From patchwork Thu Mar 5 08:54:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82528
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 01/12] python3-pip: Backport fix CVE-2026-1703 Date: Thu, 5 Mar 2026 09:54:50 +0100 Message-ID: <6fed4496c22058b0cce06e18eab67457a7873b10.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:55:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232453 From: Adarsh Jagadish Kamini Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 Signed-off-by: Adarsh Jagadish Kamini Signed-off-by: Yoann Congal --- .../python/python3-pip/CVE-2026-1703.patch | 41 +++++++++++++++++++ .../python/python3-pip_25.2.bb | 4 +- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 00000000000..826f483ea21 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch 
@@ -0,0 +1,41 @@ +From abce61e230c47598ce836157d075608595216a4c Mon Sep 17 00:00:00 2001 +From: Damian Shaw +Date: Fri, 30 Jan 2026 16:27:57 -0500 +Subject: [PATCH v4] Merge pull request #13777 from sethmlarson/commonpath + +Use os.path.commonpath() instead of commonprefix() + +CVE: CVE-2026-1703 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] + +Signed-off-by: Adarsh Jagadish Kamini +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 000000000..edb1b320c +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 0ad3129ac..7cb3de3c4 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb index 350092d9ad0..496eff1f15d 100644 --- a/meta/recipes-devtools/python/python3-pip_25.2.bb +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb 
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \ + " SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
From patchwork Thu Mar 5 08:54:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82530
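
Review bot: in the `is_within_directory` hunk of CVE-2026-1703.patch, `os.path.commonpath()` raises `ValueError` in cases where `commonprefix()` simply returned a string, for example when the two absolute paths are on different Windows drives, so the check can now throw instead of returning False. Both arguments go through `os.path.abspath()` first, which rules out the mixed absolute/relative case, and the different-drive case cannot occur on the Linux hosts and targets this recipe serves, so the backport is fine as it stands; upstream callers should treat the exception as "not within the directory". The comparison also stays lexical, since `abspath()` does not resolve symlinks.
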
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 02/12] wireless-regdb: upgrade 2025.10.07 -> 2026.02.04 Date: Thu, 5 Mar 2026 09:54:51 +0100 Message-ID: <6560f78f56a50581cc769c12d29f1795c9dc39cc.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:55:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232454 From: Ankur Tyagi Signed-off-by: Ankur Tyagi Signed-off-by: Yoann Congal --- ...ireless-regdb_2025.10.07.bb => wireless-regdb_2026.02.04.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2025.10.07.bb => wireless-regdb_2026.02.04.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb index 68ae3b0464c..2f7c8160434 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb 
@@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "d4c872a44154604c869f5851f7d21d818d492835d370af7f58de8847973801c3" +SRC_URI[sha256sum] = "0ff48a5cd9e9cfe8e815a24e023734919e9a3b7ad2f039243ad121cf5aabf6c6" inherit bin_package allarch
From patchwork Thu Mar 5 08:54:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82531
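
Review bot: the commit message for the wireless-regdb upgrade has no body, only Signed-off-by lines, and the single hunk changes nothing but `SRC_URI[sha256sum]`. For a stable-branch version bump, add a line saying what 2026.02.04 brings over 2025.10.07 and why it qualifies for whinlatter, so the new checksum can be reviewed against a stated upstream release.
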
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 03/12] gdk-pixbuf: Fix CVE-2025-6199 Date: Thu, 5 Mar 2026 09:54:52 +0100 Message-ID: <7dd07c908c00be28866690e32c2e6c37b3136c27.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:55:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232455 From: Shaik Moin Backport the fix for CVE-2025-6199 Add below patch to fix CVE-2025-6199.patch Reference: In Ubuntu and debian, fixed patch is given -> [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32] Signed-off-by: Shaik Moin [YC: Link to Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-6199 ] Signed-off-by: Yoann Congal --- .../gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch | 36 +++++++++++++++++++ .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch new file mode 100644 index 00000000000..1952e3ceaf5 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch 
@@ -0,0 +1,36 @@ +From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001 +From: lumi +Date: Sat, 7 Jun 2025 22:27:06 +0200 +Subject: [PATCH] lzw: Fix reporting of bytes written in decoder + +When the LZW decoder encounters an invalid code, it stops +processing the image and returns the whole buffer size. +It should return the amount of bytes written, instead. + +Fixes #257 + +CVE: CVE-2025-6199 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32] + +Signed-off-by: Shaik Moin +--- + gdk-pixbuf/lzw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c +index 15293560b..4f3dd8beb 100644 +--- a/gdk-pixbuf/lzw.c ++++ b/gdk-pixbuf/lzw.c +@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self, + /* Invalid code received - just stop here */ + if (self->code >= self->code_table_size) { + self->last_code = self->eoi_code; +- return output_length; ++ return n_written; + } + + /* Convert codeword into indexes */ +-- +2.34.1 + diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index 98993cc07d7..f22dc2cd915 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
@@ -22,6 +22,7 @@ SRC_URI += "\ file://run-ptest \ file://fatal-loader.patch \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ + file://CVE-2025-6199.patch \ " GIR_MESON_OPTION = 'introspection'
From patchwork Thu Mar 5 08:54:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82532
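
Review bot: in the `lzw_decoder_feed` hunk of CVE-2025-6199.patch, the invalid-code branch is the only return site the backport touches, and the visible context does not show the function's other exits. It is worth confirming against the upstream file that every path out of the decoder reports `n_written` rather than `output_length`, since a caller that trusts the return value will treat the unwritten tail of the output buffer as decoded data. The outer commit message ("Add below patch to fix CVE-2025-6199.patch") would also be more useful if it stated that consequence.
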
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 04/12] linux-yocto: apply cve-exclusions also to rt and tiny recipe variants Date: Thu, 5 Mar 2026 09:54:53 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:55:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232456 From: Peter Marko Version is the same as base kernel, only configuration differs. There is no reason to not apply the exclusions to all variants. This commit is equivalent of master commit 77fb0331ecc0cb9eff6a711c2a7889f2f6bdda92 Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb | 1 + meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb | 1 + meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb | 1 + meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb | 1 + 4 files changed, 4 insertions(+) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb index e720629b14d..5816902a7ff 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb @@ -3,6 +3,7 @@ KBRANCH ?= "v6.12/standard/preempt-rt/base" require recipes-kernel/linux/linux-yocto.inc # CVE exclusions +include recipes-kernel/linux/cve-exclusion.inc include recipes-kernel/linux/cve-exclusion_6.12.inc # Skip processing of this recipe if it is not explicitly specified as the diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb index d1f7e76501d..2b54315670b 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb 
@@ -3,6 +3,7 @@ KBRANCH ?= "v6.16/standard/preempt-rt/base" require recipes-kernel/linux/linux-yocto.inc # CVE exclusions +include recipes-kernel/linux/cve-exclusion.inc include recipes-kernel/linux/cve-exclusion_6.16.inc # Skip processing of this recipe if it is not explicitly specified as the diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb index 164557eaa0a..5828ff986bd 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb @@ -6,6 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc # CVE exclusions +include recipes-kernel/linux/cve-exclusion.inc include recipes-kernel/linux/cve-exclusion_6.12.inc LINUX_VERSION ?= "6.12.69" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb index ef904adad48..92c26d42e3d 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb 
@@ -6,6 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc # CVE exclusions +include recipes-kernel/linux/cve-exclusion.inc include recipes-kernel/linux/cve-exclusion_6.16.inc LINUX_VERSION ?= "6.16.11"
From patchwork Thu Mar 5 08:54:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82535
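
Review bot: all four linux-yocto hunks pull in cve-exclusion.inc with `include`, which BitBake skips silently when the file cannot be found, so a moved or renamed file would drop every exclusion from the rt and tiny kernels without a parse error. `require recipes-kernel/linux/cve-exclusion.inc` would fail loudly instead, although `include` does match the existing `include recipes-kernel/linux/cve-exclusion_6.12.inc` and `cve-exclusion_6.16.inc` lines beside it. The ordering is right: the generic file is parsed first, so a `CVE_STATUS` entry in the version-specific file takes precedence when both set the same CVE.
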
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 05/12] cve-exclusions: set status for 5 CVEs Date: Thu, 5 Mar 2026 09:54:54 +0100 Message-ID: <896237f72aa5c5b46023fcb39de64935da11dfda.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:56:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232457 From: Peter Marko Reuse work of Debian researchers and set status for fixed CVEs accordingly. These are not tracked by kernel itself, so generated exclusions won't help here. * https://security-tracker.debian.org/tracker/CVE-2022-38096 * https://security-tracker.debian.org/tracker/CVE-2023-39176 * https://security-tracker.debian.org/tracker/CVE-2023-39179 * https://security-tracker.debian.org/tracker/CVE-2023-39180 * https://security-tracker.debian.org/tracker/CVE-2023-6535 Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (From OE-Core rev: 699dbbdf3ab2693bae8a7e0425e2519250fdfec4) Signed-off-by: Peter Marko Signed-off-by: Yoann Congal --- meta/recipes-kernel/linux/cve-exclusion.inc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc index 80c76433ef2..7d68a9bbaac 100644 --- a/meta/recipes-kernel/linux/cve-exclusion.inc +++ b/meta/recipes-kernel/linux/cve-exclusion.inc 
@@ -157,3 +157,19 @@ CVE_STATUS[CVE-2023-7042] = "fixed-version: Fixed from 6.9rc1" #Fix https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a CVE_STATUS[CVE-2024-0193] = "fixed-version: Fixed from 6.7" + +# Fix https://git.kernel.org/linus/517621b7060096e48e42f545fa6646fc00252eac +CVE_STATUS[CVE-2022-38096] = "fixed-version: Fixed from 6.9" + +# Fix https://git.kernel.org/linus/5aa4fda5aa9c2a5a7bac67b4a12b089ab81fee3c +# Fix https://git.kernel.org/linus/79ed288cef201f1f212dfb934bcaac75572fb8f6 +CVE_STATUS[CVE-2023-39176] = "fixed-version: Fixed from 6.5" + +# Fix https://git.kernel.org/linus/e202a1e8634b186da38cbbff85382ea2b9e297cf +CVE_STATUS[CVE-2023-39179] = "fixed-version: Fixed from 6.5" +CVE_STATUS[CVE-2023-39180] = "fixed-version: Fixed from 6.5" + +# Fix https://git.kernel.org/linus/efa56305908ba20de2104f1b8508c6a7401833be +# Fix https://git.kernel.org/linus/0849a5441358cef02586fb2d60f707c0db195628 +# Fix https://git.kernel.org/linus/9a1abc24850eb759e36a2f8869161c3b7254c904 +CVE_STATUS[CVE-2023-6535] = "fixed-version: Fixed from 6.8" From patchwork Thu Mar 5 08:54:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82536 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC5CAEEF338 for ; Thu, 5 Mar 2026 08:56:01 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.39958.1772700952339249190 for ; Thu, 05 Mar 2026 00:55:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=GK0WVN3b; spf=pass (domain: smile.fr, ip: 209.85.128.52, mailfrom: 
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 06/12] ffmpeg: set status for CVE-2025-12343 Date: Thu, 5 Mar 2026 09:54:55 +0100 Message-ID: <66bfcd43078d5ac3dc46e1a6a544eb2095b2c8e1.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:56:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232458 From: Peter Marko Per [1] is patch for this CVE [2]. This is equivalent of [3] which is included in n8.0. [1] https://security-tracker.debian.org/tracker/CVE-2025-12343 [2] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e [3] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/263e819aa45cd3c48bf6887be02b4ec504c02048 Signed-off-by: Peter Marko [YC: commit 8536c8b9e9093ac2d7d82c49e61e1c1cded5d1e0 upstream] Signed-off-by: Yoann Congal --- meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb index 1e59bfa33fe..0970575b3ca 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_8.0.bb 
@@ -177,3 +177,4 @@ CVE_STATUS_WRONG_CPE[status] = "fixed-version: these CVEs are fixed in used vers CVE_STATUS[CVE-2025-25468] = "fixed-version: these CVEs are fixed since v8.0" CVE_STATUS[CVE-2025-25469] = "fixed-version: these CVEs are fixed since v8.0" +CVE_STATUS[CVE-2025-12343] = "fixed-version: this CVE are fixed since v8.0"
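Review bot: The status text on the added CVE-2025-12343 line reads "this CVE are fixed since v8.0"; make it "this CVE is fixed since v8.0", or reuse the exact wording of the two entries above so the three lines stay uniform. The evidence for the status (commit [3] being part of n8.0) is only in the commit message; a one-line comment above the entry pointing at that commit would let the next reviewer verify the status from the recipe alone.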
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 07/12] zlib: Fix CVE-2026-27171 Date: Thu, 5 Mar 2026 09:54:56 +0100 Message-ID: <56fa706a39e837f5c4b9e782f215fa98ea23df12.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:56:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232459 From: Hugo SIMELIERE Pick patch from [1] also mentioned in [2] [1] https://github.com/madler/zlib/issues/904 [2] https://security-tracker.debian.org/tracker/CVE-2026-27171 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Yoann Congal --- .../zlib/zlib/CVE-2026-27171.patch | 63 +++++++++++++++++++ meta/recipes-core/zlib/zlib_1.3.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch new file mode 100644 index 00000000000..e6a8a3eac5f --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch 
@@ -0,0 +1,63 @@ +From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 21 Dec 2025 18:17:56 -0800 +Subject: [PATCH] Check for negative lengths in crc32_combine functions. + +Though zlib.h says that len2 must be non-negative, this avoids the +possibility of an accidental infinite loop. + +Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77] +CVE: CVE-2026-27171 + +Signed-off-by: Hugo SIMELIERE +--- + crc32.c | 4 ++++ + zlib.h | 4 ++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 6c38f5c..33d8c79 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf, + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) { + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +diff --git a/zlib.h b/zlib.h +index 8d4b932..8c7f8ac 100644 +--- a/zlib.h ++++ b/zlib.h +@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2); + seq1 and seq2 with lengths len1 and len2, CRC-32 check values were + calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32 + check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and +- len2. len2 must be non-negative. ++ len2. len2 must be non-negative, otherwise zero is returned. 
+ */ + + /* + ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2); + + Return the operator corresponding to length len2, to be used with +- crc32_combine_op(). len2 must be non-negative. ++ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned. + */ + + ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op); +-- +2.43.0 + diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb index ef831421216..892467a1fbd 100644 --- a/meta/recipes-core/zlib/zlib_1.3.1.bb +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb 
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6 SRC_URI = "https://zlib.net/${BP}.tar.gz \ file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \ file://run-ptest \ + file://CVE-2026-27171.patch \ " UPSTREAM_CHECK_URI = "http://zlib.net/"
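Review bot: In the crc32.c part of CVE-2026-27171.patch the "if (len2 < 0) return 0;" guard is added to crc32_combine64() and crc32_combine_gen64() only, while the zlib.h hunk documents "otherwise zero is returned" for crc32_combine() and crc32_combine_gen(). The bodies of those two z_off_t functions are not in the hunk, so please confirm that in 1.3.1 they pass len2 through to the 64-bit variants; if they do not, the documented behaviour and the protection against the infinite loop are missing on those entry points. Also worth a line in the commit message: 0 is a valid CRC-32 value, so a caller cannot tell a rejected negative length from a real result and still has to validate len2 itself.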
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 08/12] harfbuzz: Fix CVE-2026-22693 Date: Thu, 5 Mar 2026 09:54:57 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:56:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232460 From: Hugo SIMELIERE Pick patch mentioned in NVD report [1] [1] https://nvd.nist.gov/vuln/detail/CVE-2026-22693 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Yoann Congal --- .../harfbuzz/files/CVE-2026-22693.patch | 33 +++++++++++++++++++ .../harfbuzz/harfbuzz_11.4.5.bb | 4 ++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch diff --git a/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch new file mode 100644 index 00000000000..bf821bb63ae --- /dev/null +++ b/meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch 
@@ -0,0 +1,33 @@ +From 21c880d1154a5bcef2ef68c1687d286820a274ee Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod +Date: Fri, 9 Jan 2026 04:54:42 -0700 +Subject: [PATCH] [cmap] malloc fail test (#5710) + +Fixes https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww + +Upstream-Status: Backport [https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae] +CVE: CVE-2026-22693 + +Signed-off-by: Hugo SIMELIERE +--- + src/hb-ot-cmap-table.hh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh +index 294b2b60d..95a436b54 100644 +--- a/src/hb-ot-cmap-table.hh ++++ b/src/hb-ot-cmap-table.hh +@@ -1679,6 +1679,10 @@ struct SubtableUnicodesCache { + { + SubtableUnicodesCache* cache = + (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache)); ++ ++ if (unlikely (!cache)) ++ return nullptr; ++ + new (cache) SubtableUnicodesCache (source_table); + return cache; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_11.4.5.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_11.4.5.bb index 9e0e42b7174..2364dd7efdc 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz_11.4.5.bb +++ b/meta/recipes-graphics/harfbuzz/harfbuzz_11.4.5.bb 
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b98429b8e8e3c2a67cfef01e99e4893d \ file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc \ " -SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz" +SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz \ + file://CVE-2026-22693.patch \ + " SRC_URI[sha256sum] = "0f052eb4ab01d8bae98ba971c954becb32be57d7250f18af343b1d27892e03fa" DEPENDS += "glib-2.0-native"
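Review bot: In the hb-ot-cmap-table.hh hunk of CVE-2026-22693.patch, the added "if (unlikely (!cache)) return nullptr;" keeps the placement new off a failed hb_malloc(), but it also makes nullptr a possible return value of this function, and the hunk shows none of its callers. Please confirm that every caller in 11.4.5 checks the result before using it; if one does not, the null dereference only moves one frame up and the CVE is not closed by this backport alone.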
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 09/12] gnutls: Fix CVE-2025-14831 Date: Thu, 5 Mar 2026 09:54:58 +0100 Message-ID: <12ed5b743db6658fb2b6784c82d8ddc9e46fdaec.1772700454.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Mar 2026 08:56:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232463 From: Vijay Anusuri Picked commits which mentions this CVE per [1]. [1] https://ubuntu.com/security/CVE-2025-14831 [2] https://security-tracker.debian.org/tracker/CVE-2025-14831 [3] https://gitlab.com/gnutls/gnutls/-/issues/1773 Backported https://gitlab.com/gnutls/gnutls/-/commit/6e118a4dfe820ce62fc77130b89188bcd8fbcaad to apply patches cleanly. Signed-off-by: Vijay Anusuri 
Signed-off-by: Yoann Congal --- .../gnutls/gnutls/CVE-2025-14831-1.patch | 119 +++++ .../gnutls/gnutls/CVE-2025-14831-10.patch | 424 +++++++++++++++ .../gnutls/gnutls/CVE-2025-14831-2.patch | 66 +++ .../gnutls/gnutls/CVE-2025-14831-3.patch | 30 ++ .../gnutls/gnutls/CVE-2025-14831-4.patch | 45 ++ .../gnutls/gnutls/CVE-2025-14831-5.patch | 205 +++++++ .../gnutls/gnutls/CVE-2025-14831-6.patch | 505 ++++++++++++++++++ .../gnutls/gnutls/CVE-2025-14831-7.patch | 124 +++++ .../gnutls/gnutls/CVE-2025-14831-8.patch | 155 ++++++ .../gnutls/gnutls/CVE-2025-14831-9.patch | 110 ++++ meta/recipes-support/gnutls/gnutls_3.8.10.bb | 10 + 11 files changed, 1793 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-10.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch new file mode 100644 index 00000000000..1bfa771043c --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch 
@@ -0,0 +1,119 @@ +From 6e118a4dfe820ce62fc77130b89188bcd8fbcaad Mon Sep 17 00:00:00 2001 +From: chenjianhu +Date: Fri, 1 Aug 2025 17:18:23 +0800 +Subject: [PATCH] x509: fix incorrect handling in name constraints merging + +As mentioned in commit ca573d65 ("x509: Fix asymmetry in name +constraints intersection", 2016-07-29), the +_gnutls_name_constraints_intersect function exhibited an +asymmetry in name constraints intersection behavior, specifically +manifested as: +1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were + preserved +2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were + discarded + +A 'used' flag was introduced, where if a node from PERMITTED2 was + not used for the intersection, it would be copied to PERMITTED. + +However,an unresolved edge case persisted: +- When 'removed.size > 0', the 'used' flag was unconditionally set +to 1 +- This prevented copying of PERMITTED2 nodes with unique types + +Signed-off-by: chenjianhu +Modified-by: Daiki Ueno + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/6e118a4dfe820ce62fc77130b89188bcd8fbcaad] +CVE: CVE-2025-14831 #Backport to apply CVE patches cleanly +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 5 +++- + tests/name-constraints-merge.c | 55 ++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 3c6e306303..2be6a2aaa6 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -414,7 +414,10 @@ static int name_constraints_node_list_intersect( + gnutls_assert(); + goto cleanup; + } +- used = 1; ++ ++ if (t->type == t2->type) ++ used = 1; ++ + // if intersection is not empty + if (tmp != + NULL) { // intersection for this type is not empty +diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c +index 03b3243cc7..70376aaa74 100644 +--- a/tests/name-constraints-merge.c ++++ 
b/tests/name-constraints-merge.c +@@ -418,6 +418,61 @@ void doit(void) + gnutls_x509_name_constraints_deinit(nc1); + gnutls_x509_name_constraints_deinit(nc2); + ++ /* 5: variant of suite 0: after moving rfc822Name (ccc.com) ++ * from NC1 to NC2, dNSName (xxx.ccc.com) should still be ++ * rejected. ++ * ++ * NC1: permitted DNS org ++ * permitted DNS ccc.com ++ * NC2: permitted DNS org ++ * permitted email ccc.com ++ * permitted DNS aaa.bbb.ccc.com ++ */ ++ suite = 5; ++ ++ ret = gnutls_x509_name_constraints_init(&nc1); ++ check_for_error(ret); ++ ++ ret = gnutls_x509_name_constraints_init(&nc2); ++ check_for_error(ret); ++ ++ set_name("org", &name); ++ ret = gnutls_x509_name_constraints_add_permitted( ++ nc1, GNUTLS_SAN_DNSNAME, &name); ++ check_for_error(ret); ++ ++ set_name("ccc.com", &name); ++ ret = gnutls_x509_name_constraints_add_permitted( ++ nc1, GNUTLS_SAN_DNSNAME, &name); ++ check_for_error(ret); ++ ++ set_name("org", &name); ++ ret = gnutls_x509_name_constraints_add_permitted( ++ nc2, GNUTLS_SAN_DNSNAME, &name); ++ check_for_error(ret); ++ ++ set_name("ccc.com", &name); ++ ret = gnutls_x509_name_constraints_add_permitted( ++ nc2, GNUTLS_SAN_RFC822NAME, &name); ++ check_for_error(ret); ++ ++ set_name("aaa.bbb.ccc.com", &name); ++ ret = gnutls_x509_name_constraints_add_permitted( ++ nc2, GNUTLS_SAN_DNSNAME, &name); ++ check_for_error(ret); ++ ++ ret = _gnutls_x509_name_constraints_merge(nc1, nc2); ++ check_for_error(ret); ++ ++ /* check intersection of permitted */ ++ set_name("xxx.ccc.com", &name); ++ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, ++ &name); ++ check_test_result(suite, ret, NAME_REJECTED, &name); ++ ++ gnutls_x509_name_constraints_deinit(nc1); ++ gnutls_x509_name_constraints_deinit(nc2); ++ + /* Test footer */ + + if (debug) +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-10.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-10.patch new file mode 100644 index 00000000000..5507719ac01 
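Review bot: In the header of CVE-2025-14831-1.patch the tag line reads "CVE: CVE-2025-14831 #Backport to apply CVE patches cleanly", which puts free text on the same line as the CVE id for a patch that is a prerequisite rather than the fix. Keep the tag line to the id only and move the explanation into the patch description, so that anything reading "CVE:" tags sees an unambiguous value and a reader of the patch can tell at once that the fix for CVE-2025-14831 lives in the later patches of the series.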
--- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-10.patch 
@@ -0,0 +1,424 @@ +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 20:03:49 +0100 +Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect + over sorted + +Fixes: #1773 +Fixes: GNUTLS-SA-2026-02-09-2 +Fixes: CVE-2025-14831 + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 350 ++++++++++++++---------------------- + 1 file changed, 135 insertions(+), 215 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 1d78d1b..04722bd 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -446,13 +446,6 @@ name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc, + src->name.data, src->name.size); + } + +-// for documentation see the implementation +-static int name_constraints_intersect_nodes( +- gnutls_x509_name_constraints_t nc, +- const struct name_constraints_node_st *node1, +- const struct name_constraints_node_st *node2, +- struct name_constraints_node_st **intersection); +- + /*- + * _gnutls_x509_name_constraints_is_empty: + * @nc: name constraints structure +@@ -716,132 +709,143 @@ typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 
1 : -1]; + static int name_constraints_node_list_intersect( + gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *permitted, +- const struct name_constraints_node_list_st *permitted2, ++ struct name_constraints_node_list_st *permitted2, + struct name_constraints_node_list_st *excluded) + { +- struct name_constraints_node_st *tmp; +- int ret, type, used; +- struct name_constraints_node_list_st removed = { .data = NULL, +- .size = 0, +- .capacity = 0 }; ++ struct name_constraints_node_st *nc1, *nc2; ++ struct name_constraints_node_list_st result = { 0 }; ++ struct name_constraints_node_list_st unsupp2 = { 0 }; ++ enum name_constraint_relation rel; ++ unsigned type; ++ int ret = GNUTLS_E_SUCCESS; ++ size_t i, j, p1_unsupp = 0, p2_unsupp = 0; ++ type_bitmask_t universal_exclude_needed = 0; ++ type_bitmask_t types_in_p1 = 0, types_in_p2 = 0; + static const unsigned char universal_ip[32] = { 0 }; + +- /* bitmask to see if we need to add universal excluded constraints +- * (see phase 3 for details) */ +- type_bitmask_t types_with_empty_intersection = 0; +- + if (permitted->size == 0 || permitted2->size == 0) +- return 0; ++ return GNUTLS_E_SUCCESS; + +- /* Phase 1 +- * For each name in PERMITTED, if a PERMITTED2 does not contain a name +- * with the same type, move the original name to REMOVED. 
+- * Do this also for node of unknown type (not DNS, email, IP) */ +- for (size_t i = 0; i < permitted->size;) { +- struct name_constraints_node_st *t = permitted->data[i]; +- const struct name_constraints_node_st *found = NULL; +- +- for (size_t j = 0; j < permitted2->size; j++) { +- const struct name_constraints_node_st *t2 = +- permitted2->data[j]; +- if (t->type == t2->type) { +- // check bounds (we will use 't->type' as index) +- if (t->type > GNUTLS_SAN_MAX || t->type == 0) { +- gnutls_assert(); +- ret = GNUTLS_E_INTERNAL_ERROR; +- goto cleanup; +- } +- // note the possibility of empty intersection for this type +- // if we add something to the intersection in phase 2, +- // we will reset this flag back to 0 then +- type_bitmask_set(types_with_empty_intersection, +- t->type); +- found = t2; +- break; +- } +- } ++ /* make sorted views of the arrays */ ++ ret = ensure_sorted(permitted); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ret = ensure_sorted(permitted2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + +- if (found != NULL && is_supported_type(t->type)) { +- /* move node from PERMITTED to REMOVED */ +- ret = name_constraints_node_list_add(&removed, t); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- /* remove node by swapping */ +- if (i < permitted->size - 1) +- permitted->data[i] = +- permitted->data[permitted->size - 1]; +- permitted->size--; +- permitted->dirty = true; +- continue; ++ /* deal with the leading unsupported types first: count, then union */ ++ while (p1_unsupp < permitted->size && ++ !is_supported_type(permitted->sorted_view[p1_unsupp]->type)) ++ p1_unsupp++; ++ while (p2_unsupp < permitted2->size && ++ !is_supported_type(permitted2->sorted_view[p2_unsupp]->type)) ++ p2_unsupp++; ++ if (p1_unsupp) { /* copy p1 unsupported type pointers into result */ ++ result.data = gnutls_calloc( ++ p1_unsupp, sizeof(struct name_constraints_node_st *)); ++ if (!result.data) { ++ ret = 
GNUTLS_E_MEMORY_ERROR; ++ gnutls_assert(); ++ goto cleanup; ++ } ++ memcpy(result.data, permitted->sorted_view, ++ p1_unsupp * sizeof(struct name_constraints_node_st *)); ++ result.size = result.capacity = p1_unsupp; ++ result.dirty = true; ++ } ++ if (p2_unsupp) { /* union will make deep copies from p2 */ ++ unsupp2.data = permitted2->sorted_view; /* so, just alias */ ++ unsupp2.size = unsupp2.capacity = p2_unsupp; ++ unsupp2.dirty = false; /* we know it's sorted */ ++ unsupp2.sorted_view = permitted2->sorted_view; ++ ret = name_constraints_node_list_union(nc, &result, &unsupp2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- i++; + } + +- /* Phase 2 +- * iterate through all combinations from PERMITTED2 and PERMITTED +- * and create intersections of nodes with same type */ +- for (size_t i = 0; i < permitted2->size; i++) { +- const struct name_constraints_node_st *t2 = permitted2->data[i]; +- +- // current PERMITTED2 node has not yet been used for any intersection +- // (and is not in REMOVED either) +- used = 0; +- for (size_t j = 0; j < removed.size; j++) { +- const struct name_constraints_node_st *t = +- removed.data[j]; +- // save intersection of name constraints into tmp +- ret = name_constraints_intersect_nodes(nc, t, t2, &tmp); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } ++ /* with that out of the way, pre-compute the supported types we have */ ++ for (i = p1_unsupp; i < permitted->size; i++) { ++ type = permitted->sorted_view[i]->type; ++ if (type < 1 || type > GNUTLS_SAN_MAX) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; ++ } ++ type_bitmask_set(types_in_p1, type); ++ } ++ for (j = p2_unsupp; j < permitted2->size; j++) { ++ type = permitted2->sorted_view[j]->type; ++ if (type < 1 || type > GNUTLS_SAN_MAX) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; ++ } ++ type_bitmask_set(types_in_p2, type); ++ } ++ /* universal excludes might be needed for types intersecting to empty */ 
++ universal_exclude_needed = types_in_p1 & types_in_p2; ++ ++ /* go through supported type NCs and intersect in a single pass */ ++ i = p1_unsupp; ++ j = p2_unsupp; ++ while (i < permitted->size || j < permitted2->size) { ++ nc1 = (i < permitted->size) ? permitted->sorted_view[i] : NULL; ++ nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] : ++ NULL; ++ rel = compare_name_constraint_nodes(nc1, nc2); + +- if (t->type == t2->type) +- used = 1; +- +- // if intersection is not empty +- if (tmp != +- NULL) { // intersection for this type is not empty +- // check bounds +- if (tmp->type > GNUTLS_SAN_MAX || +- tmp->type == 0) { +- gnutls_free(tmp); +- return gnutls_assert_val( +- GNUTLS_E_INTERNAL_ERROR); +- } +- // we will not add universal excluded constraint for this type +- type_bitmask_clr(types_with_empty_intersection, +- tmp->type); +- // add intersection node to PERMITTED +- ret = name_constraints_node_list_add(permitted, +- tmp); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- } ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ assert(nc1 != NULL); /* comparator-guaranteed */ ++ /* if nothing to intersect with, shallow-copy nc1 */ ++ if (!type_bitmask_in(types_in_p2, nc1->type)) ++ ret = name_constraints_node_list_add(&result, ++ nc1); ++ i++; /* otherwise skip nc1 */ ++ break; ++ case NC_SORTS_AFTER: ++ assert(nc2 != NULL); /* comparator-guaranteed */ ++ /* if nothing to intersect with, deep-copy nc2 */ ++ if (!type_bitmask_in(types_in_p1, nc2->type)) ++ ret = name_constraints_node_add_copy( ++ nc, &result, nc2); ++ j++; /* otherwise skip nc2 */ ++ break; ++ case NC_INCLUDED_BY: /* add nc1, shallow-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ type_bitmask_clr(universal_exclude_needed, nc1->type); ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ break; ++ case NC_INCLUDES: /* pick nc2, deep-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ type_bitmask_clr(universal_exclude_needed, 
nc2->type); ++ ret = name_constraints_node_add_copy(nc, &result, nc2); ++ j++; ++ break; ++ case NC_EQUAL: /* pick whichever: nc1, shallow-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* loop condition */ ++ type_bitmask_clr(universal_exclude_needed, nc1->type); ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; + } +- // if the node from PERMITTED2 was not used for intersection, copy it to DEST +- // Beware: also copies nodes other than DNS, email, IP, +- // since their counterpart may have been moved in phase 1. +- if (!used) { +- ret = name_constraints_node_add_copy(nc, permitted, t2); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } + } + +- /* Phase 3 +- * For each type: If we have empty permitted name constraints now +- * and we didn't have at the beginning, we have to add a new +- * excluded constraint with universal wildcard +- * (since the intersection of permitted is now empty). 
*/ ++ /* finishing touch: add universal excluded constraints for types where ++ * both lists had constraints, but all intersections ended up empty */ + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { +- if (!type_bitmask_in(types_with_empty_intersection, type)) ++ if (!type_bitmask_in(universal_exclude_needed, type)) + continue; + _gnutls_hard_log( + "Adding universal excluded name constraint for type %d.\n", +@@ -874,14 +878,24 @@ static int name_constraints_node_list_intersect( + goto cleanup; + } + break; +- default: // do nothing, at least one node was already moved in phase 1 +- break; ++ default: /* unsupported type; should be unreacheable */ ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; + } + } +- ret = GNUTLS_E_SUCCESS; + ++ gnutls_free(permitted->data); ++ gnutls_free(permitted->sorted_view); ++ permitted->data = result.data; ++ permitted->sorted_view = NULL; ++ permitted->size = result.size; ++ permitted->capacity = result.capacity; ++ permitted->dirty = true; ++ ++ result.data = NULL; ++ ret = GNUTLS_E_SUCCESS; + cleanup: +- gnutls_free(removed.data); ++ name_constraints_node_list_clear(&result); + return ret; + } + +@@ -1257,100 +1271,6 @@ static unsigned email_matches(const gnutls_datum_t *name, + return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + +-/*- +- * name_constraints_intersect_nodes: +- * @nc1: name constraints node 1 +- * @nc2: name constraints node 2 +- * @_intersection: newly allocated node with intersected constraints, +- * NULL if the intersection is empty +- * +- * Inspect 2 name constraints nodes (of possibly different types) and allocate +- * a new node with intersection of given constraints. +- * +- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. 
+- -*/ +-static int name_constraints_intersect_nodes( +- gnutls_x509_name_constraints_t nc, +- const struct name_constraints_node_st *node1, +- const struct name_constraints_node_st *node2, +- struct name_constraints_node_st **_intersection) +-{ +- // presume empty intersection +- struct name_constraints_node_st *intersection = NULL; +- const struct name_constraints_node_st *to_copy = NULL; +- enum name_constraint_relation rel; +- +- *_intersection = NULL; +- +- if (node1->type != node2->type) { +- return GNUTLS_E_SUCCESS; +- } +- switch (node1->type) { +- case GNUTLS_SAN_DNSNAME: +- rel = compare_dns_names(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- case GNUTLS_SAN_RFC822NAME: +- rel = compare_emails(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- case GNUTLS_SAN_IPADDRESS: +- rel = compare_ip_ncs(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- default: +- // for other types, we don't know how to do the intersection, assume empty +- return 
GNUTLS_E_SUCCESS; +- } +- +- // copy existing node if applicable +- if (to_copy != NULL) { +- *_intersection = name_constraints_node_new(nc, to_copy->type, +- to_copy->name.data, +- to_copy->name.size); +- if (*_intersection == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- intersection = *_intersection; +- +- assert(intersection->name.data != NULL); +- } +- +- return GNUTLS_E_SUCCESS; +-} +- + /* + * Returns: true if the certification is acceptable, and false otherwise. + */ +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch new file mode 100644 index 00000000000..9066098a01f --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch 
@@ -0,0 +1,66 @@ +From 0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 19:02:27 +0100 +Subject: [PATCH] x509/name_constraints: use actual zeroes in universal exclude + IP NC + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 2be6a2aaa6..d07482e3c9 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -61,7 +61,7 @@ struct gnutls_name_constraints_st { + + static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, +- unsigned char *data, unsigned int size); ++ const unsigned char *data, unsigned int size); + + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, +@@ -285,7 +285,7 @@ static void name_constraints_node_free(struct name_constraints_node_st *node) + -*/ + static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, +- unsigned char *data, unsigned int size) ++ const unsigned char *data, unsigned int size) + { + struct name_constraints_node_st *tmp; + int ret; +@@ -339,6 +339,7 @@ static int name_constraints_node_list_intersect( + struct name_constraints_node_list_st removed = { .data = NULL, + .size = 0, + .capacity = 0 }; ++ static const unsigned char universal_ip[32] = { 0 }; + + /* temporary array to see, if we need to add universal excluded constraints + * (see phase 3 for details) +@@ -474,7 +475,7 @@ static int name_constraints_node_list_intersect( + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 + tmp = name_constraints_node_new( +- nc, 
GNUTLS_SAN_IPADDRESS, NULL, 8); ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); + if (tmp == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; +@@ -487,7 +488,7 @@ static int name_constraints_node_list_intersect( + } + // add universal restricted range for IPv6 + tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, NULL, 32); ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32); + if (tmp == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch new file mode 100644 index 00000000000..0d340325541 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch @@ -0,0 +1,30 @@ +From 85d6348a30c74d4ee3710e0f4652f634eaad6914 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 19:10:58 +0100 +Subject: [PATCH] tests/name-constraints-ip: stop swallowing errors... + +... now when it started to pass + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/85d6348a30c74d4ee3710e0f4652f634eaad6914] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + tests/name-constraints-ip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c +index 7a196088dc..a0cf172b7f 100644 +--- a/tests/name-constraints-ip.c ++++ b/tests/name-constraints-ip.c +@@ -772,5 +772,5 @@ int main(int argc, char **argv) + cmocka_unit_test_setup_teardown( + check_ipv4v6_single_constraint_each, setup, teardown) + }; +- cmocka_run_group_tests(tests, NULL, NULL); ++ return cmocka_run_group_tests(tests, NULL, NULL); + } +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch new file mode 100644 index 00000000000..ed4a7da3c7a --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch 
@@ -0,0 +1,45 @@ +From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 20:14:33 +0100 +Subject: [PATCH] x509/name_constraints: reject some malformed domain names + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index d07482e3c9..9783d92851 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, + return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR); + } + ++ /* Validate DNS names and email addresses for malformed input */ ++ if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) { ++ unsigned int i; ++ if (name->size == 0) ++ return GNUTLS_E_SUCCESS; ++ ++ /* reject names with consecutive dots... */ ++ for (i = 0; i + 1 < name->size; i++) { ++ if (name->data[i] == '.' && name->data[i + 1] == '.') ++ return gnutls_assert_val( ++ GNUTLS_E_ILLEGAL_PARAMETER); ++ } ++ /* ... or names consisting exclusively of dots */ ++ if (name->size == 1 && name->data[0] == '.') ++ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ } ++ + return GNUTLS_E_SUCCESS; + } + +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch new file mode 100644 index 00000000000..514ee3c70fc --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch 
@@ -0,0 +1,205 @@ +From 6db7da7fcfe230f445b1edbb56e2a8346120c891 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Thu, 5 Feb 2026 13:22:10 +0100 +Subject: [PATCH] x509/name_constraints: name_constraints_node_add_{new,copy} + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/6db7da7fcfe230f445b1edbb56e2a8346120c891] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 112 ++++++++++++++++-------------------- + 1 file changed, 51 insertions(+), 61 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 9783d92851..81035eef8f 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -86,6 +86,38 @@ name_constraints_node_list_add(struct name_constraints_node_list_st *list, + return 0; + } + ++static int ++name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *list, ++ unsigned type, const unsigned char *data, ++ unsigned int size) ++{ ++ struct name_constraints_node_st *node; ++ int ret; ++ node = name_constraints_node_new(nc, type, data, size); ++ if (node == NULL) { ++ gnutls_assert(); ++ return GNUTLS_E_MEMORY_ERROR; ++ } ++ ret = name_constraints_node_list_add(list, node); ++ if (ret < 0) { ++ gnutls_assert(); ++ return ret; ++ } ++ return GNUTLS_E_SUCCESS; ++} ++ ++static int ++name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *dest, ++ const struct name_constraints_node_st *src) ++{ ++ if (!src) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ return name_constraints_node_add_new(nc, dest, src->type, ++ src->name.data, src->name.size); ++} ++ + // for documentation see the implementation + static int name_constraints_intersect_nodes( + gnutls_x509_name_constraints_t nc, +@@ -188,7 +220,6 @@ static int extract_name_constraints(gnutls_x509_name_constraints_t nc, + unsigned indx; + 
gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; +- struct name_constraints_node_st *node; + + for (indx = 1;; indx++) { + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); +@@ -231,15 +262,9 @@ static int extract_name_constraints(gnutls_x509_name_constraints_t nc, + goto cleanup; + } + +- node = name_constraints_node_new(nc, type, tmp.data, tmp.size); ++ ret = name_constraints_node_add_new(nc, nodes, type, tmp.data, ++ tmp.size); + _gnutls_free_datum(&tmp); +- if (node == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- +- ret = name_constraints_node_list_add(nodes, node); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -462,14 +487,7 @@ static int name_constraints_node_list_intersect( + // Beware: also copies nodes other than DNS, email, IP, + // since their counterpart may have been moved in phase 1. + if (!used) { +- tmp = name_constraints_node_new( +- nc, t2->type, t2->name.data, t2->name.size); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(permitted, tmp); ++ ret = name_constraints_node_add_copy(nc, permitted, t2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -491,27 +509,17 @@ static int name_constraints_node_list_intersect( + switch (type) { + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 +- tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new( ++ nc, excluded, GNUTLS_SAN_IPADDRESS, ++ universal_ip, 8); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + // add universal restricted range for IPv6 +- tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; 
+- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new( ++ nc, excluded, GNUTLS_SAN_IPADDRESS, ++ universal_ip, 32); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -519,13 +527,8 @@ static int name_constraints_node_list_intersect( + break; + case GNUTLS_SAN_DNSNAME: + case GNUTLS_SAN_RFC822NAME: +- tmp = name_constraints_node_new(nc, type, NULL, 0); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new(nc, excluded, type, ++ NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -547,20 +550,13 @@ static int name_constraints_node_list_concat( + struct name_constraints_node_list_st *nodes, + const struct name_constraints_node_list_st *nodes2) + { +- for (size_t i = 0; i < nodes2->size; i++) { +- const struct name_constraints_node_st *node = nodes2->data[i]; +- struct name_constraints_node_st *tmp; +- int ret; ++ int ret; + +- tmp = name_constraints_node_new(nc, node->type, node->name.data, +- node->name.size); +- if (tmp == NULL) { +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- } +- ret = name_constraints_node_list_add(nodes, tmp); ++ for (size_t i = 0; i < nodes2->size; i++) { ++ ret = name_constraints_node_add_copy(nc, nodes, ++ nodes2->data[i]); + if (ret < 0) { +- name_constraints_node_free(tmp); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ return gnutls_assert_val(ret); + } + } + +@@ -690,7 +686,6 @@ static int name_constraints_add(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t *name, unsigned permitted) + { +- struct name_constraints_node_st *tmp; + struct name_constraints_node_list_st *nodes; + int ret; + +@@ -700,15 +695,10 @@ static int name_constraints_add(gnutls_x509_name_constraints_t nc, + + nodes = permitted ? 
&nc->permitted : &nc->excluded; + +- tmp = name_constraints_node_new(nc, type, name->data, name->size); +- if (tmp == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- ret = name_constraints_node_list_add(nodes, tmp); +- if (ret < 0) { +- name_constraints_node_free(tmp); ++ ret = name_constraints_node_add_new(nc, nodes, type, name->data, ++ name->size); ++ if (ret < 0) + return gnutls_assert_val(ret); +- } + + return 0; + } +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch new file mode 100644 index 00000000000..6970c6ccfe4 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch 
@@ -0,0 +1,505 @@ +From 094accd3ebec17ead6c391757eaa18763b72d83f Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 20:16:36 +0100 +Subject: [PATCH] x509/name_constraints: introduce a rich comparator + +These are preparatory changes before implementing N * log N intersection +over sorted lists of constraints. + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/094accd3ebec17ead6c391757eaa18763b72d83f] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 411 ++++++++++++++++++++++++++++-------- + 1 file changed, 320 insertions(+), 91 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 81035eef8f..b5d732d0c5 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -39,6 +39,9 @@ + #include "ip.h" + #include "ip-in-cidr.h" + #include "intprops.h" ++#include "minmax.h" ++ ++#include + + #define MAX_NC_CHECKS (1 << 20) + +@@ -63,6 +66,282 @@ static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, + const unsigned char *data, unsigned int size); + ++/* An enum for "rich" comparisons that not only let us sort name constraints, ++ * children-before-parent, but also subsume them during intersection. 
*/ ++enum name_constraint_relation { ++ NC_SORTS_BEFORE = -2, /* unrelated constraints */ ++ NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort first */ ++ NC_EQUAL = 0, /* exact match */ ++ NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */ ++ NC_SORTS_AFTER = 2 /* unrelated constraints */ ++}; ++ ++/* A helper to compare just a pair of strings with this rich comparison */ ++static enum name_constraint_relation ++compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len) ++{ ++ int r = memcmp(n1, n2, MIN(n1_len, n2_len)); ++ if (r < 0) ++ return NC_SORTS_BEFORE; ++ if (r > 0) ++ return NC_SORTS_AFTER; ++ if (n1_len < n2_len) ++ return NC_SORTS_BEFORE; ++ if (n1_len > n2_len) ++ return NC_SORTS_AFTER; ++ return NC_EQUAL; ++} ++ ++/* Rich-compare DNS names. Example order/relationships: ++ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */ ++static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ enum name_constraint_relation rel; ++ unsigned int i, j, i_end, j_end; ++ ++ /* start from the end of each name */ ++ i = i_end = n1->size; ++ j = j_end = n2->size; ++ ++ /* skip the trailing dots for the comparison */ ++ while (i && n1->data[i - 1] == '.') ++ i_end = i = i - 1; ++ while (j && n2->data[j - 1] == '.') ++ j_end = j = j - 1; ++ ++ while (1) { ++ // rewind back to beginning or an after-dot position ++ while (i && n1->data[i - 1] != '.') ++ i--; ++ while (j && n2->data[j - 1] != '.') ++ j--; ++ ++ rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j], ++ j_end - j); ++ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */ ++ return NC_SORTS_BEFORE; ++ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */ ++ return NC_SORTS_AFTER; ++ if (!i && j) /* x.a INCLUDES z.x.a */ ++ return NC_INCLUDES; ++ if (i && !j) /* z.x.a INCLUDED_BY x.a */ ++ return NC_INCLUDED_BY; ++ ++ if (!i && !j) /* r == 0, we ran out of components to compare */ ++ return 
NC_EQUAL; ++ /* r == 0, i && j: step back past a dot and keep comparing */ ++ i_end = i = i - 1; ++ j_end = j = j - 1; ++ ++ /* support for non-standard ".gr INCLUDES example.gr" [1] */ ++ if (!i && j) /* .a INCLUDES x.a */ ++ return NC_INCLUDES; ++ if (i && !j) /* x.a INCLUDED_BY .a */ ++ return NC_INCLUDED_BY; ++ } ++} ++/* [1] https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */ ++ ++/* Rich-compare email name constraints. Example order/relationships: ++ * z@x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE y@b */ ++static enum name_constraint_relation compare_emails(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ enum name_constraint_relation domains_rel; ++ unsigned int i, j, i_end, j_end; ++ gnutls_datum_t d1, d2; /* borrow from n1 and n2 */ ++ ++ /* start from the end of each name */ ++ i = i_end = n1->size; ++ j = j_end = n2->size; ++ ++ /* rewind to @s to look for domains */ ++ while (i && n1->data[i - 1] != '@') ++ i--; ++ d1.size = i_end - i; ++ d1.data = &n1->data[i]; ++ while (j && n2->data[j - 1] != '@') ++ j--; ++ d2.size = j_end - j; ++ d2.data = &n2->data[j]; ++ ++ domains_rel = compare_dns_names(&d1, &d2); ++ ++ /* email constraint semantics differ from DNS ++ * DNS: x.a INCLUDED_BY a ++ * Email: x.a INCLUDED_BY .a BEFORE a */ ++ if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) { ++ bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.'); ++ bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.'); ++ /* a constraint without a dot is exact, excluding subdomains */ ++ if (!d2_has_dot && domains_rel == NC_INCLUDED_BY) ++ domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */ ++ if (!d1_has_dot && domains_rel == NC_INCLUDES) ++ domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */ ++ } ++ ++ if (!i && !j) { /* both are domains-only */ ++ return domains_rel; ++ } else if (i && !j) { /* n1 is email, n2 is domain */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case 
NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: /* n2 is more specific, a@x.a AFTER z.x.a */ ++ return NC_SORTS_AFTER; ++ case NC_EQUAL: /* subdomains match, z@x.a INCLUDED_BY x.a */ ++ case NC_INCLUDED_BY: /* n1 is more specific */ ++ return NC_INCLUDED_BY; ++ } ++ } else if (!i && j) { /* n1 is domain, n2 is email */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: /* n2 is more specific, a AFTER z@x.a */ ++ return NC_SORTS_AFTER; ++ case NC_EQUAL: /* subdomains match, x.a INCLUDES z@x.a */ ++ return NC_INCLUDES; ++ case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a */ ++ return NC_SORTS_BEFORE; ++ } ++ } else if (i && j) { /* both are emails */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: // n2 is more specific ++ return NC_SORTS_AFTER; ++ case NC_INCLUDED_BY: // n1 is more specific ++ return NC_SORTS_BEFORE; ++ case NC_EQUAL: // only case when we need to look before the @ ++ break; // see below for readability ++ } ++ } ++ ++ /* i && j, both are emails, domain names match, compare up to @ */ ++ return compare_strings(n1->data, i - 1, n2->data, j - 1); ++} ++ ++/* Rich-compare IP address constraints. 
Example order/relationships: ++ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY 1::1/127 */ ++static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ unsigned int len, i; ++ int r; ++ const unsigned char *ip1, *ip2, *mask1, *mask2; ++ unsigned char masked11[16], masked22[16], masked12[16], masked21[16]; ++ ++ if (n1->size < n2->size) ++ return NC_SORTS_BEFORE; ++ if (n1->size > n2->size) ++ return NC_SORTS_AFTER; ++ len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */ ++ ++ /* data is a concatenation of prefix and mask */ ++ ip1 = n1->data; ++ ip2 = n2->data; ++ mask1 = n1->data + len; ++ mask2 = n2->data + len; ++ for (i = 0; i < len; i++) { ++ masked11[i] = ip1[i] & mask1[i]; ++ masked22[i] = ip2[i] & mask2[i]; ++ masked12[i] = ip1[i] & mask2[i]; ++ masked21[i] = ip2[i] & mask1[i]; ++ } ++ ++ r = memcmp(mask1, mask2, len); ++ if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < prefix2 */ ++ return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */ ++ if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > prefix2 */ ++ return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */ ++ ++ r = memcmp(masked11, masked22, len); ++ if (r < 0) ++ return NC_SORTS_BEFORE; ++ else if (r > 0) ++ return NC_SORTS_AFTER; ++ return NC_EQUAL; ++} ++ ++static inline bool is_supported_type(unsigned type) ++{ ++ return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || ++ type == GNUTLS_SAN_IPADDRESS; ++} ++ ++/* Universal comparison for name constraint nodes. ++ * Unsupported types sort before supported types to allow early handling. ++ * NULL represents end-of-list and sorts after everything else. 
*/ ++static enum name_constraint_relation ++compare_name_constraint_nodes(const struct name_constraints_node_st *n1, ++ const struct name_constraints_node_st *n2) ++{ ++ bool n1_supported, n2_supported; ++ ++ if (!n1 && !n2) ++ return NC_EQUAL; ++ if (!n1) ++ return NC_SORTS_AFTER; ++ if (!n2) ++ return NC_SORTS_BEFORE; ++ ++ n1_supported = is_supported_type(n1->type); ++ n2_supported = is_supported_type(n2->type); ++ ++ /* unsupported types bubble up (sort first). intersect relies on this */ ++ if (!n1_supported && n2_supported) ++ return NC_SORTS_BEFORE; ++ if (n1_supported && !n2_supported) ++ return NC_SORTS_AFTER; ++ ++ /* next, sort by type */ ++ if (n1->type < n2->type) ++ return NC_SORTS_BEFORE; ++ if (n1->type > n2->type) ++ return NC_SORTS_AFTER; ++ ++ /* now look deeper */ ++ switch (n1->type) { ++ case GNUTLS_SAN_DNSNAME: ++ return compare_dns_names(&n1->name, &n2->name); ++ case GNUTLS_SAN_RFC822NAME: ++ return compare_emails(&n1->name, &n2->name); ++ case GNUTLS_SAN_IPADDRESS: ++ return compare_ip_ncs(&n1->name, &n2->name); ++ default: ++ /* unsupported types: stable lexicographic order */ ++ return compare_strings(n1->name.data, n1->name.size, ++ n2->name.data, n2->name.size); ++ } ++} ++ ++/* qsort-compatible wrapper */ ++static int compare_name_constraint_nodes_qsort(const void *a, const void *b) ++{ ++ const struct name_constraints_node_st *const *n1 = a; ++ const struct name_constraints_node_st *const *n2 = b; ++ enum name_constraint_relation rel; ++ ++ rel = compare_name_constraint_nodes(*n1, *n2); ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ case NC_INCLUDED_BY: ++ return -1; ++ case NC_SORTS_AFTER: ++ case NC_INCLUDES: ++ return 1; ++ case NC_EQUAL: ++ default: ++ return 0; ++ } ++} ++ + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, + struct name_constraints_node_st *node) +@@ -420,9 +699,7 @@ static int name_constraints_node_list_intersect( + } + } + +- if (found != NULL && (t->type == 
GNUTLS_SAN_DNSNAME || +- t->type == GNUTLS_SAN_RFC822NAME || +- t->type == GNUTLS_SAN_IPADDRESS)) { ++ if (found != NULL && is_supported_type(t->type)) { + /* move node from PERMITTED to REMOVED */ + ret = name_constraints_node_list_add(&removed, t); + if (ret < 0) { +@@ -827,61 +1104,14 @@ cleanup: + return ret; + } + +-static unsigned ends_with(const gnutls_datum_t *str, +- const gnutls_datum_t *suffix) +-{ +- unsigned char *tree; +- unsigned int treelen; +- +- if (suffix->size >= str->size) +- return 0; +- +- tree = suffix->data; +- treelen = suffix->size; +- if ((treelen > 0) && (tree[0] == '.')) { +- tree++; +- treelen--; +- } +- +- if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 && +- str->data[str->size - treelen - 1] == '.') +- return 1; /* match */ +- +- return 0; +-} +- +-static unsigned email_ends_with(const gnutls_datum_t *str, +- const gnutls_datum_t *suffix) +-{ +- if (suffix->size >= str->size) { +- return 0; +- } +- +- if (suffix->size > 0 && memcmp(str->data + str->size - suffix->size, +- suffix->data, suffix->size) != 0) { +- return 0; +- } +- +- if (suffix->size > 1 && suffix->data[0] == '.') { /* .domain.com */ +- return 1; /* match */ +- } else if (str->data[str->size - suffix->size - 1] == '@') { +- return 1; /* match */ +- } +- +- return 0; +-} +- + static unsigned dnsname_matches(const gnutls_datum_t *name, + const gnutls_datum_t *suffix) + { + _gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", name->size, + name->data, suffix->size, suffix->data); + +- if (suffix->size == name->size && +- memcmp(suffix->data, name->data, suffix->size) == 0) +- return 1; /* match */ +- +- return ends_with(name, suffix); ++ enum name_constraint_relation rel = compare_dns_names(name, suffix); ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + + static unsigned email_matches(const gnutls_datum_t *name, +@@ -890,11 +1120,8 @@ static unsigned email_matches(const gnutls_datum_t *name, + _gnutls_hard_log("matching %.*s with e-mail 
constraint %.*s\n", + name->size, name->data, suffix->size, suffix->data); + +- if (suffix->size == name->size && +- memcmp(suffix->data, name->data, suffix->size) == 0) +- return 1; /* match */ +- +- return email_ends_with(name, suffix); ++ enum name_constraint_relation rel = compare_emails(name, suffix); ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + + /*- +@@ -918,8 +1145,7 @@ static int name_constraints_intersect_nodes( + // presume empty intersection + struct name_constraints_node_st *intersection = NULL; + const struct name_constraints_node_st *to_copy = NULL; +- unsigned iplength = 0; +- unsigned byte; ++ enum name_constraint_relation rel; + + *_intersection = NULL; + +@@ -928,32 +1154,49 @@ static int name_constraints_intersect_nodes( + } + switch (node1->type) { + case GNUTLS_SAN_DNSNAME: +- if (!dnsname_matches(&node2->name, &node1->name)) ++ rel = compare_dns_names(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal means doesn't matter which one ++ case NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- to_copy = node2; ++ } + break; + case GNUTLS_SAN_RFC822NAME: +- if (!email_matches(&node2->name, &node1->name)) ++ rel = compare_emails(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal means doesn't matter which one ++ case NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- to_copy = node2; ++ } + break; + case GNUTLS_SAN_IPADDRESS: +- if (node1->name.size != node2->name.size) ++ rel = compare_ip_ncs(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal 
means doesn't matter which one ++ case NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- iplength = node1->name.size / 2; +- for (byte = 0; byte < iplength; byte++) { +- if (((node1->name.data[byte] ^ +- node2->name.data[byte]) // XOR of addresses +- & node1->name.data[byte + +- iplength] // AND mask from nc1 +- & node2->name.data[byte + +- iplength]) // AND mask from nc2 +- != 0) { +- // CIDRS do not intersect +- return GNUTLS_E_SUCCESS; +- } + } +- to_copy = node2; + break; + default: + // for other types, we don't know how to do the intersection, assume empty +@@ -970,20 +1213,6 @@ static int name_constraints_intersect_nodes( + intersection = *_intersection; + + assert(intersection->name.data != NULL); +- +- if (intersection->type == GNUTLS_SAN_IPADDRESS) { +- // make sure both IP addresses are correctly masked +- _gnutls_mask_ip(intersection->name.data, +- intersection->name.data + iplength, +- iplength); +- _gnutls_mask_ip(node1->name.data, +- node1->name.data + iplength, iplength); +- // update intersection, if necessary (we already know one is subset of other) +- for (byte = 0; byte < 2 * iplength; byte++) { +- intersection->name.data[byte] |= +- node1->name.data[byte]; +- } +- } + } + + return GNUTLS_E_SUCCESS; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch new file mode 100644 index 00000000000..8dfda528619 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch 
@@ -0,0 +1,124 @@ +From bc62fbb946085527b4b1c02f337dd10c68c54690 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 09:09:46 +0100 +Subject: [PATCH] x509/name_constraints: add sorted_view in preparation... + +... for actually using it later for performance gains. + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bc62fbb946085527b4b1c02f337dd10c68c54690] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 62 ++++++++++++++++++++++++++++++------- + 1 file changed, 51 insertions(+), 11 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index b5d732d0c5..41f30d13b9 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -54,6 +54,9 @@ struct name_constraints_node_list_st { + struct name_constraints_node_st **data; + size_t size; + size_t capacity; ++ /* sorted-on-demand view, valid only when dirty == false */ ++ bool dirty; ++ struct name_constraints_node_st **sorted_view; + }; + + struct gnutls_name_constraints_st { +@@ -342,6 +345,37 @@ static int compare_name_constraint_nodes_qsort(const void *a, const void *b) + } + } + ++/* Bring the sorted view up to date with the list data; clear the dirty flag. 
*/ ++static int ensure_sorted(struct name_constraints_node_list_st *list) ++{ ++ struct name_constraints_node_st **new_data; ++ ++ if (!list->dirty) ++ return GNUTLS_E_SUCCESS; ++ if (!list->size) { ++ list->dirty = false; ++ return GNUTLS_E_SUCCESS; ++ } ++ ++ /* reallocate sorted view to match current size */ ++ new_data = ++ _gnutls_reallocarray(list->sorted_view, list->size, ++ sizeof(struct name_constraints_node_st *)); ++ if (!new_data) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ list->sorted_view = new_data; ++ ++ /* copy pointers and sort in-place */ ++ memcpy(list->sorted_view, list->data, ++ list->size * sizeof(struct name_constraints_node_st *)); ++ qsort(list->sorted_view, list->size, ++ sizeof(struct name_constraints_node_st *), ++ compare_name_constraint_nodes_qsort); ++ ++ list->dirty = false; ++ return GNUTLS_E_SUCCESS; ++} ++ + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, + struct name_constraints_node_st *node) +@@ -361,10 +395,23 @@ name_constraints_node_list_add(struct name_constraints_node_list_st *list, + list->capacity = new_capacity; + list->data = new_data; + } ++ list->dirty = true; + list->data[list->size++] = node; + return 0; + } + ++static void ++name_constraints_node_list_clear(struct name_constraints_node_list_st *list) ++{ ++ gnutls_free(list->data); ++ gnutls_free(list->sorted_view); ++ list->data = NULL; ++ list->sorted_view = NULL; ++ list->capacity = 0; ++ list->size = 0; ++ list->dirty = false; ++} ++ + static int + name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *list, +@@ -711,6 +758,7 @@ static int name_constraints_node_list_intersect( + permitted->data[i] = + permitted->data[permitted->size - 1]; + permitted->size--; ++ permitted->dirty = true; + continue; + } + i++; +@@ -908,17 +956,9 @@ void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc) + struct name_constraints_node_st *node = 
nc->nodes.data[i]; + name_constraints_node_free(node); + } +- gnutls_free(nc->nodes.data); +- nc->nodes.capacity = 0; +- nc->nodes.size = 0; +- +- gnutls_free(nc->permitted.data); +- nc->permitted.capacity = 0; +- nc->permitted.size = 0; +- +- gnutls_free(nc->excluded.data); +- nc->excluded.capacity = 0; +- nc->excluded.size = 0; ++ name_constraints_node_list_clear(&nc->nodes); ++ name_constraints_node_list_clear(&nc->permitted); ++ name_constraints_node_list_clear(&nc->excluded); + } + + /** +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch new file mode 100644 index 00000000000..28d86ec6273 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch 
@@ -0,0 +1,155 @@ +From 80db5e90fa18d3e34bb91dd027bdf76d31e93dcd Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 13:30:08 +0100 +Subject: [PATCH] x509/name_constraints: implement + name_constraints_node_list_union + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80db5e90fa18d3e34bb91dd027bdf76d31e93dcd] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 98 ++++++++++++++++++++++++++++++++----- + 1 file changed, 86 insertions(+), 12 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 41f30d13b9..de20dd8ef4 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -41,6 +41,7 @@ + #include "intprops.h" + #include "minmax.h" + ++#include + #include + + #define MAX_NC_CHECKS (1 << 20) +@@ -870,22 +871,95 @@ cleanup: + return ret; + } + +-static int name_constraints_node_list_concat( +- gnutls_x509_name_constraints_t nc, +- struct name_constraints_node_list_st *nodes, +- const struct name_constraints_node_list_st *nodes2) ++static int ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ struct name_constraints_node_list_st *nodes2) + { + int ret; ++ size_t i = 0, j = 0; ++ struct name_constraints_node_st *nc1; ++ const struct name_constraints_node_st *nc2; ++ enum name_constraint_relation rel; ++ struct name_constraints_node_list_st result = { 0 }; ++ ++ if (nodes2->size == 0) /* nothing to do */ ++ return GNUTLS_E_SUCCESS; ++ ++ ret = ensure_sorted(nodes); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ret = ensure_sorted(nodes2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* traverse both lists in a single pass and merge them w/o duplicates */ ++ while (i < nodes->size || j < nodes2->size) { ++ nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL; ++ nc2 = (j < nodes2->size) ? 
nodes2->sorted_view[j] : NULL; + +- for (size_t i = 0; i < nodes2->size; i++) { +- ret = name_constraints_node_add_copy(nc, nodes, +- nodes2->data[i]); ++ rel = compare_name_constraint_nodes(nc1, nc2); ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ assert(nc1 != NULL); /* comparator-guaranteed */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ break; ++ case NC_SORTS_AFTER: ++ assert(nc2 != NULL); /* comparator-guaranteed */ ++ ret = name_constraints_node_add_copy(nc, &result, nc2); ++ j++; ++ break; ++ case NC_INCLUDES: /* nc1 is broader, shallow-copy it */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; ++ case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ ret = name_constraints_node_add_copy(nc, &result, nc2); ++ i++; ++ j++; ++ break; ++ case NC_EQUAL: ++ assert(nc1 != NULL && nc2 != NULL); /* loop condition */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; ++ } + if (ret < 0) { +- return gnutls_assert_val(ret); ++ gnutls_assert(); ++ goto cleanup; + } + } + +- return 0; ++ gnutls_free(nodes->data); ++ gnutls_free(nodes->sorted_view); ++ nodes->data = result.data; ++ nodes->sorted_view = NULL; ++ nodes->size = result.size; ++ nodes->capacity = result.capacity; ++ nodes->dirty = true; ++ /* since we know it's sorted, populate sorted_view almost for free */ ++ nodes->sorted_view = gnutls_calloc( ++ nodes->size, sizeof(struct name_constraints_node_st *)); ++ if (!nodes->sorted_view) ++ return GNUTLS_E_SUCCESS; /* we tried, no harm done */ ++ memcpy(nodes->sorted_view, nodes->data, ++ nodes->size * sizeof(struct name_constraints_node_st *)); ++ nodes->dirty = false; ++ ++ result.data = NULL; ++ return GNUTLS_E_SUCCESS; ++cleanup: ++ name_constraints_node_list_clear(&result); ++ return gnutls_assert_val(ret); + } + + /** +@@ -1026,7 +1100,7 @@ static int 
name_constraints_add(gnutls_x509_name_constraints_t nc, + * @nc2: The name constraints to be merged with + * + * This function will merge the provided name constraints structures +- * as per RFC5280 p6.1.4. That is, the excluded constraints will be appended, ++ * as per RFC5280 p6.1.4. That is, the excluded constraints will be unioned, + * and permitted will be intersected. The intersection assumes that @nc + * is the root CA constraints. + * +@@ -1048,8 +1122,8 @@ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + return ret; + } + +- ret = name_constraints_node_list_concat(nc, &nc->excluded, +- &nc2->excluded); ++ ret = name_constraints_node_list_union(nc, &nc->excluded, ++ &nc2->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch new file mode 100644 index 00000000000..ed6be93c54b --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch 
@@ -0,0 +1,110 @@ +From d0ac999620c8c0aeb6939e1e92d884ca8e40b759 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 18:31:37 +0100 +Subject: [PATCH] x509/name_constraints: make types_with_empty_intersection a + bitmask + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d0ac999620c8c0aeb6939e1e92d884ca8e40b759] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index de20dd8ef4..1d78d1bc50 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -275,6 +275,7 @@ static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1, + + static inline bool is_supported_type(unsigned type) + { ++ /* all of these should be under GNUTLS_SAN_MAX (intersect bitmasks) */ + return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || + type == GNUTLS_SAN_IPADDRESS; + } +@@ -683,6 +684,21 @@ name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, + return tmp; + } + ++static int ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ struct name_constraints_node_list_st *nodes2); ++ ++#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */ ++#define type_bitmask_set(mask, t) ((mask) |= (1u << (t))) ++#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t))) ++#define type_bitmask_in(mask, t) ((mask) & (1u << (t))) ++/* C99-compatible compile-time assertions; gnutls_int.h undefines verify */ ++typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1]; ++typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 : -1]; ++typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? 
1 : -1]; ++typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 1 : -1]; ++ + /*- + * @brief name_constraints_node_list_intersect: + * @nc: %gnutls_x509_name_constraints_t +@@ -710,12 +726,9 @@ static int name_constraints_node_list_intersect( + .capacity = 0 }; + static const unsigned char universal_ip[32] = { 0 }; + +- /* temporary array to see, if we need to add universal excluded constraints +- * (see phase 3 for details) +- * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */ +- unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX]; +- memset(types_with_empty_intersection, 0, +- sizeof(types_with_empty_intersection)); ++ /* bitmask to see if we need to add universal excluded constraints ++ * (see phase 3 for details) */ ++ type_bitmask_t types_with_empty_intersection = 0; + + if (permitted->size == 0 || permitted2->size == 0) + return 0; +@@ -741,7 +754,8 @@ static int name_constraints_node_list_intersect( + // note the possibility of empty intersection for this type + // if we add something to the intersection in phase 2, + // we will reset this flag back to 0 then +- types_with_empty_intersection[t->type - 1] = 1; ++ type_bitmask_set(types_with_empty_intersection, ++ t->type); + found = t2; + break; + } +@@ -798,8 +812,8 @@ static int name_constraints_node_list_intersect( + GNUTLS_E_INTERNAL_ERROR); + } + // we will not add universal excluded constraint for this type +- types_with_empty_intersection[tmp->type - 1] = +- 0; ++ type_bitmask_clr(types_with_empty_intersection, ++ tmp->type); + // add intersection node to PERMITTED + ret = name_constraints_node_list_add(permitted, + tmp); +@@ -827,7 +841,7 @@ static int name_constraints_node_list_intersect( + * excluded constraint with universal wildcard + * (since the intersection of permitted is now empty). 
*/ + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { +- if (types_with_empty_intersection[type - 1] == 0) ++ if (!type_bitmask_in(types_with_empty_intersection, type)) + continue; + _gnutls_hard_log( + "Adding universal excluded name constraint for type %d.\n", +@@ -871,6 +885,11 @@ cleanup: + return ret; + } + ++#undef type_bitmask_t ++#undef type_bitmask_set ++#undef type_bitmask_clr ++#undef type_bitmask_in ++ + static int + name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *nodes, +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.10.bb b/meta/recipes-support/gnutls/gnutls_3.8.10.bb index 5430ee20856..ce9fdce3f46 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.10.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.10.bb 
@@ -24,6 +24,16 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://run-ptest \ file://Add-ptest-support.patch \ file://CVE-2025-9820.patch \ + file://CVE-2025-14831-1.patch \ + file://CVE-2025-14831-2.patch \ + file://CVE-2025-14831-3.patch \ + file://CVE-2025-14831-4.patch \ + file://CVE-2025-14831-5.patch \ + file://CVE-2025-14831-6.patch \ + file://CVE-2025-14831-7.patch \ + file://CVE-2025-14831-8.patch \ + file://CVE-2025-14831-9.patch \ + file://CVE-2025-14831-10.patch \ " SRC_URI[sha256sum] = "db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7"

From patchwork Thu Mar 5 08:54:59 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 82540
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 10/12] README: Add whinlatter subject-prefix to git-send-email suggestion
Date: Thu, 5 Mar 2026 09:54:59 +0100
Message-ID: <46724cf2319e1a1fba8215165c11fe3d7c9ac039.1772700454.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232461

From: Yoann Congal

That might help new users send correct first stable patches.

Signed-off-by: Yoann Congal
--- README.OE-Core.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.OE-Core.md b/README.OE-Core.md index 7187fb94be3..35a9866db7b 100644 --- a/README.OE-Core.md +++ b/README.OE-Core.md
@@ -22,7 +22,7 @@ As a quick guide, patches should be sent to openembedded-core@lists.openembedded The git command to do that would be: ``` -git send-email -M -1 --to openembedded-core@lists.openembedded.org +git send-email -M -1 --to openembedded-core@lists.openembedded.org --subject-prefix='whinlatter][PATCH' ``` Mailing list:

From patchwork Thu Mar 5 08:55:00 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 82534
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 11/12] b4-config: add send-prefixes for whinlatter
Date: Thu, 5 Mar 2026 09:55:00 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232462

From: Yoann Congal

That might help new users send correct first stable patches.

Signed-off-by: Yoann Congal
--- .b4-config | 1 + 1 file changed, 1 insertion(+) diff --git a/.b4-config b/.b4-config index 41094218531..82d6c756e5e 100644 --- a/.b4-config +++ b/.b4-config
@@ -1,3 +1,4 @@ [b4] send-series-to = openembedded-core@lists.openembedded.org prep-pre-flight-checks = disable-needs-auto-to-cc, disable-needs-checking + send-prefixes = whinlatter From patchwork Thu Mar 5 08:55:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 82533 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 813E6EEF332 for ; Thu, 5 Mar 2026 08:56:01 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.39964.1772700956608718234 for ; Thu, 05 Mar 2026 00:55:56 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Y+Fwu9bo; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-48378136adcso46369325e9.1 for ; Thu, 05 Mar 2026 00:55:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1772700955; x=1773305755; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YrS3aVqQ4eOCKDHjwft9zzOB09AzueoltfUMxxOZT4Y=; b=Y+Fwu9boXv/QTU9o3sT2YmHNcr7lHPWp5usBTMpBdKKkAjHB8ZAcV3IJL6SQ721Vff O93noRRubZFjrpuAa2T2u1VtqluZJWTUCFaxzDLKlB/eHMWsAnDE1xzIelVF9B6EvsiV wH6SiQYB247wu8Um0fzoiknRDfMotyJ75ae74= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772700955; x=1773305755; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; 
bh=YrS3aVqQ4eOCKDHjwft9zzOB09AzueoltfUMxxOZT4Y=; b=pt5DN1U1Q4ZevrRhplWYqMxPZ58Ej15jYPuWeiw4CRmj4NO2BugrzL3or+FaOv+u88 1gG+oALXq5R44YBkemwxOT3VWekgLIORtBPiVPSBgAqwq8nQv4ha3piGTAHwWEz22/ka YUpjxhLxnmiT2Iuc9yephAJP9Pox7QvicOBQYnwH3ncGXmiYhd/2ffh/wwCUAzKQw6xB 27r80tAgk7fo7WCKF8W47XbQnGgRIg0PZuWMKdD6oY+vj+7WpB/RYhfFG3Ol4yKP+FYz JQTyr+oPrfQjalotNWbst8Ne3rrvCyo2UWSrgTfi/dqaLa5wRVZQMoa5O29+BhangS62 avXw== X-Gm-Message-State: AOJu0Yy0JBoUfKiVOIceC4l7aIdxVIWhE0kU2GEGa+oXmqGd+XJY4XTn 36+3VItcVvag+Ei3NjrOnN2TMG/zDnzo0VN6h+7/wdVQZdyi7OoVF0m4BsCy/kXF0RyDosG8QLr p2MTO X-Gm-Gg: ATEYQzygOx7OHFEAylkEROr0hruOPuRoZf/0dtryvf/z3vwNuqvSK8Usc9VdIjmRLXp SBNg+RYZKN6XW0qM4J8mAyrJEgpiLLuTI6V1sJjnk1ho4nP6kWn+7FzhT43ldhFOdnWp4jrhvsd VVoCQCAAq/9uBxros4zyC7J2R/YwewJS9D0Xk/gdQPAa8eMGYase7UMFw0huMzQAN1TRsIZg6+m QIc4lxLWk6CwD1kTLh/Rhloj1GHm82D3m1GgrLU8Kr1/R28m555Tiv5aeJHRDKwDZmWwRHuiplf kaYLu9PAqsfuCqv7E/swSLr3rs/3QGECI4fo2rzStUQw4PuT5wOm6A3Wr5dOmtWsXbrjlc6wFuF /CQMgF2jxSDeTOg32stE4bj4gQaCuh77KaJr0Xtb0e6/47Fdrot7fa1P4xmn2IkQ1HnGM9N8HEf +11lqsOW7m7N5DbJOM786E1VCJ103g3/GOfELk8qkHe0EVVm12czcikGdKkxiEPG+9SGeA7BPCb 7tyBuqZsgMREmH9ty662Ki6qydw X-Received: by 2002:a05:600c:34d1:b0:477:a978:3a7b with SMTP id 5b1f17b1804b1-48519888c4amr84421235e9.22.1772700954568; Thu, 05 Mar 2026 00:55:54 -0800 (PST) Received: from FRSMI25-LASER.home (2a01cb001331aa00675b4cbd8c1678f5.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:675b:4cbd:8c16:78f5]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851fb27a20sm59405175e9.9.2026.03.05.00.55.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Mar 2026 00:55:54 -0800 (PST) 
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 12/12] python3: skip flaky test_default_timeout test
Date: Thu, 5 Mar 2026 09:55:01 +0100
Message-ID: <2542c55501b4fe6e8655e15e18bc5d2b34f23f23.1772700454.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232464

From: Antonin Godard

We have been observing intermittent issues with this test on the Autobuilder:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15885

This is probably due to the Autobuilder being heavily loaded at the time of the test.

The logs on the ticket above do not allow us to know which of the two "test_default_timeout" tests is failing, so disable both with self.skipTest().

Excerpt from `ptest-runner python3`:

  test_default_timeout (test.test_multiprocessing_fork.test_manager.WithManagerTestBarrier.test_default_timeout)
  SKIP: Test the barrier's default timeout 'skip flaky timeout test'

[YOCTO #15885]

Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 9382dee2a59a359f38e03179d01fce47c2d86372)
Signed-off-by: Yoann Congal
--- ...kip-flaky-test_default_timeout-tests.patch | 49 +++++++++++++++++++ .../python/python3_3.13.11.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/0001-Skip-flaky-test_default_timeout-tests.patch diff --git a/meta/recipes-devtools/python/python3/0001-Skip-flaky-test_default_timeout-tests.patch b/meta/recipes-devtools/python/python3/0001-Skip-flaky-test_default_timeout-tests.patch new file mode 100644 index 00000000000..4e1bd833b46 --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-Skip-flaky-test_default_timeout-tests.patch
@@ -0,0 +1,49 @@ +From baf2dda48e51fcb17a716e52cc5c4e162a6bb7d3 Mon Sep 17 00:00:00 2001 +From: Antonin Godard +Date: Mon, 19 Jan 2026 11:38:36 +0100 +Subject: [PATCH] Skip flaky test_default_timeout tests + +We have been observing issues with this test on the Autobuilder: +https://bugzilla.yoctoproject.org/show_bug.cgi?id=15885 + +The logs on the ticket above do not allow us to know which of the two +"test_default_timeout" tests is failing, so disable both with +self.skipTest(). + +Excerpt from `ptest-runner python3`: + + test_default_timeout (test.test_multiprocessing_fork.test_manager.WithManagerTestBarrier.test_default_timeout) + SKIP: Test the barrier's default timeout 'skip flaky timeout test' + +Upstream-Status: Inappropriate [OE specific, but might be related to https://github.com/python/cpython/issues/129266#issuecomment-2613058866] + +Signed-off-by: Antonin Godard +--- + Lib/test/_test_multiprocessing.py | 1 + + Lib/test/lock_tests.py | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/Lib/test/_test_multiprocessing.py b/Lib/test/_test_multiprocessing.py +index e8064e7..9ab1f9e 100644 +--- a/Lib/test/_test_multiprocessing.py ++++ b/Lib/test/_test_multiprocessing.py +@@ -2259,6 +2259,7 @@ class _TestBarrier(BaseTestCase): + """ + Test the barrier's default timeout + """ ++ self.skipTest('skip flaky timeout test') + barrier = self.Barrier(self.N, timeout=0.5) + results = self.DummyList() + self.run_threads(self._test_default_timeout_f, (barrier, results)) +diff --git a/Lib/test/lock_tests.py b/Lib/test/lock_tests.py +index 8c8f890..43e9b90 100644 +--- a/Lib/test/lock_tests.py ++++ b/Lib/test/lock_tests.py +@@ -1165,6 +1165,7 @@ class BarrierTests(BaseTestCase): + """ + Test the barrier's default timeout + """ ++ self.skipTest('skip flaky timeout test') + timeout = 0.100 + barrier = self.barriertype(2, timeout=timeout) + def f(): 
diff --git a/meta/recipes-devtools/python/python3_3.13.11.bb b/meta/recipes-devtools/python/python3_3.13.11.bb index 2fcfd4aba19..2bc2389b7e4 100644 --- a/meta/recipes-devtools/python/python3_3.13.11.bb +++ b/meta/recipes-devtools/python/python3_3.13.11.bb @@ -30,6 +30,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_active_children-skip-problematic-test.patch \ file://0001-test_readline-skip-limited-history-test.patch \ file://0001-Generate-data-for-OpenSSL-3.4-and-add-it-to-multissl.patch \ + file://0001-Skip-flaky-test_default_timeout-tests.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
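Review bot: In the Lib/test/_test_multiprocessing.py hunk, the added self.skipTest('skip flaky timeout test') carries a reason string with no link back to the bug, so the ptest line quoted in the commit message (SKIP: ... 'skip flaky timeout test') tells a later reader neither why the test is off nor when it can come back. Put the tracker id in the reason, for example self.skipTest('flaky under load, see YOCTO #15885'), so the skip stays traceable from the ptest log alone. The line also sits in the shared _TestBarrier class while the excerpt names only WithManagerTestBarrier, so the default-timeout check (timeout=0.5) is dropped wherever that method is inherited; the patch description should say so.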
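Review bot: In the Lib/test/lock_tests.py hunk, BarrierTests.test_default_timeout is skipped unconditionally even though the commit message says the logs cannot tell which of the two tests is failing, so one of the two skips may be removing a check that never failed. A follow-up that records the full test id in bug 15885 would allow the unneeded skip to be dropped. If host load is the cause, as the commit message suspects, a larger value than timeout = 0.100 for the ptest run might keep the barrier timeout path covered, where the unconditional skip leaves it untested on every target.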