From patchwork Wed Jan 7 08:08:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78136 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE992CF6C0D for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1453.1767773363479994316 for ; Wed, 07 Jan 2026 00:09:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=r+0b6Fsn; spf=pass (domain: smile.fr, ip: 209.85.128.52, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-4779cb0a33fso19132635e9.0 for ; Wed, 07 Jan 2026 00:09:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773362; x=1768378162; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=W2h3m2Rku7a5s3v2e8aONDlqWcxyMQ4RH1rnZ71qmzY=; b=r+0b6FsnPuVQfXvfg54+JJpDJsgg7ZPpioDZkvpjVJssGEHHUtxrP1+DnkdK0+IoE3 GnS6hMhUSsSuy6HUumCDZPtXqjCR0uxOroDOVuEnXyOx+HTrc02kOSFkjAD8Y74B2cga sWEtImRT8SQrhUDN3NJldtmbXfnQwW8GwHQJA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773362; x=1768378162; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=W2h3m2Rku7a5s3v2e8aONDlqWcxyMQ4RH1rnZ71qmzY=; b=gftAKZCrLSNcGqEwLegfZV9Cv+/wZjehES1tqa4dGMGEQMyOdXVeg62AHFlYbYWj0R 3zR4BgtjAvs8gctEYCT72jMDM9ThLcAB7nqlkCNMI96JToalnb9ZGBQXTJ/UV4JNeWtw nObp1VUmnok4nntvQhb+JrTwy0W0QfBIuJ+QZ2sn8t30D4kpFgp1jiYVTj//IuHzCDA/ HYlO3yAdeQikkef9IM9EPTjqVI7RYjw1XtBnKGFmRv2N+9ITvVJ3+ojEW8F9Yb2R43KZ BOyGdO7EhxOk6zR/J57q/g8mzOumDHmFDFggqrtKXOaSNgNqqAmiu4H67PTwKwtYyMLA ozlg== X-Gm-Message-State: AOJu0YwaE5/Xg/of2AwUqaQcMni2lenDaOSZkuQ/ym6xRztO74zFDxXD CAW5687AELYCdYeVKPrfNzDhzBLPsgIarqfq2RizENcKCU/DSYF5cDprXq7oHoOCY3eWzKuUYIy yFfmI X-Gm-Gg: AY/fxX5o1pwARwl9BGpBvNkVQGdbNuiJMO06rkareLQZ82kZCBQqNs0b19KsH05C4ME YRpuZ+1xvj3s2MW8zVsq5Olhw5jK0M5rDTUR96aB4RnxtpN79icyZ4XEhAq5y4/uEa19I3ax0p1 9lAAy6eSfzPCHorplBw57mVqAMx5tD+ZAEXA5DP8z8JfEV9FpOh1kJ9P+7fagDoAx8TAvySnIiQ 5/CtuEgew9Ec/mEBspZV9GnUfFZOpBA/Wqe9qQS81h0yB+6lll1wy4/Vxa8kWof0InZ1tdqmODd j/Xnh9nj9FjAb2APTNWMmIvvtv0TwZkMuF9usj46X+mSyAAb3uJT6lwDS0I7BZrCPvjrCL23k5g yO/bEN43m1gwwtcUwkMgrE+H70s93/kKZMDFyXjVRTIR88AY3ZaEpcC6vupkyREAwcff6J/uHZf w552AYdUNmP5tYOzml6M+dFtCxt2wefZBA8m6BBFVtIgQR3lrLELx8KmTc5tZ3k9sm3LB3smxGD XM3ucOaTVIbtW8= X-Google-Smtp-Source: AGHT+IE2ch1jK03rwQQVt4H7AFAHU5jqrD4jxAgFSWaVxCopjiQV/Ex4gn0wuYQ9LsxbidqIMCu5VQ== X-Received: by 2002:a05:600c:3b15:b0:477:c71:1fc1 with SMTP id 5b1f17b1804b1-47d84b33ba2mr14393185e9.19.1767773361524; Wed, 07 Jan 2026 00:09:21 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:21 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 01/11] dropbear: patch CVE-2019-6111 Date: Wed, 7 Jan 2026 09:08:50 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228948 From: Peter Marko Pick patch mentioning this CVE number. Signed-off-by: Peter Marko --- .../dropbear/dropbear/CVE-2019-6111.patch | 157 ++++++++++++++++++ .../recipes-core/dropbear/dropbear_2025.88.bb | 1 + 2 files changed, 158 insertions(+) create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch b/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch new file mode 100644 index 0000000000..3ad968aa78 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch @@ -0,0 +1,157 @@ +From 48a17cff6aa104b8e806ddb2191f83f1024060f1 Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Tue, 9 Dec 2025 22:59:19 +0900 +Subject: [PATCH] scp CVE-2019-6111 fix + +Cherry-pick from OpenSSH portable + +391ffc4b9d31 ("upstream: check in scp client that filenames sent during") + +upstream: check in scp client that filenames sent during + +remote->local directory copies satisfy the wildcard specified by the user. + +This checking provides some protection against a malicious server +sending unexpected filenames, but it comes at a risk of rejecting wanted +files due to differences between client and server wildcard expansion rules. + +For this reason, this also adds a new -T flag to disable the check. + +reported by Harry Sintonen +fix approach suggested by markus@; +has been in snaps for ~1wk courtesy deraadt@ + +CVE: CVE-2019-6111 +Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/48a17cff6aa104b8e806ddb2191f83f1024060f1] +Signed-off-by: Peter Marko +--- + src/scp.c | 38 +++++++++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 9 deletions(-) + +diff --git a/src/scp.c b/src/scp.c +index 384f2cb..bf98986 100644 +--- a/src/scp.c ++++ b/src/scp.c +@@ -76,6 +76,8 @@ + #include "includes.h" + /*RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");*/ + ++#include ++ + #include "atomicio.h" + #include "compat.h" + #include "scpmisc.h" +@@ -291,14 +293,14 @@ void verifydir(char *); + + uid_t userid; + int errs, remin, remout; +-int pflag, iamremote, iamrecursive, targetshouldbedirectory; ++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory; + + #define CMDNEEDS 64 + char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ + + int response(void); + void rsource(char *, struct stat *); +-void sink(int, char *[]); ++void sink(int, char *[], const char *); + void source(int, char *[]); + void tolocal(int, char *[]); + void toremote(char *, int, char *[]); +@@ -325,8 +327,8 @@ main(int argc, char **argv) + args.list = NULL; + addargs(&args, "%s", ssh_program); + +- fflag = tflag = 0; +- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1) ++ fflag = Tflag = tflag = 0; ++ while ((ch = getopt(argc, argv, "dfl:prtTvBCc:i:P:q1246S:o:F:")) != -1) + switch (ch) { + /* User-visible flags. */ + case '1': +@@ -389,9 +391,12 @@ main(int argc, char **argv) + setmode(0, O_BINARY); + #endif + break; ++ case 'T': ++ Tflag = 1; ++ break; + default: + usage(); +- } ++ } + argc -= optind; + argv += optind; + +@@ -409,7 +414,7 @@ main(int argc, char **argv) + } + if (tflag) { + /* Receive data. */ +- sink(argc, argv); ++ sink(argc, argv, NULL); + exit(errs != 0); + } + if (argc < 2) +@@ -589,7 +594,7 @@ tolocal(int argc, char **argv) + continue; + } + xfree(bp); +- sink(1, argv + argc - 1); ++ sink(1, argv + argc - 1, src); + (void) close(remin); + remin = remout = -1; + } +@@ -822,7 +827,7 @@ bwlimit(int amount) + } + + void +-sink(int argc, char **argv) ++sink(int argc, char **argv, const char *src) + { + static BUF buffer; + struct stat stb; +@@ -836,6 +841,7 @@ sink(int argc, char **argv) + off_t size, statbytes; + int setimes, targisdir, wrerrno = 0; + char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; ++ char *src_copy = NULL, *restrict_pattern = NULL; + struct timeval tv[2]; + + #define atime tv[0] +@@ -857,6 +863,17 @@ sink(int argc, char **argv) + (void) atomicio(vwrite, remout, "", 1); + if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode)) + targisdir = 1; ++ if (src != NULL && !iamrecursive && !Tflag) { ++ /* ++ * Prepare to try to restrict incoming filenames to match ++ * the requested destination file glob. ++ */ ++ if ((src_copy = strdup(src)) == NULL) ++ fatal("strdup failed"); ++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) { ++ *restrict_pattern++ = '\0'; ++ } ++ } + for (first = 1;; first = 0) { + cp = buf; + if (atomicio(read, remin, cp, 1) != 1) +@@ -939,6 +956,9 @@ sink(int argc, char **argv) + run_err("error: unexpected filename: %s", cp); + exit(1); + } ++ if (restrict_pattern != NULL && ++ fnmatch(restrict_pattern, cp, 0) != 0) ++ SCREWUP("filename does not match request"); + if (targisdir) { + static char *namebuf = NULL; + static size_t cursize = 0; +@@ -977,7 +997,7 @@ sink(int argc, char **argv) + goto bad; + } + vect[0] = xstrdup(np); +- sink(1, vect); ++ sink(1, vect, src); + if (setimes) { + setimes = 0; + if (utimes(vect[0], tv) < 0) diff --git a/meta/recipes-core/dropbear/dropbear_2025.88.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb index 72a886d907..05af557b21 100644 --- a/meta/recipes-core/dropbear/dropbear_2025.88.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb @@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.default \ file://0001-Fix-proxycmd-without-netcat.patch \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://CVE-2019-6111.patch \ " SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4" From patchwork Wed Jan 7 08:08:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78127 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 85F99C47BEB for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1454.1767773364221930745 for ; Wed, 07 Jan 2026 00:09:24 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=nEe1hvtJ; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-4779cb0a33fso19132825e9.0 for ; Wed, 07 Jan 2026 00:09:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773362; x=1768378162; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WdPepPcXhlJEvLdPmGaACpckngCTfQ/YxqWhyLQ78cI=; b=nEe1hvtJzOzkKVQmlS0IvgiKQhMHb3b4SsfzHVOap8xYtbVehVXnHz2DcjXLxVlJVR N7LnNA92Oe9qHEDwRQdRT0EIDnrCgFDiCgkqssTYrXoB4G8nvHalmBj+fkWx9+D1g8ND m5IrTYmvCbU+4ZsWLsEc4cqzvUV3Pov+iIgmY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773362; x=1768378162; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=WdPepPcXhlJEvLdPmGaACpckngCTfQ/YxqWhyLQ78cI=; b=eB4kzEx3w+Ku4zcs8dIHRXMbtXVpGx6PUAwKdZBvlT0JZ/z5fCtY9tI+ReQ9xZ+lCN fpp2k5F1AnabXBUcZDUGGPr9XIIyO8+IZeYy9wK3bA5L9fJytAOeaBsPRo+OtN3MRAnw Oe6OfQdFfBzpaNkYzUPDPdrH49JBrkphjlAPw4DJEBWmWbzStN/93/AtC5KnkW75mfU8 TkhAzdWhxRX+LGQiOxSntjRrnGJ6AAlOGRUbVUnhPLSQd1LkVbHzfpfx8bOLGj+Yxvt5 A7aDE7JR15l/K4PPM9XYK3+oxYcnNV7Q73IqFHuJRtxYbh2ODr3VUeotuY7v8eSGbm/c j/PQ== X-Gm-Message-State: AOJu0YxcBYlPox/curmm95EG3mRc9njdU0wrvzA48pbRK/+TH7da7gTC 2m+bcOHU+yiV2Q9VKfIp8gd8DXVRJ782gccLc6g/37arGXzv7X1fDklS4/TE4VW0RqXLrgTV50z 0dc+L X-Gm-Gg: AY/fxX68lfcut95ZkJXuQuVXRFIeksiIlUCTBUoMyCyJLW5Z09zr3fnOHvXuYygGJ/c XSYPVgI/W6B1aB/Rl7gHi4HawM5Z23a56KS/qujsMq0I1MHsawejI5hrzTexCWdNUbvxpdKOIQr nmS6eZXWN41CPqANyqJYuSOYagG50PCgpJq9CkS0Ue7yZX5ugmmIedLj7ECoIv0yZ3CSRW5X5mU +Kz0jqxRc4WwZa0vL+ExbiAIF8YXIIx3csaeQeE2NPhhYYItmjxTOzqUTi2kZRKLAQMubwXt/kZ 76mqrOGsU2uA2AKVcLU1K6eCYJcWH+va+GNX1QvQAMTGZo5wAirRgd84UpN6KYq80NUNGsKlEt8 a0x1MD2ZYhmXmvBVws6oAoKaHlErZW6OIujya/ViwF1YFUFpRfj0hdkewUzrnjlk7tFgzuzWUx+ LInD1FNFUNlODCIXrNx5xnCXGY/6c5tE2pfL9xW4kHUecB9pRPAm2I0dIb7B4oNxof3SoVS7dgw HPewm20ocxR7p0= X-Google-Smtp-Source: AGHT+IHcv7Tzu5rNc7gh+VDJgm5ktz/V9guVz68UyOCD9NZBfYSFVaBjpm3yuLr5my5KQE5FmNUd7A== X-Received: by 2002:a05:600c:5298:b0:47d:6140:3284 with SMTP id 5b1f17b1804b1-47d84b40804mr13950835e9.37.1767773362452; Wed, 07 Jan 2026 00:09:22 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:21 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 02/11] sqlite3: mark CVE-2025-29087 as patched Date: Wed, 7 Jan 2026 09:08:51 +0100 Message-ID: <1e2f28b83164f793459838edca8431dfe7b831d7.1767772757.