From patchwork Mon Dec 29 14:51:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77608
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][whinlatter][PATCH 01/11] accountservice: ignore CVE-2023-3297 Date: Mon, 29 Dec 2025 15:51:42 +0100 Message-ID: <20251229145152.489068-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 14:52:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122980 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-3297 The vulnerability is triggered by a patch added by Ubuntu, and the vulnerable patch is not present in the recipe. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 071a45c9d76c9a222c8fbaa50089a8af44f44e74) Signed-off-by: Gyorgy Sarvari --- .../recipes-support/accountsservice/accountsservice_23.13.9.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-gnome/recipes-support/accountsservice/accountsservice_23.13.9.bb b/meta-gnome/recipes-support/accountsservice/accountsservice_23.13.9.bb index e3dfcfffff..c024ae3f92 100644 --- a/meta-gnome/recipes-support/accountsservice/accountsservice_23.13.9.bb +++ b/meta-gnome/recipes-support/accountsservice/accountsservice_23.13.9.bb 
@@ -41,3 +41,5 @@ FILES:${PN} += " \ ${datadir}/dbus-1 \ ${datadir}/polkit-1 \ " + +CVE_STATUS[CVE-2023-3297] = "not-applicable-platform: The vulnerability is Ubuntu specific"
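Review bot: the reason on the added CVE_STATUS[CVE-2023-3297] line says only "The vulnerability is Ubuntu specific", while the commit message carries the actual justification: the issue is triggered by a patch added by Ubuntu that is not present in this recipe. Consider stating that in the reason string itself (for example "the vulnerable code is an Ubuntu-only downstream patch, not applied by this recipe"), so the recorded status explains itself and the exemption gets re-examined if a distro patch is ever added to SRC_URI.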
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 02/11] c-ares: upgrade 1.34.5 -> 1.34.6 Date: Mon, 29 Dec 2025 15:51:43 +0100 Message-ID: <20251229145152.489068-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com> References: <20251229145152.489068-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 14:52:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122981 From: Jason Schonberg Drop memory leak patch which has already been included in this new version. The new version also includes a fix for CVE 2025-62408. Changelog: https://github.com/c-ares/c-ares/releases/tag/v1.34.6 Signed-off-by: Jason Schonberg Signed-off-by: Khem Raj (cherry picked from commit 996768e0800a008e06d6c8d305f443198d4df847) Signed-off-by: Gyorgy Sarvari --- .../c-ares/0001-ares_uri-memory-leak.patch | 21 ------------------- .../{c-ares_1.34.5.bb => c-ares_1.34.6.bb} | 3 +-- 2 files changed, 1 insertion(+), 23 deletions(-) delete mode 100644 meta-oe/recipes-support/c-ares/c-ares/0001-ares_uri-memory-leak.patch rename meta-oe/recipes-support/c-ares/{c-ares_1.34.5.bb => c-ares_1.34.6.bb} (87%) diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-ares_uri-memory-leak.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-ares_uri-memory-leak.patch deleted file mode 100644 index 4d08651be1..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/0001-ares_uri-memory-leak.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -fix memory leak in ares_uri (#1012) -Dynamic memory, referenced by 'outpath', is allocated at ares_uri.c:527 -by calling function 'ares_buf_create' and lost at ares_uri.c:536. - -Signed-off-by: Felix The Cat (@F3lixTheCat) - --- - -Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/ee2a1c3eff3c8164b09123005f4b49c571788b59] - ---- a/src/lib/util/ares_uri.c 2025-08-10 15:59:17.501710307 -0400 -+++ b/src/lib/util/ares_uri.c 2025-08-10 16:00:35.867494819 -0400 -@@ -533,7 +533,7 @@ - status = ares_buf_split_str_array(inpath, (const unsigned char *)"/", 1, - ARES_BUF_SPLIT_TRIM, 0, &arr); - if (status != ARES_SUCCESS) { -- return NULL; -+ goto done; - } - - for (i = 0; i < (ares_ssize_t)ares_array_len(arr); i++) { diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.34.5.bb b/meta-oe/recipes-support/c-ares/c-ares_1.34.6.bb similarity index 87% rename from meta-oe/recipes-support/c-ares/c-ares_1.34.5.bb rename to meta-oe/recipes-support/c-ares/c-ares_1.34.6.bb index b434886311..c9c54a9fa0 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.34.5.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.34.6.bb 
@@ -6,9 +6,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=d3e72a10e08191f2ca1be3f3228d78f3" SRC_URI = "https://github.com/c-ares/c-ares/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ - file://0001-ares_uri-memory-leak.patch \ file://run-ptest" -SRC_URI[sha256sum] = "7d935790e9af081c25c495fd13c2cfcda4792983418e96358ef6e7320ee06346" +SRC_URI[sha256sum] = "912dd7cc3b3e8a79c52fd7fb9c0f4ecf0aaa73e45efda880266a2d6e26b84ef5" PACKAGECONFIG ?= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}" PACKAGECONFIG[manpages] = ""
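Review bot: the rename to c-ares_1.34.6.bb together with the new SRC_URI[sha256sum] is the only place the CVE fix is recorded, and the commit message spells the id as "CVE 2025-62408", without the hyphen after "CVE", so a search of the branch history for "CVE-2025-62408" will not find this commit. Suggest writing the id in the standard hyphenated form in the commit message.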
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 03/11] cifs-utils: patch CVE-2025-2312 Date: Mon, 29 Dec 2025 15:51:44 +0100 Message-ID: <20251229145152.489068-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com> References: <20251229145152.489068-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 14:52:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122982 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312 Pick the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari --- .../cifs/cifs-utils/CVE-2025-2312.patch | 135 ++++++++++++++++++ .../recipes-support/cifs/cifs-utils_7.0.bb | 4 +- 2 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch new file mode 100644 index 0000000000..162e4cc4be --- /dev/null +++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch
@@ -0,0 +1,135 @@ +From 44312bbc9aaae39a88541abe7ab7700314d34047 Mon Sep 17 00:00:00 2001 +From: Ritvik Budhiraja +Date: Tue, 19 Nov 2024 06:07:58 +0000 +Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt + +NOTE: This patch is dependent on one of the previously sent patches: +[PATCH] CIFS: New mount option for cifs.upcall namespace resolution +which introduces a new mount option called upcall_target, to +customise the upcall behaviour. + +Building upon the above patch, the following patch adds functionality +to handle upcall_target as a mount option in cifs.upcall. It can have 2 values - +mount, app. +Having this new mount option allows the mount command to specify where the +upcall should happen: 'mount' for resolving the upcall to the host +namespace, and 'app' for resolving the upcall to the ns of the calling +thread. This will enable both the scenarios where the Kerberos credentials +can be found on the application namespace or the host namespace to which +just the mount operation is "delegated". +This aids use cases like Kubernetes where the mount +happens on behalf of the application in another container altogether. 
+ +Signed-off-by: Ritvik Budhiraja +Signed-off-by: Steve French + +CVE: CVE-2025-2312 +Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174] +Signed-off-by: Gyorgy Sarvari +--- + cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 47 insertions(+), 8 deletions(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 52c0328..0883afa 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -953,6 +953,13 @@ struct decoded_args { + #define MAX_USERNAME_SIZE 256 + char username[MAX_USERNAME_SIZE + 1]; + ++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */ ++ enum upcall_target_enum { ++ UPTARGET_UNSPECIFIED, /* not specified, defaults to app */ ++ UPTARGET_MOUNT, /* upcall to the mount namespace */ ++ UPTARGET_APP, /* upcall to the application namespace which did the mount */ ++ } upcall_target; ++ + uid_t uid; + uid_t creduid; + pid_t pid; +@@ -969,6 +976,7 @@ struct decoded_args { + #define DKD_HAVE_PID 0x20 + #define DKD_HAVE_CREDUID 0x40 + #define DKD_HAVE_USERNAME 0x80 ++#define DKD_HAVE_UPCALL_TARGET 0x100 + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC) + int have; + }; +@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg) + size_t len; + char *pos; + const char *tkn = desc; ++ arg->upcall_target = UPTARGET_UNSPECIFIED; + + do { + pos = index(tkn, ';'); +@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg) + } + arg->have |= DKD_HAVE_VERSION; + syslog(LOG_DEBUG, "ver=%d", arg->ver); ++ } else if (strncmp(tkn, "upcall_target=", 14) == 0) { ++ if (pos == NULL) ++ len = strlen(tkn); ++ else ++ len = pos - tkn; ++ ++ len -= 14; ++ if (len > MAX_UPCALL_STRING_LEN) { ++ syslog(LOG_ERR, "upcall_target= value too long for buffer"); ++ return 1; ++ } ++ if (strncmp(tkn + 14, "mount", 5) == 0) { ++ arg->upcall_target = UPTARGET_MOUNT; ++ syslog(LOG_DEBUG, 
"upcall_target=mount"); ++ } else if (strncmp(tkn + 14, "app", 3) == 0) { ++ arg->upcall_target = UPTARGET_APP; ++ syslog(LOG_DEBUG, "upcall_target=app"); ++ } else { ++ // Should never happen ++ syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app", ++ tkn + 14); ++ arg->upcall_target = UPTARGET_APP; ++ syslog(LOG_DEBUG, "upcall_target=app"); ++ } ++ arg->have |= DKD_HAVE_UPCALL_TARGET; + } + if (pos == NULL) + break; +@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[]) + * acceptably in containers, because we'll be looking at the correct + * filesystem and have the correct network configuration. + */ +- rc = switch_to_process_ns(arg->pid); +- if (rc == -1) { +- syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno)); +- rc = 1; +- goto out; ++ if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) { ++ syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread"); ++ rc = switch_to_process_ns(arg->pid); ++ if (rc == -1) { ++ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno)); ++ rc = 1; ++ goto out; ++ } ++ if (trim_capabilities(env_probe)) ++ goto out; ++ } else { ++ syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread"); + } + +- if (trim_capabilities(env_probe)) +- goto out; + + /* + * The kernel doesn't pass down the gid, so we resort here to scraping +@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[]) + * look at the environ file. + */ + env_cachename = +- get_cachename_from_process_env(env_probe ? arg->pid : 0); ++ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0); + + rc = setuid(uid); + if (rc == -1) { diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb index e2918503be..f86e7bd22b 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb 
+++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb 
@@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30" -SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \ + file://CVE-2025-2312.patch \ + " DEPENDS += "libtalloc"
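Review bot: in the upcall_target= branch added to __decode_key_description(), the value is matched by prefix only: strncmp(tkn + 14, "mount", 5) and strncmp(tkn + 14, "app", 3) accept any value that merely starts with "mount" or "app", and the check len > MAX_UPCALL_STRING_LEN still lets a 6-character value through although the define's comment counts the NUL in that 6. Compare the length as well (len == 5 for "mount", len == 3 for "app"). In the same branch the "Invalid upcall_target value: %s" message passes tkn + 14, and tkn is a const char * into desc that is not terminated at the ';' delimiter, so the message logs the rest of the key description; "%.*s" with (int)len would limit it to the value. As the file is marked Upstream-Status: Backport, these are best raised upstream rather than changed in the local copy.

Review bot: in the first main() hunk, trim_capabilities(env_probe) moves inside the UPTARGET_APP / UPTARGET_UNSPECIFIED branch, so on the upcall_target=mount path it is no longer called at all, where before the patch it ran unconditionally after the namespace switch. If the call is only needed after switching namespaces, a comment saying so would help; otherwise keep it after the if/else so both paths go through it.

Review bot: in the last main() hunk, get_cachename_from_process_env() receives arg->pid only when arg->upcall_target == UPTARGET_APP, but the enum comment says UPTARGET_UNSPECIFIED defaults to app and the namespace-switch condition earlier in main() treats both values alike. A key description without upcall_target= therefore still switches into the process namespace but no longer probes that process's environment even when env_probe is set. The condition should probably be arg->upcall_target != UPTARGET_MOUNT.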
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 04/11] cups-filters: patch CVE-2025-64524 Date: Mon, 29 Dec 2025 15:51:45 +0100 Message-ID: <20251229145152.489068-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com> References: <20251229145152.489068-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 14:52:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122983 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 056ee43dd1d0e46a9b40339e877a4bf76cf8196b) Signed-off-by: Gyorgy Sarvari --- .../cups/cups-filters/CVE-2025-64524.patch | 82 +++++++++++++++++++ .../cups/cups-filters_2.0.1.bb | 10 +-- 2 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch new file mode 100644 index 0000000000..b8338e333a --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch 
@@ -0,0 +1,82 @@ +From 4230ceaec8a6751f724a0d556ce4650d52a83a02 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +From: Zdenek Dohnal + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 + +CVE: CVE-2025-64524 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06] +Signed-off-by: Gyorgy Sarvari +--- + filter/rastertopclx.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index ded86f1..39cb378 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; + } + + // +@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, + "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", +@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress + + count = (line_ptr - start) 
/ 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + // + // Place mode 10 compression data in the buffer; each sequence + // starts with a command byte that looks like: diff --git a/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb b/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb index e488bd3039..a6eedda5d7 100644 --- a/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb +++ b/meta-oe/recipes-printing/cups/cups-filters_2.0.1.bb 
@@ -5,11 +5,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6d5b952b53dbe7752199903d082e5f07" DEPENDS = "libcupsfilters libppd glib-2.0 poppler" -SRC_URI = " \ - https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ - file://fix-make-race.patch \ - file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \ -" +SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ + file://fix-make-race.patch \ + file://0001-Fix-build-failure-with-GCC-15-and-std-c23.patch \ + file://CVE-2025-64524.patch \ + " SRC_URI[sha256sum] = "39e71de3ce06762b342749f1dc7cba6817738f7bf4d322c1bb9ab10b8569ab80" UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups-filters/releases"
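Review bot: in the StartPage() hunk, the size passed to calloc is still computed as DotBufferSize * 4 before the call, and neither CompBuffer nor SeedBuffer is checked for NULL in the lines shown. Writing calloc(DotBufferSize, 4) would let calloc reject an overflowing product, and a NULL check belongs right after each allocation.

Review bot: in the third CompressData() hunk, count is (line_ptr - start) / 3, so the added if (count == 0) break; also fires when one or two bytes were consumed, not only when nothing was. The three added checks share the same comment text; the comment on this one should say whether leaving the loop with those bytes unprocessed is intended.

Review bot: the cups-filters_2.0.1.bb hunk re-indents the whole SRC_URI assignment in addition to adding file://CVE-2025-64524.patch. On a stable branch, adding the single line and leaving the existing layout alone would keep the diff to the security-relevant change and reduce conflicts with later cherry-picks, if the cherry-picked commit allows it.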
:message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mNqkLWwaQVF2sWtDCDHdH47N+OZoPQ2XuEL74CY2Zzg=; b=e+8vcaE/T+HUUyXzm0aU6/R6xjQVkF5ju6kMxE6odQ0ilnRT1IuPmttIZEMciDOa5E J+RfTkIbCWwSMQ3VC/WM/y4cZwKAxLoxjKOpMFnU+GlrkvN02yP7SPlQrXg1kiERTO60 CdofNPquJ027psj5KfMkN2tEWc1gkF8/5IuDTR2Rr//BCADTeS9NFs3wJfTUGw3gMwve b0QRET6dmBzXnXo5knq7N8YgMGmUMvveyG3zGWhnRMZar2FRrRPnbbcHlTtXSNlswdki 4lJdEOacYr+JanGfbMpVU7YcAucN9TYHooet4zo4ab89HIj9flBF/9Nv8dG7Lds/4MxN 1ONA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767019916; x=1767624716; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=mNqkLWwaQVF2sWtDCDHdH47N+OZoPQ2XuEL74CY2Zzg=; b=CRxekAOqb99ilGPGKRGvxvhCLmy+c+8qeobqfj9oL8X7srGkQkMgZSzEJQf3tmUbvF SEb4CVBdXV1jRVL5Mh9H/T8Td1nj+M7vwqWzzJwXXNXlzbNKAKu2v1Yz8cHBJN4jVoVN GTsK2dOZWzusg45/ND/WAUqTAdzncjFN34Ioyp0DBB3rmwa4cTNT9hqYZkBWN2lvmeBF Qady9G9dHL2PkTT9GbNrAe9fAc+rVFZMC624beSfVGR/ZfgSgxUKK/TH6J3GoZdWwuPv zK2u+iGFXDeuzqKPOgg6KpMihPBOo2ncxBtjVmQL7CRBNADiXflfHqTvQfV6Y0QGOGdl HbCA== X-Gm-Message-State: AOJu0YzDOBq3cUyK+K5OkKHd0SC/dXmJmcR4PGfEyNSmP8hu3vkMcNga 3RoCdiXoCS303PmjVOgvMJLFKcF8tzsAcxLUiZLDRNPCGKJkRaM54/iXPXaYxQ== X-Gm-Gg: AY/fxX7p4oiucZzqv0MerE/p12cqVYoI2IihZMDK9Gddnj+2wGVbGhyENsQLPcoSiVk mKBmT2Wbc989tD6FeGZF+K+JLyP9GsketVyL8C9hYHsmrtpjbzLvYZsD9bppP7GZTZb7Nr8hzkn JF9zbLmOA5xwtSEZ1eiBaQHUSXUysOa1B03J1JFoF45EDxnSHWhekWNfdejZmy4JJoCcUZiQlVh XOMg9Z21Fp1DBSDcbRZMl9XCQ7hltuiYQjAFPSigjl6pyjFdiSOhz9TuFyLtHBuwyKraeyuwiw2 6eCE/bGy6hgSVDqnwcBmClydH+vEJx3IfU7sJGGiv39abxG7gnAGMWLRbPuqm6xWJ9TEYIz4Ms7 ieHuVWoOFiqiXh2F1ggnmpqLm20IzMehMM/JjvVXTYBlqdkisi0e4dgOZvA2tTsdnSDr6rQKRr0 Yklr+GC/wv X-Google-Smtp-Source: AGHT+IGokBNYKqECivUGF9BbaMSJDqgqHsoFp+yzVqzy4IdQxzKLfWk2uEpalgqSId8AlESHCN9+jQ== X-Received: by 2002:a05:600c:b99:b0:479:3a86:dc1c with SMTP id 5b1f17b1804b1-47d195a6369mr338854215e9.36.1767019915949; 
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][whinlatter][PATCH 05/11] dovecot: patch CVE-2025-30189
Date: Mon, 29 Dec 2025 15:51:46 +0100
Message-ID: <20251229145152.489068-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
References: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122984

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-30189

Pick the patches referenced by the advisory[1] from the Full Disclosure list.

[1]: https://seclists.org/fulldisclosure/2025/Oct/29

Signed-off-by: Gyorgy Sarvari --- .../dovecot/dovecot/CVE-2025-30189-1.patch | 128 ++++++++++++++++++ .../dovecot/dovecot/CVE-2025-30189-2.patch | 51 +++++++ .../dovecot/dovecot/CVE-2025-30189-3.patch | 36 +++++ .../dovecot/dovecot/CVE-2025-30189-4.patch | 72 ++++++++++ .../dovecot/dovecot/CVE-2025-30189-5.patch | 31 +++++ .../dovecot/dovecot/CVE-2025-30189-6.patch | 88 ++++++++++++ .../dovecot/dovecot/CVE-2025-30189-7.patch | 76 +++++++++++ .../dovecot/dovecot_2.4.1-4.bb | 7 + 8 files changed, 489 insertions(+) create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-1.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-2.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-3.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-4.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-5.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-6.patch create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-7.patch diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-1.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-1.patch new file mode 100644 index 0000000000..ee0d181b1e --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-1.patch 
@@ -0,0 +1,128 @@ +From 2bd173264093021372506a89793456dcc42f4248 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 08:16:52 +0300 +Subject: [PATCH] auth: Use AUTH_CACHE_KEY_USER instead of per-database + constants + +Fixes cache key issue where users would end up overwriting +each other in cache due to cache key being essentially static +string because we no longer support %u. + +Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8 + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/a70ce7d3e2f983979e971414c5892c4e30197231] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-settings.h | 2 ++ + src/auth/passdb-bsdauth.c | 4 +--- + src/auth/passdb-oauth2.c | 2 +- + src/auth/passdb-pam.c | 3 ++- + src/auth/passdb-passwd.c | 3 +-- + src/auth/userdb-passwd.c | 3 +-- + 6 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h +index 1d420ec..90aba17 100644 +--- a/src/auth/auth-settings.h ++++ b/src/auth/auth-settings.h +@@ -1,6 +1,8 @@ + #ifndef AUTH_SETTINGS_H + #define AUTH_SETTINGS_H + ++#define AUTH_CACHE_KEY_USER "%{user}" ++ + struct master_service; + struct master_service_settings_output; + +diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c +index 6829267..1b86da4 100644 +--- a/src/auth/passdb-bsdauth.c ++++ b/src/auth/passdb-bsdauth.c +@@ -14,8 +14,6 @@ + #include + #include + +-#define BSDAUTH_CACHE_KEY "%u" +- + struct passdb_bsdauth_settings { + pool_t pool; + }; +@@ -104,7 +102,7 @@ bsdauth_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields( +- pool, BSDAUTH_CACHE_KEY, &post_set->fields, "bsdauth"); ++ pool, AUTH_CACHE_KEY_USER, &post_set->fields, "bsdauth"); + + settings_free(post_set); + *module_r = module; +diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c +index 96d902d..91fed06 100644 +--- a/src/auth/passdb-oauth2.c 
++++ b/src/auth/passdb-oauth2.c +@@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r + if (db_oauth2_init(event, TRUE, &module->db, error_r) < 0) + return -1; + module->module.default_pass_scheme = "PLAIN"; +- module->module.default_cache_key = "%u"; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } +diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c +index 2acbceb..fdf0f57 100644 +--- a/src/auth/passdb-pam.c ++++ b/src/auth/passdb-pam.c +@@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event, + module = p_new(pool, struct pam_passdb_module, 1); + module->module.default_cache_key = + auth_cache_parse_key_and_fields(pool, +- t_strdup_printf("%%u/%s", set->service_name), ++ t_strdup_printf("%"AUTH_CACHE_KEY_USER"\t%s", ++ set->service_name), + &post_set->fields, "pam"); + module->requests_left = set->max_requests; + module->pam_setcred = set->setcred; +diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c +index 1300315..22e2eae 100644 +--- a/src/auth/passdb-passwd.c ++++ b/src/auth/passdb-passwd.c +@@ -10,7 +10,6 @@ + #include "safe-memset.h" + #include "ipwd.h" + +-#define PASSWD_CACHE_KEY "%u" + #define PASSWD_PASS_SCHEME "CRYPT" + + #undef DEF +@@ -142,7 +141,7 @@ static int passwd_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields(pool, +- PASSWD_CACHE_KEY, ++ AUTH_CACHE_KEY_USER, + &post_set->fields, + "passwd"); + settings_free(post_set); +diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c +index 5241129..14cf90a 100644 +--- a/src/auth/userdb-passwd.c ++++ b/src/auth/userdb-passwd.c +@@ -9,7 +9,6 @@ + #include "ipwd.h" + #include "time-util.h" + +-#define USER_CACHE_KEY "%u" + #define PASSWD_SLOW_WARN_MSECS (10*1000) + #define PASSWD_SLOW_MASTER_WARN_MSECS 50 + #define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100 +@@ 
-225,7 +224,7 @@ static int passwd_preinit(pool_t pool, struct event *event ATTR_UNUSED, + struct passwd_userdb_module *module = + p_new(pool, struct passwd_userdb_module, 1); + +- module->module.default_cache_key = USER_CACHE_KEY; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-2.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-2.patch new file mode 100644 index 0000000000..fa1f6fc756 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-2.patch 
@@ -0,0 +1,51 @@ +From ca932f18061b643c19bae839ba3990bb16e51837 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Wed, 30 Jul 2025 09:42:20 +0300 +Subject: [PATCH] auth: auth-cache - Refactor auth_cache_parse_key_and_fields() + +Call auth_cache_parse_key_exclude() at the function end, +simplifies next commit. + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/c45ce2c073c9439a9d6366016cb4d41059d737f0] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 360ad8b..3ccd45f 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -129,20 +129,18 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (array_is_empty(fields)) +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); +- +- string_t *full_query = t_str_new(128); +- str_append(full_query, query); +- +- unsigned int i, count; +- const char *const *str = array_get(fields, &count); +- for (i = 0; i < count; i += 2) { +- str_append_c(full_query, '\t'); +- str_append(full_query, str[i + 1]); ++ if (!array_is_empty(fields)) { ++ unsigned int i, count; ++ const char *const *str = array_get(fields, &count); ++ string_t *full_query = t_str_new(128); ++ str_append(full_query, query); ++ for (i = 0; i < count; i += 2) { ++ str_append_c(full_query, '\t'); ++ str_append(full_query, str[i + 1]); ++ } ++ query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, str_c(full_query), +- exclude_driver); ++ return auth_cache_parse_key_exclude(pool, query, exclude_driver); + } + + static void diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-3.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-3.patch new file mode 100644 index 0000000000..069a4e724f 
--- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-3.patch @@ -0,0 +1,36 @@ +From 74c526047ffcecc40485df784294b27cedf66136 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:48:43 +0300 +Subject: [PATCH] auth: auth-cache - Deduplicate auth_cache_parse_key() to use + auth_cache_parse_key_and_fields() + +Simplifies following commit + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/759ee1af848480987d012de2f7135160156724b6] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 3ccd45f..ad8cbe5 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -122,14 +122,14 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + char *auth_cache_parse_key(pool_t pool, const char *query) + { +- return auth_cache_parse_key_exclude(pool, query, NULL); ++ return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); + } + + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (!array_is_empty(fields)) { ++ if (fields != NULL && !array_is_empty(fields)) { + unsigned int i, count; + const char *const *str = array_get(fields, &count); + string_t *full_query = t_str_new(128); diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-4.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-4.patch new file mode 100644 index 0000000000..367debca52 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-4.patch 
@@ -0,0 +1,72 @@ +From e0a7cb4b1e0ccdc95a717567818d924ce2888ca3 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:51:16 +0300 +Subject: [PATCH] auth: auth-cache - Change auth_cache_parse_key_exclude() to + return error + +Simplifies following commit + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/d12bb78b5a235f31c9d5a655bd223c28d44bcadb] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index ad8cbe5..407e5d4 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -64,8 +64,10 @@ static void auth_cache_key_add_tab_idx(string_t *str, unsigned int i) + str_append_c(str, '}'); + } + +-static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, +- const char *exclude_driver) ++static int auth_cache_parse_key_exclude(pool_t pool, const char *query, ++ const char *exclude_driver, ++ char **cache_key_r, ++ const char **error_r) + { + string_t *str; + bool key_seen[AUTH_REQUEST_VAR_TAB_COUNT]; +@@ -76,9 +78,9 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + struct var_expand_program *prog; + if (var_expand_program_create(query, &prog, &error) < 0) { +- e_debug(auth_event, "auth-cache: var_expand_program_create('%s') failed: %s", +- query, error); +- return p_strdup(pool, ""); ++ *error_r = t_strdup_printf("var_expand_program_create(%s) failed: %s", ++ query, error); ++ return -1; + } + + const char *const *vars = var_expand_program_variables(prog); +@@ -117,7 +119,8 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + var_expand_program_free(&prog); + +- return p_strdup(pool, str_c(str)); ++ *cache_key_r = p_strdup(pool, str_c(str)); ++ return 0; + } + + char *auth_cache_parse_key(pool_t pool, const char *query) +@@ -140,7 +143,15 @@ char 
*auth_cache_parse_key_and_fields(pool_t pool, const char *query, + } + query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); ++ ++ char *cache_key; ++ const char *error; ++ if (auth_cache_parse_key_exclude(pool, query, exclude_driver, ++ &cache_key, &error) < 0) { ++ e_debug(auth_event, "auth-cache: %s", error); ++ cache_key = p_strdup(pool, ""); ++ } ++ return cache_key; + } + + static void diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-5.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-5.patch new file mode 100644 index 0000000000..8a7692efe2 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-5.patch @@ -0,0 +1,31 @@ +From b2d817db6c2a7229c9e3c4ccf8565acdd6f9a4c0 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:52:36 +0300 +Subject: [PATCH] auth: auth-cache - Treat cache key parsing errors as fatals + +Avoids accidentically turning off caching + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/20d15baa071747f91176eb3115235aa8c78a3d11] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 407e5d4..be56934 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -147,10 +147,8 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + char *cache_key; + const char *error; + if (auth_cache_parse_key_exclude(pool, query, exclude_driver, +- &cache_key, &error) < 0) { +- e_debug(auth_event, "auth-cache: %s", error); +- cache_key = p_strdup(pool, ""); +- } ++ &cache_key, &error) < 0) ++ i_fatal("auth-cache: %s", error); + return cache_key; + } + 
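Review bot: The i_fatal("auth-cache: %s", error) call added in the CVE-2025-30189-5.patch hunk changes what happens to a key that fails to parse in auth_cache_parse_key_and_fields(): instead of a debug line and an empty cache key, the process now exits. Combined with the "Cache key must contain at least one variable" error that CVE-2025-30189-6.patch adds, and whose test table lists "%u" as a rejected input, that is an operator-visible behaviour change on a stable branch; please state it in this backport's commit message so that anyone still carrying an old-syntax key knows to expect a startup failure rather than a quiet fallback.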
diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-6.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-6.patch new file mode 100644 index 0000000000..58537ed768 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-6.patch 
@@ -0,0 +1,88 @@ +From 73bf352efaf3ab5f685bc3b34c6780dca79b9318 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:41:03 +0300 +Subject: [PATCH] auth: auth-cache - Require cache key to contain at least one + variable + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/0172f8e8c55aff42c688633b2891cf157641366b] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 7 +++++++ + src/auth/test-auth-cache.c | 37 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index be56934..32959f5 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + const char *const *vars = var_expand_program_variables(prog); + str = t_str_new(32); + ++ if (*vars == NULL && *query != '\0') { ++ var_expand_program_free(&prog); ++ *error_r = t_strdup_printf("%s: Cache key must contain at least one variable", ++ query); ++ return -1; ++ } ++ + for (; *vars != NULL; vars++) { + /* ignore any providers */ + if (strchr(*vars, ':') != NULL && +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index 46836de..b36d83e 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void) + tests[i].in); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } ++ ++ test_end(); ++} ++ ++static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) ++{ ++ if (i == 0) ++ test_begin("auth cache missing variable"); ++ ++ /* ensure that we do not accept static string */ ++ static const struct { ++ const char *in, *out; ++ } tests_bad[] = { ++ { "%u", "auth-cache: %u: Cache key must contain at least one variable" }, ++ { "foobar", "auth-cache: foobar: Cache key must contain at least one variable" }, ++ { "%{test", "auth-cache: 
var_expand_program_create(%{test) " \ ++ "failed: syntax error, unexpected end of file, " \ ++ "expecting CCBRACE or PIPE" }, ++ }; ++ ++ if (i < N_ELEMENTS(tests_bad)) { ++ test_expect_fatal_string(tests_bad[i].out); ++ (void)auth_cache_parse_key(pool_datastack_create(), ++ tests_bad[i].in); ++ return FATAL_TEST_FAILURE; ++ } ++ + test_end(); ++ return FATAL_TEST_FINISHED; + } + + int main(void) +@@ -108,7 +136,14 @@ int main(void) + test_auth_cache_parse_key, + NULL + }; +- int ret = test_run(test_functions); ++ ++ static test_fatal_func_t *const fatal_functions[] = { ++ test_cache_key_missing_variable, ++ NULL, ++ }; ++ ++ int ret = test_run_with_fatals(test_functions, fatal_functions); ++ + event_unref(&auth_event); + return ret; + } diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-7.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-7.patch new file mode 100644 index 0000000000..2e00c79e91 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2025-30189-7.patch 
@@ -0,0 +1,76 @@ +From f9f3daf58d2fb43e3bb68bead0309ed41a6b6c40 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 12:00:57 +0300 +Subject: [PATCH] auth: auth-cache - Drop auth_cache_parse_key() + +It's only used by tests and can now just call +auth_cache_parse_key_and_fields(). + +CVE: CVE-2025-30189 +Upstream-Status: Backport [https://github.com/dovecot/core/commit/34caed79b76a7b82a2a9c94cf35371bec6c2b826] +Signed-off-by: Gyorgy Sarvari +--- + src/auth/auth-cache.c | 5 ----- + src/auth/auth-cache.h | 6 ++---- + src/auth/test-auth-cache.c | 8 ++++---- + 3 files changed, 6 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 32959f5..82cc0d5 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -130,11 +130,6 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + return 0; + } + +-char *auth_cache_parse_key(pool_t pool, const char *query) +-{ +- return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); +-} +- + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) +diff --git a/src/auth/auth-cache.h b/src/auth/auth-cache.h +index 9bdb918..d63621b 100644 +--- a/src/auth/auth-cache.h ++++ b/src/auth/auth-cache.h +@@ -16,10 +16,8 @@ struct auth_cache_node { + struct auth_cache; + struct auth_request; + +-/* Parses all %x variables from query and compresses them into tab-separated +- list, so it can be used as a cache key. */ +-char *auth_cache_parse_key(pool_t pool, const char *query); +-/* Same as auth_cache_parse_key(), but add also variables from "fields", ++/* Parses all %variables from query and compresses them into tab-separated ++ list, so it can be used as a cache key. 
Adds also variables from "fields", + except variables prefixed with ":" */ + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index b36d83e..f58c21f 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -93,8 +93,8 @@ static void test_auth_cache_parse_key(void) + test_begin("auth cache parse key"); + + for (i = 0; i < N_ELEMENTS(tests); i++) { +- cache_key = auth_cache_parse_key(pool_datastack_create(), +- tests[i].in); ++ cache_key = auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests[i].in, NULL, NULL); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } + +@@ -119,8 +119,8 @@ static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) + + if (i < N_ELEMENTS(tests_bad)) { + test_expect_fatal_string(tests_bad[i].out); +- (void)auth_cache_parse_key(pool_datastack_create(), +- tests_bad[i].in); ++ (void)auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests_bad[i].in, NULL, NULL); + return FATAL_TEST_FAILURE; + } + diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb index 40cf991ae1..09583f1694 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.4.1-4.bb 
@@ -15,6 +15,13 @@ SRC_URI = "http://dovecot.org/releases/2.4/dovecot-${PV}.tar.gz \ file://dovecot.socket \ file://0001-m4-Check-for-libunwind-instead-of-libunwind-generic.patch \ file://fix-musl-compilation.patch \ + file://CVE-2025-30189-1.patch \ + file://CVE-2025-30189-2.patch \ + file://CVE-2025-30189-3.patch \ + file://CVE-2025-30189-4.patch \ + file://CVE-2025-30189-5.patch \ + file://CVE-2025-30189-6.patch \ + file://CVE-2025-30189-7.patch \ " SRC_URI[sha256sum] = "fb188603f419ed7aaa07794a8692098c3ec2660bb9c67d0efe24948cbb32ae00"
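
Review bot: In the passdb-pam.c hunk of CVE-2025-30189-1.patch, the format string "%"AUTH_CACHE_KEY_USER"\t%s" works only because the macro expands to a literal that itself begins with '%', so the two adjacent percent signs form a printf "%%" escape; the same line also changes the separator between the user variable and the service name from '/' to a tab, which the embedded commit message does not mention. Please check the line against upstream commit a70ce7d3e2f983979e971414c5892c4e30197231 and mention the separator change in this backport's message, since it alters the string handed to auth_cache_parse_key_and_fields() for PAM.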
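
Review bot: In CVE-2025-30189-6.patch, the new guard if (*vars == NULL && *query != '\0') in auth_cache_parse_key_exclude() sits before the loop that carries the "ignore any providers" comment, so it counts every variable the parser returns, including any that the loop then skips. Please confirm that a query whose only variables are skipped there cannot still end up as a constant key, and consider a tests_bad entry for that case next to "%u" and "foobar"; the guard also lets an empty query through, which deserves a one-line comment saying that this is intentional.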
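
Review bot: The SRC_URI hunk in dovecot_2.4.1-4.bb adds seven patches under one CVE id, but the commit message does not say which of them carry the fix. Going by the embedded subjects, -1, -5 and -6 change behaviour, -2 to -4 are preparatory refactors ("Simplifies following commit"), and -7 drops auth_cache_parse_key(), which its own message says is only used by tests; a sentence stating that split, and why the -7 cleanup is wanted on a stable branch, would help whoever next rebases this recipe.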

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 06/11] fio: ignore CVE-2025-10824
Date: Mon, 29 Dec 2025 15:51:47 +0100
Message-ID: <20251229145152.489068-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
References: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122985

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824

The upstream maintainer wasn't able to reproduce the issue[1], and the related bug is closed without further action.

[1]: https://github.com/axboe/fio/issues/1981

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99)
Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-benchmark/fio/fio_3.39.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-benchmark/fio/fio_3.39.bb b/meta-oe/recipes-benchmark/fio/fio_3.39.bb index 4a94aadf42..2ca52aaecf 100644 --- a/meta-oe/recipes-benchmark/fio/fio_3.39.bb +++ b/meta-oe/recipes-benchmark/fio/fio_3.39.bb
@@ -45,3 +45,5 @@ do_install() { install -d ${D}/${docdir}/${PN} cp -R --no-dereference --preserve=mode,links -v ${S}/examples ${D}/${docdir}/${PN}/ } + +CVE_STATUS[CVE-2025-10824] = "disputed: Maintainer could not reproduce the issue, issue is closed without change."
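
Review bot: The added CVE_STATUS[CVE-2025-10824] line states the reason but not the evidence: the upstream issue link (https://github.com/axboe/fio/issues/1981) appears only in the commit message. Please put it in a comment directly above the assignment so that the justification stays with the recipe when someone re-evaluates this CVE on a later fio version.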

From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 07/11] tigervnc: fix typo in CVE_STATUS
Date: Mon, 29 Dec 2025 15:51:48 +0100
Message-ID: <20251229145152.489068-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
References: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122986

Forgot to add the CVE- prefix in previous patch.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 2f913279d4926ab92b97ffbb7c53031835b393bd)
Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb index d3159f8a88..53832939e1 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb
@@ -86,4 +86,4 @@ FILES:${PN} += " \ SYSTEMD_SERVICE:${PN} = "vncserver@.service" -CVE_STATUS[2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.15.0)" +CVE_STATUS[CVE-2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.15.0)"
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767019918; x=1767624718; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=BWBUaW6mmto1cO0+pwC/vjcXdnP8afje7128VOI+mWY=; b=mf0AoSENWEiMbfZd7OxK6MfdiBfHdj+55vzpPaZFN7+4ieq2XR7hki+vguIUdJOxio 7z8B0wtkEWXuQVZpJ0RH6FRcdKm1ErwuQxYHU3aKuEFoabdiiUB0a6/CAxTRp02nkco4 99R5V4hSU7MudzzY4K7+HYLNLte/hcmKNafr9gOzX64wRKYIXIosBU04JtdydArTPPDZ ZJteHDDegue9Xjj9czNKhT736EXxgcLgFT5pbmFcdKDKsbA+nM/UNYkxs5kae92Fl6vR Xxks0p8u3rmmIT9ZNNIlP8X8t0IS5kcHBeU2wpM25BMdbZeL4aHJKXeGxqsLT8/lr1Cc o6wQ== X-Gm-Message-State: AOJu0YzjeNFQqUVNdy7bLTCSAMZRLrXBcwcm1dN8Os8qwgJITVS4/mIE 63xmPawBtL5wbNxW19PRD+otUpOah5rB/Tn3jcxrDzdoz9f0WYLbldEUV8FTOg== X-Gm-Gg: AY/fxX4EFoArcFNQDQzOvJtnbmS34Sb2wWw7fOElliIk8AiUfbqKEgmiIzsurGfoyFi BEFAvnDbNcDzKodSzFBjDQEYmirRQJajQ88kDObv+nWjbHKE+XLZZsGtgRSH1crtcPxj8Jv0L+z CcljveFqywSDiMZJx5klYdLeXNnRqNS8BoZKHobkaMytIvE+hY9/7kGRPeO+GGpYeLEfNzkYzmu vT7FpjYztdqU4YWmO09zKHxG80VtuyNsAfrpXeWM8aqH/VEX8OuVk/K43Rwa08GRemmuQ6XQSoQ 3d86f7qWhVZ0jZw1EWl/t7+XtvbFJ4ctg90ruNHKASjlEtJlE/ao6yZMgXVXr7tpSOjNsY8JIsM D1wk7506cS+z/TgM/n0MFZpkWR+tHZvK6g6+Bq9hy+qUraKfVWdyYlPXRhl7HR3ZPR+l0QF7czl 9m6XbEAmRL X-Google-Smtp-Source: AGHT+IGwyf4+BHV8fv/H2S9Npxyjcg3z2GuPyZDCsui1BOl0mL68nVWRu33qAKvvsWHpqLGNKhLJ1w== X-Received: by 2002:a5d:5d86:0:b0:431:fc:694a with SMTP id ffacd0b85a97d-4324e4c71bbmr43517044f8f.12.1767019917886; Mon, 29 Dec 2025 06:51:57 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4324ea1af20sm59449884f8f.2.2025.12.29.06.51.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Dec 2025 06:51:57 -0800 (PST) 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 08/11] tigervnc: sync xserver code with oe-core Date: Mon, 29 Dec 2025 15:51:49 +0100 Message-ID: <20251229145152.489068-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com> References: <20251229145152.489068-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 14:52:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122987 TigerVNC compiles its own xserver. Synchronize the xserver version with oe-core. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit fadb9c05709dae9e817a50e4d99093d4e2937933) Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb index 53832939e1..0adaf70b98 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb 
@@ -26,10 +26,10 @@ SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.15-branch;protocol=ht # Keep sync with xorg-server in oe-core XORG_PN ?= "xorg-server" -XORG_PV ?= "21.1.16" +XORG_PV ?= "21.1.18" SRC_URI += "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${XORG_PV}.tar.xz;name=xorg" XORG_S = "${UNPACKDIR}/${XORG_PN}-${XORG_PV}" -SRC_URI[xorg.sha256sum] = "b14a116d2d805debc5b5b2aac505a279e69b217dae2fae2dfcb62400471a9970" +SRC_URI[xorg.sha256sum] = "c878d1930d87725d4a5bf498c24f4be8130d5b2646a9fd0f2994deff90116352" # It is the directory containing the Xorg source for the # machine on which you are building TigerVNC.

From patchwork Mon Dec 29 14:51:50 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77612
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 09/11] tigervnc: ignore CVE-2023-6377
Date: Mon, 29 Dec 2025 15:51:50 +0100
Message-ID: <20251229145152.489068-9-skandigraun@gmail.com>
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122988

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6377

TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver.

The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/a7bda3080d2b44eae668cdcec7a93095385b9652

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit f691f2178b15eec22f09a1c17b9945fad4e330e6)
Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb index 0adaf70b98..4455050631 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb
@@ -87,3 +87,4 @@ FILES:${PN} += " \ SYSTEMD_SERVICE:${PN} = "vncserver@.service" CVE_STATUS[CVE-2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.15.0)" +CVE_STATUS[CVE-2023-6377] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)"

From patchwork Mon Dec 29 14:51:51 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77618
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 10/11] tigervnc: ignore CVE-2023-6478
Date: Mon, 29 Dec 2025 15:51:51 +0100
Message-ID: <20251229145152.489068-10-skandigraun@gmail.com>
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122990

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-6478

TigerVNC compiles its own xserver, this is why this CVE is associated with it - despite the vulnerability being in xserver.

The vulnerability was fixed by [1] (from the nvd report), which has been backported[2] to the xserver version used by the recipe - so ignore the CVE, since it's patched already.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
[2]: https://gitlab.freedesktop.org/xorg/xserver/-/commit/58e83c683950ac9e253ab05dd7a13a8368b70a3c

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 62a78f8ba7c8bd229cc82cf81bcc6a6d8116ebca)
Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb index 4455050631..89704f421d 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb
@@ -88,3 +88,4 @@ SYSTEMD_SERVICE:${PN} = "vncserver@.service" CVE_STATUS[CVE-2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.15.0)" CVE_STATUS[CVE-2023-6377] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2023-6478] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)"

From patchwork Mon Dec 29 14:51:52 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77609
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 11/11] tigervnc: ignore CVE-2025-26594...26601
Date: Mon, 29 Dec 2025 15:51:52 +0100
Message-ID: <20251229145152.489068-11-skandigraun@gmail.com>
In-Reply-To: <20251229145152.489068-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122989

Ignore the following CVEs: CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-26594
https://nvd.nist.gov/vuln/detail/CVE-2025-26595
https://nvd.nist.gov/vuln/detail/CVE-2025-26596
https://nvd.nist.gov/vuln/detail/CVE-2025-26597
https://nvd.nist.gov/vuln/detail/CVE-2025-26598
https://nvd.nist.gov/vuln/detail/CVE-2025-26599
https://nvd.nist.gov/vuln/detail/CVE-2025-26600
https://nvd.nist.gov/vuln/detail/CVE-2025-26601

TigerVNC compiles its own xserver, this is why these CVEs are associated with it - despite the vulnerabilities being in xserver.

All of these vulnerabilities were fixed by the same PR[1], which has been part of xserver since version 21.1.16 (the currently used xserver version in TigerVNC is 21.1.18).

Due to this, ignore these vulnerabilities, and just mark them as patched.

[1]: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1830

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 4924e89bb77fe5486063229c50039a458d60f8ea)
Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb index 89704f421d..9fb7abf8f3 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.15.0.bb @@ -89,3 +89,11 @@ SYSTEMD_SERVICE:${PN} = "vncserver@.service" CVE_STATUS[CVE-2014-8241] = "fixed-version: The vulnerable code is not present in the used version (1.15.0)" CVE_STATUS[CVE-2023-6377] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" CVE_STATUS[CVE-2023-6478] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26594] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26595] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26596] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26597] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26598] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26599] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26600] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)" +CVE_STATUS[CVE-2025-26601] = "fixed-version: The vulnerable code is not present in the used xserver version (21.1.18)"
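
Review bot: on [PATCH 08/11], the XORG_PV bump from "21.1.16" to "21.1.18" relies on the manual "# Keep sync with xorg-server in oe-core" comment, and neither the hunk nor the commit message says which oe-core branch or commit carries 21.1.18. Since this is a whinlatter backport, please name the oe-core revision being matched in the commit message, so a reviewer can confirm that both the version and the new SRC_URI[xorg.sha256sum] value were taken from the oe-core xorg-server recipe rather than computed locally.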
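
Review bot: on [PATCH 09/11], the added CVE_STATUS[CVE-2023-6377] line uses the fixed-version status, which cve-check reports as Patched, while the subject and message say "ignore"; a subject such as "mark CVE-2023-6377 as patched" would match what the line does. The justification (the upstream fix and its backport, links [1] and [2]) lives only in the commit message, and the reason string just repeats the current version, so a short comment above the line pointing at the backport commit would keep the evidence in the recipe. The same applies to the CVE_STATUS[CVE-2023-6478] line added by [PATCH 10/11].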
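
Review bot: on [PATCH 11/11], the eight added CVE_STATUS lines give "(21.1.18)" as the reason, but the commit message says the fixes have been part of xserver since 21.1.16, which is the value XORG_PV had before this series bumped it. Recording the first fixed release in the string (for example "fixed in xserver 21.1.16") would state the actual evidence and would not go stale at the next XORG_PV bump, whereas the literal 21.1.18 has to be edited in every line each time. The eight lines are otherwise identical, so a CVE_STATUS_GROUPS entry with one shared status would cut the repetition and leave a single string to maintain.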