From patchwork Fri Feb 27 15:40:29 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 82136
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E66EEFEFB61
	for <webhook@archiver.kernel.org>; Fri, 27 Feb 2026 15:40:42 +0000 (UTC)
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com
 [209.85.128.43])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.98803.1772206835297353949
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:35 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=GIhOt4xD;
 spf=pass (domain: gmail.com, ip: 209.85.128.43,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f43.google.com with SMTP id
 5b1f17b1804b1-480706554beso25891635e9.1
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772206834; x=1772811634;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=YUjObkpDxw9dLnRQvun5j6ZioLfvcexP04exBYGY/+k=;
        b=GIhOt4xDq+05OJ8qINDSANRP7nJ+X1z8vDVeq8KIvZz7ySQbKt3RmftiLoW4TXVKx6
         VX00wntP5XV86Hrz9V+knJifqkTuaVxXHIY1Gp6CEFu0vTbr0ZTiUs5lnsILcm+nL2Cx
         LUiRtS4NEetk2+eWiC84zvsqjQBaUJthsUCCWwCcI1IX+Qv675yu/l0ZzqHhaoPoyLvQ
         q8Gd7ANeNvMOFf2IqTN3iX4o7ejZv4CJk9xiX99WMxmMlcw2yKTjI5LkFDZxuUxWQZYB
         ZegZ17tMIstViKzwlZLvGnkVIGAJCQm5vQViVi2Jde168CCcnNBXhZ5C2ESGMsxlVTw0
         AelA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772206834; x=1772811634;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=YUjObkpDxw9dLnRQvun5j6ZioLfvcexP04exBYGY/+k=;
        b=sZbQG9WWNbLKZfgT76qRobWTLu8Ohd/qx/KXuVQciD2FRiuJ3ZZdYZQIoa6+0tdU+/
         9+npAIH7xKXyc8i6mAETrhLfzh3+9aONXYdaQyBXnn9qkoYFrXhKnpESNPmP1hsOdN3M
         o1aEEFWFmKdQSQnOBE/wjrTX+kPkO9naiHHMg8tgeX4luIKlw0HDFRvkJV5fQeSyQnhf
         C/aQi2AM9VySVzAHLCnw/BM/4ukYNRNyiS4Aq+zwDxX7UZb0devHpNj0tQsaAkS2PNmh
         96fb8AteCOtV18PRgk2NSkYPRjaVAX56e0ljIfTFoxzw8alY/zLsjJox5DeehENqc8qu
         8OJw==
X-Gm-Message-State: AOJu0YyK/UoGKWcAqLhH8fj9IVsO86ng3AeFrVJZq9E1HVeUOc89/+4o
	AwZD6nyPlXxYmMOZWu4Acg7Cw9KWe1CPiA/ypNdB0PdQeFY9J7xa/Hp03yKCrQ==
X-Gm-Gg: ATEYQzxJSoH9jbhRJWDe4QDzvoFsE1Av3ofvna5o1A0pFsK9wQCvT/gPEzfq13Q5Seb
	SgQMd+IhaRKo/RyWl4x8vWbmjb2Jg+QqRlk5eAB2ZmnKuVEJuZdKfX3+ZrgrZ3zhsF4QhID4eoz
	oJbgxXW5ezwt9UHVeYFARmPaMIgoBnWNC/d6G6+8nChxJ1EIMlA+8WZSc8V2iS9ky00/w656jfv
	EDEf3V3pt+8EtQ7yMhVhgZviaO2qmDa4IKAsEe/c/0BSR3GERHNtsuSS0D6ReM2rZVJsOLQJMIR
	QXdn5vppmLu2EopRE7BK8ym0nHlSHX7NHenXjCbx856sdmHRZ8l5cPALdYrRKikWSxTHnHgH9l1
	O4adXvJaZ/JUf0nvKDW9EGGxX0FZBbswxUA/wSnM2AEnUgYrLYkBwcFGDmXkHBBgWUrBSEBP9Wo
	q3uS4nkxXFVMnGM/QTA7Sq2W+1YJp6gAk=
X-Received: by 2002:a05:600c:1e2a:b0:480:4a4f:c363 with SMTP id
 5b1f17b1804b1-483c9b9e355mr48310245e9.9.1772206833533;
        Fri, 27 Feb 2026 07:40:33 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-483c3b770e7sm123409785e9.9.2026.02.27.07.40.32
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 27 Feb 2026 07:40:33 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][kirkstone][PATCH 1/4] streamripper: ignore
 CVE-2020-37065
Date: Fri, 27 Feb 2026 16:40:29 +0100
Message-ID: <20260227154032.499047-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 27 Feb 2026 15:40:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/124758

