From patchwork Wed Mar 11 19:27:03 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83138
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 1/6] busybox: Fixes CVE-2025-60876
Date: Wed, 11 Mar 2026 20:27:03 +0100
Message-ID: <35d721cba27869dcff6ac0afec1f8f18836e9017.1773257124.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232900

From: Livin Sunny

This addresses CVE-2025-60876 [1], which allows malicious URLs to inject HTTP headers. It has been accepted by Debian [2] and is tracked here [4]. The upstream fix has been submitted [3] and is pending merge.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60876
[2] https://bugs.debian.org/1120795
[3] https://lists.busybox.net/pipermail/busybox/2025-November/091840.html
[4] https://security-tracker.debian.org/tracker/CVE-2025-60876

Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]

Signed-off-by: Livin Sunny
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie a (cherry-picked from f12af98df8f627c6d1836d27be48bac542a4f00e)
Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../busybox/busybox/CVE-2025-60876.patch    | 42 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.37.0.bb |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
new file mode 100644
index 00000000000..1cf29680e01
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
@@ -0,0 +1,42 @@ +From: Radoslav Kolev +Date: Fri, 21 Nov 2025 11:21:18 +0200 +Subject: wget: don't allow control characters or spaces in the URL +Bug-Debian: https://bugs.debian.org/1120795 + +Fixes CVE-2025-60876 malicious URL can be used to inject +HTTP headers in the request. + +Signed-off-by: Radoslav Kolev +Reviewed-by: Emmanuel Deloget + +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html] + +CVE: CVE-2025-60876 + +Signed-off-by: Livin Sunny +--- + networking/wget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/networking/wget.c b/networking/wget.c +index ec3767793..fa555427b 100644 +--- a/networking/wget.c ++++ b/networking/wget.c +@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) + { + char *url, *p, *sp; + ++ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ ++ /* otherwise a malicious URL can be used to inject HTTP headers in the request */ ++ const unsigned char *u = (void *) src_url; ++ while (*u) { ++ if (*u <= ' ') ++ bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); ++ u++; ++ } ++ + free(h->allocated); + h->allocated = url = xstrdup(src_url); + +-- +2.47.3 diff --git a/meta/recipes-core/busybox/busybox_1.37.0.bb b/meta/recipes-core/busybox/busybox_1.37.0.bb index 9e6a7b7b4cb..d3851a27b97 100644 --- a/meta/recipes-core/busybox/busybox_1.37.0.bb +++ b/meta/recipes-core/busybox/busybox_1.37.0.bb 
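Review bot: the error text "Unencoded control character found in the URL!" in the new parse_url check also fires for a plain space, because the test is `if (*u <= ' ')`, and a space is not a control character; say "control character or space" so a user whose URL merely contains a space understands the refusal (the subject line and the in-code comment already use that wording). The loop inspects the raw bytes, so a percent-encoded `%0d%0a` passes it; that is only safe if wget.c never percent-decodes the path before writing the request line, which this hunk does not show, so the comment should state that assumption explicitly.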
@@ -58,6 +58,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-busybox-Add-awk-gsub-erroneous-word-start-match-test.patch \ file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ + file://CVE-2025-60876.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg" SRC_URI:append:x86-64 = " file://sha_accel.cfg"
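As an added illustration, not busybox code and not from the patch author, the C program below shows why a raw CR/LF or space in a URL matters to a client that copies the URL straight into its request, and why the single byte test the fix applies is enough for this class of bug. The functions `url_has_ctl_or_space`, `build_request_naive`, `build_request_checked` and `count_header_lines`, the host name `example.test` and the sample paths are all constructed for this example. It assumes, as the busybox check does, that the client forwards percent-encoded bytes unchanged rather than decoding them before building the request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not busybox code. Same byte test as the fix: any byte in
 * NUL..0x20 (C0 controls, including CR and LF, plus the space) is rejected.
 * Bytes above 0x7e are let through; they cannot terminate a header line. */
int url_has_ctl_or_space(const char *url)
{
    const unsigned char *u = (const unsigned char *)url;
    for (; *u; u++)
        if (*u <= ' ')
            return 1;
    return 0;
}

/* Naive request builder: path and host are copied verbatim into the
 * request, which is how a raw CR LF inside the URL becomes a new header.
 * Returns a malloc'd string; the caller frees it. */
char *build_request_naive(const char *path, const char *host)
{
    size_t n = strlen(path) + strlen(host) + 64;
    char *req = malloc(n);
    if (!req)
        return NULL;
    snprintf(req, n, "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
             path, host);
    return req;
}

/* Hardened builder: refuses to build a request at all when either
 * component carries a raw control byte or space. Returns NULL on refusal. */
char *build_request_checked(const char *path, const char *host)
{
    if (url_has_ctl_or_space(path) || url_has_ctl_or_space(host))
        return NULL;
    return build_request_naive(path, host);
}

/* Counts the header lines that follow the request line, up to the empty
 * line that ends the header block. An honest request built above has
 * exactly two (Host and Connection); a smuggled header raises the count. */
int count_header_lines(const char *req)
{
    int lines = 0;
    const char *p = strstr(req, "\r\n");   /* end of the request line */
    while (p) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n')  /* empty line: end of headers */
            break;
        const char *q = strstr(p, "\r\n");
        if (!q)
            break;
        lines++;
        p = q;
    }
    return lines;
}

int main(void)
{
    /* Constructed inputs: the same injected header, raw and percent-encoded. */
    const char *raw = "/index.html\r\nX-Injected: 1";
    const char *encoded = "/index.html%0d%0aX-Injected:%201";
    char *r;

    r = build_request_naive(raw, "example.test");
    printf("naive, raw CRLF:   %d header lines\n", count_header_lines(r));
    free(r);

    r = build_request_checked(raw, "example.test");
    printf("checked, raw CRLF: %s\n", r ? "built" : "rejected");
    free(r);

    /* Percent-encoded bytes pass the check because this client, like the
     * one in the fix, sends the path as given instead of decoding it. */
    r = build_request_checked(encoded, "example.test");
    printf("checked, %%0d%%0a:   %d header lines\n", count_header_lines(r));
    free(r);
    return 0;
}
```

The naive build of the raw path yields three header lines instead of two, which is the injected header; the checked build refuses that path outright, and the percent-encoded form stays a harmless two-header request because nothing decodes it.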
From patchwork Wed Mar 11 19:27:04 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83142
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 2/6] inetutils: patch CVE-2026-28372
Date: Wed, 11 Mar 2026 20:27:04 +0100
Message-ID: <971eca1ca9625cb7b3aeab756fde6425568cbd70.1773257124.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232901

From: Peter Marko

Pick patch according to [1] (equivalent to patch from [2]).

[1] https://security-tracker.debian.org/tracker/CVE-2026-28372
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++
 .../inetutils/inetutils_2.6.bb               |  1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
new file mode 100644
index 00000000000..b6d07b2902d
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
@@ -0,0 +1,86 @@ +From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001 +From: Erik Auerswald +Date: Sun, 15 Feb 2026 15:38:50 +0100 +Subject: [PATCH] telnetd: don't allow systemd service credentials + +The login(1) implementation of util-linux added support for +systemd service credentials in release 2.40. This allows to +bypass authentication by specifying a directory name in the +environment variable CREDENTIALS_DIRECTORY. If this directory +contains a file named 'login.noauth' with the content of 'yes', +login(1) skips authentication. + +GNU Inetutils telnetd supports to set arbitrary environment +variables using the 'Environment' and 'New Environment' +Telnet options. This allows specifying a directory containing +'login.noauth'. A local user can create such a directory +and file, and, e.g., specify the user name 'root' to escalate +privileges. + +This problem was reported by Ron Ben Yizhak in +. + +This commit clears CREDENTIALS_DIRECTORY from the environment +before executing login(1) to implement a simple fix that can +be backported easily. + +* NEWS.md: Mention fix. +* THANKS: Mention Ron Ben Yizhak. +* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment +before executing 'login'. + +CVE: CVE-2026-28372 +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386] +Signed-off-by: Peter Marko +--- + NEWS | 5 +++++ + THANKS | 1 + + telnetd/pty.c | 8 ++++++++ + 3 files changed, 14 insertions(+) + +diff --git a/NEWS b/NEWS +index 877ca53b..f5172a71 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,10 @@ + GNU inetutils NEWS -- history of user-visible changes. + ++** Prevent privilege escalation via telnetd abusing systemd service ++credentials support added to the login(1) implementation of util-linux ++in release 2.40. Reported by Ron Ben Yizhak in ++. ++ + * Noteworthy changes in release 2.6 (2025-02-21) [stable] + + ** The release tarball is now reproducible. 
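Review bot: the NEWS entry is inserted above `* Noteworthy changes in release 2.6 (2025-02-21) [stable]` with no release heading of its own, so in the 2.6 tarball it reads as belonging to no release; more to the point for OE, carrying the NEWS and THANKS hunks in the backport only adds context that can drift and make the patch fail to apply on a later inetutils, while the fix itself is the single telnetd/pty.c hunk. Consider trimming the OE copy of the patch to that hunk and leaving the upstream commit reference in Upstream-Status as the record of the full change.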
+diff --git a/THANKS b/THANKS +index 8d1d3dbb..ef5f6063 100644 +--- a/THANKS ++++ b/THANKS +@@ -9,6 +9,7 @@ In particular: + NIIBE Yutaka (Security fixes & making talk finally work) + Nathan Neulinger (tftpd) + Thomas Bushnell (sockaddr sin_len field) ++ Ron Ben Yizhak (reported privilege escalation via telnetd) + + Please see version control logs and ChangeLog.? for full credits. + +diff --git a/telnetd/pty.c b/telnetd/pty.c +index c727e7be..f3518049 100644 +--- a/telnetd/pty.c ++++ b/telnetd/pty.c +@@ -129,6 +129,14 @@ start_login (char *host, int autologin, char *name) + if (!cmd) + fatal (net, "can't expand login command line"); + argcv_get (cmd, "", &argc, &argv); ++ ++ /* util-linux's "login" introduced an authentication bypass method ++ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40. ++ * Clear it from the environment before executing "login" to prevent ++ * abuse via Telnet. ++ */ ++ unsetenv ("CREDENTIALS_DIRECTORY"); ++ + execv (argv[0], argv); + syslog (LOG_ERR, "%s: %m\n", cmd); + fatalperror (net, cmd); diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb index 967ecdd4426..29a40143a28 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.6.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb 
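Review bot: `unsetenv ("CREDENTIALS_DIRECTORY")` immediately before `execv (argv[0], argv)` in start_login is a one-name denylist; telnetd still forwards every other client-chosen Environment/New Environment variable to login(1), so anything else that login, PAM or the libraries they load read from the environment is reachable by the same route. The commit message is explicit that this is the minimal backportable fix, so it is acceptable as-is, but please either plan an allowlist in the option handler as a follow-up or extend the comment to say this is a targeted mitigation rather than general environment sanitisation. Leaving the unsetenv return value unchecked is fine for a constant, valid name.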
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://CVE-2026-24061-01.patch \ file://CVE-2026-24061-02.patch \ + file://CVE-2026-28372.patch \ " inherit autotools gettext update-alternatives texinfo
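As an added example, not inetutils code and not from the patch author, the C program below contrasts the two ways of keeping a client-controlled variable away from login(1): the denylist the patch uses, here `env_remove_name` dropping one name in place, and the allowlist a reviewer would prefer, here `copy_env` rebuilding the child environment from the client's entries and keeping only names on a short constructed allowlist (TERM, LANG, DISPLAY, chosen for the example and not inetutils' list). Every function name, the allowlist and the sample NEW-ENVIRON entries in `main` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not inetutils code. A constructed allowlist of names a
 * telnet client may pass through to login(1); not inetutils' own list. */
static const char *const allowed_names[] = { "TERM", "LANG", "DISPLAY", NULL };

/* Length of NAME in "NAME=VALUE", or 0 if the entry is malformed. */
static size_t env_name_len(const char *kv)
{
    const char *eq = strchr(kv, '=');
    return (eq && eq != kv) ? (size_t)(eq - kv) : 0;
}

/* True if the NAME part of kv is exactly name (no prefix matches). */
static int name_matches(const char *kv, const char *name)
{
    size_t n = strlen(name);
    return env_name_len(kv) == n && strncmp(kv, name, n) == 0;
}

/* Allowlist decision for one "NAME=VALUE" entry. */
int env_entry_allowed(const char *kv)
{
    for (const char *const *a = allowed_names; *a; a++)
        if (name_matches(kv, *a))
            return 1;
    return 0;
}

void free_env(char **env)
{
    if (!env)
        return;
    for (char **e = env; *e; e++)
        free(*e);
    free(env);
}

/* Copies src into a fresh NULL-terminated, heap-allocated array, keeping an
 * entry only if keep(entry) is true. keep == NULL keeps everything, which
 * is the unfixed pass-through behaviour: whatever the client set reaches
 * the exec'd login, CREDENTIALS_DIRECTORY included. */
char **copy_env(const char *const *src, int (*keep)(const char *))
{
    size_t count = 0, kept = 0;
    while (src[count])
        count++;
    char **out = calloc(count + 1, sizeof *out);   /* zeroed: NULL-terminated */
    if (!out)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        if (keep && !keep(src[i]))
            continue;
        size_t n = strlen(src[i]) + 1;
        if (!(out[kept] = malloc(n))) {
            free_env(out);
            return NULL;
        }
        memcpy(out[kept++], src[i], n);
    }
    return out;
}

/* Denylist approach, as in the patch: remove one known-dangerous name from a
 * heap-allocated environment in place. Returns the number of entries removed. */
int env_remove_name(char **env, const char *name)
{
    size_t w = 0;
    int removed = 0;
    for (size_t r = 0; env[r]; r++) {
        if (name_matches(env[r], name)) {
            free(env[r]);
            removed++;
        } else {
            env[w++] = env[r];
        }
    }
    env[w] = NULL;
    return removed;
}

int env_has_name(char *const *env, const char *name)
{
    for (; *env; env++)
        if (name_matches(*env, name))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample of what a client could send via NEW-ENVIRON. */
    const char *const client[] = { "TERM=xterm", "CREDENTIALS_DIRECTORY=/tmp/x",
                                   "LANG=C.UTF-8", "PATH=/tmp/bin", NULL };
    char **env = copy_env(client, env_entry_allowed);
    for (char **e = env; e && *e; e++)
        printf("kept: %s\n", *e);   /* only TERM and LANG survive */
    free_env(env);
    return 0;
}
```

With the allowlist, the child environment never contains a name the server did not decide to pass, so a second variable that login(1) or PAM may start honouring later is covered without a new patch; the denylist version has to be extended every time.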
From patchwork Wed Mar 11 19:27:05 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83140
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 3/6] libpam: set status for CVE-2024-10041
Date: Wed, 11 Mar 2026 20:27:05 +0100
Message-ID: <8cd638d1acec0e03b4d66b49f8bcb91eea50648a.1773257124.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232902

From: Peter Marko

This CVE was fixed in v1.6.1 (per [1]). NVD tracks it as a version-less CVE for Red Hat.

[1] https://security-tracker.debian.org/tracker/CVE-2024-10041

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
index 8d9ea270288..e83accd8815 100644
--- a/meta/recipes-extended/pam/libpam_1.7.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
@@ -170,3 +170,5 @@ CONFFILES:${PN}-runtime += "${sysconfdir}/security/limits.conf" GITHUB_BASE_URI = "https://github.com/linux-pam/linux-pam/releases" CVE_PRODUCT = "linux-pam" + +CVE_STATUS[CVE-2024-10041] = "fixed-version: fixed since v1.6.1"
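Review bot: the CVE_STATUS justification `fixed-version: fixed since v1.6.1` carries no evidence for the claim; the commit message points at the Debian tracker, so put that reference (or the upstream fix commit) into the string so a reader of the recipe can verify it without the git history. With the recipe at libpam_1.7.1, `fixed-version` is the right status to use.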
From patchwork Wed Mar 11 19:27:06 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83141
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 4/6] go: upgrade 1.25.7 -> 1.25.8
Date: Wed, 11 Mar 2026 20:27:06 +0100
Message-ID: <5204e5698cccfc55562b0d5c0eba904b12f911e5.1773257124.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232903

From: Peter Marko

Upgrade to latest 1.25.x release [1]:

$ git --no-pager log --oneline go1.25.7..go1.25.8
439ff996f0 (tag: go1.25.8) [release-branch.go1.25] go1.25.8
a9db31e6d9 [release-branch.go1.25] html/template: properly escape URLs in meta content attributes
d8174a9500 [release-branch.go1.25] net/url: reject IPv6 literal not at start of host
4091800393 [release-branch.go1.25] os: avoid escape from Root via ReadDir or Readdir
0ee4ab4c3f [release-branch.go1.25] internal/syscall/windows: correct some enums and syscall signatures
9f8fa93be5 [release-branch.go1.25] os: support deleting inaccessible files in RemoveAll
df7331dc32 [release-branch.go1.25] all: update x/sys
92544bbc98 [release-branch.go1.25] runtime: don't negate eventfd errno
0c56fa2818 [release-branch.go1.25] net/smtp: prevent test failures due to expired test certificate
592530ed6b [release-branch.go1.25] cmd/go: fix pkg-config flag sanitization
0222717377 [release-branch.go1.25] cmd/compile: fix mis-compilation for static array initialization

Fixes CVE-2026-27137, CVE-2026-27138, CVE-2026-27142, CVE-2026-25679 and CVE-2026-27139.

Release information: [2]

[1] https://github.com/golang/go/compare/go1.25.7...go1.25.8
[2] https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal --- meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} | 2 +- ...o-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} | 6 +++--- ...cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} | 0 .../go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} | 0 .../go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} | 0 .../go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} | 0 meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} | 0 7 files changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/go/{go-1.25.7.inc => go-1.25.8.inc} (91%) rename meta/recipes-devtools/go/{go-binary-native_1.25.7.bb => go-binary-native_1.25.8.bb} (79%) rename meta/recipes-devtools/go/{go-cross-canadian_1.25.7.bb => go-cross-canadian_1.25.8.bb} (100%) rename meta/recipes-devtools/go/{go-cross_1.25.7.bb => go-cross_1.25.8.bb} (100%) rename meta/recipes-devtools/go/{go-crosssdk_1.25.7.bb => go-crosssdk_1.25.8.bb} (100%) rename meta/recipes-devtools/go/{go-runtime_1.25.7.bb => go-runtime_1.25.8.bb} (100%) rename meta/recipes-devtools/go/{go_1.25.7.bb => go_1.25.8.bb} (100%) diff --git a/meta/recipes-devtools/go/go-1.25.7.inc b/meta/recipes-devtools/go/go-1.25.8.inc similarity index 91% rename from meta/recipes-devtools/go/go-1.25.7.inc rename to meta/recipes-devtools/go/go-1.25.8.inc index ab58f712ef1..5db1b1c04cb 100644 --- a/meta/recipes-devtools/go/go-1.25.7.inc +++ b/meta/recipes-devtools/go/go-1.25.8.inc @@ -18,4 +18,4 @@ SRC_URI += "\ file://0011-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch \ file://0001-runtime-when-using-cgo-on-386-call-C-sigaction-funct.patch \ " -SRC_URI[main.sha256sum] = "178f2832820274b43e177d32f06a3ebb0129e427dd20a5e4c88df2c1763cf10a" +SRC_URI[main.sha256sum] = "e988d4a2446ac7fe3f6daa089a58e9936a52a381355adec1c8983230a8d6c59e" 
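Review bot: `SRC_URI[main.sha256sum]` is the only change in go-1.25.8.inc, while the `SRC_URI += "\` context shows the local patch list (`file://0011-cmd-link-stop-forcing-binutils-gold-dependency-on-aa.patch`, `file://0001-runtime-when-using-cgo-on-386-call-C-sigaction-funct.patch`) carried over unchanged; the commit message lists runtime, cmd/go and cmd/compile changes in 1.25.8, so please confirm those patches still apply without fuzz against the new tarball rather than relying on the rename.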
diff --git a/meta/recipes-devtools/go/go-binary-native_1.25.7.bb b/meta/recipes-devtools/go/go-binary-native_1.25.8.bb similarity index 79% rename from meta/recipes-devtools/go/go-binary-native_1.25.7.bb rename to meta/recipes-devtools/go/go-binary-native_1.25.8.bb index 19951344810..df6cb542fb6 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.25.7.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.25.8.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "12e6d6a191091ae27dc31f6efc630e3a3b8ba409baf3573d955b196fdf086005" -SRC_URI[go_linux_arm64.sha256sum] = "ba611a53534135a81067240eff9508cd7e256c560edd5d8c2fef54f083c07129" -SRC_URI[go_linux_ppc64le.sha256sum] = "42124c0edc92464e2b37b2d7fcd3658f0c47ebd6a098732415a522be8cb88e3f" +SRC_URI[go_linux_amd64.sha256sum] = "ceb5e041bbc3893846bd1614d76cb4681c91dadee579426cf21a63f2d7e03be6" +SRC_URI[go_linux_arm64.sha256sum] = "7d137f59f66bb93f40a6b2b11e713adc2a9d0c8d9ae581718e3fad19e5295dc7" +SRC_URI[go_linux_ppc64le.sha256sum] = "28ed144a945e4d7188c93f8d85fb772a98ed18f8f9f8d3a650696b739f8cc57c" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.25.7.bb b/meta/recipes-devtools/go/go-cross-canadian_1.25.8.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross-canadian_1.25.7.bb rename to meta/recipes-devtools/go/go-cross-canadian_1.25.8.bb diff --git a/meta/recipes-devtools/go/go-cross_1.25.7.bb b/meta/recipes-devtools/go/go-cross_1.25.8.bb similarity index 100% rename from meta/recipes-devtools/go/go-cross_1.25.7.bb rename to meta/recipes-devtools/go/go-cross_1.25.8.bb 
diff --git a/meta/recipes-devtools/go/go-crosssdk_1.25.7.bb b/meta/recipes-devtools/go/go-crosssdk_1.25.8.bb similarity index 100% rename from meta/recipes-devtools/go/go-crosssdk_1.25.7.bb rename to meta/recipes-devtools/go/go-crosssdk_1.25.8.bb diff --git a/meta/recipes-devtools/go/go-runtime_1.25.7.bb b/meta/recipes-devtools/go/go-runtime_1.25.8.bb similarity index 100% rename from meta/recipes-devtools/go/go-runtime_1.25.7.bb rename to meta/recipes-devtools/go/go-runtime_1.25.8.bb 
diff --git a/meta/recipes-devtools/go/go_1.25.7.bb b/meta/recipes-devtools/go/go_1.25.8.bb similarity index 100% rename from meta/recipes-devtools/go/go_1.25.7.bb rename to meta/recipes-devtools/go/go_1.25.8.bb
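Review bot: the new `SRC_URI[main.sha256sum]` in go-1.25.8.inc and the three `SRC_URI[go_linux_*.sha256sum]` values in go-binary-native_1.25.8.bb are replaced with no stated provenance; the context line `# Checksums available at https://go.dev/dl/` names the source, so record in the commit message that the tarball and the amd64, arm64 and ppc64le sums were copied from the upstream-published list, since a checksum computed from a locally downloaded archive cannot detect a tampered download. The remaining files are pure renames (similarity index 100%), as expected for a point release.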
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 5/6] freetype: Fix CVE-2026-23865
Date: Wed, 11 Mar 2026 20:27:07 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232904

From: Vijay Anusuri

Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23865
https://security-tracker.debian.org/tracker/CVE-2026-23865

Picked patch mentioned in NVD

Signed-off-by: Vijay Anusuri
Signed-off-by: Yoann Congal
---
 .../freetype/freetype/CVE-2026-23865.patch | 54 +++++++++++++++++++
 .../freetype/freetype_2.13.3.bb            |  4 +-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch

diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
new file mode 100644
index 00000000000..aa0d4326f83
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
@@ -0,0 +1,54 @@ +From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 3 Jan 2026 08:07:57 +0100 +Subject: [PATCH] [ttgxvar] Check for overflow in array size computation. + +Problem reported and analyzed by povcfe . + +Fixes issue #1382. + +* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it. + +Upstream-Status: Backport [https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c] +CVE: CVE-2026-23865 +Signed-off-by: Vijay Anusuri +--- + src/truetype/ttgxvar.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c +index 2ff40c9e8..96ddc04c8 100644 +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -628,6 +628,7 @@ + FT_UShort word_delta_count; + FT_UInt region_idx_count; + FT_UInt per_region_size; ++ FT_UInt delta_set_size; + + + if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) ) +@@ -697,7 +698,19 @@ + if ( long_words ) + per_region_size *= 2; + +- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) ) ++ /* Check for overflow (we actually test whether the */ ++ /* multiplication of two unsigned values wraps around). */ ++ delta_set_size = per_region_size * item_count; ++ if ( per_region_size && ++ delta_set_size / per_region_size != item_count ) ++ { ++ FT_TRACE2(( "tt_var_load_item_variation_store:" ++ " bad delta set array size\n" )); ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit; ++ } ++ ++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) ) + goto Exit; + if ( FT_Stream_Read( stream, + varData->deltaSet, +-- +GitLab + diff --git a/meta/recipes-graphics/freetype/freetype_2.13.3.bb b/meta/recipes-graphics/freetype/freetype_2.13.3.bb index dbfffdb65fc..1fda9c57e78 100644 --- a/meta/recipes-graphics/freetype/freetype_2.13.3.bb +++ b/meta/recipes-graphics/freetype/freetype_2.13.3.bb 
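Review bot: the new wrap-around test `if ( per_region_size && delta_set_size / per_region_size != item_count )` covers the `per_region_size * item_count` product, but the `per_region_size *= 2;` doubling two lines above it is not checked; if `per_region_size` can approach the FT_UInt limit after the earlier computation, that doubling could itself wrap before the check runs, so please confirm it is bounded by the values read from the stream. The `per_region_size &&` guard keeps the old behaviour (a zero-count `FT_NEW_ARRAY`) when the region size is zero, which is fine. On the recipe side the metadata is complete: `Upstream-Status: Backport [...]` points at the upstream GitLab commit and the `CVE: CVE-2026-23865` tag is what cve-check uses to mark freetype 2.13.3 as patched.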
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=843b6efc16f6b1652ec97f89d5a516c0 \ file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec \ " -SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz" +SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ + file://CVE-2026-23865.patch \ +" SRC_URI[sha256sum] = "0550350666d427c74daeb85d5ac7bb353acba5f76956395995311a9c6f063289" UPSTREAM_CHECK_REGEX = "freetype-(?P\d+(\.\d+)+)"

From patchwork Wed Mar 11 19:27:08 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83144
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][whinlatter 6/6] lsb.py: strip ' from os-release file
Date: Wed, 11 Mar 2026 20:27:08 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232905

From: Martin Jansa

In Gentoo the file looks like this:

NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'

' were added with:
https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80

before that the os-release file looked like this:

NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"

The ' is stripped from the ID later in distro_identifier with:

    # Filter out any non-alphanumerics and convert to lowercase
    distro_id = re.sub(r'\W', '', distro_id).lower()

but not from version, which results in a weird NATIVELSBSTRING like:

NATIVELSBSTRING = "gentoo-'2.18'"

And similarly the directory name in sstate-cache:

oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'"  sstate-cache/gentoo-2.18

Signed-off-by: Martin Jansa
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616)
Signed-off-by: Yoann Congal
---
 meta/lib/oe/lsb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/lsb.py b/meta/lib/oe/lsb.py
index 3ec03e5042b..1fc3b968a0a 100644
--- a/meta/lib/oe/lsb.py
+++ b/meta/lib/oe/lsb.py
@@ -16,7 +16,7 @@ def get_os_release(): key, val = line.rstrip().split('=', 1) except ValueError: continue - data[key.strip()] = val.strip('"') + data[key.strip()] = val.strip('"\'') return data def release_dict_osr():
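Review bot: `val.strip('"\'')` removes any run of either quote character from both ends, so a mismatched value such as `'foo"` is accepted too, and backslash escapes that os-release(5) permits inside quoted values are left in place. That is the same approximation the previous `strip('"')` made and it is enough for the ID and VERSION_ID fields this change is about, but a one-line comment saying the parser is deliberately loose would stop the next reader from trying to tighten it here.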
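Added example, not code from the patch or from meta/lib/oe/lsb.py: it reproduces the behaviour the commit message describes on a constructed copy of the Gentoo os-release, comparing the old `strip('"')`, the patched `strip('"\'')`, and a stricter shlex-based reader that also decodes the backslash escapes os-release(5) allows. The `native_lsb_string` helper is an assumption that mirrors only the two steps quoted in the message (non-alphanumerics removed from ID and lower-cased, VERSION_ID used as parsed); the second sample with an escaped quote is constructed as well.

```python
import re
import shlex

# Constructed sample (not copied from a real host): the single-quoted
# os-release that the commit message attributes to current Gentoo.
GENTOO_SINGLE_QUOTED = """\
NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
ANSI_COLOR='1;32'
"""

# Constructed sample with double quotes and a backslash-escaped quote,
# which os-release(5) allows inside a quoted value.
DOUBLE_QUOTED_WITH_ESCAPE = """\
NAME="Example"
ID=example
PRETTY_NAME="Example \\"Quoted\\" Linux"
VERSION_ID="1.0"
"""


def parse_os_release(text, strip_chars='"'):
    # Same shape as oe.lsb.get_os_release(): split on the first '=' and
    # strip quote characters from both ends of the value.  Passing
    # strip_chars='"\'' reproduces the patched behaviour.
    data = {}
    for line in text.splitlines():
        try:
            key, val = line.rstrip().split('=', 1)
        except ValueError:
            continue  # blank or malformed line, skipped as lsb.py does
        data[key.strip()] = val.strip(strip_chars)
    return data


def parse_os_release_strict(text):
    # Stricter reader: shlex applies shell quoting rules, so either quote
    # style is accepted and backslash escapes inside the value are decoded.
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, val = line.split('=', 1)
        parts = shlex.split(val, posix=True)
        data[key.strip()] = parts[0] if parts else ''
    return data


def native_lsb_string(data):
    # Assumed helper mirroring the two steps the commit message quotes:
    # distro_identifier removes non-alphanumerics from ID and lower-cases it,
    # while VERSION_ID is used exactly as the parser returned it.
    distro_id = re.sub(r'\W', '', data.get('ID', '')).lower()
    return '%s-%s' % (distro_id, data.get('VERSION_ID', ''))


if __name__ == '__main__':
    print(native_lsb_string(parse_os_release(GENTOO_SINGLE_QUOTED)))          # gentoo-'2.18'
    print(native_lsb_string(parse_os_release(GENTOO_SINGLE_QUOTED, '"\'')))   # gentoo-2.18
    print(native_lsb_string(parse_os_release_strict(GENTOO_SINGLE_QUOTED)))   # gentoo-2.18
```

The first call shows the stray quotes surviving into the version part exactly as in the `gentoo-'2.18'` sstate directory name; the patched strip and the shlex reader both give `gentoo-2.18`. The shlex variant is only worth the extra cost where escaped quotes inside PRETTY_NAME matter; for ID and VERSION_ID the patched strip is sufficient.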