From patchwork Thu Feb 26 14:46:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82009 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F129FCE09B for ; Thu, 26 Feb 2026 14:46:31 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71417.1772117187557456118 for ; Thu, 26 Feb 2026 06:46:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WKJ/NCvX; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-48329eb96a7so7080935e9.3 for ; Thu, 26 Feb 2026 06:46:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117186; x=1772721986; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=twItnaHfNbYfvScFIg6n1ga+9tb0cAHNf5rhCPTiicg=; b=WKJ/NCvXkz/NBTbvbkSkH294Q5bDZ2u3cwG2GQKL6AMO4iVcoxz94Mo3iGRCo56bxS 6gD0xp3p/PBP34G4Qnldiflb3Xr4BUEwZJCcT4ezb/4wP3snyAq791Z4tCVTmc9XMJq/ ftoA/9S/uTjemld6SLb3VfYDMwSUsBW0zWcB0Bih7vusYwVWJgLxCEnFAAdpfR/v44ZF eT3lja9X41ADm5RB3DqHBI4iL/76w4gJFQHoaPLE/zJyuvXKoX4NrFwqxfeqbqyJF1an u5Ha3mW9xPaHSjIPWqvf1oTr5P/rEoXcv0gPekz1ANhJenVB8YgFoejOsslJvVl2AFpZ vuLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117186; x=1772721986; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=twItnaHfNbYfvScFIg6n1ga+9tb0cAHNf5rhCPTiicg=; b=If3SzwZT2Mz42FlO4IYqB/ti3dg1wVf5H6xFUYSPjwxmCcWyvVWGXV0DvsNT7J2VLs cAzJoLfFOKr+MXjvKdKjWpu8BYwH8lRC6pjQ9aYClCOBcT1W1iWc8flk32InRK3yud+z 7Uag2oMXtMf6x3HyKGTCu44ZlOzj3tN8gAm0aRSpKwZcAb15RBPIF/AFWXN39TmuWiOu +6Y9ZqdcC7N/VFQgxHqlnt+KHhy5PSLHYM8rWiu+rPRqG7W3aBHf0UbkulkzWpQP0pDs pgiVnSZcu3GItD1rJfTIVewtNzgToMyBlJ7FTmrs1yzDerjBcmXgMFNOGK9cPBWlyYd2 0fyA== X-Gm-Message-State: AOJu0Yz+bQo8giMxcrRcedzNFPhBxc2fSJR6fp2uaUcclOzrgeSYjVun N+Xoem4Nx1+2WsCYd2OVo8ulLqZLNBgPkx6DpDmvSIs9Pf+roU8Te6QUxTN+CQ== X-Gm-Gg: ATEYQzwEG8Ap1AB/vgO1MEN6h4TnPtaPAKGt7MUfBdSAPmh0lj1PSDbuFakjdLU+5jv TaJ+nnu2IqPdV9qJybjJvij7ly+ZLHqtVF6S5/xkAnNEnu8yayCDkSqHcbfi5qc5DmPDwnrIAHI QLCWHGZF1hA9j7lHcboSc1DUAxoRE75rv3OSWqJCBsMD3tTFnouUanPyIWy6fcy5oTe7uKMkSpb zh9mGQvzpTFm3tp6dLjrNzGPPojjPqzl75RqtZ2C6i6t2N8zCSxiNQEEi4y6BLsT6Dn+J30p/DC uQJemP99WTUMsTopTZGescLs6Jwb+NmjYSkCbSHzk91ZKYqjYtns8aEf5p9qym/4p1MSP9dxTkK w8MAPPObr6v6EQOZXYBz9STm61aKGAQqI35eT1Ef2uCpK5qpZ+dtvszhtuRjQBoiLfJUf+xtcud GTHPXqM9mSo2JdU0Zkhj7w X-Received: by 2002:a05:600c:46c9:b0:483:6f37:1b51 with SMTP id 5b1f17b1804b1-483a95ea9c9mr308392385e9.23.1772117185495; Thu, 26 Feb 2026 06:46:25 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:25 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/7] cups-filters: patch CVE-2025-64503 Date: Thu, 26 Feb 2026 15:46:18 +0100 Message-ID: <20260226144624.3743168-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124678 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503 Pick the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../recipes-printing/cups/cups-filters.inc | 1 + .../cups/cups-filters/CVE-2025-64503.patch | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index ddd6451ccc..401ca9a9e9 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -13,6 +13,7 @@ SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar. file://CVE-2025-57812.patch \ file://CVE-2025-64524.patch \ file://CVE-2023-24805.patch \ + file://CVE-2025-64503.patch \ " inherit autotools-brokensep gettext pkgconfig diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch new file mode 100644 index 0000000000..32ded99d92 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64503.patch @@ -0,0 +1,43 @@ +From 019bb270f0a8a1db4761e580dc7bb636c1586555 Mon Sep 17 00:00:00 2001 +From: Till Kamppeter +Date: Mon, 10 Nov 2025 18:31:48 +0100 +Subject: [PATCH] Fix out-of-bounds write in pdftoraster + +PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated. + +Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m + +https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 + +Fixes CVE-2025-64503 + +CVE: CVE-2025-64503 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865] +Signed-off-by: Gyorgy Sarvari +--- + filter/pdftoraster.cxx | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx +index e8af184..e6fc573 100755 +--- a/filter/pdftoraster.cxx ++++ b/filter/pdftoraster.cxx +@@ -1688,6 +1688,18 @@ static void outPage(poppler::document *doc, int pageNo, + header.PageSize[0] = (unsigned)l; + else + header.PageSize[1] = (unsigned)l; ++ /* ++ Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt ++ https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372 ++ */ ++ if (header.PageSize[0] > 14400) { ++ fprintf(stderr, "ERROR: Page width is %dpt, too large, cropping to 14400pt\n", header.PageSize[0]); ++ header.PageSize[0] = 14400; ++ } ++ if (header.PageSize[1] > 14400) { ++ fprintf(stderr, "ERROR: Page height is %dpt, too large, cropping to 14400pt\n", header.PageSize[1]); ++ header.PageSize[1] = 14400; ++ } + + memset(paperdimensions, 0, sizeof(paperdimensions)); + memset(margins, 0, sizeof(margins)); From patchwork Thu Feb 26 14:46:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82012 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FDDCFCE09C for ; Thu, 26 Feb 2026 14:46:31 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.71624.1772117188019655133 for ; Thu, 26 Feb 2026 06:46:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BYO5dxON; spf=pass (domain: gmail.com, ip: 209.85.128.53, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-48371119eacso11108265e9.2 for ; Thu, 26 Feb 2026 06:46:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117186; x=1772721986; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=0n5Zm6xAaNpx93xvcy+tmEIoJD5gyfBXO8fx/+aWYUM=; b=BYO5dxONzmMUCh49jZfpUBQE2o9I6yUjVXjl6U3g4BWQ2BDbBmMaF4t06Jw5K0nE6J oxYpC5WqGDiqkCrLLoQ568tyXMabtE8hKCtABc1UQI+agfdrZc7BlfUR7FRUlMlCHK4k jRU7Z7b0r3BSxJS2Uvg9rgNqUft5fxK3BNsK1Bp8JFjKakxVsIKVItq/EEZjtsq5O60l ITjFI+PE1dayjhVX6/yZ7XNd+iFInkW3oOgV4pG7wXGyAV7OArepFqOgLVJYMN/ecg0e wBIyoqLaB/Ppv08wQQsWdhLiiVfBrfWMNrLAP3lBYaLjs8yv9n1urqzUsZfDIR7IhwB5 MU8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117186; x=1772721986; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=0n5Zm6xAaNpx93xvcy+tmEIoJD5gyfBXO8fx/+aWYUM=; b=aW3QypCjfjaIa/chf+RXQJiMnJGMorFk2f9X0Bi/49tug3SIy+oU+w0KBSrpSdzYHp RzAYwH5syLR12axhAak47Gz0Z8RuCI9hUBeQitI/GzmEbIEwdCrrMCCdmPDdXj0c+BOS mQsIJ/j0DRYCbl2NrDme/53xbPPLilUW0tj6ODEHybsQ6QJW3c/zIUCYzrPjr84gf5T5 mGw9btZ4VgDENdT+be7Vel+sJnlO/cKMdygVUWvefDu9+Ag2IMAQGLHH/1nNQKGfqvsQ mowWTQsfpMwoSg6sPG6Fr+gCuw7OKprca5AITVEJ3wEvDGhnJXih8em5OEKgck0l2auk LYdQ== X-Gm-Message-State: AOJu0YyyDszEYxhsOKCJfqlGnjr5ttEqjKjfHXenOmlDkydTMLX+f3gB 8YH5O24ct2pp40SmDLilzglGlKEMhODTRCKi4bGkMiY3ifI7ZOQLpb4X7vOLHQ== X-Gm-Gg: ATEYQzzbsuolwJAp9FbZ/8eZSFm7ayRD3ocy0aciUNR+/1aDfHvYBv4ZmGshcZhgYmQ yhXutXCPAd2ZdpXLIu4ILRg6aBC+ozC2eGaZxk6edYLMahnQhCWfIF/RQl8e6ChwLDgxjMS0jcq upPdZLSuF+rdgC2XMJVLAfmKq5liVgYkmT0//twX5eCUU+SiT2MdLBZHu6u6GQdrhmXrLjCb/3Z hzbvxxZ7syEvBDK/QwK6lWpCgcvs1BU8AcObN6XSuX34/3AugQS33kbdBkO7Uypu3bOoGAPU3TV n3my+5Igx5nZM0jmpSWINlvtKVTap+gInSvbiZMGOR3kO84Sth2nVULL4+pUvmBY0kVfUHBvClD ai2gu52MbVpQ7l2KkoAp5aTeUYn7L2TWW+ssKJ34VVCHSccZrkLs4IqDf52MwDAcHaQ9rEDEuaA xMRIM5poAaj0DEp+Yxb+IV X-Received: by 2002:a05:600c:8b6c:b0:477:7bca:8b34 with SMTP id 5b1f17b1804b1-483c3da0b6amr36090305e9.6.1772117186133; Thu, 26 Feb 2026 06:46:26 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:25 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][kirkstone][PATCH 2/7] dante: patch CVE-2024-54662 Date: Thu, 26 Feb 2026 15:46:19 +0100 Message-ID: <20260226144624.3743168-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124679 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-54662 This backported patch was taken from upstream's website[1], where they identify it as the solution for this vulnerability [1]: https://www.inet.no/dante/ (bottom, "advisories" section) Signed-off-by: Gyorgy Sarvari --- .../dante/dante/CVE-2024-54662.patch | 71 +++++++++++++++++++ .../recipes-protocols/dante/dante_1.4.1.bb | 3 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-protocols/dante/dante/CVE-2024-54662.patch diff --git a/meta-networking/recipes-protocols/dante/dante/CVE-2024-54662.patch b/meta-networking/recipes-protocols/dante/dante/CVE-2024-54662.patch new file mode 100644 index 0000000000..6ed7380410 --- /dev/null +++ b/meta-networking/recipes-protocols/dante/dante/CVE-2024-54662.patch @@ -0,0 +1,71 @@ +From afedc6d8e518e4675be55557322710136a9e17a4 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 26 Feb 2026 14:34:07 +0100 +Subject: [PATCH] fix CVE-2024-54662 + +This patch fixes CVE-2024-54662. + +Description: Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect +access control for some sockd.conf configurations involving socksmethod. + +CVE: CVE-2024-54662 +Upstream-Status: Backport [https://www.inet.no/dante/advisory-2024-12-16.patch] +Signed-off-by: Gyorgy Sarvari +--- + sockd/sockd_protocol.