From patchwork Sun Mar 29 22:37:33 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 84746
X-Patchwork-Delegate: yoann.congal@smile.fr
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/16] tzdata,tzcode-native: Upgrade 2025b -> 2025c
Date: Mon, 30 Mar 2026 00:37:33 +0200
Message-ID: <7255b0ff315367abb5f0c6f00974bf30f7861d1b.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234159

From: Paul Barker

This release mostly changes code and commentary. The only changed data are leap second table expiration and pre-1976 time in Baja California.

Full release notes:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/

Signed-off-by: Paul Barker
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi
Signed-off-by: Yoann Congal
--- meta/recipes-extended/timezone/timezone.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc index f21bedf4fc5..35f22d5a15a 100644 --- a/meta/recipes-extended/timezone/timezone.inc +++ b/meta/recipes-extended/timezone/timezone.inc @@ -6,7 +6,7 @@ SECTION = "base" LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2025b" +PV = "2025c" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz" UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec" -SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474" +SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740" +SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"
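Review bot: in the second timezone.inc hunk, the two new SRC_URI[tzcode.sha256sum] and SRC_URI[tzdata.sha256sum] values are the only integrity check on the 2025c tarballs, because the unchanged SRC_URI lines in the first hunk still fetch from http://www.iana.org over plain HTTP. Please say in the commit message how the new hashes were obtained (for example, computed from tarballs whose upstream signatures were verified), so a reviewer can reproduce them instead of trusting the values as posted.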
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/16] python3-cryptography: Fix CVE-2026-26007
Date: Mon, 30 Mar 2026 00:37:34 +0200
Message-ID: <80637cd1b9e2045e9f19fb8337704007fef67e41.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234160

From: Nguyen Dat Tho

CVE-2026-26007 is fixed upstream in version 46.0.5. Our current version (42.0.5, scarthgap) is still reported as vulnerable by NVD. Backport the upstream fix to address this CVE.

Upstream commit:
https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c

CVE report:
https://nvd.nist.gov/vuln/detail/CVE-2026-26007

Signed-off-by: Nguyen Dat Tho
Signed-off-by: Yoann Congal
--- .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++ .../python/python3-cryptography_42.0.5.bb | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch new file mode 100644 index 00000000000..a78d287ccdd --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,149 @@ +From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 18 Mar 2026 16:01:03 +0900 +Subject: [PATCH] EC check key on cofactor > 1 + +An attacker could create a malicious public key that reveals portions of +your private key when using certain uncommon elliptic curves (binary +curves). This version now includes additional security checks to +prevent this attack. This issue only affects binary elliptic curves, +which are rarely used in real-world applications. Credit to **XlabAI +Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery +Engine** for reporting the issue. **CVE-2026-26007** + +This is a partial backport of upstream commit +0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's +relevant for CVE-2026-26007. + +CVE: CVE-2026-26007 + +Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c +Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59 + +Signed-off-by: Nguyen Dat Tho +Signed-off-by: Paul Kehrer +Co-authored-by: Alex Gaynor +--- +Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c] + + src/rust/src/backend/ec.rs | 39 ++++++++++++++++++++---------- + tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 13 deletions(-) + +diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs +index 6a224b49f..27fced086 100644 +--- a/src/rust/src/backend/ec.rs ++++ b/src/rust/src/backend/ec.rs +@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey( + ) -> CryptographyResult { + let ec = pkey.ec_key()?; + let curve = py_curve_from_curve(py, ec.group())?; +- check_key_infinity(&ec)?; +- Ok(ECPublicKey { +- pkey: pkey.to_owned(), +- curve: curve.into(), +- }) ++ ECPublicKey::new(pkey.to_owned(), curve.into()) + } ++ + 
#[pyo3::prelude::pyfunction] + fn generate_private_key( + py: pyo3::Python<'_>, +@@ -215,10 +212,7 @@ fn from_public_bytes( + let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + +- Ok(ECPublicKey { +- pkey, +- curve: py_curve.into(), +- }) ++ ECPublicKey::new(pkey, py_curve.into()) + } + + #[pyo3::prelude::pymethods] +@@ -357,6 +351,28 @@ impl ECPrivateKey { + } + } + ++impl ECPublicKey { ++ fn new( ++ pkey: openssl::pkey::PKey, ++ curve: pyo3::Py, ++ ) -> CryptographyResult { ++ let ec = pkey.ec_key()?; ++ check_key_infinity(&ec)?; ++ let mut bn_ctx = openssl::bn::BigNumContext::new()?; ++ let mut cofactor = openssl::bn::BigNum::new()?; ++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?; ++ let one = openssl::bn::BigNum::from_u32(1)?; ++ if cofactor != one { ++ ec.check_key().map_err(|_| { ++ pyo3::exceptions::PyValueError::new_err( ++ "Invalid EC key (key out of range, infinity, etc.)", ++ ) ++ })?; ++ } ++ ++ Ok(ECPublicKey { pkey, curve }) ++ } ++} + #[pyo3::prelude::pymethods] + impl ECPublicKey { + #[getter] +@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers { + + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; + +- Ok(ECPublicKey { +- pkey, +- curve: self.curve.clone_ref(py), +- }) ++ ECPublicKey::new(pkey, self.curve.clone_ref(py)) + } + + fn __eq__( +diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py +index 334e76dcc..f7f2242f6 100644 +--- a/tests/hazmat/primitives/test_ec.py ++++ b/tests/hazmat/primitives/test_ec.py +@@ -1340,3 +1340,40 @@ class TestECDH: + + with pytest.raises(ValueError): + key.exchange(ec.ECDH(), public_key) ++ ++ ++def test_invalid_sect_public_keys(backend): ++ _skip_curve_unsupported(backend, ec.SECT571K1()) ++ public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1()) ++ with pytest.raises(ValueError): ++ public_numbers.public_key() ++ ++ point = binascii.unhexlify( ++ 
b"0400000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000010000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000001" ++ ) ++ with pytest.raises(ValueError): ++ ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point) ++ ++ der = binascii.unhexlify( ++ b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000100000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"00001" ++ ) ++ with pytest.raises(ValueError): ++ serialization.load_der_public_key(der) ++ ++ pem = textwrap.dedent("""-----BEGIN PUBLIC KEY----- ++ MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= ++ -----END PUBLIC KEY-----""").encode() ++ with pytest.raises(ValueError): ++ serialization.load_pem_public_key(pem) diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb index 732f925d926..c4573fa6891 100644 --- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb +++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb 
@@ -11,6 +11,7 @@ LDSHARED += "-pthread" SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1" SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \ + file://CVE-2026-26007.patch \ file://check-memfree.py \ file://run-ptest \ "
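Review bot: `ECPublicKey::new` in the ec.rs hunk at -357,6 only protects callers that go through it, and this partial backport converts three of them (public_key_from_pkey, from_public_bytes, EllipticCurvePublicNumbers::public_key). Please check the 42.0.5 tree for any remaining `ECPublicKey { pkey, curve }` struct literal outside `new`, since such a path would skip both check_key_infinity and the cofactor check. A one-line comment above `if cofactor != one` saying why check_key() is limited to curves with cofactor > 1 would also help whoever refreshes this patch next.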
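Review bot: the test_ec.py hunk adds test_invalid_sect_public_keys, which uses binascii, textwrap and serialization, but this partial backport carries no import hunk for that file. Please confirm that tests/hazmat/primitives/test_ec.py in 42.0.5 already imports all three; otherwise the ptest run fails with a NameError instead of exercising the fix.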
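Review bot: in the header of CVE-2026-26007.patch the Upstream-Status: line sits below the `---` separator, where git am discards it if the patch is ever re-applied and regenerated. Move it above `---`, next to the CVE: tag, as 0001-Fix-discarded-const-qualifiers.patch in 04/16 of this series does.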
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/16] spdx: add option to include only compiled sources
Date: Mon, 30 Mar 2026 00:37:35 +0200
Message-ID: <50390bb45db8560bc9d2ee3ad37979924e0046c7.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234161

From: João Marcos Costa (Schneider Electric)

When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)

Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

Signed-off-by: João Marcos Costa (Schneider Electric)
Signed-off-by: Yoann Congal
--- meta/classes/spdx-common.bbclass | 3 +++ meta/lib/oe/spdx30_tasks.py | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 713a7fc651e..ca0416d1c7f 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0" SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" SPDX_INCLUDE_SOURCES ??= "0" +SPDX_INCLUDE_COMPILED_SOURCES ??= "0" SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs" @@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1": + d.setVar("SPDX_INCLUDE_SOURCES", "1") } def create_spdx_source_deps(d): diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index a8970dcca0f..9c422d17573 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -145,6 +145,8 @@ def add_package_files( ignore_dirs=[], ignore_top_level_dirs=[], ): + import oe.spdx + source_date_epoch = d.getVar("SOURCE_DATE_EPOCH") if source_date_epoch: source_date_epoch = int(source_date_epoch) @@ -156,6 +158,11 @@ def add_package_files( bb.note(f"Skip {topdir}") return spdx_files + check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" + if check_compiled_sources: + compiled_sources, types = oe.spdx.get_compiled_sources(d) + bb.debug(1, f"Total compiled files: {len(compiled_sources)}") + for subdir, dirs, files in os.walk(topdir, onerror=walk_error): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): 
@@ -171,6 +178,11 @@ def add_package_files( filename = str(filepath.relative_to(topdir)) file_purposes = get_purposes(filepath) + # Check if file is compiled + if check_compiled_sources: + if not oe.spdx.is_compiled_source(filename, compiled_sources, types): + continue + spdx_file = objset.new_file( get_spdxid(file_counter), filename,
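Review bot: in the anonymous python () block of spdx-common.bbclass, setting SPDX_INCLUDE_COMPILED_SOURCES to "1" silently forces SPDX_INCLUDE_SOURCES to "1", overriding an explicit "0" in the user's configuration, and the new `??=` default carries no comment. Please document the variable next to its default and state there that it implies SPDX_INCLUDE_SOURCES.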
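Review bot: the `continue` added inside the os.walk loop of add_package_files() in spdx30_tasks.py filters for every caller of that function, not only for the source-tree walk. If the function is also used to enumerate packaged files, please confirm that oe.spdx.is_compiled_source() returns True for paths that are not source files, or make the filter an explicit parameter of add_package_files(). The only trace of how many files were matched is `bb.debug(1, ...)`, so a run where get_compiled_sources() returns nothing is easy to miss; a bb.note or bb.warn for the empty case would make that visible.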
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/16] dtc: backport fix for build with glibc-2.43
Date: Mon, 30 Mar 2026 00:37:36 +0200
Message-ID: <58ef52e9ee33c76689a57e6c39e91c00c257c43f.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234162

From: Martin Jansa

glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
https://errors.yoctoproject.org/Errors/Details/903983/

../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  424 | sep = memchr(fixup_str, ':', fixup_len);
      | ^
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  434 | sep = memchr(name, ':', fixup_len);
      | ^
cc1: all warnings being treated as errors

Signed-off-by: Martin Jansa
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
[YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
Signed-off-by: Yoann Congal
--- .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++ meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch new file mode 100644 index 00000000000..c643410ae9b --- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch 
@@ -0,0 +1,85 @@ +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Tue, 6 Jan 2026 14:19:30 -0500 +Subject: [PATCH] Fix discarded const qualifiers + +It's unsafe to implicitly discard the const qualifier on a pointer. In +overlay_fixup_phandle(), this was probably just an oversight, and making +the "sep" variable a const char * is sufficient to fix it. + +In create_node(), however, the "p" variable is directly modifying the +buffer pointed to by "const char* node_name". To fix this, we need to +actually make a duplicate of the buffer and operate on that instead. + +This introduces a malloc()/free() and an unbounded strdup() into the +operation, but fdtput isn't a long-running service and the node_name +argument comes directly from argv, so this shouldn't introduce a +significant performance impact. + +Signed-off-by: Stephen Gallagher +Signed-off-by: David Gibson +Signed-off-by: Martin Jansa +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21] +--- + fdtput.c | 8 +++++--- + libfdt/fdt_overlay.c | 3 ++- + meson.build | 3 ++- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/fdtput.c b/fdtput.c +index c2fecf4..8deec7e 100644 +--- a/fdtput.c ++++ b/fdtput.c +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path) + static int create_node(char **blob, const char *node_name) + { + int node = 0; +- char *p; ++ const char *p; ++ char *path = NULL; + + p = strrchr(node_name, '/'); + if (!p) { + report_error(node_name, -1, -FDT_ERR_BADPATH); + return -1; + } +- *p = '\0'; + + *blob = realloc_node(*blob, p + 1); + + if (p > node_name) { +- node = fdt_path_offset(*blob, node_name); ++ path = xstrndup(node_name, (size_t)(p - node_name)); ++ node = fdt_path_offset(*blob, path); ++ free(path); + if (node < 0) { + report_error(node_name, -1, node); + return -1; +diff --git 
a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c +index 5c0c398..75b0619 100644 +--- a/libfdt/fdt_overlay.c ++++ b/libfdt/fdt_overlay.c +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off, + const char *fixup_str = value; + uint32_t path_len, name_len; + uint32_t fixup_len; +- char *sep, *endptr; ++ const char *sep; ++ char *endptr; + int poffset, ret; + + fixup_end = memchr(value, '\0', len); +diff --git a/meson.build b/meson.build +index 8952e8a..ecb0ae0 100644 +--- a/meson.build ++++ b/meson.build +@@ -14,7 +14,8 @@ add_project_arguments( + '-Wstrict-prototypes', + '-Wmissing-prototypes', + '-Wredundant-decls', +- '-Wshadow' ++ '-Wshadow', ++ '-Wdiscarded-qualifiers' + ]), + language: 'c' + ) diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb index 0702fc16dfa..a2f41197fda 100644 --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb 
@@ -12,6 +12,7 @@ SRC_URI = " \ git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \ file://0001-meson.build-bump-version-to-1.7.0.patch \ file://0002-meson-allow-building-from-shallow-clones.patch \ + file://0001-Fix-discarded-const-qualifiers.patch \ " SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
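Review bot: the `Upstream-Status: Backport` URL in the embedded patch header is scoped to `libfdt/fdt_overlay.c` and carries `id=9a1c801a1a3c102bf95c5339c9e985b26b823a21`, while the `From` line of the same patch names 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca and the patch touches `fdtput.c`, `libfdt/fdt_overlay.c` and `meson.build`. Please point the tag at the commit that was actually picked, without the file path, so the backport can be traced. In the `create_node()` hunk, the description speaks of an unbounded strdup() but the code calls `xstrndup(node_name, (size_t)(p - node_name))`; no visible hunk adds that helper, so confirm it exists at the pinned SRCREV 039a99414e778332d8f9c04cbd3072e1dcc62798.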
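Review bot: in the `SRC_URI` hunk of `dtc_1.7.0.bb`, the new entry reuses the `0001-` prefix already taken by `0001-meson.build-bump-version-to-1.7.0.patch` and is listed after the `0002-` entry, so the prefixes no longer reflect the order in which the patches apply. Renaming the file to `0003-Fix-discarded-const-qualifiers.patch` would keep the list unambiguous.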
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/16] pseudo: Add fix for glibc 2.43 Date: Mon, 30 Mar 2026 00:37:37 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234163 From: Richard Purdie Update to add a fix for a function definition to work with glibc 2.43. Signed-off-by: Richard Purdie [YC: upstream commit 7d35b0e7929d666af783db835a3a809f8f6ce429] Signed-off-by: Yoann Congal --- meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 0f063f18812..3ae560487bd 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb 
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "43cbd8fb4914328094ccdb4bb827d74b1bac2046" +SRCREV = "56e1f8df4761da60e41812fc32b1de797d1765e9" S = "${WORKDIR}/git" PV = "1.9.3+git"
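Review bot: the `SRCREV` change from 43cbd8fb4914328094ccdb4bb827d74b1bac2046 to 56e1f8df4761da60e41812fc32b1de797d1765e9 pulls in every pseudo commit between the two revisions, while the message mentions only one function-definition fix for glibc 2.43. For a scarthgap backport, please list the pseudo commits contained in that range in the commit message, or state that the fix is the only one, so the risk of the bump can be judged from the log.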
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/16] yocto-uninative: Update to 5.0 for needed patchelf updates Date: Mon, 30 Mar 2026 00:37:38 +0200 Message-ID: <2e2985c52dfdd9601e97477f26fd6c442b418ba5.1774823430.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234164 From: Michael Halstead Solves some segfaults on relocated qemu-img binaries. [YOCTO #16003] Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit b322bc5387f3baedca5c71ccecaed08d2b046eab) [YC: fixed the commit title] Signed-off-by: Yoann Congal --- meta/conf/distro/include/yocto-uninative.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 3ced03d4771..e9dc6c86408 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc 
@@ -7,9 +7,9 @@ # UNINATIVE_MAXGLIBCVERSION = "2.42" -UNINATIVE_VERSION = "4.9" +UNINATIVE_VERSION = "5.0" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85" -UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09" -UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a" +UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76" +UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956" +UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"
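Review bot: `UNINATIVE_URL` in the unchanged context line still fetches over plain `http://`, so the three replaced `UNINATIVE_CHECKSUM` values are the only integrity control on the 5.0 tarballs. Please say in the commit message where the aarch64, i686 and x86_64 digests were taken from (for example, the checksums published with the release), since they cannot be validated from the diff alone.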
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/16] yocto-uninative: Update to 5.1 for glibc 2.43 Date: Mon, 30 Mar 2026 00:37:39 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234165 From: Michael Halstead Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit c1fb515f2a88fa0a0e95529afc07a99db001af0e) [YC: fix duplicated line in commit message] Signed-off-by: Yoann Congal --- meta/conf/distro/include/yocto-uninative.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index e9dc6c86408..d97c96f631f 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.42" -UNINATIVE_VERSION = "5.0" +UNINATIVE_MAXGLIBCVERSION = "2.43" +UNINATIVE_VERSION = "5.1" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76" -UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956" -UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d" +UNINATIVE_CHECKSUM[aarch64] ?= "4166237a9dabd222dcb9627a9435dffd756764fabf76ed7ef2e93dc2964567ad" +UNINATIVE_CHECKSUM[i686] ?= "761502cc9aef4d54d0c6fe9418beb9fdd2c6220da6f2b04128c89f47902ab9ae" +UNINATIVE_CHECKSUM[x86_64] ?= "2b63a078c26535e0786e87f81ae69509df30f4dce40693004c527bd5e4ab2b85"
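Review bot: the commit message has no body beyond sign-offs and the cherry-pick reference, yet the hunk changes `UNINATIVE_MAXGLIBCVERSION` from "2.42" to "2.43" in addition to the version and the three checksums. Please add one sentence stating that 5.1 is what allows hosts with glibc 2.43, so the reason for lifting the version cap is recorded in the log and not only in the subject line.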
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/16] elfutils: don't add -Werror to avoid discarded-qualifiers Date: Mon, 30 Mar 2026 00:37:40 +0200 Message-ID: <4ad061a46e26b12c1f2352274fe7c9a829fe9756.1774823430.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234166 From: Martin Jansa With glibc-2.43 on host elfutils-native fails with: elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from: https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77 Signed-off-by: Martin Jansa Signed-off-by: Yoann Congal --- .../elfutils/elfutils_0.191.bb | 1 + ...001-config-eu.am-do-not-force-Werror.patch | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb index 0fd6d31af19..5156e5c9f6d 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \ file://0001-debuginfod-Remove-unused-variable.patch \ file://0001-srcfiles-fix-unused-variable-BUFFER_SIZE.patch \ + file://0001-config-eu.am-do-not-force-Werror.patch \ file://CVE-2025-1352.patch \ file://CVE-2025-1365.patch \ file://CVE-2025-1372.patch \ diff --git a/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch new file mode 100644 index 00000000000..d4e141927f1 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch 
@@ -0,0 +1,34 @@ +From e169c3fc734be1783b3e1a4768dbec05fb64cb4f Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Fri, 22 Nov 2024 12:50:48 +0100 +Subject: [PATCH] config/eu.am: do not force -Werror + +This is undesirable when compiler versions may not be the same +as what upstream is using for their own testing. + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin +--- + config/eu.am | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/config/eu.am b/config/eu.am +index 0b7dab5..5e7a03f 100644 +--- a/config/eu.am ++++ b/config/eu.am +@@ -99,7 +99,6 @@ AM_CFLAGS = -std=gnu99 -Wall -Wshadow -Wformat=2 \ + $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \ + $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \ + $(USE_AFTER_FREE3_WARNING) \ +- $(if $($(*F)_no_Werror),,-Werror) \ + $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \ + $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \ + $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \ +@@ -109,7 +108,6 @@ AM_CXXFLAGS = -std=c++11 -Wall -Wshadow \ + $(TRAMPOLINES_WARNING) \ + $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \ + $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \ +- $(if $($(*F)_no_Werror),,-Werror) \ + $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \ + $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \ + $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \
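Review bot: removing `$(if $($(*F)_no_Werror),,-Werror)` from both `AM_CFLAGS` and `AM_CXXFLAGS` makes every warning in the tree non-fatal, although the failure being fixed is a single discarded-qualifiers diagnostic at `libcpu/riscv_disasm.c:1259`. The removed line shows that `config/eu.am` already has a per-file `<stem>_no_Werror` switch; if keeping -Werror for the rest of the build matters on scarthgap, setting that switch for the affected file would be the narrower change. If the global removal is preferred to stay aligned with master, the discarded-qualifiers warning will still appear in the compile log and is worth a follow-up fix.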
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/16] binutils: backport patch to fix build with glibc-2.43 on host Date: Mon, 30 Mar 2026 00:37:41 +0200 Message-ID: <4618b2cc830e53ede824ec0d9abbd939013d1c94.1774823430.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234167
From: Martin Jansa Fixes: ../../../gprofng/libcollector/linetrace.c: In function ‘__collector_ext_line_install’: ../../../gprofng/libcollector/linetrace.c:219:45: error: expected identifier before ‘_Generic’ 219 | if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION)) | ^~~~~~ ../../../gprofng/libcollector/linetrace.c:219:34: note: in expansion of macro ‘CALL_UTIL’ 219 | if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION)) | ^~~~~~~~~ Signed-off-by: Martin Jansa Signed-off-by: Yoann Congal --- .../binutils/binutils-2.42.inc | 1 + ...tect-against-standard-library-macros.patch | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 839d31242ef..36bd49ad03d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -43,6 +43,7 @@ SRC_URI = "\ file://0019-Fix-32097-Warnings-when-building-gprofng-with-Clang.patch \ file://0020-gprofng-fix-std-gnu23-compatibility-wrt-unprototyped.patch \ file://0021-gprofng-fix-build-with-std-gnu23.patch \ + file://0022-gprofng-protect-against-standard-library-macros.patch \ file://0018-CVE-2025-0840.patch \ file://CVE-2025-1176.patch \ file://CVE-2025-1178.patch \ diff --git a/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch new file mode 100644 index 00000000000..0fa0a939918 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch 
@@ -0,0 +1,31 @@ +From 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Sat, 22 Nov 2025 11:29:43 +0100 +Subject: [PATCH] gprofng: protect against standard library macros + +The CALL_UTIL macro can expand to an unparsable expression of the argument +is a macro, like with the new const-preserving standard library macros in +C23. + + * gprofng/src/collector_module.h (CALL_UTIL): Add parens to not + expand its argument if it is a function-like macro. + +Upstream-Status: Backport [2.46 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41] +Signed-off-by: Martin Jansa +--- + gprofng/src/collector_module.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gprofng/src/collector_module.h b/gprofng/src/collector_module.h +index b64d69c45ab..859a6dd1f7d 100644 +--- a/gprofng/src/collector_module.h ++++ b/gprofng/src/collector_module.h +@@ -119,7 +119,7 @@ typedef struct CollectorUtilFuncs + extern CollectorUtilFuncs __collector_util_funcs; + extern int __collector_dlsym_guard; + +-#define CALL_UTIL(x) __collector_util_funcs.x ++#define CALL_UTIL(x) (__collector_util_funcs.x) + + /* The following constants define the meaning of the "void *arg" + * argument of getFrameInfo(). 
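Review bot: the parentheses added to `CALL_UTIL(x)` in `gprofng/src/collector_module.h` look redundant to anyone who has not read the commit message, and the hunk adds no comment explaining them. A one-line comment above the `#define`, saying that the parentheses keep a function-like macro passed as `x` from being expanded, would protect the fix from a later cleanup; since this is a backport, that comment is best proposed upstream so the patch stays identical to 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41.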
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/16] python3-pyopenssl: Fix CVE-2026-27448 Date: Mon, 30 Mar 2026 00:37:42 +0200 Message-ID: <7b5fd457e64f50aa501361b2ca8a0732767d60cf.1774823430.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234168 From: Vijay Anusuri Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++ .../python/python3-pyopenssl_24.0.0.bb | 4 + 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch new file mode 100644 index 00000000000..87f46b4cb0f --- /dev/null +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch 
@@ -0,0 +1,124 @@ +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 16 Feb 2026 21:04:37 -0500 +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks + (#1478) + +When the servername callback raises an exception, call sys.excepthook +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort +the handshake. Previously, exceptions would propagate uncaught through +the CFFI callback boundary. + +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi + +Co-authored-by: Claude + +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0] +CVE: CVE-2026-27448 +Signed-off-by: Vijay Anusuri +--- + CHANGELOG.rst | 1 + + src/OpenSSL/SSL.py | 7 ++++++- + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 6e23770..12e60e4 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -18,6 +18,7 @@ Changes: + + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated. + `#1279 `_. ++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. 
+ + 23.3.0 (2023-10-25) + ------------------- +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 4db5240..a6263c4 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1,5 +1,6 @@ + import os + import socket ++import sys + import typing + from errno import errorcode + from functools import partial, wraps +@@ -1567,7 +1568,11 @@ class Context: + + @wraps(callback) + def wrapper(ssl, alert, arg): +- callback(Connection._reverse_mapping[ssl]) ++ try: ++ callback(Connection._reverse_mapping[ssl]) ++ except Exception: ++ sys.excepthook(*sys.exc_info()) ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL + return 0 + + self._tlsext_servername_callback = _ffi.callback( +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index ca5bf83..55489b9 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -1855,6 +1855,56 @@ class TestServerNameCallback: + + assert args == [(server, b"foo1.example.com")] + ++ def test_servername_callback_exception( ++ self, monkeypatch: pytest.MonkeyPatch ++ ) -> None: ++ """ ++ When the callback passed to `Context.set_tlsext_servername_callback` ++ raises an exception, ``sys.excepthook`` is called with the exception ++ and the handshake fails with an ``Error``. 
++ """ ++ exc = TypeError("server name callback failed") ++ ++ def servername(conn: Connection) -> None: ++ raise exc ++ ++ excepthook_calls: list[ ++ tuple[type[BaseException], BaseException, object] ++ ] = [] ++ ++ def custom_excepthook( ++ exc_type: type[BaseException], ++ exc_value: BaseException, ++ exc_tb: object, ++ ) -> None: ++ excepthook_calls.append((exc_type, exc_value, exc_tb)) ++ ++ context = Context(SSLv23_METHOD) ++ context.set_tlsext_servername_callback(servername) ++ ++ # Necessary to actually accept the connection ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ context.use_certificate( ++ load_certificate(FILETYPE_PEM, server_cert_pem) ++ ) ++ ++ # Do a little connection to trigger the logic ++ server = Connection(context, None) ++ server.set_accept_state() ++ ++ client = Connection(Context(SSLv23_METHOD), None) ++ client.set_connect_state() ++ client.set_tlsext_host_name(b"foo1.example.com") ++ ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook) ++ with pytest.raises(Error): ++ interact_in_memory(server, client) ++ ++ assert len(excepthook_calls) == 1 ++ assert excepthook_calls[0][0] is TypeError ++ assert excepthook_calls[0][1] is exc ++ assert excepthook_calls[0][2] is not None ++ + + class TestApplicationLayerProtoNegotiation: + """ +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb index 116f214bfa8..bc0b568a46a 100644 --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb 
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33 PYPI_PACKAGE = "pyOpenSSL" inherit pypi setuptools3 +SRC_URI += " \ + file://CVE-2026-27448.patch \ +" + PACKAGES =+ "${PN}-tests" FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
From patchwork Sun Mar 29 22:37:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 84755 X-Patchwork-Delegate: yoann.congal@smile.fr
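Review bot: In the `src/OpenSSL/SSL.py` hunk of CVE-2026-27448.patch (patch 10/16), `wrapper` catches only `Exception`, so a `BaseException` raised by the servername callback (`KeyboardInterrupt`, `SystemExit`) still crosses the CFFI callback boundary, which is the case the commit message says is being closed. If that is deliberate, a comment next to `except Exception:` should say so; if not, the handler should cover it. The call `sys.excepthook(*sys.exc_info())` is also unguarded, so a hook that itself raises has the same effect. The added test only installs a hook that appends to a list, so it does not exercise that path.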
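Review bot: The `tests/test_ssl.py` hunk of CVE-2026-27448.patch adds `test_servername_callback_exception`, but the recipe hunk only appends the patch to `SRC_URI`, and the recipe's `FILES:${PN}-tests` points at `site-packages/OpenSSL/test` rather than at `tests/`. Nothing visible in this patch shows the new test being run against the 24.0.0 backport. The commit message says only "Pick patch mentioned in NVD"; please add a line stating whether the test was run on scarthgap and how.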
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/16] python3-pyopenssl: Fix CVE-2026-27459 Date: Mon, 30 Mar 2026 00:37:43 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234169 From: Vijay Anusuri Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../python3-pyopenssl/CVE-2026-27459.patch | 109 ++++++++++++++++++ .../python/python3-pyopenssl_24.0.0.bb | 1 + 2 files changed, 110 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch new file mode 100644 index 00000000000..f75540f96e0 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch 
@@ -0,0 +1,109 @@ +From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Wed, 18 Feb 2026 07:46:15 -0500 +Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback + (#1479) + +The cookie generate callback copied user-returned bytes into a +fixed-size native buffer without enforcing a maximum length. A +callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow +the OpenSSL-provided buffer, corrupting adjacent memory. + +Co-authored-by: Claude Opus 4.6 + +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408] +CVE: CVE-2026-27459 +Signed-off-by: Vijay Anusuri +--- + CHANGELOG.rst | 1 + + src/OpenSSL/SSL.py | 7 +++++++ + tests/test_ssl.py | 38 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 46 insertions(+) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 12e60e4..6041fdc 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -16,6 +16,7 @@ Deprecations: + Changes: + ^^^^^^^^ + ++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow. + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated. + `#1279 `_. + - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. 
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index a6263c4..2e4da78 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper): + def __init__(self, callback): + _CallbackExceptionHelper.__init__(self) + ++ max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255) ++ + @wraps(callback) + def wrapper(ssl, out, outlen): + try: + conn = Connection._reverse_mapping[ssl] + cookie = callback(conn) ++ if len(cookie) > max_cookie_len: ++ raise ValueError( ++ f"Cookie too long (got {len(cookie)} bytes, " ++ f"max {max_cookie_len})" ++ ) + out[0 : len(cookie)] = cookie + outlen[0] = len(cookie) + return 1 +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 55489b9..683e368 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -4560,6 +4560,44 @@ class TestDTLS: + def test_it_works_with_srtp(self): + self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80") + ++ def test_cookie_generate_too_long(self) -> None: ++ s_ctx = Context(DTLS_METHOD) ++ ++ def generate_cookie(ssl: Connection) -> bytes: ++ return b"\x00" * 256 ++ ++ def verify_cookie(ssl: Connection, cookie: bytes) -> bool: ++ return True ++ ++ s_ctx.set_cookie_generate_callback(generate_cookie) ++ s_ctx.set_cookie_verify_callback(verify_cookie) ++ s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) ++ s_ctx.set_options(OP_NO_QUERY_MTU) ++ s = Connection(s_ctx) ++ s.set_accept_state() ++ ++ c_ctx = Context(DTLS_METHOD) ++ c_ctx.set_options(OP_NO_QUERY_MTU) ++ c = Connection(c_ctx) ++ c.set_connect_state() ++ ++ c.set_ciphertext_mtu(1500) ++ s.set_ciphertext_mtu(1500) ++ ++ # Client sends ClientHello ++ try: ++ c.do_handshake() ++ except SSL.WantReadError: ++ pass ++ chunk = c.bio_read(self.LARGE_BUFFER) ++ s.bio_write(chunk) ++ ++ # Server tries DTLSv1_listen, which triggers cookie generation. 
++ # The oversized cookie should raise ValueError. ++ with pytest.raises(ValueError, match="Cookie too long"): ++ s.DTLSv1_listen() ++ + def test_timeout(self, monkeypatch): + c_ctx = Context(DTLS_METHOD) + c = Connection(c_ctx) +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb index bc0b568a46a..94a70aa17d1 100644 --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb 
@@ -12,6 +12,7 @@ inherit pypi setuptools3 SRC_URI += " \ file://CVE-2026-27448.patch \ + file://CVE-2026-27459.patch \ " PACKAGES =+ "${PN}-tests"
From patchwork Sun Mar 29 22:37:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 84760 X-Patchwork-Delegate: yoann.congal@smile.fr
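Review bot: In the `_CookieGenerateCallbackHelper` hunk of CVE-2026-27459.patch (patch 11/16), `getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)` falls back to a literal when the binding does not export the constant. The bound on the copy `out[0 : len(cookie)] = cookie` then depends on that literal matching the buffer OpenSSL hands in. A comment giving the source of 255 would help. For this backport it is also worth confirming that the `_lib` built on scarthgap exposes `DTLS1_COOKIE_LENGTH`, so that the fallback is not what enforces the limit.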
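Review bot: `test_cookie_generate_too_long` in the `tests/test_ssl.py` hunk of CVE-2026-27459.patch checks only a 256-byte cookie, one byte past the fallback limit. It never shows that a cookie of exactly the maximum length is still accepted, so an off-by-one in `len(cookie) > max_cookie_len` (for example `>=`) would pass unnoticed. A second case at the limit would pin the boundary down.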
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/16] gnutls: Fix CVE-2025-14831 Date: Mon, 30 Mar 2026 00:37:44 +0200 Message-ID: <385a337cbfde6538a3611bd80e8633d95d60e219.1774823430.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234170 From: Vijay Anusuri Picked commits which mention this CVE per [1]. [1] https://ubuntu.com/security/CVE-2025-14831 [2] https://security-tracker.debian.org/tracker/CVE-2025-14831 [3] https://gitlab.com/gnutls/gnutls/-/issues/1773 Signed-off-by: Vijay Anusuri
Signed-off-by: Yoann Congal --- .../gnutls/gnutls/CVE-2025-14831-1.patch | 61 +++ .../gnutls/gnutls/CVE-2025-14831-2.patch | 30 ++ .../gnutls/gnutls/CVE-2025-14831-3.patch | 45 ++ .../gnutls/gnutls/CVE-2025-14831-4.patch | 200 +++++++ .../gnutls/gnutls/CVE-2025-14831-5.patch | 500 ++++++++++++++++++ .../gnutls/gnutls/CVE-2025-14831-6.patch | 119 +++++ .../gnutls/gnutls/CVE-2025-14831-7.patch | 150 ++++++ .../gnutls/gnutls/CVE-2025-14831-8.patch | 105 ++++ .../gnutls/gnutls/CVE-2025-14831-9.patch | 437 +++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 9 + 10 files changed, 1656 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch new file mode 100644 index 00000000000..ae52a43a2c0 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch 
@@ -0,0 +1,61 @@ +From 0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 19:02:27 +0100 +Subject: [PATCH] x509/name_constraints: use actual zeroes in universal exclude + IP NC + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -61,7 +61,7 @@ struct gnutls_name_constraints_st { + + static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, +- unsigned char *data, unsigned int size); ++ const unsigned char *data, unsigned int size); + + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, +@@ -285,7 +285,7 @@ static void name_constraints_node_free(s + -*/ + static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, +- unsigned char *data, unsigned int size) ++ const unsigned char *data, unsigned int size) + { + struct name_constraints_node_st *tmp; + int ret; +@@ -339,6 +339,7 @@ static int name_constraints_node_list_in + struct name_constraints_node_list_st removed = { .data = NULL, + .size = 0, + .capacity = 0 }; ++ static const unsigned char universal_ip[32] = { 0 }; + + /* temporary array to see, if we need to add universal excluded constraints + * (see phase 3 for details) +@@ -471,7 +472,7 @@ static int name_constraints_node_list_in + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 + tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, NULL, 8); ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); + if (tmp == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; +@@ -484,7 +485,7 @@ static int 
name_constraints_node_list_in + } + // add universal restricted range for IPv6 + tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, NULL, 32); ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32); + if (tmp == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch new file mode 100644 index 00000000000..0d340325541 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch @@ -0,0 +1,30 @@ +From 85d6348a30c74d4ee3710e0f4652f634eaad6914 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 19:10:58 +0100 +Subject: [PATCH] tests/name-constraints-ip: stop swallowing errors... + +... now when it started to pass + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/85d6348a30c74d4ee3710e0f4652f634eaad6914] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + tests/name-constraints-ip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c +index 7a196088dc..a0cf172b7f 100644 +--- a/tests/name-constraints-ip.c ++++ b/tests/name-constraints-ip.c +@@ -772,5 +772,5 @@ int main(int argc, char **argv) + cmocka_unit_test_setup_teardown( + check_ipv4v6_single_constraint_each, setup, teardown) + }; +- cmocka_run_group_tests(tests, NULL, NULL); ++ return cmocka_run_group_tests(tests, NULL, NULL); + } +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch new file mode 100644 index 00000000000..ed4a7da3c7a --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch 
@@ -0,0 +1,45 @@ +From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 20:14:33 +0100 +Subject: [PATCH] x509/name_constraints: reject some malformed domain names + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index d07482e3c9..9783d92851 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, + return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR); + } + ++ /* Validate DNS names and email addresses for malformed input */ ++ if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) { ++ unsigned int i; ++ if (name->size == 0) ++ return GNUTLS_E_SUCCESS; ++ ++ /* reject names with consecutive dots... */ ++ for (i = 0; i + 1 < name->size; i++) { ++ if (name->data[i] == '.' && name->data[i + 1] == '.') ++ return gnutls_assert_val( ++ GNUTLS_E_ILLEGAL_PARAMETER); ++ } ++ /* ... or names consisting exclusively of dots */ ++ if (name->size == 1 && name->data[0] == '.') ++ return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ } ++ + return GNUTLS_E_SUCCESS; + } + +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch new file mode 100644 index 00000000000..99ec9c5e9a3 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch 
@@ -0,0 +1,200 @@ +From 6db7da7fcfe230f445b1edbb56e2a8346120c891 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Thu, 5 Feb 2026 13:22:10 +0100 +Subject: [PATCH] x509/name_constraints: name_constraints_node_add_{new,copy} + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/6db7da7fcfe230f445b1edbb56e2a8346120c891] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 112 ++++++++++++++++-------------------- + 1 file changed, 51 insertions(+), 61 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -86,6 +86,38 @@ name_constraints_node_list_add(struct na + return 0; + } + ++static int ++name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *list, ++ unsigned type, const unsigned char *data, ++ unsigned int size) ++{ ++ struct name_constraints_node_st *node; ++ int ret; ++ node = name_constraints_node_new(nc, type, data, size); ++ if (node == NULL) { ++ gnutls_assert(); ++ return GNUTLS_E_MEMORY_ERROR; ++ } ++ ret = name_constraints_node_list_add(list, node); ++ if (ret < 0) { ++ gnutls_assert(); ++ return ret; ++ } ++ return GNUTLS_E_SUCCESS; ++} ++ ++static int ++name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *dest, ++ const struct name_constraints_node_st *src) ++{ ++ if (!src) ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ return name_constraints_node_add_new(nc, dest, src->type, ++ src->name.data, src->name.size); ++} ++ + // for documentation see the implementation + static int name_constraints_intersect_nodes( + gnutls_x509_name_constraints_t nc, +@@ -188,7 +220,6 @@ static int extract_name_constraints(gnut + unsigned indx; + gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; +- struct name_constraints_node_st *node; + + for (indx = 1;; indx++) { + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, 
indx); +@@ -231,15 +262,9 @@ static int extract_name_constraints(gnut + goto cleanup; + } + +- node = name_constraints_node_new(nc, type, tmp.data, tmp.size); ++ ret = name_constraints_node_add_new(nc, nodes, type, tmp.data, ++ tmp.size); + _gnutls_free_datum(&tmp); +- if (node == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- +- ret = name_constraints_node_list_add(nodes, node); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -459,14 +484,7 @@ static int name_constraints_node_list_in + // Beware: also copies nodes other than DNS, email, IP, + // since their counterpart may have been moved in phase 1. + if (!used) { +- tmp = name_constraints_node_new( +- nc, t2->type, t2->name.data, t2->name.size); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(permitted, tmp); ++ ret = name_constraints_node_add_copy(nc, permitted, t2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -488,27 +506,17 @@ static int name_constraints_node_list_in + switch (type) { + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 +- tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new( ++ nc, excluded, GNUTLS_SAN_IPADDRESS, ++ universal_ip, 8); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + // add universal restricted range for IPv6 +- tmp = name_constraints_node_new( +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new( ++ nc, excluded, GNUTLS_SAN_IPADDRESS, ++ universal_ip, 32); + if (ret < 0) { + gnutls_assert(); + goto cleanup; 
+@@ -516,13 +524,8 @@ static int name_constraints_node_list_in + break; + case GNUTLS_SAN_DNSNAME: + case GNUTLS_SAN_RFC822NAME: +- tmp = name_constraints_node_new(nc, type, NULL, 0); +- if (tmp == NULL) { +- gnutls_assert(); +- ret = GNUTLS_E_MEMORY_ERROR; +- goto cleanup; +- } +- ret = name_constraints_node_list_add(excluded, tmp); ++ ret = name_constraints_node_add_new(nc, excluded, type, ++ NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -544,20 +547,13 @@ static int name_constraints_node_list_co + struct name_constraints_node_list_st *nodes, + const struct name_constraints_node_list_st *nodes2) + { ++ int ret; ++ + for (size_t i = 0; i < nodes2->size; i++) { +- const struct name_constraints_node_st *node = nodes2->data[i]; +- struct name_constraints_node_st *tmp; +- int ret; +- +- tmp = name_constraints_node_new(nc, node->type, node->name.data, +- node->name.size); +- if (tmp == NULL) { +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- } +- ret = name_constraints_node_list_add(nodes, tmp); ++ ret = name_constraints_node_add_copy(nc, nodes, ++ nodes2->data[i]); + if (ret < 0) { +- name_constraints_node_free(tmp); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ return gnutls_assert_val(ret); + } + } + +@@ -687,7 +683,6 @@ static int name_constraints_add(gnutls_x + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t *name, unsigned permitted) + { +- struct name_constraints_node_st *tmp; + struct name_constraints_node_list_st *nodes; + int ret; + +@@ -697,15 +692,10 @@ static int name_constraints_add(gnutls_x + + nodes = permitted ? 
&nc->permitted : &nc->excluded; + +- tmp = name_constraints_node_new(nc, type, name->data, name->size); +- if (tmp == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- ret = name_constraints_node_list_add(nodes, tmp); +- if (ret < 0) { +- name_constraints_node_free(tmp); ++ ret = name_constraints_node_add_new(nc, nodes, type, name->data, ++ name->size); ++ if (ret < 0) + return gnutls_assert_val(ret); +- } + + return 0; + } diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch new file mode 100644 index 00000000000..7c5ffdf6d8b --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch 
@@ -0,0 +1,500 @@ +From 094accd3ebec17ead6c391757eaa18763b72d83f Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 26 Jan 2026 20:16:36 +0100 +Subject: [PATCH] x509/name_constraints: introduce a rich comparator + +These are preparatory changes before implementing N * log N intersection +over sorted lists of constraints. + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/094accd3ebec17ead6c391757eaa18763b72d83f] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 411 ++++++++++++++++++++++++++++-------- + 1 file changed, 320 insertions(+), 91 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -39,6 +39,9 @@ + #include "ip.h" + #include "ip-in-cidr.h" + #include "intprops.h" ++#include "minmax.h" ++ ++#include + + #define MAX_NC_CHECKS (1 << 20) + +@@ -63,6 +66,282 @@ static struct name_constraints_node_st * + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, + const unsigned char *data, unsigned int size); + ++/* An enum for "rich" comparisons that not only let us sort name constraints, ++ * children-before-parent, but also subsume them during intersection. 
*/ ++enum name_constraint_relation { ++ NC_SORTS_BEFORE = -2, /* unrelated constraints */ ++ NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort first */ ++ NC_EQUAL = 0, /* exact match */ ++ NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */ ++ NC_SORTS_AFTER = 2 /* unrelated constraints */ ++}; ++ ++/* A helper to compare just a pair of strings with this rich comparison */ ++static enum name_constraint_relation ++compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len) ++{ ++ int r = memcmp(n1, n2, MIN(n1_len, n2_len)); ++ if (r < 0) ++ return NC_SORTS_BEFORE; ++ if (r > 0) ++ return NC_SORTS_AFTER; ++ if (n1_len < n2_len) ++ return NC_SORTS_BEFORE; ++ if (n1_len > n2_len) ++ return NC_SORTS_AFTER; ++ return NC_EQUAL; ++} ++ ++/* Rich-compare DNS names. Example order/relationships: ++ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */ ++static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ enum name_constraint_relation rel; ++ unsigned int i, j, i_end, j_end; ++ ++ /* start from the end of each name */ ++ i = i_end = n1->size; ++ j = j_end = n2->size; ++ ++ /* skip the trailing dots for the comparison */ ++ while (i && n1->data[i - 1] == '.') ++ i_end = i = i - 1; ++ while (j && n2->data[j - 1] == '.') ++ j_end = j = j - 1; ++ ++ while (1) { ++ // rewind back to beginning or an after-dot position ++ while (i && n1->data[i - 1] != '.') ++ i--; ++ while (j && n2->data[j - 1] != '.') ++ j--; ++ ++ rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j], ++ j_end - j); ++ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */ ++ return NC_SORTS_BEFORE; ++ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */ ++ return NC_SORTS_AFTER; ++ if (!i && j) /* x.a INCLUDES z.x.a */ ++ return NC_INCLUDES; ++ if (i && !j) /* z.x.a INCLUDED_BY x.a */ ++ return NC_INCLUDED_BY; ++ ++ if (!i && !j) /* r == 0, we ran out of components to compare */ ++ return 
NC_EQUAL; ++ /* r == 0, i && j: step back past a dot and keep comparing */ ++ i_end = i = i - 1; ++ j_end = j = j - 1; ++ ++ /* support for non-standard ".gr INCLUDES example.gr" [1] */ ++ if (!i && j) /* .a INCLUDES x.a */ ++ return NC_INCLUDES; ++ if (i && !j) /* x.a INCLUDED_BY .a */ ++ return NC_INCLUDED_BY; ++ } ++} ++/* [1] https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */ ++ ++/* Rich-compare email name constraints. Example order/relationships: ++ * z@x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE y@b */ ++static enum name_constraint_relation compare_emails(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ enum name_constraint_relation domains_rel; ++ unsigned int i, j, i_end, j_end; ++ gnutls_datum_t d1, d2; /* borrow from n1 and n2 */ ++ ++ /* start from the end of each name */ ++ i = i_end = n1->size; ++ j = j_end = n2->size; ++ ++ /* rewind to @s to look for domains */ ++ while (i && n1->data[i - 1] != '@') ++ i--; ++ d1.size = i_end - i; ++ d1.data = &n1->data[i]; ++ while (j && n2->data[j - 1] != '@') ++ j--; ++ d2.size = j_end - j; ++ d2.data = &n2->data[j]; ++ ++ domains_rel = compare_dns_names(&d1, &d2); ++ ++ /* email constraint semantics differ from DNS ++ * DNS: x.a INCLUDED_BY a ++ * Email: x.a INCLUDED_BY .a BEFORE a */ ++ if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) { ++ bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.'); ++ bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.'); ++ /* a constraint without a dot is exact, excluding subdomains */ ++ if (!d2_has_dot && domains_rel == NC_INCLUDED_BY) ++ domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */ ++ if (!d1_has_dot && domains_rel == NC_INCLUDES) ++ domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */ ++ } ++ ++ if (!i && !j) { /* both are domains-only */ ++ return domains_rel; ++ } else if (i && !j) { /* n1 is email, n2 is domain */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case 
NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: /* n2 is more specific, a@x.a AFTER z.x.a */ ++ return NC_SORTS_AFTER; ++ case NC_EQUAL: /* subdomains match, z@x.a INCLUDED_BY x.a */ ++ case NC_INCLUDED_BY: /* n1 is more specific */ ++ return NC_INCLUDED_BY; ++ } ++ } else if (!i && j) { /* n1 is domain, n2 is email */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: /* n2 is more specific, a AFTER z@x.a */ ++ return NC_SORTS_AFTER; ++ case NC_EQUAL: /* subdomains match, x.a INCLUDES z@x.a */ ++ return NC_INCLUDES; ++ case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a */ ++ return NC_SORTS_BEFORE; ++ } ++ } else if (i && j) { /* both are emails */ ++ switch (domains_rel) { ++ case NC_SORTS_AFTER: ++ return NC_SORTS_AFTER; ++ case NC_SORTS_BEFORE: ++ return NC_SORTS_BEFORE; ++ case NC_INCLUDES: // n2 is more specific ++ return NC_SORTS_AFTER; ++ case NC_INCLUDED_BY: // n1 is more specific ++ return NC_SORTS_BEFORE; ++ case NC_EQUAL: // only case when we need to look before the @ ++ break; // see below for readability ++ } ++ } ++ ++ /* i && j, both are emails, domain names match, compare up to @ */ ++ return compare_strings(n1->data, i - 1, n2->data, j - 1); ++} ++ ++/* Rich-compare IP address constraints. 
Example order/relationships: ++ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY 1::1/127 */ ++static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1, ++ const gnutls_datum_t *n2) ++{ ++ unsigned int len, i; ++ int r; ++ const unsigned char *ip1, *ip2, *mask1, *mask2; ++ unsigned char masked11[16], masked22[16], masked12[16], masked21[16]; ++ ++ if (n1->size < n2->size) ++ return NC_SORTS_BEFORE; ++ if (n1->size > n2->size) ++ return NC_SORTS_AFTER; ++ len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */ ++ ++ /* data is a concatenation of prefix and mask */ ++ ip1 = n1->data; ++ ip2 = n2->data; ++ mask1 = n1->data + len; ++ mask2 = n2->data + len; ++ for (i = 0; i < len; i++) { ++ masked11[i] = ip1[i] & mask1[i]; ++ masked22[i] = ip2[i] & mask2[i]; ++ masked12[i] = ip1[i] & mask2[i]; ++ masked21[i] = ip2[i] & mask1[i]; ++ } ++ ++ r = memcmp(mask1, mask2, len); ++ if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < prefix2 */ ++ return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */ ++ if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > prefix2 */ ++ return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */ ++ ++ r = memcmp(masked11, masked22, len); ++ if (r < 0) ++ return NC_SORTS_BEFORE; ++ else if (r > 0) ++ return NC_SORTS_AFTER; ++ return NC_EQUAL; ++} ++ ++static inline bool is_supported_type(unsigned type) ++{ ++ return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || ++ type == GNUTLS_SAN_IPADDRESS; ++} ++ ++/* Universal comparison for name constraint nodes. ++ * Unsupported types sort before supported types to allow early handling. ++ * NULL represents end-of-list and sorts after everything else. 
*/ ++static enum name_constraint_relation ++compare_name_constraint_nodes(const struct name_constraints_node_st *n1, ++ const struct name_constraints_node_st *n2) ++{ ++ bool n1_supported, n2_supported; ++ ++ if (!n1 && !n2) ++ return NC_EQUAL; ++ if (!n1) ++ return NC_SORTS_AFTER; ++ if (!n2) ++ return NC_SORTS_BEFORE; ++ ++ n1_supported = is_supported_type(n1->type); ++ n2_supported = is_supported_type(n2->type); ++ ++ /* unsupported types bubble up (sort first). intersect relies on this */ ++ if (!n1_supported && n2_supported) ++ return NC_SORTS_BEFORE; ++ if (n1_supported && !n2_supported) ++ return NC_SORTS_AFTER; ++ ++ /* next, sort by type */ ++ if (n1->type < n2->type) ++ return NC_SORTS_BEFORE; ++ if (n1->type > n2->type) ++ return NC_SORTS_AFTER; ++ ++ /* now look deeper */ ++ switch (n1->type) { ++ case GNUTLS_SAN_DNSNAME: ++ return compare_dns_names(&n1->name, &n2->name); ++ case GNUTLS_SAN_RFC822NAME: ++ return compare_emails(&n1->name, &n2->name); ++ case GNUTLS_SAN_IPADDRESS: ++ return compare_ip_ncs(&n1->name, &n2->name); ++ default: ++ /* unsupported types: stable lexicographic order */ ++ return compare_strings(n1->name.data, n1->name.size, ++ n2->name.data, n2->name.size); ++ } ++} ++ ++/* qsort-compatible wrapper */ ++static int compare_name_constraint_nodes_qsort(const void *a, const void *b) ++{ ++ const struct name_constraints_node_st *const *n1 = a; ++ const struct name_constraints_node_st *const *n2 = b; ++ enum name_constraint_relation rel; ++ ++ rel = compare_name_constraint_nodes(*n1, *n2); ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ case NC_INCLUDED_BY: ++ return -1; ++ case NC_SORTS_AFTER: ++ case NC_INCLUDES: ++ return 1; ++ case NC_EQUAL: ++ default: ++ return 0; ++ } ++} ++ + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, + struct name_constraints_node_st *node) +@@ -420,9 +699,7 @@ static int name_constraints_node_list_in + } + } + +- if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME || 
+- t->type == GNUTLS_SAN_RFC822NAME || +- t->type == GNUTLS_SAN_IPADDRESS)) { ++ if (found != NULL && is_supported_type(t->type)) { + /* move node from PERMITTED to REMOVED */ + ret = name_constraints_node_list_add(&removed, t); + if (ret < 0) { +@@ -824,61 +1101,14 @@ cleanup: + return ret; + } + +-static unsigned ends_with(const gnutls_datum_t *str, +- const gnutls_datum_t *suffix) +-{ +- unsigned char *tree; +- unsigned int treelen; +- +- if (suffix->size >= str->size) +- return 0; +- +- tree = suffix->data; +- treelen = suffix->size; +- if ((treelen > 0) && (tree[0] == '.')) { +- tree++; +- treelen--; +- } +- +- if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 && +- str->data[str->size - treelen - 1] == '.') +- return 1; /* match */ +- +- return 0; +-} +- +-static unsigned email_ends_with(const gnutls_datum_t *str, +- const gnutls_datum_t *suffix) +-{ +- if (suffix->size >= str->size) { +- return 0; +- } +- +- if (suffix->size > 0 && memcmp(str->data + str->size - suffix->size, +- suffix->data, suffix->size) != 0) { +- return 0; +- } +- +- if (suffix->size > 1 && suffix->data[0] == '.') { /* .domain.com */ +- return 1; /* match */ +- } else if (str->data[str->size - suffix->size - 1] == '@') { +- return 1; /* match */ +- } +- +- return 0; +-} +- + static unsigned dnsname_matches(const gnutls_datum_t *name, + const gnutls_datum_t *suffix) + { + _gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", name->size, + name->data, suffix->size, suffix->data); + +- if (suffix->size == name->size && +- memcmp(suffix->data, name->data, suffix->size) == 0) +- return 1; /* match */ +- +- return ends_with(name, suffix); ++ enum name_constraint_relation rel = compare_dns_names(name, suffix); ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + + static unsigned email_matches(const gnutls_datum_t *name, +@@ -887,11 +1117,8 @@ static unsigned email_matches(const gnut + _gnutls_hard_log("matching %.*s with e-mail constraint %.*s\n", + name->size, 
name->data, suffix->size, suffix->data); + +- if (suffix->size == name->size && +- memcmp(suffix->data, name->data, suffix->size) == 0) +- return 1; /* match */ +- +- return email_ends_with(name, suffix); ++ enum name_constraint_relation rel = compare_emails(name, suffix); ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + + /*- +@@ -915,8 +1142,7 @@ static int name_constraints_intersect_no + // presume empty intersection + struct name_constraints_node_st *intersection = NULL; + const struct name_constraints_node_st *to_copy = NULL; +- unsigned iplength = 0; +- unsigned byte; ++ enum name_constraint_relation rel; + + *_intersection = NULL; + +@@ -925,32 +1151,49 @@ static int name_constraints_intersect_no + } + switch (node1->type) { + case GNUTLS_SAN_DNSNAME: +- if (!dnsname_matches(&node2->name, &node1->name)) ++ rel = compare_dns_names(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal means doesn't matter which one ++ case NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- to_copy = node2; ++ } + break; + case GNUTLS_SAN_RFC822NAME: +- if (!email_matches(&node2->name, &node1->name)) ++ rel = compare_emails(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal means doesn't matter which one ++ case NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- to_copy = node2; ++ } + break; + case GNUTLS_SAN_IPADDRESS: +- if (node1->name.size != node2->name.size) ++ rel = compare_ip_ncs(&node1->name, &node2->name); ++ switch (rel) { ++ case NC_EQUAL: // equal means doesn't matter which one ++ case 
NC_INCLUDES: // node2 is more specific ++ to_copy = node2; ++ break; ++ case NC_INCLUDED_BY: // node1 is more specific ++ to_copy = node1; ++ break; ++ case NC_SORTS_BEFORE: // no intersection ++ case NC_SORTS_AFTER: // no intersection + return GNUTLS_E_SUCCESS; +- iplength = node1->name.size / 2; +- for (byte = 0; byte < iplength; byte++) { +- if (((node1->name.data[byte] ^ +- node2->name.data[byte]) // XOR of addresses +- & node1->name.data[byte + +- iplength] // AND mask from nc1 +- & node2->name.data[byte + +- iplength]) // AND mask from nc2 +- != 0) { +- // CIDRS do not intersect +- return GNUTLS_E_SUCCESS; +- } + } +- to_copy = node2; + break; + default: + // for other types, we don't know how to do the intersection, assume empty +@@ -967,20 +1210,6 @@ static int name_constraints_intersect_no + intersection = *_intersection; + + assert(intersection->name.data != NULL); +- +- if (intersection->type == GNUTLS_SAN_IPADDRESS) { +- // make sure both IP addresses are correctly masked +- _gnutls_mask_ip(intersection->name.data, +- intersection->name.data + iplength, +- iplength); +- _gnutls_mask_ip(node1->name.data, +- node1->name.data + iplength, iplength); +- // update intersection, if necessary (we already know one is subset of other) +- for (byte = 0; byte < 2 * iplength; byte++) { +- intersection->name.data[byte] |= +- node1->name.data[byte]; +- } +- } + } + + return GNUTLS_E_SUCCESS; diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch new file mode 100644 index 00000000000..6dc599dd9f1 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch 
@@ -0,0 +1,119 @@ +From bc62fbb946085527b4b1c02f337dd10c68c54690 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 09:09:46 +0100 +Subject: [PATCH] x509/name_constraints: add sorted_view in preparation... + +... for actually using it later for performance gains. + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bc62fbb946085527b4b1c02f337dd10c68c54690] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 62 ++++++++++++++++++++++++++++++------- + 1 file changed, 51 insertions(+), 11 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -54,6 +54,9 @@ struct name_constraints_node_list_st { + struct name_constraints_node_st **data; + size_t size; + size_t capacity; ++ /* sorted-on-demand view, valid only when dirty == false */ ++ bool dirty; ++ struct name_constraints_node_st **sorted_view; + }; + + struct gnutls_name_constraints_st { +@@ -342,6 +345,37 @@ static int compare_name_constraint_nodes + } + } + ++/* Bring the sorted view up to date with the list data; clear the dirty flag. 
*/ ++static int ensure_sorted(struct name_constraints_node_list_st *list) ++{ ++ struct name_constraints_node_st **new_data; ++ ++ if (!list->dirty) ++ return GNUTLS_E_SUCCESS; ++ if (!list->size) { ++ list->dirty = false; ++ return GNUTLS_E_SUCCESS; ++ } ++ ++ /* reallocate sorted view to match current size */ ++ new_data = ++ _gnutls_reallocarray(list->sorted_view, list->size, ++ sizeof(struct name_constraints_node_st *)); ++ if (!new_data) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ list->sorted_view = new_data; ++ ++ /* copy pointers and sort in-place */ ++ memcpy(list->sorted_view, list->data, ++ list->size * sizeof(struct name_constraints_node_st *)); ++ qsort(list->sorted_view, list->size, ++ sizeof(struct name_constraints_node_st *), ++ compare_name_constraint_nodes_qsort); ++ ++ list->dirty = false; ++ return GNUTLS_E_SUCCESS; ++} ++ + static int + name_constraints_node_list_add(struct name_constraints_node_list_st *list, + struct name_constraints_node_st *node) +@@ -361,10 +395,23 @@ name_constraints_node_list_add(struct na + list->capacity = new_capacity; + list->data = new_data; + } ++ list->dirty = true; + list->data[list->size++] = node; + return 0; + } + ++static void ++name_constraints_node_list_clear(struct name_constraints_node_list_st *list) ++{ ++ gnutls_free(list->data); ++ gnutls_free(list->sorted_view); ++ list->data = NULL; ++ list->sorted_view = NULL; ++ list->capacity = 0; ++ list->size = 0; ++ list->dirty = false; ++} ++ + static int + name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *list, +@@ -711,6 +758,7 @@ static int name_constraints_node_list_in + permitted->data[i] = + permitted->data[permitted->size - 1]; + permitted->size--; ++ permitted->dirty = true; + continue; + } + i++; +@@ -905,17 +953,9 @@ void _gnutls_x509_name_constraints_clear + struct name_constraints_node_st *node = nc->nodes.data[i]; + name_constraints_node_free(node); + } +- 
gnutls_free(nc->nodes.data); +- nc->nodes.capacity = 0; +- nc->nodes.size = 0; +- +- gnutls_free(nc->permitted.data); +- nc->permitted.capacity = 0; +- nc->permitted.size = 0; +- +- gnutls_free(nc->excluded.data); +- nc->excluded.capacity = 0; +- nc->excluded.size = 0; ++ name_constraints_node_list_clear(&nc->nodes); ++ name_constraints_node_list_clear(&nc->permitted); ++ name_constraints_node_list_clear(&nc->excluded); + } + + /** diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch new file mode 100644 index 00000000000..846862007f0 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch 
@@ -0,0 +1,150 @@ +From 80db5e90fa18d3e34bb91dd027bdf76d31e93dcd Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 13:30:08 +0100 +Subject: [PATCH] x509/name_constraints: implement + name_constraints_node_list_union + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80db5e90fa18d3e34bb91dd027bdf76d31e93dcd] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 98 ++++++++++++++++++++++++++++++++----- + 1 file changed, 86 insertions(+), 12 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -41,6 +41,7 @@ + #include "intprops.h" + #include "minmax.h" + ++#include + #include + + #define MAX_NC_CHECKS (1 << 20) +@@ -867,22 +868,95 @@ cleanup: + return ret; + } + +-static int name_constraints_node_list_concat( +- gnutls_x509_name_constraints_t nc, +- struct name_constraints_node_list_st *nodes, +- const struct name_constraints_node_list_st *nodes2) ++static int ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ struct name_constraints_node_list_st *nodes2) + { + int ret; ++ size_t i = 0, j = 0; ++ struct name_constraints_node_st *nc1; ++ const struct name_constraints_node_st *nc2; ++ enum name_constraint_relation rel; ++ struct name_constraints_node_list_st result = { 0 }; ++ ++ if (nodes2->size == 0) /* nothing to do */ ++ return GNUTLS_E_SUCCESS; ++ ++ ret = ensure_sorted(nodes); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ret = ensure_sorted(nodes2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* traverse both lists in a single pass and merge them w/o duplicates */ ++ while (i < nodes->size || j < nodes2->size) { ++ nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL; ++ nc2 = (j < nodes2->size) ? 
nodes2->sorted_view[j] : NULL; + +- for (size_t i = 0; i < nodes2->size; i++) { +- ret = name_constraints_node_add_copy(nc, nodes, +- nodes2->data[i]); ++ rel = compare_name_constraint_nodes(nc1, nc2); ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ assert(nc1 != NULL); /* comparator-guaranteed */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ break; ++ case NC_SORTS_AFTER: ++ assert(nc2 != NULL); /* comparator-guaranteed */ ++ ret = name_constraints_node_add_copy(nc, &result, nc2); ++ j++; ++ break; ++ case NC_INCLUDES: /* nc1 is broader, shallow-copy it */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; ++ case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ ret = name_constraints_node_add_copy(nc, &result, nc2); ++ i++; ++ j++; ++ break; ++ case NC_EQUAL: ++ assert(nc1 != NULL && nc2 != NULL); /* loop condition */ ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; ++ } + if (ret < 0) { +- return gnutls_assert_val(ret); ++ gnutls_assert(); ++ goto cleanup; + } + } + +- return 0; ++ gnutls_free(nodes->data); ++ gnutls_free(nodes->sorted_view); ++ nodes->data = result.data; ++ nodes->sorted_view = NULL; ++ nodes->size = result.size; ++ nodes->capacity = result.capacity; ++ nodes->dirty = true; ++ /* since we know it's sorted, populate sorted_view almost for free */ ++ nodes->sorted_view = gnutls_calloc( ++ nodes->size, sizeof(struct name_constraints_node_st *)); ++ if (!nodes->sorted_view) ++ return GNUTLS_E_SUCCESS; /* we tried, no harm done */ ++ memcpy(nodes->sorted_view, nodes->data, ++ nodes->size * sizeof(struct name_constraints_node_st *)); ++ nodes->dirty = false; ++ ++ result.data = NULL; ++ return GNUTLS_E_SUCCESS; ++cleanup: ++ name_constraints_node_list_clear(&result); ++ return gnutls_assert_val(ret); + } + + /** +@@ -1023,7 +1097,7 @@ static int 
name_constraints_add(gnutls_x + * @nc2: The name constraints to be merged with + * + * This function will merge the provided name constraints structures +- * as per RFC5280 p6.1.4. That is, the excluded constraints will be appended, ++ * as per RFC5280 p6.1.4. That is, the excluded constraints will be unioned, + * and permitted will be intersected. The intersection assumes that @nc + * is the root CA constraints. + * +@@ -1045,8 +1119,8 @@ int _gnutls_x509_name_constraints_merge( + return ret; + } + +- ret = name_constraints_node_list_concat(nc, &nc->excluded, +- &nc2->excluded); ++ ret = name_constraints_node_list_union(nc, &nc->excluded, ++ &nc2->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch new file mode 100644 index 00000000000..9beca76a352 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch 
@@ -0,0 +1,105 @@ +From d0ac999620c8c0aeb6939e1e92d884ca8e40b759 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 18:31:37 +0100 +Subject: [PATCH] x509/name_constraints: make types_with_empty_intersection a + bitmask + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d0ac999620c8c0aeb6939e1e92d884ca8e40b759] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + lib/x509/name_constraints.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -275,6 +275,7 @@ static enum name_constraint_relation com + + static inline bool is_supported_type(unsigned type) + { ++ /* all of these should be under GNUTLS_SAN_MAX (intersect bitmasks) */ + return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || + type == GNUTLS_SAN_IPADDRESS; + } +@@ -683,6 +684,21 @@ name_constraints_node_new(gnutls_x509_na + return tmp; + } + ++static int ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ struct name_constraints_node_list_st *nodes2); ++ ++#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */ ++#define type_bitmask_set(mask, t) ((mask) |= (1u << (t))) ++#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t))) ++#define type_bitmask_in(mask, t) ((mask) & (1u << (t))) ++/* C99-compatible compile-time assertions; gnutls_int.h undefines verify */ ++typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1]; ++typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 : -1]; ++typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? 1 : -1]; ++typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 
1 : -1]; ++ + /*- + * @brief name_constraints_node_list_intersect: + * @nc: %gnutls_x509_name_constraints_t +@@ -710,12 +726,9 @@ static int name_constraints_node_list_in + .capacity = 0 }; + static const unsigned char universal_ip[32] = { 0 }; + +- /* temporary array to see, if we need to add universal excluded constraints +- * (see phase 3 for details) +- * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */ +- unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX]; +- memset(types_with_empty_intersection, 0, +- sizeof(types_with_empty_intersection)); ++ /* bitmask to see if we need to add universal excluded constraints ++ * (see phase 3 for details) */ ++ type_bitmask_t types_with_empty_intersection = 0; + + if (permitted->size == 0 || permitted2->size == 0) + return 0; +@@ -741,7 +754,8 @@ static int name_constraints_node_list_in + // note the possibility of empty intersection for this type + // if we add something to the intersection in phase 2, + // we will reset this flag back to 0 then +- types_with_empty_intersection[t->type - 1] = 1; ++ type_bitmask_set(types_with_empty_intersection, ++ t->type); + found = t2; + break; + } +@@ -795,8 +809,8 @@ static int name_constraints_node_list_in + GNUTLS_E_INTERNAL_ERROR); + } + // we will not add universal excluded constraint for this type +- types_with_empty_intersection[tmp->type - 1] = +- 0; ++ type_bitmask_clr(types_with_empty_intersection, ++ tmp->type); + // add intersection node to PERMITTED + ret = name_constraints_node_list_add(permitted, + tmp); +@@ -824,7 +838,7 @@ static int name_constraints_node_list_in + * excluded constraint with universal wildcard + * (since the intersection of permitted is now empty). 
*/ + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { +- if (types_with_empty_intersection[type - 1] == 0) ++ if (!type_bitmask_in(types_with_empty_intersection, type)) + continue; + _gnutls_hard_log( + "Adding universal excluded name constraint for type %d.\n", +@@ -868,6 +882,11 @@ cleanup: + return ret; + } + ++#undef type_bitmask_t ++#undef type_bitmask_set ++#undef type_bitmask_clr ++#undef type_bitmask_in ++ + static int + name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *nodes, diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch new file mode 100644 index 00000000000..27ed995d8df --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch 
@@ -0,0 +1,437 @@ +Backport of: + +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 4 Feb 2026 20:03:49 +0100 +Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect + over sorted + +Fixes: #1773 +Fixes: GNUTLS-SA-2026-02-09-2 +Fixes: CVE-2025-14831 + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1] +CVE: CVE-2025-14831 +Signed-off-by: Vijay Anusuri +--- + NEWS | 7 + + lib/x509/name_constraints.c | 350 ++++++++++++++---------------------- + 2 files changed, 142 insertions(+), 215 deletions(-) + +#diff --git a/NEWS b/NEWS +#index e506db547a..96b7484fdf 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -14,6 +14,13 @@ See the end for copying conditions. +# Reported by Jaehun Lee. +# [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584] +# +#+** libgnutls: Fix name constraint processing performance issue +#+ Verifying certificates with pathological amounts of name constraints +#+ could lead to a denial of service attack via resource exhaustion. +#+ Reworked processing algorithms exhibit better performance characteristics. +#+ Reported by Tim Scheckenbach. +#+ [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831] +#+ +# ** libgnutls: Fix multiple unexploitable overflows +# Reported by Tim Rühsen (#1783, #1786). 
+# +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -446,13 +446,6 @@ name_constraints_node_add_copy(gnutls_x5 + src->name.data, src->name.size); + } + +-// for documentation see the implementation +-static int name_constraints_intersect_nodes( +- gnutls_x509_name_constraints_t nc, +- const struct name_constraints_node_st *node1, +- const struct name_constraints_node_st *node2, +- struct name_constraints_node_st **intersection); +- + /*- + * _gnutls_x509_name_constraints_is_empty: + * @nc: name constraints structure +@@ -716,129 +709,143 @@ typedef char assert_ipaddr[(GNUTLS_SAN_I + static int name_constraints_node_list_intersect( + gnutls_x509_name_constraints_t nc, + struct name_constraints_node_list_st *permitted, +- const struct name_constraints_node_list_st *permitted2, ++ struct name_constraints_node_list_st *permitted2, + struct name_constraints_node_list_st *excluded) + { +- struct name_constraints_node_st *tmp; +- int ret, type, used; +- struct name_constraints_node_list_st removed = { .data = NULL, +- .size = 0, +- .capacity = 0 }; ++ struct name_constraints_node_st *nc1, *nc2; ++ struct name_constraints_node_list_st result = { 0 }; ++ struct name_constraints_node_list_st unsupp2 = { 0 }; ++ enum name_constraint_relation rel; ++ unsigned type; ++ int ret = GNUTLS_E_SUCCESS; ++ size_t i, j, p1_unsupp = 0, p2_unsupp = 0; ++ type_bitmask_t universal_exclude_needed = 0; ++ type_bitmask_t types_in_p1 = 0, types_in_p2 = 0; + static const unsigned char universal_ip[32] = { 0 }; + +- /* bitmask to see if we need to add universal excluded constraints +- * (see phase 3 for details) */ +- type_bitmask_t types_with_empty_intersection = 0; +- + if (permitted->size == 0 || permitted2->size == 0) +- return 0; ++ return GNUTLS_E_SUCCESS; + +- /* Phase 1 +- * For each name in PERMITTED, if a PERMITTED2 does not contain a name +- * with the same type, move the original name to REMOVED. 
+- * Do this also for node of unknown type (not DNS, email, IP) */ +- for (size_t i = 0; i < permitted->size;) { +- struct name_constraints_node_st *t = permitted->data[i]; +- const struct name_constraints_node_st *found = NULL; +- +- for (size_t j = 0; j < permitted2->size; j++) { +- const struct name_constraints_node_st *t2 = +- permitted2->data[j]; +- if (t->type == t2->type) { +- // check bounds (we will use 't->type' as index) +- if (t->type > GNUTLS_SAN_MAX || t->type == 0) { +- gnutls_assert(); +- ret = GNUTLS_E_INTERNAL_ERROR; +- goto cleanup; +- } +- // note the possibility of empty intersection for this type +- // if we add something to the intersection in phase 2, +- // we will reset this flag back to 0 then +- type_bitmask_set(types_with_empty_intersection, +- t->type); +- found = t2; +- break; +- } ++ /* make sorted views of the arrays */ ++ ret = ensure_sorted(permitted); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ret = ensure_sorted(permitted2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ /* deal with the leading unsupported types first: count, then union */ ++ while (p1_unsupp < permitted->size && ++ !is_supported_type(permitted->sorted_view[p1_unsupp]->type)) ++ p1_unsupp++; ++ while (p2_unsupp < permitted2->size && ++ !is_supported_type(permitted2->sorted_view[p2_unsupp]->type)) ++ p2_unsupp++; ++ if (p1_unsupp) { /* copy p1 unsupported type pointers into result */ ++ result.data = gnutls_calloc( ++ p1_unsupp, sizeof(struct name_constraints_node_st *)); ++ if (!result.data) { ++ ret = GNUTLS_E_MEMORY_ERROR; ++ gnutls_assert(); ++ goto cleanup; ++ } ++ memcpy(result.data, permitted->sorted_view, ++ p1_unsupp * sizeof(struct name_constraints_node_st *)); ++ result.size = result.capacity = p1_unsupp; ++ result.dirty = true; ++ } ++ if (p2_unsupp) { /* union will make deep copies from p2 */ ++ unsupp2.data = permitted2->sorted_view; /* so, just alias */ ++ unsupp2.size = unsupp2.capacity = p2_unsupp; ++ 
unsupp2.dirty = false; /* we know it's sorted */ ++ unsupp2.sorted_view = permitted2->sorted_view; ++ ret = name_constraints_node_list_union(nc, &result, &unsupp2); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } ++ } + +- if (found != NULL && is_supported_type(t->type)) { +- /* move node from PERMITTED to REMOVED */ +- ret = name_constraints_node_list_add(&removed, t); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- /* remove node by swapping */ +- if (i < permitted->size - 1) +- permitted->data[i] = +- permitted->data[permitted->size - 1]; +- permitted->size--; +- permitted->dirty = true; +- continue; ++ /* with that out of the way, pre-compute the supported types we have */ ++ for (i = p1_unsupp; i < permitted->size; i++) { ++ type = permitted->sorted_view[i]->type; ++ if (type < 1 || type > GNUTLS_SAN_MAX) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; + } +- i++; ++ type_bitmask_set(types_in_p1, type); + } ++ for (j = p2_unsupp; j < permitted2->size; j++) { ++ type = permitted2->sorted_view[j]->type; ++ if (type < 1 || type > GNUTLS_SAN_MAX) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; ++ } ++ type_bitmask_set(types_in_p2, type); ++ } ++ /* universal excludes might be needed for types intersecting to empty */ ++ universal_exclude_needed = types_in_p1 & types_in_p2; + +- /* Phase 2 +- * iterate through all combinations from PERMITTED2 and PERMITTED +- * and create intersections of nodes with same type */ +- for (size_t i = 0; i < permitted2->size; i++) { +- const struct name_constraints_node_st *t2 = permitted2->data[i]; +- +- // current PERMITTED2 node has not yet been used for any intersection +- // (and is not in REMOVED either) +- used = 0; +- for (size_t j = 0; j < removed.size; j++) { +- const struct name_constraints_node_st *t = +- removed.data[j]; +- // save intersection of name constraints into tmp +- ret = name_constraints_intersect_nodes(nc, t, t2, &tmp); +- if (ret < 0) { 
+- gnutls_assert(); +- goto cleanup; +- } +- used = 1; +- // if intersection is not empty +- if (tmp != +- NULL) { // intersection for this type is not empty +- // check bounds +- if (tmp->type > GNUTLS_SAN_MAX || +- tmp->type == 0) { +- gnutls_free(tmp); +- return gnutls_assert_val( +- GNUTLS_E_INTERNAL_ERROR); +- } +- // we will not add universal excluded constraint for this type +- type_bitmask_clr(types_with_empty_intersection, +- tmp->type); +- // add intersection node to PERMITTED +- ret = name_constraints_node_list_add(permitted, +- tmp); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- } ++ /* go through supported type NCs and intersect in a single pass */ ++ i = p1_unsupp; ++ j = p2_unsupp; ++ while (i < permitted->size || j < permitted2->size) { ++ nc1 = (i < permitted->size) ? permitted->sorted_view[i] : NULL; ++ nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] : ++ NULL; ++ rel = compare_name_constraint_nodes(nc1, nc2); ++ ++ switch (rel) { ++ case NC_SORTS_BEFORE: ++ assert(nc1 != NULL); /* comparator-guaranteed */ ++ /* if nothing to intersect with, shallow-copy nc1 */ ++ if (!type_bitmask_in(types_in_p2, nc1->type)) ++ ret = name_constraints_node_list_add(&result, ++ nc1); ++ i++; /* otherwise skip nc1 */ ++ break; ++ case NC_SORTS_AFTER: ++ assert(nc2 != NULL); /* comparator-guaranteed */ ++ /* if nothing to intersect with, deep-copy nc2 */ ++ if (!type_bitmask_in(types_in_p1, nc2->type)) ++ ret = name_constraints_node_add_copy( ++ nc, &result, nc2); ++ j++; /* otherwise skip nc2 */ ++ break; ++ case NC_INCLUDED_BY: /* add nc1, shallow-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ type_bitmask_clr(universal_exclude_needed, nc1->type); ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ break; ++ case NC_INCLUDES: /* pick nc2, deep-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* comparator */ ++ type_bitmask_clr(universal_exclude_needed, nc2->type); ++ ret = 
name_constraints_node_add_copy(nc, &result, nc2); ++ j++; ++ break; ++ case NC_EQUAL: /* pick whichever: nc1, shallow-copy */ ++ assert(nc1 != NULL && nc2 != NULL); /* loop condition */ ++ type_bitmask_clr(universal_exclude_needed, nc1->type); ++ ret = name_constraints_node_list_add(&result, nc1); ++ i++; ++ j++; ++ break; + } +- // if the node from PERMITTED2 was not used for intersection, copy it to DEST +- // Beware: also copies nodes other than DNS, email, IP, +- // since their counterpart may have been moved in phase 1. +- if (!used) { +- ret = name_constraints_node_add_copy(nc, permitted, t2); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } + } + +- /* Phase 3 +- * For each type: If we have empty permitted name constraints now +- * and we didn't have at the beginning, we have to add a new +- * excluded constraint with universal wildcard +- * (since the intersection of permitted is now empty). */ ++ /* finishing touch: add universal excluded constraints for types where ++ * both lists had constraints, but all intersections ended up empty */ + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { +- if (!type_bitmask_in(types_with_empty_intersection, type)) ++ if (!type_bitmask_in(universal_exclude_needed, type)) + continue; + _gnutls_hard_log( + "Adding universal excluded name constraint for type %d.\n", +@@ -871,14 +878,24 @@ static int name_constraints_node_list_in + goto cleanup; + } + break; +- default: // do nothing, at least one node was already moved in phase 1 +- break; ++ default: /* unsupported type; should be unreacheable */ ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto cleanup; + } + } +- ret = GNUTLS_E_SUCCESS; + ++ gnutls_free(permitted->data); ++ gnutls_free(permitted->sorted_view); ++ permitted->data = result.data; ++ permitted->sorted_view = NULL; ++ permitted->size = result.size; ++ permitted->capacity = result.capacity; ++ permitted->dirty = true; ++ ++ 
result.data = NULL; ++ ret = GNUTLS_E_SUCCESS; + cleanup: +- gnutls_free(removed.data); ++ name_constraints_node_list_clear(&result); + return ret; + } + +@@ -1254,100 +1271,6 @@ static unsigned email_matches(const gnut + return rel == NC_EQUAL || rel == NC_INCLUDED_BY; + } + +-/*- +- * name_constraints_intersect_nodes: +- * @nc1: name constraints node 1 +- * @nc2: name constraints node 2 +- * @_intersection: newly allocated node with intersected constraints, +- * NULL if the intersection is empty +- * +- * Inspect 2 name constraints nodes (of possibly different types) and allocate +- * a new node with intersection of given constraints. +- * +- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. +- -*/ +-static int name_constraints_intersect_nodes( +- gnutls_x509_name_constraints_t nc, +- const struct name_constraints_node_st *node1, +- const struct name_constraints_node_st *node2, +- struct name_constraints_node_st **_intersection) +-{ +- // presume empty intersection +- struct name_constraints_node_st *intersection = NULL; +- const struct name_constraints_node_st *to_copy = NULL; +- enum name_constraint_relation rel; +- +- *_intersection = NULL; +- +- if (node1->type != node2->type) { +- return GNUTLS_E_SUCCESS; +- } +- switch (node1->type) { +- case GNUTLS_SAN_DNSNAME: +- rel = compare_dns_names(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- case GNUTLS_SAN_RFC822NAME: +- rel = compare_emails(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case 
NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- case GNUTLS_SAN_IPADDRESS: +- rel = compare_ip_ncs(&node1->name, &node2->name); +- switch (rel) { +- case NC_EQUAL: // equal means doesn't matter which one +- case NC_INCLUDES: // node2 is more specific +- to_copy = node2; +- break; +- case NC_INCLUDED_BY: // node1 is more specific +- to_copy = node1; +- break; +- case NC_SORTS_BEFORE: // no intersection +- case NC_SORTS_AFTER: // no intersection +- return GNUTLS_E_SUCCESS; +- } +- break; +- default: +- // for other types, we don't know how to do the intersection, assume empty +- return GNUTLS_E_SUCCESS; +- } +- +- // copy existing node if applicable +- if (to_copy != NULL) { +- *_intersection = name_constraints_node_new(nc, to_copy->type, +- to_copy->name.data, +- to_copy->name.size); +- if (*_intersection == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- intersection = *_intersection; +- +- assert(intersection->name.data != NULL); +- } +- +- return GNUTLS_E_SUCCESS; +-} +- + /* + * Returns: true if the certification is acceptable, and false otherwise. + */ diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 026ae650f65..ccb6a2b4b2d 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
@@ -34,6 +34,15 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2025-32990.patch \ file://CVE-2025-6395.patch \ file://CVE-2025-9820.patch \ + file://CVE-2025-14831-1.patch \ + file://CVE-2025-14831-2.patch \ + file://CVE-2025-14831-3.patch \ + file://CVE-2025-14831-4.patch \ + file://CVE-2025-14831-5.patch \ + file://CVE-2025-14831-6.patch \ + file://CVE-2025-14831-7.patch \ + file://CVE-2025-14831-8.patch \ + file://CVE-2025-14831-9.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
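Review bot: The NEWS hunk at the top of the backported gnutls patch file is disabled by prefixing every line with "#", but the diffstat just above it still lists "NEWS | 7 +" and "2 files changed", and the header does not say why the hunk was dropped. A one-line "Comment:" in the patch header (the systemd backport in this series uses one for its refresh) would let the next person rebasing the recipe know the NEWS change was left out on purpose and that the diffstat no longer matches what is applied.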
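Review bot: In the single-pass loop of name_constraints_node_list_intersect (hunk @@ -716,129 +709,143 @@ of lib/x509/name_constraints.c), the non-NULL invariants on nc1 and nc2 are enforced with assert(), while the type range check a few lines earlier in the same hunk uses "ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); goto cleanup;". These lists come from the name constraints of the certificates being verified, so a broken comparator invariant would abort the process where assertions are compiled in and dereference NULL where they are not; returning GNUTLS_E_INTERNAL_ERROR through cleanup would keep one failure mode. The switch (rel) also has no default arm: a relation value outside the five handled cases would advance neither i nor j and leave ret untouched, so the while loop would not terminate; a default that sets GNUTLS_E_INTERNAL_ERROR closes that. Finally, permitted2 loses its const because ensure_sorted() is now called on it, which is worth stating in the function's documentation since callers' second list is modified.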
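Review bot: In the tail of name_constraints_node_list_intersect (hunk @@ -871,14 +878,24 @@), once permitted takes over result.data only result.data is reset to NULL, so the fall-through into cleanup calls name_constraints_node_list_clear(&result) with size and capacity still non-zero. Zeroing the whole struct at the hand-over, or confirming that the clear helper ignores size when data is NULL, would make this safe by inspection. The new default arm now fails with GNUTLS_E_INTERNAL_ERROR where the old code did nothing, which is only correct if universal_exclude_needed can never carry the bit of an unsupported type; a short comment saying why that holds would help. The comment on that arm also has a typo: "unreacheable" should read "unreachable".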
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 13/16] systemd: backport patch to fix journal-file issue
Date: Mon, 30 Mar 2026 00:37:45 +0200
Message-ID: <5c63919aec50486f218123890585d791c0e45aab.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234171

From: sureshha

Backport patch to fix systemd journal-file assertion on removed or corrupted files

Extracted from systemd MR: https://github.com/systemd/systemd/pull/40378

Signed-off-by: sureshha
Signed-off-by: Yoann Congal
---
 ...not-trigger-assertion-on-removed-or-.patch | 65 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_255.21.bb | 1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch

diff --git a/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch new file mode 100644 index 00000000000..5f5551870ac --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
@@ -0,0 +1,65 @@ +From 1350f39db7e72116c3b2423db02da3ddc8e29082 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 18 Jan 2026 19:15:31 +0900 +Subject: [PATCH] journal-file: do not trigger assertion on removed or + corrupted journal file + +When a journal file is removed or corrupted, then the value `p`, which is +read from Object.data.entry_offset, may be zero. + +Note, journal_file_move_to_object() checks the passed offset and return +-EBADMSG if it is invalid. + +Fixes the issue reported at +https://github.com/systemd/systemd/pull/40372#issuecomment-3762907261. + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/2185c30de333b09f46ef28b743b123f45e774738] + +Comment: Patch is refreshed as per codebase of v255 + +Signed-off-by: sureshha +--- + src/libsystemd/sd-journal/journal-file.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index 08f3b82..633de5b 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -3305,7 +3305,9 @@ use_extra: + + static int test_object_offset(JournalFile *f, uint64_t p, uint64_t needle) { + assert(f); +- assert(p > 0); ++ ++ if (p <= 0) ++ return -EBADMSG; + + if (p == needle) + return TEST_FOUND; +@@ -3341,7 +3343,6 @@ static int test_object_seqnum(JournalFile *f, uint64_t p, uint64_t needle) { + int r; + + assert(f); +- assert(p > 0); + + r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o); + if (r < 0) +@@ -3382,7 +3383,6 @@ static int test_object_realtime(JournalFile *f, uint64_t p, uint64_t needle) { + int r; + + assert(f); +- assert(p > 0); + + r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o); + if (r < 0) +@@ -3423,7 +3423,6 @@ static int test_object_monotonic(JournalFile *f, uint64_t p, uint64_t needle) { + int r; + + assert(f); +- assert(p > 0); + + r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o); + if (r < 0) +-- +2.34.1 
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb index 87e186bbfac..504d6cbef60 100644 --- a/meta/recipes-core/systemd/systemd_255.21.bb +++ b/meta/recipes-core/systemd/systemd_255.21.bb 
@@ -29,6 +29,7 @@ SRC_URI += " \ file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \ file://0008-implment-systemd-sysv-install-for-OE.patch \ + file://0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch \ " # patches needed by musl
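Review bot: In test_object_offset() (hunk @@ -3305,7 +3305,9 @@ of src/libsystemd/sd-journal/journal-file.c) the new guard is written "if (p <= 0)" on a uint64_t, where only p == 0 can ever be true; writing "p == 0" states the intent directly. This function now returns -EBADMSG itself, while test_object_seqnum(), test_object_realtime() and test_object_monotonic() simply drop the assert and rely on journal_file_move_to_object() to reject the offset, as the commit message notes. A short comment at those three sites would record that the zero-offset check is delegated rather than forgotten, since the offset is read from a journal file that may be removed or corrupted.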
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 14/16] libxml-parser-perl: fix for CVE-2006-10003
Date: Mon, 30 Mar 2026 00:37:46 +0200
Message-ID: <3841818496f190e76351efeb38c6427c03977cd8.1774823430.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234172

From: Hitendra Prajapati

Pick patch from [1].

[1] https://security-tracker.debian.org/tracker/CVE-2006-10003

More details : https://nvd.nist.gov/vuln/detail/CVE-2006-10003

Signed-off-by: Hitendra Prajapati
Signed-off-by: Yoann Congal
---
 .../libxml-parser-perl/CVE-2006-10003.patch | 73 +++++++++++++++++++
 .../perl/libxml-parser-perl_2.47.bb | 1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch

diff --git a/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch new file mode 100644 index 00000000000..e9a4b692d2d --- /dev/null +++ b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
@@ -0,0 +1,73 @@ +From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001 +From: Toddr Bot +Date: Mon, 16 Mar 2026 22:16:11 +0000 +Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack + growth check + +When st_serial_stackptr == st_serial_stacksize - 1, the old check +(stackptr >= stacksize) would not trigger reallocation. The subsequent +++stackptr then writes at index stacksize, one element past the +allocated buffer. + +Fix by checking stackptr + 1 >= stacksize so the buffer is grown +before the pre-increment write. + +Add a deep nesting test (600 levels) to exercise this code path. + +Fixes #39 + +Co-Authored-By: Claude Opus 4.6 + +CVE: CVE-2006-10003 +Upstream-Status: Backport [https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1] +Signed-off-by: Hitendra Prajapati +--- + Expat/Expat.xs | 2 +- + t/deep_nesting.t | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + create mode 100644 t/deep_nesting.t + +diff --git a/Expat/Expat.xs b/Expat/Expat.xs +index dbad380..f04a0cf 100644 +--- a/Expat/Expat.xs ++++ b/Expat/Expat.xs +@@ -499,7 +499,7 @@ startElement(void *userData, const char *name, const char **atts) + } + } + +- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) { ++ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) { + unsigned int newsize = cbv->st_serial_stacksize + 512; + + Renew(cbv->st_serial_stack, newsize, unsigned int); +diff --git a/t/deep_nesting.t b/t/deep_nesting.t +new file mode 100644 +index 0000000..8237b5f +--- /dev/null ++++ b/t/deep_nesting.t +@@ -0,0 +1,22 @@ ++BEGIN { print "1..1\n"; } ++ ++# Test for deeply nested elements to exercise st_serial_stack reallocation. ++# This catches off-by-one errors in the stack growth check (GH #39). ++ ++use XML::Parser; ++ ++my $depth = 600; ++ ++my $xml = ''; ++for my $i (1 .. $depth) { ++ $xml .= ""; ++} ++for my $i (reverse 1 .. 
$depth) { ++ $xml .= ""; ++} ++ ++my $p = XML::Parser->new; ++eval { $p->parse($xml) }; ++ ++print "not " if $@; ++print "ok 1\n"; +-- +2.50.1 + diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb index 803164f713d..6a36b763a83 100644 --- a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb +++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb 
@@ -8,6 +8,7 @@ DEPENDS += "expat" SRC_URI = "${CPAN_MIRROR}/authors/id/T/TO/TODDR/XML-Parser-${PV}.tar.gz \ file://0001-Makefile.PL-make-check_lib-cross-friendly.patch \ + file://CVE-2006-10003.patch \ " SRC_URI[sha256sum] = "ad4aae643ec784f489b956abe952432871a622d4e2b5c619e8855accbfc4d1d8"
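Review bot: The new t/deep_nesting.t only checks $@ after "eval { $p->parse($xml) }", so it detects a Perl-level exception but not the one-element write past st_serial_stack that the Expat.xs hunk fixes; without a memory checker the test can pass against the old "stackptr >= stacksize" check as well. The test comment should say that it acts as a regression test only when run under valgrind or an AddressSanitizer build. It would also help to note how the depth of 600 relates to the "+ 512" growth step seen in the Expat.xs hunk, since the initial st_serial_stacksize is not visible here and the boundary is crossed only if it is below the chosen depth.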
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/16] busybox: fix for CVE-2026-26157, CVE-2026-26158
Date: Mon, 30 Mar 2026 00:37:47 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234173

From: Hitendra Prajapati

Pick up patch from NVD report.

More details :
[1]: https://nvd.nist.gov/vuln/detail/CVE-2026-26157
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-26158

Note: We use patch from busybox mirror that looks trustworthy https://gogs.librecmc.org/OWEALS/busybox.

Signed-off-by: Hitendra Prajapati
Signed-off-by: Yoann Congal
---
 .../CVE-2026-26157-CVE-2026-26158-01.patch | 198 ++++++++++++++++++
 .../CVE-2026-26157-CVE-2026-26158-02.patch | 37 ++++
 meta/recipes-core/busybox/busybox_1.36.1.bb | 2 +
 3 files changed, 237 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch new file mode 100644 index 00000000000..cdc23947949 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
@@ -0,0 +1,198 @@ +From 3fb6b31c716669e12f75a2accd31bb7685b1a1cb Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Thu, 29 Jan 2026 11:48:02 +0100 +Subject: [PATCH] tar: strip unsafe hardlink components - GNU tar does the same + +Defends against files like these (python reproducer): + +import tarfile +ti = tarfile.TarInfo("leak_hosts") +ti.type = tarfile.LNKTYPE +ti.linkname = "/etc/hosts" # or "../etc/hosts" or ".." +ti.size = 0 +with tarfile.open("/tmp/hardlink.tar", "w") as t: + t.addfile(ti) + +function old new delta +skip_unsafe_prefix - 127 +127 +get_header_tar 1752 1754 +2 +.rodata 106861 106856 -5 +unzip_main 2715 2706 -9 +strip_unsafe_prefix 102 18 -84 +------------------------------------------------------------------------------ +(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98) Total: 31 bytes + +Signed-off-by: Denys Vlasenko + +CVE: CVE-2026-26157, CVE-2026-26158 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb] +(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb) +Signed-off-by: Hitendra Prajapati +--- + archival/libarchive/data_extract_all.c | 7 +++-- + archival/libarchive/get_header_tar.c | 11 ++++++-- + archival/libarchive/unsafe_prefix.c | 30 +++++++++++++++++---- + archival/libarchive/unsafe_symlink_target.c | 1 + + archival/tar.c | 2 +- + archival/unzip.c | 2 +- + include/bb_archive.h | 3 ++- + 7 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c +index 8a69711..b84b960 100644 +--- a/archival/libarchive/data_extract_all.c ++++ b/archival/libarchive/data_extract_all.c +@@ -66,8 +66,8 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) + } + #endif + #if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION +- /* Strip leading "/" and up to last "/../" path component */ +- dst_name = (char 
*)strip_unsafe_prefix(dst_name); ++ /* Skip leading "/" and past last ".." path component */ ++ dst_name = (char *)skip_unsafe_prefix(dst_name); + #endif + // ^^^ This may be a problem if some applets do need to extract absolute names. + // (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag). +@@ -185,8 +185,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) + + /* To avoid a directory traversal attack via symlinks, + * do not restore symlinks with ".." components +- * or symlinks starting with "/", unless a magic +- * envvar is set. ++ * or symlinks starting with "/" + * + * For example, consider a .tar created via: + * $ tar cvf bug.tar anything.txt +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c +index cc6f3f0..1c40ece 100644 +--- a/archival/libarchive/get_header_tar.c ++++ b/archival/libarchive/get_header_tar.c +@@ -454,8 +454,15 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle) + #endif + + /* Everything up to and including last ".." component is stripped */ +- overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name)); +-//TODO: do the same for file_header->link_target? 
++ strip_unsafe_prefix(file_header->name); ++ if (file_header->link_target) { ++ /* GNU tar 1.34 examples: ++ * tar: Removing leading '/' from hard link targets ++ * tar: Removing leading '../' from hard link targets ++ * tar: Removing leading 'etc/../' from hard link targets ++ */ ++ strip_unsafe_prefix(file_header->link_target); ++ } + + /* Strip trailing '/' in directories */ + /* Must be done after mode is set as '/' is used to check if it's a directory */ +diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c +index 6670811..89a371a 100644 +--- a/archival/libarchive/unsafe_prefix.c ++++ b/archival/libarchive/unsafe_prefix.c +@@ -5,11 +5,11 @@ + #include "libbb.h" + #include "bb_archive.h" + +-const char* FAST_FUNC strip_unsafe_prefix(const char *str) ++const char* FAST_FUNC skip_unsafe_prefix(const char *str) + { + const char *cp = str; + while (1) { +- char *cp2; ++ const char *cp2; + if (*cp == '/') { + cp++; + continue; +@@ -22,10 +22,25 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str) + cp += 3; + continue; + } +- cp2 = strstr(cp, "/../"); ++ cp2 = cp; ++ find_dotdot: ++ cp2 = strstr(cp2, "/.."); + if (!cp2) +- break; +- cp = cp2 + 4; ++ break; /* No (more) malicious components */ ++ ++ /* We found "/..something" */ ++ cp2 += 3; ++ if (*cp2 != '/') { ++ if (*cp2 == '\0') { ++ /* Trailing "/..": malicious, return "" */ ++ /* (causes harmless errors trying to create or hardlink a file named "") */ ++ return cp2; ++ } ++ /* "/..name" is not malicious, look for next "/.." 
*/ ++ goto find_dotdot; ++ } ++ /* Found "/../": malicious, advance past it */ ++ cp = cp2 + 1; + } + if (cp != str) { + static smallint warned = 0; +@@ -37,3 +52,8 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str) + } + return cp; + } ++ ++void FAST_FUNC strip_unsafe_prefix(char *str) ++{ ++ overlapping_strcpy(str, skip_unsafe_prefix(str)); ++} +diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c +index f8dc803..d764c89 100644 +--- a/archival/libarchive/unsafe_symlink_target.c ++++ b/archival/libarchive/unsafe_symlink_target.c +@@ -36,6 +36,7 @@ void FAST_FUNC create_links_from_list(llist_t *list) + *list->data ? "hard" : "sym", + list->data + 1, target + ); ++ /* Note: GNU tar 1.34 errors out only _after_ all links are (attempted to be) created */ + } + list = list->link; + } +diff --git a/archival/tar.c b/archival/tar.c +index 9de3759..cf8c2d1 100644 +--- a/archival/tar.c ++++ b/archival/tar.c +@@ -475,7 +475,7 @@ static int FAST_FUNC writeFileToTarball(struct recursive_state *state, + DBG("writeFileToTarball('%s')", fileName); + + /* Strip leading '/' and such (must be before memorizing hardlink's name) */ +- header_name = strip_unsafe_prefix(fileName); ++ header_name = skip_unsafe_prefix(fileName); + + if (header_name[0] == '\0') + return TRUE; +diff --git a/archival/unzip.c b/archival/unzip.c +index 691a2d8..5844215 100644 +--- a/archival/unzip.c ++++ b/archival/unzip.c +@@ -853,7 +853,7 @@ int unzip_main(int argc, char **argv) + unzip_skip(zip.fmt.extra_len); + + /* Guard against "/abspath", "/../" and similar attacks */ +- overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn)); ++ strip_unsafe_prefix(dst_fn); + + /* Filter zip entries */ + if (find_list_entry(zreject, dst_fn) +diff --git a/include/bb_archive.h b/include/bb_archive.h +index e0ef8fc..1dc77f3 100644 +--- a/include/bb_archive.h ++++ b/include/bb_archive.h +@@ -202,7 +202,8 @@ char get_header_tar_xz(archive_handle_t *archive_handle) 
FAST_FUNC; + void seek_by_jump(int fd, off_t amount) FAST_FUNC; + void seek_by_read(int fd, off_t amount) FAST_FUNC; + +-const char *strip_unsafe_prefix(const char *str) FAST_FUNC; ++const char *skip_unsafe_prefix(const char *str) FAST_FUNC; ++void strip_unsafe_prefix(char *str) FAST_FUNC; + void create_or_remember_link(llist_t **link_placeholders, + const char *target, + const char *linkname, +-- +2.50.1 + diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch new file mode 100644 index 00000000000..00a276fa4f8 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch 
@@ -0,0 +1,37 @@ +From 599f5dd8fac390c18b79cba4c14c334957605dae Mon Sep 17 00:00:00 2001 +From: Radoslav Kolev +Date: Mon, 16 Feb 2026 11:50:04 +0200 +Subject: [PATCH] tar: only strip unsafe components from hardlinks, not + symlinks + +commit 3fb6b31c7 introduced a check for unsafe components in +tar archive hardlinks, but it was being applied to symlinks too +which broke "Symlinks and hardlinks coexist" tar test. + +Signed-off-by: Radoslav Kolev +Signed-off-by: Denys Vlasenko + +CVE: CVE-2026-26157, CVE-2026-26158 +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=599f5dd8fac390c18b79cba4c14c334957605dae] +(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/599f5dd8fac390c18b79cba4c14c334957605dae) +Signed-off-by: Hitendra Prajapati +--- + archival/libarchive/get_header_tar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c +index 1c40ece..606d806 100644 +--- a/archival/libarchive/get_header_tar.c ++++ b/archival/libarchive/get_header_tar.c +@@ -455,7 +455,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle) + + /* Everything up to and including last ".." component is stripped */ + strip_unsafe_prefix(file_header->name); +- if (file_header->link_target) { ++ if (file_header->link_target && !S_ISLNK(file_header->mode)) { + /* GNU tar 1.34 examples: + * tar: Removing leading '/' from hard link targets + * tar: Removing leading '../' from hard link targets +-- +2.50.1 + diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb index d870e2ee10c..228bfdadd33 100644 --- a/meta/recipes-core/busybox/busybox_1.36.1.bb +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb 
@@ -62,6 +62,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2025-46394-01.patch \ file://CVE-2025-46394-02.patch \ file://CVE-2025-60876.patch \ + file://CVE-2026-26157-CVE-2026-26158-01.patch \ + file://CVE-2026-26157-CVE-2026-26158-02.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html From patchwork Sun Mar 29 22:37:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 84752 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BFD6FC980C for ; Sun, 29 Mar 2026 22:38:19 +0000 (UTC) Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38627.1774823895417113650 for ; Sun, 29 Mar 2026 15:38:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=ZLCxsB3W; spf=pass (domain: smile.fr, ip: 209.85.221.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-43b9144790dso2053424f8f.1 for ; Sun, 29 Mar 2026 15:38:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1774823893; x=1775428693; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jPELm9+qfceZTCeb7cLui9XU5WzyxjQ+Dkj8uJbr3XU=; b=ZLCxsB3WgfIwXIJoEavw+dpJRIRNRZaoLGrW7LiiRya9L4tbqBLpKmPVD3A8jBaY+p IBHLf9AAP8zpLaWIAK03YEtbmLdPVfonaRR+1l4veJzEy0LmGK4ZN5EppbRkpsbALO+q N0yMkm6ObVTwsP476rQELM576FmarWGXBzLUM= 
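Review bot: in archival/libarchive/unsafe_prefix.c, the new trailing "/.." branch of skip_unsafe_prefix() does `return cp2;` from inside the loop, so it never reaches the `if (cp != str)` block after the loop that holds the `warned` flag. A member name or hard link target ending in "/.." is reduced to "" without whatever that block reports for every other stripped prefix. Suggest `cp = cp2; break;` in place of the return: cp2 already points at the terminating NUL there, so the returned string is the same and the trailing case goes through the common exit path.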
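Review bot: in the -02 patch, the get_header_tar.c condition `file_header->link_target && !S_ISLNK(file_header->mode)` selects every entry that is not a symlink, while the comment under it and the patch subject speak only of hard links. Suggest either a comment saying that symlink targets are left untouched here on purpose because data_extract_all.c deals with unsafe symlink targets (see the comment hunk in the -01 patch), or a test for the hard link case directly, so the skipped symlink case is not later read as an oversight. The context below in the same function says the directory check "Must be done after mode is set", so it is also worth confirming that mode is final at this point, since the new test depends on it.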
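Review bot: the second data_extract_all.c hunk in the -01 patch only edits the comment, dropping "unless a magic envvar is set", and no code line anywhere in this patch touches an environment variable check. As this is a backport onto 1.36.1, please confirm that the extraction code in that tree has no such override left; if it does, the shortened comment would describe behaviour the backported tree does not have.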
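Review bot: the `CVE:` tag in both added patch files reads `CVE: CVE-2026-26157, CVE-2026-26158`, with a comma between the two IDs. The usual OE-core form lists several IDs on that line separated by spaces only, so please check that the CVE tooling records both IDs as patched from this tag rather than just the first, or change the line to `CVE: CVE-2026-26157 CVE-2026-26158` in both files.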
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 16/16] rust: Enable dynamic linking with llvm Date: Mon, 30 Mar 2026 00:37:48 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 29 Mar 2026 22:38:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234174 From: Sunil Dora Fixes [Yocto #16058] A segmentation fault occurs in rustc (e.g. in llvm::X86ReadAdvanceTable) when reusing sstate artifacts built with different host toolchain versions. Issue sequence: 1. llvm-native is built with a newer toolchain (e.g. GCC 15/Binutils 2.45). 2. rust-native is later built with an older linker. (e.g. GCC 12/Binutils 2.40). 3. The older linker statically links parts of llvm-native into librustc_driver. 4. The resulting binary crashes at runtime inside the statically linked LLVM code. The corruption happens at link time when mixing static native objects produced by different toolchain generations. Enable dynamic LLVM linking (link-shared = true) for rust-native so rustc links against libLLVM.so instead of static archives, avoiding host linker incompatibilities when reusing sstate artifacts. Signed-off-by: Sunil Dora Suggested-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit 74ba238ff1ba1e9b612aece1989b828f3a8f8770) Signed-off-by: Yoann Congal --- meta/recipes-devtools/rust/rust_1.75.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/rust/rust_1.75.0.bb b/meta/recipes-devtools/rust/rust_1.75.0.bb index b9348bf0507..f037bb33715 100644 --- a/meta/recipes-devtools/rust/rust_1.75.0.bb +++ b/meta/recipes-devtools/rust/rust_1.75.0.bb 
@@ -128,6 +128,8 @@ python do_configure() { # [llvm] config.add_section("llvm") + if d.getVar('PN') == "rust-native": + config.set("llvm", "link-shared", e(True)) config.set("llvm", "static-libstdcpp", e(False)) if "llvm" in (d.getVar('TC_CXX_RUNTIME') or ""): config.set("llvm", "use-libcxx", e(True))
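Review bot: the new `if d.getVar('PN') == "rust-native":` branch in do_configure() carries no comment, so the recipe itself gives no hint why link-shared is forced for the native build only. Suggest a short comment above it pointing at [Yocto #16058] and the mixed host toolchain sstate case described in the commit message. It would also help to state how libLLVM.so is guaranteed to be available to rustc at run time once the static link is gone, since nothing else in this hunk changes dependencies.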