From patchwork Thu Apr 16 10:30:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86274 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DDE1F8A155 for ; Thu, 16 Apr 2026 10:31:12 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10857.1776335470412828324 for ; Thu, 16 Apr 2026 03:31:10 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=dFi5b4/b; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F1A8225E1 for ; Thu, 16 Apr 2026 03:31:03 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 3D97B3F7D8 for ; Thu, 16 Apr 2026 03:31:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776335469; bh=h4+/vLn8F/6K8I3bdthUZ5QO19oYMNzzAM8jUBjWNDc=; h=From:To:Subject:Date:From; b=dFi5b4/bzkfQGDsoMMd5slsKGzqO3iArRlPCm77+SJ/7oyysEgG08M/ZodiZMuVfR kyselSP22QKEm+m7S1uOTLtCI9j/XZvOwackswVb2x/Nif/LRZqZDd4xi6ZVUjwun3 3gkv+KVd5chzXEgfLr44bkGA5VZ1KUKX2Y7FpJRg= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v3 1/4] glib-networking: backport fix for CVE-2026-2574 Date: Thu, 16 Apr 2026 11:30:57 +0100 Message-ID: <20260416103100.3152304-1-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Apr 2026 10:31:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235393 CVE-2026-2574: Affected versions of this package are vulnerable to Out-of-bounds Read via improper handling of certificate authority data in the OpenSSL backend. An attacker can cause application crashes and potentially disclose limited heap memory by enticing a client to connect to a malicious TLS server that advertises a specially crafted client-CA list. Signed-off-by: Ross Burton --- ...of-bounds-read-in-accepted-cas-prope.patch | 48 +++++++++++++++++++ .../glib-networking/glib-networking_2.80.1.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch diff --git a/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch new file mode 100644 index 00000000000..d3673656ad5 --- /dev/null +++ b/meta/recipes-core/glib-networking/glib-networking/0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch 
@@ -0,0 +1,48 @@ +From be2173eb9b769255df9474a9128e642b60894f10 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 12 Mar 2026 12:47:00 -0500 +Subject: [PATCH] openssl: fix out of bounds read in accepted-cas property + getter + +The d2i and i2d functions are quite dangerous because they advance the +provided pointer, so we have to pass a temporary pointer if we're later +going to do anything with the original pointer. + +I've audited the codebase and found this is our only such mistake. + +Fixes #228 (CVE-2026-2574) + +Part-of: + + +(cherry picked from commit c3c84b269165f2a312d47fa15c5cbc7f8ead7631) + +Co-authored-by: Michael Catanzaro + +CVE: CVE-2026-2574 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + tls/openssl/gtlsclientconnection-openssl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c +index e98fb0b..e2ff0d4 100644 +--- a/tls/openssl/gtlsclientconnection-openssl.c ++++ b/tls/openssl/gtlsclientconnection-openssl.c +@@ -141,9 +141,11 @@ g_tls_client_connection_openssl_get_property (GObject *object, + if (size > 0) + { + unsigned char *ca; ++ unsigned char *tmp; + + ca = g_malloc (size); +- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca); ++ tmp = ca; ++ size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &tmp); + if (size > 0) + accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take ( + ca, size)); +-- +2.43.0 + diff --git a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb index 44e3b0c0b3d..3d47e354e28 100644 --- a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb +++ b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb 
@@ -32,6 +32,7 @@ inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \ file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \ file://0003-openssl-check-return-values-of-BIO_new.patch \ + file://0004-openssl-fix-out-of-bounds-read-in-accepted-cas-prope.patch \ file://run-ptest" FILES:${PN} += "\ From patchwork Thu Apr 16 10:30:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86275 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5225F8A159 for ; Thu, 16 Apr 2026 10:31:12 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.10859.1776335470991014968 for ; Thu, 16 Apr 2026 03:31:11 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=oFP+AVFI; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id AAD8825E2 for ; Thu, 16 Apr 2026 03:31:04 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id E260B3F7D8 for ; Thu, 16 Apr 2026 03:31:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776335470; bh=phGamMS4N8qEBBm/N5UFxIlyDQ6PKCpuTj2Ngw1ASjU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=oFP+AVFIH3HxZmxjDupZnUfwcQ6AHHNCECOY227dVRGpeNYyaWKfhrr1jRhlSpg9O 
DCvG7bDexamc+shcLPPwZZPLW5Q+5FAWKWL5be72gWaWRQ61YQeKBSlAraTK81Ihnw CVhMFPv1uFZa1lbfa+sw9MNuwzumI4HtUx37ATbs= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v3 2/4] libsoup: actually apply patches for CVE-2025-32049 and CVE-2026-1539 Date: Thu, 16 Apr 2026 11:30:58 +0100 Message-ID: <20260416103100.3152304-2-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260416103100.3152304-1-ross.burton@arm.com> References: <20260416103100.3152304-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Apr 2026 10:31:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235394 The patches were added to SRC_URI before inheriting gnomebase, which does SRC_URI = "...". This means the patches were never actually part of SRC_URI, so never applied. Signed-off-by: Ross Burton --- meta/recipes-support/libsoup/libsoup_3.6.6.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb index 981e74d8160..b51368adb64 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb @@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2" +inherit gettext gnomebase upstream-version-is-even gobject-introspection gi-docgen vala + SRC_URI[archive.sha256sum] = "51ed0ae06f9d5a40f401ff459e2e5f652f9a510b7730e1359ee66d14d4872740" SRC_URI += "file://CVE-2025-32049-1.patch \ 
@@ -20,8 +22,6 @@ SRC_URI += "file://CVE-2025-32049-1.patch \ PROVIDES = "libsoup-3.0" -inherit gettext gnomebase upstream-version-is-even gobject-introspection gi-docgen vala - GIR_MESON_ENABLE_FLAG = 'enabled' GIR_MESON_DISABLE_FLAG = 'disabled' From patchwork Thu Apr 16 10:30:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86273 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D072F8A157 for ; Thu, 16 Apr 2026 10:31:12 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10753.1776335471456881911 for ; Thu, 16 Apr 2026 03:31:11 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=lljNZ6mJ; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 62D6E25E1 for ; Thu, 16 Apr 2026 03:31:05 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 9BD423F7D8 for ; Thu, 16 Apr 2026 03:31:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776335471; bh=QXIwYVIj6KjjP4CUxbTUZYIWbzqGMDpOTBDLhqckNMQ=; h=From:To:Subject:Date:In-Reply-To:References:From; b=lljNZ6mJoJWStvWGQPFFdfWyeRegKbJbeuVePKkcwJspgeYywujR7Sg+97Cejsr/a lcwsRkRLnsk2gowSqyJG5w3FO/lWMJLvCdS49xDZ0+5RyYjjN8qbNg+MonLjXmqUme WA15kerBXlHVI0rfCU5v98RipEr50Qdu4TEwk2Vk= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v3 3/4] libsoup: mark CVEs which have been resolved upstream Date: Thu, 16 Apr 2026 11:30:59 +0100 Message-ID: <20260416103100.3152304-3-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260416103100.3152304-1-ross.burton@arm.com> References: <20260416103100.3152304-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Apr 2026 10:31:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235395 These issues have all been fixed in the 3.6.6 release that we have, but the CPEs are unversioned. I've contacted NIST to update the database but until that happens we can mark them as fixed. Signed-off-by: Ross Burton --- meta/recipes-support/libsoup/libsoup_3.6.6.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb index b51368adb64..9bc3f2f86fb 100644 --- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb +++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb 
@@ -58,3 +58,8 @@ DEBIAN_NOAUTONAME:${PN} = "1" RRECOMMENDS:${PN} = "glib-networking" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2026-1467] = "fixed-version: fixed in 3.6.6" +CVE_STATUS[CVE-2026-1536] = "fixed-version: fixed in 3.6.6" +CVE_STATUS[CVE-2026-1801] = "fixed-version: fixed in 3.6.6" +CVE_STATUS[CVE-2026-2443] = "fixed-version: fixed in 3.6.6" From patchwork Thu Apr 16 10:31:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86276 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8F41F8A15B for ; Thu, 16 Apr 2026 10:31:13 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.10753.1776335471456881911 for ; Thu, 16 Apr 2026 03:31:12 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=q15Tkn4+; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 1162425E2 for ; Thu, 16 Apr 2026 03:31:06 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 55B113F7D8 for ; Thu, 16 Apr 2026 03:31:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776335471; bh=mvcXKFqIIpgGzu0pkh4XBBAmEmR+0K/EO2TvYRRSwFo=; h=From:To:Subject:Date:In-Reply-To:References:From; b=q15Tkn4+fDeF3r9ZLegFE7SpENbOlflP67OK3XjUxLlJDu5G8SZYZc5zzk7rd1B9U 7QtwKC3QoWMzLTsrWWuQfey6Yl3ir1nR2E9csrpYk0RljS9G/PX6DZHA3izxWMl2av 
z3WhMrDhXE/I+vRN8ZvlHQyBD4UExHzqzlEFDUoU= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v3 4/4] python3-requests: backport fix for CVE-2026-25645 Date: Thu, 16 Apr 2026 11:31:00 +0100 Message-ID: <20260416103100.3152304-4-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260416103100.3152304-1-ross.burton@arm.com> References: <20260416103100.3152304-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Apr 2026 10:31:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235396 When unpacking zip files requests uses predictable paths. Backport a fix to use randomly generated pathnames to mitigate injection attacks. Signed-off-by: Ross Burton --- .../python3-requests/CVE-2026-25645.patch | 46 +++++++++++++++++++ .../python/python3-requests_2.32.5.bb | 7 ++- 2 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch b/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch new file mode 100644 index 00000000000..3bebba65726 --- /dev/null +++ b/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch 
@@ -0,0 +1,46 @@ +From 66d21cb07bd6255b1280291c4fafb71803cdb3b7 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Wed, 25 Mar 2026 08:57:56 -0600 +Subject: [PATCH] Merge commit from fork + +Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function +uses a predictable filename when extracting files from zip archives into the system +temporary directory. If the target file already exists, it is reused without validation. +A local attacker with write access to the temp directory could pre-create a malicious +file that would be loaded in place of the legitimate one. Standard usage of the Requests +library is not affected by this vulnerability. Only applications that call +`extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library +extracts files to a non-deterministic location. If developers are unable to upgrade, +they can set `TMPDIR` in their environment to a directory with restricted write access. + +CVE: CVE-2026-25645 +Upstream-Status: Backport [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7] +Signed-off-by: Ross Burton +--- + src/requests/utils.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/requests/utils.py b/src/requests/utils.py +index d8803e6e91..54959bb8ab 100644 +--- a/src/requests/utils.py ++++ b/src/requests/utils.py +@@ -282,12 +282,13 @@ def extract_zipped_paths(path): + return path + + # we have a valid zip archive and a valid member of that archive +- tmp = tempfile.gettempdir() +- extracted_path = os.path.join(tmp, member.split("/")[-1]) +- if not os.path.exists(extracted_path): +- # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition +- with atomic_open(extracted_path) as file_handler: +- file_handler.write(zip_file.read(member)) ++ suffix = os.path.splitext(member.split("/")[-1])[-1] ++ fd, extracted_path = tempfile.mkstemp(suffix=suffix) ++ try: ++ 
os.write(fd, zip_file.read(member)) ++ finally: ++ os.close(fd) ++ + return extracted_path + + diff --git a/meta/recipes-devtools/python/python3-requests_2.32.5.bb b/meta/recipes-devtools/python/python3-requests_2.32.5.bb index 43b63e32b1f..0eb9765b633 100644 --- a/meta/recipes-devtools/python/python3-requests_2.32.5.bb +++ b/meta/recipes-devtools/python/python3-requests_2.32.5.bb @@ -3,13 +3,12 @@ HOMEPAGE = "https://requests.readthedocs.io" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" -SRC_URI:append:class-nativesdk = " \ - file://environment.d-python3-requests.sh \ -" +inherit pypi python_setuptools_build_meta SRC_URI[sha256sum] = "dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf" -inherit pypi python_setuptools_build_meta +SRC_URI += "file://CVE-2026-25645.patch" +SRC_URI:append:class-nativesdk = " file://environment.d-python3-requests.sh" do_install:append:class-nativesdk() { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
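Review bot: in the gtlsclientconnection-openssl.c hunk of 1/4, routing the pointer advance through `tmp` is the right fix (`ca` still addresses the start of the `size`-byte allocation when `g_byte_array_new_take (ca, size)` takes it), but within the hunk's context the buffer from `ca = g_malloc (size);` is never released when `i2d_X509_NAME()` returns a non-positive length, so the `if (size > 0)` failure path leaks it; consider `else g_free (ca);` after the prepend. Separately, the patch header's `Upstream-Status: Backport` carries no upstream URL, unlike the python3-requests patch later in this series, so add the upstream commit link for `c3c84b269165f2a312d47fa15c5cbc7f8ead7631` so the backport can be checked against its origin.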
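Review bot: the `@@ -9,6 +9,8 @@` hunk of 2/4 moves `inherit gettext gnomebase ...` above the `SRC_URI +=` block, which fixes the silent drop because gnomebase assigns `SRC_URI` outright, but nothing in the recipe records that ordering constraint, so a later tidy-up can reintroduce the bug just as quietly. Suggest a one-line comment above the inherit, e.g. `# gnomebase assigns SRC_URI: inherit before adding patches`, and confirming with `bitbake -e libsoup | grep '^SRC_URI='` that both CVE patch files appear in the effective value.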
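Review bot: the four `CVE_STATUS[...] = "fixed-version: fixed in 3.6.6"` lines in 3/4 give a reviewer nothing to check the claim against; add the upstream fix reference (libsoup merge request or commit) to each justification string, or a comment above the block recording the NIST request, so the entries can be verified now and removed once the CPE data carries the version range.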
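Review bot: in the utils.py hunk of 4/4, `tempfile.mkstemp()` creates a fresh owner-only file on every call and the removed `os.path.exists()` short-cut is gone, so each call to `extract_zipped_paths()` now writes another copy of the member and nothing deletes it; callers that resolve the same path repeatedly will accumulate files under `TMPDIR`, and the return value is no longer stable across calls. That is the behaviour of the upstream commit named in `Upstream-Status`, so carry it as-is, but note the changed contract in the recipe's patch description so downstream users are not surprised.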
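Review bot: the `.bb` hunk of 4/4 folds an unrelated reshuffle of `SRC_URI:append:class-nativesdk` (collapsed from three lines to one and moved below the `inherit`) into the CVE backport, and the commit message does not say whether the move is needed for the new patch to apply (the libsoup commit in this series shows why inherit order can matter); either split it into its own commit or state the reason in the message.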
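The libsoup commit in this series fixes patches that were silently dropped from SRC_URI. The following is an added example for this review, not part of the patch series or of OE-core: it parses the output of `bitbake -e <recipe>`, which prints every variable's fully expanded value as a bare `NAME="value"` line after a `#`-prefixed history of the operations that built it, and lists which expected patch files are missing from the effective SRC_URI. The two dumps embedded below are constructed in that shape, and the name `CVE-2026-1539-example.patch` is an assumption (the page only shows the first patch's filename).

```python
"""Verify that a recipe's effective SRC_URI really carries its CVE patches.

Added example; not code from OE-core or from the patch series.  Pipe
`bitbake -e <recipe>` into it, or import and call missing_patches().
"""
import re
import sys

# bitbake -e prints the effective assignment unindented after the
# '#'-prefixed operation history; this pattern matches only that line.
_FINAL = re.compile(r'^SRC_URI="(?P<value>.*)"$')


def final_src_uri(bitbake_e_output: str) -> str:
    """Return the expanded SRC_URI from `bitbake -e` text, or '' if absent."""
    for line in bitbake_e_output.splitlines():
        m = _FINAL.match(line)
        if m:
            return m.group("value")
    return ""


def local_patch_names(src_uri: str) -> set:
    """Basenames of every file:// entry, with ';key=value' options stripped."""
    names = set()
    for entry in src_uri.split():
        if not entry.startswith("file://"):
            continue
        path = entry[len("file://"):].split(";", 1)[0]
        names.add(path.rsplit("/", 1)[-1])
    return names


def missing_patches(bitbake_e_output: str, expected: list) -> list:
    """Expected patch files absent from the effective SRC_URI, in input order."""
    present = local_patch_names(final_src_uri(bitbake_e_output))
    return [p for p in expected if p not in present]


# Constructed dumps in the shape of `bitbake -e libsoup`.  Paths, line
# numbers and the second patch name are illustrative assumptions.
EXPECTED = ["CVE-2025-32049-1.patch", "CVE-2026-1539-example.patch"]

# Before the fix: the recipe's append ran first, then gnomebase assigned
# SRC_URI outright, so the effective value has no file:// entries.
BROKEN_RECIPE_DUMP = """\
# $SRC_URI [2 operations]
#   append /meta/recipes-support/libsoup/libsoup_3.6.6.bb:14
#     "file://CVE-2025-32049-1.patch file://CVE-2026-1539-example.patch"
#   set /meta/classes-recipe/gnomebase.bbclass:16
#     "${GNOME_MIRROR}/${GNOMEBN}/3.6/${GNOMEBN}-${PV}.tar.xz;name=archive"
SRC_URI="https://download.gnome.org/sources/libsoup/3.6/libsoup-3.6.6.tar.xz;name=archive"
"""

# After the fix: the class assignment happens first, the append survives.
FIXED_RECIPE_DUMP = """\
# $SRC_URI [2 operations]
#   set /meta/classes-recipe/gnomebase.bbclass:16
#     "${GNOME_MIRROR}/${GNOMEBN}/3.6/${GNOMEBN}-${PV}.tar.xz;name=archive"
#   append /meta/recipes-support/libsoup/libsoup_3.6.6.bb:16
#     "file://CVE-2025-32049-1.patch file://CVE-2026-1539-example.patch"
SRC_URI="https://download.gnome.org/sources/libsoup/3.6/libsoup-3.6.6.tar.xz;name=archive file://CVE-2025-32049-1.patch file://CVE-2026-1539-example.patch"
"""


if __name__ == "__main__":
    # Usage: bitbake -e libsoup | python3 check_src_uri.py CVE-2025-32049-1.patch ...
    wanted = sys.argv[1:] or EXPECTED
    gone = missing_patches(sys.stdin.read(), wanted)
    print("missing from effective SRC_URI:", gone or "none")
    sys.exit(1 if gone else 0)
```

Run against the real dump on the build host; a non-zero exit means at least one patch the recipe names never reached `do_patch`, which is the condition a cve-check report cannot distinguish from a real fix.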
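For the python3-requests backport, the following is an added example (not requests' own code and not the patch's) that re-implements, self-contained, the two extraction behaviours the utils.py hunk switches between, together with a regression check a maintainer can run to confirm which one a given extractor shows: whether a pre-existing file at the predictable location is handed back as if it were the archive member, whether each call yields a fresh path, and whether the file is owner-only. The archive, member name and the function names `extract_predictable`, `extract_random` and `verify_extractor` are this example's own.

```python
"""Predictable versus randomised temp paths when extracting a zip member.

Added example; a self-contained model of the before/after behaviour in
the CVE-2026-25645 hunk, not code from requests or the patch series.
"""
import io
import os
import stat
import tempfile
import zipfile

MEMBER = "certs/bundle.pem"  # constructed member name
CONTENT = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"


def make_archive() -> bytes:
    """Build an in-memory zip holding the single constructed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MEMBER, CONTENT)
    return buf.getvalue()


def extract_predictable(archive: bytes, member: str, tmpdir: str) -> str:
    """Pre-fix shape: fixed path under tmpdir; an existing file is reused as-is."""
    target = os.path.join(tmpdir, member.split("/")[-1])
    if not os.path.exists(target):
        with zipfile.ZipFile(io.BytesIO(archive)) as zf, open(target, "wb") as fh:
            fh.write(zf.read(member))
    return target


def extract_random(archive: bytes, member: str, tmpdir: str) -> str:
    """Post-fix shape: mkstemp() picks an unpredictable name, creates the
    file exclusively with mode 0600 and returns an open descriptor."""
    suffix = os.path.splitext(member.split("/")[-1])[-1]
    fd, target = tempfile.mkstemp(suffix=suffix, dir=tmpdir)
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            os.write(fd, zf.read(member))
    finally:
        os.close(fd)
    return target


def verify_extractor(extract, archive: bytes, member: str) -> dict:
    """Regression check: plant a stale file at the predictable path, call the
    extractor twice, and report what the first result looks like."""
    with tempfile.TemporaryDirectory() as tmpdir:
        stale = os.path.join(tmpdir, member.split("/")[-1])
        with open(stale, "wb") as fh:
            fh.write(b"stale\n")
        first = extract(archive, member, tmpdir)
        second = extract(archive, member, tmpdir)
        with open(first, "rb") as fh:
            data = fh.read()
        mode = stat.S_IMODE(os.stat(first).st_mode)
        return {
            "returns_archive_content": data == CONTENT,
            "fresh_path_per_call": first != second,
            "owner_only_mode": mode == 0o600,
        }


if __name__ == "__main__":
    archive = make_archive()
    for name, fn in (("predictable", extract_predictable), ("random", extract_random)):
        print(name, verify_extractor(fn, archive, MEMBER))
```

The predictable variant returns the planted file's contents and the same path on both calls; the mkstemp variant returns the archive member, a different path each time and an owner-only file, which is the property the backport restores (at the cost, noted above, of one new file per call).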