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-37065

The vulnerability is about a 3rd party Windows-only GUI frontend for
the streamripper library, and not for the CLI application that the
recipe builds. Due to this ignore this CVE.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../recipes-multimedia/streamripper/streamripper_1.64.6.bb     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb b/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb
index 6014326826..beea0c5795 100644
--- a/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb
+++ b/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb
@@ -30,3 +30,6 @@ EXTRA_OECONF += "\
 
 # the included argv library needs this
 CPPFLAGS:append = " -DANSI_PROTOTYPES"
+
+# cpe-incorrect: the vulnerability is about a Windows frontend, not the CLI
+CVE_CHECK_IGNORE = "CVE-2020-37065"

From patchwork Fri Feb 27 15:40:30 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 82138
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1695FFEFB65
	for <webhook@archiver.kernel.org>; Fri, 27 Feb 2026 15:40:43 +0000 (UTC)
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com
 [209.85.221.51])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.98806.1772206835930410412
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:36 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=ZA2UIb8G;
 spf=pass (domain: gmail.com, ip: 209.85.221.51,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f51.google.com with SMTP id
 ffacd0b85a97d-4398f8403edso1710512f8f.1
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772206834; x=1772811634;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=1NRWOrYW3xOuG0ExMSumhiiUM0rhCW80ysqtszY9yeU=;
        b=ZA2UIb8GgUSMSoM6qMKf0ejEfqhhcEE5o+un/qdzcfX57Y13XtZCC+dENhIF4DqC5q
         sFQN8L7lJsKdnnV+M0XNzXqUiuumM4917W+HzK9UNJ2MZTQUmO8tbbTvXDiARl3Cli1x
         qvSdeIDvd6hqMMjMamQ27FPKhrEcWeIkHhtNyh9GchjRg9+zTXgxoFa2k8Ck02WjS9w/
         CRKyxehPsjrqSIVuZ+NaU0sLE27OU1QJK0sYp0WqRoen/Ug8gJjXPDvMMV33WTHj1oiT
         HAn5nnfWItuM1vgpydls4rS4vIUBs35ms9/gLA03o5J8CS4ECPx7hZQv++uyhGzTX8S1
         3J8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772206834; x=1772811634;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=1NRWOrYW3xOuG0ExMSumhiiUM0rhCW80ysqtszY9yeU=;
        b=RQ97avBETg2Vwkg39BGCr+fsZF5AoE3cLUUcLMK4fGC6nV3OEarpOJGGZ8jF6IRwPX
         7GSCHu8ns7+toEj8DLRaWiuu+xGZAZRsqt6Ds702P7wN2r7EnjtHB+pacSrc2fj8FpkD
         0+X2CYvuqh8uPSFZ53DsYIh/3ZsBVFu/VUoI4v7Y62nodbHlbViPHV+woZyHcwp9AUDU
         vN2ZG38TtIffxHgtRYy0CG12kjU0I+WTZhqjuyq01BfVwQWfW7r6jMjxrQFbX5O9ERgk
         tejKxJn8zpQu5NDtwX7dH+9/WpCCj1qRPp4Qx6Vh4yqyoflC3Z/eqxQK2afXckwX6bKK
         98iA==
X-Gm-Message-State: AOJu0Yx1KyWE9v3DGs2zlOD+IL8jsjMXFsazR2oMv1XAqH+fWy4/VjKS
	WSqjS62MOMuaT4grnK3vllFtU0Rioq+c0HVCgdWbXKt34gtJAGBun/0CbTdxvg==
X-Gm-Gg: ATEYQzwWvsL2/6Ilb3NQvD1WxtxLoZpco9Xpm3bQnpc07dFITRR0ZSOH6cuMqBWZ1id
	CIvxEsbax4fQzlln2iV894qi1138bgFzuBzAWKKeX+ivI0k3gReV36UxHWrNdcvgaW68KywDahs
	aS3b3igQ7Al4yGfppFnFpsLTAYmMK1kzSGDF/cZY39gPhxqAoVTT1nP5ZT9d1EXgCxH2GorI6pB
	o0H7UaXR+muO8TBIK1T4no7WGDWxnKZRNFpK+SivvQ3tOcRtsFw+viLuVz6phDrAZLQRCniaEXb
	2O8RRHVc4zs03IQBB5OzjX7P+zOYeoDKXU/zEFQ8c11EY09MLG0q4L6fowZsJ7yM3v0x2dQSkYS
	F1HwZ+UEn2sPj1Wijqqe7V669l2u4JZ2t3bOJVcNfJyUP1r0XW+8sORu6oPRQZJoLmzRJB5TZnt
	xWKkpPZAYb/TnhUUAdHrDa
X-Received: by 2002:a05:600c:458b:b0:483:6d4a:7e6d with SMTP id
 5b1f17b1804b1-483c9bdb6a8mr51131825e9.30.1772206834130;
        Fri, 27 Feb 2026 07:40:34 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-483c3b770e7sm123409785e9.9.2026.02.27.07.40.33
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 27 Feb 2026 07:40:33 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][kirkstone][PATCH 2/4] gnome-shell: ignore CVE-2021-3982
Date: Fri, 27 Feb 2026 16:40:30 +0100
Message-ID: <20260227154032.499047-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260227154032.499047-1-skandigraun@gmail.com>
References: <20260227154032.499047-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 27 Feb 2026 15:40:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/124759

