From patchwork Thu Dec 25 14:02:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77523 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BBC8E7AD44 for ; Thu, 25 Dec 2025 14:02:31 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.138944.1766671346397742112 for ; Thu, 25 Dec 2025 06:02:26 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BJNf/201; spf=pass (domain: gmail.com, ip: 209.85.128.45, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-477563e28a3so41157495e9.1 for ; Thu, 25 Dec 2025 06:02:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766671344; x=1767276144; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=KLvi0AvqGgC3VLmCrl0IWZ80AThH/tJrJ70ng1vgphQ=; b=BJNf/201xB3niUt5u+iSrQhaEnKfImWeKbpneGNOBSobk7PEQuDlLZP3o5lhKjGwR/ DEMWG+1yhQxD5YXWneU5s9fTA0dGwuUajZO/ctDnTMHg3ZD3ChYYH3jPr3VN0S65Ddbu yumhBxVGwE2OqP1flVvLNSyBQJlkj7TXds1otqevWdzmqtKjFpuSCuUiRtD5yEc6kF9m K3LutDcA0EsYCR1dQGZx/90SlzEzljIvmsi8yPK5I3fEWyNs8q7u5HEs9xoZ3kGYsGsz GH7qYpTm5loHmTIB2zDif+VMMMVAFuImYKtwhQ9TqICckjPAlb7H1vE6ScLv+S9WYXNl m3/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766671344; x=1767276144; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KLvi0AvqGgC3VLmCrl0IWZ80AThH/tJrJ70ng1vgphQ=; 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/4] snappy: add CVE_PRODUCT Date: Thu, 25 Dec 2025 15:02:18 +0100 Message-ID: <20251225140223.3015168-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 14:02:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122922 From: Emil Kronborg Andersen If CVE_PRODUCT is not explicitly set to google:snappy, CVEs are found for https://github.com/KnpLabs/snappy instead. Signed-off-by: Emil Kronborg Andersen Signed-off-by: Khem Raj (cherry picked from commit b888130e957eb4fe9d69fd70f3b3778ba980b728) Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-extended/snappy/snappy_1.1.9.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb b/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb index 0d58345d7a..9e0e43ce8f 100644 --- a/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb +++ b/meta-oe/recipes-extended/snappy/snappy_1.1.9.bb 
@@ -24,3 +24,5 @@ PACKAGECONFIG[lzo] = "-DHAVE_LIBLZO2=1,-DHAVE_LIBLZO2=0,lzo," TARGET_CFLAGS += "-fPIC" EXTRA_OECMAKE += '-DBUILD_SHARED_LIBS="ON" -DSNAPPY_BUILD_TESTS="OFF" -DSNAPPY_BUILD_BENCHMARKS="OFF"' + +CVE_PRODUCT = "google:snappy" From patchwork Thu Dec 25 14:02:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77526 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C6CDE7AD63 for ; Thu, 25 Dec 2025 14:02:31 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.138269.1766671346832898908 for ; Thu, 25 Dec 2025 06:02:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=goUv28d0; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-47775fb6cb4so40268645e9.0 for ; Thu, 25 Dec 2025 06:02:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766671345; x=1767276145; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ivw/tKBCYGdAJMLY8mW6jbPNhUmH2LHqXWYy2tXOubY=; b=goUv28d0mhZH6147QbU/eVhlkxJmGrJ4K6g2rP2jSNkl3djvgG/KZp0r6/WmBhaTy8 QL3ICRF/sUh6ZDasFxNbsPsBy54BIBH0xphMluleZIkGtu3fk35xre0KhIbWkvY4KiaN Ixaq3SDqWlVhKD5RWGbAwzax3/SBjA0uKw0eiT0BYNVyfmbCzgM17fj1HbL8B2RcqjDx Yd/TDi5/zYmJbbKlRydEDkxvaoyHJFRjI/gWvfsH42wb/5S5P+K26iYNiar5ZsK3uqW8 EOlz1oyLGoUy6LCB2Lj5nnFoS4Pb3qab02k1yGhPsVfoutskBAPfQFfbfDrZk8X7sFp1 XMMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
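Review bot: pinning `CVE_PRODUCT = "google:snappy"` removes the false match against KnpLabs/snappy described in the commit message, but nothing in the patch shows that `google:snappy` is the vendor:product pair NVD actually records for this library, so please confirm that the genuine snappy entries are still reported after the change (run cve-check on this recipe before and after and compare the CVE list). The `vendor:product` form is understood by the kirkstone cve-check class, so no further recipe change is needed; stating the CPE source in the commit message would make the pin easier to audit later.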
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/4] smarty: patch CVE-2018-25047 Date: Thu, 25 Dec 2025 15:02:19 +0100 Message-ID: <20251225140223.3015168-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251225140223.3015168-1-skandigraun@gmail.com> References: <20251225140223.3015168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 14:02:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122923 Details: https://nvd.nist.gov/vuln/detail/CVE-2018-25047 Pick the patch that resolved the issue referenced in the nvd report. Signed-off-by: Gyorgy Sarvari --- .../smarty/smarty/CVE-2018-25047.patch | 140 ++++++++++++++++++ .../recipes-support/smarty/smarty_4.1.1.bb | 4 +- 2 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch new file mode 100644 index 0000000000..caa48f8a4a --- /dev/null +++ b/meta-oe/recipes-support/smarty/smarty/CVE-2018-25047.patch 
@@ -0,0 +1,140 @@ +From 5f26e728152007aa57e415a5e3dd77542739aa13 Mon Sep 17 00:00:00 2001 +From: Simon Wisselink +Date: Wed, 14 Sep 2022 11:38:18 +0200 +Subject: [PATCH] Applied appropriate javascript and html escaping in mailto + plugin to counter injection attacks Fixes #454 + +CVE: CVE-2018-25047 +Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9] +Signed-off-by: Gyorgy Sarvari +--- + libs/plugins/function.mailto.php | 28 ++++++++++++------- + .../PluginFunctionMailtoTest.php | 21 ++++++++++++-- + 2 files changed, 37 insertions(+), 12 deletions(-) + +diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php +index 834d0535..671ac069 100644 +--- a/libs/plugins/function.mailto.php ++++ b/libs/plugins/function.mailto.php +@@ -48,8 +48,13 @@ + */ + function smarty_function_mailto($params) + { +- static $_allowed_encoding = +- array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true); ++ static $_allowed_encoding = [ ++ 'javascript' => true, ++ 'javascript_charcode' => true, ++ 'hex' => true, ++ 'none' => true ++ ]; ++ + $extra = ''; + if (empty($params[ 'address' ])) { + trigger_error("mailto: missing 'address' parameter", E_USER_WARNING); +@@ -57,19 +62,19 @@ function smarty_function_mailto($params) + } else { + $address = $params[ 'address' ]; + } ++ + $text = $address; ++ + // netscape and mozilla do not decode %40 (@) in BCC field (bug?) + // so, don't encode it. +- $search = array('%40', '%2C'); +- $replace = array('@', ','); +- $mail_parms = array(); ++ $mail_parms = []; + foreach ($params as $var => $value) { + switch ($var) { + case 'cc': + case 'bcc': + case 'followupto': + if (!empty($value)) { +- $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value)); ++ $mail_parms[] = $var . '=' . 
str_replace(['%40', '%2C'], ['@', ','], rawurlencode($value)); + } + break; + case 'subject': +@@ -83,6 +88,7 @@ function smarty_function_mailto($params) + default: + } + } ++ + if ($mail_parms) { + $address .= '?' . join('&', $mail_parms); + } +@@ -94,19 +100,21 @@ function smarty_function_mailto($params) + ); + return; + } ++ ++ $string = '' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . ''; ++ + if ($encode === 'javascript') { +- $string = '' . $text . ''; + $js_encode = ''; + for ($x = 0, $_length = strlen($string); $x < $_length; $x++) { + $js_encode .= '%' . bin2hex($string[ $x ]); + } + return ''; + } elseif ($encode === 'javascript_charcode') { +- $string = '' . $text . ''; + for ($x = 0, $_length = strlen($string); $x < $_length; $x++) { + $ord[] = ord($string[ $x ]); + } +- return ''; ++ return ''; + } elseif ($encode === 'hex') { + preg_match('!^(.*)(\?.*)$!', $address, $match); + if (!empty($match[ 2 ])) { +@@ -129,6 +137,6 @@ function smarty_function_mailto($params) + return '' . $text_encode . ''; + } else { + // no encoding +- return '' . $text . 
''; ++ return $string; + } + } +diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php +index bc5152a2..52b18ecc 100644 +--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php ++++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php +@@ -150,7 +150,7 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty + + public function testUmlauts() + { +- $result = 'me+smtpext@example.com'; ++ $result = 'me+smtpext@example.com'; + $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}'); + $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl)); + } +@@ -158,9 +158,26 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty + public function testUmlautsWithoutMbstring() + { + Smarty::$_MBSTRING = false; +- $result = 'me+smtpext@example.com'; ++ $result = 'me+smtpext@example.com'; + $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}'); + $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl)); + Smarty::$_MBSTRING = true; + } ++ ++ public function testJavascriptChars() ++ { ++ $result = ''; ++ $this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //'); ++ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}'); ++ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl)); ++ } ++ ++ public function testHtmlChars() ++ { ++ $result = ''; ++ $this->smarty->assign('address', 'me@example.com">

'); ++ $tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}'); ++ $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl)); ++ } ++ + } diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb index df441e8db2..382f0f415c 100644 --- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb +++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb 
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c0f216b2120ffc367e20f2b56df51b3" DEPENDS += "php" -SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master" +SRC_URI = "git://github.com/smarty-php/smarty.git;protocol=https;branch=master \ + file://CVE-2018-25047.patch \ + " SRCREV = "71036be8be02bf93735c47b0b745f722efbc729f" From patchwork Thu Dec 25 14:02:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E1E4E7AD60 for ; Thu, 25 Dec 2025 14:02:31 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.138945.1766671347372090051 for ; Thu, 25 Dec 2025 06:02:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FCqCoBzI; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-477632b0621so41880975e9.2 for ; Thu, 25 Dec 2025 06:02:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766671346; x=1767276146; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DEeATz59OvMCkqsZCpSEaC4Ts6Pt8Q+moC5Lybs67MA=; b=FCqCoBzIndUoTC/PVJ2s4QpVhomvEBOHVWqh8Onm31maf9xpjn2lxEmD22l/zNOFAa h2prjCEwOi4dBL9/Yh2dn0q8eBSm+MQjXjmL3x4/RrtEBFwg3g5tQ9aOOP7gmuzpXXfB EVxLcdUYaGLLQLBLuCH6GVJcZD228yha0Node5dZ96XDDxj5aA+Fa0jCPeecYqmRhXKC SaA1i0cp5I6jx/X/uMVXcYu5qPEgQMDbrul3Aj++Mc9nMoVM92bGUNCkKFYoRjjW/qed 
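Review bot: the commit id on the `From` line of CVE-2018-25047.patch (5f26e728152007aa57e415a5e3dd77542739aa13) does not match the commit named in the Upstream-Status link (55ea25d1f50f0406fb1ccedd212c527977793fc9); make the two agree, or say which branch the 5f26e728 commit was taken from, so the backport can be traced. On the escaping itself: `$string` is now built once with `htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET)` and reused by the javascript, javascript_charcode and no-encoding branches, while the hex branch is left untouched and still returns `$text_encode`; the new tests only cover `encode=javascript` (testJavascriptChars) and the plain path (testHtmlChars), so either a sentence in the commit message explaining why the hex path needs no change, or a third test for `encode=hex`, would close that gap.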
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/4] smarty: update CVE_PRODUCT Date: Thu, 25 Dec 2025 15:02:20 +0100 Message-ID: <20251225140223.3015168-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251225140223.3015168-1-skandigraun@gmail.com> References: <20251225140223.3015168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 14:02:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122924 From: Ankur Tyagi Signed-off-by: Ankur Tyagi Signed-off-by: Khem Raj (cherry picked from commit ceadb83fcf18134b40b36cddcacbc8192ea68f82) Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/smarty/smarty_4.1.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb index 382f0f415c..1d044e18ce 100644 --- a/meta-oe/recipes-support/smarty/smarty_4.1.1.bb +++ b/meta-oe/recipes-support/smarty/smarty_4.1.1.bb 
@@ -26,3 +26,5 @@ do_install() { install -m 0644 ${S}/libs/sysplugins/*.php ${D}${datadir}/php/smarty3/libs/sysplugins/ } FILES:${PN} = "${datadir}/php/smarty3/" + +CVE_PRODUCT = "smarty:smarty" From patchwork Thu Dec 25 14:02:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77524 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CD14E7AD5E for ; Thu, 25 Dec 2025 14:02:31 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.138270.1766671349871024407 for ; Thu, 25 Dec 2025 06:02:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kqIUuehq; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-47a95efd2ceso58859285e9.2 for ; Thu, 25 Dec 2025 06:02:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766671348; x=1767276148; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5gA275No6o0B8hIcXEt4u396bf51yiAMcHmcId6yHco=; b=kqIUuehqSdhqOrPl5rrI74xcAKlqe5KGcRakP/tGwItiFpcLuerOHRbAvHwLivYK2d D0t8R/g1vrloNyqFgwrRtkVrY7D+qnu6ecy2Gp2ZeWuhRbyem5MZHV0cGOjFLaBPNMoV A9Pgo92DfnyvEAKhNDVl/4dryQOSYLHtfHPcgangJ3F3pCS82aQsAMOMBk7KuKmGEizC QSyYm2ouOV3AmtWYc7lH5xAi1R4J8XEZXzLblT10qQX2CpacgZMjkt2UpUZOvX6l0WQI YIikkLcjguYC25xq1+wlRryGkSBctYNczv0TESskj+fexJm+cQ/eCsDL1icEfXTwBZhH 4KNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766671348; 
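Review bot: the commit message for this patch is empty apart from the sign-offs; please add a line saying where the `smarty:smarty` vendor:product value was taken from, as was done for snappy in 1/4. Since `CVE_PRODUCT` is what lets cve-check find the two CVEs the backports in this series carry `CVE:` tags for (CVE-2018-25047 in 2/4 and CVE-2023-28447 in 4/4), consider ordering this patch ahead of the backports so each fix can be seen moving its CVE from reported to patched.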
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/4] smarty: patch CVE-2023-28447 Date: Thu, 25 Dec 2025 15:02:21 +0100 Message-ID: <20251225140223.3015168-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251225140223.3015168-1-skandigraun@gmail.com> References: <20251225140223.3015168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 14:02:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122925 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28447 Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari --- .../smarty/smarty/CVE-2023-28447.patch | 74 +++++++++++++++++++ .../recipes-support/smarty/smarty_4.1.1.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch diff --git a/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch new file mode 100644 index 0000000000..837019d88a --- /dev/null +++ b/meta-oe/recipes-support/smarty/smarty/CVE-2023-28447.patch 
@@ -0,0 +1,74 @@ +From 456aad251e7dd399fef136f652a1684c05fefa5a Mon Sep 17 00:00:00 2001 +From: Simon Wisselink +Date: Fri, 24 Mar 2023 12:19:34 +0100 +Subject: [PATCH] Implement fix and tests + +CVE: CVE-2023-28447 +Upstream-Status: Backport [https://github.com/smarty-php/smarty/commit/685662466f653597428966d75a661073104d713d] +Signed-off-by: Gyorgy Sarvari +--- + libs/plugins/modifier.escape.php | 4 +++- + libs/plugins/modifiercompiler.escape.php | 4 +++- + .../PluginModifierEscapeTest.php | 21 +++++++++++++++++++ + 3 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php +index 3ce48382..70d2db92 100644 +--- a/libs/plugins/modifier.escape.php ++++ b/libs/plugins/modifier.escape.php +@@ -188,7 +188,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $ + // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements + '
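Review bot: as in 2/4, the id on the `From` line of CVE-2023-28447.patch (456aad251e7dd399fef136f652a1684c05fefa5a) differs from the commit in the Upstream-Status link (685662466f653597428966d75a661073104d713d); pick one so the origin of the backport is unambiguous. The diffstat lists `smarty_4.1.1.bb | 1 +`, which should be the `file://CVE-2023-28447.patch` line appended to the SRC_URI list that 2/4 opened; please keep the trailing backslash and closing quote style from that patch so the two apply cleanly in sequence.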