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/sockd/sockd_protocol.c b/sockd/sockd_protocol.c +index d7b9405..1ea973a 100644 +--- a/sockd/sockd_protocol.c ++++ b/sockd/sockd_protocol.c +@@ -428,6 +428,7 @@ recv_v4req (s, request, state) + request_t *request; + negotiate_state_t *state; + { ++ rule_t *crule; + + /* + * v4 request: +@@ -440,6 +441,26 @@ recv_v4req (s, request, state) + /* + * No methods supported in v4. + */ ++ ++ SASSERTX(state->crule != NULL); ++ ++ crule = (rule_t *)state->crule; ++ ++ if (crule->state.smethodc > 0 ++ && crule->state.smethodv[0] != AUTHMETHOD_NONE) { ++ snprintf(state->emsg, sizeof(state->emsg), ++ "client-rule overrides prefered SOCKS authentication to use for " ++ "matching clients to be %s\"%s\", but connected client " ++ "is using SOCKS v4, which does not support any authentication", ++ crule->state.smethodc == 1 ? "" : "one of ", ++ methods2string(crule->state.smethodc, ++ crule->state.smethodv, ++ NULL, ++ 0)); ++ ++ return NEGOTIATE_ERROR; ++ } ++ + request->auth->method = AUTHMETHOD_NONE; + + /* CD */ +@@ -555,10 +576,10 @@ recv_methods(s, request, state) + default: { + /* + * Socks-methods that can be decided for use before we receive +- * the actual request. Normally only gssapi, but if the +- * rule has singleauth enabled and the client matches the +- * criteria for it, the socks-method will also have been +- * chosen already (should be NONE). ++ * the actual request. Normally only gssapi, but if the rule has ++ * singleauth enabled and the client matches the criteria for it, ++ * the socks-method will also have been chosen already (should be ++ * NONE). + */ + size_t i; + diff --git a/meta-networking/recipes-protocols/dante/dante_1.4.1.bb b/meta-networking/recipes-protocols/dante/dante_1.4.1.bb index 48f9708560..522411be4f 100644 --- a/meta-networking/recipes-protocols/dante/dante_1.4.1.bb +++ b/meta-networking/recipes-protocols/dante/dante_1.4.1.bb @@ -12,7 +12,8 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=221118dda731fe93a85d0ed973467249" SRC_URI = "https://www.inet.no/dante/files/dante-${PV}.tar.gz \ - " + file://CVE-2024-54662.patch \ + " SRC_URI[md5sum] = "68c2ce12119e12cea11a90c7a80efa8f" SRC_URI[sha256sum] = "b6d232bd6fefc87d14bf97e447e4fcdeef4b28b16b048d804b50b48f261c4f53" From patchwork Thu Feb 26 14:46:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82011 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60C40FCE09F for ; Thu, 26 Feb 2026 14:46:31 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71418.1772117188590971065 for ; Thu, 26 Feb 2026 06:46:28 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BQaOfpbl; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-4807068eacbso8062955e9.2 for ; Thu, 26 Feb 2026 06:46:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117187; x=1772721987; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bA0JRYuKqwyWmc+kv0k0d3A6gXgzxIXCPYgcbyiyu2Q=; b=BQaOfpblrvVhy4zMLiXCYDfCbFsqtZ/6Hl9VvXRkvetu9wHiyvP5aB9kc4swLC8nwA ww0tkifuuFOjhFtlDvKzuPycdjvLPr0er/NIA2DSQh/fac/5kRgKMCouM/oRgVfHtvB6 YCD2iCfhpCi/yE+o9TvK4k0vi3tE2PfrWDhfBCVsGXmynOmo6yqcYL6PQqCTGk3jt+ag 0ghu7ZImsXhbnaT4GbGzQ51tBr85zO1NCcwb1GnqKREiNtdme7uq2Jsk6Z1vsdK2ceDk yFgmE9Kop3sFX4HwuQvANwj1+hcp0jpjSTS4uHm51K+5xIGWwZBBG2+vu6gbs5GRZUN5 vIjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117187; x=1772721987; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=bA0JRYuKqwyWmc+kv0k0d3A6gXgzxIXCPYgcbyiyu2Q=; b=S6I9RoiwZOJmiuVFMvxajZhk9oueSROzRr1bssVHZ2W+Ab0EOBY7Vz35RizHO+vTPd b/cKV34FX0m6uF7n2T65la2tt7SIGaBGFRot2wZjQd81uRNUedxepjlfbiPEFVfyWqrU Q/l+1vMxHs5EjjndHzTTtehK8+2AaIYsTbzjPUtY9nqX3W80dYxArt5IkZ+qi3kN7Oxw 5jTKKEJ4UkVtHnboZKYt54lE3j6Npc6MjXdDIxaprbNL0E6FXXfsc+JQg57cAuJ4fxzm G3PoV4crbhjcnIZSWpfCBnQgGxc/pL6/DWxN26wKMxFaT0GrztGAdmAM51zP5PSSISxL FmOg== X-Gm-Message-State: AOJu0YzDXpflUgfjKUDbjwRlgjHd7SVxdB+sfD922QEg7eBqBiKA7iOq dBuYdcorD6Bl/sg3GGOORuN7bBpM9s5Ab4jKLcpp6t1nkMSOOf4gY4UJDw0yrg== X-Gm-Gg: ATEYQzyqFtud8sJkc5od0h92qNyE+8q3AEz1b/BjxmNlw4/4MF8Sd/eOLZbkkJ1E6Zc us+koll6ZJAnlxG1/qpl9bCTjDNBsM1gLWwF7GeOS8YZKdzArazte2P7XFdvnBdSvaOUcu037/Y hbjqTHSZBstWqxP6odUunydeDBLPircxO8T4YWod3QSZGvBS2O6q1OEq168G1aCTBZGYlF7QyHX yM6p9nAirEnKLXHUKxlvgpFXTlsNw2fIKj74+UDZ+oSlw9MioC3eKVWGlOkWrL1sx1gh610R6Mk