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3982

The vulnerability is about a privilege escalation, in case
the host distribution sets CAP_SYS_NICE capability on the
gnome-shell binary.

OE distros don't do that, and due to this this recipe is not
affected by this issue. The CVE is ignored.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-gnome/recipes-gnome/gnome-shell/gnome-shell_42.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_42.9.bb b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_42.9.bb
index 4157cdb67d..ea08e87f89 100644
--- a/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_42.9.bb
+++ b/meta-gnome/recipes-gnome/gnome-shell/gnome-shell_42.9.bb
@@ -70,3 +70,5 @@ PACKAGES =+ "${PN}-tools ${PN}-gsettings"
 FILES:${PN}-tools = "${bindir}/*-tool"
 RDEPENDS:${PN}-tools = "python3-core"
 
+# not-applicable-config: OE doesn't set CAP_SYS_NICE capability
+CVE_CHECK_IGNORE = "CVE-2021-3982"

From patchwork Fri Feb 27 15:40:31 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 82137
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E66B2FEFB60
	for <webhook@archiver.kernel.org>; Fri, 27 Feb 2026 15:40:42 +0000 (UTC)
Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com
 [209.85.128.50])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.99025.1772206836771645567
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:37 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=C7gIMw33;
 spf=pass (domain: gmail.com, ip: 209.85.128.50,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f50.google.com with SMTP id
 5b1f17b1804b1-4836e3288cdso14808485e9.0
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772206835; x=1772811635;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=8/oFwiEkLIGfyKoXofGJcTPrdur0SpBzw7zKEr6d4uE=;
        b=C7gIMw33bdu4EpCUqQmzDILSrLArSlNaYjTebcLdtwVwcdTd9nl0YywKlOO1B0/wp5
         WUQiiyDtr3qf5zPAnwVwsrVhHAm6qhpS2XftSFWV5C6rBk6jww9T5lzHVVdHe4Ni0fTk
         kzZDP0LukrZeclRWDxVgVCuORjI5jpYt0f2bpedXskfSfDhbBec93mJkjO7mtw0KY2nY
         JTPkVrSFCoMapAKwjxc/SOqTkkfDo0q8Z9WEL6Eoqo+gveI3fAFNuBp24+FKZcJsaMKp
         zueZbxOjtHXV21psSu2Sd+aGVHZWrC7JQh9TQe1ikDMx5biE7awOa61n5fJ11uC+iXz/
         IaWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772206835; x=1772811635;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=8/oFwiEkLIGfyKoXofGJcTPrdur0SpBzw7zKEr6d4uE=;
        b=OM69GnO5lLob0Skgk4ZbkdkzNT1E3u/zshW9wvGzFI39J8ryIrgek6xsLZpWpE4sSd
         xJEj3L1ny5sQEGU/3+zCt4gW7o4ErrrX8RUNTwi+XJsXDb8MJnATSRC+OKqugObeshMQ
         LWNsNOmzOUJQp7mAzw9PyMlWajfVU6rz0l4x1wb4jSNMKTgesJH2kH+khxXm887es45K
         iEWdzaGX3bWZ8NUChacg95LsKX7+m+iFnEnxwiZIwuRdTpdK/kBJh3P0mpINZqp6DWQK
         REZybXCezrIbyT1scrwpauqwY9QUNFqVc4tIXlIo+CQz5V7+X5jwUbw5ZdbCEoZhcpbE
         YRiw==
X-Gm-Message-State: AOJu0YyLjy+vGXf5hHIsbVKEMHuUtB8Ia2/52Y5aTF1VcLcP9TKLbZil
	h5NGo1tvz+3Lr3t5qO0xFuFHR4fNul0PDTEETkHzCQvMT1onu34ei4bQmkzPYw==
X-Gm-Gg: ATEYQzwQHHUiGQvcwDwc5cRzjUekQoR+FdofptHr8awiBUUAeBXw4X1OVBCGe8u610h
	QT4ZcrqOULzmhCPLvpODvuZt+/AuQR7K4ziR5Z1RbG4KhILFBVE8dPr+p7zpvqG0FJHwOneQs7n
	+5RtH9ixxdTQF/ig71dtqErClYRZoWMT8zEL4pax4zDC/13shsvicz6I3URyuKR4AlA47wrBw7O
	nujttZGJSslo4jsmvX7Nh9lNbQjE+8G0hrbkFepmHNqRyjHiKdYUWRaz+KyzKd8TevuO/7Qfyuo
	RmDrAxayZXYmrE+zJqYprFD1ckx7WNN4DjBUJfl/+Bqb7Nzf9KMj9AHlLv1vlz4MJP48ZwvdhGN
	Ok+e2GPzdHZYJyEAo9roHZ9knYM8n8CRoyEscAY4nvJLOylrHWHeOSXjFtetqF0At4Kg3hyUthA
	XquqoB4/3E1wW4YUa6C1eP
X-Received: by 2002:a05:600c:8509:b0:483:6d9e:e4f5 with SMTP id
 5b1f17b1804b1-483c990bddfmr54165265e9.5.1772206835044;
        Fri, 27 Feb 2026 07:40:35 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-483c3b770e7sm123409785e9.9.2026.02.27.07.40.34
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 27 Feb 2026 07:40:34 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 3/4] dovecot: patch CVE-2021-29157
Date: Fri, 27 Feb 2026 16:40:31 +0100
Message-ID: <20260227154032.499047-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260227154032.499047-1-skandigraun@gmail.com>
References: <20260227154032.499047-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 27 Feb 2026 15:40:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/124760

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29157

Backport the patch that it used by Debian[1] to fix this CVE.

[1]: https://sources.debian.org/src/dovecot/1%3A2.3.13%2Bdfsg1-2%2Bdeb11u1/debian/patches
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../dovecot/dovecot/CVE-2021-29157.patch      | 152 ++++++++++++++++++
 .../recipes-support/dovecot/dovecot_2.3.14.bb |   1 +
 2 files changed, 153 insertions(+)
 create mode 100644 meta-networking/recipes-support/dovecot/dovecot/CVE-2021-29157.patch

