From patchwork Sun Apr 26 13:03:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 86957 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 1/9] jq: patch CVE-2026-32316 Date: Mon, 27 Apr 2026 01:03:43 +1200 Message-ID: <20260426130351.793052-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 26 Apr 2026 13:04:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126617 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316 Signed-off-by: Ankur Tyagi --- .../jq/jq/CVE-2026-32316.patch | 55 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch new file mode 100644 index 0000000000..2f2ff2145f --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch 
@@ -0,0 +1,55 @@ +From 0814c321b08415c18165deac419f0d60a4a7664f Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Thu, 12 Mar 2026 20:28:43 +0900 +Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and + `jvp_string_copy_replace_bad` + +In `jvp_string_append`, the allocation size `(currlen + len) * 2` could +overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small +allocation followed by a large `memcpy`. + +In `jvp_string_copy_replace_bad`, the output buffer size calculation +`length * 3 + 1` could overflow `uint32_t`, again resulting in a small +allocation followed by a large write. + +Add overflow checks to both functions to return an error for strings +that would exceed `INT_MAX` in length. Fixes CVE-2026-32316. + +(cherry picked from commit e47e56d226519635768e6aab2f38f0ab037c09e5) + +CVE: CVE-2026-32316 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5] +Signed-off-by: Ankur Tyagi +--- + src/jv.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 18dbb54..73387d8 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1091,7 +1091,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) { + const char* end = data + length; + const char* i = data; + +- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ // worst case: all bad bytes, each becomes a 3-byte U+FFFD ++ uint64_t maxlength = (uint64_t)length * 3 + 1; ++ if (maxlength >= INT_MAX) { ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } ++ + jvp_string* s = jvp_string_alloc(maxlength); + char* out = s->data; + int c = 0; +@@ -1151,6 +1156,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) { + static jv jvp_string_append(jv string, const char* data, uint32_t len) { + jvp_string* s = jvp_string_ptr(string); + uint32_t currlen = jvp_string_length(s); ++ if ((uint64_t)currlen + len >= 
INT_MAX) { ++ jv_free(string); ++ return jv_invalid_with_msg(jv_string("String too long")); ++ } + + if (jvp_refcnt_unshared(string.u.ptr) && + jvp_string_remaining_space(s) >= len) { diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index dfc8dda7ee..c3b547383d 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -15,6 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2024-53427.patch \ file://CVE-2025-48060.patch \ file://CVE-2025-9403.patch \ + file://CVE-2026-32316.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
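Review bot: In the `jvp_string_copy_replace_bad` hunk of src/jv.c (patch 1/9), `maxlength` becomes a `uint64_t` but is still passed unchanged to `jvp_string_alloc(maxlength)`, so the narrowing to the allocator's parameter type is implicit. The `>= INT_MAX` guard makes the value safe to narrow, but an explicit cast at the call, for example `jvp_string_alloc((uint32_t)maxlength)`, would show that the narrowing is intended. The hunk also begins to rely on `INT_MAX` without adding an include, so please confirm `<limits.h>` is already in scope in the 1.7.1 copy of jv.c.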
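Review bot: The guard added to `jvp_string_append` in src/jv.c (patch 1/9) rejects at `INT_MAX` rather than at the `uint32_t` limit, and nothing in the code says why. The commit message puts the overflow in `(currlen + len) * 2`, so the bound has to leave room for that doubling; a one-line comment above `if ((uint64_t)currlen + len >= INT_MAX)` stating this would keep a later change from relaxing the limit to `UINT32_MAX` and reopening the bug.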
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 2/9] jq: patch CVE-2026-33947 Date: Mon, 27 Apr 2026 01:03:44 +1200 Message-ID: <20260426130351.793052-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com> References: <20260426130351.793052-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 26 Apr 2026 13:04:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126618 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Signed-off-by: Ankur Tyagi --- .../jq/jq/CVE-2026-33947.patch | 107 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 108 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch new file mode 100644 index 0000000000..bf1a506311 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch 
@@ -0,0 +1,107 @@ +From d6a36423898f756355c270c4acae335318ac357c Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:23:40 +0900 +Subject: [PATCH] Limit path depth to prevent stack overflow + +Deeply nested path arrays can cause unbounded recursion in +`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to +stack overflow. Add a depth limit of 10000 to match the +existing `tojson` depth limit. This fixes CVE-2026-33947. + +(cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f) + +CVE: CVE-2026-33947 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f] +Signed-off-by: Ankur Tyagi +--- + src/jv_aux.c | 21 +++++++++++++++++++++ + tests/jq.test | 25 +++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/jv_aux.c b/src/jv_aux.c +index bbe1c0d..0855053 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) { + return t; + } + ++#ifndef MAX_PATH_DEPTH ++#define MAX_PATH_DEPTH (10000) ++#endif ++ + jv jv_setpath(jv root, jv path, jv value) { + if (jv_get_kind(path) != JV_KIND_ARRAY) { + jv_free(value); +@@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(value); ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)){ + jv_free(value); + jv_free(path); +@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) { + jv_free(path); + return jv_invalid_with_msg(jv_string("Path must be specified as an array")); + } ++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) { ++ jv_free(root); ++ jv_free(path); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + if (!jv_is_valid(root)) { + jv_free(path); + return root; +@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv 
paths) { + jv_free(elem); + return err; + } ++ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) { ++ jv_free(object); ++ jv_free(paths); ++ jv_free(elem); ++ return jv_invalid_with_msg(jv_string("Path too deep")); ++ } + jv_free(elem); + } + if (jv_array_length(jv_copy(paths)) == 0) { +diff --git a/tests/jq.test b/tests/jq.test +index ecb9116..4d57301 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2129,3 +2129,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok" + {"hey":[]} + "ok" + "ok" ++ ++# regression test for CVE-2026-33947 ++setpath([range(10000) | 0]; 0) | flatten ++null ++[0] ++ ++try setpath([range(10001) | 0]; 0) catch . ++null ++"Path too deep" ++ ++getpath([range(10000) | 0]) ++null ++null ++ ++try getpath([range(10001) | 0]) catch . ++null ++"Path too deep" ++ ++delpaths([[range(10000) | 0]]) ++null ++null ++ ++try delpaths([[range(10001) | 0]]) catch . ++null ++"Path too deep" +\ No newline at end of file diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index c3b547383d..7b7910bc72 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -16,6 +16,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2025-48060.patch \ file://CVE-2025-9403.patch \ file://CVE-2026-32316.patch \ + file://CVE-2026-33947.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
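Review bot: `MAX_PATH_DEPTH` in src/jv_aux.c (patch 2/9) is a separate definition of a limit that the commit message says must match the existing `tojson` depth limit, and nothing ties the two values together. Please add a comment beside `#define MAX_PATH_DEPTH (10000)` naming the limit it mirrors, or reuse that constant, so the two cannot drift apart. Since the macro sits under `#ifndef` it can be overridden at build time; for this layer it is worth confirming that 10000 levels of recursion in `jv_setpath`, `jv_getpath` and `jv_delpaths` fit in the stack available on the intended targets, because the limit only helps if the permitted depth itself does not overflow.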
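Review bot: The tests/jq.test hunk (patch 2/9) ends with `\ No newline at end of file`, so the final expected-output line `"Path too deep"` leaves the test file without a trailing newline. This is inherited from the upstream commit, but the next backport that appends a test case will then show a spurious change to that line; a note in the patch header, or restoring the newline, would avoid the confusion.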
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 3/9] jq: patch CVE-2026-33948 Date: Mon, 27 Apr 2026 01:03:45 +1200 Message-ID: <20260426130351.793052-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com> References: <20260426130351.793052-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 26 Apr 2026 13:04:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126619 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33948 Signed-off-by: Ankur Tyagi --- .../jq/jq/CVE-2026-33948.patch | 51 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch new file mode 100644 index 0000000000..a2aabec059 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33948.patch 
@@ -0,0 +1,51 @@ +From 4676c3e5675ba6e8422b021375acbd7c0ba450b0 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 08:46:11 +0900 +Subject: [PATCH] Fix NUL truncation in the JSON parser + +This fixes CVE-2026-33948. + +(cherry picked from commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b) + +CVE: CVE-2026-33948 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b] +Signed-off-by: Ankur Tyagi +--- + src/util.c | 8 +------- + tests/shtest | 6 ++++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/util.c b/src/util.c +index de44fa6..422a8b8 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -311,13 +311,7 @@ static int jq_util_input_read_more(jq_util_input_state *state) { + if (p != NULL) + state->current_line++; + +- if (p == NULL && state->parser != NULL) { +- /* +- * There should be no NULs in JSON texts (but JSON text +- * sequences are another story). +- */ +- state->buf_valid_len = strlen(state->buf); +- } else if (p == NULL && feof(state->current_input)) { ++ if (p == NULL && feof(state->current_input)) { + size_t i; + + /* +diff --git a/tests/shtest b/tests/shtest +index a471889..0397ca0 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -609,4 +609,10 @@ $VALGRIND $Q $JQ . <<\NUM + -10E-1000000001 + NUM + ++# CVE-2026-33948: No NUL truncation in the JSON parser ++if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then ++ printf 'Error expected but jq exited successfully\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 7b7910bc72..975d7d7007 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2025-9403.patch \ file://CVE-2026-32316.patch \ file://CVE-2026-33947.patch \ + file://CVE-2026-33948.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
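Review bot: The regression test added to tests/shtest (patch 3/9) produces the NUL byte with `printf '{}\x00{}'`, and `\x` hex escapes are not among the escapes POSIX requires of `printf`. Under a shell whose `printf` lacks them, the four characters `\x00` are emitted literally, jq fails on ordinary invalid JSON, and the test passes without a NUL ever reaching the parser. The octal form `printf '{}\000{}'` is portable and exercises the intended path. The new invocation also runs `$JQ` without the `$VALGRIND` prefix used by the neighbouring `$VALGRIND $Q $JQ . <<\NUM` case, so memory checking is skipped for the one test that targets a buffer-length bug.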
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 4/9] jq: patch CVE-2026-39979 Date: Mon, 27 Apr 2026 01:03:46 +1200 Message-ID: <20260426130351.793052-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com> References: <20260426130351.793052-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 26 Apr 2026 13:04:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126620 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2026-39979 Ptests passed: root@qemux86:~# ptest-runner jq START: ptest-runner 2026-04-26T11:09 BEGIN: /usr/lib/jq/ptest PASS: optionaltest PASS: mantest PASS: jqtest PASS: onigtest PASS: shtest PASS: utf8test PASS: base64test === Test Summary === TOTAL: 7 PASSED: 7 FAILED: 0 SKIPPED: 0 DURATION: 44 END: /usr/lib/jq/ptest 2026-04-26T11:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi --- .../jq/jq/CVE-2026-39979.patch | 32 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch new file mode 100644 index 0000000000..7ab7e6fcdf --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-39979.patch 
@@ -0,0 +1,32 @@ +From 46fac767d5007849b9a63cae2e74c0fc7afaa093 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 13 Apr 2026 11:04:52 +0900 +Subject: [PATCH] Fix out-of-bounds read in jv_parse_sized() + +This fixes CVE-2026-39979. + +Co-authored-by: Mattias Wadman +(cherry picked from commit 2f09060afab23fe9390cce7cb860b10416e1bf5f) + +CVE: CVE-2026-39979 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f] +Signed-off-by: Ankur Tyagi +--- + src/jv_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/jv_parse.c b/src/jv_parse.c +index 9755b8a..84a847f 100644 +--- a/src/jv_parse.c ++++ b/src/jv_parse.c +@@ -890,8 +890,9 @@ jv jv_parse_sized_custom_flags(const char* string, int length, int flags) { + + if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) { + jv msg = jv_invalid_get_msg(value); +- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')", ++ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')", + jv_string_value(msg), ++ length, + string)); + jv_free(msg); + } diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 975d7d7007..24f49bcb13 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -18,6 +18,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-32316.patch \ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ + file://CVE-2026-39979.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
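Review bot: In the src/jv_parse.c hunk (patch 4/9), `length` is a signed `int` parameter of `jv_parse_sized_custom_flags` and is now used directly as the `%.*s` precision; under printf semantics a negative precision is treated as if it were omitted, which would restore the unbounded read of `string`. If `jv_string_fmt` follows those semantics, `length < 0` should be rejected before this point or clamped when formatting the message. The diffstat shows only src/jv_parse.c changing, so unlike patches 2/9 and 3/9 this fix arrives without a regression test; one that parses an invalid buffer which is not NUL-terminated would cover it.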
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 5/9] openjpeg: patch CVE-2026-6192
Date: Mon, 27 Apr 2026 01:03:47 +1200
Message-ID: <20260426130351.793052-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
References: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126621

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6192

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 09050325e6e0736beccc40d125e56430054b7cb8)
Signed-off-by: Ankur Tyagi
---
 .../openjpeg/openjpeg/CVE-2026-6192.patch | 35 +++++++++++++++++++
 .../openjpeg/openjpeg_2.5.4.bb | 1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch new file mode 100644 index 0000000000..49be9bd0a6 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch
@@ -0,0 +1,35 @@ +From 776b00ff792a3c54b65f3bd92dbe7476a5a54106 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Apr 2026 13:25:27 +0200 +Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential + integer overflow leading to insufficient memory allocation + +Fixes #1619 + +CVE: CVE-2026-6192 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951] +Signed-off-by: Gyorgy Sarvari +--- + src/lib/openjp2/pi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 15ac3314..4abb87af 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + l_current_pi = l_pi; + + /* memory allocation for include*/ +- l_current_pi->include_size = l_tcp->numlayers * l_step_l; +- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, +- sizeof(OPJ_INT16)); ++ l_current_pi->include = NULL; ++ if (l_step_l <= UINT_MAX / l_tcp->numlayers) { ++ l_current_pi->include_size = l_tcp->numlayers * l_step_l; ++ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, ++ sizeof(OPJ_INT16)); ++ } + if (!l_current_pi->include) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb index d559cc9f7a..6dd3dd7542 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb 
@@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ file://CVE-2023-39327.patch \ + file://CVE-2026-6192.patch \ " SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f" S = "${WORKDIR}/git"
From patchwork Sun Apr 26 13:03:48 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86958
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
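Review bot: in the pi.c hunk of CVE-2026-6192.patch (PATCH 5/9), the new guard `l_step_l <= UINT_MAX / l_tcp->numlayers` divides by `l_tcp->numlayers`, and nothing in the visible context shows that the layer count is already known to be non-zero when opj_pi_initialise_encode() reaches this line. Please confirm it is validated earlier on the write path, or test `l_tcp->numlayers != 0` first. The hunk also uses UINT_MAX without adding an include, so it relies on pi.c already pulling in <limits.h> at the SRCREV pinned by openjpeg_2.5.4.bb; a build of the scarthgap recipe with the patch applied would settle that. When the guard fails, `include` stays NULL and the existing `if (!l_current_pi->include)` cleanup runs, so an overflow is reported the same way as an allocation failure and `include_size` keeps its previous value.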
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 6/9] opensc: patch CVE-2025-49010
Date: Mon, 27 Apr 2026 01:03:48 +1200
Message-ID: <20260426130351.793052-6-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
References: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126622

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49010

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010

Signed-off-by: Ankur Tyagi
---
 .../opensc/files/CVE-2025-49010.patch | 72 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.25.1.bb | 1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-49010.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-49010.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-49010.patch new file mode 100644 index 0000000000..a0ac9fdad9 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-49010.patch
@@ -0,0 +1,72 @@ +From fd4c54b4571b2e1593a8331906b5f0ca2aa39283 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Thu, 22 May 2025 00:24:32 +0200 +Subject: [PATCH] fixed Stack-buffer-overflow WRITE in GET RESPONSE + +The do-while loop in apdu.c requires the output data to be set in any +case, otherwise non existent data may be copied to the output data. + +fixes https://issues.oss-fuzz.com/issues/416351800 +fixes https://issues.oss-fuzz.com/issues/416295951 + +(cherry picked from commit 953986f65db61871bbbff72788d861d67d5140c6) +CVE: CVE-2025-49010 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/953986f65db61871bbbff72788d861d67d5140c6] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/card-nqApplet.c | 11 ++++++----- + src/libopensc/iso7816.c | 5 +++-- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/libopensc/card-nqApplet.c b/src/libopensc/card-nqApplet.c +index f9075b948..90706f4b1 100644 +--- a/src/libopensc/card-nqApplet.c ++++ b/src/libopensc/card-nqApplet.c +@@ -190,9 +190,10 @@ static int nqapplet_finish(struct sc_card *card) + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + } + +-static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp) ++static int ++nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp) + { +- struct sc_apdu apdu; ++ struct sc_apdu apdu = {0}; + int rv; + size_t resplen; + +@@ -204,12 +205,12 @@ static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp + + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); +- if (apdu.resplen == 0) { +- LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2)); +- } + + *cb_resp = apdu.resplen; + ++ if (apdu.resplen == 0) { ++ LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2)); ++ } + if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) { + rv = SC_SUCCESS; + } else if (apdu.sw1 == 0x61) { +diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c 
+index 2fea84078..dc2f03c00 100644 +--- a/src/libopensc/iso7816.c ++++ b/src/libopensc/iso7816.c +@@ -920,11 +920,12 @@ iso7816_get_response(struct sc_card *card, size_t *count, u8 *buf) + + r = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, r, "APDU transmit failed"); +- if (apdu.resplen == 0) +- LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2)); + + *count = apdu.resplen; + ++ if (apdu.resplen == 0) { ++ LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2)); ++ } + if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) + r = 0; /* no more data to read */ + else if (apdu.sw1 == 0x61) diff --git a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb index e41c457fa8..bcdf5900ea 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=stable-0.25;protocol=https \ file://0001-PR-Fixes-for-uninitialized-memory-issues.patch \ file://CVE-2024-8443-0001.patch \ file://CVE-2024-8443-0002.patch \ + file://CVE-2025-49010.patch \ " DEPENDS = "virtual/libiconv openssl"
From patchwork Sun Apr 26 13:03:49 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86959
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
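Review bot: in the iso7816.c hunk of CVE-2025-49010.patch (PATCH 6/9), `*count = apdu.resplen;` now runs before the `apdu.resplen == 0` early return, but `LOG_TEST_RET(card->ctx, r, "APDU transmit failed");` still sits above the assignment, so on a transmit error the length is returned untouched. The same ordering appears in nqapplet_get_response() with `*cb_resp`. The commit message says the do-while loop in apdu.c needs the output data set "in any case"; it is worth confirming that the caller never reads the length after a negative return, or saying in the patch header that only the zero-length response path is covered.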
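Review bot: the card-nqApplet.c hunk of CVE-2025-49010.patch zero-initialises the APDU (`struct sc_apdu apdu = {0};`), while the iso7816.c hunk does not touch the declaration of `apdu`, so the two get_response functions end up relying on different initialisation; please check that iso7816_get_response() fully populates the structure before `sc_transmit_apdu()`. The same hunk also reflows the nqapplet_get_response() signature onto two lines, a cosmetic change that rides along with the fix. That matches the upstream commit named in Upstream-Status, so it should stay, but it is the part most likely to conflict on a later rebase of stable-0.25.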
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 7/9] opensc: patch CVE-2025-66037
Date: Mon, 27 Apr 2026 01:03:49 +1200
Message-ID: <20260426130351.793052-7-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
References: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126623

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037

Signed-off-by: Ankur Tyagi
---
 .../opensc/files/CVE-2025-66037.patch | 35 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.25.1.bb | 1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66037.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66037.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66037.patch new file mode 100644 index 0000000000..91ffe53373 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66037.patch
@@ -0,0 +1,35 @@ +From b1a6f86298af7dfbaa1110b86662a9d1393a7678 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 25 Nov 2025 15:58:02 +0100 +Subject: [PATCH] pkcs15: Avoid buffer overrun on invalid data + +Invalid data can contain zero-length buffer, which after copying +was dereferenced without length check + +Credit: Aldo Ristori + +Signed-off-by: Jakub Jelen +(cherry picked from commit 65fc211015cfcac27b10d0876054156c97225f50) + +CVE: CVE-2025-66037 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/65fc211015cfcac27b10d0876054156c97225f50] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/pkcs15-pubkey.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c +index a759efa45..48fb08cac 100644 +--- a/src/libopensc/pkcs15-pubkey.c ++++ b/src/libopensc/pkcs15-pubkey.c +@@ -1328,6 +1328,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke + "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s", + buf, buflen, sc_dump_hex(buf, buflen)); + ++ if (buflen < 1) { ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty"); ++ } ++ + tmp_buf = malloc(buflen); + if (!tmp_buf) { + r = SC_ERROR_OUT_OF_MEMORY; diff --git a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb index bcdf5900ea..999ae34b12 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb 
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=stable-0.25;protocol=https \ file://CVE-2024-8443-0001.patch \ file://CVE-2024-8443-0002.patch \ file://CVE-2025-49010.patch \ + file://CVE-2025-66037.patch \ " DEPENDS = "virtual/libiconv openssl"
From patchwork Sun Apr 26 13:03:50 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86962
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
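Review bot: in the pkcs15-pubkey.c hunk of CVE-2025-66037.patch (PATCH 7/9), the new `buflen < 1` guard is placed after the debug log call whose arguments already evaluate `sc_dump_hex(buf, buflen)`, so the empty input is still handed to the hex dumper before it is rejected; moving the check above that log would make the rejection the first thing sc_pkcs15_pubkey_from_spki_fields() does with the buffer. The early return through LOG_TEST_RET also bypasses the `r = SC_ERROR_OUT_OF_MEMORY;` style error path used just below, which is safe only because nothing has been allocated yet, so the guard has to stay ahead of `tmp_buf = malloc(buflen)` on any rebase. The check covers the length only; a NULL `buf` with a non-zero `buflen` is not addressed by this hunk.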
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 8/9] opensc: patch CVE-2025-66038
Date: Mon, 27 Apr 2026 01:03:50 +1200
Message-ID: <20260426130351.793052-8-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
References: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126624

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66038

Backport the patch referenced by the wiki[1] mentioned in the nvd.

[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66038

Signed-off-by: Ankur Tyagi
---
 .../opensc/files/CVE-2025-66038.patch | 41 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.25.1.bb | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66038.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66038.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66038.patch new file mode 100644 index 0000000000..e5a27deae5 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66038.patch
@@ -0,0 +1,41 @@ +From 2f5582340ac3fd2062d0f6561a13aa9b269062dd Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 18 Nov 2025 14:13:59 +0100 +Subject: [PATCH] compacttlv: Fix possible buffer overrun + +Fixes: GHSA-72x5-fwjx-2459 + +Signed-off-by: Jakub Jelen +(cherry picked from commit a20b91adc2fc66785c0df98abc8ef456c0eaab9d) + +CVE: CVE-2025-66038 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a20b91adc2fc66785c0df98abc8ef456c0eaab9d] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/sc.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/libopensc/sc.c b/src/libopensc/sc.c +index 7c9e0d25e..eb88b9abe 100644 +--- a/src/libopensc/sc.c ++++ b/src/libopensc/sc.c +@@ -1082,13 +1082,15 @@ const u8 *sc_compacttlv_find_tag(const u8 *buf, size_t len, u8 tag, size_t *outl + size_t expected_len = tag & 0x0F; + + for (idx = 0; idx < len; idx++) { +- if ((buf[idx] & 0xF0) == plain_tag && idx + expected_len < len && +- (expected_len == 0 || expected_len == (buf[idx] & 0x0F))) { ++ u8 ctag = buf[idx] & 0xF0; ++ size_t ctag_len = buf[idx] & 0x0F; ++ if (ctag == plain_tag && idx + ctag_len < len && ++ (expected_len == 0 || expected_len == ctag_len)) { + if (outlen != NULL) +- *outlen = buf[idx] & 0x0F; ++ *outlen = ctag_len; + return buf + (idx + 1); + } +- idx += (buf[idx] & 0x0F); ++ idx += ctag_len; + } + } + return NULL; diff --git a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb index 999ae34b12..6772fe02f7 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb 
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=stable-0.25;protocol=https \ file://CVE-2024-8443-0002.patch \ file://CVE-2025-49010.patch \ file://CVE-2025-66037.patch \ + file://CVE-2025-66038.patch \ " DEPENDS = "virtual/libiconv openssl"
From patchwork Sun Apr 26 13:03:51 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 86963
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
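Review bot: the patch header for the sc.c hunk of CVE-2025-66038.patch (PATCH 8/9) says only "Fix possible buffer overrun", which hides what actually changed in sc_compacttlv_find_tag(): the bounds test moved from `idx + expected_len < len` to `idx + ctag_len < len`, that is, from the length nibble the caller asked for to the one stored in the element. When the requested tag has a zero low nibble, the old test reduced to `idx < len`, so `*outlen` could be set to as much as 15 for an element sitting at the very end of the buffer. A sentence to that effect in the header, plus a test with a truncated final element, would make the backport easier to verify against stable-0.25. Callers that pass `outlen == NULL` still receive a pointer with no length, which this hunk does not change.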
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 9/9] opensc: patch CVE-2025-66215
Date: Mon, 27 Apr 2026 01:03:51 +1200
Message-ID: <20260426130351.793052-9-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
References: <20260426130351.793052-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126625

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66215

Backport the patches referenced by the PR[1] mentioned in the nvd.
Dropped the formatting commit from the backport.

[1] https://github.com/OpenSC/OpenSC/pull/3436

Signed-off-by: Ankur Tyagi
---
 .../opensc/files/CVE-2025-66215-1.patch | 29 +++++++++
 .../opensc/files/CVE-2025-66215-2.patch | 37 +++++++++++
 .../opensc/files/CVE-2025-66215-3.patch | 45 ++++++++++++++
 .../opensc/files/CVE-2025-66215-4.patch | 62 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.25.1.bb | 4 ++
 5 files changed, 177 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66215-1.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66215-2.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66215-3.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2025-66215-4.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66215-1.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-1.patch new file mode 100644 index 0000000000..ac2926b5e6 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-1.patch
@@ -0,0 +1,29 @@ +From 74a72d3a82d1f49d55ef822ededec74738a30ec4 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Wed, 4 Jun 2025 00:52:13 +0200 +Subject: [PATCH] fixed Stack-buffer-overflow WRITE + +fixes https://issues.oss-fuzz.com/issues/421520684 + +(cherry picked from commit eab4d17866bb457dd86d067b304294e9f6671d52) + +CVE: CVE-2025-66215 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/eab4d17866bb457dd86d067b304294e9f6671d52] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/card-oberthur.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c +index d5445f01a..a8aba7992 100644 +--- a/src/libopensc/card-oberthur.c ++++ b/src/libopensc/card-oberthur.c +@@ -1135,7 +1135,7 @@ auth_compute_signature(struct sc_card *card, const unsigned char *in, size_t ile + apdu.lc = ilen; + apdu.le = olen > 256 ? 256 : olen; + apdu.resp = resp; +- apdu.resplen = olen; ++ apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66215-2.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-2.patch new file mode 100644 index 0000000000..316ac974b2 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-2.patch 
@@ -0,0 +1,37 @@ +From 5f8c904577cce1a6e21f793ba4aab1c473ff4136 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Wed, 4 Jun 2025 01:07:56 +0200 +Subject: [PATCH] oberthur: fixed potential Stack-buffer-overflow WRITE + +(cherry picked from commit 3402a90d8c9be223d4cf6abe009a4707117d7972) + +CVE: CVE-2025-66215 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/3402a90d8c9be223d4cf6abe009a4707117d7972] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/card-oberthur.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c +index a8aba7992..216640ebd 100644 +--- a/src/libopensc/card-oberthur.c ++++ b/src/libopensc/card-oberthur.c +@@ -2246,14 +2246,16 @@ auth_read_record(struct sc_card *card, unsigned int nr_rec, unsigned int idx, + if (flags & SC_RECORD_BY_REC_NR) + apdu.p2 |= 0x04; + +- apdu.le = count; +- apdu.resplen = count; ++ apdu.le = count > SC_MAX_APDU_BUFFER_SIZE ? SC_MAX_APDU_BUFFER_SIZE : count; ++ apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + apdu.resp = recvbuf; + + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); + if (apdu.resplen == 0) + LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2)); ++ if (count < apdu.resplen) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_WRONG_LENGTH); + memcpy(buf, recvbuf, apdu.resplen); + + rv = sc_check_sw(card, apdu.sw1, apdu.sw2); diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66215-3.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-3.patch new file mode 100644 index 0000000000..5857abe07f --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-3.patch 
@@ -0,0 +1,45 @@ +From 4db6d034c9566e903e4c1094beccaf05efc4e7e5 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Thu, 5 Jun 2025 13:18:15 +0200 +Subject: [PATCH] oberthur: use MIN where possible + +(cherry picked from commit a4bbf8a631537a4c0083b264095ed1cd36d307ab) + +CVE: CVE-2025-66215 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a4bbf8a631537a4c0083b264095ed1cd36d307ab] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/card-oberthur.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c +index 216640ebd..3e7a7b6b9 100644 +--- a/src/libopensc/card-oberthur.c ++++ b/src/libopensc/card-oberthur.c +@@ -606,7 +606,7 @@ auth_list_files(struct sc_card *card, unsigned char *buf, size_t buflen) + if (apdu.resplen == 0x100 && rbuf[0]==0 && rbuf[1]==0) + LOG_FUNC_RETURN(card->ctx, 0); + +- buflen = buflen < apdu.resplen ? buflen : apdu.resplen; ++ buflen = MIN(buflen, apdu.resplen); + memcpy(buf, rbuf, buflen); + + LOG_FUNC_RETURN(card->ctx, (int)buflen); +@@ -1133,7 +1133,7 @@ auth_compute_signature(struct sc_card *card, const unsigned char *in, size_t ile + apdu.datalen = ilen; + apdu.data = in; + apdu.lc = ilen; +- apdu.le = olen > 256 ? 256 : olen; ++ apdu.le = MIN(olen, 256); + apdu.resp = resp; + apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + +@@ -2246,7 +2246,7 @@ auth_read_record(struct sc_card *card, unsigned int nr_rec, unsigned int idx, + if (flags & SC_RECORD_BY_REC_NR) + apdu.p2 |= 0x04; + +- apdu.le = count > SC_MAX_APDU_BUFFER_SIZE ? SC_MAX_APDU_BUFFER_SIZE : count; ++ apdu.le = MIN(count, SC_MAX_APDU_BUFFER_SIZE); + apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + apdu.resp = recvbuf; + diff --git a/meta-oe/recipes-support/opensc/files/CVE-2025-66215-4.patch b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-4.patch new file mode 100644 index 0000000000..80816aa57b --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2025-66215-4.patch 
@@ -0,0 +1,62 @@ +From 665871f38aee0d52eba923783d4606becc7628d0 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Thu, 5 Jun 2025 14:04:35 +0200 +Subject: [PATCH] oberthur: use SC_MAX_APDU_RESP_SIZE where possible + +(cherry picked from commit 56bc5e9575965461d99a274be45d71c18ab6eae0) + +CVE: CVE-2025-66215 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/56bc5e9575965461d99a274be45d71c18ab6eae0] +Signed-off-by: Ankur Tyagi +--- + src/libopensc/card-oberthur.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c +index 3e7a7b6b9..159b84aed 100644 +--- a/src/libopensc/card-oberthur.c ++++ b/src/libopensc/card-oberthur.c +@@ -1133,7 +1133,7 @@ auth_compute_signature(struct sc_card *card, const unsigned char *in, size_t ile + apdu.datalen = ilen; + apdu.data = in; + apdu.lc = ilen; +- apdu.le = MIN(olen, 256); ++ apdu.le = MIN(olen, SC_MAX_APDU_RESP_SIZE); + apdu.resp = resp; + apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + +@@ -1180,14 +1180,14 @@ auth_decipher(struct sc_card *card, const unsigned char *in, size_t inlen, + } + + _inlen = inlen; +- if (_inlen == 256) { ++ if (_inlen == SC_MAX_APDU_RESP_SIZE) { + apdu.cla |= 0x10; + apdu.data = in; + apdu.datalen = 8; + apdu.resp = resp; + apdu.resplen = SC_MAX_APDU_BUFFER_SIZE; + apdu.lc = 8; +- apdu.le = 256; ++ apdu.le = SC_MAX_APDU_RESP_SIZE; + + rv = sc_transmit_apdu(card, &apdu); + sc_log(card->ctx, "rv %i", rv); +@@ -1504,7 +1504,7 @@ auth_read_component(struct sc_card *card, enum SC_CARDCTL_OBERTHUR_KEY_TYPE type + { + struct sc_apdu apdu; + int rv; +- unsigned char resp[256]; ++ unsigned char resp[SC_MAX_APDU_RESP_SIZE]; + + LOG_FUNC_CALLED(card->ctx); + sc_log(card->ctx, "num %i, outlen %"SC_FORMAT_LEN_SIZE_T"u, type %i", +@@ -2160,7 +2160,7 @@ auth_read_binary(struct sc_card *card, unsigned int offset, + if (auth_current_ef->magic==SC_FILE_MAGIC && + auth_current_ef->ef_structure == 
SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) { + int jj; +- unsigned char resp[256]; ++ unsigned char resp[SC_MAX_APDU_RESP_SIZE]; + size_t resp_len, out_len; + struct sc_pkcs15_pubkey_rsa key; + diff --git a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb index 6772fe02f7..5f4382642c 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb @@ -20,6 +20,10 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=stable-0.25;protocol=https \ file://CVE-2025-49010.patch \ file://CVE-2025-66037.patch \ file://CVE-2025-66038.patch \ + file://CVE-2025-66215-1.patch \ + file://CVE-2025-66215-2.patch \ + file://CVE-2025-66215-3.patch \ + file://CVE-2025-66215-4.patch \ " DEPENDS = "virtual/libiconv openssl"
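Review bot: in the CVE-2025-66215-1.patch hunk for auth_compute_signature, `apdu.resplen` is no longer limited to `olen`, and the hunk does not show the later copy from `resp` into the caller's output buffer. Please confirm the 0.25.1 tree rejects `apdu.resplen > olen` before that copy, in the way CVE-2025-66215-2.patch adds `if (count < apdu.resplen)` to auth_read_record. The declaration of `resp` is also outside the context, so if it is a local array, `apdu.resplen = sizeof(resp)` would tie the limit to the buffer rather than to a constant chosen separately.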
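Review bot: in the CVE-2025-66215-2.patch hunk for auth_read_record, a response longer than `count` now returns SC_ERROR_WRONG_LENGTH, where the old `apdu.resplen = count` passed the caller's length down as the response limit. That is a caller-visible behaviour change and the commit message does not mention it. The new check also sits before `sc_check_sw(card, apdu.sw1, apdu.sw2)`, so an oversized response hides the card's own status word. If that ordering is intended, a short comment above the check would help.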
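Review bot: in the CVE-2025-66215-3.patch hunk for auth_list_files, `buflen = MIN(buflen, apdu.resplen)` keeps silently truncating a response that does not fit the caller's buffer, while auth_read_record, after CVE-2025-66215-2.patch, returns SC_ERROR_WRONG_LENGTH in the same situation. Either document that a truncated listing is acceptable here or handle both functions the same way.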
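Review bot: in the CVE-2025-66215-3.patch hunk for auth_read_record, `apdu.le = MIN(count, SC_MAX_APDU_BUFFER_SIZE)` caps Le at the buffer-size constant, whereas auth_compute_signature caps Le at 256, which CVE-2025-66215-4.patch renames to SC_MAX_APDU_RESP_SIZE. Patch 4 leaves this line untouched. If the two constants differ, Le here should use SC_MAX_APDU_RESP_SIZE as well, leaving SC_MAX_APDU_BUFFER_SIZE only for `resplen`.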
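Review bot: in the CVE-2025-66215-4.patch hunk for auth_decipher, `if (_inlen == SC_MAX_APDU_RESP_SIZE)` compares an input length (`_inlen = inlen`) against a response-size constant. The literal 256 in that condition selects the chained command (`apdu.cla |= 0x10`) based on the size of the data being sent, so the rename is misleading there. Keeping the literal with a comment, or using a constant named for the input size, would read correctly. The `apdu.le = SC_MAX_APDU_RESP_SIZE` change in the same hunk is fine.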
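Review bot: in the CVE-2025-66215-4.patch hunks for auth_read_component and auth_read_binary, the `resp` arrays are sized SC_MAX_APDU_RESP_SIZE, while the `resp` buffers visible in auth_compute_signature and auth_decipher are given `apdu.resplen = SC_MAX_APDU_BUFFER_SIZE`. Neither hunk shows the `resplen` assignment that goes with these two arrays. If any site pairs a SC_MAX_APDU_RESP_SIZE array with a SC_MAX_APDU_BUFFER_SIZE limit and the latter is larger, that is the same stack write this series is fixing. Please check those sites, or use `sizeof(resp)` for the limit.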