From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 01/13] freerdp: patch CVE-2026-22852 Date: Mon, 23 Feb 2026 20:18:38 +0100 Message-ID: <20260223191850.1049304-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124555 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22852 The related github advisory[1] comes with an analysis of the vulnerability, including pointing to the vulnerable code snippet. Backported the commit that touched the mentioned code part in the fixed version, and is in line with the description of the issue. Ptests passed successfully. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2026-22852.patch | 27 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.11.7.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch new file mode 100644 index 0000000000..aa6952fb7d --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22852.patch 
@@ -0,0 +1,27 @@ +From e3391e8d160f4b1b43d53b4a7d462a3601c45408 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Sat, 10 Jan 2026 08:36:38 +0100 +Subject: [PATCH] free up old audio formats + +CVE: CVE-2026-22852 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/cd1ffa112cfbe1b40a9fd57e299a8ea12e23df0d] +Signed-off-by: Gyorgy Sarvari +--- + channels/audin/client/audin_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c +index 23561b153..5ffe09127 100644 +--- a/channels/audin/client/audin_main.c ++++ b/channels/audin/client/audin_main.c +@@ -219,6 +219,10 @@ static UINT audin_process_formats(AUDIN_PLUGIN* audin, AUDIN_CHANNEL_CALLBACK* c + } + + Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */ ++ ++ audio_formats_free(callback->formats, callback->formats_count); ++ callback->formats_count = 0; ++ + callback->formats = audio_formats_new(NumFormats); + + if (!callback->formats) diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb index 3ee4f99c1a..70198a1e21 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb 
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2024-32661.patch \ file://CVE-2026-22854.patch \ file://CVE-2026-22855.patch \ + file://CVE-2026-22852.patch \ "
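Review bot: in the audin_main.c hunk of the backported patch, the new audio_formats_free(callback->formats, callback->formats_count) call trusts that formats_count still describes whatever callback->formats points to, so any other path in the 2.11.7 tree that frees callback->formats without clearing the pointer and the count would now turn into a double free. Please confirm that against the stable-2.0 source, and consider stating in the patch header whether the upstream commit applied cleanly or was adapted, since only the Upstream-Status URL ties this hunk to the upstream change.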
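Review bot: in the SRC_URI hunk, file://CVE-2026-22852.patch is appended after CVE-2026-22854.patch and CVE-2026-22855.patch, which breaks the ascending order the visible entries otherwise follow. Moving it above CVE-2026-22854.patch keeps the list easy to scan when auditing which CVEs carry a patch.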
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 02/13] freerdp: ignore CVE-2026-22853 Date: Mon, 23 Feb 2026 20:18:39 +0100 Message-ID: <20260223191850.1049304-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124556 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22853 The vulnerable feature was introduced in v3.9.0[1], the recipe version is not affected. Ignore this CVE. [1]: https://github.com/FreeRDP/FreeRDP/commit/a4bd5ba8863c0959501d4604159042a311dae85a Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb index 70198a1e21..63dc177cbe 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb 
@@ -119,6 +119,7 @@ python populate_packages:prepend () { CVE_STATUS[CVE-2024-32662] = "fixed-version: 2.x is not affected, bug was introduced in 3.0.0" CVE_STATUS[CVE-2025-68118] = "not-applicable-platform: Windows-only vulnerability" +CVE_STATUS[CVE-2026-22853] = "cpe-incorrect: the vulnerability was introduced in 3.9.0" # avoid http://errors.yoctoproject.org/Errors/Details/852862/ # fixed in freerdp3 with https://github.com/FreeRDP/FreeRDP/pull/10553
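Review bot: the added CVE_STATUS[CVE-2026-22853] line uses cpe-incorrect for "introduced in 3.9.0", while the context line two above records the same situation for CVE-2024-32662 as "fixed-version: 2.x is not affected, bug was introduced in 3.0.0". The two statuses are reported differently by cve-check, so pick one convention for "2.x predates the bug" in this recipe, or say in the commit message why this entry differs.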
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][PATCH 03/13] gimp: ignore already fixed CVEs Date: Mon, 23 Feb 2026 20:18:40 +0100 Message-ID: <20260223191850.1049304-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124557 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 https://nvd.nist.gov/vuln/detail/CVE-2026-2044 https://nvd.nist.gov/vuln/detail/CVE-2026-2045 https://nvd.nist.gov/vuln/detail/CVE-2026-2047 https://nvd.nist.gov/vuln/detail/CVE-2026-2048 All these CVEs are already fixed in the recipe version, however NVD tracks them currently without CPE info. Ignore them. Relevant upstream commits: CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d Note that the commit referenced by NVD is incorrect. This commit was identified from the relevant upstream Gitlab issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5 CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7 CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90 CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117 --- meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb index 860fb5d26b..5cbb94055a 100644 
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb 
@@ -135,4 +135,7 @@ RDEPENDS:${PN} = "mypaint-brushes-1.0 glib-networking python3-pygobject" CVE_STATUS[CVE-2007-3741] = "not-applicable-platform: This only applies for Mandriva Linux" CVE_STATUS[CVE-2025-8672] = "not-applicable-config: the vulnerability only affects MacOS" -CVE_STATUS[CVE-2025-15059] = "fixed-version: The issue is fixed since v3.0.8" + +CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_ALREADY" +CVE_STATUS_FIXED_ALREADY[status] = "fixed-version: The issue is fixed since v3.0.8" +CVE_STATUS_FIXED_ALREADY = "CVE-2025-15059 CVE-2026-0797 CVE-2026-2044 CVE-2026-2045 CVE-2026-2047 CVE-2026-2048"
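Review bot: CVE_STATUS_FIXED_ALREADY[status] applies the single reason "fixed-version: The issue is fixed since v3.0.8" to all six CVEs in the group, but the commit message only establishes that each fix is present in the recipe version, not that v3.0.8 is the release that first carried it. Either confirm 3.0.8 as the fixing release for each listed commit or reword the reason to something like "fixed in or before v3.0.8". The commit message also has no Signed-off-by line, unlike the other patches in this series.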
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][PATCH 04/13] gnome-shell: ignore CVE-2021-3982 Date: Mon, 23 Feb 2026 20:18:41 +0100 Message-ID: <20260223191850.1049304-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124558 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982 The vulnerability is about a privilege escalation, in case the host distribution sets CAP_SYS_NICE capability on the gnome-shell binary. OE distros don't do that, and due to this this recipe is not affected by this issue. The CVE is ignored. Signed-off-by: Gyorgy Sarvari --- meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb index c8a5e20899..802a6948ae 100644 --- a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb +++ b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_48.3.bb
@@ -92,3 +92,4 @@ PACKAGES =+ "${PN}-tools ${PN}-gsettings" FILES:${PN}-tools = "${bindir}/*-tool" RDEPENDS:${PN}-tools = "python3-core" +CVE_STATUS[CVE-2021-3982] = "not-applicable-config: OE doesn't set CAP_SYS_NICE capability"
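Review bot: the reason string on the added CVE_STATUS[CVE-2021-3982] line states "OE doesn't set CAP_SYS_NICE capability" as a fact about every build, but the recipe cannot see what a downstream distro or image layer does to the gnome-shell binary after packaging. Wording the reason as a condition, for example that the issue applies only if CAP_SYS_NICE is set on gnome-shell, tells anyone reading the cve-check report what to re-check in their own layers.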
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][PATCH 05/13] libcdio: mark CVE-2024-36600 fixed Date: Mon, 23 Feb 2026 20:18:42 +0100 Message-ID: <20260223191850.1049304-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124559 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36600 The vulnerability is fixed since 2.2.1.rc1[1], and officially since v2.3.0. However NVD tracks it like v2.3.0 was still vulnerable. Mark the CVE explicitly patched. [1]: https://github.com/libcdio/libcdio/blob/master/NEWS.md Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-multimedia/libcdio/libcdio_2.3.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-multimedia/libcdio/libcdio_2.3.0.bb b/meta-oe/recipes-multimedia/libcdio/libcdio_2.3.0.bb index 11e84c6505..20ffbffd98 100644 --- a/meta-oe/recipes-multimedia/libcdio/libcdio_2.3.0.bb +++ b/meta-oe/recipes-multimedia/libcdio/libcdio_2.3.0.bb 
@@ -29,3 +29,5 @@ python libcdio_split_packages() { } PACKAGESPLITFUNCS =+ "libcdio_split_packages" + +CVE_STATUS[CVE-2024-36600] = "fixed-version: fixed in v2.3.0"
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-multimedia][PATCH 06/13] minidlna: ignore CVE-2024-51442 Date: Mon, 23 Feb 2026 20:18:43 +0100 Message-ID: <20260223191850.1049304-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124560 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-51442 The description of the vulnerability says "attacker [...] execute arbitrary OS commands via a specially crafted minidlna.conf configuration file". There is no official fix for this CVE, and upstream seems to be inactive for the past 3 years. The reason for ignoring this CVE is that the referenced minidlna.conf file is in the /etc folder, and the file is not world-writable. Which means that this vulnerability can be exploited only when someone is root - but if the attacker is already root, they don't need to resort to minidlna config-file modifications to execute any command they want. Signed-off-by: Gyorgy Sarvari --- meta-multimedia/recipes-multimedia/minidlna/minidlna.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc index cb2a1865e8..0dd297098c 100644 --- a/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc +++ b/meta-multimedia/recipes-multimedia/minidlna/minidlna.inc 
@@ -43,3 +43,4 @@ SYSTEMD_SERVICE:${PN} = "minidlna.service" INITSCRIPT_NAME = "minidlna" INITSCRIPT_PARAMS = "defaults 90" +CVE_STATUS[CVE-2024-51442] = "not-applicable-config: vulnerability requires root access"
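Review bot: The reason string on the added CVE_STATUS[CVE-2024-51442] line records only the conclusion ("vulnerability requires root access") and not the precondition it rests on, which per the commit message is that minidlna.conf lives in /etc and is not world-writable. Nothing in the visible lines of minidlna.inc shows the owner or mode the file is installed with, so the status would stay "not-applicable-config" even if a bbappend or an image relaxed those permissions. Suggest spelling the condition out, for example "not-applicable-config: minidlna.conf is root-owned and not world-writable, so exploitation requires root", so that anyone auditing the ignore knows what to verify on their image.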
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 07/13] openjpeg: patch CVE-2023-39327
Date: Mon, 23 Feb 2026 20:18:44 +0100
Message-ID: <20260223191850.1049304-7-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124561

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39327

Take the patch that is used by OpenSUSE to mitigate this vulnerability. Upstream seems to be unresponsive to this issue.

Signed-off-by: Gyorgy Sarvari
--- .../openjpeg/openjpeg/CVE-2023-39327.patch | 50 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch new file mode 100644 index 0000000000..05e504a18e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2023-39327.patch
@@ -0,0 +1,50 @@ +From a3504b2484cf7443c547037511c40f59aff8ae5a Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 23 Feb 2026 17:22:18 +0100 +Subject: [PATCH] CVE-2023-39327 + +This patch fixes CVE-2023-39327. + +This patch comes from OpenSuse: +https://build.opensuse.org/projects/openSUSE:Factory/packages/openjpeg2/files/openjpeg2-cve-2023-39327-limit-iterations.patch + +Upstream seems to unresponsive to this vulnerability. + +Upstream-Status: Inactive-Upstream [inactive, when it comes to CVEs] + +Signed-off-by: Gyorgy Sarvari +--- + src/lib/openjp2/t2.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/lib/openjp2/t2.c b/src/lib/openjp2/t2.c +index 4e8cf601..ad39cd74 100644 +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -441,6 +441,8 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, + * and no l_img_comp->resno_decoded are computed + */ + OPJ_BOOL* first_pass_failed = NULL; ++ OPJ_UINT32 l_packet_count = 0; ++ OPJ_UINT32 l_max_packets = 100000; + + if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) { + /* TODO ADE : add an error */ +@@ -457,6 +459,17 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, + + while (opj_pi_next(l_current_pi)) { + OPJ_BOOL skip_packet = OPJ_FALSE; ++ ++ /* CVE-2023-39327: Check for excessive packet iterations */ ++ if (++l_packet_count > l_max_packets) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Excessive packet iterations detected (>%u). Possible malformed stream.\n", ++ l_max_packets); ++ opj_pi_destroy(l_pi, l_nb_pocs); ++ opj_free(first_pass_failed); ++ return OPJ_FALSE; ++ } ++ + JAS_FPRINTF(stderr, + "packet offset=00000166 prg=%d cmptno=%02d rlvlno=%02d prcno=%03d lyrno=%02d\n\n", + l_current_pi->poc.prg1, l_current_pi->compno, l_current_pi->resno, diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb index 6d7d87f5f1..33dc48b2ea 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
@@ -7,6 +7,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2023-39327.patch \ " SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f"
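Review bot: The cap added to the while (opj_pi_next(l_current_pi)) loop in opj_t2_decode_packets() is a hard-coded constant (l_max_packets = 100000) with no relation to the image being decoded, so the same check that stops a malformed stream also fails any legitimate codestream whose packet iterator yields more than 100000 packets in that loop. The limit should either be derived from the packet count the tile is expected to have or its choice justified in the patch header. Two points on the header of the new CVE-2023-39327.patch file: it has no "CVE: CVE-2023-39327" tag line, and "Upstream-Status: Inactive-Upstream [inactive, when it comes to CVEs]" does not follow the documented "Inactive-Upstream [lastcommit: when (and/or) lastrelease: when]" form.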
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 08/13] polkit: add info about CVE-2016-2568
Date: Mon, 23 Feb 2026 20:18:45 +0100
Message-ID: <20260223191850.1049304-8-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124562

Details: https://nvd.nist.gov/vuln/detail/CVE-2016-2568

This commit mostly just tries to add some info to this issue, in the hope that it will save some time for others who try to investigate it. This CVE most probably will stay open in meta-oe in the foreseeable future, although it can be mitigated reasonably easily by the users of the layer.

The description of the vulnerability is short enough that it can be reproduced here: "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer."

The general consensus amongst developers/major distros[1][2][3] seems to be that it should be mitigated on the kernel side, to not allow non-privileged users to fake input. To this end, the kernel has introduced a new config in v6.2, called CONFIG_LEGACY_TIOCSTI - when it is enabled, non-privileged users can also fake input. It is however by default enabled (and it is also enabled in the kernels shipped in oe-core, at least at the time of writing this).

Disabling this kernel config is considered to be the mitigation, to allow input-faking only by privileged users.

[1]: https://security-tracker.debian.org/tracker/CVE-2016-2568
[2]: https://bugzilla.suse.com/show_bug.cgi?id=968674
[3]: https://marc.info/?t=145694748900001&r=1&w=2 / https://marc.info/?l=util-linux-ng&m=145702209921574&w=2

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-extended/polkit/polkit_127.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-extended/polkit/polkit_127.bb b/meta-oe/recipes-extended/polkit/polkit_127.bb index 40eca9f9ee..f97c6efbf7 100644 --- a/meta-oe/recipes-extended/polkit/polkit_127.bb +++ b/meta-oe/recipes-extended/polkit/polkit_127.bb
@@ -65,3 +65,5 @@ FILES:${PN} += " \ ${systemd_unitdir}/system/polkit-agent-helper.socket \ ${systemd_unitdir}/system/polkit-agent-helper@.service \ " + +CVE_STATUS[CVE-2016-2568] = "unpatched: the fix is a kernel compiled without CONFIG_LEGACY_TIOCSTI"
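Review bot: The reason on the added CVE_STATUS[CVE-2016-2568] line names the kernel option but omits the version boundary given in the commit message, where CONFIG_LEGACY_TIOCSTI exists only from v6.2 on, so a reader on an older kernel could conclude that the option simply not being set means they are covered. Suggest "unpatched: mitigated only by a kernel >= 6.2 built with CONFIG_LEGACY_TIOCSTI disabled". Since the message also says the oe-core kernels ship with the option enabled, a comment above the line pointing at that default would tell layer users the mitigation is something they have to opt into.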
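The mitigation decision described in the commit message above, written out as a check a layer user can run against a kernel release string and its .config text. This is an added example, not part of the patch series or of meta-oe; the function names, return labels and sample configs are constructed here, and an option that is not mentioned on a kernel >= 6.2 is assumed to fall back to the default, which the message says is enabled.

```python
import re

OPTION = "CONFIG_LEGACY_TIOCSTI"
INTRODUCED_IN = (6, 2)  # first kernel release with the option, per the commit message


def kernel_version(release):
    """Return (major, minor) from a release string such as '6.6.23-yocto-standard'."""
    match = re.match(r"(\d+)\.(\d+)", release.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def option_state(config_text, option=OPTION):
    """Return 'y', 'n' or None (not mentioned) for a bool option in .config text.

    The last mention wins, so concatenated config fragments can be passed in too.
    """
    state = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == f"# {option} is not set":
            state = "n"
        elif line.startswith(f"{option}="):
            state = "y" if line.split("=", 1)[1].strip() == "y" else "n"
    return state


def tiocsti_mitigation(release, config_text):
    """Classify a kernel build against the CVE-2016-2568 mitigation.

    Returns one of:
      'mitigated'        option present and disabled
      'legacy-enabled'   option explicitly enabled
      'default-enabled'  option not mentioned on a >= 6.2 kernel (assumption:
                         the build then uses the default, which is enabled)
      'no-option'        kernel older than 6.2, so the option does not exist
    Only the build-time setting is examined.
    """
    if kernel_version(release) < INTRODUCED_IN:
        return "no-option"
    state = option_state(config_text)
    if state == "n":
        return "mitigated"
    if state == "y":
        return "legacy-enabled"
    return "default-enabled"


def triage(builds):
    """Map build name -> classification for a dict of name -> (release, config)."""
    return {name: tiocsti_mitigation(rel, cfg) for name, (rel, cfg) in builds.items()}


# Constructed sample inputs, not taken from any real build.
SAMPLE_BUILDS = {
    "hardened": ("6.12.3-yocto-standard",
                 "CONFIG_TTY=y\n# CONFIG_LEGACY_TIOCSTI is not set\n"),
    "stock": ("6.6.23-yocto-standard",
              "CONFIG_TTY=y\nCONFIG_LEGACY_TIOCSTI=y\n"),
    "fragment-only": ("6.6.23", "CONFIG_TTY=y\n"),
    "old-kernel": ("5.15.150", "# CONFIG_LEGACY_TIOCSTI is not set\n"),
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_BUILDS).items():
        print(f"{name:14s} {status}")
```

Only the "mitigated" result corresponds to the state the commit message calls the mitigation; the "no-option" case shows why a "not set" line on a pre-6.2 kernel means nothing.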
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 09/13] protobuf: ignore CVE-2026-0994
Date: Mon, 23 Feb 2026 20:18:46 +0100
Message-ID: <20260223191850.1049304-9-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124563

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994

The vulnerability impacts only the python bindings of protobuf, which is in a separate recipe (python3-protobuf, where it is patched).

Ignore this CVE in this recipe due to this.

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-devtools/protobuf/protobuf_6.33.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.5.bb b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.5.bb index 4f5f53d4e5..66c9c24473 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_6.33.5.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_6.33.5.bb
@@ -28,6 +28,8 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d\.\d+\.\d+)" CVE_PRODUCT = "google:protobuf protobuf:protobuf google-protobuf protobuf-cpp" +CVE_STATUS[CVE-2026-0994] = "cpe-incorrect: the vulnerability affects only python3-protobuf recipe" + inherit cmake pkgconfig ptest PACKAGECONFIG ??= ""
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 10/13] live555: upgrade 20210824 -> 20260112
Date: Mon, 23 Feb 2026 20:18:47 +0100
Message-ID: <20260223191850.1049304-10-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124564

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-multimedia/live555/live555/config.linux-cross | 2 +- .../live555/{live555_20210824.bb => live555_20260112.bb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta-oe/recipes-multimedia/live555/{live555_20210824.bb => live555_20260112.bb} (97%) diff --git a/meta-oe/recipes-multimedia/live555/live555/config.linux-cross b/meta-oe/recipes-multimedia/live555/live555/config.linux-cross index fe6a28604b..19881e4a46 100644 --- a/meta-oe/recipes-multimedia/live555/live555/config.linux-cross +++ b/meta-oe/recipes-multimedia/live555/live555/config.linux-cross @@ -4,7 +4,7 @@ C_COMPILER = $(CC) C_FLAGS = $(COMPILE_OPTS) CPP = cpp CPLUSPLUS_COMPILER = $(CXX) -CPLUSPLUS_FLAGS = $(COMPILE_OPTS) -Wall -DBSD=1 +CPLUSPLUS_FLAGS = $(COMPILE_OPTS) -Wall -DBSD=1 -std=c++20 OBJ = o LINK = $(CXX) -o LINK_OPTS = -L. diff --git a/meta-oe/recipes-multimedia/live555/live555_20210824.bb b/meta-oe/recipes-multimedia/live555/live555_20260112.bb similarity index 97% rename from meta-oe/recipes-multimedia/live555/live555_20210824.bb rename to meta-oe/recipes-multimedia/live555/live555_20260112.bb index 1622a97fe1..8729d9ca0b 100644 --- a/meta-oe/recipes-multimedia/live555/live555_20210824.bb +++ b/meta-oe/recipes-multimedia/live555/live555_20260112.bb
@@ -16,7 +16,7 @@ SRC_URI = "https://download.videolan.org/pub/contrib/live555/live.${URLV}.tar.gz # only latest live version stays on http://www.live555.com/liveMedia/public/, add mirror for older MIRRORS += "http://www.live555.com/liveMedia/public/ http://download.videolan.org/contrib/live555/ \n" -SRC_URI[sha256sum] = "ce95a1c79f6d18e959f9dc129b8529b711c60e76754acc285e60946303b923ec" +SRC_URI[sha256sum] = "2c54c2e090065849d0ab8cc7b06942f4e66dde17f2a0c80ae20b907d562c937e" S = "${UNPACKDIR}/live"
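Review bot: The config.linux-cross hunk appends -std=c++20 to CPLUSPLUS_FLAGS, but the commit message is empty apart from the sign-off, so nothing records why the 20260112 sources need it or whether it overrides a standard already passed in through COMPILE_OPTS. For a jump from 20210824 to 20260112 the message should also say whether the new version closes any CVEs, as the pillow and werkzeug upgrades in this series do.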
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 11/13] python3-pillow: upgrade 12.1.0 -> 12.1.1
Date: Mon, 23 Feb 2026 20:18:48 +0100
Message-ID: <20260223191850.1049304-11-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124565

Contains fix for CVE-2026-25990

Ptests passed successfully:

Testsuite summary
TOTAL: 5024
PASS: 4587
SKIP: 434
XFAIL: 3
FAIL: 0
XPASS: 0
ERROR: 0

Changelog:
Patch libavif for svt-av1 4.0 compatibility
Fix OOB Write with invalid tile extents

Signed-off-by: Gyorgy Sarvari
--- .../{python3-pillow_12.1.0.bb => python3-pillow_12.1.1.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-python/recipes-devtools/python/{python3-pillow_12.1.0.bb => python3-pillow_12.1.1.bb} (90%) diff --git a/meta-python/recipes-devtools/python/python3-pillow_12.1.0.bb b/meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb similarity index 90% rename from meta-python/recipes-devtools/python/python3-pillow_12.1.0.bb rename to meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb index 83231cad06..2b3660fc56 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_12.1.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_12.1.1.bb
@@ -5,10 +5,10 @@ HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT-CMU" LIC_FILES_CHKSUM = "file://LICENSE;md5=a1b708da743e3fc0e5c35e92daac0bf8" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https;tag=${PV} \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=12.1.x;protocol=https;tag=${PV} \ file://0001-support-cross-compiling.patch \ " -SRCREV = "46f45f674d47b5d8bc54230dda8fe9e214598b87" +SRCREV = "5158d98c807e719c5938aa3886913ef0ea6814e9" inherit python_setuptools_build_meta ptest-python-pytest
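Review bot: The SRC_URI change hard-codes branch=12.1.x next to tag=${PV}, so the next upgrade to a different release series will fail to fetch until the branch is edited by hand, and nothing on the line signals that. Either derive the branch from PV or add a comment saying the branch must track the release series. The commit message attributes the CVE-2026-25990 fix to this bump; it would help reviewers to say which of the two changelog entries is the fix (presumably "Fix OOB Write with invalid tile extents").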
(PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][PATCH 12/13] python3-werkzeug: upgrade 3.1.5 -> 3.1.6 Date: Mon, 23 Feb 2026 20:18:49 +0100 Message-ID: <20260223191850.1049304-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Feb 2026 19:19:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124566 Contains fix for CVE-2026-27199 Changelog: safe_join on Windows does not allow special devices names in multi-segment paths Signed-off-by: Gyorgy Sarvari --- .../{python3-werkzeug_3.1.5.bb => python3-werkzeug_3.1.6.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-werkzeug_3.1.5.bb => python3-werkzeug_3.1.6.bb} (90%) diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.6.bb similarity index 90% rename from meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb rename to meta-python/recipes-devtools/python/python3-werkzeug_3.1.6.bb index 1df88b78d0..edddca72e0 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.6.bb 
@@ -10,7 +10,7 @@ HOMEPAGE = "https://werkzeug.palletsprojects.com" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67" +SRC_URI[sha256sum] = "210c6bede5a420a913956b4791a7f4d6843a43b6fcee4dfa08a65e93007d0d25" CVE_PRODUCT = "werkzeug" From patchwork Mon Feb 23 19:18:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 81626
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-webserver][PATCH 13/13] webmin: patch CVE-2025-67738 Date: Mon, 23 Feb 2026 20:18:50 +0100 Message-ID: <20260223191850.1049304-13-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124567 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67738 Backport the patch that is referenced by the NVD advisory as the solution. Signed-off-by: Gyorgy Sarvari --- .../webmin/files/CVE-2025-67738.patch | 37 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_2.501.bb | 3 +- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/CVE-2025-67738.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/CVE-2025-67738.patch b/meta-webserver/recipes-webadmin/webmin/files/CVE-2025-67738.patch new file mode 100644 index 0000000000..b29f813e72 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/CVE-2025-67738.patch
@@ -0,0 +1,37 @@ +From 8729e319979290fea6f4bd8a1664fa41fde24d17 Mon Sep 17 00:00:00 2001 +From: Jamie Cameron +Date: Wed, 29 Oct 2025 22:02:29 -0700 +Subject: [PATCH] Fix quoting of args + +CVE: CVE-2025-67738 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee] +Signed-off-by: Gyorgy Sarvari +--- + squid/cachemgr.cgi | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/squid/cachemgr.cgi b/squid/cachemgr.cgi +index 10548b50..59a4009d 100755 +--- a/squid/cachemgr.cgi ++++ b/squid/cachemgr.cgi +@@ -14,6 +14,7 @@ my ($mgr) = glob($config{'cachemgr_path'}); + if (&has_command($mgr)) { + $| = 1; + my $temp; ++ my $args = join(" ", map { quotemeta($_) } @ARGV); + if ($ENV{'REQUEST_METHOD'} eq 'POST') { + # Deal with POST data + my $post; +@@ -23,10 +24,10 @@ if (&has_command($mgr)) { + &open_tempfile($fh, ">$temp", 0, 1); + &print_tempfile($fh, $post); + &close_tempfile($fh); +- open(MGR, "$mgr ".join(" ", @ARGV)." <$temp |"); ++ open(MGR, "$mgr $args <$temp |"); + } + else { +- open(MGR, "$mgr ".join(" ", @ARGV)." |"); ++ open(MGR, "$mgr $args |"); + } + while() { + print; diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb b/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb index 2c807947e4..7e09ec3664 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb @@ -18,7 +18,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://media-tomb.patch \ file://mysql-config-fix.patch \ file://webmin.service \ - " + file://CVE-2025-67738.patch \ + " SRC_URI[sha256sum] = "0f2772a582d4c4cf24085993729cfc94df2a64d619cefede5400c24b02efb08f" UPSTREAM_CHECK_URI = "http://www.webmin.com/download.html" UPSTREAM_CHECK_REGEX = "webmin-(?P\d+(\.\d+)+).tar.gz"
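Review bot: In the Pillow recipe hunk, `branch=12.1.x` ties the fetch to a maintenance branch while `tag=${PV}` and `SRCREV` already pin the exact commit, so the next upgrade to a release that is not on 12.1.x will fail the fetcher's branch check until the branch is edited by hand. A short comment above `SRC_URI` saying that the branch has to follow the release series, or a sentence in the commit message explaining why the tag is no longer fetched from `main`, would save the next upgrader from rediscovering this.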
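Review bot: In the werkzeug hunk only `SRC_URI[sha256sum]` changes, and the changelog line in the commit message describes the CVE-2026-27199 fix as a `safe_join` change on Windows, so the message should say whether Linux targets built from this layer are affected at all. That lets stable-branch maintainers decide whether the upgrade needs backporting or only moves the version past the CVE check for `CVE_PRODUCT = "werkzeug"`.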
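Review bot: In the added CVE-2025-67738.patch, `quotemeta($_)` is Perl's regex-escaping helper rather than a shell-quoting function, and both rewritten `open(MGR, "$mgr $args ...")` calls still run through the shell with `$mgr` and `$temp` interpolated unquoted. Because the patch is tagged `Upstream-Status: Backport` it should stay identical to upstream here, but the list form of `open`, which passes arguments without a shell, is worth raising upstream as the sturdier fix. Separately, the commit on the patch's `From 8729e319` line differs from the one in the Upstream-Status URL (`1a52bf4d`); please state in the commit message whether the upstream change applied cleanly to 2.501 or was adapted.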
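Review bot: In the webmin_2.501.bb hunk the closing `"` line of `SRC_URI` is removed and re-added, which looks like a whitespace-only change riding along with the new entry. Keep the original closing line untouched so the hunk adds only `file://CVE-2025-67738.patch \`, and consider listing it next to `mysql-config-fix.patch` so the patches stay grouped ahead of `webmin.service`.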