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228949 From: Peter Marko Description of CVE-2025-29087 and CVE-2025-3277 are very similar. There is no link from NVD, but [1] and [2] from Debian mark these two CVEs as duplicates with the same link for patch. [1] https://security-tracker.debian.org/tracker/CVE-2025-29087 [2] https://security-tracker.debian.org/tracker/CVE-2025-3277 Signed-off-by: Peter Marko --- meta/recipes-support/sqlite/files/CVE-2025-3277.patch | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/sqlite/files/CVE-2025-3277.patch b/meta/recipes-support/sqlite/files/CVE-2025-3277.patch index a3e28465f5..625cf29d3e 100644 --- a/meta/recipes-support/sqlite/files/CVE-2025-3277.patch +++ b/meta/recipes-support/sqlite/files/CVE-2025-3277.patch @@ -7,6 +7,7 @@ Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5 CVE: CVE-2025-3277 +CVE: CVE-2025-29087 Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f4fc2ee20311a0a5141726c71d318ab52001c974] Signed-off-by: Ankur Tyagi From patchwork Wed Jan 7 08:08:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78135 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD6B8CF6C08 for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1502.1767773365262663618 for ; Wed, 07 Jan 2026 00:09:25 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=DSv7USjp; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-477563e28a3so3891525e9.1 for ; Wed, 07 Jan 2026 00:09:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773363; x=1768378163; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6LAwawHyEfUaFztaVFVKhb6cWIXiDJfucWeGQke472M=; b=DSv7USjpPtEa7NbsMNWO1mq0miM/Zzdh9riuTmZFsEuWEhvzi52QjPM66HJFLj31Jd 4CC+ebQKkXbIZR1dUm+MbFG9iaQxxytt/UknMVpqBx9x7pW/t/RC6wWBEZIdOk54kiLJ k9dc6YidiccMbjV1k+mOgZwcXB9k3BXWqwuok= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773363; x=1768378163; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=6LAwawHyEfUaFztaVFVKhb6cWIXiDJfucWeGQke472M=; b=DY2DNzpN7VOxvR/TfPFEyNizJOAnUJMPp0tKA8Tv0n9XXfroPrsO0al+mIYDaCkGTA jZFPe0L1+5OrXbzOC/zBmdW4Rh12gFrGgoG+Px7vX3/ViNQTjve4jZFYXAXloqrFWF6I n2T0AUPwaicZDST5N3iE7XZei7R5PA6Wr5BptKbeDWBUPslYjXNdDXe2XWNy9xYO17Oa 1neumkYQQPV3W9K00NgE5h1kuZMkLoL38YRomzWs85xuZ//s22GfMHIr00vpvIX0wcIG VGY2Nqfqts5Qezj8yWV8HqEo0VPkK8APflQBlteduqVE9/TRd9LzRm46D9XEC/UCKTvZ aHJQ== X-Gm-Message-State: AOJu0YyZ8zwrpomY/bkxEKLKv8tE/TCuu2qUEU+ytEbqKA4T4L/Cnm/u vFXm9viow0UA9TmmJwpJ53R5ssRgkJoWxFhBRuyDpYvoFI1jVhIkddu3L7mZaKwOJjlnjXPXCfl BZr7G X-Gm-Gg: AY/fxX4JniEPyBmPAHe+Drku89dUoClnwpur2dHr/qMWebm1T8j6ArUvl/H/jiDBpBa cwG9n5sN+niAsVMAXR8TcjbaobhuXrelAxC4zKl0j25y9FGbvpM2i0rpi1cJKV7fl3sV04UqyHJ 8qdDa82Z78pTBGxu+/+eixnWEjsnWPtHYo1DcYu5nCi5FB6auT5rZ93yaAtc7xUtAkzQ78+CmOu 1EsedLlIOxWHWIJwGFxHRdDwjQTQg/GbPTbFUYHoZCsz5mXTsCosCg7mwCt/rmncsl23EMdD1Z9 4SsVI6M7IiydHHj4FwMTL4czQaDPIeaizSRjCQondVOc2yZXU9kNgZydQsvtAM3G1TFP8pXwFl3 O5X2rHV81XxQuAZmAsP1kX5sQNqXAj8lKj87S86H+S5A0ZBUx1vrKtGZBWBKoMaEBHHY1D3Cgjb j/rYlThhSVcAaCypmi8niz5xcvApGtPBLWnE4ThAJOz1GSSgr9bRp3lWYNRgkXcuSDCjOVM7pOb UxcEq1aAG9B4sPR2mhRe8oqCg== X-Google-Smtp-Source: AGHT+IFmxbAqgzGLOgUesBYgyRisF6aec3ieHkR8I1VusW0JI6cA6P1TGhZSBHEhLvkAGSErRD80lw== X-Received: by 2002:a05:600c:5916:b0:475:d7fd:5c59 with SMTP id 5b1f17b1804b1-47d81810b1fmr39390845e9.16.1767773363381; Wed, 07 Jan 2026 00:09:23 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:22 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 03/11] python3-urllib3: patch CVE-2025-66418 Date: Wed, 7 Jan 2026 09:08:52 +0100 Message-ID: <7e26c0c838e4461885e851c1ac4115f7f39635b2.1767772757.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228950 From: Peter Marko Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66418 Signed-off-by: Peter Marko --- .../python3-urllib3/CVE-2025-66418.patch | 74 +++++++++++++++++++ .../python/python3-urllib3_2.5.0.bb | 4 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch new file mode 100644 index 0000000000..71fc44e4f9 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch @@ -0,0 +1,74 @@ +From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:41:33 +0200 +Subject: [PATCH] Merge commit from fork + +* Add a hard-coded limit for the decompression chain + +* Reuse new list + +CVE: CVE-2025-66418 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8] +Signed-off-by: Peter Marko +--- + changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++ + src/urllib3/response.py | 12 +++++++++++- + test/test_response.py | 10 ++++++++++ + 3 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst + +diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst +new file mode 100644 +index 00000000..6646eaa3 +--- /dev/null ++++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst +@@ -0,0 +1,4 @@ ++Fixed a security issue where an attacker could compose an HTTP response with ++virtually unlimited links in the ``Content-Encoding`` header, potentially ++leading to a denial of service (DoS) attack by exhausting system resources ++during decoding. The number of allowed chained encodings is now limited to 5. +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index 4ba42136..069f726c 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -220,8 +220,18 @@ class MultiDecoder(ContentDecoder): + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes: str) -> None: +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self) -> bytes: + return self._decoders[0].flush() +diff --git a/test/test_response.py b/test/test_response.py +index 9592fdd9..d824ae70 100644 +--- a/test/test_response.py ++++ b/test/test_response.py +@@ -584,6 +584,16 @@ class TestResponse: + assert r.read(9 * 37) == b"foobarbaz" * 37 + assert r.read() == b"" + ++ def test_read_multi_decoding_too_many_links(self) -> None: ++ fp = BytesIO(b"foo") ++ with pytest.raises( ++ DecodeError, match="Too many content encodings in the chain: 6 > 5" ++ ): ++ HTTPResponse( ++ fp, ++ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"}, ++ ) ++ + def test_body_blob(self) -> None: + resp = HTTPResponse(b"foo") + assert resp.data == b"foo" diff --git a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb index 62fdf8e345..c39e9676e8 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb @@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbf inherit pypi python_hatchling +SRC_URI += "\ + file://CVE-2025-66418.patch \ +" + DEPENDS += "python3-hatch-vcs-native" PACKAGECONFIG ??= "" From patchwork Wed Jan 7 08:08:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78138 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CCF0CCF6C0A for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1455.1767773366839479881 for ; Wed, 07 Jan 2026 00:09:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=n6fpZSE8; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-47d1d8a49f5so11614625e9.3 for ; Wed, 07 Jan 2026 00:09:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773365; x=1768378165; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZHafy9j+mZ0MzYgcmymxBohQ4/HzrCMk0FMd5B0Q9qI=; b=n6fpZSE8oSNEWb0lylh6bSfRP9BrEWe9T+MaJNUXAmEi9iKrUt8sGi/P1PmaiICJHM EE2hMHrm7f45Dvcdll0MQL7rXld7PFdKWukyqlvDaVyK1JJJmHw4hzzyNImPByhnA1+R DVVfPTSn+I7RMoqtfGqSUSWF0UPLR3kPGAkAs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773365; x=1768378165; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ZHafy9j+mZ0MzYgcmymxBohQ4/HzrCMk0FMd5B0Q9qI=; b=neiI/TcyS3EP2tv5H0/e0XyvVmqYP5YIsDWGOu4T7Ul+8J0+G1q8mAMlV36Uoh5iyh jMMIfrsXDlNshKrt9j7+WRdNzn34kkh+XMQmlH4WBKbV3A+YBTxQXtNOq+i5GwqH2yyc MsuFnNyVnGrRqOjeZD5MAuIQb9+yB3xujQjacWyQsh3W6QJdIm6PMj06xaPP4tJAftaz 3jAC0f15Mm5truth/+chOEMmOTo4zVii6DhBQEC0HKNqXh72YTyKuUGNhH/+c9R1XCK0 1s4mAw2IX5y09IhmMqLOiwz9fYTaIdadL2nhoXQHRBHI2i4ug+rXggMHENN+vdE47cqY bfAQ== X-Gm-Message-State: AOJu0YwYcYn9nQtjc3QhiOPo/bjadyg0vEv75FmIH1nBekwKzr2jrO// QNZYVsGSoisbqfuoGY+dzZiXVDvObiZjLCfplj2MD+YLiKo9p3RGlSFT8Qx8/UF52NH0tU7n3wm N3A/z X-Gm-Gg: AY/fxX4Df4apLMeA1EwLwqleM1ACY9sLTrRs+nvOtGfrlT+6UjCLI13zPAdbOmWXqTj Pp0i/CEehYGSKRvstCE8ITVM9BSwjOtj0gVlj/08y4zcF8SNuQ3AozyRAOHlxR0x8qeztoYHopl lXRcL0DofIq0denx5jp7gZu7a9+Kw/C/vVR8okvjfTgyy6h+XT1ncCA7ml2anHrdBNnr7lU0NFh 3iG/COKmBns7L8bvLwWsNPW+uWTrJ0Q9Hdv/AJY7v6fGiqkzMgyjzP/sFSOVa1TeEQy6jneJyek b3Cj7KGFGGIpA08DTqnrp6W1ugX8FL+F5r9pnSwp8CoHM7DTvD9YduIAluMZZRlOurDvbE6KmYo +r6SHn04oEBfmvPO2BJ64d8i2P6RLgHsUQ0rMG5IObv0gwo3rQ6MqF0kINDqrGfdD5U6WaMQ8sz xHoOusRU4ZiD3IVGeNXNmRpQvsOfWSiALHoXJUwZ0vfKxkp6+SXBpGu/iGbY1b36vqX/fCZmLo9 EveEhLppitjAb4= X-Google-Smtp-Source: AGHT+IHIytnieGtFUowEgcK8L6pJWix+Ta1xHi9g9bZORHmhh4Vp0RDxFpn1KM4/7dH9+zwoS86FuQ== X-Received: by 2002:a05:600c:1d14:b0:477:9a28:b0a4 with SMTP id 5b1f17b1804b1-47d849c7aa8mr15875345e9.0.1767773364432; Wed, 07 Jan 2026 00:09:24 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:23 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 04/11] python3-urllib3: patch CVE-2025-66471 Date: Wed, 7 Jan 2026 09:08:53 +0100 Message-ID: <34083b26ca1e5a52c627e41a1adbeaacf79dfa6d.1767772757.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228952 From: Peter Marko Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471 Signed-off-by: Peter Marko --- .../python3-urllib3/CVE-2025-66471.patch | 930 ++++++++++++++++++ .../python/python3-urllib3_2.5.0.bb | 1 + 2 files changed, 931 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch new file mode 100644 index 0000000000..2f8bc4fc92 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch @@ -0,0 +1,930 @@ +From c19571de34c47de3a766541b041637ba5f716ed7 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Fri, 5 Dec 2025 16:40:41 +0200 +Subject: [PATCH] Merge commit from fork + +* Prevent decompression bomb for zstd in Python 3.14 + +* Add experimental `decompress_iter` for Brotli + +* Update changes for Brotli + +* Add `GzipDecoder.decompress_iter` + +* Test https://github.com/python-hyper/brotlicffi/pull/207 + +* Pin Brotli + +* Add `decompress_iter` to all decoders and make tests pass + +* Pin brotlicffi to an official release + +* Revert changes to response.py + +* Add `max_length` parameter to all `decompress` methods + +* Fix the `test_brotlipy` session + +* Unset `_data` on gzip error + +* Add a test for memory usage + +* Test more methods + +* Fix the test for `stream` + +* Cover more lines with tests + +* Add more coverage + +* Make `read1` a bit more efficient + +* Fix PyPy tests for Brotli + +* Revert an unnecessarily moved check + +* Add some comments + +* Leave just one `self._obj.decompress` call in `GzipDecoder` + +* Refactor test params + +* Test reads with all data already in the decompressor + +* Prevent needless copying of data decoded with `max_length` + +* Rename the changed test + +* Note that responses of unknown length should be streamed too + +* Add a changelog entry + +* Avoid returning a memory view from `BytesQueueBuffer` + +* Add one more note to the changelog entry + +CVE: CVE-2025-66471 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7] +Signed-off-by: Peter Marko +--- + CHANGES.rst | 22 ++++ + docs/advanced-usage.rst | 3 +- + docs/user-guide.rst | 4 +- + pyproject.toml | 5 +- + src/urllib3/response.py | 278 ++++++++++++++++++++++++++++++++++------ + test/test_response.py | 269 +++++++++++++++++++++++++++++++++++++- + 6 files changed, 532 insertions(+), 49 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index add194eb..345476f3 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,3 +1,25 @@ ++2.6.0 (TBD) ++================== ++ ++Bugfixes ++-------- ++ ++- Fixed a security issue where