pukQL+nB1k8mtolt1SaJES5Q9ED9xJpZ52LEEk+HykQ9dW4gH7pFbYVdLlS7V0fWUqrSkF6GiXz RiRbD5IOymGFpsQ1gtIWyFEoVrnuISC/FHf8oIue6GbhQTzMoG/bMaFmznDmPMZ/9RL1bpWDZMq X5Uu4cnEmMXOx9nv+x6qDV7dY+nx4v2j0= X-Received: by 2002:a05:600c:4451:b0:483:b505:9db7 with SMTP id 5b1f17b1804b1-483c3df7281mr34647225e9.32.1772117186852; Thu, 26 Feb 2026 06:46:26 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:26 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/7] protobuf: ignore CVE-2026-0994 Date: Thu, 26 Feb 2026 15:46:20 +0100 Message-ID: <20260226144624.3743168-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124680 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994 The vulnerability impacts only the python bindings of protobuf, which is in a separate recipe (python3-protobuf, where it is patched). Ignore this CVE in this recipe due to this. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-devtools/protobuf/protobuf_3.19.6.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.19.6.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.19.6.bb index 95a76514a5..4cab00fc4d 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.19.6.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.19.6.bb @@ -37,6 +37,9 @@ EXTRA_OECONF += "--with-protoc=echo" TEST_SRC_DIR = "examples" LANG_SUPPORT = "cpp ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python', '', d)}" +# the vulnerability is in python3-protobuf recipe, not in this one +CVE_CHECK_IGNORE += "CVE-2026-0994" + do_compile_ptest() { mkdir -p "${B}/${TEST_SRC_DIR}" From patchwork Thu Feb 26 14:46:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82010 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2DE55FCE09A for ; Thu, 26 Feb 2026 14:46:31 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.71625.1772117190475130751 for ; Thu, 26 Feb 2026 06:46:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ajBdCNbI; spf=pass (domain: gmail.com, ip: 209.85.221.41, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-4398913af88so869057f8f.2 for ; Thu, 26 Feb 2026 06:46:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117189; x=1772721989; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YQOrG9cZeNgSzjZaF0sO2rv3Hq5+53oo6KZ+UhmC7nQ=; b=ajBdCNbIS0iWuLQM489qx3qZ+sDOX9fQrPFYvSEMu7NPfukMNMtU3yBSHZlvgtPDia /Q7ClaO5eK0Zyrc2nH1DuOfpruHH9Xw9nmPV8AOr0lC18S+uYvyjcaPy8fTVPtGs+whG zEbzDJzwraNotwlrJYRvwwWR1eq3drfB0KY4dt+1XQYFDSoDPsPv2ATVIzT11w2siy2l AH06hEEfDv+yTMFRrBPksgH0iy1Ddyl3pHZPwwitNNF5jKLZyz9dEm1DZr59ewvIvYCH YjsZxf05Wn96IAn9gbYju/OPI3ByCcgr34bil/V+3YQlkMjjuadfF8f4WLeQrfiEFxSB jLnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117189; x=1772721989; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=YQOrG9cZeNgSzjZaF0sO2rv3Hq5+53oo6KZ+UhmC7nQ=; b=JE7CUiWxifZGTtpWIPPNHf9cGA0y2TIkqcJ4L0Xaaklf1ebSaxKqCM/BUZAW4aCbBz wf6ExudiuSQJhyD1/o+lyudaBaJVqQTZudSRzgcHovSqomZw/ght7JkcNdy1lcgZuZ8g zRDFadwuyBEv8mTH6AtswSWQlsQ+VfdDwJa4BXha1fGwHzvRoBLizTXPp/N4CJlbkXgR xR/V261Twonlcrrg0MC+t6n2ODjctQSu8SZyDobbiEhwWw5PiJEnj5zP66EgWVTOqyhx qfZTk3a6LRa8ifKcL8KwTyWn/HIYsKHH772uVWjqbewTF42fIDZ0mseEIjwDNFL/LpKt lXVA== X-Gm-Message-State: AOJu0YxOBHmS/Mf4vXeRzSohdWlm8eoDJkBnuivmbITY5iniDets8d6v xpx5x4SXbUUjQdQJaPuqp6zWutmTTBIRNyINlByW5KYLp8cezFMYz5cLwEoMvg== X-Gm-Gg: ATEYQzzo2ujdhfhrBImMv2HuzarTYo5mYMfl2s3FAxDG3VT6CGzsUwTwf4P3Gp32OCi NyvYloZoEbpwVwUPYdcHZ3TciKNAvQ2tR4RbrpimnFBtXIalqaZ1JelUly1yoaPcLA8RZlRJy+v 0BnRNcXlgjYCXnVuGavy+T6qPxMmiHwQD73hZPvOk57hZTzlNpSVV/7LnWOD9sLWCPlQO87ltnY QFRb56GqXYF/XsrIYcacmEYmmkaUT3vJEREWSMJY+cRKjIJUguhl0BZiN37NmcedovqakjO5FXp OHC7MkgJWrFDKhhqCey93yIh7t/3pJsiuHe4WZk2/3hJr44eoLaoOC0atNUzYkdajIzVK/i6GgN vAvjTISEkvW/9LLmJNj5cak+Ce6pwAK4fVWVmX7KtDEs6xxCY/hqBRMeFQ5KgcE02Owz6KoFjoc yMccxfMvhlUpAJd63Uiwee X-Received: by 2002:a05:600c:3151:b0:477:54f9:6ac2 with SMTP id 5b1f17b1804b1-483c2123ab3mr82581505e9.0.1772117188529; Thu, 26 Feb 2026 06:46:28 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:28 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/7] fontforge: patch CVE-2025-15269 Date: Thu, 26 Feb 2026 15:46:21 +0100 Message-ID: <20260226144624.3743168-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124681 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269 Pick the patch that refers to this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari --- .../fontforge/fontforge/CVE-2025-15269.patch | 35 +++++++++++++++++++ .../fontforge/fontforge_20190801.