diff --git a/meta-networking/recipes-support/dovecot/dovecot/CVE-2021-29157.patch b/meta-networking/recipes-support/dovecot/dovecot/CVE-2021-29157.patch
new file mode 100644
index 0000000000..cb0cba6f98
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/CVE-2021-29157.patch
@@ -0,0 +1,152 @@
+From 1ee6540ef6ffa8cefade0161f4dcd47d82a1d10b Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Fri, 27 Feb 2026 16:10:35 +0100
+Subject: [PATCH] Fix CVE-2021-29157
+
+CVE: CVE-2021-29157
+Upstream-Status: Backport [the patch was taken from Debian: https://sources.debian.org/src/dovecot/1%3A2.3.13%2Bdfsg1-2%2Bdeb11u1/debian/patches/CVE-2021-29157.patch]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/lib-dict-extra/dict-fs.c     | 29 ++++++++++++++++
+ src/lib-oauth2/oauth2-jwt.c      | 58 ++++++++++++++++++--------------
+ src/lib-oauth2/test-oauth2-jwt.c |  2 +-
+ 3 files changed, 62 insertions(+), 27 deletions(-)
+
+diff --git a/src/lib-dict-extra/dict-fs.c b/src/lib-dict-extra/dict-fs.c
+index 31af578..f39c86c 100644
+--- a/src/lib-dict-extra/dict-fs.c
++++ b/src/lib-dict-extra/dict-fs.c
+@@ -68,8 +68,37 @@ static void fs_dict_deinit(struct dict *_dict)
+ 	i_free(dict);
+ }
+ 
++/* Remove unsafe paths */
++static const char *fs_dict_escape_key(const char *key)
++{
++	const char *ptr;
++	string_t *new_key = NULL;
++	/* we take the slow path always if we see potential
++	   need for escaping */
++	while ((ptr = strstr(key, "/.")) != NULL) {
++		/* move to the first dot */
++		const char *ptr2 = ptr + 1;
++		/* find position of non-dot */
++		while (*ptr2 == '.') ptr2++;
++		if (new_key == NULL)
++			new_key = t_str_new(strlen(key));
++		str_append_data(new_key, key, ptr - key);
++		/* if ptr2 is / or end of string, escape */
++		if (*ptr2 == '/' || *ptr2 == '\0')
++			str_append(new_key, "/...");
++		else
++			str_append(new_key, "/.");
++		key = ptr + 2;
++	}
++	if (new_key == NULL)
++		return key;
++	str_append(new_key, key);
++	return str_c(new_key);
++}
++
+ static const char *fs_dict_get_full_key(struct fs_dict *dict, const char *key)
+ {
++	key = fs_dict_escape_key(key);
+ 	if (str_begins(key, DICT_PATH_SHARED))
+ 		return key + strlen(DICT_PATH_SHARED);
+ 	else if (str_begins(key, DICT_PATH_PRIVATE)) {
+diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
+index 83b241c..8e43cf9 100644
+--- a/src/lib-oauth2/oauth2-jwt.c
++++ b/src/lib-oauth2/oauth2-jwt.c
+@@ -277,6 +277,34 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields, struct json_tree *tree)
+ 	}
+ }
+ 
++/* Escapes '/' and '%' in identifier to %hex */
++static const char *escape_identifier(const char *identifier)
++{
++	size_t pos = strcspn(identifier, "/%");
++	/* nothing to escape */
++	if (identifier[pos] == '\0')
++		return identifier;
++
++	size_t len = strlen(identifier);
