From patchwork Sat Jan 10 10:37:12 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 78407
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 1/5] freerdp3: ignore CVE-2025-68118
Date: Sat, 10 Jan 2026 23:37:12 +1300
Message-ID: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123320

From: Ankur Tyagi

Only affects Windows and can be ignored.

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68118

Signed-off-by: Ankur Tyagi
---
 meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index b9ec75236b..6e27efb5ce 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -74,3 +74,5 @@ do_configure:append() { } FILES:${PN} += "${datadir}" + +CVE_STATUS[CVE-2025-68118] = "not-applicable-platform: only affects Windows"

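Review bot: the justification string on the added CVE_STATUS line gives no reference for the "only affects Windows" claim, so the exclusion cannot be audited from the recipe alone. The commit message already cites https://nvd.nist.gov/vuln/detail/CVE-2025-68118; carry that link (or the upstream advisory) into the string, e.g. `CVE_STATUS[CVE-2025-68118] = "not-applicable-platform: only affects Windows, see https://nvd.nist.gov/vuln/detail/CVE-2025-68118"`.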
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 2/5] influxdb: ignore CVE-2024-30896
Date: Sat, 10 Jan 2026 23:37:13 +1300
Message-ID: <20260110103716.3470419-2-ankur.tyagi85@gmail.com>
In-Reply-To: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123321

From: Ankur Tyagi

As mentioned in the comment [1], the vulnerability is in the /api/v2/authorizations API, which only exists in 2.x; 1.x is not affected.

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30896

[1] https://github.com/influxdata/influxdb/issues/24797#issuecomment-2514690740

Signed-off-by: Ankur Tyagi
---
 meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb
index 397b225ccb..37cf213d9d 100644
--- a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb
+++ b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb
@@ -77,3 +77,4 @@ INITSCRIPT_PARAMS = "defaults" SYSTEMD_SERVICE:${PN} = "influxdb.service" CVE_STATUS[CVE-2019-10329] = "cpe-incorrect: Version does not match and only the Jenkins plugin is affected." +CVE_STATUS[CVE-2024-30896] = "not-applicable-config: vulnerability only exists in version 2.x"

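Review bot: the status category on the added line does not match the reason it gives. `not-applicable-config` means the vulnerable code is excluded by the build configuration, whereas the justification is a version mismatch (the issue exists only in 2.x and this recipe packages 1.8.10); the CVE-2019-10329 entry right above it in the same hunk already uses `cpe-incorrect: Version does not match ...` for exactly that situation. `CVE_STATUS[CVE-2024-30896] = "cpe-incorrect: only affects 2.x, this recipe builds 1.8.10"` would describe it accurately and keep the two entries consistent.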
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 3/5] krb5: ignore CVE-2025-3576
Date: Sat, 10 Jan 2026 23:37:14 +1300
Message-ID: <20260110103716.3470419-3-ankur.tyagi85@gmail.com>
In-Reply-To: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123322

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-3576

As mentioned in [1], the vulnerability has been fixed since upstream 1.21.

[1] https://security-tracker.debian.org/tracker/CVE-2025-3576

Signed-off-by: Ankur Tyagi
---
 meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
index b38a0768e1..572c33a271 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.21.3.bb
@@ -38,6 +38,8 @@ SRC_URI[sha256sum] = "b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd3048 CVE_PRODUCT = "kerberos" CVE_VERSION = "5-${PV}" +CVE_STATUS[CVE-2025-3576] = "fixed-version: The vulnerability has been fixed in the current version (1.21.3)" + S = "${WORKDIR}/${BP}/src" DEPENDS = "bison-native ncurses util-linux e2fsprogs e2fsprogs-native openssl"

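Review bot: the version in the added CVE_STATUS string disagrees with the commit message: the message says the fix has been upstream since 1.21 (citing the Debian tracker), while the string says "fixed in the current version (1.21.3)". State the first fixed release rather than the recipe's own PV, so the line does not go stale on the next version bump and a reader can check it against the reference, e.g. `CVE_STATUS[CVE-2025-3576] = "fixed-version: fixed upstream in 1.21, see https://security-tracker.debian.org/tracker/CVE-2025-3576"`.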
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Katariina Lounento, Khem Raj, Gyorgy Sarvari, Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 4/5] libtar: patch CVEs
Date: Sat, 10 Jan 2026 23:37:15 +1300
Message-ID: <20260110103716.3470419-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123323
From: Katariina Lounento

cve-check.bbclass reported unpatched vulnerabilities in libtar [1,2,3,4,5]. The NIST assigned base score for the worst vulnerability is 9.1 / critical.

The patches were taken from the libtar [6] master branch after the latest tag v1.2.20 (the changes in libtar master mostly originate from Fedora and their patches), and from the Fedora 41 libtar source package [7] and the Debian libtar package 1.2.20-8 [8] where the patches were not available in the libtar repository itself.

The Fedora patch series was taken in its entirety in order to minimize differences to Fedora's source tree instead of cherry-picking only CVE fixes. Minimizing the differences should avoid issues with potential inter-dependencies between the patches, and hopefully provide better confidence, as even the newest patches have been in use in Fedora for nearly 2 years (since December 2022; Fedora rpms/libtar.git commit e25b692fc7ceaa387dafb865b472510754f51bd2).

The series includes even the Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains changes *) that match the libtar commit ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static buffer in th_get_pathname()") whose commit message says

    Note this can break programs that expect sizeof(TAR) to be fixed.

The patches applied cleanly except for the Fedora srpm patch libtar-1.2.11-bz729009.patch, which is identical to the pre-existing meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.

The meta-openembedded recipe does not include any of the patches in Kirkstone [9] nor the current master [10]. libtar does not have newer releases, and the libtar master doesn't contain all of the changes included in the patches. Fedora's libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release either but only in the master branch after the tag v1.2.20. The version number in the filename is supposedly due to the patches having been created originally against v1.2.11 but upstreamed, or at least committed to the master, only after v1.2.20.

The commit metadata could not be practically completed in most of the cases due to missing commit messages in the original commits and patches. The informal note about the author ("Authored by") was added to the patch commit messages where the commit message was missing the original author(s)' Signed-off-by.

*) The patch also contains the changes split to the libtar commits 495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6 ("Added stdlib.h for malloc() in lib/decode.c")

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c

Signed-off-by: Katariina Lounento
Signed-off-by: Khem Raj
(cherry picked from commit 3c9b5b36c8dc619240ac422de2a0aaed0949de08)
Signed-off-by: Gyorgy Sarvari
(cherry picked from commit 505f2defdc0b6b3a10ce2669bb7f83bf16c721af)
Signed-off-by: Ankur Tyagi --- ...-missing-prototype-compiler-warnings.patch | 53 ++++++ ...ix-invalid-memory-de-reference-issue.patch | 44 +++++ ...escriptor-leaks-reported-by-cppcheck.patch | 101 +++++++++++ ...0006-fix-memleak-on-tar_open-failure.patch | 26 +++ ...ix-memleaks-in-libtar-sample-program.patch | 119 +++++++++++++ ...ng-a-static-buffer-in-th_get_pathnam.patch | 89 ++++++++++ ...-for-NULL-before-freeing-th_pathname.patch | 30 ++++ ...-stdlib.h-for-malloc-in-lib-decode.c.patch | 26 +++ ...amming-mistakes-detected-by-static-a.patch | 100 +++++++++++ .../libtar/files/CVE-2013-4420.patch | 160 ++++++++++++++++++ ...-33640-CVE-2021-33645-CVE-2021-33646.patch | 42 +++++ .../files/CVE-2021-33643-CVE-2021-33644.patch | 52 ++++++ .../recipes-support/libtar/libtar_1.2.20.bb | 12 ++ 13 files changed, 854 insertions(+) create mode 100644 meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch create mode 100644 meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch create mode 100644 meta-oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch create mode 100644 meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch create mode 100644 meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch create mode 100644 meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch create mode 100644 meta-oe/recipes-support/libtar/files/0009-Check-for-NULL-before-freeing-th_pathname.patch create mode 100644 meta-oe/recipes-support/libtar/files/0010-Added-stdlib.h-for-malloc-in-lib-decode.c.patch create mode 100644 meta-oe/recipes-support/libtar/files/0011-libtar-fix-programming-mistakes-detected-by-static-a.patch create mode 100644 meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch create mode 100644 
meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch create mode 100644 meta-oe/recipes-support/libtar/files/CVE-2021-33643-CVE-2021-33644.patch diff --git a/meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch b/meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch new file mode 100644 index 0000000000..f0fd2a4aa1 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0003-Fix-missing-prototype-compiler-warnings.patch @@ -0,0 +1,53 @@ +From 9426ac3d232e2f90c571979a2166c5e1328967d1 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 15 Oct 2013 14:39:04 +0200 +Subject: [PATCH] Fix missing prototype compiler warnings + +Signed-off-by: Kamil Dudka + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/30e5556d1c9323e9f1887b28d42581c2954b53c9] + +Signed-off-by: Katariina Lounento +--- + lib/append.c | 2 ++ + lib/output.c | 1 + + lib/wrapper.c | 1 + + 3 files changed, 4 insertions(+) + +diff --git a/lib/append.c b/lib/append.c +index 13e1ace..e8bd89d 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -13,6 +13,8 @@ + #include + + #include ++#include ++#include + #include + #include + #include +diff --git a/lib/output.c b/lib/output.c +index a2db929..a5262ee 100644 +--- a/lib/output.c ++++ b/lib/output.c +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 4cd0652..44cc435 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include diff --git a/meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch b/meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch new file mode 100644 index 0000000000..b1ecb552bc --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0004-Fix-invalid-memory-de-reference-issue.patch 
@@ -0,0 +1,44 @@ +From c0a89709860acae5ef67727db7b23db385703bf6 Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Tue, 15 Oct 2013 14:39:05 +0200 +Subject: [PATCH] Fix invalid memory de-reference issue + +Bug: https://bugzilla.redhat.com/551415 + +Signed-off-by: Kamil Dudka + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/560911b694055b0c677431cf85d4d0d5ebd1a3fd] + +Signed-off-by: Katariina Lounento +--- + lib/libtar.h | 1 + + lib/util.c | 4 +--- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/lib/libtar.h b/lib/libtar.h +index 55f509a..7fc4d03 100644 +--- a/lib/libtar.h ++++ b/lib/libtar.h +@@ -172,6 +172,7 @@ int th_write(TAR *t); + #define TH_ISDIR(t) ((t)->th_buf.typeflag == DIRTYPE \ + || S_ISDIR((mode_t)oct_to_int((t)->th_buf.mode)) \ + || ((t)->th_buf.typeflag == AREGTYPE \ ++ && strlen((t)->th_buf.name) \ + && ((t)->th_buf.name[strlen((t)->th_buf.name) - 1] == '/'))) + #define TH_ISFIFO(t) ((t)->th_buf.typeflag == FIFOTYPE \ + || S_ISFIFO((mode_t)oct_to_int((t)->th_buf.mode))) +diff --git a/lib/util.c b/lib/util.c +index 31e8315..11438ef 100644 +--- a/lib/util.c ++++ b/lib/util.c +@@ -148,9 +148,7 @@ oct_to_int(char *oct) + { + int i; + +- sscanf(oct, "%o", &i); +- +- return i; ++ return sscanf(oct, "%o", &i) == 1 ? i : 0; + } + + diff --git a/meta-oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch b/meta-oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch new file mode 100644 index 0000000000..627c270163 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch 
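Review bot: in the TH_ISDIR change to lib/libtar.h (0004-Fix-invalid-memory-de-reference-issue.patch), the new `&& strlen((t)->th_buf.name)` guard stops `name[strlen(name) - 1]` from indexing before the array when the name is empty, but both calls still assume th_buf.name is NUL-terminated; in the ustar header the name is a fixed-width 100-byte field, and a name that fills it has no terminator, so strlen can run past the field. Computing the length once with strnlen bounded by sizeof((t)->th_buf.name) would close that gap and also avoid evaluating strlen twice in the macro. The oct_to_int change in lib/util.c is right to stop returning the uninitialised `i` when sscanf() fails.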
@@ -0,0 +1,101 @@ +From d998b9f75c79aab68255dace641dd30db239eff6 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 15 Oct 2013 19:48:41 -0400 +Subject: [PATCH] fix file descriptor leaks reported by cppcheck + +Bug: https://bugzilla.redhat.com/785760 + +Authored by Kamil Dudka . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/abd0274e6b2f708e9eaa29414b07b3f542cec694] + +Signed-off-by: Katariina Lounento +--- + lib/append.c | 14 +++++++++----- + lib/extract.c | 4 ++++ + libtar/libtar.c | 3 +++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/lib/append.c b/lib/append.c +index e8bd89d..ff58532 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -216,6 +216,7 @@ tar_append_regfile(TAR *t, const char *realname) + int filefd; + int i, j; + size_t size; ++ int rv = -1; + + filefd = open(realname, O_RDONLY); + if (filefd == -1) +@@ -234,25 +235,28 @@ tar_append_regfile(TAR *t, const char *realname) + { + if (j != -1) + errno = EINVAL; +- return -1; ++ goto fail; + } + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + + if (i > 0) + { + j = read(filefd, &block, i); + if (j == -1) +- return -1; ++ goto fail; + memset(&(block[i]), 0, T_BLOCKSIZE - i); + if (tar_block_write(t, &block) == -1) +- return -1; ++ goto fail; + } + ++ /* success! */ ++ rv = 0; ++fail: + close(filefd); + +- return 0; ++ return rv; + } + + +diff --git a/lib/extract.c b/lib/extract.c +index 36357e7..9fc6ad5 100644 +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -228,13 +228,17 @@ tar_extract_regfile(TAR *t, char *realname) + { + if (k != -1) + errno = EINVAL; ++ close(fdout); + return -1; + } + + /* write block to output file */ + if (write(fdout, buf, + ((i > T_BLOCKSIZE) ? 
T_BLOCKSIZE : i)) == -1) ++ { ++ close(fdout); + return -1; ++ } + } + + /* close output file */ +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 9fa92b2..bb5644c 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -83,7 +83,10 @@ gzopen_frontend(char *pathname, int oflags, int mode) + return -1; + + if ((oflags & O_CREAT) && fchmod(fd, mode)) ++ { ++ close(fd); + return -1; ++ } + + gzf = gzdopen(fd, gzoflags); + if (!gzf) diff --git a/meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch b/meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch new file mode 100644 index 0000000000..90809ad846 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0006-fix-memleak-on-tar_open-failure.patch @@ -0,0 +1,26 @@ +From f6c5cba59444ecda9bbc22b8e8e57fd1015a688d Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Tue, 15 Oct 2013 20:02:58 -0400 +Subject: [PATCH] fix memleak on tar_open() failure + +Authored by Huzaifa Sidhpurwala . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/36629a41208375f5105427e98078127551692028] + +Signed-off-by: Katariina Lounento +--- + lib/handle.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/handle.c b/lib/handle.c +index 33a262c..002d23c 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -82,6 +82,7 @@ tar_open(TAR **t, const char *pathname, tartype_t *type, + (*t)->fd = (*((*t)->type->openfunc))(pathname, oflags, mode); + if ((*t)->fd == -1) + { ++ libtar_hash_free((*t)->h, NULL); + free(*t); + return -1; + } diff --git a/meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch b/meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch new file mode 100644 index 0000000000..f88bcbf9cf --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0007-fix-memleaks-in-libtar-sample-program.patch 
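Review bot: in the tar_append_regfile hunk of lib/append.c (0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch), the `goto fail` path runs close(filefd) after read() or tar_block_write() has failed, and close() may overwrite errno, so a caller that reports errno after the -1 return can see close()'s error instead of the original one; save errno before the close and restore it after `close(filefd);`. The same applies to the added `close(fdout);` calls in lib/extract.c and the added `close(fd);` in libtar/libtar.c, each of which sits between the failing call and the `return -1;`.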
@@ -0,0 +1,119 @@ +From e3888e452aee72e0d658185ac20e8e63bed1aff8 Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Tue, 15 Oct 2013 20:05:04 -0400 +Subject: [PATCH] fix memleaks in libtar sample program + +Authored by Huzaifa Sidhpurwala . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/f3c711cf3054ff366a1a3500cdc8c64ecc2d2da6] + +Signed-off-by: Katariina Lounento +--- + libtar/libtar.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index bb5644c..23f8741 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -253,6 +253,7 @@ extract(char *tarfile, char *rootdir) + if (tar_extract_all(t, rootdir) != 0) + { + fprintf(stderr, "tar_extract_all(): %s\n", strerror(errno)); ++ tar_close(t); + return -1; + } + +@@ -270,12 +271,13 @@ extract(char *tarfile, char *rootdir) + + + void +-usage() ++usage(void *rootdir) + { + printf("Usage: %s [-C rootdir] [-g] [-z] -x|-t filename.tar\n", + progname); + printf(" %s [-C rootdir] [-g] [-z] -c filename.tar ...\n", + progname); ++ free(rootdir); + exit(-1); + } + +@@ -292,6 +294,7 @@ main(int argc, char *argv[]) + int c; + int mode = 0; + libtar_list_t *l; ++ int return_code = -2; + + progname = basename(argv[0]); + +@@ -313,17 +316,17 @@ main(int argc, char *argv[]) + break; + case 'c': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_CREATE; + break; + case 'x': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_EXTRACT; + break; + case 't': + if (mode) +- usage(); ++ usage(rootdir); + mode = MODE_LIST; + break; + #ifdef HAVE_LIBZ +@@ -332,7 +335,7 @@ main(int argc, char *argv[]) + break; + #endif /* HAVE_LIBZ */ + default: +- usage(); ++ usage(rootdir); + } + + if (!mode || ((argc - optind) < (mode == MODE_CREATE ? 
2 : 1))) +@@ -341,7 +344,7 @@ main(int argc, char *argv[]) + printf("argc - optind == %d\tmode == %d\n", argc - optind, + mode); + #endif +- usage(); ++ usage(rootdir); + } + + #ifdef DEBUG +@@ -351,21 +354,25 @@ main(int argc, char *argv[]) + switch (mode) + { + case MODE_EXTRACT: +- return extract(argv[optind], rootdir); ++ return_code = extract(argv[optind], rootdir); ++ break; + case MODE_CREATE: + tarfile = argv[optind]; + l = libtar_list_new(LIST_QUEUE, NULL); + for (c = optind + 1; c < argc; c++) + libtar_list_add(l, argv[c]); +- return create(tarfile, rootdir, l); ++ return_code = create(tarfile, rootdir, l); ++ libtar_list_free(l, NULL); ++ break; + case MODE_LIST: +- return list(argv[optind]); ++ return_code = list(argv[optind]); ++ break; + default: + break; + } + +- /* NOTREACHED */ +- return -2; ++ free(rootdir); ++ return return_code; + } + + diff --git a/meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch b/meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch new file mode 100644 index 0000000000..beba45405e --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch 
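Review bot: `usage(void *rootdir)` in the libtar.c hunk takes `void *` only so it can call free(); rootdir is a `char *` everywhere else in main(), so declare it `usage(char *rootdir)` (and any prototype) and keep the type check. In the main() hunk the MODE_CREATE branch still uses `l = libtar_list_new(LIST_QUEUE, NULL)` without a NULL check before libtar_list_add(), which is the same class of unchecked-allocation bug the rest of this series fixes; a `if (l == NULL) { free(rootdir); return -1; }` would match the new cleanup style.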
@@ -0,0 +1,89 @@ +From edbee9832475347183a841a8fd5be71f74e10392 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 23 Oct 2013 15:04:22 +0200 +Subject: [PATCH] decode: avoid using a static buffer in th_get_pathname() + +A solution suggested by Chris Frey: +https://lists.feep.net:8080/pipermail/libtar/2013-October/000377.html + +Note this can break programs that expect sizeof(TAR) to be fixed. + +Authored by Kamil Dudka . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/ec613af2e9371d7a3e1f7c7a6822164a4255b4d1] + +Signed-off-by: Katariina Lounento +--- + lib/decode.c | 24 +++++++++++++++++------- + lib/handle.c | 1 + + lib/libtar.h | 3 +++ + 3 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/lib/decode.c b/lib/decode.c +index c16ea2d..edb2185 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -26,20 +26,30 @@ + char * + th_get_pathname(TAR *t) + { +- static TLS_THREAD char filename[MAXPATHLEN]; +- + if (t->th_buf.gnu_longname) + return t->th_buf.gnu_longname; + +- if (t->th_buf.prefix[0] != '\0') ++ /* allocate the th_pathname buffer if not already */ ++ if (t->th_pathname == NULL) ++ { ++ t->th_pathname = malloc(MAXPATHLEN * sizeof(char)); ++ if (t->th_pathname == NULL) ++ /* out of memory */ ++ return NULL; ++ } ++ ++ if (t->th_buf.prefix[0] == '\0') ++ { ++ snprintf(t->th_pathname, MAXPATHLEN, "%.100s", t->th_buf.name); ++ } ++ else + { +- snprintf(filename, sizeof(filename), "%.155s/%.100s", ++ snprintf(t->th_pathname, MAXPATHLEN, "%.155s/%.100s", + t->th_buf.prefix, t->th_buf.name); +- return filename; + } + +- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name); +- return filename; ++ /* will be deallocated in tar_close() */ ++ return t->th_pathname; + } + + +diff --git a/lib/handle.c b/lib/handle.c +index 002d23c..a19c046 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,6 +122,7 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? 
free + : (libtar_freefunc_t)tar_dev_free)); ++ free(t->th_pathname); + free(t); + + return i; +diff --git a/lib/libtar.h b/lib/libtar.h +index 7fc4d03..08a8e0f 100644 +--- a/lib/libtar.h ++++ b/lib/libtar.h +@@ -85,6 +85,9 @@ typedef struct + int options; + struct tar_header th_buf; + libtar_hash_t *h; ++ ++ /* introduced in libtar 1.2.21 */ ++ char *th_pathname; + } + TAR; + diff --git a/meta-oe/recipes-support/libtar/files/0009-Check-for-NULL-before-freeing-th_pathname.patch b/meta-oe/recipes-support/libtar/files/0009-Check-for-NULL-before-freeing-th_pathname.patch new file mode 100644 index 0000000000..2d8f21171b --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0009-Check-for-NULL-before-freeing-th_pathname.patch @@ -0,0 +1,30 @@ +From bc8ec7d940d7ffc870638521bd134098d2efa5df Mon Sep 17 00:00:00 2001 +From: Chris Frey +Date: Thu, 24 Oct 2013 17:55:12 -0400 +Subject: [PATCH] Check for NULL before freeing th_pathname + +Thanks to Harald Koch for pointing out that AIX 4 and 5 still need this. + +Authored by Chris Frey . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/495d0c0eabc5648186e7d58ad54b508d14af38f4] + +Signed-off-by: Katariina Lounento +--- + lib/handle.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/handle.c b/lib/handle.c +index a19c046..28a7dc2 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,7 +122,8 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? free + : (libtar_freefunc_t)tar_dev_free)); +- free(t->th_pathname); ++ if (t->th_pathname != NULL) ++ free(t->th_pathname); + free(t); + + return i; diff --git a/meta-oe/recipes-support/libtar/files/0010-Added-stdlib.h-for-malloc-in-lib-decode.c.patch b/meta-oe/recipes-support/libtar/files/0010-Added-stdlib.h-for-malloc-in-lib-decode.c.patch new file mode 100644 index 0000000000..edbd636b23 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0010-Added-stdlib.h-for-malloc-in-lib-decode.c.patch 
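Review bot: the decode.c hunk introduces malloc() without including <stdlib.h>, so 0008 on its own builds with an implicit declaration; patch 0010 adds the include, and folding it in here would keep every step of the series buildable. In the libtar.h hunk the comment `/* introduced in libtar 1.2.21 */` is misleading in a recipe that builds 1.2.20; say it is backported from the post-1.2.20 upstream tree, and since sizeof(TAR) changes (as the message notes) state that any consumer allocating a TAR itself rather than through tar_open() must be rebuilt.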
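Review bot: the NULL guard around free(t->th_pathname) added in the 0009 handle.c hunk is removed again by the CVE-2021-33640/33645/33646 patch later in this series, which frees th_pathname, gnu_longname and gnu_longlink unconditionally. Either keep the guard in that patch if the AIX 4/5 rationale still matters for this layer, or drop 0009 from SRC_URI; applying a change and then reverting it two patches later only adds churn.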
@@ -0,0 +1,26 @@ +From c64dfdc6ec5bc752aafd1ac16a380f47602197c4 Mon Sep 17 00:00:00 2001 +From: Chris Frey +Date: Thu, 24 Oct 2013 17:58:47 -0400 +Subject: [PATCH] Added stdlib.h for malloc() in lib/decode.c + +Authored by Chris Frey . + +Upstream-Status: Backport [https://repo.or.cz/libtar.git/commit/20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6] + +Signed-off-by: Katariina Lounento +--- + lib/decode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/decode.c b/lib/decode.c +index edb2185..35312be 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -13,6 +13,7 @@ + #include + + #include ++#include + #include + #include + #include diff --git a/meta-oe/recipes-support/libtar/files/0011-libtar-fix-programming-mistakes-detected-by-static-a.patch b/meta-oe/recipes-support/libtar/files/0011-libtar-fix-programming-mistakes-detected-by-static-a.patch new file mode 100644 index 0000000000..7b39df4254 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/0011-libtar-fix-programming-mistakes-detected-by-static-a.patch 
@@ -0,0 +1,100 @@ +From b469d621c0143e652c51bb238fd2060135aa2009 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 6 Nov 2018 17:24:05 +0100 +Subject: [PATCH] libtar: fix programming mistakes detected by static analysis + +Authored by Kamil Dudka . + +meta-openembedded uses Debian's release tarball [1]. Debian uses +repo.or.cz/libtar.git as their upstream [2]. repo.or.cz/libtar.git has +been inactive since 2013 [3]. + +Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013] + +[1] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8 +[2] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged) +[3] https://repo.or.cz/libtar.git/shortlog/refs/heads/master + +Signed-off-by: Katariina Lounento +--- + lib/append.c | 7 +++++++ + lib/wrapper.c | 11 +++++++---- + libtar/libtar.c | 1 + + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/append.c b/lib/append.c +index ff58532..6386a50 100644 +--- a/lib/append.c ++++ b/lib/append.c +@@ -110,9 +110,16 @@ tar_append_file(TAR *t, const char *realname, const char *savename) + td->td_dev = s.st_dev; + td->td_h = libtar_hash_new(256, (libtar_hashfunc_t)ino_hash); + if (td->td_h == NULL) ++ { ++ free(td); + return -1; ++ } + if (libtar_hash_add(t->h, td) == -1) ++ { ++ libtar_hash_free(td->td_h, free); ++ free(td); + return -1; ++ } + } + libtar_hashptr_reset(&hp); + if (libtar_hash_getkey(td->td_h, &hp, &(s.st_ino), +diff --git a/lib/wrapper.c b/lib/wrapper.c +index 44cc435..2d3f5b9 100644 +--- a/lib/wrapper.c ++++ b/lib/wrapper.c +@@ -97,6 +97,7 @@ tar_append_tree(TAR *t, char *realdir, char *savedir) + struct dirent *dent; + DIR *dp; + struct stat s; ++ int ret = -1; + + #ifdef DEBUG + printf("==> tar_append_tree(0x%lx, \"%s\", \"%s\")\n", +@@ -130,24 +131,26 @@ tar_append_tree(TAR *t, char *realdir, char *savedir) + dent->d_name); + + if (lstat(realpath, &s) != 0) +- return -1; ++ goto fail; + + if 
(S_ISDIR(s.st_mode)) + { + if (tar_append_tree(t, realpath, + (savedir ? savepath : NULL)) != 0) +- return -1; ++ goto fail; + continue; + } + + if (tar_append_file(t, realpath, + (savedir ? savepath : NULL)) != 0) +- return -1; ++ goto fail; + } + ++ ret = 0; ++fail: + closedir(dp); + +- return 0; ++ return ret; + } + + +diff --git a/libtar/libtar.c b/libtar/libtar.c +index 23f8741..ac339e7 100644 +--- a/libtar/libtar.c ++++ b/libtar/libtar.c +@@ -92,6 +92,7 @@ gzopen_frontend(char *pathname, int oflags, int mode) + if (!gzf) + { + errno = ENOMEM; ++ close(fd); + return -1; + } + diff --git a/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch new file mode 100644 index 0000000000..93b35cbcd3 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/CVE-2013-4420.patch 
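Review bot: in the gzopen_frontend hunk `errno = ENOMEM;` is set before `close(fd);`, so a failing close() overwrites ENOMEM with its own errno; set errno after the close or save and restore it. The wrapper.c tar_append_tree hunk has the same ordering problem in the other direction: `goto fail` runs closedir(dp), which can clobber the errno from lstat() or tar_append_file() that the caller reports. The append.c hunk is fine as written, since td->td_h is still empty when it is freed with `free` as the element destructor.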
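Review bot: unlike the other patches in the series, this 2018 commit carries no URL for where it was taken from; `Upstream-Status: Inactive-Upstream` plus "Authored by Kamil Dudka" leaves a reviewer unable to check the original. Add the source (the distribution patch or fork it comes from) next to the author line, as the Backport entries do.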
@@ -0,0 +1,160 @@ +From 2c81f47508fa6bce9df84e3b43dfb16dffb742a0 Mon Sep 17 00:00:00 2001 +From: Raphael Geissert +Date: Thu, 12 Sep 2024 15:51:05 +0300 +Subject: [PATCH] Avoid directory traversal when extracting archives + +Description of the vulnerability from the NIST CVE tracker [1]: + + Multiple directory traversal vulnerabilities in the (1) + tar_extract_glob and (2) tar_extract_all functions in libtar 1.2.20 + and earlier allow remote attackers to overwrite arbitrary files via + a .. (dot dot) in a crafted tar file. + +Imported from the Debian libtar package 1.2.20-8 [2]. Original Debian +description: + + Author: Raphael Geissert + Bug-Debian: https://bugs.debian.org/731860 + Description: Avoid directory traversal when extracting archives + by skipping over leading slashes and any prefix containing ".." components. + Forwarded: yes + +meta-openembedded uses Debian's release tarball [3]. Debian uses +repo.or.cz/libtar.git as their upstream [4]. repo.or.cz/libtar.git has +been inactive since 2013 [5]. 
+ +CVE: CVE-2013-4420 + +Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013] + +Comments: Added the commit message + +[1] https://nvd.nist.gov/vuln/detail/CVE-2013-4420 +[2] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/ +[3] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8 +[4] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged) +[5] https://repo.or.cz/libtar.git/shortlog/refs/heads/master + +Signed-off-by: Katariina Lounento +--- + lib/decode.c | 33 +++++++++++++++++++++++++++++++-- + lib/extract.c | 8 ++++---- + lib/internal.h | 1 + + lib/output.c | 4 ++-- + 4 files changed, 38 insertions(+), 8 deletions(-) + +diff --git a/lib/decode.c b/lib/decode.c +index 35312be..edd5f2e 100644 +--- a/lib/decode.c ++++ b/lib/decode.c +@@ -22,13 +22,42 @@ + # include + #endif + ++char * ++safer_name_suffix (char const *file_name) ++{ ++ char const *p, *t; ++ p = t = file_name; ++ while (*p == '/') t = ++p; ++ while (*p) ++ { ++ while (p[0] == '.' 
&& p[0] == p[1] && p[2] == '/') ++ { ++ p += 3; ++ t = p; ++ } ++ /* advance pointer past the next slash */ ++ while (*p && (p++)[0] != '/'); ++ } ++ ++ if (!*t) ++ { ++ t = "."; ++ } ++ ++ if (t != file_name) ++ { ++ /* TODO: warn somehow that the path was modified */ ++ } ++ return (char*)t; ++} ++ + + /* determine full path name */ + char * + th_get_pathname(TAR *t) + { + if (t->th_buf.gnu_longname) +- return t->th_buf.gnu_longname; ++ return safer_name_suffix(t->th_buf.gnu_longname); + + /* allocate the th_pathname buffer if not already */ + if (t->th_pathname == NULL) +@@ -50,7 +79,7 @@ th_get_pathname(TAR *t) + } + + /* will be deallocated in tar_close() */ +- return t->th_pathname; ++ return safer_name_suffix(t->th_pathname); + } + + +diff --git a/lib/extract.c b/lib/extract.c +index 9fc6ad5..4ff1a95 100644 +--- a/lib/extract.c ++++ b/lib/extract.c +@@ -302,14 +302,14 @@ tar_extract_hardlink(TAR * t, char *realname) + if (mkdirhier(dirname(filename)) == -1) + return -1; + libtar_hashptr_reset(&hp); +- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t), ++ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)), + (libtar_matchfunc_t)libtar_str_match) != 0) + { + lnp = (char *)libtar_hashptr_data(&hp); + linktgt = &lnp[strlen(lnp) + 1]; + } + else +- linktgt = th_get_linkname(t); ++ linktgt = safer_name_suffix(th_get_linkname(t)); + + #ifdef DEBUG + printf(" ==> extracting: %s (link to %s)\n", filename, linktgt); +@@ -347,9 +347,9 @@ tar_extract_symlink(TAR *t, char *realname) + + #ifdef DEBUG + printf(" ==> extracting: %s (symlink to %s)\n", +- filename, th_get_linkname(t)); ++ filename, safer_name_suffix(th_get_linkname(t))); + #endif +- if (symlink(th_get_linkname(t), filename) == -1) ++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) + { + #ifdef DEBUG + perror("symlink()"); +diff --git a/lib/internal.h b/lib/internal.h +index da7be7f..f05ca4f 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -21,3 +21,4 @@ + 
#define TLS_THREAD + #endif + ++char* safer_name_suffix(char const*); +diff --git a/lib/output.c b/lib/output.c +index a5262ee..af754f1 100644 +--- a/lib/output.c ++++ b/lib/output.c +@@ -124,9 +124,9 @@ th_print_long_ls(TAR *t) + else + printf(" link to "); + if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL) +- printf("%s", t->th_buf.gnu_longlink); ++ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink)); + else +- printf("%.100s", t->th_buf.linkname); ++ printf("%.100s", safer_name_suffix(t->th_buf.linkname)); + } + + putchar('\n'); diff --git a/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch b/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch new file mode 100644 index 0000000000..0a2773fae2 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch 
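Review bot: safer_name_suffix() only drops a `..` component when it is followed by `/` (`p[0] == '.' && p[0] == p[1] && p[2] == '/'`), so a name or link target whose final component is `..` (for example `foo/..`) is returned unchanged; that is the conventional behaviour for this kind of check, but the commit message should state it, and if the function is derived from GNU tar's routine of the same name, say so for provenance. The `/* TODO: warn somehow that the path was modified */` could at least become a printf under the existing `#ifdef DEBUG`, so rewritten entries are visible in testing. In the output.c hunk, `safer_name_suffix(t->th_buf.linkname)` scans with `while (*p)` over a 100-byte header field that need not be NUL-terminated; the old `%.100s` bounded the read, the new call does not. Copy linkname into a NUL-terminated buffer first, as th_get_pathname() already does for name and prefix via snprintf.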
@@ -0,0 +1,42 @@ +From e590423f62cf5bc922ff4a1f7eab9bf7d65ee472 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 4 Oct 2022 10:39:35 +0200 +Subject: [PATCH] free memory allocated by gnu_long* fields + +Authored by Kamil Dudka . + +meta-openembedded uses Debian's release tarball [1]. Debian uses +repo.or.cz/libtar.git as their upstream [2]. repo.or.cz/libtar.git has +been inactive since 2013 [3]. + +CVE: CVE-2021-33640 CVE-2021-33645 CVE-2021-33646 + +Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013] + +[1] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8 +[2] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged) +[3] https://repo.or.cz/libtar.git/shortlog/refs/heads/master + +Signed-off-by: Katariina Lounento +--- + lib/handle.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 28a7dc2..18bd8dc 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -122,8 +122,11 @@ tar_close(TAR *t) + libtar_hash_free(t->h, ((t->oflags & O_ACCMODE) == O_RDONLY + ? free + : (libtar_freefunc_t)tar_dev_free)); +- if (t->th_pathname != NULL) +- free(t->th_pathname); ++ ++ free(t->th_pathname); ++ free(t->th_buf.gnu_longname); ++ free(t->th_buf.gnu_longlink); ++ + free(t); + + return i; diff --git a/meta-oe/recipes-support/libtar/files/CVE-2021-33643-CVE-2021-33644.patch b/meta-oe/recipes-support/libtar/files/CVE-2021-33643-CVE-2021-33644.patch new file mode 100644 index 0000000000..a61cc3b6a9 --- /dev/null +++ b/meta-oe/recipes-support/libtar/files/CVE-2021-33643-CVE-2021-33644.patch 
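Review bot: the handle.c hunk frees t->th_buf.gnu_longname and gnu_longlink in tar_close(); that is only safe if every earlier free of those fields (when th_read() reads the next header, for instance) also resets the pointer to NULL, otherwise an archive with several long-name entries ends in a double free. State in the message that th_read() was checked for that, and map the three CVE ids to what is fixed, since "free memory allocated by gnu_long* fields" does not say which id each leak corresponds to.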
@@ -0,0 +1,52 @@ +From c778d234c396e78bacef7c9bff0dd2bb9fb6aac8 Mon Sep 17 00:00:00 2001 +From: shixuantong <1726671442@qq.com> +Date: Wed, 6 Apr 2022 17:40:57 +0800 +Subject: [PATCH] Ensure that sz is greater than 0. + +Authored by shixuantong <1726671442@qq.com>. + +meta-openembedded uses Debian's release tarball [1]. Debian uses +repo.or.cz/libtar.git as their upstream [2]. repo.or.cz/libtar.git has +been inactive since 2013 [3]. + +CVE: CVE-2021-33643 CVE-2021-33644 + +Upstream-Status: Inactive-Upstream [lastrelease: 2013 lastcommit: 2013] + +[1] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master#n8 +[2] http://svn.kibibyte.se/libtar/trunk/debian/control (rev 51; not tagged) +[3] https://repo.or.cz/libtar.git/shortlog/refs/heads/master + +Signed-off-by: Katariina Lounento +--- + lib/block.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/block.c b/lib/block.c +index 092bc28..f12c4bc 100644 +--- a/lib/block.c ++++ b/lib/block.c +@@ -118,6 +118,11 @@ th_read(TAR *t) + if (TH_ISLONGLINK(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { +@@ -168,6 +173,11 @@ th_read(TAR *t) + if (TH_ISLONGNAME(t)) + { + sz = th_get_size(t); ++ if ((int)sz <= 0) ++ { ++ errno = EINVAL; ++ return -1; ++ } + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) + { diff --git a/meta-oe/recipes-support/libtar/libtar_1.2.20.bb b/meta-oe/recipes-support/libtar/libtar_1.2.20.bb index f93d9c09a5..c7501ac684 100644 --- a/meta-oe/recipes-support/libtar/libtar_1.2.20.bb +++ b/meta-oe/recipes-support/libtar/libtar_1.2.20.bb 
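Review bot: `if ((int)sz <= 0)` rejects zero and "negative" sizes through an int cast, but sz feeds size_t arithmetic in the next lines (`sz / T_BLOCKSIZE`, `blocks > ((size_t)-1 / T_BLOCKSIZE)`), so on 64-bit builds a value such as 0x100000001 casts to 1 and passes while the real size is over 4 GiB, and 0x80000000 is rejected while 0x7fffffff is accepted. An explicit bound is clearer and portable: `if (sz == 0 || sz > INT_MAX)`, or a far smaller cap, since a GNU long name or long link larger than a few path lengths is never legitimate. Both hunks are identical, so the check belongs in one helper called right after th_get_size().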
@@ -8,6 +8,18 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=61cbac6719ae682ce6cd45b5c11e21af" SRC_URI = "${DEBIAN_MIRROR}/main/libt/${BPN}/${BPN}_${PV}.orig.tar.gz \ file://fix_libtool_sysroot.patch \ file://0002-Do-not-strip-libtar.patch \ + file://0003-Fix-missing-prototype-compiler-warnings.patch \ + file://0004-Fix-invalid-memory-de-reference-issue.patch \ + file://0005-fix-file-descriptor-leaks-reported-by-cppcheck.patch \ + file://0006-fix-memleak-on-tar_open-failure.patch \ + file://0007-fix-memleaks-in-libtar-sample-program.patch \ + file://0008-decode-avoid-using-a-static-buffer-in-th_get_pathnam.patch \ + file://0009-Check-for-NULL-before-freeing-th_pathname.patch \ + file://0010-Added-stdlib.h-for-malloc-in-lib-decode.c.patch \ + file://0011-libtar-fix-programming-mistakes-detected-by-static-a.patch \ + file://CVE-2021-33643-CVE-2021-33644.patch \ + file://CVE-2021-33640-CVE-2021-33645-CVE-2021-33646.patch \ + file://CVE-2013-4420.patch \ " S = "${WORKDIR}/${BPN}" From patchwork Sat Jan 10 10:37:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78410 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EBBED277E1 for ; Sat, 10 Jan 2026 10:37:53 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6317.1768041468996359497 for ; Sat, 10 Jan 2026 02:37:49 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=TYsvr/N5; spf=pass (domain: gmail.com, ip: 209.85.210.179, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-7b8eff36e3bso4970213b3a.2 for ; Sat, 10 Jan 2026 
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 5/5] libwebsockets: ignore CVE-2025-1866
Date: Sat, 10 Jan 2026 23:37:16 +1300
Message-ID: <20260110103716.3470419-5-ankur.tyagi85@gmail.com>
In-Reply-To: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
References: <20260110103716.3470419-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123324

From: Ankur Tyagi

Only affects Windows and can be ignored.

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-1866
---
 .../recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb
index 90ac0c3eb3..413226ced2 100644
--- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb
+++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb
@@ -68,3 +68,5 @@ RDEPENDS:${PN}-dev += " ${@bb.utils.contains('PACKAGECONFIG', 'static', '${PN}-s SSTATE_SCAN_FILES += "*.cmake" BBCLASSEXTEND = "native" + +CVE_STATUS[CVE-2025-1866] = "not-applicable-platform: only affects Windows"
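Review bot: the reason string `not-applicable-platform: only affects Windows` gives the conclusion but not its basis; the NVD link only lives in the mail body, which is lost once the commit is applied. Put the one sentence from the advisory that limits the issue to Windows into the CVE_STATUS reason (or into the commit message that lands in git), so the next person auditing this recipe's ignored CVEs can verify it without redoing the research.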