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch new file mode 100644 index 0000000000..7fa16480ef --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15269.patch @@ -0,0 +1,35 @@ +From bcc5fc655ddd0401595c3f012969de95538e402f Mon Sep 17 00:00:00 2001 +From: Ahmet Furkan Kavraz + <55850855+ahmetfurkankavraz@users.noreply.github.com> +Date: Sat, 10 Jan 2026 20:06:53 +0100 +Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing + (#5722) + +Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing +the next pointer after shallow copy. The shallow copy propagates liga's +modified next pointer from previous iterations, creating a cycle that +causes double-free when the list is traversed and freed. + +Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564 + +Co-authored-by: Ahmet Furkan Kavraz + +CVE: CVE-2025-15269 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d] +Signed-off-by: Gyorgy Sarvari +--- + fontforge/sfd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fontforge/sfd.c b/fontforge/sfd.c +index 132f9fa0c..940627a3b 100644 +--- a/fontforge/sfd.c ++++ b/fontforge/sfd.c +@@ -4780,6 +4780,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) { + while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) { + new = chunkalloc(sizeof( PST1 )); + *new = *liga; ++ new->pst.next = NULL; + new->pst.u.lig.components = copy(pt+1); + last->pst.next = (PST *) new; + last = new; diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index cfb20ab2bd..41d43114bf 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://CVE-2020-25690-1.patch \ file://CVE-2020-25690-2.patch \ file://CVE-2024-25081-25082.patch \ + file://CVE-2025-15269.patch \ " S = "${WORKDIR}/git" From patchwork Thu Feb 26 14:46:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82015 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 453CAFCE09F for ; Thu, 26 Feb 2026 14:46:41 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71420.1772117191018465547 for ; Thu, 26 Feb 2026 06:46:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Fgg7+8o1; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-483487335c2so8813735e9.2 for ; Thu, 26 Feb 2026 06:46:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117189; x=1772721989; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FZIzVES58nMD8d0Zfv/KakDR4OR1P2SqKam57pxMoFc=; b=Fgg7+8o1I8iL0oeFai7C90c/JTQZ8OFu39gx0Jn+seo4iR0M7E/VXBoQpghzuQi+/O T7bY5+7AdDgNnIRjbP3ORhr4xxgm0dju68UJZsST4ciAGJ9plHQK11ktWULu4Eqza1NB FxxayQjVWzrwI7VJDQiQzvqLeBd0uZK3NI73TpaYg1KEEfaa5sBOezHkEbmgnQXu0ws2 twZ97riKHh6XCxhhUYBGAIRI6Um3TDRm53L2L2AtEwgelwYUsVVcR90L45HkQlMjUQY1 A2Y/zs4FFtyAoo/9hIKTLtKUANbGUlSqxJeWoCbeA2DtQcXh25FFDCWfDUcrFBBFw341 Jpfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117189; x=1772721989; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=FZIzVES58nMD8d0Zfv/KakDR4OR1P2SqKam57pxMoFc=; b=sEI2cZG2XaKguSF6K3SxdFHQxWUjqJow2xnatpolZlwginyMetzUenYNNItpVRO0tY GuU7vKmGGKxPL3gtoHftvn0NRwCmzV40d36APNLe3G+SJQ5LHMGR7KTOilAYhL+sX0UO dXJt9nl08MPVn1+61R7Fw/5RlqlhoC5FuX0FfhCIseHTuPxv4jBpxPprZhNYHdu8GKKr p0GFuGshlMLQ5rShEg8s0/STTNIRR39EtaElZrImKTo1r+r+wO1Paj+wCn1KAEM/peXQ 0aVsrgexXt5sLdGCi2tIGJgkMlBcKB8Zg+3OfHp9brjJ/UJ2urRs8BCgP63dJYzbbD8G lRvQ== X-Gm-Message-State: AOJu0YwuQinO8zkTXBPAMka3Bep8uK7UlhYgW8wiAhPGEzN+/HryC0eR LPXtAVA+DMauP29cRCa6tGqnXLOY3S48a9CBau+Izdp2fjFVdHiLRVjd9zMieg== X-Gm-Gg: ATEYQzzhvQXYnsPqBEqWt1/pd8OlFE+qsC5YPd3nEKQ+l4BYW4vZTJe1qDCK8e2DG1y frVp61ka6OB3VlYbrz4m9yIYGdWRJzwhR6CKnZn2Q+fALwltoB8KV3BO/wAp89DjF3oY9RWRpP4 aAuuevNYFBHZf1ld7mxsOSwQmxGUTzzyWrQgDxWol8DEoL8CzH27v0lf67lwT/miA7n9/nlvDKa 7sK7Yc6tmFFoe+eH50AXJQcE1m/dZU7qh84vyAbhG3wtit7SwgVweqKy2TSRPTvTxZ/voUQt0io rr/2yqwnO1cKRwynAoFOSp3tOD9NKr38gGJYQ+/ALttHQOXQepN1y574k0j/fB+wypRH+9Jjtc7 inRC7va10D85rbyigIrQtQx2wfawbEj+kQOZli0giYlyA2RcZkOvFcHRECH0KY8LGjSE0+DAmxh 3tPwI7kcm2ulfKLbCMBRQc X-Received: by 2002:a05:600c:8b44:b0:480:6852:8d94 with SMTP id 5b1f17b1804b1-483a95eabccmr329844685e9.27.1772117189172; Thu, 26 Feb 2026 06:46:29 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:28 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 5/7] fontforge: patch CVE-2025-15270 Date: Thu, 26 Feb 2026 15:46:22 +0100 Message-ID: <20260226144624.3743168-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124682 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270 Pick the patch that mentions this vulnerbaility explicitly in its description. Signed-off-by: Gyorgy Sarvari --- .../fontforge/fontforge/CVE-2025-15270.patch | 44 +++++++++++++++++++ .../fontforge/fontforge_20190801.