++	string_t *new_id = t_str_new(len);
++	str_append_data(new_id, identifier, pos);
++
++	for (size_t i = pos; i < len; i++) {
++		switch (identifier[i]) {
++		case '/':
++			str_append(new_id, "%2f");
++			break;
++		case '%':
++			str_append(new_id, "%25");
++			break;
++		default:
++			str_append_c(new_id, identifier[i]);
++			break;
++		}
++	}
++	return str_c(new_id);
++}
++
+ static int
+ oauth2_jwt_header_process(struct json_tree *tree, const char **alg_r,
+ 			  const char **kid_r, const char **error_r)
+@@ -377,6 +405,8 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
+ 	const char *azp = get_field(tree, "azp");
+ 	if (azp == NULL)
+ 		azp = "default";
++	else
++		azp = escape_identifier(azp);
+ 
+ 	if (oauth2_validate_signature(set, azp, alg, kid, blobs, error_r) < 0)
+ 		return -1;
+@@ -429,32 +459,8 @@ int oauth2_try_parse_jwt(const struct oauth2_settings *set,
+ 	else if (*kid == '\0') {
+ 		*error_r = "'kid' field is empty";
+ 		return -1;
+-	}
+-
+-	size_t pos = strcspn(kid, "./%");
+-	if (pos < strlen(kid)) {
+-		/* sanitize kid, cannot allow dots or / in it, so we encode them
+-		 */
+-		string_t *new_kid = t_str_new(strlen(kid));
+-		/* put initial data */
+-		str_append_data(new_kid, kid, pos);
+-		for (const char *c = kid+pos; *c != '\0'; c++) {
+-			switch (*c) {
+-			case '.':
+-				str_append(new_kid, "%2e");
+-				break;
+-			case '/':
+-				str_append(new_kid, "%2f");
+-				break;
+-			case '%':
+-				str_append(new_kid, "%25");
+-				break;
+-			default:
+-				str_append_c(new_kid, *c);
+-				break;
+-			}
+-		}
+-		kid = str_c(new_kid);
++	} else {
++		kid = escape_identifier(kid);
+ 	}
+ 
+ 	/* parse body */
+diff --git a/src/lib-oauth2/test-oauth2-jwt.c b/src/lib-oauth2/test-oauth2-jwt.c
+index 4cfba64..1706a96 100644
+--- a/src/lib-oauth2/test-oauth2-jwt.c
++++ b/src/lib-oauth2/test-oauth2-jwt.c
+@@ -577,7 +577,7 @@ static void test_jwt_kid_escape(void)
+ 	 random_fill(ptr, 32);
+ 	 buffer_t *b64_key = t_base64_encode(0, SIZE_MAX,
+ 					     secret->data, secret->used);
+-	 save_key_to("HS256", "hello%2eworld%2f%25", str_c(b64_key));
++	 save_key_to("HS256", "hello.world%2f%25", str_c(b64_key));
+ 	/* make a token */
+ 	buffer_t *tokenbuf = create_jwt_token_kid("HS256", "hello.world/%");
+ 	/* sign it */
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
index c1fa702eaa..14303b4c08 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.3.14.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://dovecot.org/releases/2.3/dovecot-${PV}.tar.gz \
            file://0001-m4-Check-for-libunwind-instead-of-libunwind-generic.patch \
            file://0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch \
            file://0001-lib-smtp-smtp-server-connection-Fix-STARTTLS-command.patch \
+           file://CVE-2021-29157.patch \
            "
 