streaming API could improperly handle highly ++ compressed HTTP content ("decompression bombs") leading to excessive resource ++ consumption even when a small amount of data was requested. Reading small ++ chunks of compressed data is safer and much more efficient now. ++ ++.. caution:: ++ - If urllib3 is not installed with the optional `urllib3[brotli]` extra, but ++ your environment contains a Brotli/brotlicffi/brotlipy package anyway, make ++ sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to ++ benefit from the security fixes and avoid warnings. Prefer using ++ `urllib3[brotli]` to install a compatible Brotli package automatically. ++ ++ - If you use custom decompressors, please make sure to update them to ++ respect the changed API of ``urllib3.response.ContentDecoder``. ++ ++ + 2.5.0 (2025-06-18) + ================== + +diff --git a/docs/advanced-usage.rst b/docs/advanced-usage.rst +index ff773662..3ab4fcf3 100644 +--- a/docs/advanced-usage.rst ++++ b/docs/advanced-usage.rst +@@ -66,7 +66,8 @@ When using ``preload_content=True`` (the default setting) the + response body will be read immediately into memory and the HTTP connection + will be released back into the pool without manual intervention. + +-However, when dealing with large responses it's often better to stream the response ++However, when dealing with responses of large or unknown length, ++it's often better to stream the response + content using ``preload_content=False``. Setting ``preload_content`` to ``False`` means + that urllib3 will only read from the socket when data is requested. + +diff --git a/docs/user-guide.rst b/docs/user-guide.rst +index 5c78c8af..1d9d0bbd 100644 +--- a/docs/user-guide.rst ++++ b/docs/user-guide.rst +@@ -145,8 +145,8 @@ to a byte string representing the response content: + print(resp.data) + # b"\xaa\xa5H?\x95\xe9\x9b\x11" + +-.. note:: For larger responses, it's sometimes better to :ref:`stream ` +- the response. ++.. note:: For responses of large or unknown length, it's sometimes better to ++ :ref:`stream ` the response. + + Using io Wrappers with Response Content + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +diff --git a/pyproject.toml b/pyproject.toml +index c9aa6d13..45538a6e 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -41,8 +41,8 @@ dynamic = ["version"] + + [project.optional-dependencies] + brotli = [ +- "brotli>=1.0.9; platform_python_implementation == 'CPython'", +- "brotlicffi>=0.8.0; platform_python_implementation != 'CPython'" ++ "brotli>=1.2.0; platform_python_implementation == 'CPython'", ++ "brotlicffi>=1.2.0.0; platform_python_implementation != 'CPython'" + ] + # Once we drop support for Python 3.13 this extra can be removed. + # We'll need a deprecation period for the 'zstandard' module support +@@ -160,6 +160,7 @@ filterwarnings = [ + '''default:ssl\.PROTOCOL_TLSv1_1 is deprecated:DeprecationWarning''', + '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''', + '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''', ++ '''default:Brotli >= 1.2.0 is required to prevent decompression bombs\.:urllib3.exceptions.DependencyWarning''', + # https://github.com/SeleniumHQ/selenium/issues/13328 + '''default:unclosed file <_io\.BufferedWriter name='/dev/null'>:ResourceWarning''', + # https://github.com/SeleniumHQ/selenium/issues/14686 +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index 3df98184..4ba42136 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -33,6 +33,7 @@ from .connection import BaseSSLError, HTTPConnection, HTTPException + from .exceptions import ( + BodyNotHttplibCompatible, + DecodeError, ++ DependencyWarning, + HTTPError, + IncompleteRead, + InvalidChunkLength, +@@ -52,7 +53,11 @@ log = logging.getLogger(__name__) + + + class ContentDecoder: +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: + raise NotImplementedError() + + def flush(self) -> bytes: +@@ -62,30 +67,57 @@ class ContentDecoder: + class DeflateDecoder(ContentDecoder): + def __init__(self) -> None: + self._first_try = True +- self._data = b"" ++ self._first_try_data = b"" ++ self._unfed_data = b"" + self._obj = zlib.decompressobj() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ data = self._unfed_data + data ++ self._unfed_data = b"" ++ if not data and not self._obj.unconsumed_tail: + return data ++ original_max_length = max_length ++ if original_max_length < 0: ++ max_length = 0 ++ elif original_max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unfed_data = data ++ return b"" + ++ # Subsequent calls always reuse `self._obj`. zlib requires ++ # passing the unconsumed tail if decompression is to continue. + if not self._first_try: +- return self._obj.decompress(data) ++ return self._obj.decompress( ++ self._obj.unconsumed_tail + data, max_length=max_length ++ ) + +- self._data += data ++ # First call tries with RFC 1950 ZLIB format. ++ self._first_try_data += data + try: +- decompressed = self._obj.decompress(data) ++ decompressed = self._obj.decompress(data, max_length=max_length) + if decompressed: + self._first_try = False +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" + return decompressed ++ # On failure, it falls back to RFC 1951 DEFLATE format. + except zlib.error: + self._first_try = False + self._obj = zlib.decompressobj(-zlib.MAX_WBITS) + try: +- return self.decompress(self._data) ++ return self.decompress( ++ self._first_try_data, max_length=original_max_length ++ ) + finally: +- self._data = None # type: ignore[assignment] ++ self._first_try_data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unfed_data) or ( ++ bool(self._obj.unconsumed_tail) and not self._first_try ++ ) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -101,27 +133,61 @@ class GzipDecoder(ContentDecoder): + def __init__(self) -> None: + self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) + self._state = GzipDecoderState.FIRST_MEMBER ++ self._unconsumed_tail = b"" + +- def decompress(self, data: bytes) -> bytes: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: + ret = bytearray() +- if self._state == GzipDecoderState.SWALLOW_DATA or not data: ++ if self._state == GzipDecoderState.SWALLOW_DATA: + return bytes(ret) ++ ++ if max_length == 0: ++ # We should not pass 0 to the zlib decompressor because 0 is ++ # the default value that will make zlib decompress without a ++ # length limit. ++ # Data should be stored for subsequent calls. ++ self._unconsumed_tail += data ++ return b"" ++ ++ # zlib requires passing the unconsumed tail to the subsequent ++ # call if decompression is to continue. ++ data = self._unconsumed_tail + data ++ if not data and self._obj.eof: ++ return bytes(ret) ++ + while True: + try: +- ret += self._obj.decompress(data) ++ ret += self._obj.decompress( ++ data, max_length=max(max_length - len(ret), 0) ++ ) + except zlib.error: + previous_state = self._state + # Ignore data after the first error + self._state = GzipDecoderState.SWALLOW_DATA ++ self._unconsumed_tail = b"" + if previous_state == GzipDecoderState.OTHER_MEMBERS: + # Allow trailing garbage acceptable in other gzip clients + return bytes(ret) + raise +- data = self._obj.unused_data ++ ++ self._unconsumed_tail = data = ( ++ self._obj.unconsumed_tail or self._obj.unused_data ++ ) ++ if max_length > 0 and len(ret) >= max_length: ++ break ++ + if not data: + return bytes(ret) +- self._state = GzipDecoderState.OTHER_MEMBERS +- self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ # When the end of a gzip member is reached, a new decompressor ++ # must be created for unused (possibly future) data. ++ if self._obj.eof: ++ self._state = GzipDecoderState.OTHER_MEMBERS ++ self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS) ++ ++ return bytes(ret) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return bool(self._unconsumed_tail) + + def flush(self) -> bytes: + return self._obj.flush() +@@ -136,9 +202,35 @@ if brotli is not None: + def __init__(self) -> None: + self._obj = brotli.Decompressor() + if hasattr(self._obj, "decompress"): +- setattr(self, "decompress", self._obj.decompress) ++ setattr(self, "_decompress", self._obj.decompress) + else: +- setattr(self, "decompress", self._obj.process) ++ setattr(self, "_decompress", self._obj.process) ++ ++ # Requires Brotli >= 1.2.0 for `output_buffer_limit`. ++ def _decompress(self, data: bytes, output_buffer_limit: int = -1) -> bytes: ++ raise NotImplementedError() ++ ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ try: ++ if max_length > 0: ++ return self._decompress(data, output_buffer_limit=max_length) ++ else: ++ return self._decompress(data) ++ except TypeError: ++ # Fallback for Brotli/brotlicffi/brotlipy versions without ++ # the `output_buffer_limit` parameter. ++ warnings.warn( ++ "Brotli >= 1.2.0 is required to prevent decompression bombs.", ++ DependencyWarning, ++ ) ++ return self._decompress(data) ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ try: ++ return not self._obj.can_accept_more_data() ++ except AttributeError: ++ return False + + def flush(self) -> bytes: + if hasattr(self._obj, "flush"): +@@ -156,16 +248,46 @@ try: + def __init__(self) -> None: + self._obj = zstd.ZstdDecompressor() + +- def decompress(self, data: bytes) -> bytes: +- if not data: ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if not data and not self.has_unconsumed_tail: + return b"" +- data_parts = [self._obj.decompress(data)] +- while self._obj.eof and self._obj.unused_data: +- unused_data = self._obj.unused_data ++ if self._obj.eof: ++ data = self._obj.unused_data + data + self._obj = zstd.ZstdDecompressor() +- data_parts.append(self._obj.decompress(unused_data)) ++ part = self._obj.decompress(data, max_length=max_length) ++ length = len(part) ++ data_parts = [part] ++ # Every loop iteration is supposed to read data from a separate frame. ++ # The loop breaks when: ++ # - enough data is read; ++ # - no more unused data is available; ++ # - end of the last read frame has not been reached (i.e., ++ # more data has to be fed). ++ while ( ++ self._obj.eof ++ and self._obj.unused_data ++ and (max_length < 0 or length < max_length) ++ ): ++ unused_data = self._obj.unused_data ++ if not self._obj.needs_input: ++ self._obj = zstd.ZstdDecompressor() ++ part = self._obj.decompress( ++ unused_data, ++ max_length=(max_length - length) if max_length > 0 else -1, ++ ) ++ if part_length := len(part): ++ data_parts.append(part) ++ length += part_length ++ elif self._obj.needs_input: ++ break + return b"".join(data_parts) + ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return not (self._obj.needs_input or self._obj.eof) or bool( ++ self._obj.unused_data ++ ) ++ + def flush(self) -> bytes: + if not self._obj.eof: + raise DecodeError("Zstandard data is incomplete") +@@ -236,10 +358,35 @@ class MultiDecoder(ContentDecoder): + def flush(self) -> bytes: + return self._decoders[0].flush() + +- def decompress(self, data: bytes) -> bytes: +- for d in