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch new file mode 100644 index 0000000000..b70a395f79 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch @@ -0,0 +1,44 @@ +From c36b95c57f85a34ad85ca2be34f62ff1100d52f1 Mon Sep 17 00:00:00 2001 +From: Ahmet Furkan Kavraz + <55850855+ahmetfurkankavraz@users.noreply.github.com> +Date: Sat, 31 Jan 2026 21:23:41 +0100 +Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class + parsing (#5743) + +Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563 + +Co-authored-by: Ahmet Furkan Kavraz + +CVE: CVE-2025-15270 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7] +Signed-off-by: Gyorgy Sarvari +--- + fontforge/sfd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fontforge/sfd.c b/fontforge/sfd.c +index 940627a3b..99d92b051 100644 +--- a/fontforge/sfd.c ++++ b/fontforge/sfd.c +@@ -8276,6 +8276,10 @@ bool SFD_GetFontMetaData( FILE *sfd, + for ( i=classstart; ifirst_cnt; ++i ) { + if (kernclassversion < 3) { + getint(sfd,&temp); ++ if (temp < 0) { ++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); ++ return false; ++ } + kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0'; + nlgetc(sfd); /* skip space */ + fread(kc->firsts[i],1,temp,sfd); +@@ -8293,6 +8297,10 @@ bool SFD_GetFontMetaData( FILE *sfd, + for ( i=1; isecond_cnt; ++i ) { + if (kernclassversion < 3) { + getint(sfd,&temp); ++ if (temp < 0) { ++ LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp); ++ return false; ++ } + kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0'; + nlgetc(sfd); /* skip space */ + fread(kc->seconds[i],1,temp,sfd); diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index 41d43114bf..39f434bfd4 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://CVE-2020-25690-2.patch \ file://CVE-2024-25081-25082.patch \ file://CVE-2025-15269.patch \ + file://CVE-2025-15270.patch \ " S = "${WORKDIR}/git" From patchwork Thu Feb 26 14:46:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82013 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4540DFC5902 for ; Thu, 26 Feb 2026 14:46:41 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71421.1772117191595997169 for ; Thu, 26 Feb 2026 06:46:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=M5M+G/2I; spf=pass (domain: gmail.com, ip: 209.85.128.51, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-48374014a77so10645745e9.3 for ; Thu, 26 Feb 2026 06:46:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117190; x=1772721990; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lqJlEs0BfchtHbU6S7xflQebLi81bgznNId7TASFtNc=; b=M5M+G/2Ia6c82lJ1dPv23IxPJ4vQ6lZ4I4ChSqtnVjsOX2oJ9gej6Xj0gvKeFVMdVr dG85nxgNnzYXqSP5acCociFA7xdBqIk3VDRatcxc8JHh9brG+HkkIFzi4hOveU/ekqtJ rghrfMuMXyKB1eXQIP7+80iBVs7U/svju0N4Y9CX3UwUH7SoL3sg24dobM9cuiAfnTCR H1LZDEUBztHUwXOnVdsa7UxijVYAXFL8SA5BFQdEpFzAgLvmEjKMWLTjm8hxeaNve4cr wzjZh3XbM8pnW/7SS4JBXidTzFLggdPIoWqJvnbKnkHTyNKDeu+OJEAoC+qpNvIklxIY CGcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117190; x=1772721990; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=lqJlEs0BfchtHbU6S7xflQebLi81bgznNId7TASFtNc=; b=QELSSYXQlzH69QEjGGr6FK3iirmcqfCxgV5roFi7UZcllYc80/Pvrqw/qee/w2oPl1 9/rwu0Ek77ApNU2+Z7K5wSB39ynXu2Q5A9kduhb/6IOYK12Wxcwvdz/MeGS9/x3SweO5 3yGaEonl/UM/3IcBylDdOhtH072hkPHgGaMCVZHmSjqbAxmlt/bFAmsK7BodL4ivT05y nBR7tpA7QAo42pIoj5HFWunhKdahJEmQJApCTxNWmZDZDnr+TjRD8AmXAqi3msH583l1 EcNvVdkMVnYHOCIOhfuMaIYgu3Jw+S3vOqE5Ba53uQTqi4TEQGd0kKPaGfBcKEwjp1Q3 qhJA== X-Gm-Message-State: AOJu0YyUjaV6UwdvQ4KbRdOMb7wRXgB7wQdfW5o642XkQFbnw92J/NTI WkXXIioyyslu57+DF7tia4XEW1iOD+NkjW4GUe+Xr7xEw3RV3GXB4xIIOklgfw== X-Gm-Gg: ATEYQzzdHCW82tIGOMBOmkP4U3mFWRbKMnX013xFVmpHuvAM0JdKFsg5KfCLvcqlZrE ukfnp+ATHEzNH/raXBCfj0fU12QKt8JTqVCj8f3Em3FXs/wxQiIOpt1GxD0p8AUtkZeGwi1GFUY E4f7PRhV57oAsdRpgOS9OOInnQVi0HBAn1wN4DFT9VjZNu4hmf3OJ9oGhtEpDqwIJZaSATIQomu OemHMzZ5q8Fyd2Idow7Y6/p6LbCvH/HGQ5dX+au+azd38AeQNpm2ZUzA0eWI7fMMO2IDdTVPry7 S9ECK7rqf6kmcUdYk9zfGF7RjSkVUUytXM8i8VXwoZ1SVdJ2UsB0rRfcovtpk+J3CUM6qm0/VCO