 SRC_URI[md5sum] = "2f03532cec3280ae45a101a7a55ccef5"

From patchwork Fri Feb 27 15:40:32 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 82139
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0206FFEFB62
	for <webhook@archiver.kernel.org>; Fri, 27 Feb 2026 15:40:43 +0000 (UTC)
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com
 [209.85.128.47])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.99026.1772206837464677438
 for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:37 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=fnhpnyjz;
 spf=pass (domain: gmail.com, ip: 209.85.128.47,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f47.google.com with SMTP id
 5b1f17b1804b1-48374014a77so25252525e9.3
        for <openembedded-devel@lists.openembedded.org>;
 Fri, 27 Feb 2026 07:40:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772206836; x=1772811636;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=z/mpB0gIKUty+U0/hfafnNtVw7K2aTalh0Fx2hA4ois=;
        b=fnhpnyjzGBci5rvLBQa7z9BLpU2RnpY1OAuAGbenLUccc3hnmgnPLyPoDxQXZSVtoq
         DspyufxJPBUotrYIuV9MfbESfD4YZozRzFslYd/R/a7WI/QwjGOd3lvvQvh6gDn7uBd4
         i+tOCOXR2RSYBfUYRQ+wUkFr45a/7xxxxK/FMDZoMxbXD35mJ7oBID1MSsfAesptzGIk
         uH8M50jKdnh+X6sclAm/vqkV70wA192FtSd7NjxbSjaTUgEAyQsej3w7Il4KrTPDZyyJ
         XXg57slRbnXcZxCHPKmGLPAsvFkEDvchiHbOsTctj/8uvBpfhaa64c26Tk7o8bD7QqQk
         ZvYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772206836; x=1772811636;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=z/mpB0gIKUty+U0/hfafnNtVw7K2aTalh0Fx2hA4ois=;
        b=czxEGC+4qC+0B8bzrPzWjon9NA+UI95t9cR7gWHgD0Bw+1ddej0oqq2VPFq1SFzrjf
         wIwEU1VnD/KvTkcf50PqfPIRA5ssWNyRlazDcGQeMUVvD/eljZjl15PhirwMMtQxU7SO
         lD6M+espKyoqQhQf6txuD37WFWq4E37WwY/YKw52saiRPs+8op6QuMZkOk9jcEbAPvbv
         cHx7YapGfRxISvx1iJvFX4tmvzvRDOFmymojbRyHjQ3zmpBHFHxDt9loY6HszX69c0Xb
         AwkYj2brB3hzm/s5/ckPfpBp+m+mHXhfgYspwtGZK2YF8vaZj2XovBpsk990T11YKJpM
         0roA==
X-Gm-Message-State: AOJu0YxeU9ggw5A1v6TLFkobPgDSxyJCRuc/UyEs1gU6uMv/J5YSHTbp
	xlHS/veUpjLJYsm+VvrTghqRRIkN6h07CEQWUsia5Ad/c4GrOK5O3fOTazTUBQ==
X-Gm-Gg: ATEYQzy+5zsyDJptXC3vB+mzev6U6Sy0bD6VCGn9qQo7XSTFk499TlpvNfaVh7n1zXg
	UFs11YFEI4Xr6JB6jL2yTBLmxfWnKT8gYJpf94/ZWhmQlt2f5CkertKVkkftdKZS+AEKPUr9WsL
	omWWO4yfP21jQcmSEFKZ13i4UlBCCRzcJIzIf18euQgm1XLNc4GDftmphUgJJTTgTPfHy6DTOA5
	O9xl2ZH+4ZhLBQrZxhtYntQ64J+jxMN2L0gSKq7txw58mmiRWV8tPx6SceCOM1SDQ8jkZ6py14l
	bznAG8oPM3kKtoBoXcrSMDpcg8z8TTNzb/LOCpY7/hhLiwhx/ncfcxYkoipPY8L4JLllTrZtLNX
	BvQW8zoojcfhscNr4MnJdWoPTSL79CGNr3qamSZhd+nrthJTwmqwD7FBGP73FYExN39fynOLjgn
	EODE21lQTO6DuRFeSAOXrF
X-Received: by 2002:a05:600c:c490:b0:477:63b5:7148 with SMTP id
