From patchwork Mon Jan 5 10:02:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77994 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 01/17] civetweb: ignore CVE-2025-9648 Date: Mon, 5 Jan 2026 11:02:21 +0100 Message-ID: <20260105100237.3081345-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123132 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-9648 It is already fixed in the currently used version. Also, update CVE-2025-55763's status to "fixed-version" (so it will be marked as "Patched" in the CVE report instead of "Ignored") Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit bfb76da63bd141173aeb71ce91c336b8aa557a5f) Signed-off-by: Gyorgy Sarvari --- meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb index 1d0207edb1..0e13bc6deb 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb 
@@ -10,7 +10,8 @@ SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ " -CVE_STATUS[CVE-2025-55763] = "cpe-incorrect: The vulnerability is fixed in the used revision" +CVE_STATUS[CVE-2025-55763] = "fixed-version: The vulnerability is fixed in the used revision" +CVE_STATUS[CVE-2025-9648] = "fixed-version: The vulnerability is fixed in the used revision" # civetweb supports building with make or cmake (although cmake lacks few features) inherit cmake From patchwork Mon Jan 5 10:02:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77998 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79EDDC2A08A for ; Mon, 5 Jan 2026 10:02:49 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.61163.1767607362007324038 for ; Mon, 05 Jan 2026 02:02:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=eEfy7saN; spf=pass (domain: gmail.com, ip: 209.85.128.53, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-47d1d8a49f5so69090915e9.3 for ; Mon, 05 Jan 2026 02:02:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767607360; x=1768212160; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZNRk3+Q5c7jAj6Aec+cJSMTmlVgJY5jvtYI7hoTwtig=; 
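Review bot: both CVE_STATUS entries in the civetweb_1.16.bb hunk give the same reason, "The vulnerability is fixed in the used revision", without saying which upstream commit carries each fix. Because fixed-version makes the CVE report show these as "Patched", the claim should be checkable from the recipe itself: name the fixing commit (or the first fixed release) for CVE-2025-55763 and for CVE-2025-9648, either in the reason text or in a comment above the two lines.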
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 02/17] fetchmail: patch CVE-2025-61962 Date: Mon, 5 Jan 2026 11:02:22 +0100 Message-ID: <20260105100237.3081345-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123133 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal (cherry picked from commit 0d9da1105276f04cb23046de5f31fc75f09e2e89) Signed-off-by: Gyorgy Sarvari --- .../fetchmail/fetchmail/CVE-2025-61962.patch | 51 +++++++++++++++++++ .../fetchmail/fetchmail_6.5.2.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch b/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch new file mode 100644 index 0000000000..e7555021e4 --- /dev/null +++ b/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch 
@@ -0,0 +1,51 @@ +From 7860cf0689f8bd828bdd6e7116c6670416ead6d7 Mon Sep 17 00:00:00 2001 +From: Matthias Andree +Date: Fri, 3 Oct 2025 13:11:59 +0200 +Subject: [PATCH] Security fix: avoid NULL+1 deref on invalid AUTH reply + +When fetchmail receives a 334 reply from the SMTP server +that does not contain the mandated blank after that response +code, it will attempt reading from memory location 1, which +will usually lead to a crash. + +The simpler fix would have been to check for four bytes "334 " +instead of three bytes "334" but that would make malformed +replies and those that don't match the expected reply code +indistinguishable. + +CVE: CVE-2025-61962 +Upstream-Status: Backport [https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8] +(cherry picked from commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8) +Signed-off-by: Ankur Tyagi +--- + smtp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/smtp.c b/smtp.c +index 8295c49a..9a89ef09 100644 +--- a/smtp.c ++++ b/smtp.c +@@ -92,6 +92,11 @@ static void SMTP_auth(int sock, char smtp_mode, char *username, char *password, + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + /* (hmh) from64tobits will not NULL-terminate strings! */ + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { +@@ -145,6 +150,11 @@ static void SMTP_auth(int sock, char smtp_mode, char *username, char *password, + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { + SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n")); 
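Review bot: please confirm that the two "p = strchr(tmp, ' ');" sites guarded in SMTP_auth() are the only places in the 6.5.2 smtp.c that do p++ on an unchecked strchr() result; the embedded patch shows the pattern twice and the outer commit message only links the NVD entry, so a sentence saying the rest of the file was checked would document that. Separately, the new "if (!p)" branch prints through report() and then calls SMTP_auth_error(sock, "") with an empty message, while the neighbouring failure path passes its text, GT_("Bad base64 reply from server.\n"), to SMTP_auth_error() directly. That matches the upstream commit named in Upstream-Status, so the backport should stay identical and the inconsistency is a point for upstream.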
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.5.2.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.5.2.bb index c1def016e9..6cb1a52d82 100644 --- a/meta-networking/recipes-support/fetchmail/fetchmail_6.5.2.bb +++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.5.2.bb 
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=46d2874dd6a0c8961d80c805f106a35f" DEPENDS = "openssl" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ + file://CVE-2025-61962.patch \ " SRC_URI[sha256sum] = "8fd0477408620ae382c1d0ef83d8946a95e5be0c2e582dd4ebe55cba513a45fe" From patchwork Mon Jan 5 10:02:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78001 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA736C2A092 for ; Mon, 5 Jan 2026 10:02:49 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.61164.1767607362852507190 for ; Mon, 05 Jan 2026 02:02:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ml+ENXef; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-477632d9326so84332675e9.1 for ; Mon, 05 Jan 2026 02:02:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767607361; x=1768212161; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8lDrR+D4cwUDqqYWDUuEAclzTRddiKF0XAXQUnM1Eo4=; b=ml+ENXefS5D146Il9v4h7NgbrZizsaV6YHwIbBCW68VLEt6a5el3VhI/5Uu+42S2AR l8GHaVP2WtDe+cxxm5Q+TSVzggvF8H0HayJ0X2GADgcFCg2DhB34pV54hYCdUxrByqzT DlQWTAczez1gDkhjoCH4HwllAiIaNOxkzYBmUv9Fbz9mdAwcZ+Q5uCS83ez8g2Q4M9Is qRO1XLZAroqK+9ZJBc311D9aI3ICZz8DiDBzgyuIF7gutRlcCbXORd7HbGc9uXtwtS05 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 03/17] freerdp3: ignore CVE-2025-68118 Date: Mon, 5 Jan 2026 11:02:23 +0100 Message-ID: <20260105100237.3081345-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123134 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118 It is a Windows only vulnerability, ignore it. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/freerdp/freerdp3_3.18.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.18.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.18.0.bb index 02590973f6..6dfa12780a 100644 --- a/meta-oe/recipes-support/freerdp/freerdp3_3.18.0.bb +++ b/meta-oe/recipes-support/freerdp/freerdp3_3.18.0.bb 
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https;tag CVE_PRODUCT = "freerdp" +CVE_STATUS[CVE-2025-68118] = "not-applicable-config: Windows-only vulnerability" PACKAGECONFIG ??= " \ ${@bb.utils.filter('DISTRO_FEATURES', 'pam pulseaudio wayland x11', d)} \ From patchwork Mon Jan 5 10:02:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78002 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB8BDC2A08F for ; Mon, 5 Jan 2026 10:02:49 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.61165.1767607363339860032 for ; Mon, 05 Jan 2026 02:02:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=XSNE/Ufc; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-47a8195e515so83415445e9.0 for ; Mon, 05 Jan 2026 02:02:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767607362; x=1768212162; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jrixbsNbnNJmj6xsKotmWAUWMwXK8gP2m0G3fD9qyZo=; b=XSNE/UfcmnpXRhshQXKUKz7CmlR8VRsTwLuUdRF4QkqULtOrIoI8/KbLDgzxRN4GFA wi8OBL9/SUJYfiDP+dJniSr7STJDuCi8/qyTtZ320myvdvaiTtybP/wCPbg42nT3zXxZ UWZKWXMBERTiNJrPisXC3MSH9c3jhgNaeysJgFOGO3hSYD/OTtBGxR24BR8arl6hVNbc VVfeLAsnXrVp/2pUbVZUeIY0IDRCNXL1EU5d0iuhPtX+T8rg+dx63eBLfskfpom2iSze 
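Review bot: the added CVE_STATUS[CVE-2025-68118] line uses not-applicable-config, but the stated reason, "Windows-only vulnerability", is a platform reason rather than a build-configuration one. not-applicable-platform is the status meant for issues that only affect other platforms; both map to "Ignored" in the CVE report, so the only change is how the exemption is categorised: CVE_STATUS[CVE-2025-68118] = "not-applicable-platform: Windows-only vulnerability".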
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][whinlatter][PATCH 04/17] gimp: patch CVE-2025-14422 Date: Mon, 5 Jan 2026 11:02:24 +0100 Message-ID: <20260105100237.3081345-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123135 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7) Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2025-14422.patch | 66 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 12 ++-- 2 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch new file mode 100644 index 0000000000..420e013916 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch 
@@ -0,0 +1,66 @@ +From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sun, 23 Nov 2025 16:43:51 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273 + +From: Alx Sa + +Resolves #15286 +Adds a check to the memory allocation +in pnm_load_raw () with g_size_checked_mul () +to see if the size would go out of bounds. +If so, we don't try to allocate and load the +image. + +CVE: CVE-2025-14422 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-pnm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c +index 32a33a4..9d349e9 100644 +--- a/plug-ins/common/file-pnm.c ++++ b/plug-ins/common/file-pnm.c +@@ -674,7 +674,7 @@ load_image (GFile *file, + GError **error) + { + GInputStream *input; +- GeglBuffer *buffer; ++ GeglBuffer *buffer = NULL; + GimpImage * volatile image = NULL; + GimpLayer *layer; + char buf[BUFLEN + 4]; /* buffer for random things like scanning */ +@@ -708,6 +708,9 @@ load_image (GFile *file, + g_object_unref (input); + g_free (pnminfo); + ++ if (buffer) ++ g_object_unref (buffer); ++ + if (image) + gimp_image_delete (image); + +@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan, + const Babl *format = NULL; + gint bpc; + guchar *data, *d; ++ gsize data_size; + gushort *s; + gint x, y, i; + gint start, end, scanlines; +@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan, + bpc = 1; + + /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */ +- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc); ++ if (! g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) || ++ ! g_size_checked_mul (&data_size, data_size, info->np) || ++ ! 
g_size_checked_mul (&data_size, data_size, bpc)) ++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value.")); ++ ++ data = g_new (guchar, data_size); + + input = pnmscanner_input (scan); + diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index 9f38cdcd03..f529930dff 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb 
@@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen" GIDOCGEN_MESON_ENABLE_FLAG = "enabled" GIDOCGEN_MESON_DISABLE_FLAG = "disabled" -SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz" -SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch" -SRC_URI += "file://0002-meson.build-reproducibility-fix.patch" -SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch" -SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch" +SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \ + file://0001-gimp-cross-compile-fix-for-bz2.patch \ + file://0002-meson.build-reproducibility-fix.patch \ + file://0001-meson.build-dont-check-for-lgi.patch \ + file://0001-meson.build-require-iso-codes-native.patch \ + file://CVE-2025-14422.patch \ + " SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b" PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib" From patchwork Mon Jan 5 10:02:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78000 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A33B7C2A091 for ; Mon, 5 Jan 2026 10:02:49 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.61166.1767607364034521670 for ; Mon, 05 Jan 2026 02:02:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=dYqBNiRc; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-47bdbc90dcaso88530205e9.1 for ; Mon, 05 Jan 2026 02:02:43 -0800 (PST) 
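Review bot: in the pnm_load_raw () hunk of CVE-2025-14422.patch, the context comment "/* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */" is left directly above the new g_size_checked_mul () chain, where it no longer describes the code, and the overflow path reports _("Unsupported maximum value."), which reads as a maxval problem rather than an image whose buffer size does not fit. The backport should stay identical to the upstream commit named in Upstream-Status; dropping the stale comment and using a size-specific message are changes to propose upstream.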
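Review bot: the gimp_3.0.6.bb hunk rewrites the four existing SRC_URI += lines into one continued SRC_URI = "... \ assignment in the same commit that adds file://CVE-2025-14422.patch, which is why the diffstat shows 5 deletions for a one-patch addition. For a stable-branch CVE fix, a single added line, SRC_URI += "file://CVE-2025-14422.patch", keeps the security change easy to audit; if the reformatting is kept to match the cherry-picked commit, the commit message should say so.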
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][whinlatter][PATCH 05/17] gimp: patch CVE-2025-14423 Date: Mon, 5 Jan 2026 11:02:25 +0100 Message-ID: <20260105100237.3081345-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123136 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14423 Pick the patch referenced by the NVD report. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 6aa5720e76d632f62f53ed7be7fe649138fbd55c) Signed-off-by: Gyorgy Sarvari --- .../gimp/gimp/CVE-2025-14423.patch | 106 ++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 1 + 2 files changed, 107 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch new file mode 100644 index 0000000000..50a0adfe89 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14423.patch 
@@ -0,0 +1,106 @@ +From a83e8c4ad8ffbce40aa9f9a0f49880e802ef7da1 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sun, 23 Nov 2025 04:22:49 +0000 +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28311 + +From: Alx Sa + +Resolves #15292 +The IFF specification states that EHB format images +have exactly 32 colors in their palette. However, it +is possible for images in the wild to place an incorrect +palette size. This patch checks for this, and either limits +the palette size or breaks accordingly. + +CVE: CVE-2025-14423 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-iff.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/plug-ins/common/file-iff.c b/plug-ins/common/file-iff.c +index d144a96..f087947 100644 +--- a/plug-ins/common/file-iff.c ++++ b/plug-ins/common/file-iff.c +@@ -337,7 +337,7 @@ load_image (GFile *file, + width = bitMapHeader->w; + height = bitMapHeader->h; + nPlanes = bitMapHeader->nPlanes; +- row_length = (width + 15) / 16; ++ row_length = ((width + 15) / 16) * 2; + pixel_size = nPlanes / 8; + aspect_x = bitMapHeader->xAspect; + aspect_y = bitMapHeader->yAspect; +@@ -375,6 +375,18 @@ load_image (GFile *file, + { + /* EHB mode adds 32 more colors. 
Each are half the RGB values + * of the first 32 colors */ ++ if (palette_size < 32) ++ { ++ g_set_error (error, G_FILE_ERROR, ++ g_file_error_from_errno (errno), ++ _("Invalid ILBM colormap size")); ++ return NULL; ++ } ++ else if (palette_size > 32) ++ { ++ palette_size = 32; ++ } ++ + for (gint j = 0; j < palette_size * 2; j++) + { + gint offset_index = j + 32; +@@ -386,7 +398,7 @@ load_image (GFile *file, + gimp_cmap[offset_index * 3 + 2] = + colorMap->colorRegister[j].blue / 2; + } +- /* EHB mode always has 64 colors */ ++ /* EHB mode always has 64 colors in total */ + palette_size = 64; + } + } +@@ -447,7 +459,7 @@ load_image (GFile *file, + { + guchar *pixel_row; + +- pixel_row = g_malloc (width * pixel_size * sizeof (guchar)); ++ pixel_row = g_malloc0 (width * pixel_size); + + /* PBM uses one byte per pixel index */ + if (ILBM_imageIsPBM (true_image)) +@@ -459,7 +471,7 @@ load_image (GFile *file, + else + deleave_rgb_row (bitplanes, pixel_row, width, nPlanes, pixel_size); + +- bitplanes += (row_length * 2 * nPlanes); ++ bitplanes += (row_length * nPlanes); + + gegl_buffer_set (buffer, GEGL_RECTANGLE (0, y_height, width, 1), 0, + NULL, pixel_row, GEGL_AUTO_ROWSTRIDE); +@@ -528,7 +540,7 @@ deleave_ham_row (const guchar *gimp_cmap, + /* Deleave rows */ + for (gint i = 0; i < row_length; i++) + { +- for (gint j = 0; j < 8; j++) ++ for (gint j = 0; j < nPlanes; j++) + { + guint8 bitmask = (1 << (8 - j)) - (1 << (7 - j)); + guint8 control = 0; +@@ -590,11 +602,11 @@ deleave_ham_row (const guchar *gimp_cmap, + } + + static void +-deleave_rgb_row (IFF_UByte *bitplanes, +- guchar *pixel_row, +- gint width, +- gint nPlanes, +- gint pixel_size) ++deleave_rgb_row (IFF_UByte *bitplanes, ++ guchar *pixel_row, ++ gint width, ++ gint nPlanes, ++ gint pixel_size) + { + gint row_length = ((width + 15) / 16) * 2; + gint current_pixel = 0; diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index f529930dff..24281e5dfd 100644 
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb 
@@ -62,6 +62,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \ file://0001-meson.build-dont-check-for-lgi.patch \ file://0001-meson.build-require-iso-codes-native.patch \ file://CVE-2025-14422.patch \ + file://CVE-2025-14423.patch \ " SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"

From patchwork Mon Jan 5 10:02:26 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77999
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
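Review bot: In the EHB hunk of CVE-2025-14423.patch (plug-ins/common/file-iff.c, load_image), clamping palette_size to 32 does not bound the copy that follows, because the loop still runs `for (gint j = 0; j < palette_size * 2; j++)`: it reads `colorMap->colorRegister[j]` for j up to 63 and writes gimp_cmap entries up to index 95, although the comment right after says EHB has 64 colors in total. If the intent is 32 half-brightness copies of the first 32 registers, the bound should be `j < palette_size`; otherwise please confirm that both the source color map and gimp_cmap hold that many entries. The new error branch also passes `g_file_error_from_errno (errno)` although nothing in that branch sets errno, so the reported error code is arbitrary.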
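Review bot: In the deleave_ham_row hunk of CVE-2025-14423.patch (plug-ins/common/file-iff.c), the inner loop bound changes from 8 to nPlanes while the mask in the next line is still `(1 << (8 - j)) - (1 << (7 - j))`, so any nPlanes above 8 produces a negative shift count, which is undefined behaviour in C. Please check that nPlanes is validated to be at most 8 before deleave_ham_row is reached, or bound the loop with the smaller of nPlanes and 8.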
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][whinlatter][PATCH 06/17] gimp: patch CVE-2025-14424
Date: Mon, 5 Jan 2026 11:02:26 +0100
Message-ID: <20260105100237.3081345-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
References: <20260105100237.3081345-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123137

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14424

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit b16c1a543ac5e997d6d3aa27978393106d5a8937)
Signed-off-by: Gyorgy Sarvari
--- .../gimp/gimp/CVE-2025-14424.patch | 34 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch new file mode 100644 index 0000000000..e7821d3109 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14424.patch
@@ -0,0 +1,34 @@ +From d30875b606085316b1cb7ac1da0d26e5bac0cf2c Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 13 Nov 2025 18:26:51 -0500 +Subject: [PATCH] app: fix #15288 crash when loading malformed xcf + +From: Jacob Boerema + +ZDI-CAN-28376 vulnerability + +Add extra tests to not crash on a NULL g_class. + +CVE: CVE-2025-14424 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/5cc55d078b7fba995cef77d195fac325ee288ddd] +Signed-off-by: Gyorgy Sarvari +--- + app/core/gimpitemlist.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/app/core/gimpitemlist.c b/app/core/gimpitemlist.c +index 6473938..a431519 100644 +--- a/app/core/gimpitemlist.c ++++ b/app/core/gimpitemlist.c +@@ -345,7 +345,10 @@ gimp_item_list_named_new (GimpImage *image, + g_return_val_if_fail (GIMP_IS_IMAGE (image), NULL); + + for (iter = items; iter; iter = iter->next) +- g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL); ++ { ++ g_return_val_if_fail (iter->data && ((GTypeInstance*) (iter->data))->g_class, NULL); ++ g_return_val_if_fail (g_type_is_a (G_OBJECT_TYPE (iter->data), item_type), NULL); ++ } + + if (! items) + { diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index 24281e5dfd..bc55aed06f 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb 
@@ -63,6 +63,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \ file://0001-meson.build-require-iso-codes-native.patch \ file://CVE-2025-14422.patch \ file://CVE-2025-14423.patch \ + file://CVE-2025-14424.patch \ " SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"

From patchwork Mon Jan 5 10:02:27 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77997
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
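Review bot: In the gimp_item_list_named_new hunk of CVE-2025-14424.patch (app/core/gimpitemlist.c), the new NULL and g_class test is written as `g_return_val_if_fail (...)`, which GLib compiles out when G_DISABLE_CHECKS is defined, so in such a build a malformed XCF reaches `G_OBJECT_TYPE (iter->data)` unguarded exactly as before. Because the condition comes from untrusted file data rather than from a programmer error, an explicit `if` that returns NULL would be more robust than an assertion macro; for this backport, please at least confirm that the recipe does not build GIMP with G_DISABLE_CHECKS.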
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][whinlatter][PATCH 07/17] gimp: patch CVE-2025-14425
Date: Mon, 5 Jan 2026 11:02:27 +0100
Message-ID: <20260105100237.3081345-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
References: <20260105100237.3081345-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123138

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14425

Backport the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 49732c90c0a4e1b3fc3679456ce2bd2819b144d0)
Signed-off-by: Gyorgy Sarvari
--- .../gimp/gimp/CVE-2025-14425.patch | 79 +++++++++++++++++++ meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 1 + 2 files changed, 80 insertions(+) create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch new file mode 100644 index 0000000000..44e9587570 --- /dev/null +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14425.patch
@@ -0,0 +1,79 @@ +From 042e27792026460badbe49664c02fe181e95cb2b Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Wed, 12 Nov 2025 13:25:44 +0000 +Subject: [PATCH] plug-ins: Mitigate ZDI-CAN-28248 for JP2 images + +From: Alx Sa + +Resolves #15285 +Per the report, it's possible to exceed the size of the pixel buffer +with a high precision_scaled value, as we size it to the width * bpp. +This patch includes precision_scaled in the allocation calculation. +It also adds a g_size_checked_mul () check to ensure there's no +overflow, and moves the pixel and buffer memory freeing to occur +in the out section so that it always runs even on failure. + +CVE: CVE-2025-14425 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd] +Signed-off-by: Gyorgy Sarvari +--- + plug-ins/common/file-jp2-load.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/plug-ins/common/file-jp2-load.c b/plug-ins/common/file-jp2-load.c +index 064b616..604313a 100644 +--- a/plug-ins/common/file-jp2-load.c ++++ b/plug-ins/common/file-jp2-load.c +@@ -1045,14 +1045,15 @@ load_image (GimpProcedure *procedure, + GimpColorProfile *profile = NULL; + GimpImage *gimp_image = NULL; + GimpLayer *layer; ++ GeglBuffer *buffer = NULL; ++ guchar *pixels = NULL; ++ gsize pixels_size; + GimpImageType image_type; + GimpImageBaseType base_type; + gint width; + gint height; + gint num_components; +- GeglBuffer *buffer; + gint i, j, k, it; +- guchar *pixels; + const Babl *file_format; + gint bpp; + GimpPrecision image_precision; +@@ -1318,7 +1319,15 @@ load_image (GimpProcedure *procedure, + bpp = babl_format_get_bytes_per_pixel (file_format); + + buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer)); +- pixels = g_new0 (guchar, width * bpp); ++ ++ if (! 
g_size_checked_mul (&pixels_size, width, (bpp * (precision_scaled / 8)))) ++ { ++ g_set_error (error, GIMP_PLUG_IN_ERROR, 0, ++ _("Defined row size is too large in JP2 image '%s'."), ++ gimp_file_get_utf8_name (file)); ++ goto out; ++ } ++ pixels = g_new0 (guchar, pixels_size); + + for (i = 0; i < height; i++) + { +@@ -1344,13 +1353,13 @@ load_image (GimpProcedure *procedure, + gegl_buffer_set (buffer, GEGL_RECTANGLE (0, i, width, 1), 0, + file_format, pixels, GEGL_AUTO_ROWSTRIDE); + } +- +- g_free (pixels); +- +- g_object_unref (buffer); + gimp_progress_update (1.0); + + out: ++ if (pixels) ++ g_free (pixels); ++ if (buffer) ++ g_object_unref (buffer); + if (profile) + g_object_unref (profile); + if (image) diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb index bc55aed06f..fa192555bc 100644 --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb 
@@ -64,6 +64,7 @@ SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \ file://CVE-2025-14422.patch \ file://CVE-2025-14423.patch \ file://CVE-2025-14424.patch \ + file://CVE-2025-14425.patch \ " SRC_URI[sha256sum] = "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b"

From patchwork Mon Jan 5 10:02:28 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78003
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
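Review bot: In the allocation hunk of CVE-2025-14425.patch (plug-ins/common/file-jp2-load.c, load_image), only the outer multiplication is overflow-checked: `bpp * (precision_scaled / 8)` is evaluated with ordinary unchecked arithmetic before `g_size_checked_mul ()` sees it, and `width` is a gint that gets converted to gsize. The integer division also yields 0 for any precision_scaled below 8, which makes pixels_size 0 and `g_new0 (guchar, 0)` return NULL just before the row loop. Suggest rejecting width <= 0 and precision_scaled < 8 up front and chaining two checked multiplications. Minor: `g_free ()` accepts NULL, so the `if (pixels)` guard in the out section is not needed.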
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 08/17] imagemagick: upgrade 7.1.2-8 -> 7.1.2-12
Date: Mon, 5 Jan 2026 11:02:28 +0100
Message-ID: <20260105100237.3081345-8-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
References: <20260105100237.3081345-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123139

Contains fix for CVE-2025-65955 and CVE-2025-69204.

Signed-off-by: Gyorgy Sarvari
--- .../{imagemagick_7.1.2-8.bb => imagemagick_7.1.2-12.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-support/imagemagick/{imagemagick_7.1.2-8.bb => imagemagick_7.1.2-12.bb} (99%) diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-8.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-12.bb similarity index 99% rename from meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-8.bb rename to meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-12.bb index b445ae8f62..b804c64cfb 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-8.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-12.bb
@@ -17,7 +17,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt file://imagemagick-ptest.sh \ " -SRCREV = "a3b13d143fd7dea44cd71d31aa02f411b597688f" +SRCREV = "bdd4fa561d7bf4c6afd40ee9c89e9f9e82b6e88b" inherit autotools pkgconfig update-alternatives ptest

From patchwork Mon Jan 5 10:02:29 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77995
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 09/17] libcoap: ignore CVE-2025-50518
Date: Mon, 5 Jan 2026 11:02:29 +0100
Message-ID: <20260105100237.3081345-9-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
References: <20260105100237.3081345-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123140

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-50518

The vulnerability is disputed by upstream, because the vulnerability
requires a user error, incorrect library usage.

See also an upstream discussion in a related (rejected) PR:
https://github.com/obgm/libcoap/pull/1726

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 598176e1cb6c928e322e26d358e8d01ba9d5af0a)
Signed-off-by: Gyorgy Sarvari
--- meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb index 55c5ed8775..1a8d7ed725 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb
@@ -60,3 +60,5 @@ PACKAGE_BEFORE_PN += "\ FILES:${PN}-bin = "${bindir}" FILES:${PN}-dev += "${datadir}/${BPN}/examples" + +CVE_STATUS[CVE-2025-50518] = "disputed: happens only when library is used incorrectly"

From patchwork Mon Jan 5 10:02:30 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77992
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
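Review bot: The added `CVE_STATUS[CVE-2025-50518]` line in libcoap_4.3.5a.bb carries its rationale only as "happens only when library is used incorrectly"; the NVD link and the upstream PR (https://github.com/obgm/libcoap/pull/1726) that justify the dispute appear only in the commit message. A comment above the assignment pointing at that PR would let someone auditing the recipe re-evaluate the status without digging through git history, and would make the entry easier to drop if upstream changes its position.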
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 10/17] libwebsockets: fix CVE-2025-11677
Date: Mon, 5 Jan 2026 11:02:30 +0100
Message-ID: <20260105100237.3081345-10-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
References: <20260105100237.3081345-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123141

From: Hugo SIMELIERE

Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch

Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a

Signed-off-by: Bruno VERNAY
Signed-off-by: Hugo SIMELIERE
Signed-off-by: Anuj Mittal
(cherry picked from commit da04d7003e65af77667e2c18fa988f0ada62f744)
Signed-off-by: Gyorgy Sarvari
--- .../libwebsockets/CVE-2025-11677.patch | 161 ++++++++++++++++++ .../libwebsockets/libwebsockets_4.3.5.bb | 1 + 2 files changed, 162 insertions(+) create mode 100644 meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch new file mode 100644 index 0000000000..bf11a893f8 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch
@@ -0,0 +1,161 @@ +From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001 +From: Hugo SIMELIERE +Date: Tue, 18 Nov 2025 16:59:22 +0100 +Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library +maintained by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-416: Use After Free | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 6.0 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | 
++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest +software version of libwebsockets, specifically in the WebSocket server +implementation. + +Depending on the use of the API, the vulnerability may allow an attacker +to read or write data, that could cause a loss of integrity or +availability. + +The issue is caused by the `lws_handshake_protocol` function, specifically +when the upgrade header is not valid, the function calls +`lws_http_transaction_completed`, which frees some of the data in the wsi +structure, then it calls `user_callback_handle_rxflow` passing the up +pointer and uses it on following strcasecmp calls. + +From our understanding, for this vulnerability to have a meaningful +impact, a user that implements the Websocket server, must provide a user +callback function which is going to handle +`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing +operations on the up pointer. + +It is possible to compile the minimal websocket server using address +sanitizer, to quickly verify the use after free. + +From our understanding of the code, if the upgrade header does not match +the intended contents, then the code after the if statement when +`lws_http_transaction_completed` is called, should not be executed, thus +simply enclosing all that code in the else branch solves the issue. 
+ +CVE: CVE-2025-11677 +Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a] + +Signed-off-by: Hugo SIMELIERE +--- + lib/roles/http/server/server.c | 58 +++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 29 deletions(-) + +diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c +index 6b132a42..e6d714e3 100644 +--- a/lib/roles/http/server/server.c ++++ b/lib/roles/http/server/server.c +@@ -2375,49 +2375,49 @@ raw_transition: + HTTP_STATUS_FORBIDDEN, NULL) || + lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; +- } +- +- n = user_callback_handle_rxflow(wsi->a.protocol->callback, +- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, +- wsi->user_space, (char *)up, 0); ++ } else { ++ n = user_callback_handle_rxflow(wsi->a.protocol->callback, ++ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, ++ wsi->user_space, (char *)up, 0); + +- /* just hang up? */ ++ /* just hang up? */ + +- if (n < 0) +- goto bail_nuke_ah; ++ if (n < 0) ++ goto bail_nuke_ah; + +- /* callback returned headers already, do t_c? */ ++ /* callback returned headers already, do t_c? 
*/ + +- if (n > 0) { +- if (lws_http_transaction_completed(wsi)) ++ if (n > 0) { ++ if (lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; + +- /* continue on */ ++ /* continue on */ + +- return 0; +- } ++ return 0; ++ } + +- /* callback said 0, it was allowed */ ++ /* callback said 0, it was allowed */ + +- if (wsi->a.vhost->options & +- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && +- lws_confirm_host_header(wsi)) +- goto bail_nuke_ah; ++ if (wsi->a.vhost->options & ++ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && ++ lws_confirm_host_header(wsi)) ++ goto bail_nuke_ah; + +- if (!strcasecmp(up, "websocket")) { ++ if (!strcasecmp(up, "websocket")) { + #if defined(LWS_ROLE_WS) +- lws_metrics_tag_wsi_add(wsi, "upg", "ws"); +- lwsl_info("Upgrade to ws\n"); +- goto upgrade_ws; ++ lws_metrics_tag_wsi_add(wsi, "upg", "ws"); ++ lwsl_info("Upgrade to ws\n"); ++ goto upgrade_ws; + #endif +- } ++ } + #if defined(LWS_WITH_HTTP2) +- if (!strcasecmp(up, "h2c")) { +- lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); +- lwsl_info("Upgrade to h2c\n"); +- goto upgrade_h2c; +- } ++ if (!strcasecmp(up, "h2c")) { ++ lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); ++ lwsl_info("Upgrade to h2c\n"); ++ goto upgrade_h2c; ++ } + #endif ++ } + } + + /* no upgrade ack... he remained as HTTP */ +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb index afe2124f65..0b74adf990 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb 
@@ -10,6 +10,7 @@ SRCREV = "ab9df9cfc39de7a49967f18387b6b76310947442" SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \ file://0001-sll_protocol-may-be-be16.patch \ file://0002-allow-build-with-cmake-4.patch \ + file://CVE-2025-11677.patch \ " UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"
From patchwork Mon Jan 5 10:02:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77996 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
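Review bot: in the lib/roles/http/server/server.c hunk of CVE-2025-11677.patch, the rejected-upgrade branch can now fall through: when the status call ending in `HTTP_STATUS_FORBIDDEN, NULL)` and `lws_http_transaction_completed(wsi)` both return 0, execution skips the new `else` block and continues at `/* no upgrade ack... he remained as HTTP */` on a wsi whose transaction has already been completed. The freed `up` pointer is no longer passed to the `LWS_CALLBACK_HTTP_CONFIRM_UPGRADE` callback or to `strcasecmp` on that path, which is what the fix is for, but please state in the commit message whether continuing as plain HTTP after the 403 is the intended behaviour, or return explicitly from that branch. Since the embedded advisory says the issue is quick to confirm with an AddressSanitizer build of the minimal websocket server, a line saying the backport was checked that way against 4.3.5 would also help.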
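Review bot: the advisory table in the header of CVE-2025-11677.patch gives "Affected version | 4.4", while the recipe being patched is libwebsockets_4.3.5.bb on `branch=v4.3-stable`; please add a line to the commit message confirming that 4.3.5 contains the affected `lws_handshake_protocol` path (the referenced Debian patch is for 4.3.5-1+deb13u1, which suggests it does). The same table labels a `CVSS:4.0/...` vector as "Proposed CVSS v3.1 Vector". Because this header is copied into the layer verbatim, consider trimming it to the description plus the `CVE:` and `Upstream-Status:` lines, or note that the table is quoted as received.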
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 11/17] libwebsockets: fix CVE-2025-11678 Date: Mon, 5 Jan 2026 11:02:31 +0100 Message-ID: <20260105100237.3081345-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123142 From: Hugo SIMELIERE Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Anuj Mittal (cherry picked from commit 5fab8bd31b32892acf3d8b56b240a7958890beac) Signed-off-by: Gyorgy Sarvari --- .../libwebsockets/CVE-2025-11678.patch | 128 ++++++++++++++++++ .../libwebsockets/libwebsockets_4.3.5.bb | 1 + 2 files changed, 129 insertions(+) create mode 100644 meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch new file mode 100644 index 0000000000..3489a7e6a1 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch 
@@ -0,0 +1,128 @@ +From e1d4c32bf773b8cf01eb5e368a4a21679e0b670a Mon Sep 17 00:00:00 2001 +From: Hugo SIMELIERE +Date: Tue, 18 Nov 2025 17:03:33 +0100 +Subject: [PATCH] NN-2025-0103: ADNS crafted response overflow + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library made +by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | Ecostruxure Automation Expert | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-121: Stack-based Buffer Overflow | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 7.5 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | 
++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +**\** + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow" +in the latest software version of libwebsockets, specifically in the +async-dns component. + +The vulnerability allows an attacker that can inspect DNS requests made +by the victim (e.g. being in the same wireless network) to forge a DNS +response packet that overflows the stack and may lead to arbitrary code +execution (depending on the platform and compiler options). + +The issue resides in `lws_adns_parse_label` function in +`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses +a label however it does not correctly check the number of bytes written +in the destination buffer. + +Specifically, the size of the dest output buffer is specified in the `dl` +argument, however during the read of each substring of the label only +the length of the current substring of the label is accounted for not +overflowing the destination buffer, but previous reads are not accounted +for. + +This means that a label of arbitrary size and content can be supplied +and is copied onto the stack, however it must be split into substrings +of size less than `dl`. + +To trigger the vulnerability an attacker must be able to sniff the DNS +request packet to send a response with a matching identifier, otherwise +the implantation correctly ignores the response. + +We have provided a harness for testing, for ease of use copy the harness +in a subdirectory, for example in minimal-examples-lowlevel/api-tests/, +and build it + +``` +cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 +-DCMAKE_C_FLAGS="-fsanitize=address" . 
&& make -C build lws-test-async-dns +``` + +Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof` + +![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png) + +We suggest keeping track of the number of bytes currently written on the +dest buffer, this could be done by saving the original dest pointer, +decrementing dl on each substring memcpy, or using an auxiliary +variable. + +CVE: CVE-2025-11678 +Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a] + +Signed-off-by: Hugo SIMELIERE +--- + lib/system/async-dns/async-dns-parse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c +index bdfe2050..81743b3f 100644 +--- a/lib/system/async-dns/async-dns-parse.c ++++ b/lib/system/async-dns/async-dns-parse.c +@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget, + const uint8_t *e = pkt + len, *ols = ls; + char pointer = 0, first = 1; + uint8_t ll; +- int n; ++ int n, readsize = 0; + + if (budget < 1) + return 0; +@@ -88,7 +88,7 @@ again1: + return -1; + } + +- if ((unsigned int)ll + 2 > dl) { ++ if ((unsigned int)(ll + 2 + readsize) > dl) { + lwsl_notice("%s: qname too large\n", __func__); + + return -1; +@@ -101,6 +101,7 @@ again1: + (*dest)[ll + 1] = '\0'; + *dest += ll + 1; + ls += ll; ++ readsize += ll + 1; + + if (pointer) { + if (*ls) +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb index 0b74adf990..cd69281833 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb 
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3 file://0001-sll_protocol-may-be-be16.patch \ file://0002-allow-build-with-cmake-4.patch \ file://CVE-2025-11677.patch \ + file://CVE-2025-11678.patch \ " UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"
From patchwork Mon Jan 5 10:02:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77993 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
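Review bot: in the lib/system/async-dns/async-dns-parse.c hunks of CVE-2025-11678.patch, the new bound `(unsigned int)(ll + 2 + readsize) > dl` is only sound if `readsize` follows every advance of `*dest`; the visible lines pair `*dest += ll + 1` with `readsize += ll + 1` at one site, so please confirm that no other statement in `lws_adns_parse_label` moves `*dest` between passes through `again1:`. Decrementing `dl` next to the copy, one of the options the advisory text itself lists, would keep the check in its original `ll + 2 > dl` form and avoid a second counter that has to stay in step. A regression test that feeds a multi-label name whose total length exceeds `dl` would be a useful addition, since the harness and the `poc_stackbof` input mentioned in the header are not part of this patch.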
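Review bot: the header table of CVE-2025-11678.patch lists "Affected component | Ecostruxure Automation Expert", which reads as a leftover from a different advisory, since the description and the fix concern the libwebsockets async-dns parser. It also gives "Affected version | 4.4" for a 4.3.5 recipe and labels a `CVSS:4.0/...` vector as v3.1. The header further references `./NN-2025-0103_image.png` and a test harness that are not shipped with the patch, and carries a stray `**\**` line. Please trim the header to the description plus the `CVE:` and `Upstream-Status:` lines and state in the commit message that 4.3.5 is affected.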
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 12/17] openvpn: upgrade 2.6.16 -> 2.6.17 Date: Mon, 5 Jan 2026 11:02:32 +0100 Message-ID: <20260105100237.3081345-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123143 Contains fix for CVE-2025-13751 Signed-off-by: Gyorgy Sarvari --- .../openvpn/{openvpn_2.6.16.bb => openvpn_2.6.17.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-support/openvpn/{openvpn_2.6.16.bb => openvpn_2.6.17.bb} (98%) diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.17.bb similarity index 98% rename from meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb rename to meta-networking/recipes-support/openvpn/openvpn_2.6.17.bb index 88f564313f..c454a93276 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.17.bb 
@@ -15,7 +15,7 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[sha256sum] = "05cb5fdf1ea33fcba719580b31a97feaa019c4a3050563e88bc3b34675e6fed4" +SRC_URI[sha256sum] = "4cc8e63f710d3001493b13d8a32cf22a214d5e4f71dd37d93831e2fd3208b370" CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
From patchwork Mon Jan 5 10:02:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78004 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
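Review bot: the `SRC_URI` shown in the context of the openvpn_2.6.17.bb hunk still fetches `${BP}.tar.gz` from `http://swupdate.openvpn.org/...` over plain HTTP, so the updated `SRC_URI[sha256sum]` is the only integrity check on the 2.6.17 tarball. Please say in the commit message where the new checksum was taken from, and consider moving the URL to https in a follow-up if the host serves it. The message names CVE-2025-13751 but, unlike the php and postgresql upgrades in this series, gives no changelog link.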
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 13/17] php: upgrade 8.4.15 -> 8.4.16 Date: Mon, 5 Jan 2026 11:02:33 +0100 Message-ID: <20260105100237.3081345-13-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com> References: <20260105100237.3081345-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 10:02:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123144 This is a bugfix release, containing fixes for CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180. Changelog: https://www.php.net/ChangeLog-8.php#8.4.16 Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-devtools/php/{php_8.4.15.bb => php_8.4.16.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-devtools/php/{php_8.4.15.bb => php_8.4.16.bb} (99%) diff --git a/meta-oe/recipes-devtools/php/php_8.4.15.bb b/meta-oe/recipes-devtools/php/php_8.4.16.bb similarity index 99% rename from meta-oe/recipes-devtools/php/php_8.4.15.bb rename to meta-oe/recipes-devtools/php/php_8.4.16.bb index 629eef0519..870cb663e6 100644 --- a/meta-oe/recipes-devtools/php/php_8.4.15.bb +++ b/meta-oe/recipes-devtools/php/php_8.4.16.bb
@@ -32,7 +32,7 @@ UPSTREAM_CHECK_REGEX = "releases/tag/php-(?P\d+(\.\d+)+)" S = "${UNPACKDIR}/php-${PV}" -SRC_URI[sha256sum] = "b7155bdd498d60d63e4bc320dc224863976d31b5bd9339699726c961255a3197" +SRC_URI[sha256sum] = "6c48c65eba6a2f7a102925d08772239b1f45110aed2187fdd81b933ed439c692" CVE_STATUS_GROUPS += "CVE_STATUS_PHP" CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
From patchwork Mon Jan 5 10:02:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78005 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
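Review bot: not introduced by this upgrade, but the trailing context of the php_8.4.16.bb hunk shows `CVE_STATUS_PHP[status] = "fixed-version: ..."` with a reason that describes a product-name collision with github.com/emlog/emlog; that rationale matches a `cpe-incorrect` status rather than `fixed-version`, so a follow-up correcting the status would keep the cve-check report accurate. For the upgrade itself, stating where the new `SRC_URI[sha256sum]` was taken from would complete the commit message.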
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 14/17] postgresql: upgrade 17.6 -> 17.7
Date: Mon, 5 Jan 2026 11:02:34 +0100
Message-ID: <20260105100237.3081345-14-skandigraun@gmail.com>
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123145

It contains fixes for CVE-2025-12817 and CVE-2025-12818.

Changelog: https://www.postgresql.org/docs/release/17.7/

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 8217b90e941619820c88dbdb4db5e35d171a4157)
Signed-off-by: Gyorgy Sarvari
--- ...0003-configure.ac-bypass-autoconf-2.69-version-check.patch | 2 +- .../postgresql/{postgresql_17.6.bb => postgresql_17.7.bb} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename meta-oe/recipes-dbs/postgresql/{postgresql_17.6.bb => postgresql_17.7.bb} (69%) diff --git a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch index 95070b98c5..ce19bacc47 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -18,7 +18,7 @@ index 642dbde..af37179 100644 +++ b/configure.ac
@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [17.6], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [17.7], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_17.6.bb b/meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb similarity index 69% rename from meta-oe/recipes-dbs/postgresql/postgresql_17.6.bb rename to meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb index 9ddb40fefa..81b096194c 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_17.6.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_17.7.bb 
@@ -12,6 +12,6 @@ SRC_URI += "\ file://0001-tcl.m4-Recognize-tclsh9.patch \ " -SRC_URI[sha256sum] = "e0630a3600aea27511715563259ec2111cd5f4353a4b040e0be827f94cd7a8b0" +SRC_URI[sha256sum] = "ef9e343302eccd33112f1b2f0247be493cb5768313adeb558b02de8797a2e9b5" -CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it." +CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Doesn't apply to our configuration of postgresql so we can safely ignore it."
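Review bot: In the 0003-configure.ac-bypass-autoconf-2.69-version-check.patch hunk, the only change is the AC_INIT context line moving from [17.6] to [17.7], so this local patch needs a manual refresh on every PostgreSQL bump because the version string sits inside its context. Since the patch removes upstream's m4_fatal guard against untested autoconf versions, state in the commit message that the refresh was context-only and that the patch applies to 17.7 without fuzz, so the bypass is re-checked on each upgrade rather than carried forward unexamined.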
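Review bot: The CVE_STATUS[CVE-2017-8806] line in postgresql_17.7.bb has its typos fixed, but the reason still says only that the CVE does not apply to "our configuration" without naming the setting or build option that makes it inapplicable, so the exemption cannot be re-validated if the configuration changes. Name that option in the status string, and mention the wording fix in the commit message, which currently describes only the 17.6 -> 17.7 upgrade and the two CVEs it fixes.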
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 15/17] python3-configobj: ignore CVE-2023-26112
Date: Mon, 5 Jan 2026 11:02:35 +0100
Message-ID: <20260105100237.3081345-15-skandigraun@gmail.com>
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123146

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

The used version (5.0.9) contains the fix[1] already - ignore the CVE.

[1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5

Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-configobj_5.0.9.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-configobj_5.0.9.bb b/meta-python/recipes-devtools/python/python3-configobj_5.0.9.bb index bd4764f4de..4b9d4eae6d 100644 --- a/meta-python/recipes-devtools/python/python3-configobj_5.0.9.bb +++ b/meta-python/recipes-devtools/python/python3-configobj_5.0.9.bb
@@ -13,3 +13,5 @@ RDEPENDS:${PN} += " \ python3-pprint \ python3-six \ " + +CVE_STATUS[CVE-2023-26112] = "fixed-version: the recipe version (5.0.9) contains the fix already"
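Review bot: The added CVE_STATUS[CVE-2023-26112] string justifies fixed-version by quoting the recipe's current version (5.0.9), which will read as stale after the next upgrade, and it omits the upstream fix reference that the commit message gives as [1]. Reword the reason to say where the fix landed, for example by citing commit 7c618b0bbaff6ecaca51a6f05b29795d1377a4a5, so the exemption can be audited from the recipe alone.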
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 16/17] python3-django: upgrade 4.2.26 -> 4.2.27
Date: Mon, 5 Jan 2026 11:02:36 +0100
Message-ID: <20260105100237.3081345-16-skandigraun@gmail.com>
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123147

Contains fix for CVE-2025-13372 and CVE-2025-64460

Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit fae6fe9b4156fae7696a7978700c823f414da8f7)
Signed-off-by: Gyorgy Sarvari
--- .../{python3-django_4.2.26.bb => python3-django_4.2.27.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-django_4.2.26.bb => python3-django_4.2.27.bb} (79%) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.26.bb b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb similarity index 79% rename from meta-python/recipes-devtools/python/python3-django_4.2.26.bb rename to meta-python/recipes-devtools/python/python3-django_4.2.27.bb index ea790e4b7f..86425ca724 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.26.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.27.bb
@@ -1,7 +1,7 @@ require python3-django.inc inherit python_setuptools_build_meta -SRC_URI[sha256sum] = "9398e487bcb55e3f142cb56d19fbd9a83e15bb03a97edc31f408361ee76d9d7a" +SRC_URI[sha256sum] = "b865fbe0f4a3d1ee36594c5efa42b20db3c8bbb10dff0736face1c6e4bda5b92" RDEPENDS:${PN} += "\ python3-sqlparse \
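Review bot: The one changed line, SRC_URI[sha256sum] in python3-django_4.2.27.bb, is the only integrity pin for the new source archive, and neither the hunk nor the commit message says where the new digest came from. Confirm it against the digest upstream publishes for the 4.2.27 release rather than a value computed from a local download, and record that in the commit message.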
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 17/17] python3-django: upgrade 5.2.8 -> 5.2.9
Date: Mon, 5 Jan 2026 11:02:37 +0100
Message-ID: <20260105100237.3081345-17-skandigraun@gmail.com>
In-Reply-To: <20260105100237.3081345-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123148

Includes fix for CVE-2025-13372 and CVE-2025-64460

Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 2538918df1826b965215e0441c7aa6d0958f1911)
Signed-off-by: Gyorgy Sarvari
--- .../python/{python3-django_5.2.8.bb => python3-django_5.2.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-django_5.2.8.bb => python3-django_5.2.9.bb} (60%) diff --git a/meta-python/recipes-devtools/python/python3-django_5.2.8.bb b/meta-python/recipes-devtools/python/python3-django_5.2.9.bb similarity index 60% rename from meta-python/recipes-devtools/python/python3-django_5.2.8.bb rename to meta-python/recipes-devtools/python/python3-django_5.2.9.bb index f205b5b247..c0aff44a78 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.2.8.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.2.9.bb @@ -1,7 +1,7 @@ require python3-django.inc inherit python_setuptools_build_meta -SRC_URI[sha256sum] = "23254866a5bb9a2cfa6004e8b809ec6246eba4b58a7589bc2772f1bcc8456c7f" +SRC_URI[sha256sum] = "16b5ccfc5e8c27e6c0561af551d2ea32852d7352c67d452ae3e76b4f6b2ca495" RDEPENDS:${PN} += "\ python3-sqlparse \