T8yMzGIXLhrbz17Knyl/2x3rZYiV/mgPdjB6eYBHuLodnxcGHZdPAv7m91kyFthUsmBnM7WbVkl r+EIB8rJH5NA+3htOyE3/H1c/H5zN3WZk= X-Received: by 2002:a05:600c:3e05:b0:483:6fc6:1e20 with SMTP id 5b1f17b1804b1-483a95b5410mr331977685e9.9.1772117189801; Thu, 26 Feb 2026 06:46:29 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:29 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 6/7] fontforge: patch CVE-2025-15275 Date: Thu, 26 Feb 2026 15:46:23 +0100 Message-ID: <20260226144624.3743168-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124683 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15275 Pick the patch that mentions this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari --- .../fontforge/fontforge/CVE-2025-15275.patch | 33 +++++++++++++++++++ .../fontforge/fontforge_20190801.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15275.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15275.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15275.patch new file mode 100644 index 0000000000..23a99338d9 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15275.patch @@ -0,0 +1,33 @@ +From dcaa8397934419e3f1fffd8a4bdd68de87484d9d Mon Sep 17 00:00:00 2001 +From: Ahmet Furkan Kavraz + <55850855+ahmetfurkankavraz@users.noreply.github.com> +Date: Fri, 9 Jan 2026 16:58:23 +0100 +Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing + (#5721) + +Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543 + +Co-authored-by: Ahmet Furkan Kavraz + +CVE: CVE-2025-15275 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7195402701ace7783753ef9424153eff48c9af44] +Signed-off-by: Gyorgy Sarvari +--- + fontforge/sfd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fontforge/sfd.c b/fontforge/sfd.c +index 99d92b051..25a81c0b4 100644 +--- a/fontforge/sfd.c ++++ b/fontforge/sfd.c +@@ -3714,6 +3714,10 @@ static ImageList *SFDGetImage(FILE *sfd) { + getint(sfd,&image_type); + getint(sfd,&bpl); + getint(sfd,&clutlen); ++ if ( clutlen < 0 || clutlen > 256 ) { ++ LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen); ++ return NULL; ++ } + gethex(sfd,&trans); + image = GImageCreate(image_type,width,height); + base = image->list_len==0?image->u.image:image->u.images[0]; diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index 39f434bfd4..b41a7dd8de 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://CVE-2024-25081-25082.patch \ file://CVE-2025-15269.patch \ file://CVE-2025-15270.patch \ + file://CVE-2025-15275.patch \ " S = "${WORKDIR}/git" From patchwork Thu Feb 26 14:46:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82014 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51E87FC5937 for ; Thu, 26 Feb 2026 14:46:41 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.71422.1772117192379551573 for ; Thu, 26 Feb 2026 06:46:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=QCA/hMsN; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4836f4cbe0bso8994195e9.3 for ; Thu, 26 Feb 2026 06:46:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772117191; x=1772721991; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PckXQyOaePsjlnHvgxTYlxRnfRdVT7aOxylcQRnXCls=; b=QCA/hMsNVgsaJhpy7h7yplc/lQyzqxluw3Yh+8DSKQ9RDdkvs1am4qBAmCHhf4kCMp 2Pxh8AWVk+7bv967hTy9M+fUK00xYiueQh59msrpjymqN59STdpEL7kbDsCpax1/fyJb d0rbjN9iwsFCejQnMQvGlpXay9P62fosdEOMa1Pa9MKKQe56liGcvoMkjTxfQXx7Fieq SP2aUbrV3kQ50k3lUZHYywRKdPZMALaK2Y0ic+XOrL1UBAcnWWugbtTs0B7jmrb6cRiO MuHgO03OGaoWDuIBpdmA3AEAKeM+8N8p4bAiEOVsxtrcYnipR4yDEyXjYoqTsS91RFuc 3LsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772117191; x=1772721991; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=PckXQyOaePsjlnHvgxTYlxRnfRdVT7aOxylcQRnXCls=; b=q8TB5BptCqbrP3s00poNVLE7a3D0Y+Rj+1wEbWhLwrJjOfcPHCK9y1F9Q0zsQyWeFY iAZowQRmvfPyH6fPHBBzYn55PhsleoCKmbdO0vT+FzX5BnSZGBYNqte9qPsceofpduNJ N63ocgqCcnZGrdc1eQbkRMakloBiGVN00vUvlb7ZSNtm9uBCrpAjlTlA7eYHouIBoWZJ wTvofOT+1M/FfHPiTItRRtLc8rBFKWaUwFqmo15sI/O+122iip8UscAXjUBass5R4WHT Y2vxHzDDN89hTVeepsP+48P9Zay+8RqE4XTEQpNRysVHVbGz6WkBdQ2gpPpJ3g+ZQTbb ++fg== X-Gm-Message-State: AOJu0YzXUsSopVgqQItnjjQpwwb/wCaF975CQr4a4tj8xujl8fHuIpx0 J27KLMYDN8DVfOkYLxtq+2SvjablpYt2AhEsgftkj11iIQ6X5gOCNTnYyZkygw== X-Gm-Gg: ATEYQzycstMVr8VOgje2/Jw42/ioiBJEQB67zKG4kU/PiVEtBdU2BpNLY6UJ3l/dCXf 4aILJgh9hApevXtzDpcgCyBo+cd1fAq8xy46uQqR2Z4GcpCzLwJK5/QQtO1kmEGzgBAZv+j4mcS i3+cxrwHojW1R7DS8ahK6ky5Ko8iE/Lrl0VqlYV82V/RdabZikw+eQIqv65hVCh3ieYQVGuIEzP I1NbtXucLYgmQ2ckjTVQ9ApntJnURrZAnEC+wAO7gqzn+/lcuQGeuD2CeStL3pFISlXDWvE1igc bAwVJPMd40GtvJs0L7SZkZ5Q/aAddnzuZkBleY7VpctCuCEAdZ+HKmuq+/UagvqFTl9h8JOWvOL wKBO40c4JY3A1aHsEspgS56R1lc+0y4ZBbEr1V4ncQwBF3dbr9Z2FTTYgZMe/IIJIF1qHXXGfXF peN/JhHAaGwaqyAMe3fGhv X-Received: by 2002:a05:600c:46c3:b0:480:6ab1:ed0d with SMTP id 5b1f17b1804b1-483c3dbcec9mr35313035e9.9.1772117190525; Thu, 26 Feb 2026 06:46:30 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bfcbd781sm75913745e9.8.2026.02.26.06.46.