From patchwork Tue Mar 17 17:23:40 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 83647
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 1/7] libsodium: mark CVE-2025-69277 patched
Date: Tue, 17 Mar 2026 18:23:40 +0100
Message-ID: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125323

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69277

The vulnerability has been fixed[1] since version 1.0.20, but NVD tracks it without version info. Mark it patched explicitly.

[1]: https://github.com/jedisct1/libsodium/commit/f2da4cd8cb26599a0285a6ab0c02948e361a674a

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb index 9f07634c41..a1647d2a30 100644 --- a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb +++ b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.21.bb
@@ -13,3 +13,5 @@ SRC_URI[sha256sum] = "9e4285c7a419e82dedb0be63a72eea357d6943bc3e28e6735bf600dd48 inherit autotools BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2025-69277] = "fixed-version: fixed in 1.0.20"
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][PATCH 2/7] libde265: patch CVE-2025-61147
Date: Tue, 17 Mar 2026 18:23:41 +0100
Message-ID: <20260317172346.2862459-2-skandigraun@gmail.com>
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125324

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
--- .../libde265/libde265/CVE-2025-61147.patch | 103 ++++++++++++++++++ .../libde265/libde265_1.0.16.bb | 4 +- 2 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch new file mode 100644 index 0000000000..56d48f2a7d --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
@@ -0,0 +1,103 @@ +From d73508b7578964f2115ddf051b8fe9b4445978d4 Mon Sep 17 00:00:00 2001 +From: Dirk Farin +Date: Tue, 9 Sep 2025 15:14:05 +0200 +Subject: [PATCH] check for valid integer command line parameters (#484) + +CVE: CVE-2025-61147 +Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7] +Signed-off-by: Gyorgy Sarvari +--- + CMakeLists.txt | 2 +- + dec265/dec265.cc | 44 +++++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 42 insertions(+), 4 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4da99216..997945a9 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -5,7 +5,7 @@ project (libde265 + VERSION 1.0.16 + ) + +-set(CMAKE_CXX_STANDARD 11) ++set(CMAKE_CXX_STANDARD 17) + set(CMAKE_CXX_STANDARD_REQUIRED ON) + set(CMAKE_CXX_EXTENSIONS OFF) + set(CMAKE_POSITION_INDEPENDENT_CODE ON) +diff --git a/dec265/dec265.cc b/dec265/dec265.cc +index 79f67cd3..ecf5d131 100644 +--- a/dec265/dec265.cc ++++ b/dec265/dec265.cc +@@ -27,6 +27,10 @@ + #define DO_MEMORY_LOGGING 0 + + #include "de265.h" ++#include ++#include ++#include ++ + #ifdef HAVE_CONFIG_H + #include "config.h" + #endif +@@ -563,6 +567,40 @@ void (*volatile __malloc_initialize_hook)(void) = init_my_hooks; + #endif + + ++int parse_param(const char* arg, std::optional lower_bound, std::optional upper_bound, const char* arg_name) ++{ ++ int value; ++ ++ try { ++ size_t len; ++ value = std::stoi(optarg, &len); ++ if (arg[len] != 0) { ++ std::cerr << "invalid argument to " << arg_name << "\n"; ++ exit(5); ++ } ++ } catch (std::invalid_argument const& ex) { ++ std::cerr << "invalid argument to " << arg_name << "\n"; ++ exit(5); ++ } ++ catch (std::out_of_range const& ex) { ++ std::cerr << "argument to -T is out of range\n"; ++ exit(5); ++ } ++ ++ if (lower_bound && value < *lower_bound) { ++ std::cerr << "argument to " << arg_name << " may not be smaller than " << *lower_bound << "\n"; ++ exit(5); ++ } ++ ++ if (upper_bound 
&& value > *upper_bound) { ++ std::cerr << "argument to " << arg_name << " may not be larger than " << *upper_bound << "\n"; ++ exit(5); ++ } ++ ++ return value; ++} ++ ++ + int main(int argc, char** argv) + { + while (1) { +@@ -578,9 +616,9 @@ int main(int argc, char** argv) + + switch (c) { + case 'q': quiet++; break; +- case 't': nThreads=atoi(optarg); break; ++ case 't': nThreads=parse_param(optarg, 0, std::nullopt, "-t"); break; + case 'c': check_hash=true; break; +- case 'f': max_frames=atoi(optarg); break; ++ case 'f': max_frames=parse_param(optarg, 1, std::nullopt, "-f"); break; + case 'o': write_yuv=true; output_filename=optarg; break; + case 'h': show_help=true; break; + case 'd': dump_headers=true; break; +@@ -592,7 +630,7 @@ int main(int argc, char** argv) + case 'm': measure_quality=true; reference_filename=optarg; break; + case 's': show_ssim_map=true; break; + case 'e': show_psnr_map=true; break; +- case 'T': highestTID=atoi(optarg); break; ++ case 'T': highestTID = parse_param(optarg, 0, std::nullopt, "-T"); break; + case 'v': verbosity++; break; + } + } diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb index 40910633e8..701f0e5f69 100644 --- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb +++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb 
@@ -8,7 +8,9 @@ LICENSE = "LGPL-3.0-only & MIT" LICENSE_FLAGS = "commercial" LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f" -SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV}" +SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV} \ + file://CVE-2025-61147.patch \ + " SRCREV = "7ba65889d3d6d8a0d99b5360b028243ba843be3a"
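Review bot: The CMakeLists.txt hunk inside CVE-2025-61147.patch raises CMAKE_CXX_STANDARD from 11 to 17 for the whole libde265 build, and with CMAKE_CXX_STANDARD_REQUIRED ON in the context lines that becomes a hard requirement. The only visible user is parse_param() in dec265.cc (std::optional, std::nullopt). Please mention the standard bump in the commit message: it is a wider change than "check for valid integer command line parameters" suggests and is easy to miss when the backport is carried to other branches.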
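Review bot: In parse_param() in the dec265.cc hunk, the conversion reads the global optarg (`value = std::stoi(optarg, &len);`) while the trailing-character check indexes the arg parameter (`arg[len] != 0`). This only works because all three call sites pass optarg; for any other input the length would be checked against the wrong string. The std::out_of_range handler also hard-codes "argument to -T is out of range" instead of using arg_name, so -t and -f report the wrong option. As the patch is marked Upstream-Status: Backport, keeping it verbatim is reasonable, but both points are worth reporting upstream.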
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 3/7] exiv2: mark CVE-2026-27631 patched
Date: Tue, 17 Mar 2026 18:23:42 +0100
Message-ID: <20260317172346.2862459-3-skandigraun@gmail.com>
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125325

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27631

Though NVD indicates that 0.28.8 is still vulnerable, that does not seem to be the case: the fix that is referenced by the advisory has been backported[1] to this version. Due to this, mark this CVE as patched.

[1]: https://github.com/Exiv2/exiv2/commit/21d129c842212c198dd887dbaafc5ce734e9dfad

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-support/exiv2/exiv2_0.28.8.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.8.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.8.bb index df0e72f5d6..9369daa805 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.8.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.8.bb
@@ -36,3 +36,5 @@ do_install_ptest(){ install -d ${D}${PTEST_PATH}/src install ${S}/src/canonmn_int.cpp ${D}${PTEST_PATH}/src } + +CVE_STATUS[CVE-2026-27631] = "fixed-version: fixed in 0.28.8"
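Review bot: The CVE_STATUS[CVE-2026-27631] line added at the end of exiv2_0.28.8.bb overrides NVD's version data with only "fixed in 0.28.8" as justification, while the commit message says NVD still lists 0.28.8 as vulnerable. The upstream commit that backs the override is in the commit message but not in the recipe. Consider a comment above the line with that commit URL, so whoever next audits or upgrades the recipe can recheck the override without digging through git history.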
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][PATCH 4/7] ettercap: fix typo in CVE ID
Date: Tue, 17 Mar 2026 18:23:43 +0100
Message-ID: <20260317172346.2862459-4-skandigraun@gmail.com>
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125326

The CVE fix is correct, but the CVE ID contains a typo. The correct ID is CVE-2026-3606.

Signed-off-by: Gyorgy Sarvari
--- .../ettercap/{CVE-2026-3603.patch => CVE-2026-3606.patch} | 0 meta-networking/recipes-support/ettercap/ettercap_0.8.4.bb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-support/ettercap/ettercap/{CVE-2026-3603.patch => CVE-2026-3606.patch} (100%) diff --git a/meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3603.patch b/meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3606.patch similarity index 100% rename from meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3603.patch rename to meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3606.patch diff --git a/meta-networking/recipes-support/ettercap/ettercap_0.8.4.bb b/meta-networking/recipes-support/ettercap/ettercap_0.8.4.bb index b806a77164..6fac3a0b84 100644 --- a/meta-networking/recipes-support/ettercap/ettercap_0.8.4.bb +++ b/meta-networking/recipes-support/ettercap/ettercap_0.8.4.bb
@@ -22,7 +22,7 @@ DEPENDS += "ethtool \ RDEPENDS:${PN} += "bash ethtool libgcc" SRC_URI = "gitsm://github.com/Ettercap/ettercap;branch=master;protocol=https;tag=v${PV} \ - file://CVE-2026-3603.patch \ + file://CVE-2026-3606.patch \ " SRCREV = "41da65f4026a9e4cea928e61941b976d9279f508"
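Review bot: The rename of CVE-2026-3603.patch to CVE-2026-3606.patch is at similarity index 100%, so the file contents are untouched. If the patch header carries a CVE: tag (as CVE-2025-61147.patch in this series does), it would still name the old ID. Please check the tag and correct it in the same commit, otherwise the file name and SRC_URI are fixed while the ID recorded inside the patch stays wrong.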
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 5/7] python-pyjwt: upgrade 2.11.0 -> 2.12.1
Date: Tue, 17 Mar 2026 18:23:44 +0100
Message-ID: <20260317172346.2862459-5-skandigraun@gmail.com>
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125327

Contains fix for CVE-2026-32597. Since NVD tracks this CVE without version info, mark the CVE explicitly patched.

Changes:
2.12.1:
Add typing_extensions dependency for Python < 3.11

2.12.0:
chore(docs): fix docs build
Annotate PyJWKSet.keys for pyright
fix: close HTTPError to prevent ResourceWarning on Python 3.14
chore: remove superfluous constants
chore(tests): enable mypy
Bump actions/download-artifact from 7 to 8
fix: do not store reference to algorithms dict on PyJWK
Use PyJWK algorithm when encoding without explicit algorithm
Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. (CVE-2026-32597)

Signed-off-by: Gyorgy Sarvari
--- .../{python3-pyjwt_2.11.0.bb => python3-pyjwt_2.12.1.bb} | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-pyjwt_2.11.0.bb => python3-pyjwt_2.12.1.bb} (80%) diff --git a/meta-python/recipes-devtools/python/python3-pyjwt_2.11.0.bb b/meta-python/recipes-devtools/python/python3-pyjwt_2.12.1.bb similarity index 80% rename from meta-python/recipes-devtools/python/python3-pyjwt_2.11.0.bb rename to meta-python/recipes-devtools/python/python3-pyjwt_2.12.1.bb index 4e81efe45f..28eceece97 100644 --- a/meta-python/recipes-devtools/python/python3-pyjwt_2.11.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pyjwt_2.12.1.bb @@ -5,11 +5,12 @@ HOMEPAGE = "https://github.com/jpadilla/pyjwt" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=e4b56d2c9973d8cf54655555be06e551" -SRC_URI[sha256sum] = "35f95c1f0fbe5d5ba6e43f00271c275f7a1a4db1dab27bf708073b75318ea623" +SRC_URI[sha256sum] = "c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b" PYPI_PACKAGE = "pyjwt" CVE_PRODUCT = "pyjwt" CVE_STATUS[CVE-2025-45768] = "disputed: vulnerability can be avoided if the library is used correctly" +CVE_STATUS[CVE-2026-32597] = "fixed-version: fixed in 2.12.0" inherit pypi python_setuptools_build_meta 
@@ -19,3 +20,4 @@ RDEPENDS:${PN} = "\ " BBCLASSEXTEND = "native nativesdk" +
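Review bot: The second hunk of python3-pyjwt_2.12.1.bb adds an empty line after BBCLASSEXTEND = "native nativesdk" at the end of the file, which looks unintentional. Please drop it so the upgrade carries only the checksum and CVE_STATUS changes.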
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH 6/7] unixodbc: mark CVE-2024-1013 patched
Date: Tue, 17 Mar 2026 18:23:45 +0100
Message-ID: <20260317172346.2862459-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125328

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-1013

The vulnerability has been patched since 2.3.13[1], however NVD tracks it without version info. Due to this, mark it patched explicitly.

[1]: https://github.com/lurcher/unixODBC/commit/249bfcc511e89431b910ce2c62ae0b62bb9cc214

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-support/unixodbc/unixodbc_2.3.14.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/unixodbc/unixodbc_2.3.14.bb b/meta-oe/recipes-support/unixodbc/unixodbc_2.3.14.bb index 6f26f7b174..62992f6f50 100644 --- a/meta-oe/recipes-support/unixodbc/unixodbc_2.3.14.bb +++ b/meta-oe/recipes-support/unixodbc/unixodbc_2.3.14.bb
@@ -46,3 +46,5 @@ do_install:prepend() { do_install:append() { oe_multilib_header unixodbc.h unixODBC/unixodbc_conf.h } + +CVE_STATUS[CVE-2024-1013] = "fixed-version: fixed in 2.3.13"
From patchwork Tue Mar 17 17:23:46 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 83651
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][PATCH 7/7] libheif: CVE-2026-3949
Date: Tue, 17 Mar 2026 18:23:46 +0100
Message-ID: <20260317172346.2862459-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260317172346.2862459-1-skandigraun@gmail.com>
References: <20260317172346.2862459-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125329

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3949

Backport the patch that is referenced by the NVD report (in the description)

Signed-off-by: Gyorgy Sarvari
---
 .../libheif/libheif/CVE-2026-3949.patch | 50 +++++++++++++++++++
 .../libheif/libheif_1.21.2.bb | 4 +-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch

diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch new file mode 100644 index 0000000000..ef5d9c1ee4 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
@@ -0,0 +1,50 @@ +From cba59e7671a36a78e31c0490efe74ec226918580 Mon Sep 17 00:00:00 2001 +From: Dirk Farin +Date: Tue, 24 Feb 2026 00:32:48 +0100 +Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712) + +CVE: CVE-2026-3949 +Upstream-Status: Backport [https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03] +Signed-off-by: Gyorgy Sarvari +--- + libheif/plugins/decoder_vvdec.cc | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc +index 09515720..14b3e9fd 100644 +--- a/libheif/plugins/decoder_vvdec.cc ++++ b/libheif/plugins/decoder_vvdec.cc +@@ -55,6 +55,7 @@ struct vvdec_decoder + std::string error_message; + }; + ++static const char kEmptyString[] = ""; + static const char kSuccess[] = "Success"; + + static const int VVDEC_PLUGIN_PRIORITY = 100; +@@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr + + const auto* data = (const uint8_t*) frame_data; + ++ if (frame_size < 4) { ++ return { ++ heif_error_Decoder_plugin_error, ++ heif_suberror_End_of_data, ++ kEmptyString ++ }; ++ } ++ + for (;;) { + uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]); + ++ if (frame_size < 4 + size) { ++ return { ++ heif_error_Decoder_plugin_error, ++ heif_suberror_End_of_data, ++ kEmptyString ++ }; ++ } ++ + data += 4; + + std::vector nalu; diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb index 7ccac771dc..ab29fa3b02 100644 --- a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb +++ b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb 
@@ -6,7 +6,9 @@ LICENSE_FLAGS = "commercial" COMPATIBLE_MACHINE:powerpc64le = "null" -SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV}" +SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV} \ + file://CVE-2026-3949.patch \ + " SRCREV = "62f1b8c76ed4d8305071fdacbe74ef9717bacac5"
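Review bot: the hunk `@@ -19,3 +20,4 @@` that precedes patch 6/7 adds only an empty line after `BBCLASSEXTEND = "native nativesdk"`, leaving a trailing blank line at the end of the recipe. This is whitespace churn unrelated to the change; please drop that hunk.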
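Review bot: in patch 6/7, the added `CVE_STATUS[CVE-2024-1013]` text says only "fixed in 2.3.13", while the reason the override is needed at all (NVD tracks the CVE without version info) and the upstream commit reference exist only in the commit message. Consider carrying that reason in the status string, or in a comment above the line, so whoever next touches unixodbc_2.3.14.bb can tell why the entry is there and when it can be removed.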
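Review bot: in patch 7/7, in the second block added to libheif/plugins/decoder_vvdec.cc by CVE-2026-3949.patch, `if (frame_size < 4 + size)` adds 4 to a `uint32_t`, so the sum is computed in 32 bits and wraps when the length field is within 4 of the 32-bit maximum, and the check then passes against a small `frame_size`. With the `frame_size < 4` test already done above the loop, comparing `size > frame_size - 4` on the first iteration avoids the wrap. The check also sits inside `for (;;)` where `data` advances (`data += 4`), while the visible lines compare against `frame_size` and test `frame_size < 4` only once before the loop; please confirm against the full function that the remaining length is tracked on each iteration. Since this is a backport, both points are better raised upstream than changed locally.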