reversed(self._decoders): +- data = d.decompress(data) +- return data ++ def decompress(self, data: bytes, max_length: int = -1) -> bytes: ++ if max_length <= 0: ++ for d in reversed(self._decoders): ++ data = d.decompress(data) ++ return data ++ ++ ret = bytearray() ++ # Every while loop iteration goes through all decoders once. ++ # It exits when enough data is read or no more data can be read. ++ # It is possible that the while loop iteration does not produce ++ # any data because we retrieve up to `max_length` from every ++ # decoder, and the amount of bytes may be insufficient for the ++ # next decoder to produce enough/any output. ++ while True: ++ any_data = False ++ for d in reversed(self._decoders): ++ data = d.decompress(data, max_length=max_length - len(ret)) ++ if data: ++ any_data = True ++ # We should not break when no data is returned because ++ # next decoders may produce data even with empty input. ++ ret += data ++ if not any_data or len(ret) >= max_length: ++ return bytes(ret) ++ data = b"" ++ ++ @property ++ def has_unconsumed_tail(self) -> bool: ++ return any(d.has_unconsumed_tail for d in self._decoders) + + + def _get_decoder(mode: str) -> ContentDecoder: +@@ -272,9 +419,6 @@ class BytesQueueBuffer: + + * self.buffer, which contains the full data + * the largest chunk that we will copy in get() +- +- The worst case scenario is a single chunk, in which case we'll make a full copy of +- the data inside get(). + """ + + def __init__(self) -> None: +@@ -296,6 +440,10 @@ class BytesQueueBuffer: + elif n < 0: + raise ValueError("n should be > 0") + ++ if len(self.buffer[0]) == n and isinstance(self.buffer[0], bytes): ++ self._size -= n ++ return self.buffer.popleft() ++ + fetched = 0 + ret = io.BytesIO() + while fetched < n: +@@ -502,7 +650,11 @@ class BaseHTTPResponse(io.IOBase): + self._decoder = _get_decoder(content_encoding) + + def _decode( +- self, data: bytes, decode_content: bool | None, flush_decoder: bool ++ self, ++ data: bytes, ++ decode_content: bool | None, ++ flush_decoder: bool, ++ max_length: int | None = None, + ) -> bytes: + """ + Decode the data passed in and potentially flush the decoder. +@@ -515,9 +667,12 @@ class BaseHTTPResponse(io.IOBase): + ) + return data + ++ if max_length is None or flush_decoder: ++ max_length = -1 ++ + try: + if self._decoder: +- data = self._decoder.decompress(data) ++ data = self._decoder.decompress(data, max_length=max_length) + self._has_decoded_content = True + except self.DECODER_ERROR_CLASSES as e: + content_encoding = self.headers.get("content-encoding", "").lower() +@@ -984,6 +1139,14 @@ class HTTPResponse(BaseHTTPResponse): + elif amt is not None: + cache_content = False + ++ if self._decoder and self._decoder.has_unconsumed_tail: ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=amt - len(self._decoded_buffer), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) >= amt: + return self._decoded_buffer.get(amt) + +@@ -991,7 +1154,11 @@ class HTTPResponse(BaseHTTPResponse): + + flush_decoder = amt is None or (amt != 0 and not data) + +- if not data and len(self._decoded_buffer) == 0: ++ if ( ++ not data ++ and len(self._decoded_buffer) == 0 ++ and not (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + return data + + if amt is None: +@@ -1008,7 +1175,12 @@ class HTTPResponse(BaseHTTPResponse): + ) + return data + +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + + while len(self._decoded_buffer) < amt and data: +@@ -1016,7 +1188,12 @@ class HTTPResponse(BaseHTTPResponse): + # For example, the GZ file header takes 10 bytes, we don't want to read + # it one byte at a time + data = self._raw_read(amt) +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, ++ decode_content, ++ flush_decoder, ++ max_length=amt - len(self._decoded_buffer), ++ ) + self._decoded_buffer.put(decoded_data) + data = self._decoded_buffer.get(amt) + +@@ -1051,6 +1228,20 @@ class HTTPResponse(BaseHTTPResponse): + "Calling read1(decode_content=False) is not supported after " + "read1(decode_content=True) was called." + ) ++ if ( ++ self._decoder ++ and self._decoder.has_unconsumed_tail ++ and (amt is None or len(self._decoded_buffer) < amt) ++ ): ++ decoded_data = self._decode( ++ b"", ++ decode_content, ++ flush_decoder=False, ++ max_length=( ++ amt - len(self._decoded_buffer) if amt is not None else None ++ ), ++ ) ++ self._decoded_buffer.put(decoded_data) + if len(self._decoded_buffer) > 0: + if amt is None: + return self._decoded_buffer.get_all() +@@ -1066,7 +1257,9 @@ class HTTPResponse(BaseHTTPResponse): + self._init_decoder() + while True: + flush_decoder = not data +- decoded_data = self._decode(data, decode_content, flush_decoder) ++ decoded_data = self._decode( ++ data, decode_content, flush_decoder, max_length=amt ++ ) + self._decoded_buffer.put(decoded_data) + if decoded_data or flush_decoder: + break +@@ -1097,7 +1290,11 @@ class HTTPResponse(BaseHTTPResponse): + if self.chunked and self.supports_chunked_reads(): + yield from self.read_chunked(amt, decode_content=decode_content) + else: +- while not is_fp_closed(self._fp) or len(self._decoded_buffer) > 0: ++ while ( ++ not is_fp_closed(self._fp) ++ or len(self._decoded_buffer) > 0 ++ or (self._decoder and self._decoder.has_unconsumed_tail) ++ ): + data = self.read(amt=amt, decode_content=decode_content) + + if data: +@@ -1260,7 +1457,10 @@ class HTTPResponse(BaseHTTPResponse): + break + chunk = self._handle_chunk(amt) + decoded = self._decode( +- chunk, decode_content=decode_content, flush_decoder=False ++ chunk, ++ decode_content=decode_content, ++ flush_decoder=False, ++ max_length=amt, + ) + if decoded: + yield decoded +diff --git a/test/test_response.py b/test/test_response.py +index c97fdff0..9592fdd9 100644 +--- a/test/test_response.py ++++ b/test/test_response.py +@@ -1,6 +1,7 @@ + from __future__ import annotations + + import contextlib ++import gzip + import http.client as httplib + import socket + import ssl +@@ -43,6 +44,26 @@ def zstd_compress(data: bytes) -> bytes: + return zstd.compress(data) # type: ignore[no-any-return] + + ++def deflate2_compress(data: bytes) -> bytes: ++ compressor = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS) ++ return compressor.compress(data) + compressor.flush() ++ ++ ++if brotli: ++ try: ++ brotli.Decompressor().process(b"", output_buffer_limit=1024) ++ _brotli_gte_1_2_0_available = True ++ except (AttributeError, TypeError): ++ _brotli_gte_1_2_0_available = False ++else: ++ _brotli_gte_1_2_0_available = False ++try: ++ zstd_compress(b"") ++ _zstd_available = True ++except ModuleNotFoundError: ++ _zstd_available = False ++ ++ + class TestBytesQueueBuffer: + def test_single_chunk(self) -> None: + buffer = BytesQueueBuffer() +@@ -118,12 +139,19 @@ class TestBytesQueueBuffer: + + assert len(get_func(buffer)) == 10 * 2**20 + ++ @pytest.mark.parametrize( ++ "get_func", ++ (lambda b: b.get(len(b)), lambda b: b.get_all()), ++ ids=("get", "get_all"), ++ ) + @pytest.mark.limit_memory("10.01 MB", current_thread_only=True) +- def test_get_all_memory_usage_single_chunk(self) -> None: ++ def test_memory_usage_single_chunk( ++ self, get_func: typing.Callable[[BytesQueueBuffer], bytes] ++ ) -> None: + buffer = BytesQueueBuffer() + chunk = bytes(10 * 2**20) # 10 MiB + buffer.put(chunk) +- assert buffer.get_all() is chunk ++ assert get_func(buffer) is chunk + + + # A known random (i.e, not-too-compressible) payload generated with: +@@ -426,7 +454,26 @@ class TestResponse: + assert r.data == b"foo" + + @onlyZstd() +- def test_decode_multiframe_zstd(self) -> None: ++ @pytest.mark.parametrize( ++ "read_amt", ++ ( ++ # Read all data at once. ++ None, ++ # Read one byte at a time, data of frames will be returned ++ # separately. ++ 1, ++ # Read two bytes at a time, the second read should return ++ # data from both frames. ++ 2, ++ # Read three bytes at a time, the whole frames will be ++ # returned separately in two calls. ++ 3, ++ # Read four bytes at a time, the first read should return ++ # data from the first frame and a part of the second frame. ++ 4, ++ ), ++ ) ++ def test_decode_multiframe_zstd(self, read_amt: int | None) -> None: + data = ( + # Zstandard frame + zstd_compress(b"foo") +@@ -441,8 +488,57 @@ class TestResponse: + ) + + fp = BytesIO(data) +- r = HTTPResponse(fp, headers={"content-encoding": "zstd"}) +- assert r.data == b"foobar" ++ result = bytearray() ++ r = HTTPResponse( ++ fp, headers={"content-encoding": "zstd"}, preload_content=False ++ ) ++ total_length = 6 ++ while len(result) < total_length: ++ chunk = r.read(read_amt, decode_content=True) ++ if read_amt is None: ++ assert len(chunk) == total_length ++ else: ++ assert len(chunk) == min(read_amt, total_length - len(result)) ++ result += chunk ++ assert bytes(result) == b"foobar" ++ ++ @onlyZstd() ++ def test_decode_multiframe_zstd_with_max_length_close_to_compressed_data_size( ++ self, ++ ) -> None: ++ """ ++ Test decoding when the first read from the socket returns all ++ the compressed frames, but then it has to be decompressed in a ++ couple of read calls. ++ """ ++ data = ( ++ # Zstandard frame ++ zstd_compress(b"x" * 1024) ++ # skippable frame (must be ignored) ++ + bytes.fromhex( ++ "50 2A 4D 18" # Magic_Number (little-endian) ++ "07 00 00 00" # Frame_Size (little-endian) ++ "00 00 00 00 00 00 00" # User_Data ++ ) ++ # Zstandard frame ++ + zstd_compress(b"y" * 1024) ++ ) ++ ++ fp = BytesIO(data) ++ r = HTTPResponse( ++ fp, headers={"content-encoding": "zstd"}, preload_content=False ++ ) ++ # Read the whole first frame. ++ assert r.read(1024) == b"x" * 1024 ++ assert len(r._decoded_buffer) == 0 ++ # Read the whole second frame in two reads. ++ assert r.read(512) == b"y" * 512 ++ assert len(r._decoded_buffer) == 0 ++ assert r.read(512) == b"y" * 512 ++ assert len(r._decoded_buffer) == 0 ++ # Ensure no more data is left. ++ assert r.read() == b"" ++ assert len(r._decoded_buffer) == 0 + + @onlyZstd() + def test_chunked_decoding_zstd(self) -> None: +@@ -535,6 +631,169 @@ class TestResponse: + decoded_data += part + assert decoded_data == data + ++ _test_compressor_params: list[ ++ tuple[str, tuple[str, typing.Callable[[bytes], bytes]] | None] ++ ] = [ ++ ("deflate1", ("deflate", zlib.compress)), ++ ("deflate2", ("deflate", deflate2_compress)), ++ ("gzip", ("gzip", gzip.compress)), ++ ] ++ if _brotli_gte_1_2_0_available: ++ _test_compressor_params.append(("brotli", ("br", brotli.compress))) ++ else: ++ _test_compressor_params.append(("brotli", None)) ++ if _zstd_available: ++ _test_compressor_params.append(("zstd", ("zstd", zstd_compress))) ++ else: ++ _test_compressor_params.append(("zstd", None)) ++ ++ @pytest.mark.parametrize("read_method", ("read", "read1")) ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_compressor_params], ++ ids=[d[0] for d in _test_compressor_params], ++ ) ++ def test_read_with_all_data_already_in_decompressor( ++ self, ++ request: pytest.FixtureRequest, ++ read_method: str, ++ data: tuple[str, typing.Callable[[bytes], bytes]] | None, ++ ) -> None: ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ original_data = b"bar" * 1000 ++ name, compress_func = data ++ compressed_data = compress_func(original_data) ++ fp = mock.Mock(read=mock.Mock(return_value=b"")) ++ r = HTTPResponse(fp, headers={"content-encoding": name}, preload_content=False) ++ # Put all data in the decompressor's buffer. ++ r._init_decoder() ++ assert r._decoder is not None # for mypy ++ decoded = r._decoder.decompress(compressed_data, max_length=0) ++ if name == "br": ++ # It's known that some Brotli libraries do not respect ++ # `max_length`. ++ r._decoded_buffer.put(decoded) ++ else: ++ assert decoded == b"" ++ # Read the data via `HTTPResponse`. ++ read = getattr(r, read_method) ++ assert read(0) == b"" ++ assert read(2500) == original_data[:2500] ++ assert read(500) == original_data[2500:] ++ assert read(0) == b"" ++ assert read() == b"" ++ ++ @pytest.mark.parametrize( ++ "delta", ++ ( ++ 0, # First read from socket returns all compressed data. ++ -1, # First read from socket returns all but one byte of compressed data. ++ ), ++ ) ++ @pytest.mark.parametrize("read_method", ("read", "read1")) ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_compressor_params], ++ ids=[d[0] for d in _test_compressor_params], ++ ) ++ def test_decode_with_max_length_close_to_compressed_data_size( ++ self, ++ request: pytest.FixtureRequest, ++ delta: int, ++ read_method: str, ++ data: tuple[str, typing.Callable[[bytes], bytes]] | None, ++ ) -> None: ++ """ ++ Test decoding when the first read from the socket returns all or ++ almost all the compressed data, but then it has to be ++ decompressed in a couple of read calls. ++ """ ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ ++ original_data = b"foo" * 1000 ++ name, compress_func = data ++ compressed_data = compress_func(original_data) ++ fp = BytesIO(compressed_data) ++ r = HTTPResponse(fp, headers={"content-encoding": name}, preload_content=False) ++ initial_limit = len(compressed_data) + delta ++ read = getattr(r, read_method) ++ initial_chunk = read(amt=initial_limit, decode_content=True) ++ assert len(initial_chunk) == initial_limit ++ assert ( ++ len(read(amt=len(original_data), decode_content=True)) ++ == len(original_data) - initial_limit ++ ) ++ ++ # Prepare 50 MB of compressed data outside of the test measuring ++ # memory usage. ++ _test_memory_usage_decode_with_max_length_params: list[ ++ tuple[str, tuple[str, bytes] | None] ++ ] = [ ++ ( ++ params[0], ++ (params[1][0], params[1][1](b"A" * (50 * 2**20))) if params[1] else None, ++ ) ++ for params in _test_compressor_params ++ ] ++ ++ @pytest.mark.parametrize( ++ "data", ++ [d[1] for d in _test_memory_usage_decode_with_max_length_params], ++ ids=[d[0] for d in _test_memory_usage_decode_with_max_length_params], ++ ) ++ @pytest.mark.parametrize("read_method", ("read", "read1", "read_chunked", "stream")) ++ # Decoders consume different amounts of memory during decompression. ++ # We set the 10 MB limit to ensure that the whole decompressed data ++ # is not stored unnecessarily. ++ # ++ # FYI, the following consumption was observed for the test with ++ # `read` on CPython 3.14.0: ++ # - deflate: 2.3 MiB ++ # - deflate2: 2.1 MiB ++ # - gzip: 2.1 MiB ++ # - brotli: ++ # - brotli v1.2.0: 9 MiB ++ # - brotlicffi v1.2.0.0: 6 MiB ++ # - brotlipy v0.7.0: 105.8 MiB ++ # - zstd: 4.5 MiB ++ @pytest.mark.limit_memory("10 MB", current_thread_only=True) ++ def test_memory_usage_decode_with_max_length( ++ self, ++ request: pytest.FixtureRequest, ++ read_method: str, ++ data: tuple[str, bytes] | None, ++ ) -> None: ++ if data is None: ++ pytest.skip(f"Proper {request.node.callspec.id} decoder is not available") ++ ++ name, compressed_data = data ++ limit = 1024 * 1024 # 1 MiB ++ if read_method in ("read_chunked", "stream"): ++ httplib_r = httplib.HTTPResponse(MockSock) # type: ignore[arg-type] ++ httplib_r.fp = MockChunkedEncodingResponse([compressed_data]) # type: ignore[assignment] ++ r = HTTPResponse( ++ httplib_r, ++ preload_content=False, ++ headers={"transfer-encoding": "chunked", "content-encoding": name}, ++ ) ++ next(getattr(r, read_method)(amt=limit, decode_content=True)) ++ else: ++ fp = BytesIO(compressed_data) ++ r = HTTPResponse( ++ fp, headers={"content-encoding": name}, preload_content=False ++ ) ++ getattr(r, read_method)(amt=limit, decode_content=True) ++ ++ # Check that the internal decoded buffer is empty unless brotli ++ # is used. ++ # Google's brotli library does not fully respect the output ++ # buffer limit: https://github.com/google/brotli/issues/1396 ++ # And unmaintained brotlipy cannot limit the output buffer size. ++ if name != "br" or brotli.__name__ == "brotlicffi": ++ assert len(r._decoded_buffer) == 0 ++ + def test_multi_decoding_deflate_deflate(self) -> None: + data = zlib.compress(zlib.compress(b"foo")) + diff --git a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb index c39e9676e8..dcdf45439a 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb @@ -9,6 +9,7 @@ inherit pypi python_hatchling SRC_URI += "\ file://CVE-2025-66418.patch \ + file://CVE-2025-66471.patch \ " DEPENDS += "python3-hatch-vcs-native" From patchwork Wed Jan 7 08:08:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78133 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BCEB5CF6C05 for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1503.1767773367016486171 for ; Wed, 07 Jan 2026 00:09:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=wlaHcrYI; spf=pass (domain: smile.fr, ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-477619f8ae5so13811075e9.3 for ; Wed, 07 Jan 2026 00:09:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773365; x=1768378165; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=pX5HDZF9TYMWB8uUQTScfMp+8oLpMin4E1CmUv4n6bM=; b=wlaHcrYIf/sCPCtAvoeE+ncCZS3YfzX8OsGJvMr/mwl0ZYBwzu9kNoQa1tySrrQ65N BuUYXygrcXX3lDTfvWkBCQVCYIabnuHowO8r6F0MRFrmS+Gh+qyUmsypPCmdin4+0yvH sUSZo2mmZZP8p0jsw+EcrBop/vh2qkQ/7u4zE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773365; x=1768378165; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=pX5HDZF9TYMWB8uUQTScfMp+8oLpMin4E1CmUv4n6bM=; b=Om96xF+KA+7QiweVMTCC4cIsvD2CseYjDC9dcMG7WbBHYMMDNTq2U5UgD9/yaZBKtx g9HtH0jJzxCm7eYsQm+35sFeOh3rse3olxzzB34EXP6xTd7sP8qornt4KezgQbtZjssV JEw7TVU+1w0KbxD165oYlFrZ764qRkjx3vUaDmg6C5347kAIxqvTCEFYvkJG94UTnoUG c+hkxx3vQP7LO/diU4vPB6PzZ77ZlE+vfas1jMZaqP0PO4esq4ldZ3eMv5BjlWFsAWJ6 eqV3jn2TPhiFafEPqqBRV2KUWkkRphnDm7nGepzsr+z/wMGmb1QoSQP/BTcoGktoXP41 SQCA== X-Gm-Message-State: AOJu0YzO/RkRqG6+DyeCUtSDwHq+xJ5afKJ2IfMbkeATUaXMbjAG+kUN iNYZBrTxXUtNTF54S9oFvG8OdpSodwcJfPH09bbun798PuE0UnA+HS0aMlvnhXDmjf55xS7lIqJ zct+J X-Gm-Gg: AY/fxX4v3USnh0ZUDY+1aAuirPNkqwWGgUinW6olFi+CJgd7TuecWJLfnDFDLwFeZV7 OWmpytj4kWFJKUHzAm64A0ypaI3p5KO7fICMay6b54dYjdoQ4XStO+ruKnyW4MiZVb5Bi1WYYo8 FO6ZJgNntbS+9axZ2jVmglz3kemo3cSjLJdsyERnqSOEm5EXGfTBFktgjRboxYSXl0qNnKqspJq QLCVm6lEqmrtLq0cTeDupTHb95SKfkp/wPhNMEpGQo8XnpIypMiWVsdkUTpNPd0CrQxtDDsW9Tc IZlKm87D6aMLJ+O3lA8DxUFVxTm8jhweiD49yOuY/T15siHxfV36+M2Y3Np1POsB8su0F3h7LU/ sHEYW9SQPwvJcH2lFjJ5bJTZaWWtSMDK6yDy4BxQnmm2nub05E+BPAHCkyw3K5XlXt2WRl0dBPw y1RtnLpNAVT7myX3nr5f8h4rvqRlRaBSuprbLDBTJGgc0Pw5oNrIUxirmaBjMsCZBar2gdCJJHI k4Wcr/uir0HlRIeW6/cpY6/hQ== X-Google-Smtp-Source: AGHT+IEi8FeqtciphicR9naZMNeNA+H49IvsD8k9/DzDVE7jFQ/FGBstbptrtk1aI2EBlLnpoMrf6A== X-Received: by 2002:a05:600c:a015:b0:479:1348:c61e with SMTP id 5b1f17b1804b1-47d84b54c82mr13683595e9.20.1767773365111; Wed, 07 Jan 2026 00:09:25 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:24 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 05/11] python3: upgrade 3.13.9 -> 3.13.11 Date: Wed, 7 Jan 2026 09:08:54 +0100 Message-ID: <148492a04791a207dcb9302f71d65e6566e23f5c.1767772757.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228951 From: Peter Marko Handles CVE-2025-6075 (in 3.13.10) and CVE-2025-12084 (in 3.13.11). Release information: * https://www.python.org/downloads/release/python-31310/ * Python 3.13.10 is the tenth maintenance release of 3.13, containing around 300 bugfixes, build improvements and documentation changes since 3.13.9. * https://www.python.org/downloads/release/python-31311/ * Python 3.13.11 is the eleventh maintenance release of 3.13. This is an expedited release to fix the following regressions: * gh-142206: Exceptions in multiprocessing in running programs while upgrading Python. * gh-142218: Segmentation faults and assertion failures in insertdict. * gh-140797: Crash when using multiple capturing groups in re.Scanner * And these security fixes: * gh-142145: Remove quadratic behavior in node ID cache clearing (CVE-2025-12084) * gh-119451: Fix a potential denial of service in http.client * gh-119452: Fix a potential virtual memory allocation denial of service in http.server Signed-off-by: Peter Marko --- .../python/{python3_3.13.9.bb => python3_3.13.11.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3_3.13.9.bb => python3_3.13.11.bb} (99%) diff --git a/meta/recipes-devtools/python/python3_3.13.9.bb b/meta/recipes-devtools/python/python3_3.13.11.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.13.9.bb rename to meta/recipes-devtools/python/python3_3.13.11.bb index 2e114a6c5b..2fcfd4aba1 100644 --- a/meta/recipes-devtools/python/python3_3.13.9.bb +++ b/meta/recipes-devtools/python/python3_3.13.11.bb @@ -35,7 +35,7 @@ SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ " -SRC_URI[sha256sum] = "ed5ef34cda36cfa2f3a340f07cac7e7814f91c7f3c411f6d3562323a866c5c66" +SRC_URI[sha256sum] = "16ede7bb7cdbfa895d11b0642fa0e523f291e6487194d53cf6d3b338c3a17ea2" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" From patchwork Wed Jan 7 08:08:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78137 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE9DFCF6C0E for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1504.1767773368046265607 for ; Wed, 07 Jan 2026 00:09:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=fdodgS6A; spf=pass (domain: smile.fr, ip: 209.85.128.50, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-4779adb38d3so12362645e9.2 for ; Wed, 07 Jan 2026 00:09:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773366; x=1768378166; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=R2WvOF7r7UX7vWMO3ItDAEb6Uqh7ipgPh/UHkc93A3s=; b=fdodgS6AHTQn9yvNXsctW2B55sZXlChy7qXlJIoQB8x5My2AmmTuxQEV9v3/t0MV2g XPIGISEL0j+mZODISg+Gc7AqmyAJHs6ZhqqdKDh5jxErPfV5aa1Feg94vJ452Ys3kSfj JZwlujziJNdgh9HSqw/dqi4/R7Z4/l8Kio5i4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773366; x=1768378166; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=R2WvOF7r7UX7vWMO3ItDAEb6Uqh7ipgPh/UHkc93A3s=; b=OYb1v2L6WnVUUQ8f3/1IlYZstGhA4K2jk727XIEByMrQWwfg5Uqgz3qAXSmlc6IhnA 7+Os/uE/OB7VjYCSCsto54UsexhFY2xeVSdMcvm28XzwOiztf4Eiyv2jmptlt4T/ytw7 1lhFJbPlfs6kW72wR44k5adKthahs0/e0wtN/KsuEh+ZxOpSfwuDXdtRyGFZ6YVaMuqz IUBFld1DkU5Ks0++6MNgeGkR+JZTFvODBimf53tuDPoYECHMbykWmc32O0Lzo8bYy6nD VxcpL9RQLQkWrWqs1lmjiddh37NZOP742F0oD8cvN5UKim0My1zUi7mqyITQMOE4Pxxv MSPw== X-Gm-Message-State: AOJu0YzmvOYPInoCew4O7MKyFAbHrFUTwL0kAtNztnJR2ZKYo9Sh6c1u sm/mo+f/xz7LeUEVBGUp2+7aiJZaFIRFzqADcO8hjjE0qVqIMETMk52EEMBcXShD+JS3fNDenEr 28BbP X-Gm-Gg: AY/fxX6LLZrrRx2++AdtVXgKIuxFVSwNx+LdJLqqKDBCyolycyRAkNtD7CerJtQwHxV RmdljRHOqStabNJyoLFJa6mndshhBe1zyn7xB71w5pmJC3cujnGUGRkWTW0HPSOiNtayZstVrHC TN3bq0V+Rru9pYH37F52VYguPxIlL6iRAgyJKaAdCIQ2jaqTuTAZ41NGO726ZN0LufAnDZdVuQ9 KJCjOm3+itjyvZ9YuopX0041C+twP4tSC98S6QvmWQadlKvYX+dtSCE25e+YjU5hRZ6+/6cfr1i qp0H5w/H/zXa3kuovmPSvFZNlF2gwBW92kzioP6q+EDfoqgt+ApEeFzEMSMXkJY3EBmzx6FP/Im OBXfjmmk+hBgV2TXi47lalrSGL+oIRalRLpjIB4aXgqH2GZR7viUAo3cn7MsjaMkAG8NKh+dr37 DtshC9l1Tl+E+aEYJcfcSXKx1ocDyjr6I5N5Ink+FkD2T4+JTCxOsVRGiLKumUVFnPyjh0XyG6v eI9RR2FrfKFxBc= X-Google-Smtp-Source: AGHT+IFivu7I0Xhmbz5uHth+5Ncd9qaDmNaQJJNtJdY+OKJpeyEvgtmWelGtwZsMOdfkHJZfyHYxkA== X-Received: by 2002:a05:600c:1d0c:b0:471:700:f281 with SMTP id 5b1f17b1804b1-47d84b4093cmr15154885e9.25.1767773366023; Wed, 07 Jan 2026 00:09:26 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:25 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 06/11] libarchive: upgrade 3.8.3 -> 3.8.4 Date: Wed, 7 Jan 2026 09:08:55 +0100 Message-ID: <008b509528d4014ce0fe95bde63bc1aa744bcda1.1767772758.