From patchwork Fri Mar 20 00:28:08 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 83932
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/15] inetutils: patch CVE-2026-28372
Date: Fri, 20 Mar 2026 01:28:08 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233562

From: Peter Marko

Pick patch according to [1] (equivalent to patch from [2]).

This CVE is needed if util-linux >= 2.40 is used which is not the case in Yocto kirkstone, however it's always possible that users update packages in their layers.

[1] https://security-tracker.debian.org/tracker/CVE-2026-28372
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28372

Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal
---
 .../inetutils/inetutils/CVE-2026-28372.patch | 86 +++++++++++++++++++
 .../inetutils/inetutils_2.5.bb | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch

diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch new file mode 100644 index 00000000000..4e6bf0c87ca --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch
@@ -0,0 +1,86 @@ +From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001 +From: Erik Auerswald +Date: Sun, 15 Feb 2026 15:38:50 +0100 +Subject: [PATCH] telnetd: don't allow systemd service credentials + +The login(1) implementation of util-linux added support for +systemd service credentials in release 2.40. This allows to +bypass authentication by specifying a directory name in the +environment variable CREDENTIALS_DIRECTORY. If this directory +contains a file named 'login.noauth' with the content of 'yes', +login(1) skips authentication. + +GNU Inetutils telnetd supports to set arbitrary environment +variables using the 'Environment' and 'New Environment' +Telnet options. This allows specifying a directory containing +'login.noauth'. A local user can create such a directory +and file, and, e.g., specify the user name 'root' to escalate +privileges. + +This problem was reported by Ron Ben Yizhak in +. + +This commit clears CREDENTIALS_DIRECTORY from the environment +before executing login(1) to implement a simple fix that can +be backported easily. + +* NEWS.md: Mention fix. +* THANKS: Mention Ron Ben Yizhak. +* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment +before executing 'login'. + +CVE: CVE-2026-28372 +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386] +Signed-off-by: Peter Marko +--- + NEWS | 5 +++++ + THANKS | 1 + + telnetd/pty.c | 8 ++++++++ + 3 files changed, 14 insertions(+) + +diff --git a/NEWS b/NEWS +index 877ca53b..f5172a71 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,10 @@ + GNU inetutils NEWS -- history of user-visible changes. + ++** Prevent privilege escalation via telnetd abusing systemd service ++credentials support added to the login(1) implementation of util-linux ++in release 2.40. Reported by Ron Ben Yizhak in ++. 
++ + * Noteworthy changes in release 2.5 (2023-12-29) [stable] + + ** ftpd, rcp, rlogin, rsh, rshd, uucpd +diff --git a/THANKS b/THANKS +index 8d1d3dbb..ef5f6063 100644 +--- a/THANKS ++++ b/THANKS +@@ -9,6 +9,7 @@ In particular: + NIIBE Yutaka (Security fixes & making talk finally work) + Nathan Neulinger (tftpd) + Thomas Bushnell (sockaddr sin_len field) ++ Ron Ben Yizhak (reported privilege escalation via telnetd) + + Please see version control logs and ChangeLog.? for full credits. + +diff --git a/telnetd/pty.c b/telnetd/pty.c +index c727e7be..f3518049 100644 +--- a/telnetd/pty.c ++++ b/telnetd/pty.c +@@ -130,6 +130,14 @@ start_login (char *host, int autologin, char *name) + if (!cmd) + fatal (net, "can't expand login command line"); + argcv_get (cmd, "", &argc, &argv); ++ ++ /* util-linux's "login" introduced an authentication bypass method ++ * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40. ++ * Clear it from the environment before executing "login" to prevent ++ * abuse via Telnet. ++ */ ++ unsetenv ("CREDENTIALS_DIRECTORY"); ++ + execv (argv[0], argv); + syslog (LOG_ERR, "%s: %m\n", cmd); + fatalperror (net, cmd); diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 486878022f0..6c53902356f 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb 
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://CVE-2026-24061-1.patch \ file://CVE-2026-24061-2.patch \ + file://CVE-2026-28372.patch \ " inherit autotools gettext update-alternatives texinfo

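Review bot: In the telnetd/pty.c hunk of the embedded CVE-2026-28372.patch, start_login() removes exactly one name, CREDENTIALS_DIRECTORY, while the upstream commit message says telnetd accepts arbitrary environment variables through the 'Environment' and 'New Environment' options, so this is a single-entry denylist placed just before execv(). That is reasonable for an easy backport, but the added comment should say so explicitly (for example, that any further login(1) behaviour driven by the environment needs its own entry here), and a follow-up that filters client-supplied variables against an allowlist would remove the need to track login(1) changes. Separately, the recipe commit message refers to Yocto kirkstone although the subject targets scarthgap; please confirm which util-linux version this branch ships so the applicability statement is accurate.
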
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/15] wireless-regdb: upgrade 2025.10.07 -> 2026.02.04
Date: Fri, 20 Mar 2026 01:28:09 +0100
Message-ID: <99b21af18cc644029aaf70a1eebc2f2e84a42207.1773966414.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233563

From: Ankur Tyagi

Signed-off-by: Ankur Tyagi
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit f86c38b13121788fe6a654df04800d24b2b28b61)
Signed-off-by: Ankur Tyagi
[YC: logs: https://git.kernel.org/pub/scm/linux/kernel/git/wens/wireless-regdb.git/log/?h=master-2026-02-04]
Signed-off-by: Yoann Congal
---
 ...ireless-regdb_2025.10.07.bb => wireless-regdb_2026.02.04.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2025.10.07.bb => wireless-regdb_2026.02.04.bb} (94%)

diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb index 68ae3b0464c..2f7c8160434 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2025.10.07.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2026.02.04.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "d4c872a44154604c869f5851f7d21d818d492835d370af7f58de8847973801c3" +SRC_URI[sha256sum] = "0ff48a5cd9e9cfe8e815a24e023734919e9a3b7ad2f039243ad121cf5aabf6c6" inherit bin_package allarch

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/15] lsb.py: strip ' from os-release file
Date: Fri, 20 Mar 2026 01:28:10 +0100
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233564

From: Martin Jansa

In gentoo the file looks like this:

NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'

' were added with:
https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80

before that the os-release file looked like this:

NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"

The ' is stripped from the ID later in distro_identifier with:

# Filter out any non-alphanumerics and convert to lowercase
distro_id = re.sub(r'\W', '', distro_id).lower()

but not from version which results in a weird NATIVELSBSTRING like:

NATIVELSBSTRING = "gentoo-'2.18'"

And similarly the directory name in sstate-cache:

oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'" sstate-cache/gentoo-2.18

Signed-off-by: Martin Jansa
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616)
Signed-off-by: Yoann Congal
---
 meta/lib/oe/lsb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/lsb.py b/meta/lib/oe/lsb.py index 3ec03e5042b..1fc3b968a0a 100644 --- a/meta/lib/oe/lsb.py +++ b/meta/lib/oe/lsb.py
@@ -16,7 +16,7 @@ def get_os_release(): key, val = line.rstrip().split('=', 1) except ValueError: continue - data[key.strip()] = val.strip('"') + data[key.strip()] = val.strip('"\'') return data def release_dict_osr():

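Review bot: In get_os_release(), val.strip('"\'') treats its argument as a set of characters, so it removes any run of either quote from both ends whether or not they pair up: a malformed value that opens with ' and closes with " is accepted silently, and a double-quoted value whose content ends in an apostrophe loses that apostrophe. Consider removing only one matching outer pair (first and last character equal and in the quote set), or parsing the value with shlex.split given the shell-style quoting shown in the commit message, so that NATIVELSBSTRING and the sstate-cache directory name are derived from exactly the quoted string.
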
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/15] tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145
Date: Fri, 20 Mar 2026 01:28:11 +0100
Message-ID: <2552809fb0b3664824be09ee6dce66db97aa0755.1773966414.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233565

From: Ankur Tyagi

These CVEs are for tools which were removed in v4.6.0[1]

[1] https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61143
https://nvd.nist.gov/vuln/detail/CVE-2025-61144
https://nvd.nist.gov/vuln/detail/CVE-2025-61145

Signed-off-by: Ankur Tyagi
[YC: NVD patches for these CVEs only modify the tools which are not in the tarball we use]
Signed-off-by: Yoann Congal
---
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 777783d7ccd..07540692fcf 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://secur CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop tool not compiled by default since 4.6.0" CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS" -CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961" +CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961 CVE-2025-61143 CVE-2025-61144 CVE-2025-61145" CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by these CVEs are not present in this release" inherit autotools multilib_header

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/15] improve_kernel_cve_report: do not override backported-patch
Date: Fri, 20 Mar 2026 01:28:12 +0100
Message-ID: <1ff16651f97bfa7d369ad982c3d46f0f9cd8fa1c.1773966414.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233566

From: Daniel Turull

If the user has a CVE_STATUS for their own backported patch, the backport takes priority over upstream vulnerable versions.

Signed-off-by: Daniel Turull
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 0beef05be119ea465ba06553a42edea03dfc9fd3)
Signed-off-by: Himanshu Jadon
Signed-off-by: Yoann Congal
---
 scripts/contrib/improve_kernel_cve_report.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index 829cc4cd30e..a81aa0ff943 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -340,6 +340,10 @@ def cve_update(cve_data, cve, entry): if cve_data[cve]['status'] == entry['status']: return if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched": + # Backported-patch (e.g. vendor kernel repo with cherry-picked CVE patch) + # has priority over unpatch from CNA + if cve_data[cve]['detail'] == "backported-patch": + return logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve) cve_data[cve] = copy_data(cve_data[cve], entry) return

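Review bot: In cve_update(), the new check indexes cve_data[cve]['detail'] directly, which raises KeyError for any existing entry that has a 'status' but no 'detail' key, and nothing in this hunk guarantees the key is present. Use cve_data[cve].get('detail') == "backported-patch" instead, and log the skipped downgrade at info or debug level before the return, because the early return also bypasses the logging.warning that would otherwise record that the scan result disagreed with a Patched entry.
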
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/15] improve_kernel_cve_report: do not use custom version
Date: Fri, 20 Mar 2026 01:28:13 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233567

From: Daniel Turull

When using the version specified in cve-summary.json, we need to remove the suffix containing the custom version to match the versions from the CVEs. This patch truncates the version from cve-summary.json to use only the base version of the kernel. This is only applicable for kernels where the user has added their own version.

Signed-off-by: Daniel Turull
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 3942d40e96989268e8d1030f9d8c3859044d9635)
Signed-off-by: Himanshu Jadon
Signed-off-by: Yoann Congal

--- scripts/contrib/improve_kernel_cve_report.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index a81aa0ff943..5c39df05a5a 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -445,10 +445,12 @@ def main(): is_kernel=True if not is_kernel: continue - + # We remove custom versions after - + upstream_version = Version(pkg["version"].split("-")[0]) + logging.info("Checking kernel %s", upstream_version) kernel_cves = get_kernel_cves(args.datadir, compiled_files, - Version(pkg["version"])) + upstream_version) logging.info("Total kernel cves from kernel CNA: %s", len(kernel_cves)) cves = {issue["id"]: issue for issue in pkg["issue"]} logging.info("Total kernel before processing cves: %s", len(cves))
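Review bot: The expression pkg["version"].split("-")[0] in main() cuts at the first hyphen, which removes every hyphenated suffix and not only a user-added one. A pre-release string (constructed example: 6.6-rc1) would be looked up as 6.6, while a custom suffix joined with a different separator is left in place and still reaches Version(). The added comment should state the version format the script expects, and stripping only what follows the numeric part would make the CVE matching less dependent on naming habits.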
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/15] improve_kernel_cve_report: add option to read debugsources.zstd
Date: Fri, 20 Mar 2026 01:28:14 +0100
Message-ID: <366e124551bdbac0846512fa98cb8d6df5415cd7.1773966414.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233568

From: Daniel Turull

Adding option to be able to import debugsources.zstd directly. The linux-yocto-debugsources.zstd is generated in every build and does not require any additional configuration. In contrast, SPDX_INCLUDE_COMPILED_SOURCES needs to be explicitly added and increases build time.

Signed-off-by: Daniel Turull
Signed-off-by: Mathieu Dubois-Briand
(cherry picked from commit c84a8958f30bbb982656ddcbe7476f6f81e1a6fb)
Signed-off-by: Himanshu Jadon
Signed-off-by: Yoann Congal

--- scripts/contrib/improve_kernel_cve_report.py | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index 5c39df05a5a..3a15b1ed26e 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -236,6 +236,26 @@ def read_spdx3(spdx): cfiles.add(filename) return cfiles +def read_debugsources(file_path): + ''' + Read zstd file from pkgdata to extract sources + ''' + import zstandard as zstd + import itertools + # Decompress the .zst file + cfiles = set() + with open(file_path, 'rb') as fh: + dctx = zstd.ZstdDecompressor() + with dctx.stream_reader(fh) as reader: + decompressed_bytes = reader.read() + json_data = json.loads(decompressed_bytes) + # We need to remove one level from the debug sources + for source_list in json_data.values(): + for source in source_list: + src = source.split("/",1)[1] + cfiles.add(src) + return cfiles + def check_kernel_compiled_files(compiled_files, cve_info): """ Return if a CVE affected us depending on compiled files @@ -372,6 +392,10 @@ def main(): "--spdx", help="SPDX2/3 for the kernel. Needs to include compiled sources", ) + parser.add_argument( + "--debug-sources-file", + help="Debug sources zstd file generated from Yocto", + ) parser.add_argument( "--datadir", type=pathlib.Path, 
@@ -415,6 +439,9 @@ def main(): if args.spdx: compiled_files = read_spdx(args.spdx) logging.info("Total compiled files %d", len(compiled_files)) + if args.debug_sources_file: + compiled_files = read_debugsources(args.debug_sources_file) + logging.info("Total compiled files %d", len(compiled_files)) if args.old_cve_report: with open(args.old_cve_report, encoding='ISO-8859-1') as f:
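Review bot: In read_debugsources() (hunk at @@ -236), source.split("/",1)[1] raises IndexError for any entry that contains no "/", and the whole stream is pulled into memory with reader.read() before json.loads. The file is build output, but one unexpected entry aborts the CVE report; skipping entries without a separator, with a warning, would be more robust. The itertools import is unused, and the function-local zstandard import fails with a bare ImportError when the module is missing, so a short message naming the dependency for --debug-sources-file would help.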
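Review bot: In the main() hunk at @@ -415, the test on args.debug_sources_file follows the test on args.spdx as an independent if, so passing both options silently replaces the SPDX file list with the debugsources one. Either declare the two options mutually exclusive in argparse or merge the two sets, and say which in the --debug-sources-file help text, because compiled_files feeds check_kernel_compiled_files(), which decides whether a CVE is reported as affecting the build.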
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/15] freetype: Fix CVE-2026-23865
Date: Fri, 20 Mar 2026 01:28:15 +0100
Message-ID: <6a33eff7114af1fb3b994f0795f99eebd078d24a.1773966414.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233569

From: Vijay Anusuri

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-23865
https://security-tracker.debian.org/tracker/CVE-2026-23865

Picked patch mentioned in NVD

Signed-off-by: Vijay Anusuri
Signed-off-by: Yoann Congal

--- .../freetype/freetype/CVE-2026-23865.patch | 54 +++++++++++++++++++ .../freetype/freetype_2.13.2.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch new file mode 100644 index 00000000000..aa0d4326f83 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2026-23865.patch
@@ -0,0 +1,54 @@ +From fc85a255849229c024c8e65f536fe1875d84841c Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 3 Jan 2026 08:07:57 +0100 +Subject: [PATCH] [ttgxvar] Check for overflow in array size computation. + +Problem reported and analyzed by povcfe . + +Fixes issue #1382. + +* src/truetype/ttgxvar.c (tt_var_load_item_variation_store): Do it. + +Upstream-Status: Backport [https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c] +CVE: CVE-2026-23865 +Signed-off-by: Vijay Anusuri +--- + src/truetype/ttgxvar.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c +index 2ff40c9e8..96ddc04c8 100644 +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -628,6 +628,7 @@ + FT_UShort word_delta_count; + FT_UInt region_idx_count; + FT_UInt per_region_size; ++ FT_UInt delta_set_size; + + + if ( FT_STREAM_SEEK( offset + dataOffsetArray[i] ) ) +@@ -697,7 +698,19 @@ + if ( long_words ) + per_region_size *= 2; + +- if ( FT_NEW_ARRAY( varData->deltaSet, per_region_size * item_count ) ) ++ /* Check for overflow (we actually test whether the */ ++ /* multiplication of two unsigned values wraps around). */ ++ delta_set_size = per_region_size * item_count; ++ if ( per_region_size && ++ delta_set_size / per_region_size != item_count ) ++ { ++ FT_TRACE2(( "tt_var_load_item_variation_store:" ++ " bad delta set array size\n" )); ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit; ++ } ++ ++ if ( FT_NEW_ARRAY( varData->deltaSet, delta_set_size ) ) + goto Exit; + if ( FT_Stream_Read( stream, + varData->deltaSet, +-- +GitLab + diff --git a/meta/recipes-graphics/freetype/freetype_2.13.2.bb b/meta/recipes-graphics/freetype/freetype_2.13.2.bb index ce7a615a3c8..e053fef3b51 100644 --- a/meta/recipes-graphics/freetype/freetype_2.13.2.bb +++ b/meta/recipes-graphics/freetype/freetype_2.13.2.bb 
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=843b6efc16f6b1652ec97f89d5a516c0 \ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://CVE-2025-27363.patch \ + file://CVE-2026-23865.patch \ " SRC_URI[sha256sum] = "12991c4e55c506dd7f9b765933e62fd2be2e06d421505d7950a132e4f1bb484d"
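Review bot: In the embedded ttgxvar.c change, the wrap-around test covers per_region_size * item_count, but the context line "per_region_size *= 2" for long_words runs before it and is not checked itself. The division test is also only valid while both operands are unsigned and no wider than FT_UInt, and the declaration of item_count lies outside the hunk. Please confirm against the 2.13.2 source that the doubling cannot wrap and that item_count has the type the upstream commit assumes, since the fix was written on 3 Jan 2026 against a newer tree.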
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/15] go: Fix CVE-2025-61726.patch variable ordering
Date: Fri, 20 Mar 2026 01:28:16 +0100
Message-ID: <367d5ae92969c94ee439ed0fbba3ba4b9b0b6397.1773966414.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233570
From: Eduardo Ferreira

Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11) introduced a patch backporting a fix for CVE-2025-61726, but this patch also introduced a bug.

From Go's source code[1], they say that the 'All' table from 'godebugs' should be populated alphabetically by Name. And the 'Lookup'[2] function uses binary search to try and find the variable.

Here's the trace:
Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godebugs.All: urlmaxqueryparams
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40006441c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20

The 'Lookup' function was failing due to the wrong ordering and returning 'nil', which was not being checked properly and caused this issue.

The fix was to just reorder the line where 'urlmaxqueryparams' is being added to respect the alphabetical ordering. And for that the whole CVE patch was generated again.

This change was validated with docker-moby (original issue), where a container ran successfully and no traces in the logs.
[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20 [2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100 Signed-off-by: Eduardo Ferreira Signed-off-by: Yoann Congal --- .../go/go/CVE-2025-61726.patch | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/meta/recipes-devtools/go/go/CVE-2025-61726.patch b/meta/recipes-devtools/go/go/CVE-2025-61726.patch index ab053ff55c9..bdd10bc9331 100644 --- a/meta/recipes-devtools/go/go/CVE-2025-61726.patch +++ b/meta/recipes-devtools/go/go/CVE-2025-61726.patch @@ -1,4 +1,4 @@ -From 85050ca6146f3edb50ded0a352ab9edbd635effc Mon Sep 17 00:00:00 2001 +From bf06767a9ac737387eee77c7eedd67c65e853ac2 Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 3 Nov 2025 14:28:47 -0800 Subject: [PATCH] [release-branch.go1.24] net/url: add urlmaxqueryparams @@ -36,6 +36,7 @@ Reviewed-by: Junyang Shao TryBot-Bypass: Michael Pratt (cherry picked from commit 85c794ddce26a092b0ea68d0fca79028b5069d5a) Signed-off-by: Deepak Rathore +Signed-off-by: Eduardo Ferreira --- doc/godebug.md | 7 +++++ src/internal/godebugs/table.go | 1 + @@ -45,7 +46,7 @@ Signed-off-by: Deepak Rathore 5 files changed, 85 insertions(+) diff --git a/doc/godebug.md b/doc/godebug.md -index ae4f0576b4..635597ea42 100644 +index ae4f057..635597e 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -126,6 +126,13 @@ for example, @@ -63,19 +64,19 @@ index ae4f0576b4..635597ea42 100644 to concerns around VCS injection attacks. This behavior can be renabled with the setting `allowmultiplevcs=1`. diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go -index 33dcd81fc3..4ae043053c 100644 +index 33dcd81..7178df6 100644 --- a/src/internal/godebugs/table.go 
+++ b/src/internal/godebugs/table.go -@@ -52,6 +52,7 @@ var All = []Info{ +@@ -51,6 +51,7 @@ var All = []Info{ + {Name: "tlsmaxrsasize", Package: "crypto/tls"}, {Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"}, {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, - {Name: "x509sha1", Package: "crypto/x509"}, + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, + {Name: "x509sha1", Package: "crypto/x509"}, {Name: "x509usefallbackroots", Package: "crypto/x509"}, {Name: "x509usepolicies", Package: "crypto/x509"}, - {Name: "zipinsecurepath", Package: "archive/zip"}, diff --git a/src/net/url/url.go b/src/net/url/url.go -index d2ae03232f..5219e3c130 100644 +index d2ae032..cdca468 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -13,6 +13,7 @@ package url @@ -118,7 +119,7 @@ index d2ae03232f..5219e3c130 100644 var key string key, query, _ = strings.Cut(query, "&") diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go -index fef236e40a..b2f8bd95fc 100644 +index fef236e..b2f8bd9 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -1488,6 +1488,54 @@ func TestParseQuery(t *testing.T) { @@ -177,7 +178,7 @@ index fef236e40a..b2f8bd95fc 100644 url *URL out string diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go -index 517ec0e0a4..335f7873b3 100644 +index 517ec0e..88d6d8c 100644 --- a/src/runtime/metrics/doc.go +++ b/src/runtime/metrics/doc.go @@ -328,6 +328,11 @@ Below is the full list of supported metrics, ordered lexicographically. 
@@ -193,4 +194,4 @@ index 517ec0e0a4..335f7873b3 100644 The number of non-default behaviors executed by the crypto/x509 package due to a non-default GODEBUG=x509sha1=... setting. -- -2.35.6 +2.34.1
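Review bot: The regenerated table.go hunk now places urlmaxqueryparams between tlsunsafeekm and x509sha1, which is the sorted position, but the only validation named in the commit message is a docker-moby run. A misplaced entry fails only for the names the binary search happens to miss, so a build-time assertion that godebugs.All is sorted by Name would catch the next backport that touches this table. The entry also keeps "Changed: 24" from the release-branch.go1.24 commit while the recipe is go 1.22.12; please confirm the default query-parameter limit is actually active for programs built with this toolchain.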
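The lookup failure described in the commit message above, as an added example that is not part of the original mail or of Go's source: a simplified binary search over a seven-row excerpt of the table (names and packages taken from the hunk), run against the mis-ordered and the corrected order, together with a sortedness check a build could assert on. The type info and the functions lookup, packageFor and firstOutOfOrder are hypothetical names.

```go
package main

import "fmt"

// info is a hypothetical stand-in for one row of the godebugs table.
type info struct {
	Name    string
	Package string
}

// misordered is an excerpt of the table as left by the first backport:
// the new row sits after "x509sha1", which breaks the order by Name.
var misordered = []info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls"},
	{Name: "tlsunsafeekm", Package: "crypto/tls"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "urlmaxqueryparams", Package: "net/url"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
}

// sorted is the same excerpt with the row moved to its alphabetical place.
var sorted = []info{
	{Name: "tlsmaxrsasize", Package: "crypto/tls"},
	{Name: "tlsrsakex", Package: "crypto/tls"},
	{Name: "tlsunsafeekm", Package: "crypto/tls"},
	{Name: "urlmaxqueryparams", Package: "net/url"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
}

// lookup is a plain binary search by Name. It assumes the table is sorted
// and returns nil when the probe sequence never lands on the name, which
// is what happens to a row that is present but out of order.
func lookup(table []info, name string) *info {
	lo, hi := 0, len(table)
	for lo < hi {
		mid := lo + (hi-lo)/2
		switch {
		case name == table[mid].Name:
			return &table[mid]
		case name < table[mid].Name:
			hi = mid
		default:
			lo = mid + 1
		}
	}
	return nil
}

// packageFor models a caller that checks the nil result instead of
// dereferencing it; the bool reports whether the name was found.
func packageFor(table []info, name string) (string, bool) {
	if e := lookup(table, name); e != nil {
		return e.Package, true
	}
	return "", false
}

// firstOutOfOrder returns the index of the first row whose Name is not
// strictly greater than its predecessor's, or -1 if the table is sorted.
func firstOutOfOrder(table []info) int {
	for i := 1; i < len(table); i++ {
		if table[i-1].Name >= table[i].Name {
			return i
		}
	}
	return -1
}

func main() {
	tables := []struct {
		label string
		rows  []info
	}{
		{"misordered", misordered},
		{"sorted", sorted},
	}
	for _, t := range tables {
		pkg, ok := packageFor(t.rows, "urlmaxqueryparams")
		fmt.Printf("%-10s found=%-5v package=%q firstOutOfOrder=%d\n",
			t.label, ok, pkg, firstOutOfOrder(t.rows))
	}
}
```

The row is present in both tables; only the ordering decides whether the search reaches it, which is why the sortedness check is the useful regression guard.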
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/15] python3-pip: Fix CVE-2026-1703
Date: Fri, 20 Mar 2026 01:28:17 +0100
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233571

From: Vijay Anusuri

Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-1703
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703
[3] https://github.com/pypa/pip/pull/13777

Signed-off-by: Vijay Anusuri
Signed-off-by: Yoann Congal

--- .../python/python3-pip/CVE-2026-1703.patch | 37 +++++++++++++++++++ .../python/python3-pip_24.0.bb | 4 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 00000000000..1470b7c541f --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
@@ -0,0 +1,37 @@ +From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 30 Jan 2026 09:49:11 -0600 +Subject: [PATCH] Use os.path.commonpath() instead of commonprefix() + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124] +CVE: CVE-2026-1703 +Signed-off-by: Vijay Anusuri +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 0000000..edb1b32 +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 78b5c13..0b26525 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb index be4a29500a5..12a5e1cc3cf 100644 --- a/meta/recipes-devtools/python/python3-pip_24.0.bb +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb 
@@ -31,7 +31,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \ + " SRC_URI[sha256sum] = "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2" From patchwork Fri Mar 20 00:28:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83926 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA0141093168 for ; Fri, 20 Mar 2026 00:28:38 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2630.1773966515535836300 for ; Thu, 19 Mar 2026 17:28:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Mog5Rbf+; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-48538c5956bso13238245e9.0 for ; Thu, 19 Mar 2026 17:28:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966514; x=1774571314; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Brig5MXXzBasL0oGROb86REdQH9AStmhYe0KWitI1f8=; b=Mog5Rbf+ZysRlW1yrX3Cp8bLpIxIlCeLNBOmdhQwSJHaTNKNCOFcm5OD+DLTtLURv0 qc0WOS2Gki+bLKfDtwR6G7vZ7owZI2ZGRnehOP7qxYCdZBFCrZUAS3Lt/IVW78Sea1j2 aqThIb8+W21ItrtSAcn3Hu5GhO9DvxMoXvSc4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773966514; x=1774571314; 
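Review bot: In the `is_within_directory()` hunk of the embedded CVE-2026-1703.patch, `os.path.commonpath([abs_directory, abs_target])` can raise `ValueError` where `commonprefix()` always returned a string; on Windows that happens when the two absolute paths sit on different drives. Both arguments pass through `os.path.abspath()` first, so on the POSIX hosts this recipe targets the call cannot raise, but the OE commit message only says "Pick patch according to [1]". One sentence there on what the character-wise comparison got wrong (the news fragment's "path-segment prefix comparison, not char-by-char") would let a reader judge the backport without following the links.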
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/15] oe-setup-build: Fix typo Date: Fri, 20 Mar 2026 01:28:18 +0100 Message-ID: <42f69d702f790f6f2c0eef0124ab9d618b1fd945.1773966414.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233572 From: Ryan Eatmon A variable was mistyped in an error message resulting in this error: NameError: name 'tempalte_name' is not defined. Did you mean: 'template_name'? Signed-off-by: Ryan Eatmon Signed-off-by: Richard Purdie (cherry picked from commit 275a3c015d37729c3b0c9cc4395d50ea2f210f02) Signed-off-by: Clayton Casciato Signed-off-by: Yoann Congal --- scripts/oe-setup-build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/oe-setup-build b/scripts/oe-setup-build index c0476992a2a..1cb06b3b793 100755 --- a/scripts/oe-setup-build +++ b/scripts/oe-setup-build 
@@ -77,7 +77,7 @@ def find_template(template_name, templates): for t in templates: if t["templatename"] == template_name: return t - print("Configuration {} is not one of {}, please try again.".format(tempalte_name, [t["templatename"] for t in templates])) + print("Configuration {} is not one of {}, please try again.".format(template_name, [t["templatename"] for t in templates])) return None def setup_build_env(args): From patchwork Fri Mar 20 00:28:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83928 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E440C109316A for ; Fri, 20 Mar 2026 00:28:38 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2627.1773966515994707289 for ; Thu, 19 Mar 2026 17:28:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=H3Iiqpxc; spf=pass (domain: smile.fr, ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-486b9675d36so10352275e9.0 for ; Thu, 19 Mar 2026 17:28:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966514; x=1774571314; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=k3jg9qRQJKqrFYwXUcwwjymeKCBaDCPPh1JmZqHQNfY=; b=H3IiqpxcikfBDDtA/fGA9iqGV2+/ykD6Y4+c21Gu50eXTazrCH470CnyPbaSYujNV3 VXexJrtjRUuBin6aKxW/x56lrFYUliazedbaOtQhsubg1ClWnrVreprspxHuTbJxct34 41RdIumP2E+9JGUNh2qK/hsKF3qNUKqPsG2rM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/15] systemd-systemctl: Fix instance name parsing with escapes or periods Date: Fri, 20 Mar 2026 01:28:19 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233573 From: Trent Piepho Fixes [YOCTO #16130] When extracting the instance name from a template instance such as 'example@host.domain.com.service', the systemctl replacement script will split the instance on the first period, producing an instance argument of 'host' and a template of 'example@.domain.com.service'. This is incorrect, as systemd will split on the last period, producing an instance argument of 'host.domain.com' and a template of 'example@.service'. When constructing the template name, the script will also pass the string as is to re.sub(), which will try to process any backslash escapes in the string. These are legal in systemd unit names and should be preserved. They also are not valid Python escape sequences. Use re.escape() to preserve anything in the unit name that might be considered a regex escape. Signed-off-by: Trent Piepho Signed-off-by: Yoann Congal --- meta/recipes-core/systemd/systemd-systemctl/systemctl | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl index 2229bc7b6d2..b9e04a90707 100755 --- a/meta/recipes-core/systemd/systemd-systemctl/systemctl +++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl 
@@ -202,7 +202,8 @@ class SystemdUnit(): try: for dependent in config.get('Install', prop): # expand any %i to instance (ignoring escape sequence %%) - dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent) + if instance is not None: + dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(re.escape(instance)), dependent) wants = systemdir / "{}.{}".format(dependent, dirstem) / service add_link(wants, target) 
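Review bot: `re.escape(instance)` is applied to the replacement argument of `re.sub()` in the `%i` expansion, not to a pattern, and the two escape grammars differ. `re.escape()` puts a backslash in front of regex metacharacters such as `.` as well as in front of `\`, and a replacement template leaves an unknown non-letter escape like `\.` untouched, so an instance of `host.domain.com` would be written into the dependent name as `host\.domain\.com`. Only backslashes need protecting in a replacement string: pass a function, for example `re.sub("([^%](%%)*)%i", lambda m: m.group(1) + instance, dependent)`, or use `instance.replace("\\", "\\\\")`.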
@@ -212,13 +213,13 @@ class SystemdUnit(): def enable(self, units_enabled=[]): # if we're enabling an instance, first extract the actual instance # then figure out what the template unit is - template = re.match(r"[^@]+@(?P[^\.]*)\.", self.unit) + template = re.match(r"[^@]+@(?P.*)\.", self.unit) instance_unit_name = None if template: instance = template.group('instance') if instance != "": instance_unit_name = self.unit - unit = re.sub(r"@[^\.]*\.", "@.", self.unit, 1) + unit = re.sub(r"@{}\.".format(re.escape(instance)), "@.", self.unit, 1) else: instance = None unit = self.unit From patchwork Fri Mar 20 00:28:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83934 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0737A109316E for ; Fri, 20 Mar 2026 00:28:39 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2631.1773966516460518943 for ; Thu, 19 Mar 2026 17:28:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=gBtLEKuH; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-48374014a77so12740445e9.3 for ; Thu, 19 Mar 2026 17:28:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966515; x=1774571315; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vXR8dxPE7WfYOEJp9dsKI+1kx2EHH1KKmMWKVjh7MEk=; b=gBtLEKuHsxUzyY3NZZSP8hc4CfcTV892/SMR1Bi5OV/HyQfJDUQiJgvMgOA9lmDHdp 
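Review bot: Nothing in this patch exercises the new split in `enable()`: the diffstat shows only `systemctl` touched, while the greedy `.*` changes both which part of the unit name becomes the instance and what template name is derived from it. A test that enables `example@host.domain.com.service` and a unit whose instance contains a backslash escape, then checks the template name and the created symlink, would pin the two cases the commit message describes. While here, `re.sub(..., self.unit, 1)` passes `count` positionally, which Python 3.13 deprecates; `count=1` is the safer spelling.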
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/15] inetutils: Fix CVE-2026-32746 Date: Fri, 20 Mar 2026 01:28:20 +0100 Message-ID: <025e550f82e2c2c68c5296c4d568163aad123be1.1773966414.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233574 From: Vijay Anusuri Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-32746 [2] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html [3] https://codeberg.org/inetutils/inetutils/pulls/17/files Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../inetutils/inetutils/CVE-2026-32746.patch | 40 +++++++++++++++++++ .../inetutils/inetutils_2.5.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch new file mode 100644 index 00000000000..0e55f3f0a4e --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32746.patch 
@@ -0,0 +1,40 @@ +From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001 +From: Collin Funk +Date: Wed, 11 Mar 2026 23:06:46 -0700 +Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption triplets + +Previously a client could write past the end of an internal buffer using +an SLC suboption with many triplets using function octets greater than +18, possibly leading to remote code execution. Reported by Adiel Sol, +Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM +Security Research Team at: +. + +* telnetd/slc.c (add_slc): Return early if writing the tuple would lead +us to writing past the end of the buffer. +* NEWS.md: Mention the fix. + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=6864598a29b652a6b69a958f5cd1318aa2b258af] +CVE: CVE-2026-32746 +Signed-off-by: Vijay Anusuri +--- + telnetd/slc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/telnetd/slc.c b/telnetd/slc.c +index b3cc117..9d6bad1 100644 +--- a/telnetd/slc.c ++++ b/telnetd/slc.c +@@ -162,6 +162,9 @@ get_slc_defaults (void) + void + add_slc (register char func, register char flag, register cc_t val) + { ++ /* Do nothing if the entire triplet cannot fit in the buffer. */ ++ if (slcbuf + sizeof slcbuf - slcptr <= 6) ++ return; + + if ((*slcptr++ = (unsigned char) func) == 0xff) + *slcptr++ = 0xff; +-- +2.43.0 + diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 6c53902356f..29ff62379d3 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb 
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://CVE-2026-24061-1.patch \ file://CVE-2026-24061-2.patch \ file://CVE-2026-28372.patch \ + file://CVE-2026-32746.patch \ " inherit autotools gettext update-alternatives texinfo From patchwork Fri Mar 20 00:28:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83930 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15FEA1093170 for ; Fri, 20 Mar 2026 00:28:39 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2632.1773966516897102879 for ; Thu, 19 Mar 2026 17:28:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=LW9LFf2r; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-4852f8ac7e9so13044005e9.1 for ; Thu, 19 Mar 2026 17:28:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966515; x=1774571315; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZFI8K6iiibIDXS4noEj8nAOlMawp7a3N9Js3Osjb9Xc=; b=LW9LFf2rmpYVhsy/eHKZ3tQh3MIxjcs5OlbXMFz2KCyXzqb+PouC/Xv8LUo3evBVVG nTpRYk+xZFM1Sva4wSlw1AtDN4OTGNtfxMYFg126jFwJUOa/JuRMDQcUCHDIDEYLWYSZ TaHhvGqVl8vwXEkmvIhpt0QaGrulfwHyc7aDw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773966515; x=1774571315; h=content-transfer-encoding:mime-version:references:in-reply-to 
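Review bot: The bound in the new `add_slc()` guard, `if (slcbuf + sizeof slcbuf - slcptr <= 6)`, is a bare constant, and the comment above it only says the triplet must fit. The line that follows doubles `func` when it is 0xff; if `flag` and `val` are handled the same way, three octets at two bytes each would account for the 6, but that still leaves the `<=` rather than `<` unexplained. A comment stating what the remaining byte is reserved for would make the check auditable. The early `return` also drops the triplet silently, so it is worth saying in the patch header whether any caller depends on the triplet having been queued.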
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/15] python3-setuptools: drop Windows launcher executables on non-mingw builds Date: Fri, 20 Mar 2026 01:28:21 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233575 From: Krupal Ka Patel setuptools installs Windows launcher executables (cli*.exe, gui*.exe) into site-packages. These binaries are only used on Windows platforms but are packaged for target, native, and nativesdk builds. Remove the Windows launcher executables when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries. Signed-off-by: Krupal Ka Patel Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb) Signed-off-by: Yoann Congal --- .../recipes-devtools/python/python3-setuptools_69.1.1.bb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb index 46b2f0ab008..00f83056dbf 100644 --- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb +++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb 
@@ -19,6 +19,15 @@ SRC_URI += " \ SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8" +do_install:append() { + # setuptools ships Windows launcher executables (cli*.exe, gui*.exe). + # Keep them only when building for a Windows (mingw) host. + case "${HOST_OS}" in + mingw32|mingw64) ;; + *) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools/*.exe ;; + esac +} + DEPENDS += "python3" RDEPENDS:${PN} = "\ From patchwork Fri Mar 20 00:28:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 83933 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 585E01093176 for ; Fri, 20 Mar 2026 00:28:39 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2633.1773966517320123835 for ; Thu, 19 Mar 2026 17:28:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=oQqEVP+U; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-48558d6ef83so777625e9.3 for ; Thu, 19 Mar 2026 17:28:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1773966515; x=1774571315; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vE6UzhuFaqo0M9AHbypRvBWP6GNRmPkD+nUMNnzcWhE=; b=oQqEVP+Ut9rbMO973OLiuJdbIUFrSe8G5rfRA4gM9ycY0Tgc7ZnUSq6TQ+yB+jkMMs vmXEfOcLxGlll3gBeluwK94J9Zy2tn/ti+li/f/b/nPlGMeuIDVs5oAdV62cpoiCugPF c6oufb/qL+clmLc54RffGdVBANzarXrehBBLs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
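Review bot: The removal in `do_install:append()` can stop working without any build signal: `rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools/*.exe` matches only launchers directly under `setuptools/`, and `rm -f` succeeds when the glob matches nothing, so a later setuptools version that moves or nests the `.exe` files would have them packaged again. Consider `find ${D}${PYTHON_SITEPACKAGES_DIR}/setuptools -name '*.exe' -delete`, or name in the comment the files the glob is expected to match so a version bump can be checked against it.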
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 15/15] python3-pip: drop unused Windows distlib launcher templates Date: Fri, 20 Mar 2026 01:28:22 +0100 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Mar 2026 00:28:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233576 From: Krupal Ka Patel pip vendors distlib which ships Windows launcher template binaries (*.exe) under pip/_vendor/distlib. These files are only used on Windows systems but are installed and packaged for target, native, and nativesdk builds. Remove the distlib *.exe templates when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries and reduce package noise. Signed-off-by: Krupal Ka Patel Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd) Signed-off-by: Yoann Congal --- meta/recipes-devtools/python/python3-pip_24.0.bb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb index 12a5e1cc3cf..cf123a5d230 100644 --- a/meta/recipes-devtools/python/python3-pip_24.0.bb +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb @@ -41,6 +41,15 @@ do_install:append() { rm -f ${D}/${bindir}/pip } +do_install:append(){ + # pip vendors distlib which ships Windows launcher templates (*.exe). + # Keep them only when building for a Windows (mingw) host. + case "${HOST_OS}" in + mingw32|mingw64) ;; + *) rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/pip/_vendor/distlib/*.exe ;; + esac +} + RDEPENDS:${PN} = "\ python3-compile \ python3-io \
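Review bot: A second `do_install:append()` is not needed here: the context lines show an existing one that removes `${D}/${bindir}/pip`, and the new function is spelled `do_install:append(){` without the space the existing one uses. Folding the `case "${HOST_OS}"` block into the existing append keeps a single install fixup in the recipe and removes the style mismatch. Apart from the path, the block is a copy of the one added to python3-setuptools in 14/15, so the same remark about the top-level-only `*.exe` glob and the silent `rm -f` applies.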