 5b1f17b1804b1-483c9bb65ffmr45057245e9.6.1772206835652;
        Fri, 27 Feb 2026 07:40:35 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-483c3b770e7sm123409785e9.9.2026.02.27.07.40.35
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 27 Feb 2026 07:40:35 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 4/4] emacs: patch CVE-2022-48337
Date: Fri, 27 Feb 2026 16:40:32 +0100
Message-ID: <20260227154032.499047-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260227154032.499047-1-skandigraun@gmail.com>
References: <20260227154032.499047-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Fri, 27 Feb 2026 15:40:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/124761

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-48337

Backport the patch that is referenced by he NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-support/emacs/emacs_27.2.bb   |   1 +
 .../emacs/files/CVE-2022-48337.patch          | 108 ++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch

diff --git a/meta-oe/recipes-support/emacs/emacs_27.2.bb b/meta-oe/recipes-support/emacs/emacs_27.2.bb
index 4a7e7aba5c..c17059b15d 100644
--- a/meta-oe/recipes-support/emacs/emacs_27.2.bb
+++ b/meta-oe/recipes-support/emacs/emacs_27.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464"
 
 SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \
            file://emacs-glibc-2.34.patch \
+           file://CVE-2022-48337.patch \
           "
 SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
 
diff --git a/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch b/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch
new file mode 100644
index 0000000000..351ffc4338
--- /dev/null
+++ b/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch
@@ -0,0 +1,108 @@
+From a10958677d359e016a4e857a9cd7c98258061f5f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+From: lu4nx <lx@shellcodes.org>
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+
+CVE: CVE-2022-48337
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index bb92f2b..7cecfe2 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -397,6 +397,7 @@ static void pfnote (char *, bool, char *, ptrdiff_t, intmax_t, intmax_t);
+ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+ 
++static char *escape_shell_arg_string (char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1635,13 +1636,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -1685,6 +1689,55 @@ process_file_name (char *file, language *lang)
+   return;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ process_file (FILE *fh, char *fn, language *lang)
+ {