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228953 From: Peter Marko Handles CVE-2025-60753. Release Notes [1]: Libarchive 3.8.4 is a bugfix release. Notable bugxies: * bsdtar: Fix zero-length pattern issue (#2787) * lib: Fix regression introduced in libarchive 3.8.2 when walking enterable but unreadable directories (#2797) Full Changelog: [2] [1] https://github.com/libarchive/libarchive/releases/tag/v3.8.4 [2] https://github.com/libarchive/libarchive/compare/v3.8.3...v3.8.4 (From OE-Core rev: 5479a5e6bcdebd2c5c6f1cbbe039243cf9fbc6b0) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../libarchive/{libarchive_3.8.3.bb => libarchive_3.8.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/libarchive/{libarchive_3.8.3.bb => libarchive_3.8.4.bb} (96%) diff --git a/meta/recipes-extended/libarchive/libarchive_3.8.3.bb b/meta/recipes-extended/libarchive/libarchive_3.8.4.bb similarity index 96% rename from meta/recipes-extended/libarchive/libarchive_3.8.3.bb rename to meta/recipes-extended/libarchive/libarchive_3.8.4.bb index e3706ba3bb..e89638f5c6 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.8.3.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.8.4.bb @@ -32,7 +32,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv" SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz" UPSTREAM_CHECK_URI = "https://www.libarchive.org/" -SRC_URI[sha256sum] = "a290c2d82bce7b806d1e5309558a7bd0ef39067a868f4622a0e32e71a4de8cb6" +SRC_URI[sha256sum] = "b2c75b132a0ec43274d2867221befcb425034cd038e465afbfad09911abb1abb" inherit autotools update-alternatives pkgconfig From patchwork Wed Jan 7 08:08:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78134 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD00ACF6C04 for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1456.1767773368478590462 for ; Wed, 07 Jan 2026 00:09:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=0Osvcw05; spf=pass (domain: smile.fr, ip: 209.85.128.47, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4779cc419b2so14863815e9.3 for ; Wed, 07 Jan 2026 00:09:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773367; x=1768378167; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qJGGeHJE9wMnR6JujwFzCLLWci1OuhBoihQJrigahuk=; b=0Osvcw05mlzh6IwB6p6w2yVT3t1X6bYGKf5D5S+XcC5/vNKZvNYfqkKqHKRDlEbFaG 4UVQaUVrNKa9qb+mB25+RSUKuGUeZT/AiI5jIjQSFE/xe9eVjzCY7HBXHGFBsmWObsQT gysmc8+OTKLInDbqk51Fl4oxg4aqrJQaumLRM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773367; x=1768378167; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=qJGGeHJE9wMnR6JujwFzCLLWci1OuhBoihQJrigahuk=; b=W9cRmGhbyZIFSQTOBTpMy6LGIffkVe3Po/FeTLLL8nyNoqnCC1HtSeZ6m1yC5d5C3X uvcomHAx5GXw59itgc1RwaWOKoWbVZxt01EPX+tm1gXjjHqP9RXo1dygiW4aE998tBIm wayXyIb7luZVnqJxYMdje6bWXI8jSnkZDSPOJAcydygFAIQleXVjr00iNdCnn12y/c9H mi/S9nFHOzt/WJrudfflJX13FU4zuAufWaufpujgE9BSTyjtEFLMR7wrQDlZD4Slf8Pz RdvaJjBN9Ub1oseDk9uvnoMSCAy+kt5ZDjFz9Nm8xOD2Ec7ZW8IN7ZLjPY7IM+2+JhIu 8B/g== X-Gm-Message-State: AOJu0YxTdNDKPBNCNfJCnDRtjCib/1NOkP0jH+RvHMFGzUpa1r6GBbgw 4ibkPmL7kVmPV3TPIfrvBOxIXMIDJt+nsw/Z3BkG4sLUz+JwgL/4YuNeNtp+2U+1DFdMm4Bi+y6 aXd3S X-Gm-Gg: AY/fxX4vatmCvY3RV2CFaKRb97/wk8ETKKXbX4o/liSvQLdXUf4x8n5o9Ayq6EnUr5L 60xIZX5pw9dkAzU+Hl1qJEmMkP+rTvKdCic4nQ8tCH6ix3VRS52/+xOaTWMnVMdrN+ZQ4FUzTYe ydhDZHHEnXRObpI+tKULdhIzUkLNQbpWaHJKg0F8CHzlCgQThYOP/fp5MzMS99f4iswBWjj24Pw D+LKm+OGjnpGC5kb89Kr6qZSKGtQDGJumOQRcYo2FISwqwIDCDYTPCaR/nLi7s0v/gUM8HtykQr 26fbcwqc5aG2PW+valQV4nhKuf23yByqQZ3bL/W5UXQ3ViD+DYIpbTUqy9Koq6usT5K/0xqceaw 0xTnaDVs8ezCFg2vpmO8707exHR4DV9D65ydnuM4IzFI3rD8Z7piIYbp53i4tvnUxvPgpLn2ScE 3IVSBZIxVuWPgZOQxJCbyyXl0od2IOw68wsoxEo+TndWwuqEwSdWYhk/zW8PmsEWrj7XPtLFnM4 zCU1e5+gE3kVKk= X-Google-Smtp-Source: AGHT+IGoJy+S071pq/G1f2EnKKJlW9T7zSTuYtwRMs3DZuEYmQibt/WYCYQtPrxYfQBqPWEYGpc9dw== X-Received: by 2002:a05:600c:c4a5:b0:477:1ae1:fa5d with SMTP id 5b1f17b1804b1-47d84b32f5amr14902965e9.20.1767773366561; Wed, 07 Jan 2026 00:09:26 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:26 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 07/11] glib-2.0: upgrade 2.86.1 -> 2.86.3 Date: Wed, 7 Jan 2026 09:08:56 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228954 From: Alexander Kanavin Signed-off-by: Alexander Kanavin Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (From OE-Core rev: 2041beac5c9cf081c5c23220c6fb259381611111) Handles CVE-2025-13601, CVE-2025-14087 and CVE-2025-14512. Signed-off-by: Peter Marko --- ...001-Do-not-write-bindir-into-pkg-config-files.patch | 10 +++++----- .../files/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch | 2 +- ...1-Install-gio-querymodules-as-libexec_PROGRAM.patch | 6 +++--- ...the-warning-about-deprecated-paths-in-schemas.patch | 2 +- ...ts-resources.c-comment-out-a-build-host-only-.patch | 2 +- .../0001-meson-Run-atomics-test-on-clang-as-well.patch | 6 +++--- ...uild-do-not-enable-pidfd-features-on-native-g.patch | 6 +++--- ...o-not-hardcode-python-path-into-various-tools.patch | 2 +- .../recipes-core/glib-2.0/files/relocate-modules.patch | 8 ++++---- meta/recipes-core/glib-2.0/files/skip-timeout.patch | 2 +- ....0-initial_2.86.1.bb => glib-2.0-initial_2.86.3.bb} | 0 .../{glib-2.0_2.86.1.bb => glib-2.0_2.86.3.bb} | 0 meta/recipes-core/glib-2.0/glib.inc | 2 +- 13 files changed, 24 insertions(+), 24 deletions(-) rename meta/recipes-core/glib-2.0/{glib-2.0-initial_2.86.1.bb => glib-2.0-initial_2.86.3.bb} (100%) rename meta/recipes-core/glib-2.0/{glib-2.0_2.86.1.bb => glib-2.0_2.86.3.bb} (100%) diff --git a/meta/recipes-core/glib-2.0/files/0001-Do-not-write-bindir-into-pkg-config-files.patch b/meta/recipes-core/glib-2.0/files/0001-Do-not-write-bindir-into-pkg-config-files.patch index c394ab3277..06841ddfb8 100644 --- a/meta/recipes-core/glib-2.0/files/0001-Do-not-write-bindir-into-pkg-config-files.patch +++ b/meta/recipes-core/glib-2.0/files/0001-Do-not-write-bindir-into-pkg-config-files.patch @@ -1,4 +1,4 @@ -From 8981db5d775e04b72fb68b6a4553c87fdaedee65 Mon Sep 17 00:00:00 2001 +From 6fe3965383d94b3030e85ab899955858710fec5c Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Fri, 15 Feb 2019 11:17:27 +0100 Subject: [PATCH] Do not prefix executables with $bindir in pkg-config files @@ -15,10 +15,10 @@ Signed-off-by: Alexander Kanavin 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/gio/meson.build b/gio/meson.build -index 5d91b89..1a8da12 100644 +index 2f8f188..57c48d2 100644 --- a/gio/meson.build +++ b/gio/meson.build -@@ -901,17 +901,18 @@ libgio_dep = declare_dependency(link_with : libgio, +@@ -912,17 +912,18 @@ libgio_dep = declare_dependency(link_with : libgio, pkg.generate(libgio, requires : ['glib-2.0', 'gobject-2.0'], variables : [ @@ -46,10 +46,10 @@ index 5d91b89..1a8da12 100644 uninstalled_variables : [ 'gio=${prefix}/gio/gio', diff --git a/glib/meson.build b/glib/meson.build -index 837960d..97d4af0 100644 +index 209bcbf..a86cfd3 100644 --- a/glib/meson.build +++ b/glib/meson.build -@@ -443,9 +443,10 @@ pkg.generate(libglib, +@@ -464,9 +464,10 @@ pkg.generate(libglib, subdirs : ['glib-2.0'], extra_cflags : ['-I${libdir}/glib-2.0/include'] + win32_cflags, variables : [ diff --git a/meta/recipes-core/glib-2.0/files/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch b/meta/recipes-core/glib-2.0/files/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch index 19fffbdc5f..b91624da8b 100644 --- a/meta/recipes-core/glib-2.0/files/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch +++ b/meta/recipes-core/glib-2.0/files/0001-Fix-DATADIRNAME-on-uclibc-Linux.patch @@ -1,4 +1,4 @@ -From 48bfc87e9f757cf65ad967520860bfd7526c36f2 Mon Sep 17 00:00:00 2001 +From 966c58aae35f9e2bcef5238e0331a119e0e51abd Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Sat, 15 Mar 2014 22:42:29 -0700 Subject: [PATCH] Fix DATADIRNAME on uclibc/Linux diff --git a/meta/recipes-core/glib-2.0/files/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch b/meta/recipes-core/glib-2.0/files/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch index 89ba10ff6d..2ebf01b672 100644 --- a/meta/recipes-core/glib-2.0/files/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch +++ b/meta/recipes-core/glib-2.0/files/0001-Install-gio-querymodules-as-libexec_PROGRAM.patch @@ -1,4 +1,4 @@ -From b8dcbf03b315d31759176e9d4fd389e8fda6ffcd Mon Sep 17 00:00:00 2001 +From 0de3a3a791ca32f2330eb3a8ad9da0fe6dce950c Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Tue, 22 Mar 2016 15:14:58 +0200 Subject: [PATCH] Install gio-querymodules as libexec_PROGRAM @@ -13,10 +13,10 @@ Upstream-Status: Inappropriate [OE specific] 1 file changed, 1 insertion(+) diff --git a/gio/meson.build b/gio/meson.build -index 854b95a..5d91b89 100644 +index 39256d3..2f8f188 100644 --- a/gio/meson.build +++ b/gio/meson.build -@@ -1038,6 +1038,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu +@@ -1049,6 +1049,7 @@ gio_querymodules = executable('gio-querymodules', 'gio-querymodules.c', 'giomodu c_args : gio_c_args, # intl.lib is not compatible with SAFESEH link_args : noseh_link_args, diff --git a/meta/recipes-core/glib-2.0/files/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch b/meta/recipes-core/glib-2.0/files/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch index ebdf957272..d6dd66357a 100644 --- a/meta/recipes-core/glib-2.0/files/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch +++ b/meta/recipes-core/glib-2.0/files/0001-Remove-the-warning-about-deprecated-paths-in-schemas.patch @@ -1,4 +1,4 @@ -From bdb2772d672e95584585e902689936559c5db05d Mon Sep 17 00:00:00 2001 +From b829f3205e4d8390f02eaa8e7a7bf85e51cbb7ed Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Fri, 12 Jun 2015 17:08:46 +0300 Subject: [PATCH] Remove the warning about deprecated paths in schemas diff --git a/meta/recipes-core/glib-2.0/files/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch b/meta/recipes-core/glib-2.0/files/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch index 771b03e66d..7a2fc0b7ef 100644 --- a/meta/recipes-core/glib-2.0/files/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch +++ b/meta/recipes-core/glib-2.0/files/0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch @@ -1,4 +1,4 @@ -From 8cb75d3bc368ee108a4b14bc57a92bd0c0b2e10e Mon Sep 17 00:00:00 2001 +From 912e674bb0a3b51dabaa58da1834491ef94e6a2a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 8 Jan 2020 18:22:46 +0100 Subject: [PATCH] gio/tests/resources.c: comment out a build host-only test diff --git a/meta/recipes-core/glib-2.0/files/0001-meson-Run-atomics-test-on-clang-as-well.patch b/meta/recipes-core/glib-2.0/files/0001-meson-Run-atomics-test-on-clang-as-well.patch index 5ad2a0375b..e4b0d6be79 100644 --- a/meta/recipes-core/glib-2.0/files/0001-meson-Run-atomics-test-on-clang-as-well.patch +++ b/meta/recipes-core/glib-2.0/files/0001-meson-Run-atomics-test-on-clang-as-well.patch @@ -1,4 +1,4 @@ -From 502984fe340a76c92e2c04235f43fdcb47728806 Mon Sep 17 00:00:00 2001 +From 26ddae02d7677bcff7c3933ee856d34df41b548f Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Sat, 12 Oct 2019 17:46:26 -0700 Subject: [PATCH] meson: Run atomics test on clang as well @@ -14,10 +14,10 @@ Signed-off-by: Khem Raj 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index a8bcadc..041b68e 100644 +index dab1d61..cc3a5ed 100644 --- a/meson.build +++ b/meson.build -@@ -2077,7 +2077,7 @@ atomicdefine = ''' +@@ -2092,7 +2092,7 @@ atomicdefine = ''' # We know that we can always use real ("lock free") atomic operations with MSVC if cc.get_id() == 'msvc' or cc.get_id() == 'clang-cl' or cc.links(atomictest, name : 'atomic ops') have_atomic_lock_free = true diff --git a/meta/recipes-core/glib-2.0/files/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch b/meta/recipes-core/glib-2.0/files/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch index aa098da379..712ae25b27 100644 --- a/meta/recipes-core/glib-2.0/files/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch +++ b/meta/recipes-core/glib-2.0/files/0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch @@ -1,4 +1,4 @@ -From d5e566c45a9ab4d7e51104ab176e6eb5f705f91d Mon Sep 17 00:00:00 2001 +From c6cd3c0a66ae8f210185e0cb05b2172dc192ce9e Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Sat, 16 Sep 2023 22:28:27 +0200 Subject: [PATCH] meson.build: do not enable pidfd features on native glib @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meson.build b/meson.build -index 041b68e..155bfd4 100644 +index cc3a5ed..58dd87a 100644 --- a/meson.build +++ b/meson.build -@@ -1075,7 +1075,8 @@ if cc.links('''#include +@@ -1090,7 +1090,8 @@ if cc.links('''#include waitid (P_PIDFD, 0, &child_info, WEXITED | WNOHANG); return 0; }''', name : 'pidfd_open(2) system call') diff --git a/meta/recipes-core/glib-2.0/files/0010-Do-not-hardcode-python-path-into-various-tools.patch b/meta/recipes-core/glib-2.0/files/0010-Do-not-hardcode-python-path-into-various-tools.patch index d26f944d51..8dbdf746b7 100644 --- a/meta/recipes-core/glib-2.0/files/0010-Do-not-hardcode-python-path-into-various-tools.patch +++ b/meta/recipes-core/glib-2.0/files/0010-Do-not-hardcode-python-path-into-various-tools.patch @@ -1,4 +1,4 @@ -From 211927d2caa4a81e1131c2210e1db838104a1fb9 Mon Sep 17 00:00:00 2001 +From 40e40230e6a3c52b79c6f92e8c060bd4d93f0374 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Tue, 3 Oct 2017 10:45:55 +0300 Subject: [PATCH] Do not hardcode python path into various tools diff --git a/meta/recipes-core/glib-2.0/files/relocate-modules.patch b/meta/recipes-core/glib-2.0/files/relocate-modules.patch index ddf464526c..09de155d08 100644 --- a/meta/recipes-core/glib-2.0/files/relocate-modules.patch +++ b/meta/recipes-core/glib-2.0/files/relocate-modules.patch @@ -1,4 +1,4 @@ -From 456bac53f19d3094aa2007054c87d86c9d65b423 Mon Sep 17 00:00:00 2001 +From 14bbc77bc465b42454112bc6a33264c2c3e013e5 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Fri, 11 Mar 2016 15:35:55 +0000 Subject: [PATCH] glib-2.0: relocate the GIO module directory for native builds @@ -18,10 +18,10 @@ Signed-off-by: Jussi Kukkonen 1 file changed, 7 deletions(-) diff --git a/gio/giomodule.c b/gio/giomodule.c -index 76c2028..6deba7c 100644 +index 38761e4..afa7878 100644 --- a/gio/giomodule.c +++ b/gio/giomodule.c -@@ -1260,11 +1260,6 @@ get_gio_module_dir (void) +@@ -1272,11 +1272,6 @@ get_gio_module_dir (void) g_free (install_dir); #else module_dir = g_strdup (GIO_MODULE_DIR); @@ -33,7 +33,7 @@ index 76c2028..6deba7c 100644 #include { g_autofree gchar *path = NULL; -@@ -1283,8 +1278,6 @@ get_gio_module_dir (void) +@@ -1295,8 +1290,6 @@ get_gio_module_dir (void) } } } diff --git a/meta/recipes-core/glib-2.0/files/skip-timeout.patch b/meta/recipes-core/glib-2.0/files/skip-timeout.patch index 138e970553..8ef140d0d7 100644 --- a/meta/recipes-core/glib-2.0/files/skip-timeout.patch +++ b/meta/recipes-core/glib-2.0/files/skip-timeout.patch @@ -1,4 +1,4 @@ -From 51bfcab0b60bd57f4d3463c479fdf47e645cd6fe Mon Sep 17 00:00:00 2001 +From f77b9dd72dd0103c7a28dd7e1cdf6e316ecbf030 Mon Sep 17 00:00:00 2001 From: Ross Burton Date: Thu, 28 Mar 2024 16:27:09 +0000 Subject: [PATCH] Skip /timeout/rounding test diff --git a/meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.1.bb b/meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.3.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.1.bb rename to meta/recipes-core/glib-2.0/glib-2.0-initial_2.86.3.bb diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.86.1.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.86.3.bb similarity index 100% rename from meta/recipes-core/glib-2.0/glib-2.0_2.86.1.bb rename to meta/recipes-core/glib-2.0/glib-2.0_2.86.3.bb diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 5909851896..bd87d9c601 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -236,7 +236,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ " -SRC_URI[archive.sha256sum] = "119d1708ca022556d6d2989ee90ad1b82bd9c0d1667e066944a6d0020e2d5e57" +SRC_URI[archive.sha256sum] = "b3211d8d34b9df5dca05787ef0ad5d7ca75dec998b970e1aab0001d229977c65" # Find any meson cross files in FILESPATH that are relevant for the current # build (using siteinfo) and add them to EXTRA_OEMESON. From patchwork Wed Jan 7 08:08:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78131 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2C2ACF6C00 for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1457.1767773369090444990 for ; Wed, 07 Jan 2026 00:09:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=OVvyvD1x; spf=pass (domain: smile.fr, ip: 209.85.128.50, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-477a2ab455fso16501695e9.3 for ; Wed, 07 Jan 2026 00:09:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773367; x=1768378167; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=2ytxzHSDI8jkX246u7UlJqUnkSB/5fPdBx1R77jF2jk=; b=OVvyvD1x6PsvNgYZond69q/dAXxwZLH9Yp+bKARgwKqLo2LFZNhd/9JBcS2sAMJCqe idPkgNXbDv9+CZtrrJ/TM1f/E80Dgk2x2JMqSThSIlAKu4aKr+h1HakGhcYya94UEwRt A8u0FM3hG1fXCHJKA2pOTPw1n0JMapWUav0d0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773367; x=1768378167; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=2ytxzHSDI8jkX246u7UlJqUnkSB/5fPdBx1R77jF2jk=; b=vEq98VNS8173cfMpkiwDX3rfcrIuv/b/2ohSQozVpW1tV0MvDCAPq684DPUAQQVrM+ VK4yOwGzPhIoT5rw6iu9BkGfpO+oxbFIshsf+vg3xHDVzNL1ZA3dzLwzhG5ip2HI/5zN +D/PXx04YyF2CUsDVeLLtO+cupUen8nMAfFCTwSj/gz4jbmDoWjaRmItG/wrH30w/+/3 QpgXuhDtwYoRNHYOxDVb/deIfcH9xoWAnLSvRv+oWsIXu/LPgGPud7YDWJeWa9cQ+ckQ IiQUAwHP9p4G2i7zMBFQs76nYYTE82HxoKdETgJ54rA1lUeetBla46BydfFQX94nNmsM 4azg== X-Gm-Message-State: AOJu0Ywrac1W3d8rXAvtRq6wC5TQtVBdUyAZpv1jk7x9KkBWLXpPAFZ5 cNyXnv/ATht+8TTrJgehyeOtjvaZr0pNHY1AhiFVyMhl8GMacKcuegQnhEG8XNhIMMlVJeYwaxh lce/8 X-Gm-Gg: AY/fxX4L60lChFsDIt2AwJDcfNh5GLUcOVtXLCPQFSufYSCh+JPtzl7/3pnSv+qodto LSmTAvccGo789WlVDQw7cFYm92PWcMSpEKhUSJoMlhMfjiQ45VnxOPQOkphi4U+YivyzYkx7LT2 VJ7PLwTUuS2BonhU66KQ189pX/2t5aZG1FT0k8H/LDqzoS22+JKisZnq2aPcfXatYGjZMsvrYR3 Ho1JTe/jBLlkFLghOnQoYh3U36HuPu/F2YQwQHioi5JpTkFol6NK9z6owMFI+ubh5wb7IxExbfl 0MJFZZCf49p2ZZqgsB1Qljc8t4xD1MUtrK7uj4rQ+ozk//bQbzn2jeCYITp3q/UFa6yNo0AmLGB 9bdiJOMC4IhxQbW0oEXlGa35HgAY7a7jlInS5QbCkhl+7xefbU9s4+vh8FkRR6UZboWR1jT16N3 vijjKOUsljx03JvXHoqAFQZQcYH2nIdsIqdVRDpL9681daQFj3o2UGNsaxO423k0H1dFUqvmHMx dEh64ACCDwzj72IpZFOBtX6iA== X-Google-Smtp-Source: AGHT+IGG040XtEPHczSt8jhbvH0dUT97s2ZD1ghoZFiJ8cK6tno8odi6okcIlPYQ9tRBiK8G/6vT0Q== X-Received: by 2002:a05:600c:1392:b0:46e:37fe:f0e6 with SMTP id 5b1f17b1804b1-47d84b3b724mr16292005e9.30.1767773367050; Wed, 07 Jan 2026 00:09:27 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:26 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 08/11] libpng: upgrade 1.6.51 -> 1.6.52 Date: Wed, 7 Jan 2026 09:08:57 +0100 Message-ID: <1adeb41577b5b7c0004a92b494947a6a2cbd20c8.1767772758.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228955 From: Peter Marko Handles CVE-2025-66293 >From Release Notes [1]: Fixed CVE-2025-66293 (high severity): Out-of-bounds read in `png_image_read_composite`. (Reported by flyfish101 .) Fixed the Paeth filter handling in the RISC-V RVV implementation. (Reported by Filip Wasil; fixed by Liang Junzhao.) Improved the performance of the RISC-V RVV implementation. (Contributed by Liang Junzhao.) Added allocation failure fuzzing to oss-fuzz. (Contributed by Philippe Antoine.) [1] https://github.com/pnggroup/libpng/blob/v1.6.52/CHANGES#L6307-L6316 (From OE-Core rev: 424c8aba2a52f464b2a652f56770437bdd08bf9e) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../libpng/{libpng_1.6.51.bb => libpng_1.6.52.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-multimedia/libpng/{libpng_1.6.51.bb => libpng_1.6.52.bb} (97%) diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.51.bb b/meta/recipes-multimedia/libpng/libpng_1.6.52.bb similarity index 97% rename from meta/recipes-multimedia/libpng/libpng_1.6.51.bb rename to meta/recipes-multimedia/libpng/libpng_1.6.52.bb index e499f61ff4..fba6e77b1c 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.51.