fe82937..58a2c2db 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -40,8 +40,8 @@ dynamic = ["version"] + + [project.optional-dependencies] + brotli = [ +- "brotli>=1.0.9; platform_python_implementation == 'CPython'", +- "brotlicffi>=0.8.0; platform_python_implementation != 'CPython'" ++ "brotli>=1.2.0; platform_python_implementation == 'CPython'", ++ "brotlicffi>=1.2.0.0; platform_python_implementation != 'CPython'" + ] + zstd = [ + "zstandard>=0.18.0", +@@ -95,6 +95,7 @@ filterwarnings = [ + '''default:ssl\.PROTOCOL_TLSv1_1 is deprecated:DeprecationWarning''', + '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''', + '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''', ++ '''default:Brotli >= 1.2.0 is required to prevent decompression bombs\.:urllib3.exceptions.DependencyWarning''', + '''default:Async generator 'quart\.wrappers\.response\.DataBody\.__aiter__\.\._aiter' was garbage collected.*:ResourceWarning''', # https://github.com/pallets/quart/issues/301 + '''default:unclosed file <_io\.BufferedWriter name='/dev/null'>:ResourceWarning''', # https://github.com/SeleniumHQ/selenium/issues/13328 + ] +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index b8e8565c..4304133e 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -49,6 +49,7 @@ from .connection import BaseSSLError, HTTPConnection, HTTPException + from .exceptions import ( + BodyNotHttplibCompatible, + DecodeError, ++ DependencyWarning, + HTTPError, + IncompleteRead, + InvalidChunkLength, +@@ -68,7 +69,11 @@ log = logging.getLogger(__name__) + + + class ContentDecoder: +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: + raise 
NotImplementedError() + + def flush(self) -> bytes: +@@ -78,30 +83,57 @@ class ContentDecoder: + class DeflateDecoder(ContentDecoder): + def __init__(self) -> None: + self._first_try = True +- self._data = b"" ++ self._first_try_data = b"" ++ self._unfed_data = b"" + self._obj = zlib.decompressobj() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ data = self._unfed_data + data ++ self._unfed_data = b"" ++ if not data and not self._obj.unconsumed_tail: + return data ++ original_max_length = max_length ++ if original_max_length < 0: ++ max_length = 0 ++ elif original_max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unfed_data = data ++ return b"" + ++ # Subsequent calls always reuse `self._obj`. zlib requires ++ # passing the unconsumed tail if decompression is to continue. + if not self._first_try: +- return self._obj.decompress(data) ++ return self._obj.decompress( ++ self._obj.unconsumed_tail + data, max_length=max_length ++ ) + +- self._data += data ++ # First call tries with RFC 1950 ZLIB format. ++ self._first_try_data += data + try: +- decompressed = self._obj.decompress(data) ++ decompressed = self._obj.decompress(data, max_length=max_length) + if decompressed: + self._first_try = False +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" + return decompressed ++ # On failure, it falls back to RFC 1951 DEFLATE format. 
+ except zlib.error: + self._first_try = False + self._obj = zlib.decompressobj(-zlib.MAX_WBITS) + try: +- return self.decompress(self._data) ++ return self.decompress( ++ self._first_try_data, max_length=original_max_length ++ ) + finally: +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unfed_data) or ( ++ bool(self._obj.unconsumed_tail) and not self._first_try ++ ) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -117,27 +149,61 @@ class GzipDecoder(ContentDecoder): + def __init__(self) -> None: + self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) + self._state = GzipDecoderState.FIRST_MEMBER ++ self._unconsumed_tail = b"" + +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: + ret = bytearray() +- if self._state == GzipDecoderState.SWALLOW_DATA or not data: ++ if self._state == GzipDecoderState.SWALLOW_DATA: + return bytes(ret) ++ ++ if max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unconsumed_tail += data ++ return b"" ++ ++ # zlib requires passing the unconsumed tail to the subsequent ++ # call if decompression is to continue. 
++ data = self._unconsumed_tail + data ++ if not data and self._obj.eof: ++ return bytes(ret) ++ + while True: + try: +- ret += self._obj.decompress(data) ++ ret += self._obj.decompress( ++ data, max_length=max(max_length - len(ret), 0) ++ ) + except zlib.error: + previous_state = self._state + # Ignore data after the first error + self._state = GzipDecoderState.SWALLOW_DATA ++ self._unconsumed_tail = b"" + if previous_state == GzipDecoderState.OTHER_MEMBERS: + # Allow trailing garbage acceptable in other gzip clients + return bytes(ret) + raise +- data = self._obj.unused_data ++ ++ self._unconsumed_tail = data = ( ++ self._obj.unconsumed_tail or self._obj.unused_data ++ ) ++ if max_length > 0 and len(ret) >= max_length: ++ break ++ + if not data: + return bytes(ret) +- self._state = GzipDecoderState.OTHER_MEMBERS +- self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ # When the end of a gzip member is reached, a new decompressor ++ # must be created for unused (possibly future) data. ++ if self._obj.eof: ++ self._state = GzipDecoderState.OTHER_MEMBERS ++ self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ ++ return bytes(ret) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unconsumed_tail) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -152,9 +218,35 @@ if brotli is not None: + def __init__(self) -> None: + self._obj = brotli.Decompressor() + if hasattr(self._obj, "decompress"): +- setattr(self, "decompress", self._obj.decompress) ++ setattr(self, "_decompress", self._obj.decompress) + else: +- setattr(self, "decompress", self._obj.process) ++ setattr(self, "_decompress", self._obj.process) ++ ++ # Requires Brotli >= 1.2.0 for `output_buffer_limit`. 
++ def _decompress(self, data: bytes, output_buffer_limit: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ try: ++ if max_length > 0: ++ return self._decompress(data, output_buffer_limit=max_length) ++ else: ++ return self._decompress(data) ++ except TypeError: ++ # Fallback for Brotli/brotlicffi/brotlipy versions without ++ # the `output_buffer_limit` parameter. ++ warnings.warn( ++ "Brotli >= 1.2.0 is required to prevent decompression bombs.", ++ DependencyWarning, ++ ) ++ return self._decompress(data) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ try: ++ return not self._obj.can_accept_more_data() ++ except AttributeError: ++ return False + + def flush(self) -> bytes: + if hasattr(self._obj, "flush"): +@@ -168,16 +260,46 @@ if HAS_ZSTD: + def __init__(self) -> None: + self._obj = zstd.ZstdDecompressor().decompressobj() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if not data and not self.has_unconsumed_tail: + return b"" +- data_parts = [self._obj.decompress(data)] +- while self._obj.eof and self._obj.unused_data: ++ if self._obj.eof: ++ data = self._obj.unused_data + data ++ self._obj = zstd.ZstdDecompressor() ++ part = self._obj.decompress(data, max_length=max_length) ++ length = len(part) ++ data_parts = [part] ++ # Every loop iteration is supposed to read data from a separate frame. ++ # The loop breaks when: ++ # - enough data is read; ++ # - no more unused data is available; ++ # - end of the last read frame has not been reached (i.e., ++ # more data has to be fed). 
++ while ( ++ self._obj.eof ++ and self._obj.unused_data ++ and (max_length < 0 or length < max_length) ++ ): + unused_data = self._obj.unused_data +- self._obj = zstd.ZstdDecompressor().decompressobj() +- data_parts.append(self._obj.decompress(unused_data)) ++ if not self._obj.needs_input: ++ self._obj = zstd.ZstdDecompressor() ++ part = self._obj.decompress( ++ unused_data, ++ max_length=(max_length - length) if max_length > 0 else -1, ++ ) ++ if part_length := len(part): ++ data_parts.append(part) ++ length += part_length ++ elif self._obj.needs_input: ++ break + return b"".join(data_parts) + ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return not (self._obj.needs_input or self._obj.eof) or bool( ++ self._obj.unused_data ++ ) ++ + def flush(self) -> bytes: + ret = self._obj.flush() # note: this is a no-op + if not self._obj.eof: +@@ -210,10 +332,35 @@ class MultiDecoder(ContentDecoder): + def flush(self) -> bytes: + return self._decoders[0].flush() + +- def decompress(self, data: bytes) -> bytes: +- for d in reversed(self._decoders): +- data = d.decompress(data) +- return data ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if max_length <= 0: ++ for d in reversed(self._decoders): ++ data = d.decompress(data) ++ return data ++ ++ ret = bytearray() ++ # Every while loop iteration goes through all decoders once. ++ # It exits when enough data is read or no more data can be read. ++ # It is possible that the while loop iteration does not produce ++ # any data because we retrieve up to `max_length` from every ++ # decoder, and the amount of bytes may be insufficient for the ++ # next decoder to produce enough/any output. ++ while True: ++ any_data = False ++ for d in reversed(self._decoders): ++ data = d.decompress(data, max_length=max_length - len(ret)) ++ if data: ++ any_data = True ++ # We should not break when no data is returned because ++ # next decoders may produce data even with empty input. 
++ ret += data ++ if not any_data or len(ret) >= max_length: ++ return bytes(ret) ++ data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return any(d.has_unconsumed_tail for d in self._decoders) + + + def _get_decoder(mode: str) -> ContentDecoder: +@@ -246,9 +393,6 @@ class BytesQueueBuffer: + + * self.buffer, which contains the full data + * the largest chunk that we will copy in get() +- +- The worst case scenario is a single chunk, in which case we'll make a full copy of +- the data inside get(). + """ + + def __init__(self) -> None: +@@ -270,6 +414,10 @@ class BytesQueueBuffer: + elif n < 0: + raise ValueError("n should be > 0") + ++ if len(self.buffer[0]) == n and isinstance(self.buffer[0], bytes): ++ self._size -= n ++ return self.buffer.popleft() ++ + fetched = 0 + ret = io.BytesIO() + while fetched < n: +@@ -473,7 +621,11 @@ class BaseHTTPResponse(io.IOBase): + self._decoder = _get_decoder(content_encoding) + + def _decode( +- self, data: bytes, decode_content: bool | None, flush_decoder: bool ++ self, ++ data: bytes, ++ decode_content: bool | None, ++ flush_decoder: bool, ++ max_length: int | None = None, + ) -> bytes: + """ + Decode the data passed in and potentially flush the decoder. 
+@@ -486,9 +638,12 @@ class BaseHTTPResponse(io.IOBase): + ) + return data + ++ if max_length is None or flush_decoder: ++ max_length = -1 ++ + try: + if self._decoder: +- data = self._decoder.decompress(data) ++ data = self._decoder.decompress(data, max_length=max_length) + self._has_decoded_content = True + except self.DECODER_ERROR_CLASSES as e: + content_encoding = self.headers.get("content-encoding", "").lower() +@@ -953,6 +1108,14 @@ class HTTPResponse(BaseHTTPResponse): + elif amt is not None: + cache_content = False + ++ if self._decoder and self._decoder.has_unconsumed_tail: ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=amt - len(self._decoded_buffer), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) >= amt: + return self._decoded_buffer.get(amt) + +@@ -960,7 +1123,11 @@ class HTTPResponse(BaseHTTPResponse): + + flush_decoder = amt is None or (amt != 0 and not data) + +- if not data and len(self._decoded_buffer) == 0: ++ if ( ++ not data ++ and len(self._decoded_buffer) == 0 ++ and not (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + return data + + if amt is None: +@@ -977,7 +1144,12 @@ class HTTPResponse(BaseHTTPResponse): + ) + return data + +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + + while len(self._decoded_buffer) < amt and data: +@@ -985,7 +1157,12 @@ class HTTPResponse(BaseHTTPResponse): + # For example, the GZ file header takes 10 bytes, we don't want to read + # it one byte at a time + data = self._raw_read(amt) +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + data = 
self._decoded_buffer.get(amt) + +@@ -1020,6 +1197,20 @@ class HTTPResponse(BaseHTTPResponse): + "Calling read1(decode_content=False) is not supported after " + "read1(decode_content=True) was called." + ) ++ if ( ++ self._decoder ++ and self._decoder.has_unconsumed_tail ++ and (amt is None or len(self._decoded_buffer) < amt) ++ ): ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=( ++ amt - len(self._decoded_buffer) if amt is not None else None ++ ), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) > 0: + if amt is None: + return self._decoded_buffer.get_all() +@@ -1035,7 +1226,9 @@ class HTTPResponse(BaseHTTPResponse): + self._init_decoder() + while True: + flush_decoder = not data +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, decode_content, flush_decoder, max_length=amt ++ ) + self._decoded_buffer.put(decoded_data) + if decoded_data or flush_decoder: + break +@@ -1066,7 +1259,11 @@ class HTTPResponse(BaseHTTPResponse): + if self.chunked and self.supports_chunked_reads(): + yield from self.read_chunked(amt, decode_content=decode_content) + else: +- while not is_fp_closed(self._fp) or len(self._decoded_buffer) > 0: ++ while ( ++ not is_fp_closed(self._fp) ++ or len(self._decoded_buffer) > 0 ++ or (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + data = self.read(amt=amt, decode_content=decode_content) + + if data: +@@ -1218,7 +1415,10 @@ class HTTPResponse(BaseHTTPResponse): + break + chunk = self._handle_chunk(amt) + decoded = self._decode( +- chunk, decode_content=decode_content, flush_decoder=False ++ chunk, ++ decode_content=decode_content, ++ flush_decoder=False, ++ max_length=amt, + ) + if decoded: + yield decoded +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb index bdb1c7ca8d..620927322a 100644 
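Review bot: the diffstat of CVE-2025-66471.patch lists only docs/advanced-usage.rst, docs/user-guide.rst, pyproject.toml and src/urllib3/response.py, yet the commit bullets describe test work ("Add a test for memory usage", "Test more methods", "Test reads with all data already in the decompressor", "Cover more lines with tests"); none of test/test_response.py is carried in this backport. The new decoder code has many branches (first-try/raw-deflate fallback, gzip member boundaries, zstd frame boundaries, the MultiDecoder drain loop), so please carry the upstream regression tests too, or state in the patch header why they were dropped.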
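Review bot: the pyproject.toml hunk raises the optional `brotli` extra to `brotli>=1.2.0` / `brotlicffi>=1.2.0.0` because `output_buffer_limit` only exists from those versions, but the recipe change in this series (python3-urllib3_2.2.2.bb) only appends the two patch files to SRC_URI and leaves `RDEPENDS:${PN}` untouched. With an older Brotli the BrotliDecoder hunk falls back to the uncapped `self._decompress(data)` and merely emits DependencyWarning, so for brotli-encoded responses CVE-2025-66471 would stay open on scarthgap. Please confirm the python3-brotli version in this layer satisfies the new requirement, or say in the commit message that brotli is not covered by the backport.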
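Review bot: in the `class ContentDecoder` hunk the new `max_length` argument and `has_unconsumed_tail` property get no docstring, and the subclasses do not agree on what `max_length == 0` means: DeflateDecoder and GzipDecoder store the input and return b"" (their comment explains that zlib treats 0 as unlimited), BrotliDecoder only applies a limit when `max_length > 0` and otherwise decompresses without a cap, ZstdDecoder passes 0 straight through, and MultiDecoder treats `max_length <= 0` as unlimited. A short contract on the base class (negative: unlimited; zero: consume nothing and keep the input; positive: cap the output) and aligning BrotliDecoder and MultiDecoder to it would let the cap be reasoned about from one place.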
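Review bot: in the BrotliDecoder hunk `except TypeError:` around `self._decompress(data, output_buffer_limit=max_length)` is broader than its comment says: any TypeError, not only the missing-keyword one, is taken as "old Brotli" and silently switches to the uncapped `self._decompress(data)`, and the DependencyWarning is re-issued on every chunk. Probe for `output_buffer_limit` once in `__init__` and keep the result in a flag, so the fallback is taken deliberately and warned about once; and since `has_unconsumed_tail` returns False whenever `can_accept_more_data` is absent, note next to the warning that on old Brotli the `read()` tail-draining path is inactive as well, i.e. the behaviour is exactly the pre-patch uncapped one.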
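Review bot: the ZstdDecoder hunk mixes two APIs. The unchanged `__init__` context still creates `zstd.ZstdDecompressor().decompressobj()` (the `zstandard` package's streaming object that 2.2.2 uses behind `if HAS_ZSTD:`), but the new code replaces `_obj` with a bare `zstd.ZstdDecompressor()` on `eof` and on `not self._obj.needs_input`, then calls `self._obj.decompress(data, max_length=max_length)` and reads `self._obj.needs_input`, which is the `compression.zstd` interface the upstream commit targets ("Prevent decompression bomb for zstd in Python 3.14"). In the `zstandard` package `ZstdDecompressor` is a factory whose `decompress()` takes `max_output_size` and which has no `eof`, `unused_data` or `needs_input`, so after the first frame the code would raise a TypeError/AttributeError that the `except self.DECODER_ERROR_CLASSES` path in `_decode` is not meant to catch. Please run the zstd tests against the python3-zstandard actually shipped in this layer (checking first that `ZstdDecompressionObj.decompress()` accepts `max_length` and exposes `needs_input` at all) and either port the logic to `decompressobj()` throughout or state that zstd is not covered by this backport.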
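Review bot: in the `_decode` hunk `if max_length is None or flush_decoder: max_length = -1` means the cap exists only when a caller passes `amt`: `read()` with `amt=None` (the `if amt is None:` branch is untouched), `read1()` without `amt` (its new pre-decode block passes `max_length=None`), and the default preload_content=True path described in the docs hunk still decompress the whole body uncapped, and the final flush in `read()` (`flush_decoder = amt is None or (amt != 0 and not data)`) is uncapped by design. The two docs hunks only say that responses of large or unknown length are better streamed; they should state that the protection requires streaming with a chunk size (`stream(amt)` / `read(amt)`), otherwise users will assume upgrading alone closes the DoS.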
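Review bot: in the first `read()` hunk the new pre-decode block computes `max_length=amt - len(self._decoded_buffer)` before the `if len(self._decoded_buffer) >= amt:` early return, so if the buffer already holds at least `amt` bytes the argument is zero or negative, which MultiDecoder treats as unlimited (`if max_length <= 0:`) and every decoder treats as unlimited when negative. The `read1()` hunk guards its equivalent block with `(amt is None or len(self._decoded_buffer) < amt)`; give the `read()` block the same guard (or move it below the early return) so buffered leftovers can never switch the cap off.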
--- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb 
@@ -9,6 +9,8 @@ inherit pypi python_hatchling SRC_URI += " \ file://CVE-2025-50181.patch \ + file://CVE-2025-66418.patch \ + file://CVE-2025-66471.patch \ " RDEPENDS:${PN} += "\
From patchwork Tue Dec 23 21:22:12 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77339
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/18] cmake-native: fix CVE-2025-9301 Date: Tue, 23 Dec 2025 13:22:12 -0800 Message-ID: <24f831be7d99d5ea3fe304b9aa2d82e7e2d4a5fa.1766524798.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Dec 2025 21:22:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228480 From: Daniel Turull Add fix for native recipe, since previous commit for cmake missed it. 5d8a6fb52c cmake: fix CVE-2025-9301 CC: Saravanan CC: Steve Sakoman Signed-off-by: Daniel Turull Signed-off-by: Steve Sakoman --- meta/recipes-devtools/cmake/cmake-native_3.28.3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb b/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb index 376da3254b..7b250752d8 100644 --- a/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb +++ b/meta/recipes-devtools/cmake/cmake-native_3.28.3.bb 
@@ -7,6 +7,7 @@ SRC_URI += "file://OEToolchainConfig.cmake \ file://environment.d-cmake.sh \ file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \ file://0001-CMakeLists.txt-disable-USE_NGHTTP2.patch \ + file://CVE-2025-9301.patch \ " LICENSE:append = " & BSD-1-Clause & MIT & BSD-2-Clause & curl"
From patchwork Tue Dec 23 21:22:13 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77338
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/18] binutils: Fix CVE-2025-11494 Date: Tue, 23 Dec 2025 13:22:13 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Dec 2025 21:22:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228481 From: Deepesh Varatharajan Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output .eh_frame section is non-empty. Backport a patch from upstream to fix CVE-2025-11494 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a] Signed-off-by: Deepesh Varatharajan Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.42.inc | 1 + .../binutils/0028-CVE-2025-11494.patch | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 60b0d03ccd..69c5eddefb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -66,5 +66,6 @@ SRC_URI = "\ file://CVE-2025-11414.patch \ file://CVE-2025-11412.patch \ file://CVE-2025-11413.patch \ + file://0028-CVE-2025-11494.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch new file mode 100644 index 0000000000..dc4b413658 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2025-11494.patch 
@@ -0,0 +1,43 @@ +From: "H.J. Lu" +Date: Tue, 30 Sep 2025 08:13:56 +0800 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a] +CVE: CVE-2025-11494 + +Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep +_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output +.eh_frame section is non-empty. + + PR ld/33499 + * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep + _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the + output .eh_frame section is non-empty. + +Signed-off-by: Deepesh Varatharajan + +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c +index c054f7cd..ddc15945 100644 +--- a/bfd/elfxx-x86.c ++++ b/bfd/elfxx-x86.c +@@ -2447,6 +2447,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + + if (htab->elf.sgotplt) + { ++ asection *eh_frame; ++ + /* Don't allocate .got.plt section if there are no GOT nor PLT + entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */ + if ((htab->elf.hgot == NULL +@@ -2459,7 +2461,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd, + && (htab->elf.iplt == NULL + || htab->elf.iplt->size == 0) + && (htab->elf.igotplt == NULL +- || htab->elf.igotplt->size == 0)) ++ || htab->elf.igotplt->size == 0) ++ && (!htab->elf.dynamic_sections_created ++ || (eh_frame = bfd_get_section_by_name (output_bfd, ++ ".eh_frame")) == NULL ++ || eh_frame->rawsize == 0)) + { + htab->elf.sgotplt->size = 0; + /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
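Review bot: the new condition in the second embedded hunk tests `eh_frame->rawsize == 0`, not `eh_frame->size == 0`; BFD's `rawsize` is the section's original on-disk size and can differ from `size` once sections have been resized, so please confirm that for the output `.eh_frame` in 2.42's `_bfd_x86_elf_late_size_sections` the field is populated at this point, otherwise the added clause is always true and `_GLOBAL_OFFSET_TABLE_` is still discarded. The assignment inside the condition, `(eh_frame = bfd_get_section_by_name (output_bfd, ".eh_frame")) == NULL`, is only evaluated when `htab->elf.dynamic_sections_created` is set, so the `asection *eh_frame;` declared in the first hunk is never read uninitialised. Separately, the patch file's header starts at `+From: "H.J. Lu"` with no `From <sha>` line and no `Subject:`; the upstream commit is identified only in the `Upstream-Status:` URL, so add the subject line so the patch carries a commit title when applied with `git am`.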
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/18] binutils: fix CVE-2025-11839
Date: Tue, 23 Dec 2025 13:22:14 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228482
From: Yash Shinde

CVE-2025-11839

PR 33448 [BUG] Aborted in tg_tag_type at prdbg.c:2452

Remove call to abort in the DGB debug format printing code, thus allowing the display of a fuzzed input file to complete without triggering an abort.

https://sourceware.org/bugzilla/show_bug.cgi?id=33448

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]

Signed-off-by: Yash Shinde
Signed-off-by: Steve Sakoman
---
 .../binutils/binutils-2.42.inc | 1 + .../binutils/0029-CVE-2025-11839.patch | 32 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 69c5eddefb..e045ccf00d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -67,5 +67,6 @@ SRC_URI = "\ file://CVE-2025-11412.patch \ file://CVE-2025-11413.patch \ file://0028-CVE-2025-11494.patch \ + file://0029-CVE-2025-11839.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch new file mode 100644 index 0000000000..7f2f6d553d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2025-11839.patch
@@ -0,0 +1,32 @@ +From 12ef7d5b7b02d0023db645d86eb9d0797bc747fe Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 3 Nov 2025 11:49:02 +0000 +Subject: [PATCH] Remove call to abort in the DGB debug format printing code, + thus allowing the display of a fuzzed input file to complete without + triggering an abort. + +PR 33448 +--- + binutils/prdbg.c | 1 - + 1 file changed, 1 deletion(-) + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe] +CVE: CVE-2025-11839 + +Signed-off-by: Yash Shinde + +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index c239aeb1a79..5d405c48e3d 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -2449,7 +2449,6 @@ tg_tag_type (void *p, const char *name, unsigned int id, + t = "union class "; + break; + default: +- abort (); + return false; + } + +-- +2.43.7 +
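Review bot: removing `abort ();` leaves the `default:` arm of the switch in `tg_tag_type` returning false with no diagnostic, so a fuzzed input with an unknown tag kind now yields a silently truncated listing instead of a crash; if the callers of `tg_tag_type` do not report a false return themselves, consider emitting a message (binutils' `non_fatal`, for instance) before `return false;` so the reader can tell the output is incomplete. Otherwise the change is the minimal fix for PR 33448, and the embedded header carries the upstream sha, `CVE:` and `Upstream-Status:` tags as required.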
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/18] binutils: fix CVE-2025-11840
Date: Tue, 23 Dec 2025 13:22:15 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228483

From: Yash Shinde

CVE-2025-11840

PR 33455 [BUG] A SEGV in vfinfo at ldmisc.c:527

A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one place emitting diagnostics assumes a reloc howto won't have a NULL name.

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]

Signed-off-by: Yash Shinde
Signed-off-by: Steve Sakoman
---
 .../binutils/binutils-2.42.inc | 1 + .../binutils/0030-CVE-2025-11840.patch | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index e045ccf00d..839d31242e 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -68,5 +68,6 @@ SRC_URI = "\ file://CVE-2025-11413.patch \ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ + file://0030-CVE-2025-11840.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch new file mode 100644 index 0000000000..3fb4db880e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2025-11840.patch 
@@ -0,0 +1,37 @@ +From f6b0f53a36820da91eadfa9f466c22f92e4256e0 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Mon, 3 Nov 2025 09:03:37 +1030 +Subject: [PATCH] PR 33455 SEGV in vfinfo at ldmisc.c:527 + +A reloc howto set up with EMPTY_HOWTO has a NULL name. More than one +place emitting diagnostics assumes a reloc howto won't have a NULL +name. + + PR 33455 + * coffcode.h (coff_slurp_reloc_table): Don't allow a howto with + a NULL name. +--- + bfd/coffcode.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0] +CVE: CVE-2025-11840 + +Signed-off-by: Yash Shinde + +diff --git a/bfd/coffcode.h b/bfd/coffcode.h +index 1e5acc0032c..ce1e39131b4 100644 +--- a/bfd/coffcode.h ++++ b/bfd/coffcode.h +@@ -5345,7 +5345,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols) + RTYPE2HOWTO (cache_ptr, &dst); + #endif /* RELOC_PROCESSING */ + +- if (cache_ptr->howto == NULL) ++ if (cache_ptr->howto == NULL || cache_ptr->howto->name == NULL) + { + _bfd_error_handler + /* xgettext:c-format */ +-- +2.43.7 +
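Review bot: the widened guard `cache_ptr->howto == NULL || cache_ptr->howto->name == NULL` sends an `EMPTY_HOWTO` reloc into the same `_bfd_error_handler` branch as a missing howto; check that the message in that branch (cut off after the `xgettext:c-format` comment here) formats the reloc type number rather than `howto->name`, otherwise the NULL name just moves the crash into the error path. The description says more than one diagnostic site assumes a non-NULL name, but the ChangeLog entry and the `1 file changed` diffstat cover only `coff_slurp_reloc_table`, so the `CVE:` tag may be closing CVE-2025-11840 on the strength of one of several upstream commits; worth confirming against bugzilla 33455, linked in the cover text, before this is counted as a complete fix.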
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/18] libxslt: Fix CVE-2025-11731
Date: Tue, 23 Dec 2025 13:22:16 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228484

From: Mingli Yu

Backport the patch [1] to fix CVE-2025-11731.

[1] https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3

Signed-off-by: Mingli Yu
Signed-off-by: Steve Sakoman
---
 .../libxslt/files/CVE-2025-11731.patch | 42 +++++++++++++++++++ .../recipes-support/libxslt/libxslt_1.1.43.bb | 3 +- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libxslt/files/CVE-2025-11731.patch diff --git a/meta/recipes-support/libxslt/files/CVE-2025-11731.patch b/meta/recipes-support/libxslt/files/CVE-2025-11731.patch new file mode 100644 index 0000000000..19702af6cb --- /dev/null +++ b/meta/recipes-support/libxslt/files/CVE-2025-11731.patch
@@ -0,0 +1,42 @@ +From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= +Date: Wed, 27 Aug 2025 14:28:40 +0300 +Subject: [PATCH] End function node ancestor search at document + +Avoids dereferencing a non-existent ->ns property on an +XML_DOCUMENT_NODE pointer. + +Fixes #151. + +CVE: CVE-2025-11731 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3] + +Signed-off-by: Mingli Yu +--- + libexslt/functions.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libexslt/functions.c b/libexslt/functions.c +index 8d35a7ae..a54ee70c 100644 +--- a/libexslt/functions.c ++++ b/libexslt/functions.c +@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst, + * instanciation of a func:result element. + */ + for (test = inst->parent; test != NULL; test = test->parent) { +- if (IS_XSLT_ELEM(test) && +- IS_XSLT_NAME(test, "stylesheet")) { ++ if (/* Traversal has reached the top-level document without ++ * finding a func:function ancestor. */ ++ (test != NULL && test->type == XML_DOCUMENT_NODE) || ++ /* Traversal reached a stylesheet-namespace node, ++ * and has left the function namespace. */ ++ (IS_XSLT_ELEM(test) && ++ IS_XSLT_NAME(test, "stylesheet"))) { + xsltGenericError(xsltGenericErrorContext, + "func:result element not a descendant " + "of a func:function\n"); +-- +2.34.1 + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.43.bb b/meta/recipes-support/libxslt/libxslt_1.1.43.bb index e08e92085d..e33b1bb902 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.43.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.43.bb 
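Review bot: in the new `if` condition, `test != NULL &&` before `test->type == XML_DOCUMENT_NODE` is redundant, since the enclosing `for (test = inst->parent; test != NULL; test = test->parent)` already guarantees `test` is non-NULL inside the body; dropping it shortens the expression without changing behaviour. The order of the two alternatives does matter and should stay as written: the `XML_DOCUMENT_NODE` test must precede `IS_XSLT_ELEM(test)`, because the macro reads `test->ns`, which the commit text says a document node does not have, and that dereference is the CVE-2025-11731 bug; the two inline comments already say as much, so a reviewer reordering this later has fair warning.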
@@ -14,7 +14,8 @@ SECTION = "libs" DEPENDS = "libxml2" SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \ - file://gnome-libxslt-bug-139-apple-fix.diff" + file://gnome-libxslt-bug-139-apple-fix.diff \ + file://CVE-2025-11731.patch" SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403f0183a"
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 11/18] ruby: Upgrade 3.3.5 -> 3.3.10
Date: Tue, 23 Dec 2025 13:22:17 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228485

From: Mingli Yu

Per ruby maintenance policy [1], the 3.3.x branch should still be in normal maintenance, so upgrade to the latest version 3.3.10 to fix many security issues and bugs.

Remove the fix for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 as these fixes have been included in the new version.

[1] https://www.ruby-lang.org/en/downloads/branches/

Signed-off-by: Mingli Yu
Signed-off-by: Steve Sakoman
---
 .../ruby/ruby/CVE-2025-27219.patch | 31 -------- .../ruby/ruby/CVE-2025-27220.patch | 78 ------------------- .../ruby/ruby/CVE-2025-27221-0001.patch | 57 -------------- .../ruby/ruby/CVE-2025-27221-0002.patch | 73 ----------------- .../ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} | 6 +- 5 files changed, 1 insertion(+), 244 deletions(-) delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch rename meta/recipes-devtools/ruby/{ruby_3.3.5.bb => ruby_3.3.10.bb} (95%) diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch deleted file mode 100644 index 7813a6143c..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch +++ /dev/null
@@ -1,31 +0,0 @@ -From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001 -From: Hiroshi SHIBATA -Date: Fri, 21 Feb 2025 16:01:17 +0900 -Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage - -Co-authored-by: "Yusuke Endoh" - -Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab] -CVE: CVE-2025-27219 -Signed-off-by: Ashish Sharma - - lib/cgi/cookie.rb | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb -index 9498e2f..1c4ef6a 100644 ---- a/lib/cgi/cookie.rb -+++ b/lib/cgi/cookie.rb -@@ -190,9 +190,10 @@ def self.parse(raw_cookie) - values ||= "" - values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) } - if cookies.has_key?(name) -- values = cookies[name].value + values -+ cookies[name].concat(values) -+ else -+ cookies[name] = Cookie.new(name, *values) - end -- cookies[name] = Cookie.new(name, *values) - end - - cookies diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch deleted file mode 100644 index f2f8bc7f76..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch +++ /dev/null 
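Review bot: deleting `CVE-2025-27219.patch` is only correct if the cgi gem bundled with ruby 3.3.10 already contains upstream commit 9907b76dad0777ee300de236dad4b559e07596ab (the `Upstream-Status:` URL in the dropped file); the cover text asserts this for all three CVEs, but nothing in the diff records the bundled cgi or uri gem versions, so please state them in the commit message so the claim can be checked against the 3.3.10 release notes and the recipe's CVE status stays auditable after the patch files are gone.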
@@ -1,78 +0,0 @@ -From cd1eb08076c8b8e310d4d553d427763f2577a1b6 Mon Sep 17 00:00:00 2001 -From: Hiroshi SHIBATA -Date: Fri, 21 Feb 2025 15:53:31 +0900 -Subject: [PATCH] Escape/unescape unclosed tags as well - -Co-authored-by: Nobuyoshi Nakada - -CVE: CVE-2025-27220 - -Upstream-Status: Backport [https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6] - -Signed-off-by: Divya Chellam ---- - lib/cgi/util.rb | 4 ++-- - test/cgi/test_cgi_util.rb | 18 ++++++++++++++++++ - 2 files changed, 20 insertions(+), 2 deletions(-) - -diff --git a/lib/cgi/util.rb b/lib/cgi/util.rb -index 4986e54..5f12eae 100644 ---- a/lib/cgi/util.rb -+++ b/lib/cgi/util.rb -@@ -184,7 +184,7 @@ module CGI::Util - def escapeElement(string, *elements) - elements = elements[0] if elements[0].kind_of?(Array) - unless elements.empty? -- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do -+ string.gsub(/<\/?(?:#{elements.join("|")})\b[^<>]*+>?/im) do - CGI.escapeHTML($&) - end - else -@@ -204,7 +204,7 @@ module CGI::Util - def unescapeElement(string, *elements) - elements = elements[0] if elements[0].kind_of?(Array) - unless elements.empty? -- string.gsub(/<\/?(?:#{elements.join("|")})(?!\w)(?:.|\n)*?>/i) do -+ string.gsub(/<\/?(?:#{elements.join("|")})\b(?>[^&]+|&(?![gl]t;)\w+;)*(?:>)?/im) do - unescapeHTML($&) - end - else -diff --git a/test/cgi/test_cgi_util.rb b/test/cgi/test_cgi_util.rb -index b0612fc..bff77f7 100644 ---- a/test/cgi/test_cgi_util.rb -+++ b/test/cgi/test_cgi_util.rb -@@ -269,6 +269,14 @@ class CGIUtilTest < Test::Unit::TestCase - assert_equal("
<A HREF="url"></A>", escapeElement('
', ["A", "IMG"])) - assert_equal("
<A HREF="url"></A>", escape_element('
', "A", "IMG")) - assert_equal("
<A HREF="url"></A>", escape_element('
', ["A", "IMG"])) -+ -+ assert_equal("<A <A HREF="url"></A>", escapeElement('', "A", "IMG")) -+ assert_equal("<A <A HREF="url"></A>", escapeElement('', ["A", "IMG"])) -+ assert_equal("<A <A HREF="url"></A>", escape_element('', "A", "IMG")) -+ assert_equal("<A <A HREF="url"></A>", escape_element('', ["A", "IMG"])) -+ -+ assert_equal("<A <A ", escapeElement('', unescapeElement(escapeHTML('
'), ["A", "IMG"])) - assert_equal('<BR>', unescape_element(escapeHTML('
'), "A", "IMG")) - assert_equal('<BR>', unescape_element(escapeHTML('
'), ["A", "IMG"])) -+ -+ assert_equal('', unescapeElement(escapeHTML(''), "A", "IMG")) -+ assert_equal('', unescapeElement(escapeHTML(''), ["A", "IMG"])) -+ assert_equal('', unescape_element(escapeHTML(''), "A", "IMG")) -+ assert_equal('', unescape_element(escapeHTML(''), ["A", "IMG"])) -+ -+ assert_equal(' -Date: Fri, 21 Feb 2025 16:29:36 +0900 -Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+ - -CVE: CVE-2025-27221 - -Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495] - -Signed-off-by: Divya Chellam ---- - lib/uri/generic.rb | 6 +++++- - test/uri/test_generic.rb | 11 +++++++++++ - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb -index f3540a2..ecc78c5 100644 ---- a/lib/uri/generic.rb -+++ b/lib/uri/generic.rb -@@ -1141,7 +1141,11 @@ module URI - end - - # RFC2396, Section 5.2, 7) -- base.set_userinfo(rel.userinfo) if rel.userinfo -+ if rel.userinfo -+ base.set_userinfo(rel.userinfo) -+ else -+ base.set_userinfo(nil) -+ end - base.set_host(rel.host) if rel.host - base.set_port(rel.port) if rel.port - base.query = rel.query if rel.query -diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb -index e661937..17ba2b6 100644 ---- a/test/uri/test_generic.rb -+++ b/test/uri/test_generic.rb -@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase - # must be empty string to identify as path-abempty, not path-absolute - assert_equal('', url.host) - assert_equal('http:////example.com', url.to_s) -+ -+ # sec-2957667 -+ url = URI.parse('http://user:pass@example.com').merge('//example.net') -+ assert_equal('http://example.net', url.to_s) -+ assert_nil(url.userinfo) -+ url = URI.join('http://user:pass@example.com', '//example.net') -+ assert_equal('http://example.net', url.to_s) -+ assert_nil(url.userinfo) -+ url = URI.parse('http://user:pass@example.com') + '//example.net' -+ assert_equal('http://example.net', url.to_s) -+ 
assert_nil(url.userinfo) - end - - def test_parse_scheme_with_symbols --- -2.40.0 - diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch deleted file mode 100644 index 4435b87c34..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001 -From: Hiroshi SHIBATA -Date: Fri, 21 Feb 2025 18:16:28 +0900 -Subject: [PATCH] Fix merger of URI with authority component - -https://hackerone.com/reports/2957667 - -Co-authored-by: Nobuyoshi Nakada - -CVE: CVE-2025-27221 - -Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5] - -Signed-off-by: Divya Chellam ---- - lib/uri/generic.rb | 19 +++++++------------ - test/uri/test_generic.rb | 7 +++++++ - 2 files changed, 14 insertions(+), 12 deletions(-) - -diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb -index ecc78c5..2c0a88d 100644 ---- a/lib/uri/generic.rb -+++ b/lib/uri/generic.rb -@@ -1133,21 +1133,16 @@ module URI - base.fragment=(nil) - - # RFC2396, Section 5.2, 4) -- if !authority -- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path -- else -- # RFC2396, Section 5.2, 4) -- base.set_path(rel.path) if rel.path -+ if authority -+ base.set_userinfo(rel.userinfo) -+ base.set_host(rel.host) -+ base.set_port(rel.port || base.default_port) -+ base.set_path(rel.path) -+ elsif base.path && rel.path -+ base.set_path(merge_path(base.path, rel.path)) - end - - # RFC2396, Section 5.2, 7) -- if rel.userinfo -- base.set_userinfo(rel.userinfo) -- else -- base.set_userinfo(nil) -- end -- base.set_host(rel.host) if rel.host -- base.set_port(rel.port) if rel.port - base.query = rel.query if rel.query - base.fragment=(rel.fragment) if rel.fragment - -diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb -index 17ba2b6..1a70dd4 100644 ---- a/test/uri/test_generic.rb -+++ b/test/uri/test_generic.rb -@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase - assert_equal(u0, u1) - end - -+ def test_merge_authority -+ u = URI.parse('http://user:pass@example.com:8080') -+ u0 = URI.parse('http://new.example.org/path') -+ u1 = u.merge('//new.example.org/path') -+ assert_equal(u0, u1) -+ end -+ - def 
test_route - url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html') - assert_equal('b.html', url.to_s) --- -2.40.0 - diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.10.bb similarity index 95% rename from meta/recipes-devtools/ruby/ruby_3.3.5.bb rename to meta/recipes-devtools/ruby/ruby_3.3.10.bb index 8b45946f6b..936bc73e32 100644 --- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb +++ b/meta/recipes-devtools/ruby/ruby_3.3.10.bb @@ -26,10 +26,6 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ - file://CVE-2025-27219.patch \ - file://CVE-2025-27220.patch \ - file://CVE-2025-27221-0001.patch \ - file://CVE-2025-27221-0002.patch \ file://0007-Skip-test_rm_r_no_permissions-test-under-root.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" 
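Review bot: dropping file://CVE-2025-27219.patch, file://CVE-2025-27220.patch, file://CVE-2025-27221-0001.patch and file://CVE-2025-27221-0002.patch from SRC_URI (and deleting the files) is only safe if ruby 3.3.10 already ships the upstream fixes those patches backported; the deleted 0001/0002 headers point at ruby/uri commits 3675494839112b64d5f082a9068237b277ed1495 and 2789182478f42ccbb62197f952eb730e4f02bfc5, so the review should confirm those are in the uri gem bundled with the 3.3.10 tarball, otherwise the bump silently regresses the userinfo-truncation fix. Note that the deleted 0002 patch also carried the test_merge_authority regression test, which goes away with it; the ruby_3.3.5.bb to ruby_3.3.10.bb rename is otherwise a plain version bump.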
@@ -51,7 +47,7 @@ do_configure:prepend() { DEPENDS:append:libc-musl = " libucontext" -SRC_URI[sha256sum] = "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196" +SRC_URI[sha256sum] = "b555baa467a306cfc8e6c6ed24d0d27b27e9a1bed1d91d95509859eac6b0e928" PACKAGECONFIG ??= "" PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
From patchwork Tue Dec 23 21:22:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77343
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/18] scripts/install-buildtools: Update to 5.0.14 Date: Tue, 23 Dec 2025 13:22:18 -0800 Message-ID: <4c85440cd95d9cd007ef4346ecc9580806526c96.1766524798.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228486 From: Aleksandar Nikolic Update to the 5.0.14 release of the 5.0 series for buildtools Signed-off-by: Aleksandar Nikolic Signed-off-by: Steve Sakoman --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index a449e45cff..f1c3084245 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-5.0.12' -DEFAULT_INSTALLER_VERSION = '5.0.12' +DEFAULT_RELEASE = 'yocto-5.0.14' +DEFAULT_INSTALLER_VERSION = '5.0.14' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check
From patchwork Tue Dec 23 21:22:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77344
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/18] kernel.bbclass: Add task to export kernel configuration to SPDX Date: Tue, 23 Dec 2025 13:22:19 -0800 Message-ID: <1fff29a0428778929ffa530482ebf7db95f1e0ae.1766524798.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228487 From: "Kamel Bouhara (Schneider Electric)" Introduce a new bitbake task do_create_kernel_config_spdx that extracts the kernel configuration from ${B}/.config and exports it into the recipe's SPDX document as a separate build_Build object. The kernel config parameters are stored as SPDX DictionaryEntry objects and linked to the main kernel build using an ancestorOf relationship. This enables the kernel build's configuration to be explicitly captured in the SPDX document for compliance, auditing, and reproducibility. The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0"). Reviewed-by: Joshua Watt Signed-off-by: Kamel Bouhara (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 228a968e7c47d811c06143279bdb0f9c5f374bef) Signed-off-by: Steve Sakoman --- meta/classes-recipe/kernel.bbclass | 64 ++++++++++++++++++++++++++++ meta/classes/create-spdx-3.0.bbclass | 6 +++ 2 files changed, 70 insertions(+) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 4c1cb89a46..d557e98d65 100644
--- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass 
@@ -873,5 +873,69 @@ addtask deploy after do_populate_sysroot do_packagedata EXPORT_FUNCTIONS do_deploy +python __anonymous() { + inherits = (d.getVar("INHERIT") or "") + if "create-spdx" in inherits: + bb.build.addtask('do_create_kernel_config_spdx', 'do_populate_lic do_deploy', 'do_create_spdx', d) +} + +python do_create_kernel_config_spdx() { + if d.getVar("SPDX_INCLUDE_KERNEL_CONFIG", True) == "1": + import oe.spdx30 + import oe.spdx30_tasks + from pathlib import Path + from datetime import datetime, timezone + + pkg_arch = d.getVar("SSTATE_PKGARCH") + deploydir = Path(d.getVar("SPDXDEPLOY")) + pn = d.getVar("PN") + + config_path = d.expand("${B}/.config") + kernel_params = [] + if not os.path.exists(config_path): + bb.warn(f"SPDX: Kernel config file not found at: {config_path}") + return + + try: + with open(config_path, 'r') as f: + for line in f: + line = line.strip() + if not line or line.startswith("#"): + continue + if "=" in line: + key, value = line.split("=", 1) + kernel_params.append(oe.spdx30.DictionaryEntry( + key=key, + value=value.strip('"') + )) + bb.note(f"Parsed {len(kernel_params)} kernel config entries from {config_path}") + except Exception as e: + bb.error(f"Failed to parse kernel config file: {e}") + + build, build_objset = oe.sbom30.find_root_obj_in_jsonld( + d, "recipes", f"recipe-{pn}", oe.spdx30.build_Build + ) + + kernel_build = build_objset.add_root( + oe.spdx30.build_Build( + _id=build_objset.new_spdxid("kernel-config"), + creationInfo=build_objset.doc.creationInfo, + build_buildType="https://openembedded.org/kernel-configuration", + build_parameter=kernel_params + ) + ) + + oe.spdx30_tasks.set_timestamp_now(d, kernel_build, "build_buildStartTime") + + build_objset.new_relationship( + [build], + oe.spdx30.RelationshipType.ancestorOf, + [kernel_build] + ) + + oe.sbom30.write_jsonld_doc(d, build_objset, deploydir / pkg_arch / "recipes" / f"recipe-{pn}.spdx.json") +} +do_create_kernel_config_spdx[depends] = 
"virtual/kernel:do_configure" + # Add using Device Tree support inherit kernel-devicetree diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index c0a5436ad6..15c31ba9a3 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass 
@@ -50,6 +50,12 @@ SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \ useful if you want to know when artifacts were produced and when builds \ occurred, but will result in non-reproducible SPDX output" +SPDX_INCLUDE_KERNEL_CONFIG ??= "0" +SPDX_INCLUDE_KERNEL_CONFIG[doc] = "If set to '1', the .config file for the kernel will be parsed \ +and each CONFIG_* value will be included in the Build.build_parameter list as DictionaryEntry \ +items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ +SPDX document size." + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \
From patchwork Tue Dec 23 21:22:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77342
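Review bot: in the kernel.bbclass hunk a parse failure is not fatal: the `except Exception as e: bb.error(...)` branch logs and falls through, so a partial or empty `kernel_params` list is still written into the SPDX document as a complete kernel-configuration build_Build; either `return` after the error or use `bb.fatal`. Further points in the same hunk: `do_create_kernel_config_spdx[depends] = "virtual/kernel:do_configure"` ties the task to whichever recipe provides virtual/kernel, while the task reads the current recipe's `${B}/.config`, and since the task is added after do_create_spdx it already runs after this recipe's own do_configure, so the extra [depends] is redundant for the virtual/kernel provider and pulls in another recipe's configure for any other kernel recipe; `"create-spdx" in inherits` is a substring match that also fires for the 2.2 variant of the class, where the `oe.spdx30` and `oe.sbom30.find_root_obj_in_jsonld` calls have no SPDX 3.0 document to work on once SPDX_INCLUDE_KERNEL_CONFIG is "1"; `oe.sbom30` is used without being imported and only resolves because `oe.spdx30_tasks` pulls it in; `d.getVar(..., True)` no longer needs the second argument; and `build_buildStartTime` is set with no matching `build_buildEndTime`. For the create-spdx-3.0.bbclass [doc] hunk, it would help to say that string values are exported with their surrounding quotes stripped and that `# CONFIG_* is not set` lines are dropped, so options that are off do not appear in the export at all.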
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/18] spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX Date: Tue, 23 Dec 2025 13:22:20 -0800 Message-ID: <5cfd0690f819379d9f97c86d2078c3e529efe385.1766524798.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228488 From: "Kamel Bouhara (Schneider Electric)" Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes PACKAGECONFIG features to be recorded in the SPDX document as build parameters. Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG: and value enabled or disabled, depending on whether the feature is active in the current build. This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking. This makes the build-time configuration more transparent in SPDX output and improves reproducibility tracking. In particular, it allows consumers of the SBOM to identify enabled/disabled features that may affect security posture or feature set. Reviewed-by: Joshua Watt Signed-off-by: Kamel Bouhara (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman --- meta/classes/create-spdx-3.0.bbclass | 5 +++++ meta/lib/oe/spdx30_tasks.py | 20 ++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 15c31ba9a3..6125e8b547 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -56,6 +56,11 @@ and each CONFIG_* value will be included in the Build.build_parameter list as Di items. Set to '0' to disable exporting kernel configuration to improve performance or reduce \ SPDX document size." +SPDX_INCLUDE_PACKAGECONFIG ??= "0" +SPDX_INCLUDE_PACKAGECONFIG[doc] = "If set to '1', each PACKAGECONFIG feature is recorded in the \ +build_Build object's build_parameter list as a DictionaryEntry with key \ +'PACKAGECONFIG:' and value 'enabled' or 'disabled'" + SPDX_IMPORTS ??= "" SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \ reference external SPDX ids. Each import is defined as a key in this \ diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index e425958991..a3d848ceb1 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py 
@@ -809,6 +809,26 @@ def create_spdx(d): sorted(list(build_inputs)) + sorted(list(debug_source_ids)), ) + if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0": + packageconfig = (d.getVar("PACKAGECONFIG") or "").split() + all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys() + + if all_features: + enabled = set(packageconfig) + all_features_set = set(all_features) + disabled = all_features_set - enabled + + for feature in sorted(all_features): + status = "enabled" if feature in enabled else "disabled" + build.build_parameter.append( + oe.spdx30.DictionaryEntry( + key=f"PACKAGECONFIG:{feature}", + value=status + ) + ) + + bb.note(f"Added PACKAGECONFIG entries: {len(enabled)} enabled, {len(disabled)} disabled") + oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
From patchwork Tue Dec 23 21:22:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77348
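Review bot: `all_features = (d.getVarFlags("PACKAGECONFIG") or {}).keys()` in the spdx30_tasks.py hunk returns every flag set on the variable, not only feature definitions, so a non-feature flag such as the `doc` flag that the documentation metadata sets on PACKAGECONFIG would be exported as `PACKAGECONFIG:doc` = disabled; filter out flags that are not feature entries before the loop. Smaller points: the gate `!= "0"` is inconsistent with the `== "1"` check used for SPDX_INCLUDE_KERNEL_CONFIG in the previous patch and with this patch's own [doc] text ("If set to '1'"); `all_features_set` and `disabled` exist only to feed the bb.note count, which `len(all_features) - len(enabled)` would give; and a name listed in PACKAGECONFIG that has no matching PACKAGECONFIG[...] flag is silently left out of the export rather than reported.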
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 15/18] oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG Date: Tue, 23 Dec 2025 13:22:21 -0800 Message-ID: X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228489 From: "Kamel Bouhara (Schneider Electric)" Add test_kernel_config_spdx and test_packageconfig_spdx to verify SPDX document generation includes kernel configuration and package feature metadata when enabled. Signed-off-by: Kamel Bouhara (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 2f0ab110d7521510c60e0493ef3cb021130758cd) Signed-off-by: Kamel Bouhara Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/spdx.py | 57 ++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py index 8cd4e83ca2..035f3fe336 100644 --- a/meta/lib/oeqa/selftest/cases/spdx.py +++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -286,3 +286,60 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase): break else: self.assertTrue(False, "Unable to find imported Host SpdxID") + + def test_kernel_config_spdx(self): + kernel_recipe = get_bb_var("PREFERRED_PROVIDER_virtual/kernel") + spdx_file = f"recipe-{kernel_recipe}.spdx.json" + spdx_path = f"{{DEPLOY_DIR_SPDX}}/{{SSTATE_PKGARCH}}/recipes/{spdx_file}" + + # Make sure kernel is configured first + bitbake(f"-c configure {kernel_recipe}") + + objset = self.check_recipe_spdx( + kernel_recipe, + spdx_path, + task="do_create_kernel_config_spdx", + extraconf="""\ + INHERIT += "create-spdx" + SPDX_INCLUDE_KERNEL_CONFIG = "1" + """, + ) + + # Check that at least one CONFIG_* entry exists + found_kernel_config = False + for build_obj in objset.foreach_type(oe.spdx30.build_Build): + if getattr(build_obj, "build_buildType", "") == "https://openembedded.org/kernel-configuration": + found_kernel_config = True + self.assertTrue( + len(getattr(build_obj, "build_parameter", [])) > 0, + "Kernel configuration build_Build has no CONFIG_* entries" + ) + break + + self.assertTrue(found_kernel_config, "Kernel configuration build_Build not found in SPDX output") + + def test_packageconfig_spdx(self): + objset = self.check_recipe_spdx( + "tar", + "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-tar.spdx.json", + extraconf="""\ + SPDX_INCLUDE_PACKAGECONFIG = "1" + """, + ) + + found_entries = [] + for build_obj in objset.foreach_type(oe.spdx30.build_Build): + for param in getattr(build_obj, "build_parameter", []): + if param.key.startswith("PACKAGECONFIG:"): + found_entries.append((param.key, param.value)) + + self.assertTrue( + found_entries, + "No PACKAGECONFIG entries found in SPDX output for 'tar'" + ) + + for key, value in found_entries: + self.assertIn( + value, ["enabled", "disabled"], + f"Unexpected PACKAGECONFIG value '{value}' for {key}" + ) From patchwork Tue Dec 23 21:22:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 
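Review bot: the assertions in this hunk are weaker than the comments claim. test_kernel_config_spdx says "Check that at least one CONFIG_* entry exists" but only checks `len(getattr(build_obj, "build_parameter", [])) > 0`, never that any key starts with `CONFIG_`; test_packageconfig_spdx accepts any key starting with `PACKAGECONFIG:` as long as the value is enabled or disabled, so it would also pass if non-feature flags were exported. Suggest asserting that some `param.key.startswith("CONFIG_")` holds for the kernel-configuration build_Build, and that one of tar's real PACKAGECONFIG features appears with the state implied by the build's PACKAGECONFIG value. Also, the explicit `bitbake(f"-c configure {kernel_recipe}")` runs before the extraconf is applied and is redundant given the task's dependency on do_configure, and the doubled braces in `f"{{DEPLOY_DIR_SPDX}}/{{SSTATE_PKGARCH}}/recipes/{spdx_file}"` rely on check_recipe_spdx formatting the template later, which deserves a comment since the second test passes the same template as a plain string.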
Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77349
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/18] cml1.bbclass: use consistent make flags for menuconfig
Date: Tue, 23 Dec 2025 13:22:22 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228490

From: Enrico Jörns

The class called 'make menuconfig' without any of the make variables and options set in EXTRA_OEMAKE, resulting in a quite different build environment than actually intended.

For the kernel.bbclass this was fixed in commit 8c616bc0 ("kernel: Use consistent make flags for menuconfig") by appending ${EXTRA_OEMAKE} to KCONFIG_CONFIG_COMMAND.

Instead of fixing this individually for additional recipes, we simply include ${EXTRA_OEMAKE} in KCONFIG_CONFIG_COMMAND by default.

For most class users, this change is directly visible in the generated .config file:

* For barebox and u-boot, the CONFIG_GCC_VERSION erroneously reflected the host GCC version before, where it now correctly reflects the target toolchain's GCC.
* For u-boot, also the "Compiler: " line at the beginning of the .config now prints the target toolchain instead of the host one.
* The kernel had this already set.
* busybox did not produce any difference.

Note that these projects might base some compile-time decisions on e.g. the actual compiler version used. Having the wrong one in the menuconfig-generated .config affects at least the visibility and consistency.

Reported-by: Ulrich Ölmann
Signed-off-by: Enrico Jörns
Signed-off-by: Richard Purdie
(cherry picked from commit 1b6ddd452837e67b500a84455a234f5edc8250a9)
Signed-off-by: Enrico Jörns
Signed-off-by: Steve Sakoman --- meta/classes-recipe/cml1.bbclass | 2 +- meta/classes-recipe/kernel.bbclass | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/meta/classes-recipe/cml1.bbclass b/meta/classes-recipe/cml1.bbclass index 456305a315..5519fb61b3 100644 --- a/meta/classes-recipe/cml1.bbclass +++ b/meta/classes-recipe/cml1.bbclass @@ -31,7 +31,7 @@ CROSS_CURSES_LIB = "-lncurses -ltinfo" CROSS_CURSES_INC = '-DCURSES_LOC=""' TERMINFO = "${STAGING_DATADIR_NATIVE}/terminfo" -KCONFIG_CONFIG_COMMAND ??= "menuconfig" +KCONFIG_CONFIG_COMMAND ??= "menuconfig ${EXTRA_OEMAKE}" KCONFIG_CONFIG_ENABLE_MENUCONFIG ??= "true" KCONFIG_CONFIG_ROOTDIR ??= "${B}" python do_menuconfig() { diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index d557e98d65..39e198864e 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass 
@@ -697,9 +697,6 @@ addtask savedefconfig after do_configure inherit cml1 pkgconfig -# Need LD, HOSTLDFLAGS and more for config operations -KCONFIG_CONFIG_COMMAND:append = " ${EXTRA_OEMAKE}" - EXPORT_FUNCTIONS do_compile do_transform_kernel do_transform_bundled_initramfs do_install do_configure # kernel-base becomes kernel-${KERNEL_VERSION} From patchwork Tue Dec 23 21:22:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77350 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80AC5E6FE4A for ; Tue, 23 Dec 2025 21:23:16 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.108986.1766524990031662088 for ; Tue, 23 Dec 2025 13:23:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=y/Ul1yaa; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-2a12ebe4b74so92922535ad.0 for ; Tue, 23 Dec 2025 13:23:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1766524989; x=1767129789; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hU9J8u/2LNLEOyq8Ph75MH2E7+T+AvpRr7eTDthWUFE=; b=y/Ul1yaa8aBou2MY0kxv28OeaLR8i9xHWkYBoY7BmVORG9pqct9RTVu7wkRPc+1ypZ PFLg3e1LMB2jDjRvqH1RyvJC6Pkhg/toeuhQvKuK6oM+40k9gsDJ4StxGDj5IDVBKmUo qVrjruBJdVRd+flwW1+i3qyUTOE8EglxbWb/Xvx+j2iPqeNZQF9giah4uh6ImBOy3Bsb 
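Review bot: the new default `KCONFIG_CONFIG_COMMAND ??= "menuconfig ${EXTRA_OEMAKE}"` in cml1.bbclass only reaches recipes that leave the variable at its weak default; any recipe or bbappend that assigns `KCONFIG_CONFIG_COMMAND` itself (hard or with `?=`) still runs menuconfig without EXTRA_OEMAKE, which is exactly the mismatch the commit message describes. A one-line comment above the default saying that overrides must carry `${EXTRA_OEMAKE}` themselves would make that expectation visible.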
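Review bot: dropping `KCONFIG_CONFIG_COMMAND:append = " ${EXTRA_OEMAKE}"` from kernel.bbclass is the right way to avoid passing the flags twice, but it is a behaviour change for kernel layers: the `:append` used to guarantee EXTRA_OEMAKE even when a kernel recipe assigned `KCONFIG_CONFIG_COMMAND` outright, whereas the `??=` default in cml1.bbclass only applies when nothing else sets the variable. A sentence in the commit message (or a comment beside `inherit cml1`) noting that such overrides must now include `${EXTRA_OEMAKE}` would save kernel recipe maintainers a surprise.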
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 17/18] curl: Use host CA bundle by default for native(sdk) builds
Date: Tue, 23 Dec 2025 13:22:23 -0800
Message-ID: <0e553b685c0a987a7be1eee16b7b5e3e48a036e2.1766524798.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228491
From: Moritz Haase

Fixes YOCTO #16077

Commit 0f98fecd (a backport of 4909a46e) broke HTTPS downloads in opkg in the SDK; they now fail with:

> SSL certificate problem: self-signed certificate in certificate chain

The root cause is a difference in the handling of related env vars between curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE (see [0]). Those are set in the SDK via env setup scripts like [1], so curl continued to work.

The library however does not handle those env vars. Thus, unless the program utilizing libcurl has implemented a similar mechanism itself and configures libcurl accordingly via the API (like for example Git in [2] and [3]), there will be no default CA bundle configured to verify certificates against.

Opkg only supports setting the CA bundle path via config options 'ssl_ca_file' and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var support is not a feasible short-time fix for the issue at hand. Instead it's better to ship libcurl in the SDK with a sensible built-in default - which also helps any other libcurl users.

This patch is based on a proposal by Peter.Marko@siemens.com in the related mailing list discussion at [4].

(cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050)

[0]: https://github.com/curl/curl/blob/400fffa90f30c7a2dc762fa33009d24851bd2016/src/tool_operate.c#L2056-L2084
[1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985
[2]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1389
[3]: https://github.com/git/git/blob/6ab38b7e9cc7adafc304f3204616a4debd49c6e9/http.c#L1108-L1109
[4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751

Signed-off-by: Moritz Haase
CC: matthias.schiffer@ew.tq-group.com
CC: Peter.Marko@siemens.com
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/curl/curl_8.7.1.bb | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6c02746394..0af6a41399 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -92,16 +92,21 @@ PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose" PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib" PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd" +# Use host certificates for non-target builds. As libcurl doesn't honor any of the env vars (like +# for example CURL_CA_PATH) that curl-cli does, we need to explicitly set '--with-ca-bundle' +# accordingly, so that there is a working, built-in default even for those tools that use libcurl, +# but don't have custom env var handling implemented (like opkg). +CURL_CA_BUNDLE_BASE_DIR ?= "/etc" +CURL_CA_BUNDLE_BASE_DIR:class-target = "${sysconfdir}" + EXTRA_OECONF = " \ --disable-libcurl-option \ --disable-ntlm-wb \ --without-libpsl \ --enable-optimize \ + --with-ca-bundle=${CURL_CA_BUNDLE_BASE_DIR}/ssl/certs/ca-certificates.crt \ ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \ " -EXTRA_OECONF:append:class-target = " \ - --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \ -" fix_absolute_paths () { # cleanup buildpaths from curl-config From patchwork Tue Dec 23 21:22:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 77347 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7525FE6FE43 for ; Tue, 23 Dec 2025 21:23:16 +0000 (UTC) Received: from mail-pl1-f193.google.com (mail-pl1-f193.google.com [209.85.214.193]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.109358.1766524991711259203 for ; Tue, 23 Dec 2025 13:23:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=dywQwWuz; spf=softfail (domain: sakoman.com, 
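Review bot: `CURL_CA_BUNDLE_BASE_DIR ?= "/etc"` bakes a build-host path into native and nativesdk libcurl, and the resulting `--with-ca-bundle=${CURL_CA_BUNDLE_BASE_DIR}/ssl/certs/ca-certificates.crt` is only a working default on hosts (and SDK hosts) that keep their bundle at that location; since the variable is a `?=` default, the comment block should say outright that it is meant to be overridden in local.conf or a distro config when the host layout differs, so that SDK builders know where to look when libcurl users still fail to verify certificates. The comment also names `CURL_CA_PATH` as the env var curl-cli honours while the commit message names `CURL_CA_BUNDLE`; use the same name in both so the two do not contradict each other.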
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 18/18] cross.bbclass: Propagate dependencies to outhash
Date: Tue, 23 Dec 2025 13:22:24 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228492
From: Martin Jansa

Similar to what native and staging are doing since:
https://git.openembedded.org/openembedded-core/commit/meta/classes/native.bbclass?id=d6c7b9f4f0e61fa6546d3644e27abe3e96f597e2
https://git.openembedded.org/openembedded-core/commit/meta/classes/staging.bbclass?id=1cf62882bbac543960e4815d117ffce0e53bda07

Cross task outputs can call native dependencies and even when cross recipe output doesn't change it might produce different results when the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH} contains a symlink to the clang binary from clang-native, but when the clang-native outhash is changed, clang-cross-${TARGET_ARCH} will still be considered equivalent and target recipes aren't rebuilt with the new clang binary, see the work around in https://github.com/kraj/meta-clang/pull/1140 to make target recipes depend directly not only on clang-cross-${TARGET_ARCH} but clang-native as well.

I have added a small testcase in meta-selftest which demonstrates this issue. Not included in this change, but will send it if useful.

openembedded-core $ ls -1 meta-selftest/recipes-devtools/hashequiv-test/
print-datetime-link-cross.bb
print-datetime-link-native.bb
print-datetime-native.bb
print-datetime-usecross.bb
print-datetime-usenative.bb

print-datetime-native provides a script which prints the defined PRINT_DATETIME variable.
print-datetime-link-native and print-datetime-link-cross both provide a symlink to the script from print-datetime-native.
print-datetime-usenative and print-datetime-usecross are target recipes using the native and cross versions of the print-datetime-link-* recipe.
# clean build all is rebuilt:
$ bitbake -k print-datetime-usenative print-datetime-usecross
WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_05
WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_05
WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_05
WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_05
WARNING: print-datetime-usecross-1.0-r0 do_install: print-datetime-usecross current DATETIME from print-datetime-link is 2025-11-13_20_05

# keep sstate-cache and hashserv.db:
# print-datetime-usenative is correctly rebuilt, because print-datetime-link-native has different hash (because print-datetime-native hash changed)
# print-datetime-usecross wasn't rebuilt, because print-datetime-link-cross-x86_64 doesn't include the changed hash of print-datetime-native
$ bitbake -k print-datetime-usenative print-datetime-usecross
WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_07
WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_07
WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_07
WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_07

It's because print-datetime-link-cross-x86_64 depsig doesn't include the print-datetime-native signature:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic 18
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
drwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

While print-datetime-link-native doesn't have this issue, because the print-datetime-native signature is there:

$ cat tmp/work/x86_64-linux/print-datetime-link-native/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic 18
print-datetime-native: 60f2734a63d708489570ca719413b4662f8368abc9f4760a279a0a5481e4a17b
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-native:x86_64-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 26 3d5458be834b2d0e4c65466b9b877d6028ae2210a56399284a23144818666f10 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-native
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
lrwx ./recipe-sysroot-native/usr/bin/print-datetime-link -> print-datetime

With the cross.bbclass fix the link-cross recipe has a checksum from the native recipe as well:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic 18
print-datetime-native: 9ceb6c27342eae6b8da86c84685af38fb8927ccc19979aae75b8b1e444b11c5c
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx .
drwx ./recipe-sysroot-native
drwx ./recipe-sysroot-native/sysroot-providers
-rw- 32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx ./recipe-sysroot-native/usr
drwx ./recipe-sysroot-native/usr/bin
drwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

And print-datetime-usecross is correctly rebuilt whenever print-datetime-native output is different.

Signed-off-by: Martin Jansa
Signed-off-by: Steve Sakoman
---
 meta/classes-recipe/cross.bbclass | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/meta/classes-recipe/cross.bbclass b/meta/classes-recipe/cross.bbclass
index 93de9a5274..da3c4e7eab 100644
--- a/meta/classes-recipe/cross.bbclass
+++ b/meta/classes-recipe/cross.bbclass
@@ -101,3 +101,39 @@ addtask addto_recipe_sysroot after do_populate_sysroot do_addto_recipe_sysroot[deptask] = "do_populate_sysroot" PATH:prepend = "${COREBASE}/scripts/cross-intercept:" + +# +# Cross task outputs can call native dependencies and even when cross +# recipe output doesn't change it might produce different results when +# the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH} +# contains symlink to clang binary from clang-native, but when clang-native +# outhash is changed, clang-cross-${TARGET_ARCH} will still be considered +# equivalent and target recipes aren't rebuilt with new clang binary, see +# work around in https://github.com/kraj/meta-clang/pull/1140 to make target +# recipes to depend directly not only on clang-cross-${TARGET_ARCH} but +# clang-native as well. +# +# This can cause poor interactions with hash equivalence, since this recipes +# output-changing dependency is "hidden" and downstream task only see that this +# recipe has the same outhash and therefore is equivalent. This can result in +# different output in different cases. +# +# To resolve this, unhide the output-changing dependency by adding its unihash +# to this tasks outhash calculation. Unfortunately, don't know specifically +# know which dependencies are output-changing, so we have to add all of them. +# +python cross_add_do_populate_sysroot_deps () { + current_task = "do_" + d.getVar("BB_CURRENTTASK") + if current_task != "do_populate_sysroot": + return + + taskdepdata = d.getVar("BB_TASKDEPDATA", False) + pn = d.getVar("PN") + deps = { + dep[0]:dep[6] for dep in taskdepdata.values() if + dep[1] == current_task and dep[0] != pn + } + + d.setVar("HASHEQUIV_EXTRA_SIGDATA", "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys()))) +} +SSTATECREATEFUNCS += "cross_add_do_populate_sysroot_deps"
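Review bot: the comment block has two slips: "Unfortunately, don't know specifically know which dependencies" repeats "know" (should read "we don't know specifically which dependencies"), and "this recipes output-changing dependency" wants "recipe's"; it also repeats the clang-cross paragraph from the commit message word for word, which could be trimmed to the two sentences that explain the hash-equivalence interaction. On the code, `deps = { dep[0]:dep[6] ... }` relies on the positional layout of the BB_TASKDEPDATA tuples (index 0 being PN, index 1 the task and index 6 the unihash) without saying so; a short comment naming those fields would make it easier to spot if bitbake ever changes the tuple.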
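As an added illustration (not OE-core code and not part of Martin Jansa's patch), the following Python model shows how the cross.bbclass change feeds dependency unihashes into the outhash and why that makes the cross recipe's outhash track its native dependency. It assumes BB_TASKDEPDATA tuples carry PN at index 0, the task name at index 1 and the unihash at index 6 (the layout the patch's `dep[0]`/`dep[1]`/`dep[6]` indexing relies on), and it stands in a sha256 over constructed listing text for the real OEOuthashBasic.

```python
import hashlib

# Constructed names, mirroring the meta-selftest recipes from the commit message.
PN = "print-datetime-link-cross-x86_64"
TASK = "do_populate_sysroot"

# Constructed output listing for the cross recipe. As in the depsig excerpts
# in the commit message, the recipe's own output is just a symlink and never
# changes, so without extra sigdata its outhash is identical from build to build.
CROSS_OUTPUT = "\n".join([
    "SSTATE_PKGSPEC=sstate:%s:x86_64-oe-linux:1.0:r0:x86_64:14:" % PN,
    "task=populate_sysroot",
    "drwx .",
    "drwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux",
    "lrwx ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime",
])


def make_taskdepdata(native_unihash):
    """Constructed stand-in for BB_TASKDEPDATA: taskid -> tuple where index 0
    is PN, index 1 is the task name and index 6 is the unihash (assumed
    layout; fields 2-5 are unused here and left as None)."""
    def entry(pn, task, unihash):
        return (pn, task, None, None, None, None, unihash)

    return {
        # The recipe's own task must be skipped by the pn filter.
        "%s:%s" % (PN, TASK): entry(PN, TASK, "self-unihash-must-be-ignored"),
        "print-datetime-native:%s" % TASK: entry("print-datetime-native", TASK, native_unihash),
        "quilt-native:%s" % TASK: entry("quilt-native", TASK, "quilt-unihash-constructed"),
        # A different task of the same dependency must be skipped by the task filter.
        "print-datetime-native:do_fetch": entry("print-datetime-native", "do_fetch", "fetch-unihash-ignored"),
    }


def cross_extra_sigdata(taskdepdata, pn=PN, current_task=TASK):
    """The same dict comprehension and join that cross_add_do_populate_sysroot_deps
    stores in HASHEQUIV_EXTRA_SIGDATA: one '<pn>: <unihash>' line per dependency
    running the same task, excluding the recipe itself, in sorted order."""
    deps = {dep[0]: dep[6] for dep in taskdepdata.values()
            if dep[1] == current_task and dep[0] != pn}
    return "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys()))


def outhash(output_listing, extra_sigdata=""):
    """Simplified model of OEOuthashBasic: hash the extra sigdata lines (if any)
    ahead of the output listing, matching the depsig layout in the commit message."""
    h = hashlib.sha256()
    if extra_sigdata:
        h.update(extra_sigdata.encode() + b"\n")
    h.update(output_listing.encode())
    return h.hexdigest()


def cross_outhash(native_unihash, with_fix):
    """Outhash of the cross recipe for a given unihash of its native dependency,
    with or without the HASHEQUIV_EXTRA_SIGDATA contribution from the patch."""
    extra = cross_extra_sigdata(make_taskdepdata(native_unihash)) if with_fix else ""
    return outhash(CROSS_OUTPUT, extra)


def rebuild_needed(old_native_unihash, new_native_unihash, with_fix):
    """True when a change in the native dependency changes the cross recipe's
    outhash, so hash equivalence will not treat the two builds as equivalent
    and downstream target recipes are rebuilt."""
    return (cross_outhash(old_native_unihash, with_fix)
            != cross_outhash(new_native_unihash, with_fix))


if __name__ == "__main__":
    # Same symlink output, changed native dependency: only the fixed class notices.
    for fix in (False, True):
        print("with fix:" if fix else "without fix:",
              "rebuild" if rebuild_needed("native-v1", "native-v2", fix) else "reused")
```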