From patchwork Mon Feb 9 09:28:44 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80727
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/25] curl: fix CVE-2025-10148
Date: Mon, 9 Feb 2026 10:28:44 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230752
From: Hitendra Prajapati

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-10148
Upstream patch: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

Signed-off-by: Hitendra Prajapati
Signed-off-by: Yoann Congal
---
 .../curl/curl/CVE-2025-10148.patch | 57 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
new file mode 100644
index 00000000000..d37497febe9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch
@@ -0,0 +1,57 @@ +From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 Sep 2025 14:14:15 +0200 +Subject: [PATCH] ws: get a new mask for each new outgoing frame + +Reported-by: Calvin Ruocco +Closes #18496 + +CVE: CVE-2025-10148 +Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa] +Signed-off-by: Hitendra Prajapati +--- + lib/ws.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/lib/ws.c b/lib/ws.c +index 5bc5ecc..02e0ef0 100644 +--- a/lib/ws.c ++++ b/lib/ws.c +@@ -614,6 +614,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data, + enc->payload_remain = enc->payload_len = payload_len; + ws_enc_info(enc, data, "sending"); + ++ /* 4 bytes random */ ++ ++ result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask)); ++ if(result) ++ return result; ++ ++#ifdef DEBUGBUILD ++ if(getenv("CURL_WS_FORCE_ZERO_MASK")) ++ /* force the bit mask to 0x00000000, effectively disabling masking */ ++ memset(&enc->mask, 0, sizeof(enc->mask)); ++#endif ++ + /* add 4 bytes mask */ + memcpy(&head[hlen], &enc->mask, 4); + hlen += 4; +@@ -802,14 +814,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data, + subprotocol not requested by the client), the client MUST Fail + the WebSocket Connection. */ + +- /* 4 bytes random */ +- +- result = Curl_rand(data, (unsigned char *)&ws->enc.mask, +- sizeof(ws->enc.mask)); +- if(result) +- return result; +- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x", +- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]); ++ infof(data, "Received 101, switch to WebSocket"); + + /* Install our client writer that decodes WS frames payload */ + result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode, +-- +2.50.1 + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index ecda13a04e1..0d7aea0978b 100644 
--- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -25,6 +25,7 @@ SRC_URI = " \ file://CVE-2024-11053-0003.patch \ file://CVE-2025-0167.patch \ file://CVE-2025-9086.patch \ + file://CVE-2025-10148.patch \ file://CVE-2025-14017.patch \ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ file://CVE-2025-14819.patch \
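Review bot: in the ws_enc_write_head hunk of CVE-2025-10148.patch, the new error path `if(result) return result;` hands a CURLcode back from a function whose hunk header reads `static ssize_t ws_enc_write_head(struct Curl_easy *data,`, and no declaration of `result` is visible in the surrounding context; the upstream commit was written against a newer lib/ws.c, so for the 8.7.1 backport confirm that `result` is declared in this function and that a Curl_rand failure is reported the way the rest of this function reports errors rather than as a positive value the caller could mistake for a byte count. This matters for the fix itself: a Curl_rand failure that slips through would leave `enc->mask` unrefreshed, which is exactly the per-connection fixed mask the patch is removing.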
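Review bot: the Upstream-Status line inside the patch and the "Upstream patch:" link in the recipe commit message both cite the fix as 84db7a9eae8468c0445b15aa806fa, a truncated hash, while the From line of the embedded patch carries the full 84db7a9eae8468c0445b15aa806fa7fa806fa0f2; use the full 40-character hash in both places so the reference stays unambiguous. The SRC_URI hunk itself is fine: CVE-2025-10148.patch is slotted between CVE-2025-9086.patch and CVE-2025-14017.patch, keeping the list in CVE order.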
From patchwork Mon Feb 9 09:28:45 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80728
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/25] curl: patch CVE-2025-14524
Date: Mon, 9 Feb 2026 10:28:45 +0100
Message-ID: <1a71732df03fda94d0a7f170da3e7f34df7aa780.1770626074.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230753

From: Amaury Couderc

Signed-off-by: Amaury Couderc
Signed-off-by: Yoann Congal
---
 .../curl/curl/CVE-2025-14524.patch | 44 +++++++++++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb | 1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-14524.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2025-14524.patch b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
new file mode 100644
index 00000000000..7692130f6e9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2025-14524.patch
@@ -0,0 +1,44 @@ +From 0bccd8d29c89d70120444088d3893af59f3772bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 10 Dec 2025 11:40:47 +0100 +Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer + +Closes #19933 + +CVE: CVE-2025-14524 +Upstream-Status: Backport [https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640] + +Signed-off-by: Amaury Couderc +--- + lib/curl_sasl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index 66639cbacc..fe646548a8 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -357,7 +357,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref nullmsg; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); +@@ -544,7 +546,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, + data->set.str[STRING_SERVICE_NAME] : + sasl->params->service; + #endif +- const char *oauth_bearer = data->set.str[STRING_BEARER]; ++ const char *oauth_bearer = ++ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? ++ data->set.str[STRING_BEARER] : NULL; + struct bufref serverdata; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); +-- +2.43.0 + diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb index 0d7aea0978b..9e37684b2cc 100644 --- a/meta/recipes-support/curl/curl_8.7.1.bb +++ b/meta/recipes-support/curl/curl_8.7.1.bb 
@@ -27,6 +27,7 @@ SRC_URI = " \ file://CVE-2025-9086.patch \ file://CVE-2025-10148.patch \ file://CVE-2025-14017.patch \ + file://CVE-2025-14524.patch \ file://0001-build-enable-Wcast-qual-fix-or-silence-compiler-warn.patch \ file://CVE-2025-14819.patch \ file://CVE-2025-15079.patch \
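Review bot: the identical three-line conditional `(!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? data->set.str[STRING_BEARER] : NULL` is pasted into both the Curl_sasl_start and the Curl_sasl_continue hunk of lib/curl_sasl.c; a small static helper (say `sasl_bearer_allowed(data)`, name suggested here) would keep the two call sites from drifting if the policy is refined later. Note also what the condition does: `this_is_a_follow` is set for any redirect, so the bearer is withheld even on a same-host redirect unless the application has opted in with `allow_auth_to_other_hosts`. That is the safe default for a credential that would otherwise leak to whatever host the server redirects to, but it should be stated in the recipe commit message, which currently carries no description at all.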
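Review bot: the From line of the embedded patch identifies the upstream commit as 0bccd8d29c89d70120444088d3893af59f3772bf, but the Upstream-Status line points at https://github.com/curl/curl/commit/1a822275d333dc6da6043497160fd04c8fa48640; the two should agree, or the header should say which is the master commit and which the release-branch cherry-pick. The recipe commit message should also carry the CVE description and an NVD reference, as the CVE-2025-10148 patch earlier in this series does, so that the reason for the change survives in git history.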
From patchwork Mon Feb 9 09:28:46 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80729
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/25] expat: patch CVE-2026-24515
Date: Mon, 9 Feb 2026 10:28:46 +0100
Message-ID: <45b5a511c828835c023e7888874877c0ebfd7b13.1770626074.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230754

From: Peter Marko

Pick commits from PR linked in NVD report.

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../expat/expat/CVE-2026-24515-01.patch | 43 +++++++
 .../expat/expat/CVE-2026-24515-02.patch | 117 ++++++++++++++++++
 meta/recipes-core/expat/expat_2.6.4.bb | 2 +
 3 files changed, 162 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-24515-02.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2026-24515-01.patch b/meta/recipes-core/expat/expat/CVE-2026-24515-01.patch
new file mode 100644
index 00000000000..0250374c76b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-24515-01.patch
@@ -0,0 +1,43 @@ +From 86fc914a7acc49246d5fde0ab6ed97eb8a0f15f9 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 18 Jan 2026 17:53:37 +0100 +Subject: [PATCH] lib: Make XML_ExternalEntityParserCreate copy unknown + encoding handler user data + +Patch suggested by Artiphishell Inc. + +CVE: CVE-2026-24515 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/86fc914a7acc49246d5fde0ab6ed97eb8a0f15f9] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 593cd90d..18577ee3 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1749,6 +1749,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + XML_ExternalEntityRefHandler oldExternalEntityRefHandler; + XML_SkippedEntityHandler oldSkippedEntityHandler; + XML_UnknownEncodingHandler oldUnknownEncodingHandler; ++ void *oldUnknownEncodingHandlerData; + XML_ElementDeclHandler oldElementDeclHandler; + XML_AttlistDeclHandler oldAttlistDeclHandler; + XML_EntityDeclHandler oldEntityDeclHandler; +@@ -1794,6 +1795,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + oldExternalEntityRefHandler = parser->m_externalEntityRefHandler; + oldSkippedEntityHandler = parser->m_skippedEntityHandler; + oldUnknownEncodingHandler = parser->m_unknownEncodingHandler; ++ oldUnknownEncodingHandlerData = parser->m_unknownEncodingHandlerData; + oldElementDeclHandler = parser->m_elementDeclHandler; + oldAttlistDeclHandler = parser->m_attlistDeclHandler; + oldEntityDeclHandler = parser->m_entityDeclHandler; +@@ -1854,6 +1856,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + parser->m_externalEntityRefHandler = oldExternalEntityRefHandler; + parser->m_skippedEntityHandler = oldSkippedEntityHandler; + parser->m_unknownEncodingHandler = oldUnknownEncodingHandler; ++ parser->m_unknownEncodingHandlerData = oldUnknownEncodingHandlerData; + 
parser->m_elementDeclHandler = oldElementDeclHandler; + parser->m_attlistDeclHandler = oldAttlistDeclHandler; + parser->m_entityDeclHandler = oldEntityDeclHandler; diff --git a/meta/recipes-core/expat/expat/CVE-2026-24515-02.patch b/meta/recipes-core/expat/expat/CVE-2026-24515-02.patch new file mode 100644 index 00000000000..7d6758fe095 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-24515-02.patch 
@@ -0,0 +1,117 @@ +From 8efea3e255d55c7e0a5b70b226f4652ab00e1a27 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 18 Jan 2026 17:26:31 +0100 +Subject: [PATCH] tests: Cover effect of XML_SetUnknownEncodingHandler user + data + +CVE: CVE-2026-24515 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8efea3e255d55c7e0a5b70b226f4652ab00e1a27] +Signed-off-by: Peter Marko +--- + tests/basic_tests.c | 42 +++++++++++++++++++++++++++++++++++++++ + tests/handlers.c | 10 ++++++++++ + tests/handlers.h | 3 +++ + 3 files changed, 55 insertions(+) + +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 0231e094..0ed98d86 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -4527,6 +4527,46 @@ START_TEST(test_unknown_encoding_invalid_attr_value) { + } + END_TEST + ++START_TEST(test_unknown_encoding_user_data_primary) { ++ // This test is based on ideas contributed by Artiphishell Inc. ++ const char *const text = "\n" ++ "\n"; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUnknownEncodingHandler(parser, ++ user_data_checking_unknown_encoding_handler, ++ (void *)(intptr_t)0xC0FFEE); ++ ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_OK); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_unknown_encoding_user_data_secondary) { ++ // This test is based on ideas contributed by Artiphishell Inc. 
++ const char *const text_main = "\n" ++ "]>\n" ++ "&ext;\n"; ++ const char *const text_external = "\n" ++ "data"; ++ ExtTest2 test_data = {text_external, (int)strlen(text_external), NULL, NULL}; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetExternalEntityRefHandler(parser, external_entity_loader2); ++ XML_SetUnknownEncodingHandler(parser, ++ user_data_checking_unknown_encoding_handler, ++ (void *)(intptr_t)0xC0FFEE); ++ XML_SetUserData(parser, &test_data); ++ ++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text_main, (int)strlen(text_main), ++ XML_TRUE) ++ == XML_STATUS_OK); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test an external entity parser set to use latin-1 detects UTF-16 + * BOMs correctly. + */ +@@ -6372,6 +6412,8 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_unknown_encoding_invalid_surrogate); + tcase_add_test(tc_basic, test_unknown_encoding_invalid_high); + tcase_add_test(tc_basic, test_unknown_encoding_invalid_attr_value); ++ tcase_add_test(tc_basic, test_unknown_encoding_user_data_primary); ++ tcase_add_test(tc_basic, test_unknown_encoding_user_data_secondary); + tcase_add_test__if_xml_ge(tc_basic, test_ext_entity_latin1_utf16le_bom); + tcase_add_test__if_xml_ge(tc_basic, test_ext_entity_latin1_utf16be_bom); + tcase_add_test__if_xml_ge(tc_basic, test_ext_entity_latin1_utf16le_bom2); +diff --git a/tests/handlers.c b/tests/handlers.c +index 5bca2b1f..d077f688 100644 +--- a/tests/handlers.c ++++ b/tests/handlers.c +@@ -45,6 +45,7 @@ + # undef NDEBUG /* because test suite relies on assert(...) 
at the moment */ + #endif + ++#include + #include + #include + #include +@@ -407,6 +408,15 @@ long_encoding_handler(void *userData, const XML_Char *encoding, + return XML_STATUS_OK; + } + ++int XMLCALL ++user_data_checking_unknown_encoding_handler(void *userData, ++ const XML_Char *encoding, ++ XML_Encoding *info) { ++ const intptr_t number = (intptr_t)userData; ++ assert_true(number == 0xC0FFEE); ++ return long_encoding_handler(userData, encoding, info); ++} ++ + /* External Entity Handlers */ + + int XMLCALL +diff --git a/tests/handlers.h b/tests/handlers.h +index fa6267fb..915040e5 100644 +--- a/tests/handlers.h ++++ b/tests/handlers.h +@@ -159,6 +159,9 @@ extern int XMLCALL long_encoding_handler(void *userData, + const XML_Char *encoding, + XML_Encoding *info); + ++extern int XMLCALL user_data_checking_unknown_encoding_handler( ++ void *userData, const XML_Char *encoding, XML_Encoding *info); ++ + /* External Entity Handlers */ + + typedef struct ExtOption { diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 1d2d818ecf7..a61357e6c14 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb 
@@ -41,6 +41,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2025-59375-22.patch \ file://CVE-2025-59375-23.patch \ file://CVE-2025-59375-24.patch \ + file://CVE-2026-24515-01.patch \ + file://CVE-2026-24515-02.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
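Review bot: the three lib/xmlparse.c hunks in CVE-2026-24515-01.patch are complete as a fix: m_unknownEncodingHandlerData is now saved into `oldUnknownEncodingHandlerData`, and restored, in the same relative position as its handler in each block, so an external-entity parser created by XML_ExternalEntityParserCreate no longer invokes the inherited unknown-encoding handler with a user-data pointer the handler never registered. The recipe commit message says the commits were picked from the PR linked in the NVD report but does not give that PR URL; add it, as the 04/25 expat patch in this series does, so the provenance can be checked without going through NVD.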
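Review bot: in the tests/handlers.c hunk of CVE-2026-24515-02.patch the added `#include` line carries no header name as shown, yet the new `user_data_checking_unknown_encoding_handler` casts `userData` to `intptr_t`, which needs <stdint.h>; likewise the XML literals in `test_unknown_encoding_user_data_primary` and `test_unknown_encoding_user_data_secondary` appear as bare "\n" fragments, which would not exercise an unknown encoding declaration at all. Verify the patch file byte-for-byte against the upstream commit before merging, since the test patch is what proves the user-data fix in 01 actually takes effect on the secondary parser.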
From patchwork Mon Feb 9 09:28:47 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80726
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/25] expat: patch CVE-2026-25210
Date: Mon, 9 Feb 2026 10:28:47 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230755

From: Peter Marko

Pick patches from [1].

[1] https://github.com/libexpat/libexpat/pull/1075

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../expat/expat/CVE-2026-25210-01.patch | 27 +++++++++++++
 .../expat/expat/CVE-2026-25210-02.patch | 38 +++++++++++++++++++
 .../expat/expat/CVE-2026-25210-03.patch | 28 ++++++++++++++
 meta/recipes-core/expat/expat_2.6.4.bb | 3 ++
 4 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-02.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2026-25210-03.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
new file mode 100644
index 00000000000..d56e8811915
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-25210-01.patch
@@ -0,0 +1,27 @@ +From 7ddea353ad3795f7222441274d4d9a155b523cba Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Make a doubling more readable + +Suggested-by: Sebastian Pipping + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/7ddea353ad3795f7222441274d4d9a155b523cba] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 8cf29257..2f9adffc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3499,7 +3499,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } +- bufSize = (int)(tag->bufEnd - tag->buf) << 1; ++ bufSize = (int)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch new file mode 100644 index 00000000000..21bd6e4fd0e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-25210-02.patch 
@@ -0,0 +1,38 @@ +From 8855346359a475c022ec8c28484a76c852f144d9 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Realign a size with the `REALLOC` type signature it is + passed into + +Note that this implicitly assumes `tag->bufEnd >= tag->buf`, which should +already be guaranteed true. + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8855346359a475c022ec8c28484a76c852f144d9] +Signed-off-by: Peter Marko +--- +--- + lib/xmlparse.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 2f9adffc..ee18a87f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3488,7 +3488,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + const char *fromPtr = tag->rawName; + toPtr = (XML_Char *)tag->buf; + for (;;) { +- int bufSize; + int convLen; + const enum XML_Convert_Result convert_res + = XmlConvert(enc, &fromPtr, rawNameEnd, (ICHAR **)&toPtr, +@@ -3499,7 +3498,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } +- bufSize = (int)(tag->bufEnd - tag->buf) * 2; ++ const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); + if (temp == NULL) diff --git a/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch new file mode 100644 index 00000000000..46a1618e040 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-25210-03.patch 
@@ -0,0 +1,28 @@ +From 9c2d990389e6abe2e44527eeaa8b39f16fe859c7 Mon Sep 17 00:00:00 2001 +From: Matthew Fernandez +Date: Thu, 2 Oct 2025 17:15:15 -0700 +Subject: [PATCH] lib: Introduce an integer overflow check for tag buffer + reallocation + +Suggested-by: Sebastian Pipping + +CVE: CVE-2026-25210 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7] +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index ee18a87f..d8c54c38 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -3498,6 +3498,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + tag->name.strLen = convLen; + break; + } ++ if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf)) ++ return XML_ERROR_NO_MEMORY; + const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2; + { + char *temp = REALLOC(parser, tag->buf, bufSize); diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index a61357e6c14..048093f010d 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb 
@@ -43,6 +43,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2025-59375-24.patch \ file://CVE-2026-24515-01.patch \ file://CVE-2026-24515-02.patch \ + file://CVE-2026-25210-01.patch \ + file://CVE-2026-25210-02.patch \ + file://CVE-2026-25210-03.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
From patchwork Mon Feb 9 09:28:48 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80724 X-Patchwork-Delegate: yoann.congal@smile.fr
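Review bot: In the CVE-2026-25210-01.patch hunk, the replacement `bufSize = (int)(tag->bufEnd - tag->buf) * 2;` is purely cosmetic: the pointer difference is still truncated to `int` and doubled in `int`, so this hunk on its own closes nothing. It only makes sense to carry the CVE tag because 02 and 03 follow it in the same series; the backport should not be applied without them.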
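Review bot: In CVE-2026-25210-02.patch the header carries a doubled separator (`+--- +---` before the diffstat); `git am` stops at the first `---`, so it applies, but the stray line should be dropped. In the hunk itself, `const size_t bufSize = (size_t)(tag->bufEnd - tag->buf) * 2;` removes the `int` truncation, but the `* 2` can still wrap a `size_t`, which is what the third patch's check addresses. The commit message's assumption `tag->bufEnd >= tag->buf` matters here: a negative difference cast to `size_t` would turn into a huge allocation request rather than a negative `int`.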
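Review bot: In CVE-2026-25210-03.patch the guard `if (SIZE_MAX / 2 < (size_t)(tag->bufEnd - tag->buf)) return XML_ERROR_NO_MEMORY;` correctly sits before the doubling, so `bufSize` can no longer wrap before it reaches `REALLOC`. `SIZE_MAX` comes from `<stdint.h>`; the hunk does not show the include list, so confirm that the 2.6.4 xmlparse.c already pulls it in, otherwise the backport fails to build.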
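Review bot: In the expat_2.6.4.bb hunk, the three `file://CVE-2026-25210-0N.patch` entries must stay in this order: 02's context expects the `* 2` form introduced by 01, and 03's context expects the `const size_t bufSize` line introduced by 02, so reordering them would make the later patches fail to apply.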
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/25] glib-2.0: patch CVE-2026-0988 Date: Mon, 9 Feb 2026 10:28:48 +0100 Message-ID: <266cd9b505f0da7655a0270adfea1e1f276dbce7.1770626074.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 09 Feb 2026 09:29:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230756 From: Peter Marko Pick relevant commit from [2] linked from [1]. [1] https://gitlab.gnome.org/GNOME/glib/-/issues/3851 [2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4944 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../glib-2.0/glib-2.0/CVE-2026-0988.patch | 58 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 1 + 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch new file mode 100644 index 00000000000..daf86224d5d --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2026-0988.patch 
@@ -0,0 +1,58 @@ +From c5766cff61ffce0b8e787eae09908ac348338e5f Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 18 Dec 2025 23:12:18 +0000 +Subject: [PATCH] gbufferedinputstream: Fix a potential integer overflow in + peek() + +If the caller provides `offset` and `count` arguments which overflow, +their sum will overflow and could lead to `memcpy()` reading out more +memory than expected. + +Spotted by Codean Labs. + +Signed-off-by: Philip Withnall + +Fixes: #3851 + +CVE: CVE-2026-0988 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f] +Signed-off-by: Peter Marko +--- + gio/gbufferedinputstream.c | 2 +- + gio/tests/buffered-input-stream.c | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/gio/gbufferedinputstream.c b/gio/gbufferedinputstream.c +index 9e6bacc62..56d656be0 100644 +--- a/gio/gbufferedinputstream.c ++++ b/gio/gbufferedinputstream.c +@@ -590,7 +590,7 @@ g_buffered_input_stream_peek (GBufferedInputStream *stream, + + available = g_buffered_input_stream_get_available (stream); + +- if (offset > available) ++ if (offset > available || offset > G_MAXSIZE - count) + return 0; + + end = MIN (offset + count, available); +diff --git a/gio/tests/buffered-input-stream.c b/gio/tests/buffered-input-stream.c +index a1af4eeff..2b2a0d9aa 100644 +--- a/gio/tests/buffered-input-stream.c ++++ b/gio/tests/buffered-input-stream.c +@@ -60,6 +60,16 @@ test_peek (void) + g_assert_cmpint (npeek, ==, 0); + g_free (buffer); + ++ buffer = g_new0 (char, 64); ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 8, 0); ++ g_assert_cmpint (npeek, ==, 0); ++ g_free (buffer); ++ ++ buffer = g_new0 (char, 64); ++ npeek = g_buffered_input_stream_peek (G_BUFFERED_INPUT_STREAM (in), buffer, 5, G_MAXSIZE); ++ g_assert_cmpint (npeek, ==, 0); ++ g_free (buffer); ++ + g_object_unref (in); + g_object_unref (base); + } 
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb index c7e18c7bc41..97618d1d40b 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb 
@@ -39,6 +39,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2025-14087-02.patch \ file://CVE-2025-14087-03.patch \ file://CVE-2025-14512.patch \ + file://CVE-2026-0988.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
From patchwork Mon Feb 9 09:28:49 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80731 X-Patchwork-Delegate: yoann.congal@smile.fr
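Review bot: In the gbufferedinputstream.c hunk, `offset > G_MAXSIZE - count` is the right shape for the guard: it runs before `end = MIN (offset + count, available)`, and because `offset > available` is tested first, the subtraction is only reached for offsets already inside the buffer. Returning 0 silently matches the existing `offset > available` path; since the commit message frames this as caller-supplied arguments, a `g_return_val_if_fail`-style warning would make the misuse visible to callers, but staying consistent with the surrounding code is defensible.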
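Review bot: In the buffered-input-stream.c test hunk, only the second new case (`offset` 5, `count` G_MAXSIZE) exercises the new branch. With `count` 0 the first case returns 0 both before and after the fix, because `offset + count` cannot wrap, so it is a boundary check rather than a regression test; a one-line comment saying so would help the next reader.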
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/25] inetutils: Fix CVE-2026-24061 Date: Mon, 9 Feb 2026 10:28:49 +0100 Message-ID: <66c0a08c1e1df861aadf673c4148a138ed7b00ce.1770626074.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 09 Feb 2026 09:29:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230757 From: Vijay Anusuri Upstream-Status: Backport from https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ccba9f748aa8d50a38d7748e2e60362edd6a32cc & https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fd702c02497b2f398e739e3119bed0b23dd7aa7b Ref: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../inetutils/CVE-2026-24061-1.patch | 41 +++++++++ .../inetutils/CVE-2026-24061-2.patch | 85 +++++++++++++++++++ .../inetutils/inetutils_2.5.bb | 2 + 3 files changed, 128 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch new file mode 100644 index 00000000000..f19cb5d18b8 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-1.patch 
@@ -0,0 +1,41 @@ +From fd702c02497b2f398e739e3119bed0b23dd7aa7b Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Tue, 20 Jan 2026 01:10:36 -0800 +Subject: Fix injection bug with bogus user names + +Problem reported by Kyu Neushwaistein. +* telnetd/utility.c (_var_short_name): +Ignore user names that start with '-' or contain shell metacharacters. + +Signed-off-by: Simon Josefsson + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fd702c02497b2f398e739e3119bed0b23dd7aa7b] +CVE: CVE-2026-24061 +Signed-off-by: Vijay Anusuri +--- + telnetd/utility.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index b486226e..c02cd0e6 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -1733,7 +1733,14 @@ _var_short_name (struct line_expander *exp) + return user_name ? xstrdup (user_name) : NULL; + + case 'U': +- return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup (""); ++ { ++ /* Ignore user names starting with '-' or containing shell ++ metachars, as they can cause trouble. */ ++ char const *u = getenv ("USER"); ++ return xstrdup ((u && *u != '-' ++ && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) ++ ? u : ""); ++ } + + default: + exp->state = EXP_STATE_ERROR; +-- +cgit v1.2.3 + diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch new file mode 100644 index 00000000000..2a572941904 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-24061-2.patch 
@@ -0,0 +1,85 @@ +From ccba9f748aa8d50a38d7748e2e60362edd6a32cc Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Tue, 20 Jan 2026 14:02:39 +0100 +Subject: telnetd: Sanitize all variable expansions + +* telnetd/utility.c (sanitize): New function. +(_var_short_name): Use it for all variables. + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=ccba9f748aa8d50a38d7748e2e60362edd6a32cc] +CVE: CVE-2026-24061 +Signed-off-by: Vijay Anusuri +--- + telnetd/utility.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index c02cd0e6..b21ad961 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -1684,6 +1684,17 @@ static void _expand_cond (struct line_expander *exp); + static void _skip_block (struct line_expander *exp); + static void _expand_block (struct line_expander *exp); + ++static char * ++sanitize (const char *u) ++{ ++ /* Ignore values starting with '-' or containing shell metachars, as ++ they can cause trouble. */ ++ if (u && *u != '-' && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) ++ return u; ++ else ++ return ""; ++} ++ + /* Expand a variable referenced by its short one-symbol name. + Input: exp->cp points to the variable name. + FIXME: not implemented */ +@@ -1710,13 +1721,13 @@ _var_short_name (struct line_expander *exp) + return xstrdup (timebuf); + + case 'h': +- return xstrdup (remote_hostname); ++ return xstrdup (sanitize (remote_hostname)); + + case 'l': +- return xstrdup (local_hostname); ++ return xstrdup (sanitize (local_hostname)); + + case 'L': +- return xstrdup (line); ++ return xstrdup (sanitize (line)); + + case 't': + q = strchr (line + 1, '/'); +@@ -1724,23 +1735,16 @@ _var_short_name (struct line_expander *exp) + q++; + else + q = line; +- return xstrdup (q); ++ return xstrdup (sanitize (q)); + + case 'T': +- return terminaltype ? xstrdup (terminaltype) : NULL; ++ return terminaltype ? 
xstrdup (sanitize (terminaltype)) : NULL; + + case 'u': +- return user_name ? xstrdup (user_name) : NULL; ++ return user_name ? xstrdup (sanitize (user_name)) : NULL; + + case 'U': +- { +- /* Ignore user names starting with '-' or containing shell +- metachars, as they can cause trouble. */ +- char const *u = getenv ("USER"); +- return xstrdup ((u && *u != '-' +- && !u[strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")]) +- ? u : ""); +- } ++ return xstrdup (sanitize (getenv ("USER"))); + + default: + exp->state = EXP_STATE_ERROR; +-- +cgit v1.2.3 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 0f1a0736bd4..486878022f0 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb 
@@ -18,6 +18,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://rsh.xinetd.inetutils \ file://telnet.xinetd.inetutils \ file://tftpd.xinetd.inetutils \ + file://CVE-2026-24061-1.patch \ + file://CVE-2026-24061-2.patch \ " inherit autotools gettext update-alternatives texinfo
From patchwork Mon Feb 9 09:28:50 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80730 X-Patchwork-Delegate: yoann.congal@smile.fr
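Review bot: In the CVE-2026-24061-1.patch hunk, the `%U` check is a blocklist: `strcspn (u, "\t\n !\"#$&'()*;<=>?[\\^`{|}~")` rejects the listed shell metacharacters and passes everything else through. An allowlist of the portable user-name characters (letters, digits, `.`, `_`, and `-` after the first position) would be the more conservative choice and is easier to audit than a list that has to be kept complete by hand.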
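Review bot: In the CVE-2026-24061-2.patch hunk that introduces `sanitize`, the function is declared `static char *` but returns its `const char *` parameter `u`, which discards a qualifier and will warn (and fail under `-Werror`). Every caller wraps the result in `xstrdup`, so declaring it `static const char *` is the minimal fix. The NULL handling is fine: `getenv ("USER")` returning NULL falls through `u && ...` to `""`.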
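Review bot: In the inetutils_2.5.bb hunk, the `-1.patch` and `-2.patch` entries must stay in that order: the `case 'U'` hunk of the second patch uses the block added by the first patch as its removed context, so swapping them breaks the apply.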
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/25] libpng: patch CVE-2026-22695 Date: Mon, 9 Feb 2026 10:28:50 +0100 Message-ID: <72567b765dd4818da56d470ae718d714ee0485dd.1770626074.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 09 Feb 2026 09:29:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230758 From: Peter Marko Pick commit per [1]. This CVE is a regression of the fix for CVE-2025-65018. [1] https://security-tracker.debian.org/tracker/CVE-2026-22695 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../libpng/files/CVE-2026-22695.patch | 77 +++++++++++++++++++ .../libpng/libpng_1.6.42.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch new file mode 100644 index 00000000000..6456b6c4917 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-22695.patch
@@ -0,0 +1,77 @@ +From e4f7ad4ea2a471776c81dda4846b7691925d9786 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 9 Jan 2026 20:51:53 +0200 +Subject: [PATCH] Fix a heap buffer over-read in `png_image_read_direct_scaled` + +Fix a regression from commit 218612ddd6b17944e21eda56caf8b4bf7779d1ea. + +The function `png_image_read_direct_scaled`, introduced by the fix for +CVE-2025-65018, copies transformed row data from an intermediate buffer +(`local_row`) to the user's output buffer. The copy incorrectly used +`row_bytes` (the caller's stride) as the size parameter to memcpy, even +though `local_row` is only `png_get_rowbytes()` bytes long. + +This causes a heap buffer over-read when: + +1. The caller provides a padded stride (e.g., for memory alignment): + memcpy reads past the end of `local_row` by `stride - row_width` + bytes. + +2. The caller provides a negative stride (for bottom-up layouts): + casting ptrdiff_t to size_t produces ~2^64, causing memcpy to + attempt reading exabytes, resulting in an immediate crash. + +The fix consists in using the size of the row buffer for the copy and +using the stride for pointer advancement only. + +Reported-by: Petr Simecek +Analyzed-by: Stanislav Fort +Analyzed-by: Pavel Kohout +Co-authored-by: Petr Simecek +Signed-off-by: Cosmin Truta + +CVE: CVE-2026-22695 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786] +Signed-off-by: Peter Marko +--- + AUTHORS | 1 + + pngread.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/AUTHORS b/AUTHORS +index 26b7bb50f..b9c0fffcf 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -23,6 +23,7 @@ Authors, for copyright and licensing purposes. 
+ * Mike Klein + * Pascal Massimino + * Paul Schmidt ++ * Petr Simecek + * Philippe Antoine + * Qiang Zhou + * Sam Bushell +diff --git a/pngread.c b/pngread.c +index e3426292b..9d86b01dc 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3270,9 +3270,11 @@ png_image_read_direct_scaled(png_voidp argument) + argument); + png_imagep image = display->image; + png_structrp png_ptr = image->opaque->png_ptr; ++ png_inforp info_ptr = image->opaque->info_ptr; + png_bytep local_row = png_voidcast(png_bytep, display->local_row); + png_bytep first_row = png_voidcast(png_bytep, display->first_row); + ptrdiff_t row_bytes = display->row_bytes; ++ size_t copy_bytes = png_get_rowbytes(png_ptr, info_ptr); + int passes; + + /* Handle interlacing. */ +@@ -3302,7 +3304,7 @@ png_image_read_direct_scaled(png_voidp argument) + png_read_row(png_ptr, local_row, NULL); + + /* Copy from local_row to user buffer. */ +- memcpy(output_row, local_row, (size_t)row_bytes); ++ memcpy(output_row, local_row, copy_bytes); + output_row += row_bytes; + } + } diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index 6dc7ffe2722..fe99e5df092 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb 
@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz file://CVE-2025-65018-02.patch \ file://CVE-2025-66293-01.patch \ file://CVE-2025-66293-02.patch \ + file://CVE-2026-22695.patch \ " SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
From patchwork Mon Feb 9 09:28:51 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80733 X-Patchwork-Delegate: yoann.congal@smile.fr
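Review bot: In the first pngread.c hunk, `copy_bytes = png_get_rowbytes(png_ptr, info_ptr)` is only the right size if `info_ptr` already reflects the transformations applied to `local_row`, i.e. it must be read after `png_read_update_info` has run; the hunk does not show that call, so confirm it in the 1.6.42 copy of `png_image_read_direct_scaled` (this recipe carries that function through CVE-2025-65018-02.patch, per the .bb context). With that confirmed, the second hunk's use of `row_bytes` for pointer advancement only is exactly what the commit message describes and also covers the negative-stride case.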
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/25] libpng: patch CVE-2026-22801 Date: Mon, 9 Feb 2026 10:28:51 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 09 Feb 2026 09:29:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230759 From: Peter Marko Pick commit per [1]. [1] https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../libpng/files/CVE-2026-22801.patch | 173 ++++++++++++++++++ .../libpng/libpng_1.6.42.bb | 1 + 2 files changed, 174 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch new file mode 100644 index 00000000000..8a611ac7494 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-22801.patch
@@ -0,0 +1,173 @@ +From cf155de014fc6c5cb199dd681dd5c8fb70429072 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 10 Jan 2026 15:20:18 +0200 +Subject: [PATCH] fix: Remove incorrect truncation casts from + `png_write_image_*` + +The type of the row stride (`display->row_bytes`) is ptrdiff_t. Casting +to png_uint_16 before division will truncate large strides, causing +incorrect pointer arithmetic for images exceeding 65535 bytes per row. +For bottom-up images (negative stride), the truncation also corrupts +the sign, advancing the row pointer forward instead of backward. + +Remove the erroneous casts and let the compiler handle the pointer +arithmetic correctly. Also replace `sizeof (png_uint_16)` with 2. + +Add regression test via `pngstest --stride-extra N` where N > 32767 +triggers the affected code paths. + +A NOTE ABOUT HISTORY: +The original code in libpng 1.5.6 (2011) had no such casts. They were +introduced in libpng 1.6.26 (2016), likely to silence compiler warnings +on 16-bit systems where the cast would be a no-op. On 32/64-bit systems +the cast truncates the strides above 65535 and corrupts the negative +strides. + +CVE: CVE-2026-22801 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072] +Signed-off-by: Peter Marko +--- + CMakeLists.txt | 9 ++++++++- + contrib/libtests/pngstest.c | 29 ++++++++++++++++++++++++++++- + pngwrite.c | 10 +++++----- + tests/pngstest-large-stride | 8 ++++++++ + 4 files changed, 49 insertions(+), 7 deletions(-) + create mode 100755 tests/pngstest-large-stride + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index a8cd82402..a595ed91d 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1,7 +1,7 @@ + + # CMakeLists.txt - CMake lists for libpng + # +-# Copyright (c) 2018-2024 Cosmin Truta. ++# Copyright (c) 2018-2026 Cosmin Truta + # Copyright (c) 2007-2018 Glenn Randers-Pehrson. + # Originally written by Christian Ehrlicher, 2007. 
+ # +@@ -859,6 +859,13 @@ if(PNG_TESTS AND PNG_SHARED) + endforeach() + endforeach() + ++ # Regression test: ++ # Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images. ++ png_add_test(NAME pngstest-large-stride ++ COMMAND pngstest ++ OPTIONS --stride-extra 33000 --tmpfile "large-stride-" --log ++ FILES "${CMAKE_CURRENT_SOURCE_DIR}/contrib/testpngs/rgb-alpha-16-linear.png") ++ + add_executable(pngunknown ${pngunknown_sources}) + target_link_libraries(pngunknown PRIVATE png_shared) + +diff --git a/contrib/libtests/pngstest.c b/contrib/libtests/pngstest.c +index ff4c2b24a..2f29afee2 100644 +--- a/contrib/libtests/pngstest.c ++++ b/contrib/libtests/pngstest.c +@@ -1,7 +1,7 @@ + + /* pngstest.c + * +- * Copyright (c) 2021 Cosmin Truta ++ * Copyright (c) 2021-2026 Cosmin Truta + * Copyright (c) 2013-2017 John Cunningham Bowler + * + * This code is released under the libpng license. +@@ -3571,6 +3571,33 @@ main(int argc, char **argv) + opts |= NO_RESEED; + else if (strcmp(arg, "--fault-gbg-warning") == 0) + opts |= GBG_ERROR; ++ else if (strcmp(arg, "--stride-extra") == 0) ++ { ++ if (c+1 < argc) ++ { ++ char *ep; ++ unsigned long val = strtoul(argv[++c], &ep, 0); ++ ++ if (ep > argv[c] && *ep == 0 && val <= 65535) ++ stride_extra = (int)val; ++ ++ else ++ { ++ fflush(stdout); ++ fprintf(stderr, "%s: bad argument for --stride-extra: %s\n", ++ argv[0], argv[c]); ++ exit(99); ++ } ++ } ++ ++ else ++ { ++ fflush(stdout); ++ fprintf(stderr, "%s: missing argument for --stride-extra\n", ++ argv[0]); ++ exit(99); ++ } ++ } + else if (strcmp(arg, "--tmpfile") == 0) + { + if (c+1 < argc) +diff --git a/pngwrite.c b/pngwrite.c +index 08066bcc4..a95b846c8 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -1,7 +1,7 @@ + + /* pngwrite.c - general routines to write a PNG file + * +- * Copyright (c) 2018-2024 Cosmin Truta ++ * Copyright (c) 2018-2026 Cosmin Truta + * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson + * Copyright (c) 1996-1997 Andreas Dilger + 
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +@@ -1645,7 +1645,7 @@ png_write_image_16bit(png_voidp argument) + } + + png_write_row(png_ptr, png_voidcast(png_const_bytep, display->local_row)); +- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16)); ++ input_row += display->row_bytes / 2; + } + + return 1; +@@ -1771,7 +1771,7 @@ png_write_image_8bit(png_voidp argument) + + png_write_row(png_ptr, png_voidcast(png_const_bytep, + display->local_row)); +- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16)); ++ input_row += display->row_bytes / 2; + } /* while y */ + } + +@@ -1796,7 +1796,7 @@ png_write_image_8bit(png_voidp argument) + } + + png_write_row(png_ptr, output_row); +- input_row += (png_uint_16)display->row_bytes/(sizeof (png_uint_16)); ++ input_row += display->row_bytes / 2; + } + } + +@@ -2115,7 +2115,7 @@ png_image_write_main(png_voidp argument) + ptrdiff_t row_bytes = display->row_stride; + + if (linear != 0) +- row_bytes *= (sizeof (png_uint_16)); ++ row_bytes *= 2; + + if (row_bytes < 0) + row += (image->height-1) * (-row_bytes); +diff --git a/tests/pngstest-large-stride b/tests/pngstest-large-stride +new file mode 100755 +index 000000000..7958c5b42 +--- /dev/null ++++ b/tests/pngstest-large-stride +@@ -0,0 +1,8 @@ ++#!/bin/sh ++ ++# Regression test: ++# Use stride_extra > 32767 to trigger row_bytes > 65535 for linear images. ++exec ./pngstest \ ++ --stride-extra 33000 \ ++ --tmpfile "large-stride-" \ ++ --log "${srcdir}/contrib/testpngs/rgb-alpha-16-linear.png" diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index fe99e5df092..0e375a0ce84 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb 
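Review bot: the pngwrite.c hunks are only correct because `display->row_bytes` is an even, signed `ptrdiff_t` by the time these loops run; the `png_image_write_main` hunk doubles it (`row_bytes *= 2`) for linear input before the 16-bit and 8-bit row loops are reached, so `input_row += display->row_bytes / 2;` is an exact division and keeps the sign of a bottom-up (negative) stride, which is exactly what the removed `(png_uint_16)` cast destroyed. The hunks replace `sizeof (png_uint_16)` with a bare `2` in four places; a one-line comment or a named constant at the first site would record that the 2 is the byte width of a 16-bit sample rather than an arbitrary step.

Review bot: the regression test is registered only for the CMake build. The `png_add_test(NAME pngstest-large-stride ...)` hunk in CMakeLists.txt and the new `tests/pngstest-large-stride` script are the only test wiring in the diffstat; no Makefile.am or autotools TESTS list is touched, so a build that does not use CMake carries the script but never runs it. That is acceptable for a backport whose purpose is the pngwrite.c fix, but it should be said in the recipe commit message if ptest coverage was expected. Also confirm that `stride_extra` already exists in pngstest.c in 1.6.42: the new `--stride-extra` branch assigns `stride_extra = (int)val;` and the hunk adds no declaration, so the backport only compiles if that variable is present in this version.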
@@ -22,6 +22,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz file://CVE-2025-66293-01.patch \ file://CVE-2025-66293-02.patch \ file://CVE-2026-22695.patch \ + file://CVE-2026-22801.patch \ " SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"

From patchwork Mon Feb 9 09:28:52 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80738
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/25] libtasn1: Fix CVE-2025-13151
Date: Mon, 9 Feb 2026 10:28:52 +0100
Message-ID: <8cb69ea01147671fc403a91dfa91bcee563e1269.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230760

From: Hugo SIMELIERE

Upstream-Status: Backport from https://gitlab.com/gnutls/libtasn1/-/commit/d276cc495a2a32b182c3c39851f1ba58f2d9f9b8

Signed-off-by: Bruno VERNAY
Signed-off-by: Hugo SIMELIERE
Signed-off-by: Yoann Congal
---
 .../gnutls/libtasn1/CVE-2025-13151.patch | 30 +++++++++++++++++++
 .../recipes-support/gnutls/libtasn1_4.20.0.bb | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch

diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
new file mode 100644
index 00000000000..5047d679840
--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/CVE-2025-13151.patch
@@ -0,0 +1,30 @@ +From ff7aa7ef2b9ba41df8f2d1e71b05bf2c2ad868dd Mon Sep 17 00:00:00 2001 +From: Vijay Sarvepalli +Date: Mon, 22 Dec 2025 12:24:27 -0500 +Subject: [PATCH] Fix for CVE-2025-13151 Buffer overflow + +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/d276cc495a2a32b182c3c39851f1ba58f2d9f9b8] +CVE: CVE-2025-13151 + +Signed-off-by: Simon Josefsson +Signed-off-by: Hugo SIMELIERE +--- + lib/decoding.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index 1e0fcb3..abcb49f 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -1983,7 +1983,7 @@ int + asn1_expand_octet_string (asn1_node_const definitions, asn1_node *element, + const char *octetName, const char *objectName) + { +- char name[2 * ASN1_MAX_NAME_SIZE + 1], value[ASN1_MAX_NAME_SIZE]; ++ char name[2 * ASN1_MAX_NAME_SIZE + 2], value[ASN1_MAX_NAME_SIZE]; + int retCode = ASN1_SUCCESS, result; + int len, len2, len3; + asn1_node_const p2; +-- +2.47.1 + diff --git a/meta/recipes-support/gnutls/libtasn1_4.20.0.bb b/meta/recipes-support/gnutls/libtasn1_4.20.0.bb index 8127ba5b1db..bfc011a2f17 100644 --- a/meta/recipes-support/gnutls/libtasn1_4.20.0.bb +++ b/meta/recipes-support/gnutls/libtasn1_4.20.0.bb 
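Review bot: the provenance lines in the patch header disagree: the `From ff7aa7ef2b9ba41df8f2d1e71b05bf2c2ad868dd` line names one commit while `Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/d276cc495a2a32b182c3c39851f1ba58f2d9f9b8]` names another, so a reader checking the backport cannot tell which upstream commit the diff was taken from. Put the hash of the commit actually picked in both places. The change itself is a one-byte growth of `name` to `2 * ASN1_MAX_NAME_SIZE + 2` in `asn1_expand_octet_string`, and the message says only "Buffer overflow"; a sentence naming what is written into `name` that needs the extra byte would make the fix reviewable without consulting the advisory.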
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \ SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ file://dont-depend-on-help2man.patch \ + file://CVE-2025-13151.patch \ " DEPENDS = "bison-native"

From patchwork Mon Feb 9 09:28:53 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80741
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/25] libxml2: patch CVE-2026-0989
Date: Mon, 9 Feb 2026 10:28:53 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230761

From: Peter Marko

Pick patch from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
[2] https://gitlab.gnome.org/GNOME/libxml2/-/issues/998

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../libxml/libxml2/CVE-2026-0989.patch | 309 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
 2 files changed, 310 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
new file mode 100644
index 00000000000..66ff1219ded
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0989.patch
@@ -0,0 +1,309 @@ +From 19549c61590c1873468c53e0026a2fbffae428ef Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Fri, 10 Oct 2025 09:38:31 +0200 +Subject: [PATCH] Add RelaxNG include limit + +This patch adds a default xmlRelaxNGIncludeLimit of 1.000, and that +limit can be modified at runtime with the env variable +RNG_INCLUDE_LIMIT. + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/998 + +CVE: CVE-2026-0989 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/19549c61590c1873468c53e0026a2fbffae428ef] +Signed-off-by: Peter Marko +--- + include/libxml/relaxng.h | 4 ++ + relaxng.c | 63 ++++++++++++++++++++-- + runtest.c | 67 ++++++++++++++++++++++++ + test/relaxng/include/include-limit.rng | 4 ++ + test/relaxng/include/include-limit_1.rng | 4 ++ + test/relaxng/include/include-limit_2.rng | 4 ++ + test/relaxng/include/include-limit_3.rng | 8 +++ + 7 files changed, 150 insertions(+), 4 deletions(-) + create mode 100644 test/relaxng/include/include-limit.rng + create mode 100644 test/relaxng/include/include-limit_1.rng + create mode 100644 test/relaxng/include/include-limit_2.rng + create mode 100644 test/relaxng/include/include-limit_3.rng + +diff --git a/include/libxml/relaxng.h b/include/libxml/relaxng.h +index eafc6604..099dacd8 100644 +--- a/include/libxml/relaxng.h ++++ b/include/libxml/relaxng.h +@@ -138,6 +138,10 @@ XMLPUBFUN int + xmlRelaxParserSetFlag (xmlRelaxNGParserCtxtPtr ctxt, + int flag); + ++XMLPUBFUN int ++ xmlRelaxParserSetIncLImit (xmlRelaxNGParserCtxt *ctxt, ++ int limit); ++ + XMLPUBFUN void + xmlRelaxNGFreeParserCtxt (xmlRelaxNGParserCtxtPtr ctxt); + XMLPUBFUN void +diff --git a/relaxng.c b/relaxng.c +index 1d74ba9f..c0e94a3c 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -18,6 +18,8 @@ + + #ifdef LIBXML_SCHEMAS_ENABLED + ++#include ++#include + #include + #include + #include +@@ -44,6 +46,12 @@ + static const xmlChar *xmlRelaxNGNs = (const xmlChar *) + "http://relaxng.org/ns/structure/1.0"; + ++/* ++ * 
Default include limit, this can be override with RNG_INCLUDE_LIMIT ++ * env variable ++ */ ++static const int _xmlRelaxNGIncludeLimit = 1000; ++ + #define IS_RELAXNG(node, typ) \ + ((node != NULL) && (node->ns != NULL) && \ + (node->type == XML_ELEMENT_NODE) && \ +@@ -225,6 +233,7 @@ struct _xmlRelaxNGParserCtxt { + int incNr; /* Depth of the include parsing stack */ + int incMax; /* Max depth of the parsing stack */ + xmlRelaxNGIncludePtr *incTab; /* array of incs */ ++ int incLimit; /* Include limit, to avoid stack-overflow on parse */ + + int idref; /* requires idref checking */ + +@@ -1410,6 +1419,23 @@ xmlRelaxParserSetFlag(xmlRelaxNGParserCtxtPtr ctxt, int flags) + return(0); + } + ++/** ++ * Semi private function used to set the include recursion limit to a ++ * parser context. Set to 0 to use the default value. ++ * ++ * @param ctxt a RelaxNG parser context ++ * @param limit the new include depth limit ++ * @returns 0 if success and -1 in case of error ++ */ ++int ++xmlRelaxParserSetIncLImit(xmlRelaxNGParserCtxt *ctxt, int limit) ++{ ++ if (ctxt == NULL) return(-1); ++ if (limit < 0) return(-1); ++ ctxt->incLimit = limit; ++ return(0); ++} ++ + /************************************************************************ + * * + * Document functions * +@@ -1425,7 +1451,7 @@ static xmlDocPtr xmlRelaxNGCleanupDoc(xmlRelaxNGParserCtxtPtr ctxt, + * + * Pushes a new include on top of the include stack + * +- * Returns 0 in case of error, the index in the stack otherwise ++ * Returns -1 in case of error, the index in the stack otherwise + */ + static int + xmlRelaxNGIncludePush(xmlRelaxNGParserCtxtPtr ctxt, +@@ -1439,9 +1465,15 @@ xmlRelaxNGIncludePush(xmlRelaxNGParserCtxtPtr ctxt, + sizeof(ctxt->incTab[0])); + if (ctxt->incTab == NULL) { + xmlRngPErrMemory(ctxt, "allocating include\n"); +- return (0); ++ return (-1); + } + } ++ if (ctxt->incNr >= ctxt->incLimit) { ++ xmlRngPErr(ctxt, (xmlNodePtr)value->doc, XML_RNGP_PARSE_ERROR, ++ "xmlRelaxNG: inclusion recursion 
limit reached\n", NULL, NULL); ++ return(-1); ++ } ++ + if (ctxt->incNr >= ctxt->incMax) { + ctxt->incMax *= 2; + ctxt->incTab = +@@ -1450,7 +1482,7 @@ xmlRelaxNGIncludePush(xmlRelaxNGParserCtxtPtr ctxt, + sizeof(ctxt->incTab[0])); + if (ctxt->incTab == NULL) { + xmlRngPErrMemory(ctxt, "allocating include\n"); +- return (0); ++ return (-1); + } + } + ctxt->incTab[ctxt->incNr] = value; +@@ -1620,7 +1652,9 @@ xmlRelaxNGLoadInclude(xmlRelaxNGParserCtxtPtr ctxt, const xmlChar * URL, + /* + * push it on the stack + */ +- xmlRelaxNGIncludePush(ctxt, ret); ++ if (xmlRelaxNGIncludePush(ctxt, ret) < 0) { ++ return (NULL); ++ } + + /* + * Some preprocessing of the document content, this include recursing +@@ -7357,11 +7391,32 @@ xmlRelaxNGParse(xmlRelaxNGParserCtxtPtr ctxt) + xmlDocPtr doc; + xmlNodePtr root; + ++ const char *include_limit_env = getenv("RNG_INCLUDE_LIMIT"); ++ + xmlRelaxNGInitTypes(); + + if (ctxt == NULL) + return (NULL); + ++ if (ctxt->incLimit == 0) { ++ ctxt->incLimit = _xmlRelaxNGIncludeLimit; ++ if (include_limit_env != NULL) { ++ char *strEnd; ++ unsigned long val = 0; ++ errno = 0; ++ val = strtoul(include_limit_env, &strEnd, 10); ++ if (errno != 0 || *strEnd != 0 || val > INT_MAX) { ++ xmlRngPErr(ctxt, NULL, XML_RNGP_PARSE_ERROR, ++ "xmlRelaxNGParse: invalid RNG_INCLUDE_LIMIT %s\n", ++ (const xmlChar*)include_limit_env, ++ NULL); ++ return(NULL); ++ } ++ if (val) ++ ctxt->incLimit = val; ++ } ++ } ++ + /* + * First step is to parse the input document into an DOM/Infoset + */ +diff --git a/runtest.c b/runtest.c +index 49519aef..45109f0a 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -3781,6 +3781,70 @@ rngTest(const char *filename, + return(ret); + } + ++/** ++ * Parse an RNG schemas with a custom RNG_INCLUDE_LIMIT ++ * ++ * @param filename the schemas file ++ * @param result the file with expected result ++ * @param err the file with error messages ++ * @returns 0 in case of success, an error code otherwise ++ */ ++static int ++rngIncludeTest(const 
char *filename, ++ const char *resul ATTRIBUTE_UNUSED, ++ const char *errr ATTRIBUTE_UNUSED, ++ int options ATTRIBUTE_UNUSED) { ++ xmlRelaxNGParserCtxtPtr ctxt; ++ xmlRelaxNGPtr schemas; ++ int ret = 0; ++ ++ /* first compile the schemas if possible */ ++ ctxt = xmlRelaxNGNewParserCtxt(filename); ++ xmlRelaxNGSetParserStructuredErrors(ctxt, testStructuredErrorHandler, ++ NULL); ++ ++ /* Should work */ ++ schemas = xmlRelaxNGParse(ctxt); ++ if (schemas == NULL) { ++ testErrorHandler(NULL, "Relax-NG schema %s failed to compile\n", ++ filename); ++ ret = -1; ++ goto done; ++ } ++ xmlRelaxNGFree(schemas); ++ xmlRelaxNGFreeParserCtxt(ctxt); ++ ++ ctxt = xmlRelaxNGNewParserCtxt(filename); ++ /* Should fail */ ++ xmlRelaxParserSetIncLImit(ctxt, 2); ++ xmlRelaxNGSetParserStructuredErrors(ctxt, testStructuredErrorHandler, ++ NULL); ++ schemas = xmlRelaxNGParse(ctxt); ++ if (schemas != NULL) { ++ ret = -1; ++ xmlRelaxNGFree(schemas); ++ } ++ xmlRelaxNGFreeParserCtxt(ctxt); ++ ++ ctxt = xmlRelaxNGNewParserCtxt(filename); ++ /* Should work */ ++ xmlRelaxParserSetIncLImit(ctxt, 3); ++ xmlRelaxNGSetParserStructuredErrors(ctxt, testStructuredErrorHandler, ++ NULL); ++ schemas = xmlRelaxNGParse(ctxt); ++ if (schemas == NULL) { ++ testErrorHandler(NULL, "Relax-NG schema %s failed to compile\n", ++ filename); ++ ret = -1; ++ goto done; ++ } ++ xmlRelaxNGFree(schemas); ++ ++done: ++ xmlRelaxNGFreeParserCtxt(ctxt); ++ return(ret); ++} ++ + #ifdef LIBXML_READER_ENABLED + /** + * rngStreamTest: +@@ -5112,6 +5176,9 @@ testDesc testDescriptions[] = { + { "Relax-NG regression tests" , + rngTest, "./test/relaxng/*.rng", NULL, NULL, NULL, + XML_PARSE_DTDATTR | XML_PARSE_NOENT }, ++ { "Relax-NG include limit tests" , ++ rngIncludeTest, "./test/relaxng/include/include-limit.rng", NULL, NULL, NULL, ++ 0 }, + #ifdef LIBXML_READER_ENABLED + { "Relax-NG streaming regression tests" , + rngStreamTest, "./test/relaxng/*.rng", NULL, NULL, NULL, +diff --git a/test/relaxng/include/include-limit.rng 
b/test/relaxng/include/include-limit.rng +new file mode 100644 +index 00000000..51f03942 +--- /dev/null ++++ b/test/relaxng/include/include-limit.rng +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/test/relaxng/include/include-limit_1.rng b/test/relaxng/include/include-limit_1.rng +new file mode 100644 +index 00000000..4672da38 +--- /dev/null ++++ b/test/relaxng/include/include-limit_1.rng +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/test/relaxng/include/include-limit_2.rng b/test/relaxng/include/include-limit_2.rng +new file mode 100644 +index 00000000..b35ecaa8 +--- /dev/null ++++ b/test/relaxng/include/include-limit_2.rng +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/test/relaxng/include/include-limit_3.rng b/test/relaxng/include/include-limit_3.rng +new file mode 100644 +index 00000000..86213c62 +--- /dev/null ++++ b/test/relaxng/include/include-limit_3.rng +@@ -0,0 +1,8 @@ ++ ++ ++ ++ ++ ++ ++ ++ diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 101be545c0d..396be51d994 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb 
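Review bot: in the `xmlRelaxNGParse` hunk, reading `RNG_INCLUDE_LIMIT` with `getenv()` inside the library makes a security limit adjustable by whoever controls the process environment, set-user-ID programs included, and an unparsable value makes `xmlRelaxNGParse` fail for every schema (`return(NULL)` after the `invalid RNG_INCLUDE_LIMIT` error), not only for schemas that include anything. Prefer the explicit `xmlRelaxParserSetIncLImit` call; if the environment override has to stay, use `secure_getenv()` where available and fall back to the default on a bad value rather than refusing to parse. Minor: `include_limit_env` is fetched before the `ctxt == NULL` check and outside the `if (ctxt->incLimit == 0)` block, so the lookup happens even when its result is never used.

Review bot: the relaxng.h hunk exports `xmlRelaxParserSetIncLImit` (capital I in `LImit`) as a new `XMLPUBFUN` symbol, so this stable-branch backport adds a public function with a misspelled name to 2.12.10; if upstream later renames it, this branch keeps a differently named symbol. The only caller in the patch is `rngIncludeTest` in runtest.c, so consider whether the recipe needs the symbol exported at all, and in any case mention the ABI addition in the commit message. Related: `xmlRelaxNGIncludePush` now returns -1 instead of 0 on error and the only caller shown, `xmlRelaxNGLoadInclude`, checks `< 0`; any other caller in 2.12.10 that still tests the old return value would need the same update.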
@@ -25,6 +25,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-49795.patch \ file://CVE-2025-6170.patch \ file://CVE-2025-7425.patch \ + file://CVE-2026-0989.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"

From patchwork Mon Feb 9 09:28:54 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 80740
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 11/25] libxml2: patch CVE-2026-0990
Date: Mon, 9 Feb 2026 10:28:54 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230762

From: Peter Marko

Pick patch which closed [1].

[1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../libxml/libxml2/CVE-2026-0990.patch | 76 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
new file mode 100644
index 00000000000..d001da19bcc
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0990.patch
@@ -0,0 +1,76 @@ +From 1961208e958ca22f80a0b4e4c9d71cfa050aa982 Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Wed, 17 Dec 2025 15:24:08 +0100 +Subject: [PATCH] catalog: prevent inf recursion in xmlCatalogXMLResolveURI + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018 + +CVE: CVE-2026-0989 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982] +Signed-off-by: Peter Marko +--- + catalog.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +diff --git a/catalog.c b/catalog.c +index 76c063a8..46b877e6 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -2086,12 +2086,21 @@ static xmlChar * + xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) { + xmlChar *ret = NULL; + xmlChar *urnID = NULL; ++ xmlCatalogEntryPtr cur = NULL; + + if (catal == NULL) + return(NULL); + if (URI == NULL) + return(NULL); + ++ if (catal->depth > MAX_CATAL_DEPTH) { ++ xmlCatalogErr(catal, NULL, XML_CATALOG_RECURSION, ++ "Detected recursion in catalog %s\n", ++ catal->name, NULL, NULL); ++ return(NULL); ++ } ++ catal->depth++; ++ + if (!xmlStrncmp(URI, BAD_CAST XML_URN_PUBID, sizeof(XML_URN_PUBID) - 1)) { + urnID = xmlCatalogUnWrapURN(URI); + if (xmlDebugCatalogs) { +@@ -2105,21 +2114,27 @@ xmlCatalogListXMLResolveURI(xmlCatalogEntryPtr catal, const xmlChar *URI) { + ret = xmlCatalogListXMLResolve(catal, urnID, NULL); + if (urnID != NULL) + xmlFree(urnID); ++ catal->depth--; + return(ret); + } +- while (catal != NULL) { +- if (catal->type == XML_CATA_CATALOG) { +- if (catal->children == NULL) { +- xmlFetchXMLCatalogFile(catal); ++ cur = catal; ++ while (cur != NULL) { ++ if (cur->type == XML_CATA_CATALOG) { ++ if (cur->children == NULL) { ++ xmlFetchXMLCatalogFile(cur); + } +- if (catal->children != NULL) { +- ret = xmlCatalogXMLResolveURI(catal->children, URI); +- if (ret != NULL) ++ if (cur->children != NULL) { ++ ret = 
xmlCatalogXMLResolveURI(cur->children, URI); ++ if (ret != NULL) { ++ catal->depth--; + return(ret); ++ } + } + } +- catal = catal->next; ++ cur = cur->next; + } ++ ++ catal->depth--; + return(ret); + } + diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 396be51d994..6a03fc3f6c7 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb 
@@ -26,6 +26,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-6170.patch \ file://CVE-2025-7425.patch \ file://CVE-2026-0989.patch \ + file://CVE-2026-0990.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995" From patchwork Mon Feb 9 09:28:55 2026
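Review bot: the tag inside the new CVE-2026-0990.patch reads `+CVE: CVE-2026-0989`, which contradicts the patch file name, the recipe line `+ file://CVE-2026-0990.patch \` and the commit subject; cve-check also scans the `CVE:` tag in patch contents when deciding which CVE a patch closes, so this should be `CVE: CVE-2026-0990` (the backported upstream commit 1961208e addresses issue 1018, while CVE-2026-0989 is already claimed by the existing CVE-2026-0989.patch in SRC_URI). The catalog.c hunk itself balances the new `catal->depth++` with a `catal->depth--` on every post-increment exit (the urnID return, the in-loop return and the final return), and the switch to a separate `cur` iterator is what keeps the decrement pointing at the original entry, so no further change is needed there.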
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/25] libxml2: patch CVE-2026-0992 Date: Mon, 9 Feb 2026 10:28:55 +0100 Message-ID: <412eea0b1c9f39ad0079e80b152ac774af8a1164.1770626074.git.yoann.congal@smile.fr> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230763 From: Peter Marko Pick patch which closed [1]. Adapt for missing xmlCatalogPrintDebug per [2]. [1] https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 [2] https://gitlab.gnome.org/GNOME/libxml2/-/commit/728869809eb7eee1b1681d558b4b506a8019c151 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../libxml/libxml2/CVE-2026-0992.patch | 49 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch new file mode 100644 index 00000000000..b335dafb634 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch
@@ -0,0 +1,49 @@ +From f75abfcaa419a740a3191e56c60400f3ff18988d Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Fri, 19 Dec 2025 11:02:18 +0100 +Subject: [PATCH] catalog: Ignore repeated nextCatalog entries + +This patch makes the catalog parsing to ignore repeated entries of +nextCatalog with the same value. + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 + +CVE: CVE-2026-0989 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d] +Signed-off-by: Peter Marko +--- + catalog.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/catalog.c b/catalog.c +index 46b877e6..fa6d77ca 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -1266,9 +1266,27 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer, + BAD_CAST "delegateURI", BAD_CAST "uriStartString", + BAD_CAST "catalog", prefer, cgroup); + } else if (xmlStrEqual(cur->name, BAD_CAST "nextCatalog")) { ++ xmlCatalogEntryPtr prev = parent->children; ++ + entry = xmlParseXMLCatalogOneNode(cur, XML_CATA_NEXT_CATALOG, + BAD_CAST "nextCatalog", NULL, + BAD_CAST "catalog", prefer, cgroup); ++ /* Avoid duplication of nextCatalog */ ++ while (prev != NULL) { ++ if ((prev->type == XML_CATA_NEXT_CATALOG) && ++ (xmlStrEqual (prev->URL, entry->URL)) && ++ (xmlStrEqual (prev->value, entry->value)) && ++ (prev->prefer == entry->prefer) && ++ (prev->group == entry->group)) { ++ if (xmlDebugCatalogs) ++ fprintf(stderr, ++ "Ignoring repeated nextCatalog %s\n", entry->URL); ++ xmlFreeCatalogEntry(entry, NULL); ++ entry = NULL; ++ break; ++ } ++ prev = prev->next; ++ } + } + if (entry != NULL) { + if (parent != NULL) { diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index 6a03fc3f6c7..fa081c2382f 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb 
@@ -27,6 +27,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-7425.patch \ file://CVE-2026-0989.patch \ file://CVE-2026-0990.patch \ + file://CVE-2026-0992.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995" From patchwork Mon Feb 9 09:28:56 2026
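Review bot: in the catalog.c hunk, `++ xmlCatalogEntryPtr prev = parent->children;` dereferences `parent` unconditionally, yet the unchanged code a few lines below still guards with `+ if (parent != NULL) {`, so a nextCatalog node parsed with a NULL parent would now crash where it previously did not; initialise it as `prev = (parent != NULL) ? parent->children : NULL;`. The same dedup loop reads `entry->URL`, `entry->value`, `entry->prefer` and `entry->group` before the existing `+ if (entry != NULL) {` check, and that check only exists because xmlParseXMLCatalogOneNode can return NULL, so the loop should also be skipped when `entry == NULL`.

Review bot: the header of CVE-2026-0992.patch again carries `+CVE: CVE-2026-0989` although the file, the recipe line `+ file://CVE-2026-0992.patch \` and the subject all say CVE-2026-0992; correct the tag so cve-check attributes the patch to the right CVE (the follow-up patches in 13/25 tag `CVE: CVE-2026-0992` correctly).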
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/25] libxml2: add follow-up patch for CVE-2026-0992 Date: Mon, 9 Feb 2026 10:28:56 +0100 Message-ID: <8b7d2e4979f567f38d2072b1f65e1cbddb3169c0.1770626074.git.yoann.congal@smile.fr> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230764 From: Peter Marko References: * https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 * https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/377 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- ...2026-0992.patch => CVE-2026-0992-01.patch} | 0 .../libxml/libxml2/CVE-2026-0992-02.patch | 323 ++++++++++++++++++ .../libxml/libxml2/CVE-2026-0992-03.patch | 33 ++ meta/recipes-core/libxml/libxml2_2.12.10.bb | 4 +- 4 files changed, 359 insertions(+), 1 deletion(-) rename meta/recipes-core/libxml/libxml2/{CVE-2026-0992.patch => CVE-2026-0992-01.patch} (100%) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch similarity index 100% rename from meta/recipes-core/libxml/libxml2/CVE-2026-0992.patch rename to meta/recipes-core/libxml/libxml2/CVE-2026-0992-01.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch new file mode 100644 index 00000000000..bab0c4e1f0c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-02.patch
@@ -0,0 +1,323 @@ +From f8399e62a31095bf1ced01827c33f9b29494046f Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Fri, 19 Dec 2025 12:27:54 +0100 +Subject: [PATCH] testcatalog: Add new tests for catalog.c + +Adds a new test program to run specific tests related to catalog +parsing. + +This initial version includes a couple of tests, the first one to check +the infinite recursion detection related to: +https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018. + +The second one tests the nextCatalog element repeated parsing, related +to: +https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019 +https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040 + +CVE: CVE-2026-0992 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/f8399e62a31095bf1ced01827c33f9b29494046f] +Signed-off-by: Peter Marko +--- + CMakeLists.txt | 2 + + Makefile.am | 6 ++ + catalog.c | 63 +++++++++++----- + include/libxml/catalog.h | 2 + + test/catalogs/catalog-recursive.xml | 3 + + test/catalogs/repeated-next-catalog.xml | 10 +++ + testcatalog.c | 96 +++++++++++++++++++++++++ + 7 files changed, 163 insertions(+), 19 deletions(-) + create mode 100644 test/catalogs/catalog-recursive.xml + create mode 100644 test/catalogs/repeated-next-catalog.xml + create mode 100644 testcatalog.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 163661f8..7d5702df 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -517,6 +517,7 @@ if(LIBXML2_WITH_TESTS) + runxmlconf + runsuite + testapi ++ testcatalog + testchar + testdict + testModule +@@ -543,6 +544,7 @@ if(LIBXML2_WITH_TESTS) + if(NOT WIN32) + add_test(NAME testapi COMMAND testapi) + endif() ++ add_test(NAME testcatalog COMMAND testcatalog) + add_test(NAME testchar COMMAND testchar) + add_test(NAME testdict COMMAND testdict) + add_test(NAME testparser COMMAND testparser) +diff --git a/Makefile.am b/Makefile.am +index c51dfd8e..c794eac8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -21,6 +21,7 @@ check_PROGRAMS = \ + testModule 
\ + testThreads \ + testapi \ ++ testcatalog \ + testchar \ + testdict \ + testlimits \ +@@ -143,6 +144,10 @@ testlimits_SOURCES=testlimits.c + testlimits_DEPENDENCIES = $(DEPS) + testlimits_LDADD= $(LDADDS) + ++testcatalog_SOURCES=testcatalog.c ++testcatalog_DEPENDENCIES = $(DEPS) ++testcatalog_LDADD= $(LDADDS) ++ + testchar_SOURCES=testchar.c + testchar_DEPENDENCIES = $(DEPS) + testchar_LDADD= $(LDADDS) +@@ -206,6 +211,7 @@ check-local: + $(CHECKER) ./runtest$(EXEEXT) + $(CHECKER) ./testrecurse$(EXEEXT) + $(CHECKER) ./testapi$(EXEEXT) ++ $(CHECKER) ./testcatalog$(EXEEXT) + $(CHECKER) ./testchar$(EXEEXT) + $(CHECKER) ./testdict$(EXEEXT) + $(CHECKER) ./testparser$(EXEEXT) +diff --git a/catalog.c b/catalog.c +index 401dbc14..eb889162 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -649,43 +649,54 @@ static void xmlDumpXMLCatalogNode(xmlCatalogEntryPtr catal, xmlNodePtr catalog, + } + } + +-static int +-xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) { +- int ret; +- xmlDocPtr doc; ++static xmlDocPtr ++xmlDumpXMLCatalogToDoc(xmlCatalogEntryPtr catal) { + xmlNsPtr ns; + xmlDtdPtr dtd; + xmlNodePtr catalog; +- xmlOutputBufferPtr buf; ++ xmlDocPtr doc = xmlNewDoc(NULL); ++ if (doc == NULL) { ++ return(NULL); ++ } + +- /* +- * Rebuild a catalog +- */ +- doc = xmlNewDoc(NULL); +- if (doc == NULL) +- return(-1); + dtd = xmlNewDtd(doc, BAD_CAST "catalog", +- BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN", +-BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"); ++ BAD_CAST "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN", ++ BAD_CAST "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd"); + + xmlAddChild((xmlNodePtr) doc, (xmlNodePtr) dtd); + + ns = xmlNewNs(NULL, XML_CATALOGS_NAMESPACE, NULL); + if (ns == NULL) { +- xmlFreeDoc(doc); +- return(-1); ++ xmlFreeDoc(doc); ++ return(NULL); + } + catalog = xmlNewDocNode(doc, ns, BAD_CAST "catalog", NULL); + if (catalog == NULL) { +- xmlFreeNs(ns); +- 
xmlFreeDoc(doc); +- return(-1); ++ xmlFreeDoc(doc); ++ xmlFreeNs(ns); ++ return(NULL); + } + catalog->nsDef = ns; + xmlAddChild((xmlNodePtr) doc, catalog); +- + xmlDumpXMLCatalogNode(catal, catalog, doc, ns, NULL); + ++ return(doc); ++} ++ ++static int ++xmlDumpXMLCatalog(FILE *out, xmlCatalogEntryPtr catal) { ++ int ret; ++ xmlDocPtr doc; ++ xmlOutputBufferPtr buf; ++ ++ /* ++ * Rebuild a catalog ++ */ ++ doc = xmlDumpXMLCatalogToDoc(catal); ++ if (doc == NULL) { ++ return(-1); ++ } ++ + /* + * reserialize it + */ +@@ -3417,6 +3428,20 @@ xmlCatalogDump(FILE *out) { + + xmlACatalogDump(xmlDefaultCatalog, out); + } ++ ++/** ++ * Dump all the global catalog content as a xmlDoc ++ * This function is just for testing/debugging purposes ++ * ++ * @returns The catalog as xmlDoc or NULL if failed, it must be freed by the caller. ++ */ ++xmlDocPtr ++xmlCatalogDumpDoc(void) { ++ if (!xmlCatalogInitialized) ++ xmlInitializeCatalog(); ++ ++ return xmlDumpXMLCatalogToDoc(xmlDefaultCatalog->xml); ++} + #endif /* LIBXML_OUTPUT_ENABLED */ + + /** +diff --git a/include/libxml/catalog.h b/include/libxml/catalog.h +index 88a7483c..e1bc5feb 100644 +--- a/include/libxml/catalog.h ++++ b/include/libxml/catalog.h +@@ -119,6 +119,8 @@ XMLPUBFUN void + #ifdef LIBXML_OUTPUT_ENABLED + XMLPUBFUN void + xmlCatalogDump (FILE *out); ++XMLPUBFUN xmlDocPtr ++ xmlCatalogDumpDoc (void); + #endif /* LIBXML_OUTPUT_ENABLED */ + XMLPUBFUN xmlChar * + xmlCatalogResolve (const xmlChar *pubID, +diff --git a/test/catalogs/catalog-recursive.xml b/test/catalogs/catalog-recursive.xml +new file mode 100644 +index 00000000..3b3d03f9 +--- /dev/null ++++ b/test/catalogs/catalog-recursive.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +diff --git a/test/catalogs/repeated-next-catalog.xml b/test/catalogs/repeated-next-catalog.xml +new file mode 100644 +index 00000000..76d34c3c +--- /dev/null ++++ b/test/catalogs/repeated-next-catalog.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/testcatalog.c b/testcatalog.c 
+new file mode 100644 +index 00000000..86d33bd0 +--- /dev/null ++++ b/testcatalog.c +@@ -0,0 +1,96 @@ ++/* ++ * testcatalog.c: C program to run libxml2 catalog.c unit tests ++ * ++ * To compile on Unixes: ++ * cc -o testcatalog `xml2-config --cflags` testcatalog.c `xml2-config --libs` -lpthread ++ * ++ * See Copyright for the status of this software. ++ * ++ * Author: Daniel Garcia ++ */ ++ ++ ++#include "libxml.h" ++#include ++ ++#ifdef LIBXML_CATALOG_ENABLED ++#include ++ ++/* Test catalog resolve uri with recursive catalog */ ++static int ++testRecursiveDelegateUri(void) { ++ int ret = 0; ++ const char *cat = "test/catalogs/catalog-recursive.xml"; ++ const char *entity = "/foo.ent"; ++ xmlChar *resolved = NULL; ++ ++ xmlInitParser(); ++ xmlLoadCatalog(cat); ++ ++ /* This should trigger recursive error */ ++ resolved = xmlCatalogResolveURI(BAD_CAST entity); ++ if (resolved != NULL) { ++ fprintf(stderr, "CATALOG-FAILURE: Catalog %s entity should fail to resolve\n", entity); ++ ret = 1; ++ } ++ xmlCatalogCleanup(); ++ ++ return ret; ++} ++ ++/* Test parsing repeated NextCatalog */ ++static int ++testRepeatedNextCatalog(void) { ++ int ret = 0; ++ int i = 0; ++ const char *cat = "test/catalogs/repeated-next-catalog.xml"; ++ const char *entity = "/foo.ent"; ++ xmlDocPtr doc = NULL; ++ xmlNodePtr node = NULL; ++ ++ xmlInitParser(); ++ ++ xmlLoadCatalog(cat); ++ /* To force the complete recursive load */ ++ xmlCatalogResolveURI(BAD_CAST entity); ++ /** ++ * Ensure that the doc doesn't contain the same nextCatalog ++ */ ++ doc = xmlCatalogDumpDoc(); ++ xmlCatalogCleanup(); ++ ++ if (doc == NULL) { ++ fprintf(stderr, "CATALOG-FAILURE: Failed to dump the catalog\n"); ++ return 1; ++ } ++ ++ /* Just the root "catalog" node with a series of nextCatalog */ ++ node = xmlDocGetRootElement(doc); ++ node = node->children; ++ for (i=0; node != NULL; node=node->next, i++) {} ++ if (i > 1) { ++ fprintf(stderr, "CATALOG-FAILURE: Found %d nextCatalog entries and should be 1\n", i); ++ 
ret = 1; ++ } ++ ++ xmlFreeDoc(doc); ++ ++ return ret; ++} ++ ++int ++main(void) { ++ int err = 0; ++ ++ err |= testRecursiveDelegateUri(); ++ err |= testRepeatedNextCatalog(); ++ ++ return err; ++} ++#else ++/* No catalog, so everything okay */ ++int ++main(void) { ++ return 0; ++} ++#endif diff --git a/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch new file mode 100644 index 00000000000..5964fd16b51 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2026-0992-03.patch @@ -0,0 +1,33 @@ +From deed3b7873dff30b7f87f7f33154c9932a772522 Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Sun, 18 Jan 2026 19:47:11 +0100 +Subject: [PATCH] catalog: Do not check value for duplication nextCatalog + +The value field stores the path as it appears in the catalog definition, +the URL is built using xmlBuildURI that changes the relative paths to +absolute. + +This change fixes the issue of using relative path to the same catalog +in the same file. + +Fix https://gitlab.gnome.org/GNOME/libxml2/-/issues/1040 + +CVE: CVE-2026-0992 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/deed3b7873dff30b7f87f7f33154c9932a772522] +Signed-off-by: Peter Marko +--- + catalog.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/catalog.c b/catalog.c +index eb889162..ba9ee7ae 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -1286,7 +1286,6 @@ xmlParseXMLCatalogNode(xmlNodePtr cur, xmlCatalogPrefer prefer, + while (prev != NULL) { + if ((prev->type == XML_CATA_NEXT_CATALOG) && + (xmlStrEqual (prev->URL, entry->URL)) && +- (xmlStrEqual (prev->value, entry->value)) && + (prev->prefer == entry->prefer) && + (prev->group == entry->group)) { + if (xmlDebugCatalogs) diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index fa081c2382f..25da11bd2d3 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb 
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb 
@@ -27,7 +27,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt file://CVE-2025-7425.patch \ file://CVE-2026-0989.patch \ file://CVE-2026-0990.patch \ - file://CVE-2026-0992.patch \ + file://CVE-2026-0992-01.patch \ + file://CVE-2026-0992-02.patch \ + file://CVE-2026-0992-03.patch \ " SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995" From patchwork Mon Feb 9 09:28:57 2026
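Review bot: in the testcatalog.c hunk of CVE-2026-0992-02.patch, both tests ignore the return value of `xmlLoadCatalog(cat)`, and testRecursiveDelegateUri treats `resolved == NULL` as success, so if `test/catalogs/catalog-recursive.xml` cannot be loaded (the path is relative to the current directory) the recursion test passes without exercising the fix; check the xmlLoadCatalog result and fail the test on a load error. In testRepeatedNextCatalog, `node = xmlDocGetRootElement(doc); node = node->children;` also dereferences the root element without a NULL check. Note too that the two new `test/catalogs/*.xml` files render here as blank `+` lines, so verify the committed patch file carries the XML elements the tests depend on.

Review bot: the include/libxml/catalog.h hunk exports a new public symbol, `XMLPUBFUN xmlDocPtr xmlCatalogDumpDoc (void);`, while the accompanying catalog.c comment states the function is "just for testing/debugging purposes" and its only caller is testcatalog.c; adding public API to the stable 2.12.10 recipe goes beyond what the CVE fix needs, so either drop the test-program portion of the backport or state in the commit message why the API addition is acceptable on scarthgap.

Review bot: CVE-2026-0992-03.patch removes the `(xmlStrEqual (prev->value, entry->value)) &&` clause so that relative and absolute spellings of the same catalog path compare equal via `prev->URL`; this is the right fix for issue 1040, but the recipe commit message only lists the references, so one sentence explaining that -02 adds the regression tests and -03 completes the dedup check would help future cve-check triage.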
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/25] python3: patch CVE-2025-13837 Date: Mon, 9 Feb 2026 10:28:57 +0100 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230765 From: Peter Marko Pick patch from 3.12 branch per NVD report. Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- .../python/python3/CVE-2025-13837.patch | 162 ++++++++++++++++++ .../python/python3_3.12.12.bb | 1 + 2 files changed, 163 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13837.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch new file mode 100644 index 00000000000..0f2e06a4912 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
@@ -0,0 +1,162 @@ +From 5a8b19677d818fb41ee55f310233772e15aa1a2b Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Mon, 22 Dec 2025 15:49:44 +0200 +Subject: [PATCH] [3.12] gh-119342: Fix a potential denial of service in + plistlib (GH-119343) (#142149) + +Reading a specially prepared small Plist file could cause OOM because file's +read(n) preallocates a bytes object for reading the specified amount of +data. Now plistlib reads large data by chunks, therefore the upper limit of +consumed memory is proportional to the size of the input file. +(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70) + +CVE: CVE-2025-13837 +Upstream-Status: Backport [https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b] +Signed-off-by: Peter Marko +--- + Lib/plistlib.py | 31 ++++++++++------ + Lib/test/test_plistlib.py | 37 +++++++++++++++++-- + ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst | 5 +++ + 3 files changed, 59 insertions(+), 14 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst + +diff --git a/Lib/plistlib.py b/Lib/plistlib.py +index 3292c30d5f..c5554ea1f7 100644 +--- a/Lib/plistlib.py ++++ b/Lib/plistlib.py +@@ -73,6 +73,9 @@ from xml.parsers.expat import ParserCreate + PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__) + globals().update(PlistFormat.__members__) + ++# Data larger than this will be read in chunks, to prevent extreme ++# overallocation. 
++_MIN_READ_BUF_SIZE = 1 << 20 + + class UID: + def __init__(self, data): +@@ -499,12 +502,24 @@ class _BinaryPlistParser: + + return tokenL + ++ def _read(self, size): ++ cursize = min(size, _MIN_READ_BUF_SIZE) ++ data = self._fp.read(cursize) ++ while True: ++ if len(data) != cursize: ++ raise InvalidFileException ++ if cursize == size: ++ return data ++ delta = min(cursize, size - cursize) ++ data += self._fp.read(delta) ++ cursize += delta ++ + def _read_ints(self, n, size): +- data = self._fp.read(size * n) ++ data = self._read(size * n) + if size in _BINARY_FORMAT: + return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data) + else: +- if not size or len(data) != size * n: ++ if not size: + raise InvalidFileException() + return tuple(int.from_bytes(data[i: i + size], 'big') + for i in range(0, size * n, size)) +@@ -561,22 +576,16 @@ class _BinaryPlistParser: + + elif tokenH == 0x40: # data + s = self._get_size(tokenL) +- result = self._fp.read(s) +- if len(result) != s: +- raise InvalidFileException() ++ result = self._read(s) + + elif tokenH == 0x50: # ascii string + s = self._get_size(tokenL) +- data = self._fp.read(s) +- if len(data) != s: +- raise InvalidFileException() ++ data = self._read(s) + result = data.decode('ascii') + + elif tokenH == 0x60: # unicode string + s = self._get_size(tokenL) * 2 +- data = self._fp.read(s) +- if len(data) != s: +- raise InvalidFileException() ++ data = self._read(s) + result = data.decode('utf-16be') + + elif tokenH == 0x80: # UID +diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py +index fa46050658..229a5a242e 100644 +--- a/Lib/test/test_plistlib.py ++++ b/Lib/test/test_plistlib.py +@@ -841,8 +841,7 @@ class TestPlistlib(unittest.TestCase): + + class TestBinaryPlistlib(unittest.TestCase): + +- @staticmethod +- def decode(*objects, offset_size=1, ref_size=1): ++ def build(self, *objects, offset_size=1, ref_size=1): + data = [b'bplist00'] + offset = 8 + offsets = [] +@@ -854,7 +853,11 @@ class 
TestBinaryPlistlib(unittest.TestCase): + len(objects), 0, offset) + data.extend(offsets) + data.append(tail) +- return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY) ++ return b''.join(data) ++ ++ def decode(self, *objects, offset_size=1, ref_size=1): ++ data = self.build(*objects, offset_size=offset_size, ref_size=ref_size) ++ return plistlib.loads(data, fmt=plistlib.FMT_BINARY) + + def test_nonstandard_refs_size(self): + # Issue #21538: Refs and offsets are 24-bit integers +@@ -963,6 +966,34 @@ class TestBinaryPlistlib(unittest.TestCase): + with self.assertRaises(plistlib.InvalidFileException): + plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY) + ++ def test_truncated_large_data(self): ++ self.addCleanup(os_helper.unlink, os_helper.TESTFN) ++ def check(data): ++ with open(os_helper.TESTFN, 'wb') as f: ++ f.write(data) ++ # buffered file ++ with open(os_helper.TESTFN, 'rb') as f: ++ with self.assertRaises(plistlib.InvalidFileException): ++ plistlib.load(f, fmt=plistlib.FMT_BINARY) ++ # unbuffered file ++ with open(os_helper.TESTFN, 'rb', buffering=0) as f: ++ with self.assertRaises(plistlib.InvalidFileException): ++ plistlib.load(f, fmt=plistlib.FMT_BINARY) ++ for w in range(20, 64): ++ s = 1 << w ++ # data ++ check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big'))) ++ # ascii string ++ check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big'))) ++ # unicode string ++ check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big'))) ++ # array ++ check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big'))) ++ # dict ++ check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big'))) ++ # number of objects ++ check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8)) ++ + + class TestKeyedArchive(unittest.TestCase): + def test_keyed_archive_data(self): +diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst +new file mode 100644 +index 0000000000..04fd8faca4 +--- /dev/null ++++ 
b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst +@@ -0,0 +1,5 @@ ++Fix a potential memory denial of service in the :mod:`plistlib` module. ++When reading a Plist file received from untrusted source, it could cause ++an arbitrary amount of memory to be allocated. ++This could have led to symptoms including a :exc:`MemoryError`, swapping, out ++of memory (OOM) killed processes or containers, or even system crashes. diff --git a/meta/recipes-devtools/python/python3_3.12.12.bb b/meta/recipes-devtools/python/python3_3.12.12.bb index 280d98424a5..ce2c830655d 100644 --- a/meta/recipes-devtools/python/python3_3.12.12.bb +++ b/meta/recipes-devtools/python/python3_3.12.12.bb 
@@ -37,6 +37,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2025-6075.patch \ file://CVE-2025-12084.patch \ file://CVE-2025-13836.patch \ + file://CVE-2025-13837.patch \ " SRC_URI:append:class-native = " \
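Review bot: in the Lib/test/test_plistlib.py hunk, `build()` now returns the raw `b''.join(data)` instead of the decoded object and a new `decode()` wrapper does the `plistlib.loads()`, but the visible lines do not show the existing callers of `build()` (for example `test_nonstandard_refs_size`, which follows as context) being switched to `decode()`; confirm the backport carries those call-site changes, otherwise the existing assertions compare bytes against objects. `test_truncated_large_data` also relies on `os_helper` and `struct` without the hunk adding either import, so check both are already imported in the 3.12.12 copy of the file.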
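Review bot: in the python3_3.12.12.bb hunk, CVE-2025-13837.patch is appended after CVE-2025-13836.patch; the patch file header is not in the visible lines, so make sure it carries the `CVE: CVE-2025-13837` and `Upstream-Status: Backport [...]` tags that cve-check needs to mark the CVE as patched, and that the upstream reference matches the gh-issue-119342 NEWS entry the patch adds.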
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/25] python-urllib3: Backport fix for CVE-2026-21441
Date: Mon, 9 Feb 2026 10:28:58 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230766

From: Adarsh Jagadish Kamini

Include the patch linked in the NVD report:
https://nvd.nist.gov/vuln/detail/CVE-2026-21441

Signed-off-by: Adarsh Jagadish Kamini
Signed-off-by: Yoann Congal
---
 .../python3-urllib3/CVE-2026-21441.patch | 105 ++++++++++++++++++
 .../python/python3-urllib3_2.2.2.bb | 1 +
 2 files changed, 106 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch

diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch new file mode 100644 index 00000000000..16af67af312 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
@@ -0,0 +1,105 @@ +From 686d2bdd4affd3c86e605f54a72afe53c920f72f Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Wed, 7 Jan 2026 18:07:30 +0200 +Subject: [PATCH] Backport fix CVE-2026-21441 python urllib3 + +Original commit: 8864ac407bba8607950025e0979c4c69bc7abc7b +Original-author: Illia Volochii + +Bugfixes +-------- + +- Fixed a high-severity security issue where decompression-bomb safeguards of + the streaming API were bypassed when HTTP redirects were followed. + (`GHSA-38jv-5279-wg99 `__) + +* Stop decoding response content during redirects needlessly + +* Rename the new query parameter + +* Add a changelog entry + +Fixes CVE-2026-21441 +CVE: CVE-2026-21441 + +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b] + +Signed-off-by: Adarsh Jagadish Kamini +--- + dummyserver/app.py | 8 +++++++- + src/urllib3/response.py | 6 +++++- + test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++ + 3 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/dummyserver/app.py b/dummyserver/app.py +index 9fc9d1b7..c4978152 100644 +--- a/dummyserver/app.py ++++ b/dummyserver/app.py +@@ -233,10 +233,16 @@ async def redirect() -> ResponseReturnValue: + values = await request.values + target = values.get("target", "/") + status = values.get("status", "303 See Other") ++ compressed = values.get("compressed") == "true" + status_code = status.split(" ")[0] + + headers = [("Location", target)] +- return await make_response("", status_code, headers) ++ if compressed: ++ headers.append(("Content-Encoding", "gzip")) ++ data = gzip.compress(b"foo") ++ else: ++ data = b"" ++ return await make_response(data, status_code, headers) + + + @hypercorn_app.route("/redirect_after") +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index a0273d65..909da62b 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -646,7 +646,11 @@ class HTTPResponse(BaseHTTPResponse): + Unread data 
in the HTTPResponse connection blocks the connection from being released back to the pool. + """ + try: +- self.read() ++ self.read( ++ # Do not spend resources decoding the content unless ++ # decoding has already been initiated. ++ decode_content=self._has_decoded_content, ++ ) + except (HTTPError, OSError, BaseSSLError, HTTPException): + pass + +diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py +index 4fbe6a4f..ebcdf9bf 100644 +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -480,6 +480,25 @@ class TestConnectionPool(HypercornDummyServerTestCase): + assert r.status == 200 + assert r.data == b"Dummy server!" + ++ @mock.patch("urllib3.response.GzipDecoder.decompress") ++ def test_no_decoding_with_redirect_when_preload_disabled( ++ self, gzip_decompress: mock.MagicMock ++ ) -> None: ++ """ ++ Test that urllib3 does not attempt to decode a gzipped redirect ++ response when `preload_content` is set to `False`. ++ """ ++ with HTTPConnectionPool(self.host, self.port) as pool: ++ # Three requests are expected: two redirects and one final / 200 OK. ++ response = pool.request( ++ "GET", ++ "/redirect", ++ fields={"target": "/redirect?compressed=true", "compressed": "true"}, ++ preload_content=False, ++ ) ++ assert response.status == 200 ++ gzip_decompress.assert_not_called() ++ + def test_303_redirect_makes_request_lose_body(self) -> None: + with HTTPConnectionPool(self.host, self.port) as pool: + response = pool.request( +-- +2.44.0 + diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb index 620927322a0..f6ac8f89cad 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb 
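Review bot: in the dummyserver/app.py hunk, the `compressed` branch calls `gzip.compress(b"foo")` but the hunk adds no import; confirm `gzip` is already imported at the top of dummyserver/app.py in the 2.2.2 tree, otherwise the new test fails with a NameError on the server side instead of exercising the drain path.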
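Review bot: in the src/urllib3/response.py hunk, `drain_conn()` now passes `decode_content=self._has_decoded_content`, which the hunk does not define; confirm `HTTPResponse` in 2.2.2 sets `_has_decoded_content` in `__init__` and flips it in the decode path, because an AttributeError here is not in the `except (HTTPError, OSError, BaseSSLError, HTTPException)` list and would propagate out of every redirect followed with `preload_content=False`. One caveat worth stating in the patch header: the guard is only effective while nothing has been decoded yet; once `_has_decoded_content` is True the drain still inflates the rest of the body, so the fix relies on the redirect path draining before any decoded read, which is the case for urlopen's own redirect handling but not for a caller who reads part of a 3xx body and then drains it.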
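Review bot: in the test/with_dummyserver/test_connectionpool.py hunk, `mock.patch("urllib3.response.GzipDecoder.decompress")` needs `mock` in scope (`from unittest import mock`), which the hunk does not add; confirm the module already imports it. The comment "Three requests are expected: two redirects and one final / 200 OK" is not backed by an assertion; add `assert pool.num_requests == 3` after the request so a future change that stops following the second hop cannot pass this test with `gzip_decompress.assert_not_called()` still trivially true.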
@@ -11,6 +11,7 @@ SRC_URI += " \ file://CVE-2025-50181.patch \ file://CVE-2025-66418.patch \ file://CVE-2025-66471.patch \ + file://CVE-2026-21441.patch \ " RDEPENDS:${PN} += "\
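Review bot: in the python3-urllib3_2.2.2.bb hunk, CVE-2026-21441.patch is appended after CVE-2025-66418.patch and CVE-2025-66471.patch, so it applies on top of them; confirm the `drain_conn()` context (`self.read()` at response.py line 646 in the backport) still matches once those two are applied, rather than relying on fuzz, and that the three patches together do not leave two different `decode_content` arguments on that call.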
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/25] zlib: ignore CVE-2026-22184
Date: Mon, 9 Feb 2026 10:28:59 +0100
Message-ID: <52cbace519c5d490a83550d7baa1c0fa200eafcb.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230767

From: Peter Marko

This is a CVE for the example tool contrib/untgz. It is not compiled in the Yocto zlib recipe.

This CVE has a controversial CVSS3 score of 9.8.

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb index e6a81ef7898..8ebc6befc2b 100644 --- a/meta/recipes-core/zlib/zlib_1.3.1.bb +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@@ -48,3 +48,4 @@ BBCLASSEXTEND = "native nativesdk" CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip" CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib" +CVE_STATUS[CVE-2026-22184] = "not-applicable-config: vulnerable file is not compiled"
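Review bot: in the zlib_1.3.1.bb hunk, the reason string `not-applicable-config: vulnerable file is not compiled` does not say which file, while the neighbouring CVE-2023-45853 entry names its component (`we don't build minizip`) and the commit message says the CVE is in contrib/untgz; put that in the recipe, e.g. `not-applicable-config: example tool contrib/untgz is not compiled`, so cve-check output is self-explanatory without the git log. Worth adding that the status must be revisited if the recipe ever starts building anything under contrib/, since the justification is a build-configuration fact rather than a code fix.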
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 17/25] ffmpeg: upgrade 6.1.3 -> 6.1.4
Date: Mon, 9 Feb 2026 10:29:00 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230768

From: Ankur Tyagi

Dropped patches that are part of the upstream version.

Changelog: https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/34277e12e80031c7f89494ba543684bc1dd0be8f:/Changelog

Signed-off-by: Ankur Tyagi
Signed-off-by: Yoann Congal
---
 .../ffmpeg/ffmpeg/CVE-2024-35365.patch | 62 -----------
 .../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 ------
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch | 105 ------------------
 .../{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} | 5 +-
 4 files changed, 1 insertion(+), 207 deletions(-)
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} (98%)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch deleted file mode 100644 index 2b5646e07ca..00000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch +++ /dev/null
@@ -1,62 +0,0 @@ -From ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 Mon Sep 17 00:00:00 2001 -From: Andreas Rheinhardt -Date: Mon, 25 Mar 2024 16:54:25 +0100 -Subject: [PATCH] fftools/ffmpeg_mux_init: Fix double-free on error - -MATCH_PER_STREAM_OPT iterates over all options of a given -OptionDef and tests whether they apply to the current stream; -if so, they are set to ost->apad, otherwise, the code errors -out. If no error happens, ost->apad is av_strdup'ed in order -to take ownership of this pointer. - -But this means that setting it originally was premature, -as it leads to double-frees when an error happens lateron. -This can simply be reproduced with -ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null - -This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd. - -Fix this by using a temporary variable instead of directly -setting ost->apad. Also only strdup the string if it actually -is != NULL. - -Reviewed-by: Marth64 -Signed-off-by: Andreas Rheinhardt - -CVE: CVE-2024-35365 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5] - -Signed-off-by: Archana Polampalli ---- - fftools/ffmpeg_mux_init.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c -index 63a25a3..685c064 100644 ---- a/fftools/ffmpeg_mux_init.c -+++ b/fftools/ffmpeg_mux_init.c -@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o, - int channels = 0; - char *layout = NULL; - char *sample_fmt = NULL; -+ const char *apad = NULL; - - MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st); - if (channels) { -@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o, - - MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st); - -- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st); -- ost->apad = av_strdup(ost->apad); -+ MATCH_PER_STREAM_OPT(apad, str, apad, 
oc, st); -+ if (apad) { -+ ost->apad = av_strdup(apad); -+ if (!ost->apad) -+ return AVERROR(ENOMEM); -+ } - - #if FFMPEG_OPT_MAP_CHANNEL - /* check for channel mapping for this audio stream */ --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch deleted file mode 100644 index 5caca2da7c6..00000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001 -From: Andreas Rheinhardt -Date: Tue, 12 Mar 2024 23:23:17 +0100 -Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX < - INT64_MAX - -Affects many FATE-tests, see -https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu - -Reviewed-by: James Almer -Signed-off-by: Andreas Rheinhardt - -CVE: CVE-2024-36618 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857] - -Signed-off-by: Archana Polampalli ---- - libavformat/avidec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavformat/avidec.c b/libavformat/avidec.c -index 00bd7a9..bc95466 100644 ---- a/libavformat/avidec.c -+++ b/libavformat/avidec.c -@@ -1696,7 +1696,7 @@ static int check_stream_max_drift(AVFormatContext *s) - int *idx = av_calloc(s->nb_streams, sizeof(*idx)); - if (!idx) - return AVERROR(ENOMEM); -- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { -+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) { - int64_t max_dts = INT64_MIN / 2; - int64_t min_dts = INT64_MAX / 2; - int64_t max_buffer = 0; --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch deleted file mode 100644 index af71055c02b..00000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001 -From: Lynne -Date: Sat, 8 Feb 2025 04:35:31 +0100 -Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement - -The issue is that: - -float en[2]; -... -tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; -for (g = 0; g < tns->n_filt[w]; g++) { - tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g]; - -When using the AAC Main profile, n_filt = 3, and slant is by -default 2 (normal long frames), g can go above 1. - -en is the evolution of energy in the frequency domain for every -band at the given window. E.g. whether the energy is concentrated -at the top of each band, or the bottom. - -For 2-pole filters, its straightforward. -For 3-pole filters, we need more than 2 measurements. - -This commit properly implements support for 3-pole filters, by measuring -the band energy across three areas. - -Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows -n_filt == 3. - -Fixes https://trac.ffmpeg.org/ticket/11418 - -CVE: CVE-2025-1594 - -Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c] - -Signed-off-by: Archana Polampalli ---- - libavcodec/aacenc_tns.c | 33 ++++++++++++++++++++++++--------- - 1 file changed, 24 insertions(+), 9 deletions(-) - -diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c -index 8dc6dfc..9ea3506 100644 ---- a/libavcodec/aacenc_tns.c -+++ b/libavcodec/aacenc_tns.c -@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) - sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2; - const int sfb_len = sfb_end - sfb_start; - const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start]; -+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 
2 : 3; - - if (coef_len <= 0 || sfb_len <= 0) { - sce->tns.present = 0; -@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) - } - - for (w = 0; w < sce->ics.num_windows; w++) { -- float en[2] = {0.0f, 0.0f}; -+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f}; - int oc_start = 0, os_start = 0; - int coef_start = sce->ics.swb_offset[sfb_start]; - -- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { -- FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; -- if (g > sfb_start + (sfb_len/2)) -- en[1] += band->energy; -- else -- en[0] += band->energy; -+ if (n_filt == 2) { -+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { -+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; -+ if (g > sfb_start + (sfb_len/2)) -+ en[1] += band->energy; /* End */ -+ else -+ en[0] += band->energy; /* Start */ -+ } -+ en[2] = en[0]; -+ } else { -+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { -+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; -+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4)) -+ en[2] += band->energy; /* End */ -+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4)) -+ en[1] += band->energy; /* Middle */ -+ else -+ en[0] += band->energy; /* Start */ -+ } -+ en[3] = en[0]; - } - - /* LPC */ -@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) - if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH) - continue; - -- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; -+ tns->n_filt[w] = n_filt; - for (g = 0; g < tns->n_filt[w]; g++) { -- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g]; -+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1]; - tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start; - tns->length[w][g] = g < tns->n_filt[w] ? 
sfb_len/tns->n_filt[w] : sfb_len - os_start; - quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g], --- -2.40.0 - diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb similarity index 98% rename from meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb rename to meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb index 38c6d1f2b7d..8b0b7cfd6e9 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb 
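Review bot: the three deleted backports each record their upstream commit in the header (ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 for CVE-2024-35365, 7a089ed8e049e3bfcb22de1250b86f2106060857 for CVE-2024-36618, bedfb6eca402037f5cbb115fa767d106b8c14f1c for CVE-2025-1594), but the commit message only points at the 6.1.4 Changelog, which is not a per-CVE record; state in the message how each was verified to be in n6.1.4. Note that release-branch cherry-picks carry different hashes from the master commits quoted in the patch headers, so `git tag --contains <master hash>` will not list n6.1.4; check the release/6.1 log for the subject lines (`fftools/ffmpeg_mux_init: Fix double-free on error`, `avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX`, `aacenc_tns: clamp filter direction energy measurement`) instead.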
@@ -29,15 +29,12 @@ SRC_URI = " \ file://vulkan_fix_gcc14.patch \ file://CVE-2024-28661.patch \ file://CVE-2023-49528.patch \ - file://CVE-2024-35365.patch \ - file://CVE-2024-36618.patch \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ file://CVE-2025-22921.patch \ - file://CVE-2025-1594.patch \ " -SRC_URI[sha256sum] = "bc5f1e4a4d283a6492354684ee1124129c52293bcfc6a9169193539fbece3487" +SRC_URI[sha256sum] = "a231e3d5742c44b1cdaebfb98ad7b6200d12763e0b6db9e1e2c5891f2c083a18" # https://nvd.nist.gov/vuln/detail/CVE-2023-39018 # https://github.com/bramp/ffmpeg-cli-wrapper/issues/291
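Review bot: in the ffmpeg_6.1.4.bb hunk, five backports stay in SRC_URI after the bump (CVE-2024-28661, CVE-2023-49528, CVE-2024-35369, CVE-2025-25473, CVE-2025-22921); confirm each still applies to 6.1.4 without fuzz and that none of them is itself contained in 6.1.4, in which case it should be dropped for the same reason as the three removed here. The sha256sum change is the only functional line; mention in the message where the new tarball checksum was taken from (upstream release signature or the download page), since a rename plus checksum swap is exactly what a tampered source would look like in review.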
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 18/25] ffmpeg: ignore CVE-2025-25469
Date: Mon, 9 Feb 2026 10:29:01 +0100
Message-ID: <33f0c3a70be9bc4a885622b8c033f9fe1bfeba3e.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230769

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-25469

This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer), which was introduced in version 7.0 [1]:

$ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
n7.0
n7.0.1
n7.0.2
n7.0.3
n7.1
n7.1-dev
n7.1.1
n7.1.2
n7.1.3
n7.2-dev
n8.0
n8.0.1
n8.1-dev

[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b

Signed-off-by: Ankur Tyagi
Signed-off-by: Yoann Congal
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb index 8b0b7cfd6e9..c1536015d98 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
@@ -51,6 +51,8 @@ CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_61x" CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585" CVE_STATUS_FIXED_61x[status] = "cpe-incorrect:these CVEs are fixed in 6.1.x" +CVE_STATUS[CVE-2025-25469] = "cpe-incorrect: Current version (6.1.4) is not impacted." + # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 ARM_INSTRUCTION_SET:armv4 = "arm" ARM_INSTRUCTION_SET:armv5 = "arm"
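Review bot: the status string added in the ffmpeg_6.1.4.bb hunk, "cpe-incorrect: Current version (6.1.4) is not impacted.", records the conclusion but not the reason, and it will read as stale after the next 6.1.x version bump. The commit message already establishes the reason (git tag --contains shows the IAMF demuxer first appears in n7.0), so put it in the recipe, e.g. `CVE_STATUS[CVE-2025-25469] = "cpe-incorrect: affected IAMF demuxer was only introduced in 7.0, 6.1.x does not contain it"`, so that a later maintainer can verify the exclusion without digging up this mail.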
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 19/25] glibc: stable 2.39 branch updates
Date: Mon, 9 Feb 2026 10:29:02 +0100
Message-ID: <3f86db0e4faf9519fcfcb981e57f673daeb20269.1770626074.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230770
From: Peter Marko

git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
beb8267909 sprof: check pread size and offset for overflow
c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
f6becd8ae8 ppc64le: Restore optimized strncmp for power10
0daa4e46b8 ppc64le: Restore optimized strcmp for power10
28c1de6580 AArch64: Fix instability in AdvSIMD tan
03d0393343 AArch64: Optimise SVE scalar callbacks
0d05a895f1 aarch64: fix includes in SME tests
c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
d60f15dc89 aarch64: tests for SME
d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
58cf4aa421 aarch64: update tests for SME
1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)

Testing Results:
              Before  After  Diff
PASS            4926   4921    -5
XPASS              4      4     0
FAIL             223    229    +6
XFAIL             16     16     0
UNSUPPORTED      224    224     0

Changes in failed testcases:
  testcase-name                                 before  after
  elf/tst-audit21                               PASS    FAIL
  malloc/tst-malloc-too-large                   PASS    FAIL
  malloc/tst-malloc-too-large-malloc-check      PASS    FAIL
  malloc/tst-malloc-too-large-malloc-hugetlb1   PASS    FAIL
  malloc/tst-malloc-too-large-malloc-hugetlb2   PASS    FAIL
  malloc/tst-malloc-too-large-mcheck            PASS    FAIL

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.39.bb     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 2ca15711587..03a8e5d01e3 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.39/master" PV = "2.39+git" -SRCREV_glibc ?= "58cbbd43fe82910cf8ae9008351b0b0665104500" +SRCREV_glibc ?= "ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc" SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index ff6c8f3b437..7958d64eed1 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -18,7 +18,7 @@ easier access for another. 'ASLR bypass itself is not a vulnerability.'" CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS" CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2025-0395 \ - CVE-2025-4802 CVE-2025-5702 CVE-2025-8058" + CVE-2025-4802 CVE-2025-5702 CVE-2025-8058 CVE-2025-15281 CVE-2026-0861 CVE-2026-0915" CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash" DEPENDS += "gperf-native bison-native"
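Review bot: the SRCREV_glibc bump in the glibc-version.inc hunk is accompanied by six new test failures in the commit message (elf/tst-audit21 and the five malloc/tst-malloc-too-large variants) with no statement of whether they were analysed. The same commit range contains "memalign: reinstate alignment overflow check (CVE-2026-0861)", which is exactly the code path those malloc tests exercise, so before a stable branch takes this the message should say whether the failures are an expected side effect of that change, a test-host limitation, or a regression that needs a follow-up fix.

Review bot: the three IDs appended to CVE_STATUS_STABLE_BACKPORTS in the glibc_2.39.bb hunk match the CVE-tagged commits in the log range, but the status text "cpe-stable-backport: fix available in used git hash" is only true while SRCREV_glibc in the separate glibc-version.inc file stays at or after ce65d944e3. A short comment beside the list naming the minimum SRCREV that carries these fixes would make that coupling visible to the next person who bumps one file without the other.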
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 20/25] meta/classes: fix missing vardeps for CVE status variables
Date: Mon, 9 Feb 2026 10:29:03 +0100
Message-ID: <7c522722b89e5882bf46e472cf98cacb5fb586b5.1770626074.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230771

From: Benjamin Robin (Schneider Electric)

Several CVE helper functions (get_patched_cves() and decode_cve_status()) implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but these were not declared in the vardeps of their callers.

On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541) cannot be cherry-picked cleanly, as it also requires BitBake changes.

As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the vardeps of all tasks invoking these helpers, ensuring correct task re-execution when CVE status changes.

This keeps CVE-related metadata generation consistent without requiring BitBake modifications.

Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Yoann Congal
---
 meta/classes/create-spdx-2.2.bbclass | 1 +
 meta/classes/create-spdx-3.0.bbclass | 2 ++
 meta/classes/cve-check.bbclass       | 1 +
 meta/classes/vex.bbclass             | 1 +
 4 files changed, 5 insertions(+)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index aaa2e78fe21..037193bb4b9 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -710,6 +710,7 @@ python do_create_spdx() { oe.sbom.write_doc(d, package_doc, pkg_arch, "packages", indent=get_json_indent(d)) } +do_create_spdx[vardeps] += "CVE_STATUS" do_create_spdx[vardepsexclude] += "BB_NUMBER_THREADS" # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source addtask do_create_spdx after do_package do_packagedata do_unpack do_collect_spdx_deps before do_populate_sdk do_build do_rm_work diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 6125e8b5479..388497054b0 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -159,6 +159,8 @@ do_create_spdx[vardeps] += "\ SPDX_PROFILES \ SPDX_NAMESPACE_PREFIX \ SPDX_UUID_NAMESPACE \ + CVE_STATUS \ + CVE_CHECK_STATUSMAP \ " addtask do_create_spdx after \ diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index f5bbaa5d159..3f4704fb4ec 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -187,6 +187,7 @@ python do_cve_check () { } addtask cve_check before do_build +do_cve_check[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP" do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" do_cve_check[nostamp] = "1" diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass index 707e6f45a19..45a15348724 100644 --- a/meta/classes/vex.bbclass +++ b/meta/classes/vex.bbclass 
@@ -160,6 +160,7 @@ python do_generate_vex () { cve_write_data_json(d, cve_data, cves_status) } +do_generate_vex[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP" addtask generate_vex before do_build
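Review bot: the create-spdx-2.2.bbclass hunk adds only CVE_STATUS to do_create_spdx[vardeps], whereas the commit message says the helpers depend on both CVE_STATUS and CVE_CHECK_STATUSMAP, and the create-spdx-3.0, cve-check and vex hunks declare both. Unless do_create_spdx in the 2.2 class is known never to reach decode_cve_status(), this line should be `do_create_spdx[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP"` so that editing the status map also invalidates the SPDX 2.2 output; if the omission is deliberate, say why in the commit message.

Review bot: in the cve-check.bbclass hunk the new vardeps line lands two lines above the existing `do_cve_check[nostamp] = "1"`, so do_cve_check already re-executes on every build and the "correct task re-execution" rationale from the commit message does not apply to this task. The addition is still useful because it changes the task signature that downstream tasks see when CVE_STATUS changes, but the commit message should state that, so nobody later removes the line as redundant next to nostamp.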
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 21/25] improve_kernel_cve_report: add script for postprocessing of kernel CVE data
Date: Mon, 9 Feb 2026 10:29:04 +0100
Message-ID: <1adc13b185d18abd926ceab4fc893374b35f9adf.1770626074.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230772
From: Daniel Turull

Adding postprocessing script to process data from linux CNA that includes more accurate metadata and is updated directly by the source.

Example of enhanced CVE from a report from cve-check:

    {
      "id": "CVE-2024-26710",
      "status": "Ignored",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
      "summary": "In the Linux kernel, the following vulnerability [...]",
      "scorev2": "0.0",
      "scorev3": "5.5",
      "scorev4": "0.0",
      "modified": "2025-03-17T15:36:11.620",
      "vector": "LOCAL",
      "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "detail": "not-applicable-config",
      "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
    },

And same from a report generated with vex:

    {
      "id": "CVE-2024-26710",
      "status": "Ignored",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
      "detail": "not-applicable-config",
      "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
    },

For unpatched CVEs, provide more context in the description:

Tested with 6.12.22 kernel

    {
      "id": "CVE-2025-39728",
      "status": "Unpatched",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
      "summary": "In the Linux kernel, the following vulnerability has been [...],
      "scorev2": "0.0",
      "scorev3": "0.0",
      "scorev4": "0.0",
      "modified": "2025-04-21T14:23:45.950",
      "vector": "UNKNOWN",
      "vectorString": "UNKNOWN",
      "detail": "version-in-range",
      "description": "Needs backporting (fixed from 6.12.23)"
    },

CC: Peter Marko
CC: Marta Rybczynska
Signed-off-by: Daniel Turull
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
Signed-off-by: Suresh H A
Signed-off-by: Yoann Congal
---
 scripts/contrib/improve_kernel_cve_report.py | 467 +++++++++++++++++++
 1 file changed, 467 insertions(+)
 create mode 100755 scripts/contrib/improve_kernel_cve_report.py
diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
new file mode 100755
index 00000000000..829cc4cd30e
--- /dev/null
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -0,0 +1,467 @@ +#! /usr/bin/env python3 +# +# Copyright OpenEmbedded Contributors +# +# The script uses another source of CVE information from linux-vulns +# to enrich the cve-summary from cve-check or vex. +# It can also use the list of compiled files from the kernel spdx to ignore CVEs +# that are not affected since the files are not compiled. +# +# It creates a new json file with updated CVE information +# +# Compiled files can be extracted adding the following in local.conf +# SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1" +# +# Tested with the following CVE sources: +# - https://git.kernel.org/pub/scm/linux/security/vulns.git +# - https://github.com/CVEProject/cvelistV5 +# +# Example: +# python3 ./openembedded-core/scripts/contrib/improve_kernel_cve_report.py --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json --kernel-version 6.12.27 --datadir ./vulns +# python3 ./openembedded-core/scripts/contrib/improve_kernel_cve_report.py --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json --datadir ./vulns --old-cve-report build/tmp/log/cve/cve-summary.json +# +# SPDX-License-Identifier: GPLv2 + +import argparse +import json +import sys +import logging +import glob +import os +import pathlib +from packaging.version import Version + +def is_linux_cve(cve_info): + '''Return true is the CVE belongs to Linux''' + if not "affected" in cve_info["containers"]["cna"]: + return False + for affected in cve_info["containers"]["cna"]["affected"]: + if not "product" in affected: + return False + if affected["product"] == "Linux" and affected["vendor"] == "Linux": + return True + return False + +def get_kernel_cves(datadir, compiled_files, version): + """ + Get CVEs for the kernel + """ + cves = {} + + check_config = len(compiled_files) > 0 + + base_version = Version(f"{version.major}.{version.minor}") + + # Check all CVES from kernel vulns + pattern = os.path.join(datadir, '**', "CVE-*.json") + cve_files = glob.glob(pattern, 
recursive=True) + not_applicable_config = 0 + fixed_as_later_backport = 0 + vulnerable = 0 + not_vulnerable = 0 + for cve_file in sorted(cve_files): + cve_info = {} + with open(cve_file, "r", encoding='ISO-8859-1') as f: + cve_info = json.load(f) + + if len(cve_info) == 0: + logging.error("Not valid data in %s. Aborting", cve_file) + break + + if not is_linux_cve(cve_info): + continue + cve_id = os.path.basename(cve_file)[:-5] + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + if cve_file.find("rejected") >= 0: + logging.debug("%s is rejected by the CNA", cve_id) + cves[cve_id] = { + "id": cve_id, + "status": "Ignored", + "detail": "rejected", + "summary": description, + "description": f"Rejected by CNA" + } + continue + if any(elem in cve_file for elem in ["review", "reverved", "testing"]): + continue + + is_vulnerable, first_affected, last_affected, better_match_first, better_match_last, affected_versions = get_cpe_applicability(cve_info, version) + + logging.debug("%s: %s (%s - %s) (%s - %s)", cve_id, is_vulnerable, better_match_first, better_match_last, first_affected, last_affected) + + if is_vulnerable is None: + logging.warning("%s doesn't have good metadata", cve_id) + if is_vulnerable: + is_affected = True + affected_files = [] + if check_config: + is_affected, affected_files = check_kernel_compiled_files(compiled_files, cve_info) + + if not is_affected and len(affected_files) > 0: + logging.debug( + "%s - not applicable configuration since affected files not compiled: %s", + cve_id, affected_files) + cves[cve_id] = { + "id": cve_id, + "status": "Ignored", + "detail": "not-applicable-config", + "summary": description, + "description": f"Source code not compiled by config. 
{affected_files}" + } + not_applicable_config +=1 + # Check if we have backport + else: + if not better_match_last: + fixed_in = last_affected + else: + fixed_in = better_match_last + logging.debug("%s needs backporting (fixed from %s)", cve_id, fixed_in) + cves[cve_id] = { + "id": cve_id, + "status": "Unpatched", + "detail": "version-in-range", + "summary": description, + "description": f"Needs backporting (fixed from {fixed_in})" + } + vulnerable += 1 + if (better_match_last and + Version(f"{better_match_last.major}.{better_match_last.minor}") == base_version): + fixed_as_later_backport += 1 + # Not vulnerable + else: + if not first_affected: + logging.debug("%s - not known affected %s", + cve_id, + better_match_last) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "version-not-in-range", + "summary": description, + "description": "No CPE match" + } + not_vulnerable += 1 + continue + backport_base = Version(f"{better_match_last.major}.{better_match_last.minor}") + if version < first_affected: + logging.debug('%s - fixed-version: only affects %s onwards', + cve_id, + first_affected) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "fixed-version", + "summary": description, + "description": f"only affects {first_affected} onwards" + } + not_vulnerable += 1 + elif last_affected <= version: + logging.debug("%s - fixed-version: Fixed from version %s", + cve_id, + last_affected) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "fixed-version", + "summary": description, + "description": f"fixed-version: Fixed from version {last_affected}" + } + not_vulnerable += 1 + elif backport_base == base_version: + logging.debug("%s - cpe-stable-backport: Backported in %s", + cve_id, + better_match_last) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "cpe-stable-backport", + "summary": description, + "description": f"Backported in {better_match_last}" + } + not_vulnerable += 1 + else: + 
logging.debug("%s - version not affected %s", cve_id, str(affected_versions)) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "version-not-in-range", + "summary": description, + "description": f"Range {affected_versions}" + } + not_vulnerable += 1 + + logging.info("Total CVEs ignored due to not applicable config: %d", not_applicable_config) + logging.info("Total CVEs not vulnerable due version-not-in-range: %d", not_vulnerable) + logging.info("Total vulnerable CVEs: %d", vulnerable) + + logging.info("Total CVEs already backported in %s: %s", base_version, + fixed_as_later_backport) + return cves + +def read_spdx(spdx_file): + '''Open SPDX file and extract compiled files''' + with open(spdx_file, 'r', encoding='ISO-8859-1') as f: + spdx = json.load(f) + if "spdxVersion" in spdx: + if spdx["spdxVersion"] == "SPDX-2.2": + return read_spdx2(spdx) + if "@graph" in spdx: + return read_spdx3(spdx) + return [] + +def read_spdx2(spdx): + ''' + Read spdx2 compiled files from spdx + ''' + cfiles = set() + if 'files' not in spdx: + return cfiles + for item in spdx['files']: + for ftype in item['fileTypes']: + if ftype == "SOURCE": + filename = item["fileName"][item["fileName"].find("/")+1:] + cfiles.add(filename) + return cfiles + +def read_spdx3(spdx): + ''' + Read spdx3 compiled files from spdx + ''' + cfiles = set() + for item in spdx["@graph"]: + if "software_primaryPurpose" not in item: + continue + if item["software_primaryPurpose"] == "source": + filename = item['name'][item['name'].find("/")+1:] + cfiles.add(filename) + return cfiles + +def check_kernel_compiled_files(compiled_files, cve_info): + """ + Return if a CVE affected us depending on compiled files + """ + files_affected = set() + is_affected = False + + for item in cve_info['containers']['cna']['affected']: + if "programFiles" in item: + for f in item['programFiles']: + if f not in files_affected: + files_affected.add(f) + + if len(files_affected) > 0: + for f in files_affected: + if f 
in compiled_files: + logging.debug("File match: %s", f) + is_affected = True + return is_affected, files_affected + +def get_cpe_applicability(cve_info, v): + ''' + Check if version is affected and return affected versions + ''' + base_branch = Version(f"{v.major}.{v.minor}") + affected = [] + if not 'cpeApplicability' in cve_info["containers"]["cna"]: + return None, None, None, None, None, None + + for nodes in cve_info["containers"]["cna"]["cpeApplicability"]: + for node in nodes.values(): + vulnerable = False + matched_branch = False + first_affected = Version("5000") + last_affected = Version("0") + better_match_first = Version("0") + better_match_last = Version("5000") + + if len(node[0]['cpeMatch']) == 0: + first_affected = None + last_affected = None + better_match_first = None + better_match_last = None + + for cpe_match in node[0]['cpeMatch']: + version_start_including = Version("0") + version_end_excluding = Version("0") + if 'versionStartIncluding' in cpe_match: + version_start_including = Version(cpe_match['versionStartIncluding']) + else: + version_start_including = Version("0") + # if versionEndExcluding is missing we are in a branch, which is not fixed. + if "versionEndExcluding" in cpe_match: + version_end_excluding = Version(cpe_match["versionEndExcluding"]) + else: + # if versionEndExcluding is missing we are in a branch, which is not fixed. + version_end_excluding = Version( + f"{version_start_including.major}.{version_start_including.minor}.5000" + ) + affected.append(f" {version_start_including}-{version_end_excluding}") + # Detect if versionEnd is in fixed in base branch. 
It has precedence over the rest + branch_end = Version(f"{version_end_excluding.major}.{version_end_excluding.minor}") + if branch_end == base_branch: + if version_start_including <= v < version_end_excluding: + vulnerable = cpe_match['vulnerable'] + # If we don't match in our branch, we are not vulnerable, + # since we have a backport + matched_branch = True + better_match_first = version_start_including + better_match_last = version_end_excluding + if version_start_including <= v < version_end_excluding and not matched_branch: + if version_end_excluding < better_match_last: + better_match_first = max(version_start_including, better_match_first) + better_match_last = min(better_match_last, version_end_excluding) + vulnerable = cpe_match['vulnerable'] + matched_branch = True + + first_affected = min(version_start_including, first_affected) + last_affected = max(version_end_excluding, last_affected) + # Not a better match, we use the first and last affected instead of the fake .5000 + if vulnerable and better_match_last == Version(f"{base_branch}.5000"): + better_match_last = last_affected + better_match_first = first_affected + return vulnerable, first_affected, last_affected, better_match_first, better_match_last, affected + +def copy_data(old, new): + '''Update dictionary with new entries, while keeping the old ones''' + for k in new.keys(): + old[k] = new[k] + return old + +# Function taken from cve_check.bbclass. 
Adapted to cve fields +def cve_update(cve_data, cve, entry): + # If no entry, just add it + if cve not in cve_data: + cve_data[cve] = entry + return + # If we are updating, there might be change in the status + if cve_data[cve]['status'] == "Unknown": + cve_data[cve] = copy_data(cve_data[cve], entry) + return + if cve_data[cve]['status'] == entry['status']: + return + if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched": + logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve) + cve_data[cve] = copy_data(cve_data[cve], entry) + return + if entry['status'] == "Patched" and cve_data[cve]['status'] == "Unpatched": + logging.warning("CVE entry %s update from Unpatched to Patched from the scan result", cve) + cve_data[cve] = copy_data(cve_data[cve], entry) + return + # If we have an "Ignored", it has a priority + if cve_data[cve]['status'] == "Ignored": + logging.debug("CVE %s not updating because Ignored", cve) + return + # If we have an "Ignored", it has a priority + if entry['status'] == "Ignored": + cve_data[cve] = copy_data(cve_data[cve], entry) + logging.debug("CVE entry %s updated from Unpatched to Ignored", cve) + return + logging.warning("Unhandled CVE entry update for %s %s from %s %s to %s", + cve, cve_data[cve]['status'], cve_data[cve]['detail'], entry['status'], entry['detail']) + +def main(): + parser = argparse.ArgumentParser( + description="Update cve-summary with kernel compiled files and kernel CVE information" + ) + parser.add_argument( + "-s", + "--spdx", + help="SPDX2/3 for the kernel. Needs to include compiled sources", + ) + parser.add_argument( + "--datadir", + type=pathlib.Path, + help="Directory where CVE data is", + required=True + ) + parser.add_argument( + "--old-cve-report", + help="CVE report to update. (Optional)", + ) + parser.add_argument( + "--kernel-version", + help="Kernel version. 
Needed if old cve_report is not provided (Optional)", + type=Version + ) + parser.add_argument( + "--new-cve-report", + help="Output file", + default="cve-summary-enhance.json" + ) + parser.add_argument( + "-D", + "--debug", + help='Enable debug ', + action="store_true") + + args = parser.parse_args() + + if args.debug: + log_level=logging.DEBUG + else: + log_level=logging.INFO + logging.basicConfig(format='[%(filename)s:%(lineno)d] %(message)s', level=log_level) + + if not args.kernel_version and not args.old_cve_report: + parser.error("either --kernel-version or --old-cve-report are needed") + return -1 + + # by default we don't check the compiled files, unless provided + compiled_files = [] + if args.spdx: + compiled_files = read_spdx(args.spdx) + logging.info("Total compiled files %d", len(compiled_files)) + + if args.old_cve_report: + with open(args.old_cve_report, encoding='ISO-8859-1') as f: + cve_report = json.load(f) + else: + #If summary not provided, we create one + cve_report = { + "version": "1", + "package": [ + { + "name": "linux-yocto", + "version": str(args.kernel_version), + "products": [ + { + "product": "linux_kernel", + "cvesInRecord": "Yes" + } + ], + "issue": [] + } + ] + } + + for pkg in cve_report['package']: + is_kernel = False + for product in pkg['products']: + if product['product'] == "linux_kernel": + is_kernel=True + if not is_kernel: + continue + + kernel_cves = get_kernel_cves(args.datadir, + compiled_files, + Version(pkg["version"])) + logging.info("Total kernel cves from kernel CNA: %s", len(kernel_cves)) + cves = {issue["id"]: issue for issue in pkg["issue"]} + logging.info("Total kernel before processing cves: %s", len(cves)) + + for cve in kernel_cves: + cve_update(cves, cve, kernel_cves[cve]) + + pkg["issue"] = [] + for cve in sorted(cves): + pkg["issue"].extend([cves[cve]]) + logging.info("Total kernel cves after processing: %s", len(pkg['issue'])) + + with open(args.new_cve_report, "w", encoding='ISO-8859-1') as f: + 
json.dump(cve_report, f, indent=2) + + return 0 + +if __name__ == "__main__": + sys.exit(main()) +
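Review bot: in get_cpe_applicability the loop "for node in nodes.values():" followed by "for cpe_match in node[0]['cpeMatch']:" only inspects element 0 of each value, so when a cpeApplicability entry lists more than one node every cpeMatch range in the later nodes is silently dropped from the affected/fixed computation, and the script can report a kernel version as not affected when the matching range lives in a node it never read; iterate the whole list instead ("for node_list in nodes.values(): for node in node_list: for cpe_match in node['cpeMatch']:") and keep the empty-cpeMatch handling per node. Smaller points in the same hunk: parser.error() already exits, so the "return -1" after it never runs; the debug message in cve_update says "updated from Unpatched to Ignored" even when the previous status was Patched, so log cve_data[cve]['status'] rather than the literal; pkg["issue"].extend([cves[cve]]) is just append; and "if not 'cpeApplicability' in ..." reads better as "not in".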
From patchwork Mon Feb 9 09:29:05 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80748
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 22/25] lighttpd: Fix trailing slash on files in mod_dirlisting
Date: Mon, 9 Feb 2026 10:29:05 +0100
Message-ID: <790da20c7bbd569cf75aa95adf5a7f1afe288f97.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230773

From: Fred Bacon

Fixes [YOCTO #16128]

Backport of upstream bug fix from lighttpd-1.4.75.

Version 1.4.74 introduced a bug that would append a trailing slash to files in a directory listing. When the user attempts to download one of these files, the web browser could not save the file with a trailing slash. As a consequence, every web browser tested would generate a random character string for the saved file name.

Signed-off-by: Fred Bacon
[Yoann: Fixed Upstream-Status: Backport URL]
Signed-off-by: Yoann Congal
---
 .../lighttpd/0001-mod_dirlisting.patch | 48 +++++++++++++++++++
 .../lighttpd/lighttpd_1.4.74.bb | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch

diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch
new file mode 100644
index 00000000000..9df2b7556c2
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_dirlisting.patch
@@ -0,0 +1,48 @@ +From 3d400ce06dcb950a61363f87330324db244f4bac Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Thu, 29 Feb 2024 20:59:57 -0500 +Subject: [PATCH] [mod_dirlisting] fix suffix display of '/' on file (fixes + #3242) + +fix incorrect suffix display of '/' on files + +(regression in lighttpd 1.4.74) + +(thx guy) + +Upstream-Status: Backport [https://github.com/lighttpd/lighttpd1.4/commit/3d400ce06dcb950a61363f87330324db244f4bac] + +References: +[1] https://redmine.lighttpd.net/issues/3242 + +Signed-off-by: Glenn Strauss +--- + src/mod_dirlisting.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/mod_dirlisting.c b/src/mod_dirlisting.c +index a3432211..2686cd3e 100644 +--- a/src/mod_dirlisting.c ++++ b/src/mod_dirlisting.c +@@ -1022,10 +1022,19 @@ static void http_list_directory_dirname(buffer * const out, const dirls_entry_t + buffer_append_string_len(out, CONST_STR_LEN("-  Directory\n")); + } + ++static void http_list_file_ent(buffer * const out, const dirls_entry_t * const ent, const char * const name) { ++ buffer_append_string_encoded(out, name, ent->namelen, ENCODING_REL_URI_PART); ++ buffer_append_string_len(out, CONST_STR_LEN("\">")); ++ buffer_append_string_encoded(out, name, ent->namelen, ENCODING_MINIMAL_XML); ++ buffer_append_string_len(out, CONST_STR_LEN("")); ++ ++ http_list_directory_mtime(out, ent); ++} ++ + static void http_list_directory_filename(buffer * const out, const dirls_entry_t * const ent, const char * const name, handler_ctx * const hctx) { + buffer_append_string_len(out, CONST_STR_LEN("
X-Patchwork-Id: 80746
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 23/25] docbook-xml-dtd4: fix the fetching failure
Date: Mon, 9 Feb 2026 10:29:06 +0100
Message-ID: <7c9acdff1e69a82c89fd447c25b7d6186acdef87.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230774

From: Khai Dang

Updating SRC_URI, the old archive URL is deprecated.

Signed-off-by: Khai Dang
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit c137d3637b6171fbd3bfd671a56096e7f2b3c318)
Signed-off-by: Yoann Congal
---
 .../docbook-xml/docbook-xml-dtd4_4.5.bb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-devtools/docbook-xml/docbook-xml-dtd4_4.5.bb b/meta/recipes-devtools/docbook-xml/docbook-xml-dtd4_4.5.bb
index e4b4201b1f9..43c3ba17ad8 100644
--- a/meta/recipes-devtools/docbook-xml/docbook-xml-dtd4_4.5.bb
+++ b/meta/recipes-devtools/docbook-xml/docbook-xml-dtd4_4.5.bb
@@ -25,11 +25,11 @@ LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE-OASIS;md5=c608985dd5f7f215e669e763 # bitbake build system. # -SRC_URI = "https://docbook.org/xml/4.1.2/docbkx412.zip;name=payload412;subdir=docbook-4.1.2 \ - https://docbook.org/xml/4.2/docbook-xml-4.2.zip;name=payload42;subdir=docbook-4.2 \ - https://docbook.org/xml/4.3/docbook-xml-4.3.zip;name=payload43;subdir=docbook-4.3 \ - https://docbook.org/xml/4.4/docbook-xml-4.4.zip;name=payload44;subdir=docbook-4.4 \ - https://docbook.org/xml/${PV}/docbook-xml-${PV}.zip;name=payloadPV;subdir=docbook-${PV} \ +SRC_URI = "https://archive.docbook.org/xml/4.1.2/docbkx412.zip;name=payload412;subdir=docbook-4.1.2 \ + https://archive.docbook.org/xml/4.2/docbook-xml-4.2.zip;name=payload42;subdir=docbook-4.2 \ + https://archive.docbook.org/xml/4.3/docbook-xml-4.3.zip;name=payload43;subdir=docbook-4.3 \ + https://archive.docbook.org/xml/4.4/docbook-xml-4.4.zip;name=payload44;subdir=docbook-4.4 \ + https://archive.docbook.org/xml/${PV}/docbook-xml-${PV}.zip;name=payloadPV;subdir=docbook-${PV} \ file://docbook-xml-update-catalog.xml.patch \ file://LICENSE-OASIS"
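Review bot: the hunk changes only the host in the five payload URLs (payload412, payload42, payload43, payload44, payloadPV), and nothing in it shows that the zips served by archive.docbook.org were checked against the sha256 checksums bitbake requires for https:// sources, which this hunk does not touch; a host swap is exactly the case where a differing artifact would otherwise slip in unnoticed, so please state in the commit message that a fresh fetch from the new host was verified against the unchanged checksums (or update them if the bytes differ), and consider whether the comment block ending in "# bitbake build system. #" just above SRC_URI still describes the old docbook.org location.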
From patchwork Mon Feb 9 09:29:07 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80747
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 24/25] pseudo: Update to 1.9.3 release
Date: Mon, 9 Feb 2026 10:29:07 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230775

From: Richard Purdie

Pulls in the following changes:

Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist

Signed-off-by: Richard Purdie
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index c78f1ab724d..d08fe9f42c3 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "125b020dd2bc46baa37a80784704e382732357b4" +SRCREV = "750362cc7b9fa58dffccd95d919b435c6d8ac614" S = "${WORKDIR}/git" -PV = "1.9.2+git" +PV = "1.9.3+git" # largefile and 64bit time_t support adds these macros via compiler flags globally # remove them for pseudo since pseudo intercepts some of the functions which will be
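Review bot: the list of pulled-in changes includes "Update COPYRIGHT files", yet the hunk only bumps SRCREV and PV and leaves the recipe's license checksum (LIC_FILES_CHKSUM, not part of this hunk) untouched; confirm that the license text the recipe checksums is unchanged between 125b020d and 750362cc (a changed file fails do_populate_lic, and a year or wording update still needs the checksum refreshed) and say so in the commit message, since a SRCREV bump that silently rides over a license-file change is the kind of thing a later audit of the scarthgap branch will trip on.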
From patchwork Mon Feb 9 09:29:08 2026 X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 80744
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 25/25] libtheora: set CVE_PRODUCT
Date: Mon, 9 Feb 2026 10:29:08 +0100
Message-ID: <6334c612dbc96e1e6593c8b02f073e5170e82e31.1770626074.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230776

From: Ken Kurematsu

In the NVD database, the product name of libtheora is theora. This was set to ensure that cve-check works correctly.

Signed-off-by: Ken Kurematsu
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit a8ddda60332e2a3219e905c1545b5da917f855c6)
Signed-off-by: Yoann Congal
---
 meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb b/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
index 11674af379f..5e94bc29751 100644
--- a/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
+++ b/meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb
@@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b6ae1ee2fa3d42ac489287d3ec34c5885730b1296f0801ae577a35193d UPSTREAM_CHECK_REGEX = "libtheora-(?P\d+(\.\d)+)\.(tar\.gz|tgz)" +CVE_PRODUCT = "theora" + inherit autotools pkgconfig EXTRA_OECONF = "--disable-examples"
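Review bot: CVE_PRODUCT = "theora" matches NVD entries on the product field alone, so every CPE whose product is theora is attributed to this recipe regardless of vendor; cve-check also accepts the vendor:product form, so if the NVD entries the commit message refers to carry a vendor for this library, pin it (CVE_PRODUCT = "vendor:theora", with the real vendor string) so that an unrelated product of the same name cannot be reported against libtheora. Citing one CVE ID that cve-check now reports with the new value would also give reviewers a quick way to confirm the product name is the right one.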