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.52.bb @@ -14,7 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ file://run-ptest \ " -SRC_URI[sha256sum] = "a050a892d3b4a7bb010c3a95c7301e49656d72a64f1fc709a90b8aded192bed2" +SRC_URI[sha256sum] = "36bd726228ec93a3b6c22fdb49e94a67b16f2fe9b39b78b7cb65772966661ccc" MIRRORS += "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/older-releases/" From patchwork Wed Jan 7 08:08:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78130 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9083FCF6BFD for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1459.1767773369596154301 for ; Wed, 07 Jan 2026 00:09:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=hmHvRAAs; spf=pass (domain: smile.fr, ip: 209.85.128.52, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-47d3ffa6720so17362735e9.0 for ; Wed, 07 Jan 2026 00:09:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773368; x=1768378168; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LMUi6i8YzT8joLIkeO3q40sWfaa3ltfKleoxH1fvydA=; b=hmHvRAAs1GqFwrvxoxQZzgMOIF2eSiyVC6OU2WR3g6BYQdXDBVtajYKZS+09cpDlqO wv0Q6WsBRaUBIQ1tmMbUU/HyEfjbPh7qJs4CNyBRkwv16dIdj0ROoMoNVDY7m7Vl4M4k mwqG76hl2M7lJt2l7Qqn3F9kR9Axhu/OFnMm8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773368; x=1768378168; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=LMUi6i8YzT8joLIkeO3q40sWfaa3ltfKleoxH1fvydA=; b=ICmZTgAdtWAkS8ohe8PD6Z3T8A5EDrJQH+TjcUAZjP1UZPfks82F9vACl87CU6Z1yp Lyc1lisFkEswK8YmqhsVoB3sKR9qifBjjwlaojjxh3/KyjruOf3Faje/f3rAua13arYK FkqpDuvodfWfSbkYDTbeHiYXPzUCx2REvz9lXZUycLkwcLuOgxnr/KxHBcvS2A4CUoUm A+5Il66YQFM9C8XpVxUGO/ZgJRhrNfFz0595ct+RUHtho1m4mCVfaKYjwwjl6ae12jC5 JNAK+It/nrZNjjQILRVBAcdLgMQ9gwK6Pm0EwsweTBsFQao+Z5vN6tAxUBLsrP94zoYB sRgA== X-Gm-Message-State: AOJu0Yy4lBtclyiSFdl+8KN28iDSM+BVR+JsN8A2G4EmTomi5GGYREeq 7q8+vUekc/zI6W9muRbvp3YLMnNKw9x0xmTpZ15oeFAq/h79aYG/A9Cgt8QXQ8Y47t+YuDKtwNw MGTYE X-Gm-Gg: AY/fxX7WheywyXW6G/pTlOnFZ/qpt+Xf2iyrzDol4bYUysa0ZBM0JMkKSOlnLegB7jP 0T1WlRdqNwVPO2Kkmr+l9yHWu6ltAg5elULa/tUQqbvYp5GTuuQeBsz5klDTwboxcd7/fUPmFRe O2lAqB92q7QgYWgr/gC6BztfLBGd1oeTAM8YyhDCwrlIaiJmeKM2Jst3ybEeLYy/Pm8Fgqs+0VA 3Sg5l38+CsqcA0BMUh5j+0SheWFdQhaQ3NF5EgU2RDDZuca4C236sggf/Pd56QkN2Ank7BHgsL9 rX5/4BPCM/EtQgOD7Nrp0UpOneasHrhTqO232IlnQ4zqi0gVjGzsqNSO3DUkDNtBxrwVlWOQlvk EO+6IQxJGSrBkFhNxEz4kWykC3gfhRgw9r1dR4nqnSKYYjq+ujc1B3aCVZ8aOmz7MHrQPMa7v+u QymsJKnrUZVTt6eYvVEFtCM5ptlAMMUD+oHjYkqaU2kaAYNiFQVxwyHXRiDKmjY0l0xSuZ/ukiX jmw8qHz2Vm6SIefRdkZj7q8BQ== X-Google-Smtp-Source: AGHT+IF2AAoYvC6YwbHVt3hNZvsximT8RoRrH3ugrVD0mZdAxbeU/rYe7H15fMq9s5SL7tpOoNWXFQ== X-Received: by 2002:a05:600c:500d:b0:477:9d54:58d7 with SMTP id 5b1f17b1804b1-47d84b3b881mr13076185e9.29.1767773367702; Wed, 07 Jan 2026 00:09:27 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:27 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 09/11] libpcap: upgrade 1.10.5 -> 1.10.6 Date: Wed, 7 Jan 2026 09:08:58 +0100 Message-ID: <043c8cdb3138e00ddefdb698cb0f6363e9db20f5.1767772758.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228956 From: Peter Marko Solves CVE-2025-11961 and CVE-2025-11964. Signed-off-by: Peter Marko --- .../libpcap/{libpcap_1.10.5.bb => libpcap_1.10.6.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/libpcap/{libpcap_1.10.5.bb => libpcap_1.10.6.bb} (95%) diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.6.bb similarity index 95% rename from meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb rename to meta/recipes-connectivity/libpcap/libpcap_1.10.6.bb index 7ad52acd06..1b10001035 100644 --- a/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb +++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.6.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \ DEPENDS = "flex-native bison-native" SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.xz" -SRC_URI[sha256sum] = "84fa89ac6d303028c1c5b754abff77224f45eca0a94eb1a34ff0aa9ceece3925" +SRC_URI[sha256sum] = "ec97d1206bdd19cb6bdd043eaa9f0037aa732262ec68e070fd7c7b5f834d5dfc" inherit autotools binconfig-disabled pkgconfig From patchwork Wed Jan 7 08:08:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78129 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E775CF6BFF for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1460.1767773370126243902 for ; Wed, 07 Jan 2026 00:09:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=pxjH3Nk9; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-47bdbc90dcaso12421175e9.1 for ; Wed, 07 Jan 2026 00:09:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773368; x=1768378168; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CUn3rENbn7HTzGdhT8hQw9EMgGnYycmxd2oxYUY3qsw=; b=pxjH3Nk9eQHSWsjGdQMhsz1YSMHgz98MOFI1bq9sm2upFJyDYnkFnBaqLcPKjdepmj VAGARz7DFi0DrlFRE9Mysbxq74eBziWaWfzMlnVccsgTCyfaqPH5NtBhlRaEY6CN32Lr Cn+PZKbnbo2wJMWl687TGO82G22brwEJkQOrE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773368; x=1768378168; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=CUn3rENbn7HTzGdhT8hQw9EMgGnYycmxd2oxYUY3qsw=; b=J1pfLI+WQ2KatmLHCPKpsfpzdB/75ptu+nBk5SrVsNaAsXb40455CtOKQoGbjDfmHy PaPx0UyRKSiHGWOtGQmeer6pYBauo/PRcGG0BcexwQ8/1Za2Iq0O+OqHYaXi50nsExO5 psi4Tbnv2l9x+v8AIMwEG93SSVQEsCXp0vNNsd/eQwutdWdQmU0mZhuX0Fmn30nQfPS2 1yKaoQe32J6qEukVutyfZytCT4xReO9GcMHWDlrMRSIprznjgfyPT3nmPfb0RU7tWfzI b351jJ3ldsUIgmEtZApTQS3oGZbMZTOm3uVSV+0iqUx/474tx42GGJA0bI+scooKwk1E uUFQ== X-Gm-Message-State: AOJu0Yx191lKUowmyMA+2lR8FVLPRpoG3zsoPb53DAyuCtB2bO0u7uZn IUio5fm/hMu7uRgPo0eyhAzJsMPK8EQ1Vrf4w/79UtPmblkQGuBCb1EDTw9Ox7orRFgnWmQILYC 0TJ2F X-Gm-Gg: AY/fxX72nDLf0p1O5Wnl1/j7AfauAb188tAuB4JMbj2oqP7KIZD8Ks+20XRrWDRQPay iq4Bexo7xuGosqLE/Nm+r7HuAivxUUUH0AOatmSi12P6rbxkTOw5IlfNGwJQ8qMGEyqwPc3Qf4E LigNylraWytiA5+HqSYxML2ts2m3no0PmhjIPJW1OETEPkP08tNJNt0FRfjGqJlXa4YICvi7G5U c5HaYOPNMSGpfnkwxXVUU/PPV3W9F6wnjxM/moZIqQ7Skf7uLdYvjyPILpgC3hmFdbDPnlUFrez 2IMSaSsryBW+17QP7jX43AzS5xJqsjJLCa4z30zLMuP5QgqtqMrN8Y5WAxe01+oKGs6Ui4NsbLX fPNSCNHcTyKiYnDD+10MdW0ymMbTcIhpnbpWweaQEOOiGJTgeNwro5biY7N/uVd0rpVWoqfT9iw 6HofxKZGhGcYX3Ieg7e3l34A8Qn1WeGKd8xS8l5mTCG3EJvtPZ00rXUc9aB3uJBQ/b6pyg6X+m7 6FYShoxnJkzmik= X-Google-Smtp-Source: AGHT+IEXeLy5NgK0lcrLv2ruV4KPJ3+OVnUfKm+TH+JHJzSdd9MwsyGzbkIQBbdNvDJazHJAm+Aheg== X-Received: by 2002:a05:600c:470c:b0:477:7a78:3016 with SMTP id 5b1f17b1804b1-47d84b0a5bemr14053175e9.8.1767773368246; Wed, 07 Jan 2026 00:09:28 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:27 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 10/11] Revert "populate_sdk_ext: keep SDK_TARGETS so SPDX/SBOM tasks remain in locked sigs" Date: Wed, 7 Jan 2026 09:08:59 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228957 From: Yoann Congal This reverts commit 9964fa3da2fa1e7243fba1a826e59f7bb1813706. This commit was not in master before landing in whinlatter. Signed-off-by: Yoann Congal --- meta/classes-recipe/populate_sdk_ext.bbclass | 9 --------- 1 file changed, 9 deletions(-) diff --git a/meta/classes-recipe/populate_sdk_ext.bbclass b/meta/classes-recipe/populate_sdk_ext.bbclass index 2838ca1a03..2859320ddf 100644 --- a/meta/classes-recipe/populate_sdk_ext.bbclass +++ b/meta/classes-recipe/populate_sdk_ext.bbclass @@ -460,15 +460,6 @@ def prepare_locked_cache(d, baseoutpath, derivative, conf_initpath): # Filter the locked signatures file to just the sstate tasks we are interested in excluded_targets = get_sdk_install_targets(d, images_only=True) - sdk_targets = d.getVar('SDK_TARGETS') - ext_sdk_target_set = set(multilib_pkg_extend(d, sdk_targets).split()) - excluded_set = set(excluded_targets.split()) - - # Ensure SDK_TARGETS and their image SPDX/SBOM tasks are included in the locked signatures, - # as they are required during eSDK installation. - filtered_excluded_set = excluded_set - ext_sdk_target_set - excluded_targets = ' '.join(filtered_excluded_set) - sigfile = d.getVar('WORKDIR') + '/locked-sigs.inc' lockedsigs_pruned = baseoutpath + '/conf/locked-sigs.inc' #nativesdk-only sigfile to merge into locked-sigs.inc From patchwork Wed Jan 7 08:09:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 78128 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DE3FCF6BF4 for ; Wed, 7 Jan 2026 08:09:32 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1461.1767773370743009144 for ; Wed, 07 Jan 2026 00:09:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=zMeQeLNV; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-47aa03d3326so14646435e9.3 for ; Wed, 07 Jan 2026 00:09:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1767773369; x=1768378169; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=b/q6sUbU8uHMOPjj11flh+L+IeCLfhsF0vvcsJXYY78=; b=zMeQeLNVrQC/wrDOocyiEfYhZ/gv4DHCfOydHC20wT8z+ggqh5NUlNBY+59bsTXIzo UUb8uggr6jqZcRJiVy7SqhVruBdwdRGMXYdglop9fimwdFJPVNnRIHXJaxMlAr9GSORX 5LXsOh626OxyzGUbhKXo50HtuYKswC2BkxxUs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767773369; x=1768378169; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=b/q6sUbU8uHMOPjj11flh+L+IeCLfhsF0vvcsJXYY78=; b=U4q4JfXjyH4fRNgFeR8g2cyhKINQBeUkgW5l7ofvXFz9x/VGVD2IRHUUtwobS65lJa mF/hqD+gX7o04bW2GDT3oddE4QD+NkOo4PReyXOMvjDSpEXoHdebnIBt8WtlxMygvSub z1uJpQgmxAfTrkWk60yAplnwzpLGsfijMjD0k+GfAegfQiAN9lK4Qft45dhnaenQa8+D UBkvbYTfhZDILJ4Ld3lDim1XM1hD+Tl8I55ayen9sHgEVS9mmDupYrjy9y2zLnH9bJS8 VcW6qcPQGJqY8WYF+LG4uhcTQ80akBKzCRL6vtpOfAvxMQxzQ6jyC94q1EO7VrZCbBeo hpfA== X-Gm-Message-State: AOJu0Yzkq4RSrbQSvIKBLoKOYiq/5QAol9h34fLmhtjztuvdQv5b3WvF OCLfhv0T4ISYZQdzjTgT1/In2Yt0UqvCdRLs4P97s/N5A9huKKNf+C4UtUWJpsJShdLytUjrYTs yvqbc X-Gm-Gg: AY/fxX7HAjUTIuXaUfWz/tztzWBgO2hwJrZ/XXybeU6lN1cB13EYA3Hj1n9livKs8dS yoIWKT/qWvrl5XWgBrmrUeLuCKNr+B1ML4AcBX7Xi6LowWCa6mFAY/EZy4kZDNG85tF8HmAUwDM Tj15te9+GgsHwy2CQchcx2j82TKEFUp99EWGrUzgSE3Ok/heHQa0JnLECoClU5veSL/7kAkbrK8 xad6FIaP7bCbjXl27HbVjNCCkyWZA2h6nmDuMmgpkv72Xbja42DGy1UKV9quviRYBlDhCFgBGhB sGLFI/i/G0xWqNzKz037tKmW9Wc4dKJII2rrF1jECDJmlxp2fegkkneW7KyxaNP2GS6j1n1Q6yP vswSZozAuPhQdsgClgrB9JECOeG2VWwsExk3yT9+jWgpeI4BRzuUOySZhw1z4lN5urgjD6QEpwb FWMS9atnnCqSuvJ7xeHXCeBZa0jBJFzzjysFGXO3B3Ae4nFAm/915qLQ2HXJvmDTrrynKFT5jK2 AU2Iik91v2w98M= X-Google-Smtp-Source: AGHT+IGwWUnnq8gRCloDozdw/is5mKQh7o1eVh4kqUanwRo7tQY12gGd1t99AlRS+pHelWSv1s1pFQ== X-Received: by 2002:a05:600c:4703:b0:475:e007:baf1 with SMTP id 5b1f17b1804b1-47d84b49e27mr16203855e9.34.1767773368773; Wed, 07 Jan 2026 00:09:28 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8715b5f7sm6093485e9.4.2026.01.07.00.09.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 00:09:28 -0800 (PST) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 11/11] Revert "create-spdx-image-3.0: Image SPDX/SBOM tasks are retained for eSDK installation" Date: Wed, 7 Jan 2026 09:09:00 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 08:09:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228958 From: Yoann Congal This reverts commit 3f57280caa7918f10e4e9685ad87a3128d4e9f0f. This commit was not in master before landing in whinlatter. Signed-off-by: Yoann Congal --- meta/classes-recipe/create-spdx-image-3.0.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass index f070b7e697..636ab14eb0 100644 --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass @@ -69,7 +69,7 @@ python do_create_image_sbom_spdx() { import oe.spdx30_tasks oe.spdx30_tasks.create_image_sbom_spdx(d) } -addtask do_create_image_sbom_spdx after do_create_rootfs_spdx do_create_image_spdx before do_build do_sdk_depends +addtask do_create_image_sbom_spdx after do_create_rootfs_spdx do_create_image_spdx before do_build SSTATETASKS += "do_create_image_sbom_spdx" SSTATE_SKIP_CREATION:task-create-image-sbom = "1" do_create_image_sbom_spdx[sstate-inputdirs] = "${SPDXIMAGEDEPLOYDIR}"