From patchwork Thu Apr 23 12:47:59 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86710
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Peter Kjellerstedt, Peter Kjellerstedt, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 1/19] jq: Use Git to fetch the code
Date: Fri, 24 Apr 2026 00:47:59 +1200
Message-ID: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126577

From: Peter Kjellerstedt

There is a bug (see https://github.com/jqlang/jq/issues/434), which results in an empty version being used if autoreconf is run on the jq sources when using a release tarball. The incorrect assumption is that autoreconf is only used when fetching the code using Git.

The empty version results in an incorrect libjq.pc file being created where the version is not set, which results in, e.g., `pkgconf --libs 'libjq > 1.6'` failing even if version 1.8.1 of jq is actually installed.

Switch to fetching the code using Git to work around the bug.

Signed-off-by: Peter Kjellerstedt
Signed-off-by: Khem Raj
(cherry picked from commit ed33569f822a3a8d41f82f6980a046d17aca37d5)
Signed-off-by: Ankur Tyagi
--- ...-with-disable-maintainer-mode-and-so.patch | 44 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 14 +++--- 2 files changed, 52 insertions(+), 6 deletions(-) create mode 100644 meta-oe/recipes-devtools/jq/jq/0001-Support-building-with-disable-maintainer-mode-and-so.patch diff --git a/meta-oe/recipes-devtools/jq/jq/0001-Support-building-with-disable-maintainer-mode-and-so.patch b/meta-oe/recipes-devtools/jq/jq/0001-Support-building-with-disable-maintainer-mode-and-so.patch new file mode 100644 index 0000000000..12a64a75ed --- /dev/null 
+++ b/meta-oe/recipes-devtools/jq/jq/0001-Support-building-with-disable-maintainer-mode-and-so.patch 
@@ -0,0 +1,44 @@ +From 27f417f4812e688a59fc5186b7768cec004cd6e5 Mon Sep 17 00:00:00 2001 +From: Peter Kjellerstedt +Date: Wed, 8 Apr 2026 05:58:49 +0200 +Subject: [PATCH] Support building with --disable-maintainer-mode and source != + build dir (#3518) + +If --disable-maintainer-mode is enabled, then the rules for generating +parser.[ch] and lexer.[ch] did nothing. This worked fine if the source +and build directories are the same as the pre-generated parser.c and +lexer.c files would suffice. However, if the build directory is not the +same as the source directory, then the rest of the Make rules expect +parser.[ch] and lexer.[ch] to have been created in the build directory +if their source files (parser.y and lexer.l) are newer than the target +files, which can happen in case the source is fetched using Git. + +Avoid the problem by copying the files to the build directory if needed. + +Co-authored-by: Peter Kjellerstedt +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/27f417f4812e688a59fc5186b7768cec004cd6e5] +--- + Makefile.am | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 96d6038..acb9443 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -41,9 +41,14 @@ src/lexer.h: src/lexer.c + else + BUILT_SOURCES = src/builtin.inc src/config_opts.inc src/version.h + .y.c: +- $(AM_V_YACC) echo "NOT building parser.c!" 
++ $(AM_V_YACC) [ "$(
X-Patchwork-Id: 86711
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 2/19] jq: patch CVE-2026-32316
Date: Fri, 24 Apr 2026 00:48:00 +1200
Message-ID: <20260423124823.1983261-2-ankur.tyagi85@gmail.com>
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126578

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit e94ab85126f12d77253107084dc8463c79b3e776)
Signed-off-by: Ankur Tyagi
--- .../jq/jq/CVE-2026-32316.patch | 53 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 10 ++-- 2 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch new file mode 100644 index 0000000000..1277b356d8 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch 
@@ -0,0 +1,53 @@ +From 321e62b356df2d4ed47aba4f3818e447ec4d77fc Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Thu, 12 Mar 2026 20:28:43 +0900 +Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and + `jvp_string_copy_replace_bad` + +In `jvp_string_append`, the allocation size `(currlen + len) * 2` could +overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small +allocation followed by a large `memcpy`. + +In `jvp_string_copy_replace_bad`, the output buffer size calculation +`length * 3 + 1` could overflow `uint32_t`, again resulting in a small +allocation followed by a large write. + +Add overflow checks to both functions to return an error for strings +that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. + +CVE: CVE-2026-32316 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5] +Signed-off-by: Gyorgy Sarvari +--- + src/jv.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index e4529a4..74be05a 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) { + const char* end = data + length; + const char* i = data; + +- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ uint64_t maxlength = (uint64_t)length * 3 + 1; ++ if (maxlength >= INT_MAX) { ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } ++ + jvp_string* s = jvp_string_alloc(maxlength); + char* out = s->data; + int c = 0; +@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) { + static jv jvp_string_append(jv string, const char* data, uint32_t len) { + jvp_string* s = jvp_string_ptr(string); + uint32_t currlen = jvp_string_length(s); ++ if ((uint64_t)currlen + len >= INT_MAX) { ++ jv_free(string); ++ return 
jv_invalid_with_msg(jv_string("String too long")); ++ } + + if (jvp_refcnt_unshared(string.u.ptr) && + jvp_string_remaining_space(s) >= len) { diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 6eaa2de6df..71d7387bf8 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -10,11 +10,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=cf7fcb0a1def4a7ad62c028f7d0dca47" SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4" -SRC_URI = " \ - git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \ - file://run-ptest \ - file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ -" +SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \ + file://run-ptest \ + file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ + file://CVE-2026-32316.patch \ + " inherit autotools ptest
From patchwork Thu Apr 23 12:48:01 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86713
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 3/19] jq: patch CVE-2026-33947
Date: Fri, 24 Apr 2026 00:48:01 +1200
Message-ID: <20260423124823.1983261-3-ankur.tyagi85@gmail.com>
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126579

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947

Backport the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 525e18ce214213193d9a280de3bfd2deb847110e)
Signed-off-by: Ankur Tyagi
--- .../jq/jq/CVE-2026-33947.patch | 104 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000..69a8381f06 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch 
@@ -0,0 +1,104 @@ +From 5fd935884a6f5b3d8ecdcacfc5d3982140f3a478 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:23:40 +0900 +Subject: [PATCH] Limit path depth to prevent stack overflow + +Deeply nested path arrays can cause unbounded recursion in +`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to +stack overflow. Add a depth limit of 10000 to match the +existing `tojson` depth limit. This fixes CVE-2026-33947. + +CVE: CVE-2026-33947 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f] +Signed-off-by: Gyorgy Sarvari +--- + src/jv_aux.c | 21 +++++++++++++++++++++ + tests/jq.test | 25 +++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/jv_aux.c b/src/jv_aux.c +index bc1405f..594a21f 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -375,6 +375,10 @@ static jv jv_dels(jv t, jv keys) { + return t; + } + ++#ifndef MAX_PATH_DEPTH ++#define MAX_PATH_DEPTH (10000) ++#endif ++ + jv jv_setpath(jv root, jv path, jv value) { + if (jv_get_kind(path) != JV_KIND_ARRAY) { + jv_free(value); +@@ -382,6 +386,12 @@ jv jv_setpath(jv root, jv path, jv value) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(value); ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)){ + jv_free(value); + jv_free(path); +@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)) { + jv_free(path); + return root; +@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) { + jv_free(elem); + return err; + } ++ if 
(jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { ++ jv_free(object); ++ jv_free(paths); ++ jv_free(elem); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + jv_free(elem); + } + if (jv_array_length(jv_copy(paths)) == 0) { +diff --git a/tests/jq.test b/tests/jq.test +index 4ecf72f..6186d8b 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2507,3 +2507,28 @@ strflocaltime("" | ., @uri) + 0 + "" + "" ++ ++# regression test for CVE-2026-33947 ++setpath([range(10000) | 0]; 0) | flatten ++null ++[0] ++ ++try setpath([range(10001) | 0]; 0) catch . ++null ++"Path too deep" ++ ++getpath([range(10000) | 0]) ++null ++null ++ ++try getpath([range(10001) | 0]) catch . ++null ++"Path too deep" ++ ++delpaths([[range(10000) | 0]]) ++null ++null ++ ++try delpaths([[range(10001) | 0]]) catch . ++null ++"Path too deep" diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 71d7387bf8..6df1d46f48 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://run-ptest \ file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ file://CVE-2026-32316.patch \ + file://CVE-2026-33947.patch \ " inherit autotools ptest
From patchwork Thu Apr 23 12:48:02 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86712
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 4/19] jq: patch CVE-2026-33948
Date: Fri, 24 Apr 2026 00:48:02 +1200
Message-ID: <20260423124823.1983261-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126580

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 8d399af3337b25d71f8cd4308b9788ac4e88b730)
Signed-off-by: Ankur Tyagi
--- .../jq/jq/CVE-2026-33948.patch | 49 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch new file mode 100644 index 0000000000..8625429c74 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch 
@@ -0,0 +1,49 @@ +From 19a792c4cdb6b91c056eac033ac3367af6e67755 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:46:11 +0900 +Subject: [PATCH] Fix NUL truncation in the JSON parser + +This fixes CVE-2026-33948. + +CVE: CVE-2026-33948 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b] +Signed-off-by: Gyorgy Sarvari +--- + src/util.c | 8 +------- + tests/shtest | 6 ++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index bcb86da..60ec4d5 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -309,13 +309,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { + if (p != NULL) + state->current_line++; + +- if (p == NULL && state->parser != NULL) { +- /* +- * There should be no NULs in JSON texts (but JSON text +- * sequences are another story). +- */ +- state->buf_valid_len = strlen(state->buf); +- } else if (p == NULL && feof(state->current_input)) { ++ if (p == NULL && feof(state->current_input)) { + size_t i; + + /* +diff --git a/tests/shtest b/tests/shtest +index 887a6bb..a046afe 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -842,4 +842,10 @@ if ! $msys && ! $mingw; then + fi + fi + ++# CVE-2026-33948: No NUL truncation in the JSON parser ++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then ++ printf 'Error expected but jq exited successfully\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index 6df1d46f48..acea1e4b27 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ file://CVE-2026-32316.patch \ file://CVE-2026-33947.patch \ + file://CVE-2026-33948.patch \ " inherit autotools ptest From patchwork Thu Apr 23 12:48:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86714 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2695CF589B8 for ; Thu, 23 Apr 2026 12:49:15 +0000 (UTC) Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.18660.1776948549627584285 for ; Thu, 23 Apr 2026 05:49:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=Cv/3Jvil; spf=pass (domain: gmail.com, ip: 209.85.214.180, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2b4583f0a1aso41835945ad.3 for ; Thu, 23 Apr 2026 05:49:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948549; x=1777553349; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=VM5NaAAxIkcwrKTrrsoZYrrn0IhHdIYsfEKgXTEYSgM=; b=Cv/3JviljuNQEL3P3Dt5uCVtMTnBW8eGN4lkwMwoK9d2douiZrXyC+zjLndX066glA Efn41YPINIlvP0uW/MLpJYaTRp/jAElxL+BLhX3pEz05p7GO+DakpxYeGuw1sgu84ncI nsoXlTqyg5abwW62SM6MpwFYnJ8TxCcm/WuHkqwlZKLT+25QF1zFjlGFRqRoJhHB4HD5 B9g+aD3HASp+DnGRch0Es9X/fUCIOA9aGz/WYHmJF0P7cGaEP6EcV+itdBFJ1uYPGWbF uTjkeWWx5zAQ+eKi3xUduV52SCIka4TVLkVn5GLvsyOA9JTWSo36dObb91VxyBWbYFqj uenQ== 
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776948549; x=1777553349; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=VM5NaAAxIkcwrKTrrsoZYrrn0IhHdIYsfEKgXTEYSgM=; b=s2u9eQNO8XTDWFeCUnSuzDCWPyIOlbfYDnRDKXHUpeB6FvKUjG8bjdLmoHFOeqnMyJ DmkJ7hGaEA65PPjJfw04GspI4qXkebX8AaxkkvPoRuCxIvn1h41jxgH2rE0/3/LadWN6 BC7vyKIJJO9AonFQcvNJ1EQiCWEknee5HSjPpStp8r310aBF3ybY8ymBNgyYVJyDpbjE NQua4e11TlBQKif20YR4xxY1nRnnApNasmu61XeDOkKMKB9oIE8sg3bWXmTI43mAWpxh 2lKXxPn7uHTrVGOQ4g2XwkVEmD72Z2EgdDT4HLiElIQIb87lgMQqMQrUtmKAj28rUb4K UD1g== X-Gm-Message-State: AOJu0YzznhcpTYLfWMtJfx9ygm9ny+l0JsayTeFOMwJbtAiRK5TJwcjz gf4Is4gihB3bYrDySJrIU8UIdDyykGLm+Stt+6P5vysIbJ2zfT01eshUmmbIihD3 X-Gm-Gg: AeBDietZfQrTbRwTvQPH7QNW35iJXTVC4a04KEe8U+/Pk9Y2xJ41P3jVSjUIxY5tkDc yE42sYXtJPeyz3ZIk7TQ4nNT9+D2DqsSInh1W63CiOK6FsC7nE+gmJ0g2XtzZT0zxrGEPqrNA7c rETWWUwkqKl28B42SWX6ZGIgFzyA/wmSlCB0hd39MA4kMsFxbrSVUyIuVpWe6V3x8TV640Kunbu m8h82utUN8b0agnSVtHjmQaToLd8hOoMVvN9m7SulGZQ2bv+ODJab4lulS6kUkTrHm6SjUqqWlp wYAiCGbPnXBy7ZGEyZLomOWRPR9cvRTdUuAreMIuzpwPWhzYYrXjb/sh+yu3gE7+E5XgLOuFuZh v8/oOwopSeOlSkwOhX/LYbVsOOMZOMhIZSrGSX9qJZK2Cgp8HK1pc02Zip6GK8Vb95yiSMKxWt2 1TJLNUOQeRCGEAqaYrU0/xipACRubdfllm2Mp/M4PEUQJn8bk= X-Received: by 2002:a17:902:7003:b0:2b0:bed1:46f7 with SMTP id d9443c01a7336-2b5f9fdfb9bmr196564885ad.37.1776948548754; Thu, 23 Apr 2026 05:49:08 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b5faa14487sm204043415ad.18.2026.04.23.05.49.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 Apr 2026 05:49:08 -0700 (PDT) 
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 5/19] jq: patch CVE-2026-39979
Date: Fri, 24 Apr 2026 00:48:03 +1200
Message-ID: <20260423124823.1983261-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126581

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 2b1e34f0f51b103fa37f163cdccdeebf821ac7c1)
Signed-off-by: Ankur Tyagi
---
 .../jq/jq/CVE-2026-39979.patch | 31 +++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch new file mode 100644 index 0000000000..40c57a46a0 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch
@@ -0,0 +1,31 @@ +From ac09f274b6c029a23e3dffc38afac819b5daacc4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:04:52 +0900 +Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized() + +This fixes CVE-2026-39979. + +Co-authored-by: Mattias Wadman + +CVE: CVE-2026-39979 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f] +Signed-off-by: Gyorgy Sarvari +--- + src/jv_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index ffcf51f..e6b8aa9 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -892,8 +892,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb index acea1e4b27..026f6bfa71 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb 
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${ file://CVE-2026-32316.patch \ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ + file://CVE-2026-39979.patch \ " inherit autotools ptest
From patchwork Thu Apr 23 12:48:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86715
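Review bot: In the src/jv_parse.c hunk of CVE-2026-39979.patch, `%.*s` takes its precision from `length`, which is a signed `int` parameter of jv_parse_sized_custom_flags(); C treats a negative precision as if it were omitted, so a negative `length` would bring back the unbounded `%s` read that this change removes. Worth confirming that every caller passes a non-negative length, or clamping it to zero before the jv_string_fmt() call.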
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 6/19] lcms: patch CVE-2026-41254
Date: Fri, 24 Apr 2026 00:48:04 +1200
Message-ID: <20260423124823.1983261-6-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126582

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-41254

Backport the patches referenced by the NVD advisory.

Signed-off-by: Ankur Tyagi
---
 .../lcms/lcms/CVE-2026-41254_1.patch | 30 ++++++++++++++++
 .../lcms/lcms/CVE-2026-41254_2.patch | 36 +++++++++++++++++++
 meta-oe/recipes-support/lcms/lcms_2.16.bb | 5 ++-
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
 create mode 100644 meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch
diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch new file mode 100644 index 0000000000..7bf46706e5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_1.patch
@@ -0,0 +1,30 @@ +From 524f3df7511b49543a65a7de2a08640777c1b29c Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 19 Feb 2026 09:07:20 +0100 +Subject: [PATCH] Fix integer overflow in CubeSize() + +Thanks to @zerojackyi for reporting + +(cherry picked from commit da6110b1d14abc394633a388209abd5ebedd7ab0) + +CVE: CVE-2026-41254 +Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0] +Signed-off-by: Ankur Tyagi +--- + src/cmslut.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/cmslut.c b/src/cmslut.c +index 1ea61a8..3488d0c 100644 +--- a/src/cmslut.c ++++ b/src/cmslut.c +@@ -460,7 +460,8 @@ void EvaluateCLUTfloatIn16(const cmsFloat32Number In[], cmsFloat32Number Out[], + static + cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b) + { +- cmsUInt32Number rv, dim; ++ cmsUInt32Number dim; ++ cmsUInt64Number rv; + + _cmsAssert(Dims != NULL); + diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch new file mode 100644 index 0000000000..0602258ef5 --- /dev/null +++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-41254_2.patch 
@@ -0,0 +1,36 @@ +From 73ffd45705d368c159bb819ab0b1a033638c3ffe Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 12 Mar 2026 22:57:35 +0100 +Subject: [PATCH] check for overflow + +Thanks to Guanni Qu for detecting & reporting the issue + +(cherry picked from commit e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc) + +CVE: CVE-2026-41254 +Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc] +Signed-off-by: Ankur Tyagi +--- + src/cmslut.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cmslut.c b/src/cmslut.c +index 3488d0c..f2d0ec4 100644 +--- a/src/cmslut.c ++++ b/src/cmslut.c +@@ -468,12 +468,12 @@ cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b) + for (rv = 1; b > 0; b--) { + + dim = Dims[b-1]; +- if (dim <= 1) return 0; // Error +- +- rv *= dim; ++ if (dim <= 1) return 0; + + // Check for overflow + if (rv > UINT_MAX / dim) return 0; ++ ++ rv *= dim; + } + + // Again, prevent overflow diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb index 9422c7330b..c67653757f 100644 --- a/meta-oe/recipes-support/lcms/lcms_2.16.bb +++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb 
@@ -3,7 +3,10 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a" -SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz" +SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \ + file://CVE-2026-41254_1.patch \ + file://CVE-2026-41254_2.patch \ +" SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51" DEPENDS = "tiff"
From patchwork Thu Apr 23 12:48:05 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86716
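Review bot: In CVE-2026-41254_1.patch, `rv` in CubeSize() becomes cmsUInt64Number while the function still returns cmsUInt32Number, so the widening only helps because of the UINT_MAX checks around it (visible as context in CVE-2026-41254_2.patch). A short comment on the `rv` declaration saying why it is 64-bit would keep a later cleanup from narrowing it again, and the two patches need to stay in this order in SRC_URI, since the second one's index line starts from 3488d0c, the result of the first.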
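Review bot: CVE-2026-41254_2.patch drops the `// Error` comment from `if (dim <= 1) return 0;` in CubeSize() while moving `rv *= dim;` below the `rv > UINT_MAX / dim` test. Every failure path visible here reports itself by returning 0, so I would keep that comment, or replace it with one saying that callers must treat a 0 return as an invalid grid; the reordering itself is what keeps the product within 32 bits on each iteration and deserves a comment of its own.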
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][whinlatter][PATCH 7/19] libcoap: patch CVE-2026-29013
Date: Fri, 24 Apr 2026 00:48:05 +1200
Message-ID: <20260423124823.1983261-7-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126583

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-29013

Debian[1] also identified this as a fix.

[1] https://security-tracker.debian.org/tracker/CVE-2026-29013

Signed-off-by: Ankur Tyagi
---
 .../libcoap/libcoap/CVE-2026-29013.patch | 86 +++++++++++++++++++
 .../libcoap/libcoap_4.3.5a.bb | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta-networking/recipes-devtools/libcoap/libcoap/CVE-2026-29013.patch
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2026-29013.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2026-29013.patch new file mode 100644 index 0000000000..87d4016af9 --- /dev/null +++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2026-29013.patch
@@ -0,0 +1,86 @@ +From 9e830709e98b0213c8806157ccae13df9d3fed74 Mon Sep 17 00:00:00 2001 +From: Jon Shallow +Date: Tue, 24 Mar 2026 14:15:09 +0000 +Subject: [PATCH] sanitizer: Fix reported issues + +coap_new_cache_entry() does not correctly check for no PDU data when called +with COAP_CACHE_RECORD_PDU. No current libcoap code (examples and library) +call coap_new_cache_entry() with COAP_CACHE_RECORD_PDU set. + +Internal function coap_pdu_resize() can be used to reduce a PDU size, +creating current options confusion. Fix is not to reduce PDU if new +size is smaller than the current used size. No current libcoap code calls +coap_pdu_resize() to reduce the size. + +If there is an issue with the PDU options where the maximum used option +value is larger than the last defined option value, an assert() is triggered. + +All of the coap_*_option() functions correctly manage pdu->max_opt, but +this issue could occur if coap_pdu_resize() was called to reduce the PDU size +below that of pdu->used_size. + +(cherry picked from commit b7847c4dbb0dbee7c90b09a673d4cae256f03718) + +CVE: CVE-2026-29013 +Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/b7847c4dbb0dbee7c90b09a673d4cae256f03718] +Signed-off-by: Ankur Tyagi +--- + src/coap_cache.c | 3 ++- + src/coap_pdu.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/coap_cache.c b/src/coap_cache.c +index 16931f56..e018604d 100644 +--- a/src/coap_cache.c ++++ b/src/coap_cache.c +@@ -203,7 +203,8 @@ coap_new_cache_entry_lkd(coap_session_t *session, const coap_pdu_t *pdu, + memcpy(entry->pdu, pdu, offsetof(coap_pdu_t, token)); + memcpy(entry->pdu->token, pdu->token, pdu->used_size); + /* And adjust all the pointers etc. 
*/ +- entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token); ++ if (pdu->data) ++ entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token); + } + } + entry->cache_key = coap_cache_derive_key(session, pdu, session_based); +diff --git a/src/coap_pdu.c b/src/coap_pdu.c +index 9394e6fe..2e06ccbc 100644 +--- a/src/coap_pdu.c ++++ b/src/coap_pdu.c +@@ -280,10 +280,12 @@ fail: + int + coap_pdu_resize(coap_pdu_t *pdu, size_t new_size) { + if (new_size > pdu->alloc_size) { ++ /* Expanding the PDU usage */ + #if !defined(WITH_LWIP) + uint8_t *new_hdr; + size_t offset; + #endif ++ + if (pdu->max_size && new_size > pdu->max_size) { + coap_log_warn("coap_pdu_resize: pdu too big\n"); + return 0; +@@ -314,8 +316,8 @@ coap_pdu_resize(coap_pdu_t *pdu, size_t new_size) { + else + pdu->actual_token.s = &pdu->token[2]; + #endif ++ pdu->alloc_size = new_size; + } +- pdu->alloc_size = new_size; + return 1; + } + +@@ -629,7 +631,12 @@ coap_insert_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len, + } + prev_number = opt_iter.number; + } +- assert(option != NULL); ++ if (option == NULL) { ++ /* Code is broken somewhere */ ++ coap_log_warn("coap_insert_option: Broken max_opt\n"); ++ return 0; ++ } ++ + /* size of option inc header to insert */ + shift = coap_opt_encode_size(number - prev_number, len); + diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb index 611795e17d..eaece6f1f0 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5a.bb 
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=05d17535846895e23ea4c79b16a9e904" SRC_URI = "git://github.com/obgm/libcoap.git;branch=release-4.3.5-patches;protocol=https;tag=v${PV} \ file://run-ptest \ + file://CVE-2026-29013.patch \ " SRCREV = "e3fdcdcfbd1588754fe9dd4b754ac9397260f0f9"
From patchwork Thu Apr 23 12:48:06 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86718
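Review bot: In the src/coap_cache.c hunk, when `pdu->data` is NULL the new `if (pdu->data)` leaves `entry->pdu->data` holding whatever the preceding `memcpy(entry->pdu, pdu, offsetof(coap_pdu_t, token))` copied, so the cached copy only ends up with a NULL data pointer if `data` sits before `token` in coap_pdu_t. An explicit `else entry->pdu->data = NULL;` would make the cached PDU independent of the struct layout and rule out a stale pointer in the copy.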
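Review bot: In coap_pdu_resize(), moving `pdu->alloc_size = new_size;` inside the `new_size > pdu->alloc_size` branch means every request to shrink now returns 1 without changing anything, while the commit message describes refusing only a reduction below the currently used size. Returning success for a request that was ignored is easy to misread at call sites; a line in the function's comment stating that shrinking is a no-op would document the new contract.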
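Review bot: In coap_insert_option(), the `option == NULL` path that replaces the assert() returns 0 with only "Broken max_opt" in the log. Logging `number` and `pdu->max_opt` there would make the inconsistency diagnosable from a field report, which matters more now that the condition no longer stops the process.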
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][whinlatter][PATCH 8/19] libgphoto2: patch CVE-2026-40333
Date: Fri, 24 Apr 2026 00:48:06 +1200
Message-ID: <20260423124823.1983261-8-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126584

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40333

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
Signed-off-by: Ankur Tyagi
---
 .../gphoto2/libgphoto2/CVE-2026-40333.patch | 150 ++++++++++++++++++
 .../gphoto2/libgphoto2_2.5.33.bb | 3 +-
 2 files changed, 152 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch new file mode 100644 index 0000000000..77c307e88d --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
@@ -0,0 +1,150 @@ +From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 15:18:42 +0200 +Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length + Parameter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept +const unsigned char** data but no length/size parameter. They perform +unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat, +up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events() +have xsize available but never pass it. + + CVE-2026-40333 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40333 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++------- + 1 file changed, 44 insertions(+), 9 deletions(-) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 09421b7..09dcc24 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned + + + static inline uint16_t +-ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) ++ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size ) + { + /* + EOS ImageFormat entries look are a sequence of u32 values: +@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data ) + + const uint8_t* d = *data; + uint32_t offset = 0; +- uint32_t n = dtoh32o (d, offset); ++ uint32_t n; + uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0; + ++ if (*size < sizeof(uint32_t)) { ++ ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size); ++ return 0; ++ } ++ n = dtoh32o (d, offset); ++ *size -= sizeof(uint32_t); ++ + if 
(n != 1 && n !=2) { + ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n); + return 0; + } +- ++ if (*size < sizeof(uint32_t)) { ++ ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size); ++ return 0; ++ } + l = dtoh32o (d, offset); ++ *size -= sizeof(uint32_t); ++ + if (l != 0x10) { + ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); + return 0; + } + ++ if (*size < 3*sizeof(uint32_t)) { ++ ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size); ++ return 0; ++ } + t1 = dtoh32o (d, offset); + s1 = dtoh32o (d, offset); + c1 = dtoh32o (d, offset); ++ *size -= 3*sizeof(uint32_t); + + if (n == 2) { ++ if (*size < sizeof(uint32_t)) { ++ ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size); ++ return 0; ++ } + l = dtoh32o (d, offset); ++ *size -= sizeof(uint32_t); ++ + if (l != 0x10) { + ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l); + return 0; + } ++ if (*size < 3*sizeof(uint32_t)) { ++ ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size); ++ return 0; ++ } + t2 = dtoh32o (d, offset); + s2 = dtoh32o (d, offset); + c2 = dtoh32o (d, offset); +@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3 + + + static inline char* +-ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data ) ++ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size ) + { +- uint32_t s = dtoh32a( *data ); +- uint32_t n = s/4, i; ++ uint32_t s, n, i; + char *str, *p; + ++ if (*size < sizeof(uint32_t)) ++ return strdup("bad length"); ++ ++ s = dtoh32a( *data ); ++ n = s/4; ++ ++ if (*size < 4+s) ++ return strdup("bad length"); ++ + if (s > 1024) { + ptp_debug (params, "customfuncex data is larger than 1k / %d... 
unexpected?", s); + return strdup("bad length"); +@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in + case PTP_DPC_CANON_EOS_ImageFormatExtHD: + /* special handling of ImageFormat properties */ + for (j=0;jFORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); ++ dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); + ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16); + } + break; +@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in + case PTP_DPC_CANON_EOS_ImageFormatSD: + case PTP_DPC_CANON_EOS_ImageFormatExtHD: + dpd->DataType = PTP_DTC_UINT16; +- dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata ); ++ dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize ); + dpd->CurrentValue.u16 = dpd->DefaultValue.u16; + ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16); + break; +@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in + dpd->DataType = PTP_DTC_STR; + free (dpd->DefaultValue.str); + free (dpd->CurrentValue.str); +- dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata ); ++ dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize ); + dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str ); + ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str); + break; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 6b5e6c21b9..e5a64c504a 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -12,7 +12,8 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2" SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://40-libgphoto2.rules \ file://0001-configure-Filter-out-buildpaths-from-CC.patch \ -" + file://CVE-2026-40333.patch \ + " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"
From patchwork Thu Apr 23 12:48:07 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86717
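Review bot: In ptp_unpack_EOS_ImageFormat(), the `n == 2` branch checks `*size < 3*sizeof(uint32_t)` before reading t2, s2 and c2, but no matching `*size -= 3*sizeof(uint32_t);` is added after those reads, unlike the first triple. After a two-entry ImageFormat the caller's `xsize` is left 12 bytes too large, and ptp_unpack_EOS_events() calls this function in a loop with the same `&xsize`, so the later bounds checks are weaker than the data actually remaining. Suggest adding the decrement after the `c2` read.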
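Review bot: In ptp_unpack_EOS_CustomFuncEx(), `*size < 4+s` is evaluated before the existing `s > 1024` limit, and `4+s` is unsigned 32-bit arithmetic on a value read from the device, so it wraps for `s` close to UINT32_MAX; the read is stopped only because the `s > 1024` check follows. Testing `s > 1024` first, or writing the bound as `*size - 4 < s` (safe once `*size >= 4` has been checked), removes the dependence on that ordering. The function also never reduces `*size`, so the caller's remaining-length count is stale after it returns.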
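Review bot: In the libgphoto2_2.5.33.bb hunk the closing quote of SRC_URI changes from `"` at the start of the line to an indented `"`, which is why the diffstat shows a deletion for what is a one-line addition. Leaving the closing quote as it was keeps the hunk to a single `+` line and avoids whitespace churn in a list that 9/19 of this series appends to again.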
5k+OS4exNL3jIgBXr5vQ27ZgnYEC5LDEWvClWGoVDZZkO4sSWksdK5BoSNWXywz/fHa3 iuBHm8Fg8DrbxpZ5h0+xCl8pVFLOvl76XBRIkghg8D+vTTH2CY+nIAVj8EtSjiExj1mJ u8Nb+LW/OH7+BxylihCUbJeE8EG/yVYntacxW1gyhxNdD/jI+RLB336JA1JwuNKd4+l7 cjaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776948568; x=1777553368; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=XIM7icUHErCSROTJJwtt5d/U1crUy1umV20jPba6VXg=; b=U5ZSijcHj7te97e1C7LSm4x7mTY3/l/P2t8Y7Mte4+ssumcDCCcY4VvzcHoKSa+4eX QpEc4tELAdeeTi6nbRQAAFBO8YDqywN52z0sr5yZEYMt951IJtfAxd/lecolcsRf/6QF trd9gBs/8F2aWpYTPObVbAy5Ox5RKuHUz5z34ZfUPQq7kfbyjJxU+t7ws3I4ylkINPBe 0rZC8JycFoAnvu9NVD0I5PTDIOi+dPY4bXhFL5K/JCeKJyYmSLWPtmn9xibvFRJm3gAF ev0bVyOIc8axxBM5p0uo141s+a/1sxHHmnWEWbWAtrW9aWc/ec5Wb+T/0vGQieUu9fuQ vABQ== X-Gm-Message-State: AOJu0YyF2YrytuzhMTCupGFCUeInsLHksc2C1b5R0Zbg1Uptwxuitzba xHF/ne3BzPN8pJsaW6QmpLeNoqAWqkeYdYeKmPEdNzj3DEqthd5qhfU74GY3eTXP X-Gm-Gg: AeBDiesQ8f6WbLoWji+RzfCDYQkV5XzRCvxP/NEzsD68ra4fW26QNxryqAbP81s52KH sYPp7/4sHk4EhdrMEfRXytHYBG9s23ciS9w/386pocJzePDqjFvgs99RJCIZvV/hCUkt+2Fz2ON BIhi0al8Y7FzUWUHKJ2ULmbC+y6T+TK/tpsC9G6JiCYK0kYOGfYtFhblin5bHNjpsj7DzuCu/fL DSBMSkccZBzhHCEse6JS1FYmK9cwdSEfFlx/hDAtItaufHDAPtZAoSMYWcu5Qq4L1YW5+CNqr4N +4IRbQBB7v2/L6kgJBVFu1p6TWeuSDn03vPEFJd8OxNkvZ1r+No/M5nMAoPqNC2MUM2wrEuEvKU gCkhsaLACYS/hH5zqs7rzwq8AT7rdKUfxr8aQ8IgHqZHHMsswG1IMuwrxmaevbP54hxoshWzTZ2 SHv+3o8H1WSA+6L8/qtUP1PH+I+eLW1x089sJV8HMt58UGsJw= X-Received: by 2002:a17:902:8d98:b0:2b4:5fae:cbd8 with SMTP id d9443c01a7336-2b5f9f83117mr200681595ad.37.1776948568470; Thu, 23 Apr 2026 05:49:28 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b5faa14487sm204043415ad.18.2026.04.23.05.49.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 Apr 2026 05:49:28 -0700 (PDT) 
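Review bot: in the "@@ -2275,7 +2310,7 @@" hunk of the embedded CVE-2026-40333.patch, the result of ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize ) goes straight into strdup( (char*)dpd->DefaultValue.str ) on the next line with no NULL check. The patch also adds a "return strdup("bad length");" error path further up; if that return belongs to this function, the strdup can itself fail, and on success a truncated record becomes a property value that literally reads "bad length" and cannot be told apart from camera data. Suggest checking dpd->DefaultValue.str before duplicating it, and stating in the patch description that the length error is reported in-band as a string.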
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 9/19] libgphoto2: patch CVE-2026-40334 Date: Fri, 24 Apr 2026 00:48:07 +1200 Message-ID: <20260423124823.1983261-9-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126585 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40334 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit ce3fa8ad2a403c0c9bfcbcc9f4fc877c6ffb9fab) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40334.patch | 37 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch new file mode 100644 index 0000000000..883582dff0 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch 
@@ -0,0 +1,37 @@ +From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 15:15:54 +0200 +Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte +buffer without explicit null termination. The EOS variant at line +1451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1] += 0; confirming this was recognized as necessary but not applied to the +original Canon path. + + CVE-2026-40334 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40334 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 09dcc24..982b4f4 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde + fe->ObjectSize = dtoh32a(data + PTP_cfe_ObjectSize); + fe->Time = (time_t)dtoh32a(data + PTP_cfe_Time); + strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen); ++ fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0'; + } + + /* diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index e5a64c504a..9e4726d8e9 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://40-libgphoto2.rules \ file://0001-configure-Filter-out-buildpaths-from-CC.patch \ file://CVE-2026-40333.patch \ + file://CVE-2026-40334.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86720
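Review bot: the added fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0'; in ptp_unpack_Canon_FE() bounds the destination only. The strncpy on the line above it still reads up to PTP_CANON_FilenameBufferLen bytes from data + PTP_cfe_Filename, and nothing in the visible context checks that the packet is that long. Worth confirming that the caller validates the entry size before this function runs, and saying so in a comment next to the copy. The commit message also points at the EOS variant by line number; naming the function instead would survive later edits to ptp-pack.c.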
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 10/19] libgphoto2: patch CVE-2026-40335 Date: Fri, 24 Apr 2026 00:48:08 +1200 Message-ID: <20260423124823.1983261-10-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126586 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40335 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit f735ea20b176591b65deaa456e93ebf7ecbead3f) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40335.patch | 43 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch new file mode 100644 index 0000000000..dfe832e6c8 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch 
@@ -0,0 +1,43 @@ +From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 15:07:38 +0200 +Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?= + =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM + +In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic. + +CVE-2026-40335 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40335 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 982b4f4..7fc120d 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -614,10 +614,14 @@ ptp_unpack_DPV ( + case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break; + + case PTP_DTC_UINT128: ++ if (total - *offset < 16) ++ return 0; + *offset += 16; + /*fprintf(stderr,"unhandled unpack of uint128n");*/ + break; + case PTP_DTC_INT128: ++ if (total - *offset < 16) ++ return 0; + *offset += 16; + /*fprintf(stderr,"unhandled unpack of int128n");*/ + break; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 9e4726d8e9..84ce802ea4 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://0001-configure-Filter-out-buildpaths-from-CC.patch \ file://CVE-2026-40333.patch \ file://CVE-2026-40334.patch \ + file://CVE-2026-40335.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86719
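Review bot: the new "if (total - *offset < 16)" guard in the PTP_DTC_UINT128 and PTP_DTC_INT128 cases of ptp_unpack_DPV() is only safe because of the entry check the commit message cites (*offset < total), which sits outside this hunk; without it the unsigned subtraction would wrap exactly as the message describes for CTVAL. A one-line comment stating that precondition would keep the guard from being copied to a place where it does not hold. The two cases now have identical bodies apart from a commented-out debug line, so they could share one body (case PTP_DTC_UINT128: case PTP_DTC_INT128:) instead of carrying the check twice.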
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 11/19] libgphoto2: patch CVE-2026-40336 Date: Fri, 24 Apr 2026 00:48:09 +1200 Message-ID: <20260423124823.1983261-11-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126587 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40336 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 078f26b084d7a7e4ac61521f73188249b9bdd39a) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40336.patch | 44 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch new file mode 100644 index 0000000000..1a809b4f25 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch 
@@ -0,0 +1,44 @@ +From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 15:13:51 +0200 +Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW + +File: ptp-pack.c:884-885 + +When processing a secondary enumeration list (2024+ Sony cameras), line +884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc() +without freeing the previous allocation from line 857. The original +array and any string values it contains are leaked. + +CVE-2026-40336 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40336 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 7fc120d..fc51d77 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp + /* check if we have a secondary list of items, this is for newer Sonys (2024) */ + if (val < 0x200) { /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */ + if (dpd->FormFlag == PTP_DPFF_Enumeration) { ++ /* free old enum variables */ ++ for (i=0;iFORM.Enum.NumberOfValues;i++) ++ ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i); ++ free (dpd->FORM.Enum.SupportedValue); ++ + N = dtoh16o(data, *poffset); + dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); + if (!dpd->FORM.Enum.SupportedValue) diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 84ce802ea4..85c86a03a6 100644 
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40333.patch \ file://CVE-2026-40334.patch \ file://CVE-2026-40335.patch \ + file://CVE-2026-40336.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86721
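Review bot: in the secondary-list branch of ptp_unpack_Sony_DPD(), the N = dtoh16o(data, *poffset); directly after the added free block reads two bytes with no length check in the visible context, while patch 12/19 of this series adds "if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory;" for the primary list only. Worth confirming against upstream that this second count read is bounded. Note that dpd->FORM.Enum.SupportedValue is left dangling between the added free() and the calloc() assignment two lines later, so any check inserted between them needs to reset the pointer to NULL and NumberOfValues to 0 before bailing out.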
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 12/19] libgphoto2: patch CVE-2026-40338 Date: Fri, 24 Apr 2026 00:48:10 +1200 Message-ID: <20260423124823.1983261-12-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126588 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40338 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit f22e17508e89cf8bbb98e3cbe186bb99e379c456) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40338.patch | 34 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch new file mode 100644 index 0000000000..9f233f2ec9 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch 
@@ -0,0 +1,34 @@ +From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Sat, 11 Apr 2026 10:47:52 +0200 +Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?= + =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check. + +CVE-2026-40338 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40338 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index fc51d77..f90d2a5 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp + break; + case PTP_DPFF_Enumeration: { + #define N dpd->FORM.Enum.NumberOfValues ++ if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory; + N = dtoh16o(data, *poffset); + dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0])); + if (!dpd->FORM.Enum.SupportedValue) diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 85c86a03a6..440b78dffb 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40334.patch \ file://CVE-2026-40335.patch \ file://CVE-2026-40336.patch \ + file://CVE-2026-40338.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86723
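Review bot: the added check in the PTP_DPFF_Enumeration case sends a truncated packet to "goto outofmemory", a label whose name describes allocation failure, so a short read and a failed calloc() become indistinguishable to anyone reading the code or the resulting error. If upstream has no separate label for malformed input, a brief comment on the added line would do. The check is also written as an addition (*poffset + sizeof(uint16_t) > dpdlen) while patch 10/19 uses the subtraction form (total - *offset < 16); both hold under their preconditions, but mixing the two idioms in one file makes the wrap-around cases harder to audit.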
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 13/19] libgphoto2: patch CVE-2026-40339 Date: Fri, 24 Apr 2026 00:48:11 +1200 Message-ID: <20260423124823.1983261-13-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126589 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40339 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 2e3be1dddc215192ff277740271d65cdceaa0b18) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40339.patch | 41 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch new file mode 100644 index 0000000000..b00ac72772 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch 
@@ -0,0 +1,41 @@ +From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Sat, 11 Apr 2026 10:50:47 +0200 +Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?= + =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset) +without a prior bounds check. The standard ptp_unpack_DPD() at line +686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before +this same read, but the Sony variant omits this check. + +CVE-2026-40339 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40339 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index f90d2a5..28648a5 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp + code or the Data Type is a string (with two empty strings as + values). In both cases Form Flag should be set to 0x00 and FORM is + not present. */ +- + if (*poffset==PTP_dpd_Sony_DefaultValue) + return 1; ++ if (*poffset + sizeof(uint8_t) > dpdlen) ++ return 1; + + dpd->FormFlag = dtoh8o(data, *poffset); + ptp_debug (params, "formflag 0x%04x", dpd->FormFlag); diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 440b78dffb..b8d6aee3c1 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40335.patch \ file://CVE-2026-40336.patch \ file://CVE-2026-40338.patch \ + file://CVE-2026-40339.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:12 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86722 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5FA50F589C0 for ; Thu, 23 Apr 2026 12:49:45 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.18678.1776948584099584676 for ; Thu, 23 Apr 2026 05:49:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=GVMpW6Ry; spf=pass (domain: gmail.com, ip: 209.85.214.178, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-2ad9a9be502so41179825ad.0 for ; Thu, 23 Apr 2026 05:49:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948583; x=1777553383; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KBfCX6yF00xghKVGrHV11kwtbDc06JuXsHdj1A9gGYk=; b=GVMpW6RybviChH+RP4onBUmtYRDgSWMfmG1I5zLERGP3M2tIcApzidQc3FBBOFLxhT uXWfPvoVkn5OhELMjgqAXXiHx+PVPbz+E9rJabY9gbbar89TNFvmVjHAFeJlsIafH+mq PRgGicLSOb6as5GImYU71MlkcXr/C6VjxntKne4Fm+MwQIEAfCo2NbYIpv8T7rPRIzt8 /yTamj5KV3ZzzlKJkdb7VVHiTvY+hDS2Fby6FPTrR6/9bqZbd0y1htkZIw4CjyHyLCj+ 
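Review bot: In the ptp-pack.c hunk of CVE-2026-40339.patch, the new `if (*poffset + sizeof(uint8_t) > dpdlen) return 1;` reports success for a truncated descriptor, exactly like the `*poffset==PTP_dpd_Sony_DefaultValue` case just above it, yet nothing in the visible lines sets dpd->FormFlag on either early return. The comment above says Form Flag should be 0x00 when FORM is not present, so confirm that dpd is zeroed before this point in ptp_unpack_Sony_DPD(); otherwise callers see a stale FormFlag on short input. The hunk also drops the blank line before the first `if`, which is harmless, and keeping it identical to the upstream commit named in Upstream-Status is the right call for a backport.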
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 14/19] libgphoto2: patch CVE-2026-40340 Date: Fri, 24 Apr 2026 00:48:12 +1200 Message-ID: <20260423124823.1983261-14-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126590 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40340 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 420e5aec46b8e9344c4d9e692f2e05236b9c89e5) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40340.patch | 40 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch new file mode 100644 index 0000000000..a0852692b0 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch 
@@ -0,0 +1,40 @@ +From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 16:01:48 +0200 +Subject: [PATCH] Fixed ObjectInfo Parser OOB Read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses: + + Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB) + Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB) + Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB) + +The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary. + + CVE-2026-40340 + +Reported-By: Sebastián Alba + +CVE: CVE-2026-40340 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 28648a5..9eba06f 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi, + { + char *capture_date; + +- if (!data || len < PTP_oi_SequenceNumber) ++ if (!data || len < PTP_oi_filenamelen + 5) + return; + + oi->Filename = oi->Keywords = NULL; diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index b8d6aee3c1..40ada8dd20 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -18,6 +18,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40336.patch \ file://CVE-2026-40338.patch \ file://CVE-2026-40339.patch \ + file://CVE-2026-40340.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:13 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86725 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73ECDF589C2 for ; Thu, 23 Apr 2026 12:49:55 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.18680.1776948586951755689 for ; Thu, 23 Apr 2026 05:49:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=pI4lFIlr; spf=pass (domain: gmail.com, ip: 209.85.214.176, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-2b24fede2acso42844415ad.3 for ; Thu, 23 Apr 2026 05:49:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948586; x=1777553386; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=biX2uJrrHn9o2AuZ2J7A8YvWEM1YaV1BS6R3+xNhovE=; b=pI4lFIlruDCvw/YYClN363n378Ipqq8jJi2oupNq64jz3xdaHCkLLKcfeAL64e+2AC vtanRXXOEgVxU7d/4WysKREJ/9vyzJO7GRofxIVI572jzMPB62Zil1T9Yn/iexjCNKfM ui22kSct/6Ckht7rv/zQUTQ3EXXMWj2s7jlBt8EXRvkZd7CF4ZY70hos/b3Pi9Y5+XSB U9so6RsOuI8R97Ous+O6+EOTWGm7QINaiQ+ZWeBr2pOnVqy3si5Tw2zMFVfRzPaxUtic 
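Review bot: The `+ 5` in `len < PTP_oi_filenamelen + 5` (ptp_unpack_OI, CVE-2026-40340.patch) is an unexplained magic number; only the commit message says it covers the `data[PTP_oi_filenamelen+4]` read made by the Samsung Galaxy 64-bit objectsize heuristic. A one-line comment at the check would keep the bound and the reads it protects from drifting apart. Note also that the early `return;` sits before `oi->Filename = oi->Keywords = NULL;`, so buffers whose length falls between the old and the new minimum now leave *oi untouched, and callers must not rely on this function to initialise it.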
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 15/19] libgphoto2: patch CVE-2026-40341 Date: Fri, 24 Apr 2026 00:48:13 +1200 Message-ID: <20260423124823.1983261-15-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126591 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40341 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit de5f93f95d420447043cedbedf798560925c44e1) Signed-off-by: Ankur Tyagi --- .../gphoto2/libgphoto2/CVE-2026-40341.patch | 69 +++++++++++++++++++ .../gphoto2/libgphoto2_2.5.33.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch new file mode 100644 index 0000000000..b71792c185 --- /dev/null +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch 
@@ -0,0 +1,69 @@ +From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001 +From: Marcus Meissner +Date: Wed, 8 Apr 2026 15:28:52 +0200 +Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx + +Do not read out values before checking there is sufficient size + +CVE-2026-40341 + +CVE: CVE-2026-40341 +Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987] +Signed-off-by: Gyorgy Sarvari +--- + camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++--------- + 1 file changed, 25 insertions(+), 9 deletions(-) + +diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c +index 9eba06f..11428ab 100644 +--- a/camlibs/ptp2/ptp-pack.c ++++ b/camlibs/ptp2/ptp-pack.c +@@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value + static inline char* + ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize) + { +- uint32_t size = dtoh32a( *data ); +- uint32_t halfsize = dtoh16a( (*data) + 4); +- uint32_t version = dtoh16a( (*data) + 6); +- uint32_t focus_points_in_struct = dtoh16a( (*data) + 8); +- uint32_t focus_points_in_use = dtoh16a( (*data) + 10); +- uint32_t sizeX = dtoh16a( (*data) + 12); +- uint32_t sizeY = dtoh16a( (*data) + 14); +- uint32_t size2X = dtoh16a( (*data) + 16); +- uint32_t size2Y = dtoh16a( (*data) + 18); ++ uint32_t size; ++ uint32_t halfsize; ++ uint32_t version; ++ uint32_t focus_points_in_struct; ++ uint32_t focus_points_in_use; ++ uint32_t sizeX; ++ uint32_t sizeY; ++ uint32_t size2X; ++ uint32_t size2Y; + uint32_t i; + uint32_t maxlen; + char *str, *p; + ++ if (datasize<4) { ++ ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize); ++ return strdup("bad size 0"); ++ } ++ ++ size = dtoh32a( *data ); + if ((size > datasize) || (size < 20)) { + ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize); + return strdup("bad size 1"); + } ++ ++ halfsize 
= dtoh16a( (*data) + 4); ++ version = dtoh16a( (*data) + 6); ++ focus_points_in_struct = dtoh16a( (*data) + 8); ++ focus_points_in_use = dtoh16a( (*data) + 10); ++ sizeX = dtoh16a( (*data) + 12); ++ sizeY = dtoh16a( (*data) + 14); ++ size2X = dtoh16a( (*data) + 16); ++ size2Y = dtoh16a( (*data) + 18); ++ + /* If data is zero-filled, then it is just a placeholder, so nothing + useful, but also not an error */ + if (!focus_points_in_struct || !focus_points_in_use) { diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb index 40ada8dd20..4ef9bf4272 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb 
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ file://CVE-2026-40338.patch \ file://CVE-2026-40339.patch \ file://CVE-2026-40340.patch \ + file://CVE-2026-40341.patch \ " SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" From patchwork Thu Apr 23 12:48:14 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86724 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AF65F589C4 for ; Thu, 23 Apr 2026 12:49:55 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.18684.1776948589774223905 for ; Thu, 23 Apr 2026 05:49:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=hZnoOaB4; spf=pass (domain: gmail.com, ip: 209.85.216.44, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-35fc2b18363so7419950a91.0 for ; Thu, 23 Apr 2026 05:49:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948589; x=1777553389; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=s4WQ2JMQ3mWa1zfTKtv6qC4WX7ypyxfbiVxAo+Atrsw=; b=hZnoOaB4ENwAiDJmW+azSVILF1QRNG7iHcaDAmZ6AWrTavCj6mnBOLy1IIya4gFba9 DuVvSlZASejBKPb81xgqTrvS4xQuNLTM5NUjSxVJksh3OTclWdovzCumq+llA7Z8bFoZ JWnkSsgkeYNViR/BOLIZ7WmjvHKZ+/GhWZvjhNf3fpPh7CxvsxzTNCEWWUIfas6cI5Tk hGF6cNg9yWjaaIFCAwU4UNBhPms9vyUy7L4PZBBU+OJ43+QD0zFzu1FbGXs+u9/aD+8H 
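Review bot: The added `datasize<4` block in ptp_unpack_EOS_FocusInfoEx (CVE-2026-40341.patch) passes `datasize`, a uint32_t, to ptp_error() with `%d`; `%u` is the matching conversion, and the existing "bad size 1" message has the same mismatch for both of its arguments. The ordering itself is sound: the 4-byte `size` field is read only after `datasize<4` is ruled out, and the reads at offsets 4 through 18 happen only after `size <= datasize` and `size >= 20` hold, so all 20 header bytes lie inside the buffer. As this is a backport, the format fix belongs upstream rather than in a local divergence.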
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 16/19] openjpeg: patch CVE-2026-6192 Date: Fri, 24 Apr 2026 00:48:14 +1200 Message-ID: <20260423124823.1983261-16-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126592 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192 Backport the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 09050325e6e0736beccc40d125e56430054b7cb8) Signed-off-by: Ankur Tyagi --- .../openjpeg/openjpeg/CVE-2026-6192.patch | 35 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.4.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch new file mode 100644 index 0000000000..49be9bd0a6 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch 
@@ -0,0 +1,35 @@ +From 776b00ff792a3c54b65f3bd92dbe7476a5a54106 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Apr 2026 13:25:27 +0200 +Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential + integer overflow leading to insufficient memory allocation + +Fixes #1619 + +CVE: CVE-2026-6192 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951] +Signed-off-by: Gyorgy Sarvari +--- + src/lib/openjp2/pi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 15ac3314..4abb87af 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + l_current_pi = l_pi; + + /* memory allocation for include*/ +- l_current_pi->include_size = l_tcp->numlayers * l_step_l; +- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, +- sizeof(OPJ_INT16)); ++ l_current_pi->include = NULL; ++ if (l_step_l <= UINT_MAX / l_tcp->numlayers) { ++ l_current_pi->include_size = l_tcp->numlayers * l_step_l; ++ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, ++ sizeof(OPJ_INT16)); ++ } + if (!l_current_pi->include) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb index 971cdb2ff9..6f89551a21 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
@@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ file://CVE-2023-39327.patch \ + file://CVE-2026-6192.patch \ " SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f" From patchwork Thu Apr 23 12:48:15 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86726 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96FFBF589C3 for ; Thu, 23 Apr 2026 12:49:55 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.18556.1776948592753741303 for ; Thu, 23 Apr 2026 05:49:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=HY0aRlgK; spf=pass (domain: gmail.com, ip: 209.85.214.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-2adff872068so32693515ad.1 for ; Thu, 23 Apr 2026 05:49:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948592; x=1777553392; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=3kMo6Xh4FHlFIdRi5wD7IYMG1VgdrCt9/OxFD/VMsLM=; b=HY0aRlgKhT3yb/Vwnp0iaS3uapuCeNh2tT9R71B5eElD9c5fuhXs68rki9sna+MGbX cuI7DDwvS+EYC2fEz8/FUN2jFsJ4n5I8iPgMu5GRNbsj7MWHX5G1W5KRkyIlLNm36SKp jVPTI/bLVuROu3m4NWoZsY496k7bpFqyYq5vBUDPYcmPQmv409zRJ3rbL5KVWd9UMyrN 0CPJX/ZHlFQHRyIc65oPTfs32PuDxKUbw1c3uC0dtILhd90rpybePXLkvedv+jTODlFF 
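Review bot: The new guard `l_step_l <= UINT_MAX / l_tcp->numlayers` in opj_pi_initialise_encode() (CVE-2026-6192.patch) divides by `l_tcp->numlayers`, and the visible lines show no check that it is non-zero; confirm that an earlier validation guarantees this, or the overflow check itself becomes a division by zero. UINT_MAX needs <limits.h> and the hunk adds no include, so check that pi.c already pulls it in on every supported toolchain. The failure path is otherwise right: `include` stays NULL and falls into the existing `if (!l_current_pi->include)` cleanup.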
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 17/19] protobuf, python3-protobuf: ignore CVE-2026-6409 Date: Fri, 24 Apr 2026 00:48:15 +1200 Message-ID: <20260423124823.1983261-17-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:49:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126593 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409 The vulnerability impacts only the PHP library component, not the cpp/python one. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit aef8bc34225cd0a56057749d0db1dfac773b17cb) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb | 1 + meta-python/recipes-devtools/python/python3-protobuf_6.33.5.bb | 1 + 2 files changed, 2 insertions(+) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb b/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb index 4356ebeecf..cce2ad11f4 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_6.31.1.bb @@ -27,6 +27,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d\.\d+\.\d+)" CVE_PRODUCT = "google:protobuf protobuf:protobuf google-protobuf protobuf-cpp" CVE_STATUS[CVE-2026-0994] = "cpe-incorrect: the vulnerability affects only python3-protobuf recipe" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" inherit cmake pkgconfig ptest 
diff --git a/meta-python/recipes-devtools/python/python3-protobuf_6.33.5.bb b/meta-python/recipes-devtools/python/python3-protobuf_6.33.5.bb index af9ff85f20..3abee615d5 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_6.33.5.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_6.33.5.bb 
@@ -14,6 +14,7 @@ SRC_URI[sha256sum] = "6ddcac2a081f8b7b9642c09406bc6a4290128fce5f471cddd165960bb9 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python" CVE_STATUS[CVE-2026-0994] = "fixed-version: it is fixed in 6.33.5" +CVE_STATUS[CVE-2026-6409] = "cpe-incorrect: the vulnerability affects only the php library" # http://errors.yoctoproject.org/Errors/Details/184715/ # Can't find required file: ../src/google/protobuf/descriptor.proto From patchwork Thu Apr 23 12:48:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86727 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9153CF589C4 for ; Thu, 23 Apr 2026 12:50:05 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.18558.1776948595557913286 for ; Thu, 23 Apr 2026 05:49:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=k6X6YwQg; spf=pass (domain: gmail.com, ip: 209.85.216.52, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-356337f058aso4250413a91.2 for ; Thu, 23 Apr 2026 05:49:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776948595; x=1777553395; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hi3hEtFKJB4DbjefTneMbapQ6EpjXo3mDZM0IHyERho=; b=k6X6YwQg9nwrlKk3mXFvwss52aQMjqdcPSHzKJeNeNsd30kyYx9s0LIytdGxqW5Qxa UTMLdkl9HEBbl8W7omPEI6xipgXI57j/Ur04zxAevkOFbigG5HAzfkAT7OwCbKqn781z 
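Review bot: Both added `CVE_STATUS[CVE-2026-6409]` lines assert that only the PHP library is affected, but the commit message backs this with the NVD link alone; name the upstream advisory or the affected source path there so the ignore can be re-verified later. A CVE_STATUS entry is keyed to the CVE ID rather than to a version, so it keeps suppressing the finding across recipe upgrades and should be dropped from both recipes if the NVD CPE data is corrected.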
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-python][whinlatter][PATCH 18/19] python3-grpcio: ignore CVE-2026-33186 Date: Fri, 24 Apr 2026 00:48:16 +1200 Message-ID: <20260423124823.1983261-18-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:50:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126594 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186 The vulnerability only affects the Go implementation of the library, not the Python one. Ignore this CVE due to this. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 468ee626f88272eedf275efe6f68640ee643c3f4) Signed-off-by: Ankur Tyagi --- meta-python/recipes-devtools/python/python3-grpcio_1.76.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-grpcio_1.76.0.bb b/meta-python/recipes-devtools/python/python3-grpcio_1.76.0.bb index 037614da3e..6dbffaf7b9 100644 --- a/meta-python/recipes-devtools/python/python3-grpcio_1.76.0.bb +++ b/meta-python/recipes-devtools/python/python3-grpcio_1.76.0.bb
@@ -44,3 +44,4 @@ BBCLASSEXTEND = "native nativesdk" CCACHE_DISABLE = "1" CVE_PRODUCT += "grpc:grpc" +CVE_STATUS[CVE-2026-33186] = "cpe-incorrect: the vulnerabilty affects only the go implementation"
From patchwork Thu Apr 23 12:48:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86728
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Changqing Li , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][whinlatter][PATCH 19/19] libsoup-2.4: fix several CVEs Date: Fri, 24 Apr 2026 00:48:17 +1200 Message-ID: <20260423124823.1983261-19-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> References: <20260423124823.1983261-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Apr 2026 12:50:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126595 From: Changqing Li Fix CVE-2026-1539,CVE-2026-1761,CVE-2026-1801,CVE-2026-2443, CVE-2026-2369,CVE-2026-1760,CVE-2025-14523,CVE-2025-32049,CVE-2026-1467 Refer: CVE-2026-1801 https://gitlab.gnome.org/GNOME/libsoup/-/issues/481 CVE-2026-1761 https://gitlab.gnome.org/GNOME/libsoup/-/issues/493 CVE-2026-2443 https://gitlab.gnome.org/GNOME/libsoup/-/issues/487 CVE-2026-1539 https://gitlab.gnome.org/GNOME/libsoup/-/issues/489 CVE-2026-2369 https://gitlab.gnome.org/GNOME/libsoup/-/issues/498 CVE-2026-1760 https://gitlab.gnome.org/GNOME/libsoup/-/issues/475 CVE-2025-14523 https://gitlab.gnome.org/GNOME/libsoup/-/issues/472 CVE-2025-32049 https://gitlab.gnome.org/GNOME/libsoup/-/issues/390 CVE-2026-1467 https://gitlab.gnome.org/GNOME/libsoup/-/issues/488 Signed-off-by: Changqing Li Signed-off-by: Khem Raj (cherry picked from commit 07d67228162018f5f619dce7183f85e79293378d) 
Signed-off-by: Ankur Tyagi --- .../libsoup/libsoup-2.4/CVE-2025-14523.patch | 52 ++++ .../libsoup-2.4/CVE-2025-32049-1.patch | 229 ++++++++++++++++++ .../libsoup-2.4/CVE-2025-32049-2.patch | 131 ++++++++++ .../libsoup/libsoup-2.4/CVE-2026-1467.patch | 151 ++++++++++++ .../libsoup/libsoup-2.4/CVE-2026-1539.patch | 31 +++ .../libsoup/libsoup-2.4/CVE-2026-1760.patch | 153 ++++++++++++ .../libsoup/libsoup-2.4/CVE-2026-1761.patch | 36 +++ .../libsoup/libsoup-2.4/CVE-2026-1801.patch | 126 ++++++++++ .../libsoup/libsoup-2.4/CVE-2026-2369.patch | 33 +++ .../libsoup/libsoup-2.4/CVE-2026-2443.patch | 135 +++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 10 + 11 files changed, 1087 insertions(+) create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1467.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1539.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1760.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1761.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1801.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2369.patch create mode 100644 meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2443.patch diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch new file mode 100644 index 0000000000..7815dba55a --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-14523.patch 
@@ -0,0 +1,52 @@ +From d6028a6e6a8417b7fb6c89f6c10fb94781435ee6 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Wed, 4 Feb 2026 15:08:50 +0800 +Subject: [PATCH] Reject duplicate Host headers (for libsoup 2) + +This is a simplified version of my patch for libsoup 3: + +!491 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/d3db5a6f8f03e1f0133754872877c92c0284c472] +CVE: CVE-2025-14523 + +This patch is a MR for branch 2-74, but not merged yet, maybe it will +not be merged. + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 3 +++ + libsoup/soup-message-headers.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index ea2f986..6cd3dad 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -138,6 +138,9 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + for (p = strchr (value, '\r'); p; p = strchr (p, '\r')) + *p = ' '; + ++ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (dest, "Host")) ++ goto done; ++ + soup_message_headers_append (dest, name, value); + } + success = TRUE; +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index f612bff..bb20bbb 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -220,6 +220,9 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + } + #endif + ++ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (hdrs, "Host")) ++ return; ++ + header.name = intern_header_name (name, &setter); + header.value = g_strdup (value); + g_array_append_val (hdrs->array, header); +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch new file mode 100644 index 0000000000..64e87cb1ec --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-1.patch 
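Review bot: in CVE-2025-14523.patch, the soup-message-headers.c hunk makes soup_message_headers_append() return silently when a Host header is already present, while the soup-headers.c hunk rejects the whole header block via goto done. The append path therefore keeps the first value and drops the second with no warning, and it does so for every SoupMessageHeaders because the check is not tied to the header type; a g_warning or a line in the function's doc comment would make that visible to callers. The patch header also says the MR for branch 2-74 is not merged and may never be, yet Upstream-Status is Backport with a commit URL; say which upstream commit this derives from, or use a status that matches an unmerged MR.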
@@ -0,0 +1,229 @@ +From c574e659c41c18fad3973bbaa3b3ec75664b3137 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 5 Feb 2026 16:20:02 +0800 +Subject: [PATCH 1/2] websocket: add a way to restrict the total message size + +Otherwise a client could send small packages smaller than +total-incoming-payload-size but still to break the server +with a big allocation + +Fixes: #390 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce] +CVE: CVE-2025-32049 + +libsoup2 is not maintained, the patch is backported from libsoup3, and +change accordingly + +Signed-off-by: Changqing Li +--- + libsoup/soup-websocket-connection.c | 104 ++++++++++++++++++++++++++-- + libsoup/soup-websocket-connection.h | 7 ++ + 2 files changed, 107 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index 9d5f4f8..3dad477 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -85,7 +85,8 @@ enum { + PROP_STATE, + PROP_MAX_INCOMING_PAYLOAD_SIZE, + PROP_KEEPALIVE_INTERVAL, +- PROP_EXTENSIONS ++ PROP_EXTENSIONS, ++ PROP_MAX_TOTAL_MESSAGE_SIZE, + }; + + enum { +@@ -120,6 +121,7 @@ struct _SoupWebsocketConnectionPrivate { + char *origin; + char *protocol; + guint64 max_incoming_payload_size; ++ guint64 max_total_message_size; + guint keepalive_interval; + + gushort peer_close_code; +@@ -152,6 +154,7 @@ struct _SoupWebsocketConnectionPrivate { + }; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -664,7 +667,7 @@ bad_data_error_and_close (SoupWebsocketConnection *self) + } + + static void +-too_big_error_and_close (SoupWebsocketConnection *self, ++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self, + guint64 payload_len) + { + GError *error; +@@ -680,6 +683,23 @@ 
too_big_error_and_close (SoupWebsocketConnection *self, + emit_error_and_close (self, error, TRUE); + } + ++static void ++too_big_message_error_and_close (SoupWebsocketConnection *self, ++ guint64 len) ++{ ++ GError *error; ++ ++ error = g_error_new_literal (SOUP_WEBSOCKET_ERROR, ++ SOUP_WEBSOCKET_CLOSE_TOO_BIG, ++ self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? ++ "Received WebSocket payload from the client larger than configured max-total-message-size" : ++ "Received WebSocket payload from the server larger than configured max-total-message-size"); ++ g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT, ++ self->pv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client", ++ len, self->pv->max_total_message_size); ++ emit_error_and_close (self, error, TRUE); ++} ++ + static void + close_connection (SoupWebsocketConnection *self, + gushort code, +@@ -913,6 +933,12 @@ process_contents (SoupWebsocketConnection *self, + switch (pv->message_opcode) { + case 0x01: + case 0x02: ++ /* Safety valve */ ++ if (pv->max_total_message_size > 0 && ++ (pv->message_data->len + payload_len) > pv->max_total_message_size) { ++ too_big_message_error_and_close (self, (pv->message_data->len + payload_len)); ++ return; ++ } + g_byte_array_append (pv->message_data, payload, payload_len); + break; + default: +@@ -1050,7 +1076,7 @@ process_frame (SoupWebsocketConnection *self) + /* Safety valve */ + if (self->pv->max_incoming_payload_size > 0 && + payload_len >= self->pv->max_incoming_payload_size) { +- too_big_error_and_close (self, payload_len); ++ too_big_incoming_payload_error_and_close (self, payload_len); + return FALSE; + } + +@@ -1357,6 +1383,10 @@ soup_websocket_connection_get_property (GObject *object, + g_value_set_pointer (value, pv->extensions); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ g_value_set_uint64 (value, pv->max_total_message_size); ++ break; ++ + default: + 
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1410,6 +1440,10 @@ soup_websocket_connection_set_property (GObject *object, + pv->extensions = g_value_get_pointer (value); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ pv->max_total_message_size = g_value_get_uint64 (value); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1631,7 +1665,24 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS)); +- ++ /** ++ * SoupWebsocketConnection:max-total-message-size: ++ * ++ * The total message size for incoming packets. ++ * ++ * The protocol expects or 0 to not limit it. ++ * ++ */ ++ g_object_class_install_property (gobject_class, PROP_MAX_TOTAL_MESSAGE_SIZE, ++ g_param_spec_uint64 ("max-total-message-size", ++ "Max total message size", ++ "Max total message size ", ++ 0, ++ G_MAXUINT64, ++ MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ G_PARAM_READWRITE | ++ G_PARAM_CONSTRUCT | ++ G_PARAM_STATIC_STRINGS)); + /** + * SoupWebsocketConnection::message: + * @self: the WebSocket +@@ -2145,6 +2196,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection + } + } + ++/** ++ * soup_websocket_connection_get_max_total_message_size: ++ * @self: the WebSocket ++ * ++ * Gets the maximum total message size allowed for packets. ++ * ++ * Returns: the maximum total message size. 
++ * ++ */ ++guint64 ++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self) ++{ ++ SoupWebsocketConnectionPrivate *pv; ++ ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ pv = self->pv; ++ ++ return pv->max_total_message_size; ++} ++ ++/** ++ * soup_websocket_connection_set_max_total_message_size: ++ * @self: the WebSocket ++ * @max_total_message_size: the maximum total message size ++ * ++ * Sets the maximum total message size allowed for packets. ++ * ++ * It does not limit the outgoing packet size. ++ * ++ */ ++void ++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size) ++{ ++ SoupWebsocketConnectionPrivate *pv; ++ ++ g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self)); ++ pv = self->pv; ++ ++ if (pv->max_total_message_size != max_total_message_size) { ++ pv->max_total_message_size = max_total_message_size; ++ g_object_notify (G_OBJECT (self), "max-total-message-size"); ++ } ++} ++ + /** + * soup_websocket_connection_get_keepalive_interval: + * @self: the WebSocket +diff --git a/libsoup/soup-websocket-connection.h b/libsoup/soup-websocket-connection.h +index f82d723..d2a60e9 100644 +--- a/libsoup/soup-websocket-connection.h ++++ b/libsoup/soup-websocket-connection.h +@@ -136,6 +136,13 @@ SOUP_AVAILABLE_IN_2_58 + void soup_websocket_connection_set_keepalive_interval (SoupWebsocketConnection *self, + guint interval); + ++SOUP_AVAILABLE_IN_2_72 ++guint64 soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self); ++ ++SOUP_AVAILABLE_IN_2_72 ++void soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size); ++ + G_END_DECLS + + #endif /* __SOUP_WEBSOCKET_CONNECTION_H__ */ +-- +2.34.1 + 
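Review bot: in CVE-2025-32049-1.patch, the process_contents hunk tests the new limit as (pv->message_data->len + payload_len) > pv->max_total_message_size, while the existing check in process_frame uses payload_len >= max_incoming_payload_size, so a message of exactly the limit is accepted but a frame of exactly the limit is not; state which boundary is intended. Comparing payload_len against max_total_message_size minus message_data->len would also avoid depending on the addition not wrapping when max-incoming-payload-size is set to 0. The error strings in too_big_message_error_and_close say "payload" where they mean the whole message, and the new getter and setter are tagged SOUP_AVAILABLE_IN_2_72 with no Since: line although they first appear in this backport.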
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch new file mode 100644 index 0000000000..f9c894aaec --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2025-32049-2.patch 
@@ -0,0 +1,131 @@ +From 0bfc66f1082f5d47df99b6fc03f742ef7fa1051e Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 5 Feb 2026 17:19:51 +0800 +Subject: [PATCH] Set message size limit in SoupServer rather than + SoupWebsocketConnection + +We're not sure about the compatibility implications of having a default +size limit for clients. + +Also not sure whether the server limit is actually set appropriately, +but there is probably very little server usage of +SoupWebsocketConnection in the wild, so it's not so likely to break +things. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/soup-server.c | 24 +++++++++++++++++++----- + libsoup/soup-websocket-connection.c | 23 ++++++++++++++++------- + 2 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c +index 63875f3..a3f8597 100644 +--- a/libsoup/soup-server.c ++++ b/libsoup/soup-server.c +@@ -216,6 +216,16 @@ enum { + + G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT) + ++/* SoupWebsocketConnection by default limits only maximum packet size. But a ++ * message may consist of multiple packets, so SoupServer additionally restricts ++ * total message size to mitigate denial of service attacks on the server. ++ * SoupWebsocketConnection does not do this by default because I don't know ++ * whether that would or would not cause compatibility problems for websites. ++ * ++ * This size is in bytes and it is arbitrary. 
++ */ ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 ++ + static SoupClientContext *soup_client_context_ref (SoupClientContext *client); + static void soup_client_context_unref (SoupClientContext *client); + +@@ -1445,11 +1455,15 @@ complete_websocket_upgrade (SoupMessage *msg, gpointer user_data) + + soup_client_context_ref (client); + stream = soup_client_context_steal_connection (client); +- conn = soup_websocket_connection_new_with_extensions (stream, uri, +- SOUP_WEBSOCKET_CONNECTION_SERVER, +- soup_message_headers_get_one (msg->request_headers, "Origin"), +- soup_message_headers_get_one (msg->response_headers, "Sec-WebSocket-Protocol"), +- handler->websocket_extensions); ++ conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION, ++ "io-stream", stream, ++ "uri", uri, ++ "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER, ++ "origin", soup_message_headers_get_one (msg->request_headers, "Origin"), ++ "protocol", soup_message_headers_get_one (msg->response_headers, "Sec-WebSocket-Protocol"), ++ "extensions", handler->websocket_extensions, ++ "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ NULL)); + handler->websocket_extensions = NULL; + g_object_unref (stream); + soup_client_context_unref (client); +diff --git a/libsoup/soup-websocket-connection.c b/libsoup/soup-websocket-connection.c +index 3dad477..e7fa9b7 100644 +--- a/libsoup/soup-websocket-connection.c ++++ b/libsoup/soup-websocket-connection.c +@@ -154,7 +154,6 @@ struct _SoupWebsocketConnectionPrivate { + }; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 +-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -1615,8 +1614,9 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-incoming-payload-size: + * +- * The maximum payload size for incoming packets the protocol expects +- * or 0 to not limit it. 
++ * The maximum payload size for incoming packets, or 0 to not limit it. ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-total-message-size]. + * + * Since: 2.56 + */ +@@ -1668,9 +1668,18 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-total-message-size: + * +- * The total message size for incoming packets. ++ * The maximum size for incoming messages. ++ * Set to a value to limit the total message size, or 0 to not ++ * limit it. + * +- * The protocol expects or 0 to not limit it. ++ * [method@Server.add_websocket_handler] will set this to a nonzero ++ * default value to mitigate denial of service attacks. Clients must ++ * choose their own default if they need to mitigate denial of service ++ * attacks. You also need to set your own default if creating your own ++ * server SoupWebsocketConnection without using SoupServer. ++ * ++ * Each message may consist of multiple packets, so also refer to ++ *[property@WebSocketConnection:max-incoming-payload-size]. + * + */ + g_object_class_install_property (gobject_class, PROP_MAX_TOTAL_MESSAGE_SIZE, +@@ -1679,7 +1688,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + "Max total message size ", + 0, + G_MAXUINT64, +- MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ 0, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS)); +@@ -2210,7 +2219,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s + { + SoupWebsocketConnectionPrivate *pv; + +- g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0); + pv = self->pv; + + return pv->max_total_message_size; +-- +2.34.1 + 
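Review bot: in CVE-2025-32049-2.patch, the soup-server.c hunk defines MAX_TOTAL_MESSAGE_SIZE_DEFAULT as 128 * 1024 without parentheses and then passes (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT to g_object_new, so the cast binds to 128 only; the value is still correct here, but the macro should be parenthesized. With the property default changed to 0, only connections created in complete_websocket_upgrade get a limit, as the new doc comment says; the recipe's commit message should note that client connections and server connections built without SoupServer stay unlimited unless the application sets max-total-message-size. The added doc text uses [property@...] and [method@...] link syntax, whereas the surrounding comments in this file use the SoupWebsocketConnection:name: form.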
diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1467.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1467.patch new file mode 100644 index 0000000000..a1a130ee3a --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1467.patch 
@@ -0,0 +1,151 @@ +From b4f1dcb89a552fc03bfd0e65830b4f76fdc4a232 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Tue, 21 Apr 2026 17:10:37 +0800 +Subject: [PATCH] Fix CVE-2026-1467 + +CVE: CVE-2026-1467 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6dfe506618d2d5856618e5c0f85bd93386dc8012] + +The original backport patch targets libsoup3. This patch has been +adapted accordingly for libsoup2, refer the openSUSE patch, see [1] + +[1] https://www.suse.com/security/cve/CVE-2026-1467.html + +Signed-off-by: Changqing Li +--- + libsoup/soup-auth.c | 2 +- + libsoup/soup-message.c | 5 +++- + libsoup/soup-uri.c | 60 ++++++++++++++++++++++++++++++++++++++++++ + libsoup/soup-uri.h | 2 ++ + 4 files changed, 67 insertions(+), 2 deletions(-) + +diff --git a/libsoup/soup-auth.c b/libsoup/soup-auth.c +index 1896aab..e205fe3 100644 +--- a/libsoup/soup-auth.c ++++ b/libsoup/soup-auth.c +@@ -535,7 +535,7 @@ GSList * + soup_auth_get_protection_space (SoupAuth *auth, SoupURI *source_uri) + { + g_return_val_if_fail (SOUP_IS_AUTH (auth), NULL); +- g_return_val_if_fail (source_uri != NULL, NULL); ++ g_return_val_if_fail (soup_uri_is_valid (source_uri), NULL); + + return SOUP_AUTH_GET_CLASS (auth)->get_protection_space (auth, source_uri); + } +diff --git a/libsoup/soup-message.c b/libsoup/soup-message.c +index da32b42..cc4f22b 100644 +--- a/libsoup/soup-message.c ++++ b/libsoup/soup-message.c +@@ -1044,7 +1044,7 @@ soup_message_new (const char *method, const char *uri_string) + uri = soup_uri_new (uri_string); + if (!uri) + return NULL; +- if (!uri->host) { ++ if (!soup_uri_is_valid (uri)) { + soup_uri_free (uri); + return NULL; + } +@@ -1066,6 +1066,8 @@ soup_message_new (const char *method, const char *uri_string) + SoupMessage * + soup_message_new_from_uri (const char *method, SoupURI *uri) + { ++ g_return_val_if_fail (soup_uri_is_valid (uri), NULL); ++ + return g_object_new (SOUP_TYPE_MESSAGE, + SOUP_MESSAGE_METHOD, method, + SOUP_MESSAGE_URI, uri, +@@ 
-1676,6 +1678,7 @@ soup_message_set_uri (SoupMessage *msg, SoupURI *uri) + SoupMessagePrivate *priv; + + g_return_if_fail (SOUP_IS_MESSAGE (msg)); ++ g_return_if_fail (soup_uri_is_valid (uri)); + priv = soup_message_get_instance_private (msg); + + if (priv->uri) +diff --git a/libsoup/soup-uri.c b/libsoup/soup-uri.c +index bdb7a17..d781ff1 100644 +--- a/libsoup/soup-uri.c ++++ b/libsoup/soup-uri.c +@@ -1342,6 +1342,66 @@ soup_uri_host_equal (gconstpointer v1, gconstpointer v2) + return g_ascii_strcasecmp (one->host, two->host) == 0; + } + ++static gboolean ++is_valid_character_for_host (char c) ++{ ++ static const char forbidden_chars[] = { '\t', '\n', '\r', ' ', '#', '/', ':', '<', '>', '?', '@', '[', '\\', ']', '^', '|' }; ++ int i; ++ ++ for (i = 0; i < G_N_ELEMENTS (forbidden_chars); ++i) { ++ if (c == forbidden_chars[i]) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++static gboolean ++is_host_valid (const char* host) ++{ ++ int i; ++ gboolean is_valid; ++ char *ascii_host = NULL; ++ ++ if (!host || !host[0]) ++ return FALSE; ++ ++ if (g_hostname_is_non_ascii (host)) { ++ ascii_host = g_hostname_to_ascii (host); ++ if (!ascii_host) ++ return FALSE; ++ ++ host = ascii_host; ++ } ++ ++ if ((g_ascii_isdigit (host[0]) || strchr (host, ':')) && g_hostname_is_ip_address (host)) { ++ g_free (ascii_host); ++ return TRUE; ++ } ++ is_valid = TRUE; ++ for (i = 0; host[i] && is_valid; i++) ++ is_valid = is_valid_character_for_host (host[i]); ++ ++ g_free (ascii_host); ++ ++ return is_valid; ++} ++ ++gboolean ++soup_uri_is_valid (SoupURI *uri) ++{ ++ if (!uri) ++ return FALSE; ++ ++ if (!is_host_valid (soup_uri_get_host (uri))) ++ return FALSE; ++ ++ /* FIXME: validate other URI components? 
*/ ++ ++ return TRUE; ++} ++ ++ + gboolean + soup_uri_is_http (SoupURI *uri, char **aliases) + { +diff --git a/libsoup/soup-uri.h b/libsoup/soup-uri.h +index 8015e4f..64099c3 100644 +--- a/libsoup/soup-uri.h ++++ b/libsoup/soup-uri.h +@@ -133,6 +133,8 @@ guint soup_uri_host_hash (gconstpointer key); + SOUP_AVAILABLE_IN_2_28 + gboolean soup_uri_host_equal (gconstpointer v1, + gconstpointer v2); ++SOUP_AVAILABLE_IN_2_68 ++gboolean soup_uri_is_valid (SoupURI *uri); + + #define SOUP_URI_IS_VALID(uri) ((uri) && (uri)->scheme && (uri)->path) + #define SOUP_URI_VALID_FOR_HTTP(uri) ((uri) && ((uri)->scheme == SOUP_URI_SCHEME_HTTP || (uri)->scheme == SOUP_URI_SCHEME_HTTPS) && (uri)->host && (uri)->path) +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1539.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1539.patch new file mode 100644 index 0000000000..c6b813a98f --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1539.patch 
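Review bot: in CVE-2026-1467.patch, three of the four call sites enforce the new host check through g_return_val_if_fail or g_return_if_fail (soup_auth_get_protection_space, soup_message_new_from_uri, soup_message_set_uri); only soup_message_new uses a plain if. GLib's precondition macros are meant for programmer errors, log a critical, and are compiled out when G_DISABLE_CHECKS is defined, so the validation should be an explicit check on those paths too, and callers of soup_message_new_from_uri need to cope with the new NULL return. In soup-uri.c, is_valid_character_for_host rejects only the listed characters, so control characters other than tab, CR and LF still pass. The new soup_uri_is_valid() sits next to the existing SOUP_URI_IS_VALID macro, which tests scheme and path rather than host; a doc comment or a more distinct name would prevent confusion, and SOUP_AVAILABLE_IN_2_68 does not reflect that the symbol is introduced by this backport onto 2.74.3.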
@@ -0,0 +1,31 @@ +From 285faea567e1e2a95226201175dbf745a64a2439 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Fri, 20 Mar 2026 15:04:22 +0800 +Subject: [PATCH 4/4] Also remove Proxy-Authorization header on cross origin + redirect + +Closes #489 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/98c1285d9d78662c38bf14b4a128af01ccfdb446] +CVE: CVE-2026-1539 + +Signed-off-by: Changqing Li +--- + libsoup/soup-session.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c +index cc0d04c..0361856 100644 +--- a/libsoup/soup-session.c ++++ b/libsoup/soup-session.c +@@ -1190,6 +1190,7 @@ soup_session_redirect_message (SoupSession *session, SoupMessage *msg) + /* Strip all credentials on cross-origin redirect. */ + if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) { + soup_message_headers_remove (msg->request_headers, "Authorization"); ++ soup_message_headers_remove (msg->request_headers, "Proxy-Authorization"); + soup_message_set_auth (msg, NULL); + } + +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1760.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1760.patch new file mode 100644 index 0000000000..a5547132a2 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1760.patch 
@@ -0,0 +1,153 @@ +From 0fca37e0fce479284e62091ffb9b7d6caff1c7e4 Mon Sep 17 00:00:00 2001 +From: Carlos Garcia Campos +Date: Thu, 29 Jan 2026 16:43:28 +0100 +Subject: [PATCH] server: close the connection after responsing a request + containing Content-Length and Transfer-Encoding + +Closes #475 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/6224df5a471e9040a99dd3dc2e91817a701b1bf6] +CVE: CVE-2026-1760 + +Signed-off-by: Changqing Li +--- + libsoup/soup-message-headers.c | 86 +++++++++++++++----------------- + libsoup/soup-message-server-io.c | 8 +++ + 2 files changed, 49 insertions(+), 45 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 535cf14..06d9600 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -666,38 +666,13 @@ clear_special_headers (SoupMessageHeaders *hdrs) + static void + transfer_encoding_setter (SoupMessageHeaders *hdrs, const char *value) + { +- if (value) { +- /* "identity" is a wrong value according to RFC errata 408, +- * and RFC 7230 does not list it as valid transfer-coding. +- * Nevertheless, the obsolete RFC 2616 stated "identity" +- * as valid, so we can't handle it as unrecognized here +- * for compatibility reasons. 
+- */ +- if (g_ascii_strcasecmp (value, "chunked") == 0) +- hdrs->encoding = SOUP_ENCODING_CHUNKED; +- else if (g_ascii_strcasecmp (value, "identity") != 0) +- hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED; +- } else +- hdrs->encoding = -1; ++ hdrs->encoding = -1; + } + + static void + content_length_setter (SoupMessageHeaders *hdrs, const char *value) + { +- /* Transfer-Encoding trumps Content-Length */ +- if (hdrs->encoding == SOUP_ENCODING_CHUNKED) +- return; +- +- if (value) { +- char *end; +- +- hdrs->content_length = g_ascii_strtoull (value, &end, 10); +- if (*end) +- hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED; +- else +- hdrs->encoding = SOUP_ENCODING_CONTENT_LENGTH; +- } else +- hdrs->encoding = -1; ++ hdrs->encoding = -1; + } + + /** +@@ -730,29 +705,50 @@ SoupEncoding + soup_message_headers_get_encoding (SoupMessageHeaders *hdrs) + { + const char *header; ++ const char *content_length; ++ const char *transfer_encoding; + + if (hdrs->encoding != -1) + return hdrs->encoding; + +- /* If Transfer-Encoding was set, hdrs->encoding would already +- * be set. So we don't need to check that possibility. +- */ +- header = soup_message_headers_get_one (hdrs, "Content-Length"); +- if (header) { +- content_length_setter (hdrs, header); +- if (hdrs->encoding != -1) +- return hdrs->encoding; +- } ++ /* Transfer-Encoding is checked first because it overrides the Content-Length */ ++ transfer_encoding = soup_message_headers_get_one (hdrs, "Transfer-Encoding"); ++ if (transfer_encoding) { ++ /* "identity" is a wrong value according to RFC errata 408, ++ * and RFC 7230 does not list it as valid transfer-coding. ++ * Nevertheless, the obsolete RFC 2616 stated "identity" ++ * as valid, so we can't handle it as unrecognized here ++ * for compatibility reasons. 
++ */ ++ if (g_ascii_strcasecmp (transfer_encoding, "chunked") == 0) ++ hdrs->encoding = SOUP_ENCODING_CHUNKED; ++ else if (g_ascii_strcasecmp (transfer_encoding, "identity") != 0) ++ hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED; ++ } else { ++ content_length = soup_message_headers_get_one (hdrs, "Content-Length"); ++ if (content_length) { ++ char *end; ++ ++ hdrs->content_length = g_ascii_strtoull (content_length, &end, 10); ++ if (*end) ++ hdrs->encoding = SOUP_ENCODING_UNRECOGNIZED; ++ else ++ hdrs->encoding = SOUP_ENCODING_CONTENT_LENGTH; ++ } ++ } ++ ++ if (hdrs->encoding == -1) { ++ /* Per RFC 2616 4.4, a response body that doesn't indicate its ++ * encoding otherwise is terminated by connection close, and a ++ * request that doesn't indicate otherwise has no body. Note ++ * that SoupMessage calls soup_message_headers_set_encoding() ++ * to override the response body default for our own ++ * server-side messages. ++ */ ++ hdrs->encoding = (hdrs->type == SOUP_MESSAGE_HEADERS_RESPONSE) ? ++ SOUP_ENCODING_EOF : SOUP_ENCODING_NONE; ++ } + +- /* Per RFC 2616 4.4, a response body that doesn't indicate its +- * encoding otherwise is terminated by connection close, and a +- * request that doesn't indicate otherwise has no body. Note +- * that SoupMessage calls soup_message_headers_set_encoding() +- * to override the response body default for our own +- * server-side messages. +- */ +- hdrs->encoding = (hdrs->type == SOUP_MESSAGE_HEADERS_RESPONSE) ? 
+- SOUP_ENCODING_EOF : SOUP_ENCODING_NONE; + return hdrs->encoding; + } + +diff --git a/libsoup/soup-message-server-io.c b/libsoup/soup-message-server-io.c +index 71e943b..df5eafc 100644 +--- a/libsoup/soup-message-server-io.c ++++ b/libsoup/soup-message-server-io.c +@@ -80,6 +80,14 @@ parse_request_headers (SoupMessage *msg, char *headers, guint headers_len, + return SOUP_STATUS_BAD_REQUEST; + } + ++ /* A server MAY reject a request that contains both Content-Length and ++ * Transfer-Encoding or process such a request in accordance with the ++ * Transfer-Encoding alone. Regardless, the server MUST close the connection ++ * after responding to such a request to avoid the potential attacks ++ */ ++ if (*encoding == SOUP_ENCODING_CHUNKED && soup_message_headers_get_one (msg->request_headers, "Content-Length")) ++ soup_message_headers_replace (msg->request_headers, "Connection", "close"); ++ + /* Generate correct context for request */ + req_host = soup_message_headers_get_one (msg->request_headers, "Host"); + if (req_host && strchr (req_host, '/')) { +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1761.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1761.patch new file mode 100644 index 0000000000..573e3e1dd0 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1761.patch 
@@ -0,0 +1,36 @@ +From 07757b7feacfc660c6c463ff2b773c13bc42d2c9 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 19 Mar 2026 17:21:32 +0800 +Subject: [PATCH 3/4] multipart: check length of bytes read + soup_filter_input_stream_read_until() + +We do make sure the read length is smaller than the buffer length when +the boundary is not found, but we should do the same when the boundary +is found. + +Spotted in #YWH-PGM9867-149 +Closes #493 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cfa9d90d1a5c274233554a264c56551c13d6a6f0] +CVE: CVE-2026-1761 + +Signed-off-by: Changqing Li +--- + libsoup/soup-filter-input-stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c +index 2c30bf9..c34510b 100644 +--- a/libsoup/soup-filter-input-stream.c ++++ b/libsoup/soup-filter-input-stream.c +@@ -272,6 +272,6 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + if (eof && !*got_boundary) + read_length = MIN (fstream->priv->buf->len, length); + else +- read_length = p - buf; ++ read_length = MIN ((gsize)(p - buf), length); + return read_from_buf (fstream, buffer, read_length); + } +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1801.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1801.patch new file mode 100644 index 0000000000..5f445f7354 --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-1801.patch 
@@ -0,0 +1,126 @@ +From f9c933e258e9ef2f221cca6395f8092a1c4b93dd Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Thu, 19 Mar 2026 17:10:36 +0800 +Subject: [PATCH 2/4] Fix CVE-2026-1801 + +This patch merges 3 upstream patches + +Chery-pick the first two patches to make the context is the same as the +third patch that fix CVE-2026-1801 + +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/libsoup/-/commit/1e32b5e123aa1689505472bdbfcbd897eac41977, +https://gitlab.gnome.org/GNOME/libsoup/-/commit/8a2e15c88512ae4517d2c2c887d39299725b22da, +https://gitlab.gnome.org/GNOME/libsoup/-/commit/b9a1c0663ff8ab6e79715db4b35b54f560416ddd] +CVE: CVE-2026-1801 + +Signed-off-by: Changqing Li +--- + libsoup/soup-body-input-stream.c | 66 ++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 25 deletions(-) + +diff --git a/libsoup/soup-body-input-stream.c b/libsoup/soup-body-input-stream.c +index 6b95884..25d9312 100644 +--- a/libsoup/soup-body-input-stream.c ++++ b/libsoup/soup-body-input-stream.c +@@ -159,15 +159,18 @@ soup_body_input_stream_read_chunked (SoupBodyInputStream *bistream, + again: + switch (bistream->priv->chunked_state) { + case SOUP_BODY_INPUT_STREAM_STATE_CHUNK_SIZE: +- nread = soup_filter_input_stream_read_line ( +- fstream, metabuf, sizeof (metabuf), blocking, +- &got_line, cancellable, error); +- if (nread <= 0) ++ nread = soup_filter_input_stream_read_until ( ++ fstream, metabuf, sizeof (metabuf), ++ "\r\n", 2, blocking, TRUE, ++ &got_line, cancellable, error); ++ if (nread < 0) + return nread; +- if (!got_line) { +- g_set_error_literal (error, G_IO_ERROR, +- G_IO_ERROR_PARTIAL_INPUT, +- _("Connection terminated unexpectedly")); ++ if (nread == 0 || !got_line) { ++ if (error && *error == NULL) { ++ g_set_error_literal (error, G_IO_ERROR, ++ G_IO_ERROR_PARTIAL_INPUT, ++ ("Connection terminated unexpectedly")); ++ } + return -1; + } + +@@ -180,9 +183,9 @@ again: + + case SOUP_BODY_INPUT_STREAM_STATE_CHUNK: + nread = 
soup_body_input_stream_read_raw ( +- bistream, buffer, +- MIN (count, bistream->priv->read_length), +- blocking, cancellable, error); ++ bistream, buffer, ++ MIN (count, bistream->priv->read_length), ++ blocking, cancellable, error); + if (nread > 0) { + bistream->priv->read_length -= nread; + if (bistream->priv->read_length == 0) +@@ -191,16 +194,19 @@ again: + return nread; + + case SOUP_BODY_INPUT_STREAM_STATE_CHUNK_END: +- nread = soup_filter_input_stream_read_line ( +- SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream), +- metabuf, sizeof (metabuf), blocking, +- &got_line, cancellable, error); +- if (nread <= 0) ++ nread = soup_filter_input_stream_read_until ( ++ SOUP_FILTER_INPUT_STREAM (bistream->priv->base_stream), ++ metabuf, sizeof (metabuf), ++ "\r\n", 2, blocking, TRUE, ++ &got_line, cancellable, error); ++ if (nread < 0) + return nread; +- if (!got_line) { +- g_set_error_literal (error, G_IO_ERROR, +- G_IO_ERROR_PARTIAL_INPUT, +- _("Connection terminated unexpectedly")); ++ if (nread == 0 || !got_line) { ++ if (error && *error == NULL) { ++ g_set_error_literal (error, G_IO_ERROR, ++ G_IO_ERROR_PARTIAL_INPUT, ++ _("Connection terminated unexpectedly")); ++ } + return -1; + } + +@@ -208,13 +214,23 @@ again: + break; + + case SOUP_BODY_INPUT_STREAM_STATE_TRAILERS: +- nread = soup_filter_input_stream_read_line ( +- fstream, buffer, count, blocking, +- &got_line, cancellable, error); +- if (nread <= 0) ++ nread = soup_filter_input_stream_read_until ( ++ fstream, metabuf, sizeof (metabuf), ++ "\r\n", 2, blocking, TRUE, ++ &got_line, cancellable, error); ++ if (nread < 0) + return nread; + +- if (strncmp (buffer, "\r\n", nread) || strncmp (buffer, "\n", nread)) { ++ if (nread == 0) { ++ if (error && *error == NULL) { ++ g_set_error_literal (error, G_IO_ERROR, ++ G_IO_ERROR_PARTIAL_INPUT, ++ _("Connection terminated unexpectedly")); ++ } ++ return -1; ++ } ++ ++ if (nread == 2 && strncmp (metabuf, "\r\n", nread) == 0) { + bistream->priv->chunked_state = 
SOUP_BODY_INPUT_STREAM_STATE_DONE; + bistream->priv->eof = TRUE; + } +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2369.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2369.patch new file mode 100644 index 0000000000..814672caca --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2369.patch @@ -0,0 +1,33 @@ +From 5c4e65fd99ff4e3ae76c7985c5e160bb07ea0f92 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Wed, 25 Mar 2026 11:24:36 +0800 +Subject: [PATCH] sniffer: Handle potential underflow + +Closes #498 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/b91bbd7d7888c85b17a8b33173caa806dff51681] +CVE: CVE-2026-2369 + +Signed-off-by: Changqing Li +--- + libsoup/soup-content-sniffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c +index 3edc568..b091bca 100644 +--- a/libsoup/soup-content-sniffer.c ++++ b/libsoup/soup-content-sniffer.c +@@ -504,6 +504,10 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, + if (!sniff_scriptable && type_row->scriptable) + continue; + ++ /* Ensure we have data to sniff - prevents underflow in resource_length - 1 */ ++ if (resource_length == 0) ++ continue; ++ + if (type_row->has_ws) { + guint index_stream = 0; + guint index_pattern = 0; +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2443.patch b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2443.patch new file mode 100644 index 0000000000..99d42acb1e --- /dev/null +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4/CVE-2026-2443.patch 
@@ -0,0 +1,135 @@ +From 7bb3115a296154e3f465900ea5c984a493385a7f Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Fri, 19 Dec 2025 23:49:05 +0000 +Subject: [PATCH] Fix CVE-2026-2443 + +Upstream-Status: Backport [ +c1796442 soup-message-headers: Rework Range response statuses to match Apache +191ef313 soup-message-headers: Fix rejection of Range headers with trailing garbage +be677bea soup-message-headers: Fix parsing of invalid Range suffix lengths +2bbfdfe8 soup-message-headers: Reject ranges where end is before start +739bf7cb soup-message-headers: Reject invalid Range ends longer than the content +] +CVE: CVE-2026-2443 + +Signed-off-by: Changqing Li +--- + libsoup/soup-message-headers.c | 62 ++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 18 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index bb20bbb..535cf14 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -943,10 +943,16 @@ sort_ranges (gconstpointer a, gconstpointer b) + } + + /* like soup_message_headers_get_ranges(), except it returns: +- * SOUP_STATUS_OK if there is no Range or it should be ignored. +- * SOUP_STATUS_PARTIAL_CONTENT if there is at least one satisfiable range. +- * SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE if @check_satisfiable +- * is %TRUE and the request is not satisfiable given @total_length. ++ * - SOUP_STATUS_OK if there is no Range or it should be ignored due to being ++ * entirely invalid. ++ * - SOUP_STATUS_PARTIAL_CONTENT if there is at least one satisfiable range. ++ * - SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE if @check_satisfiable ++ * is %TRUE, the Range is valid, but no part of the request is satisfiable ++ * given @total_length. ++ * ++ * @ranges and @length are only set if SOUP_STATUS_PARTIAL_CONTENT is returned. 
++ * ++ * See https://httpwg.org/specs/rfc9110.html#field.range + */ + guint + soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, +@@ -960,22 +966,28 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + GArray *array; + char *spec, *end; + guint status = SOUP_STATUS_OK; ++ gboolean is_all_valid = TRUE; + + if (!range || strncmp (range, "bytes", 5) != 0) +- return status; ++ return SOUP_STATUS_OK; /* invalid header or unknown range unit */ + + range += 5; + while (g_ascii_isspace (*range)) + range++; + if (*range++ != '=') +- return status; ++ return SOUP_STATUS_OK; /* invalid header */ + while (g_ascii_isspace (*range)) + range++; + + range_list = soup_header_parse_list (range); + if (!range_list) +- return status; ++ return SOUP_STATUS_OK; /* invalid list */ + ++ /* Loop through the ranges and modify the status accordingly. Default to ++ * status 200 (OK, ignoring the ranges). Switch to status 206 (Partial ++ * Content) if there is at least one partially valid range. Switch to ++ * status 416 (Range Not Satisfiable) if there are no partially valid ++ * ranges at all. 
*/ + array = g_array_new (FALSE, FALSE, sizeof (SoupRange)); + for (r = range_list; r; r = r->next) { + SoupRange cur; +@@ -988,30 +1000,44 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + cur.start = g_ascii_strtoull (spec, &end, 10); + if (*end == '-') + end++; +- if (*end) { ++ if (*end) + cur.end = g_ascii_strtoull (end, &end, 10); +- if (cur.end < cur.start) { +- status = SOUP_STATUS_OK; +- break; +- } +- } else ++ else + cur.end = total_length - 1; + } ++ + if (*end) { +- status = SOUP_STATUS_OK; +- break; +- } else if (check_satisfiable && cur.start >= total_length) { +- if (status == SOUP_STATUS_OK) +- status = SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE; ++ /* Junk after the range */ ++ is_all_valid = FALSE; ++ continue; ++ } ++ ++ if (cur.end < cur.start) { ++ is_all_valid = FALSE; ++ continue; ++ } ++ ++ g_assert (cur.start >= 0); ++ if (cur.end >= total_length) ++ cur.end = total_length - 1; ++ ++ if (cur.start >= total_length) { ++ /* Range is valid, but unsatisfiable */ + continue; + } + ++ /* We have at least one (at least partially) satisfiable range */ + g_array_append_val (array, cur); + status = SOUP_STATUS_PARTIAL_CONTENT; + } + soup_header_free_list (range_list); + + if (status != SOUP_STATUS_PARTIAL_CONTENT) { ++ g_assert (status == SOUP_STATUS_OK); ++ ++ if (is_all_valid && check_satisfiable) ++ status = SOUP_STATUS_REQUESTED_RANGE_NOT_SATISFIABLE; ++ + g_array_free (array, TRUE); + return status; + } +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 68ec576d9b..e588e60cd5 100644 --- a/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta-oe/recipes-support/libsoup/libsoup-2.4_2.74.3.bb 
@@ -40,6 +40,16 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4948.patch \ file://CVE-2025-4969.patch \ file://CVE-2025-4945.patch \ + file://CVE-2025-14523.patch \ + file://CVE-2025-32049-1.patch \ + file://CVE-2025-32049-2.patch \ + file://CVE-2026-2443.patch \ + file://CVE-2026-1801.patch \ + file://CVE-2026-1761.patch \ + file://CVE-2026-1539.patch \ + file://CVE-2026-2369.patch \ + file://CVE-2026-1760.patch \ + file://CVE-2026-1467.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
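Review bot: in the CVE-2026-1760 patch, the first soup-message-headers.c hunk reduces transfer_encoding_setter() and content_length_setter() to `hdrs->encoding = -1;` and leaves their `value` parameter unused, with no comment saying why. A one-line comment stating that the setters now only invalidate the cached encoding, and that parsing happens in soup_message_headers_get_encoding(), would stop a later change from restoring the parsing here and bringing back the order dependence between the two headers.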
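Review bot: in the CVE-2026-1760 patch, the reworked soup_message_headers_get_encoding() only reads Content-Length in the `else` of `if (transfer_encoding)`, so a message carrying "Transfer-Encoding: identity" plus Content-Length leaves hdrs->encoding at -1 and falls through to the SOUP_ENCODING_EOF / SOUP_ENCODING_NONE default. The removed code left the encoding unset for identity and still ran the Content-Length lookup, so this is a behaviour change: for a request, a body announced by Content-Length is no longer treated as a body. Please confirm that is intended and say so in the comment, or fall back to Content-Length when the value is identity. Separately, the context line `const char *header;` has no remaining use after this hunk and can be dropped.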
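Review bot: in parse_request_headers() (soup-message-server-io.c hunk of the CVE-2026-1760 patch), `soup_message_headers_replace (msg->request_headers, "Connection", "close")` discards any other Connection tokens the client sent, and the new comment does not explain that rewriting the request header is the mechanism used to force the close after the response. Please document that in the comment, and note whether dropping the other tokens is deliberate. The check also only fires for `*encoding == SOUP_ENCODING_CHUNKED`; a request with Content-Length and a non-chunked Transfer-Encoding resolves to SOUP_ENCODING_UNRECOGNIZED in the new get_encoding code, so please confirm that case is rejected before this point.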
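Review bot: in soup_filter_input_stream_read_until() (CVE-2026-1761 patch), the new `read_length = MIN ((gsize)(p - buf), length);` can now return fewer bytes than the distance to the boundary while this branch is also the one taken when *got_boundary is set. Please confirm that callers cope with *got_boundary being TRUE when the returned data has been clamped to `length` and does not reach the boundary, or clear the flag when the clamp takes effect. A short comment on the cast, stating that p is never below buf at this point, would also help.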
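Review bot: in the SOUP_BODY_INPUT_STREAM_STATE_CHUNK_SIZE case of soup_body_input_stream_read_chunked() (CVE-2026-1801 patch), the added error string is written as `("Connection terminated unexpectedly")` without the `_` translation macro, while the CHUNK_END and TRAILERS cases in the same patch use `_("Connection terminated unexpectedly")`. This looks like a slip in the backport; please restore `_(...)` so the message stays translatable and consistent with the removed line.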
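Review bot: in the SOUP_BODY_INPUT_STREAM_STATE_TRAILERS case (CVE-2026-1801 patch), `&got_line` is passed to soup_filter_input_stream_read_until() but never checked, unlike the CHUNK_SIZE and CHUNK_END cases, which fail on `nread == 0 || !got_line`. If a trailer line is longer than sizeof (metabuf), the code continues with a partial line; please either check got_line here or add a comment explaining why partial trailer reads are safe to skip. The new test `nread == 2 && strncmp (metabuf, "\r\n", nread) == 0` also stops accepting a bare "\n" as the end of the trailers, which the removed condition attempted to allow, so that change is worth a sentence in the commit message.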
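Review bot: in sniff_unknown() (CVE-2026-2369 patch), the `if (resource_length == 0) continue;` guard sits inside the per-row loop, so when the length is zero every table row is visited only to be skipped. If resource_length does not change between iterations, test it once before the loop and take the same path the function uses when no row matches; that makes the intent clearer than a per-row `continue`. The comment names `resource_length - 1` as the expression being protected, so it would help to say which branch contains it, since the guard is placed ahead of both the `type_row->has_ws` branch and its alternative.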
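Review bot: in soup_message_headers_get_ranges_internal() (CVE-2026-2443 patch), `g_assert (cur.start >= 0);` is evaluated on a value taken straight from the Range header via g_ascii_strtoull(). If cur.start is a signed type, a large enough number in the header turns into a negative start and the assertion aborts the process on remote input; if it is unsigned, the assertion can never fail and is noise. Please replace it with an explicit check that sets `is_all_valid = FALSE;` and continues, as the neighbouring `cur.end < cur.start` test does. The clamp `cur.end = total_length - 1;` also runs before the `cur.start >= total_length` test, so a comment covering the total_length == 0 case would be useful.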
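Review bot: in the SRC_URI hunk of libsoup-2.4_2.74.3.bb, the new entries are not in CVE-number order, and the order is load-bearing without saying so: CVE-2026-2443.patch changes soup-message-headers.c from index bb20bbb to 535cf14 and CVE-2026-1760.patch starts from 535cf14, so 2443 has to be applied first. Please add a comment above these lines, or a sentence in the commit message, stating that the patches are listed in application order, so a later cleanup does not sort them and break the apply step.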