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Feb 2026 06:46:30 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 7/7] fontforge: patch CVE-2025-15279 Date: Thu, 26 Feb 2026 15:46:24 +0100 Message-ID: <20260226144624.3743168-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260226144624.3743168-1-skandigraun@gmail.com> References: <20260226144624.3743168-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Feb 2026 14:46:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124684 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279 Pick the patch that mentions this vulnerability ID explicitly. Also, this patch has caused some regression - pick the patch also that fixed that regression. Signed-off-by: Gyorgy Sarvari --- .../fontforge/CVE-2025-15279-1.patch | 41 +++++++++++++++++++ .../fontforge/CVE-2025-15279-2.patch | 34 +++++++++++++++ .../fontforge/fontforge_20190801.bb | 2 + 3 files changed, 77 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch new file mode 100644 index 0000000000..4ab5ae3fb3 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch @@ -0,0 +1,41 @@ +From a64a45ef6930128226d0d8fdaa4b41847ac507a9 Mon Sep 17 00:00:00 2001 +From: Ahmet Furkan Kavraz + <55850855+ahmetfurkankavraz@users.noreply.github.com> +Date: Thu, 8 Jan 2026 15:47:43 +0100 +Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE + decompression (#5720) + +CVSS: 7.8 (High) +ZDI-CAN-27517 +Co-authored-by: Ahmet Furkan Kavraz + +CVE: CVE-2025-15279 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073] +Signed-off-by: Gyorgy Sarvari +--- + gutils/gimagereadbmp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c +index e56477fc8..3ec5abbff 100644 +--- a/gutils/gimagereadbmp.c ++++ b/gutils/gimagereadbmp.c +@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) { + int ii = 0; + while ( iiheight*head->width ) { + int cnt = getc(file); ++ if (cnt < 0 || ii + cnt > head->height * head->width) { ++ return 0; ++ } + if ( cnt!=0 ) { + int ch = getc(file); + while ( --cnt>=0 ) + head->byte_pixels[ii++] = ch; + } else { + cnt = getc(file); ++ if (cnt < 0 || ii + cnt > head->height * head->width) { ++ return 0; ++ } + if ( cnt>= 3 ) { + int odd = cnt&1; + while ( --cnt>=0 ) diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch new file mode 100644 index 0000000000..95965f8ab8 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch @@ -0,0 +1,34 @@ +From 3ea803a0205aa1d9134a0440ccd55546e3aec019 Mon Sep 17 00:00:00 2001 +From: Ahmet Furkan Kavraz + <55850855+ahmetfurkankavraz@users.noreply.github.com> +Date: Mon, 12 Jan 2026 22:45:16 +0100 +Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block + (#5723) + +Co-authored-by: Ahmet Furkan Kavraz + +CVE: CVE-2025-15279 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e] +Signed-off-by: Gyorgy Sarvari +--- + gutils/gimagereadbmp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c +index 3ec5abbff..4bf255ee1 100644 +--- a/gutils/gimagereadbmp.c ++++ b/gutils/gimagereadbmp.c +@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) { + head->byte_pixels[ii++] = ch; + } else { + cnt = getc(file); +- if (cnt < 0 || ii + cnt > head->height * head->width) { +- return 0; +- } + if ( cnt>= 3 ) { ++ if (ii + cnt > head->height * head->width) { ++ return 0; ++ } + int odd = cnt&1; + while ( --cnt>=0 ) + head->byte_pixels[ii++] = getc(file); diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index b41a7dd8de..d8c9752c27 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -23,6 +23,8 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://CVE-2025-15269.patch \ file://CVE-2025-15270.patch \ file://CVE-2025-15275.patch \ + file://CVE-2025-15279-1.patch \ + file://CVE-2025-15279-2.patch \ " S = "${WORKDIR}/git"