From patchwork Tue Jun 23 13:13:42 2026
X-Patchwork-Submitter: Yoann Congal
X-Patchwork-Id: 90712
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/26] pseudo: Update to version 1.9.8
Date: Tue, 23 Jun 2026 15:13:42 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239367

From: Mark Hatle

Changelog:
Makefile.in: Bump to 1.9.8
pseudo_client.h: Fix typo in the comment
client: permissions drop setuid and setgid
tests: Add setuid permission check
pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir
tests: Add test that returned stat is correct
pseudo_client.h: Make it clear both macros must be updated together
Makefile.in: Add pseudo_client.h as a dependency

Signed-off-by: Mark Hatle
Signed-off-by: Richard Purdie
(cherry picked from commit fa302de94c7da77a49ca0701580467ebaa8eda18)
Signed-off-by: Yoann Congal
--- meta/recipes-devtools/pseudo/pseudo_git.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 1ca1ebd6bf2..3d7dd62448f 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,9 +12,9 @@ SRC_URI:append:class-nativesdk = " \ file://older-glibc-symbols.patch" SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa" -SRCREV = "5b7c4b59e7e198aab54b35ea194aeb6d99794f96" +SRCREV = "823895ba708c63f6ae4dcbfc266210f26c02c698" S = "${WORKDIR}/git" -PV = "1.9.7" +PV = "1.9.8" # largefile and 64bit time_t support adds these macros via compiler flags globally # remove them for pseudo since pseudo intercepts some of the functions which will be
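
Review bot: the SRCREV change to 823895ba708c63f6ae4dcbfc266210f26c02c698 brings in behaviour changes, not only the PV bump to 1.9.8: the changelog lists "client: permissions drop setuid and setgid" and "pseudo_client.h: Add +s to PSEUDO_DB_MODE for mkdir", both of which change how setuid and setgid bits are handled under pseudo. For a stable-branch update the commit message should say which problem on scarthgap motivates it, and whether recipes that install setuid or setgid files were rebuilt and their resulting modes checked against the new behaviour.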

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/26] openssh: fix CVE-2026-35386
Date: Tue, 23 Jun 2026 15:13:43 +0200
Message-ID: <36ee08f01311253bca4c4f8387446d35a55cc840.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239368

From: Adarsh Jagadish Kamini

CVE-2026-35386 is already fixed by the existing CVE-2025-61984 backport.
Rename CVE-2025-61984.patch to CVE-2025-61984_CVE-2026-35386.patch and add
the second CVE tag to document that one patch covers both CVEs.

https://nvd.nist.gov/vuln/detail/CVE-2026-35386

Signed-off-by: Adarsh Jagadish Kamini
Signed-off-by: Yoann Congal
--- ...CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} | 2 +- meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-connectivity/openssh/openssh/{CVE-2025-61984.patch => CVE-2025-61984_CVE-2026-35386.patch} (99%) diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch similarity index 99% rename from meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch rename to meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch index f705410b240..7fcb02d613e 100644 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984_CVE-2026-35386.patch
@@ -32,7 +32,7 @@ Slightly modified since variable expansion of user names was first released in 10.0, commit bd30cf784d6e8" Upstream-Status: Backport [Upstream commit https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043] -CVE: CVE-2025-61984 +CVE: CVE-2025-61984 CVE-2026-35386 Signed-off-by: David Nyström --- ssh.c | 26 +++++++++++++++++++++++--- diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index a1b5d4a5535..ea158b56b41 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
@@ -33,7 +33,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-26465.patch \ file://CVE-2025-32728.patch \ file://CVE-2025-61985.patch \ - file://CVE-2025-61984.patch \ + file://CVE-2025-61984_CVE-2026-35386.patch \ file://CVE-2026-35385.patch \ file://CVE-2026-35387.patch \ file://CVE-2026-35388.patch \
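
Review bot: in the patch-header hunk the "CVE:" line now claims CVE-2026-35386, but the Upstream-Status line still cites only upstream commit 35d5917652106aede47621bb3f64044604164043 and the commit message supports the claim with the NVD page alone. Add a sentence to the patch header or the commit message naming the upstream commit or advisory that ties CVE-2026-35386 to this change, so the double tag can be verified without re-deriving it. The SRC_URI entry in openssh_9.6p1.bb matches the renamed file, so nothing else is needed there.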

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/26] tiff: fix CVE-2026-4775
Date: Tue, 23 Jun 2026 15:13:44 +0200
Message-ID: <5a9bd4598fb446330c991fb51eaed372d96f39ff.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239369

From: Naman Jain

Fix CVE-2026-4775

Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c

Signed-off-by: Naman Jain
Signed-off-by: Yoann Congal
--- .../libtiff/tiff/CVE-2026-4775.patch | 59 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch new file mode 100644 index 00000000000..ed5f0714a61 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
@@ -0,0 +1,59 @@ +From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 22 Feb 2026 23:32:47 +0100 +Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap + overflow on images with huge width in YCbCr tile decoding functions + +Fixes https://gitlab.com/libtiff/libtiff/-/issues/787 + +CVE: CVE-2026-4775 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c] + +Signed-off-by: Naman Jain +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4543dddae..fa82d0910 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + uint32_t *cp1 = cp + w + toskew; + uint32_t *cp2 = cp1 + w + toskew; + uint32_t *cp3 = cp2 + w + toskew; +- int32_t incr = 3 * w + 4 * toskew; ++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew; + + (void)y; + /* adjust fromskew */ +@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + { + uint32_t *cp1 = cp + w + toskew; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + + (void)y; + fromskew = (fromskew / 4) * (4 * 2 + 2); +@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 2) * (2 * 2 + 2); + cp2 = cp + w + toskew; +@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 1) * (1 * 2 + 2); + cp2 = cp + w + toskew; +-- 
+GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 07540692fcf..fca846589fd 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb 
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-52356.patch \ file://CVE-2024-7006.patch \ file://CVE-2025-9900.patch \ + file://CVE-2026-4775.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
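
Review bot: the widening in tif_getimage.c is applied unevenly: putcontig8bitYCbCr44tile casts both operands ("3 * (tmsize_t)w + 4 * (tmsize_t)toskew"), while the 42, 22 and 12 tile functions cast only toskew ("2 * (tmsize_t)toskew + w") and rely on the implicit conversion of w in the addition. That is equivalent where tmsize_t is 64 bits, but tmsize_t is libtiff's signed size type, so on 32-bit targets it is no wider than the int32_t it replaces and incr can still wrap for a huge width. OE-core also builds tiff for 32-bit machines, so the patch header should say whether another bound on w covers that case or that the fix is effective on 64-bit builds only. The hunks follow the upstream commit cited in Upstream-Status, so any code change belongs upstream first.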

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/26] go: fix CVE-2025-58183
Date: Tue, 23 Jun 2026 15:13:45 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239370

From: Sudhir Dumbhare

This patch applies the upstream fix [1], as referenced in [2], to address
unbounded memory consumption when reading GNU tar pax 1.0 sparse file
regions in archive/tar.

[1] https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
[2] https://security-tracker.debian.org/tracker/CVE-2025-58183

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-58183

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-58183.patch | 107 ++++++++++++++++++ 2 files changed, 108 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58183.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 7016acd0616..f6feb1d0b5f 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -58,6 +58,7 @@ SRC_URI += "\ file://CVE-2026-42501.patch \ file://CVE-2026-42504.patch \ file://CVE-2026-42507.patch \ + file://CVE-2025-58183.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-58183.patch b/meta/recipes-devtools/go/go/CVE-2025-58183.patch new file mode 100644 index 00000000000..51a4f02ddcd --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-58183.patch
@@ -0,0 +1,107 @@ +From c25bf45db0b232e8ad9d2bc53e61678ebc5efe90 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 11 Sep 2025 13:32:10 -0700 +Subject: [PATCH] [release-branch.go1.24] archive/tar: set a limit on the + size of GNU sparse file 1.0 regions + +Sparse files in tar archives contain only the non-zero components +of the file. There are several different encodings for sparse +files. When reading GNU tar pax 1.0 sparse files, archive/tar did +not set a limit on the size of the sparse region data. A malicious +archive containing a large number of sparse blocks could cause +archive/tar to read an unbounded amount of data from the archive +into memory. + +Since a malicious input can be highly compressable, a small +compressed input could cause very large allocations. + +Cap the size of the sparse block data to the same limit used +for PAX headers (1 MiB). + +Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/) +for reporting this issue. + +Fixes CVE-2025-58183 +For #75677 +Fixes #75710 + +CVE: CVE-2025-58183 +Upstream-Status: Backport [https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556] + +Backport Changes: +- The upstream fix includes a testdata tarball as a git binary diff. + However, quilt cannot apply git binary diffs and fails with the error: + "File src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2: + git binary diffs are not supported." +- As a result, the unnecessary bzip2 test file + src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2 + has been removed. +- Furthermore, in src/archive/tar/reader_test.go, within the TestReader() + function, the test vector entry for testdata/gnu-sparse-many-zeros.tar.bz2 + has been removed. 
+ +Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2967 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709843 +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +(cherry picked from commit 613e746327381d820759ebea6ce722720b343556) +Signed-off-by: Sudhir Dumbhare +--- + src/archive/tar/common.go | 1 + + src/archive/tar/reader.go | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go +index 4910908f81e..ec1b8668547 100644 +--- a/src/archive/tar/common.go ++++ b/src/archive/tar/common.go +@@ -38,6 +38,7 @@ var ( + errMissData = errors.New("archive/tar: sparse file references non-existent data") + errUnrefData = errors.New("archive/tar: sparse file contains unreferenced data") + errWriteHole = errors.New("archive/tar: write non-NUL byte in sparse hole") ++ errSparseTooLong = errors.New("archive/tar: sparse map too long") + ) + + type headerError []string +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 0811779adda..71d0b20b76d 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + cntNewline int64 + buf bytes.Buffer + blk block ++ totalSize int + ) + + // feedTokens copies data in blocks from r into buf until there are + // at least cnt newlines in buf. It will not read more blocks than needed. 
+ feedTokens := func(n int64) error { + for cntNewline < n { ++ totalSize += len(blk) ++ if totalSize > maxSpecialFileSize { ++ return errSparseTooLong ++ } + if _, err := mustReadFull(r, blk[:]); err != nil { + return err + } +@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + } + + // Parse for all member entries. +- // numEntries is trusted after this since a potential attacker must have +- // committed resources proportional to what this library used. ++ // numEntries is trusted after this since feedTokens limits the number of ++ // tokens based on maxSpecialFileSize. + if err := feedTokens(2 * numEntries); err != nil { + return nil, err + } +-- +2.35.6 +
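
Review bot: with gnu-sparse-many-zeros.tar.bz2 and its TestReader vector dropped, nothing in this tree exercises the new errSparseTooLong return in feedTokens of readGNUSparseMap1x0. The reason given under "Backport Changes" (quilt cannot apply git binary diffs) is clear, but the limit is the whole fix, so consider a test that builds the oversized sparse map in memory instead of from a binary fixture, or state in the patch header that the check is untested here. The inner patch is also taken from release-branch.go1.24 and applied to Go 1.22.12, and the new check depends on maxSpecialFileSize, which this patch does not define; a line confirming that it is present in the 1.22.12 sources would close that question.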

From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/26] go: fix CVE-2026-25679
Date: Tue, 23 Jun 2026 15:13:46 +0200
Message-ID: <913b9dc19ea14edbbaf4b7a677507949e454e685.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239371

From: Sudhir Dumbhare

This patch applies the upstream fix [1], as referenced in [2], to address
insufficient validation in `url.Parse`.

Debian marks older Go branches as not affected because the vulnerable
parseHost surface was introduced by the earlier CVE-2025-47912 fix. This
Scarthgap recipe already carries CVE-2025-47912.patch, so the fix is
applicable to the patched Go 1.22.12 source used here.

[1] https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803
[2] https://security-tracker.debian.org/tracker/CVE-2026-25679

Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25679

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-25679.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-25679.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f6feb1d0b5f..7d4274b4eb4 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -59,6 +59,7 @@ SRC_URI += "\ file://CVE-2026-42504.patch \ file://CVE-2026-42507.patch \ file://CVE-2025-58183.patch \ + file://CVE-2026-25679.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-25679.patch b/meta/recipes-devtools/go/go/CVE-2026-25679.patch new file mode 100644 index 00000000000..13800564f00 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-25679.patch 
@@ -0,0 +1,74 @@ +From c8f96fce4d34123a920558a1a3f5c0ddf2bf678e Mon Sep 17 00:00:00 2001 +From: Ian Alexander +Date: Wed, 28 Jan 2026 15:29:52 -0500 +Subject: [PATCH] [release-branch.go1.25] net/url: reject IPv6 literal not + at start of host + +This change rejects IPv6 literals that do not appear at the start of the +host subcomponent of a URL. + +For example: + http://example.com[::1] -> rejects + http://[::1] -> accepts + +Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. + +Updates #77578 +Fixes #77969 +Fixes CVE-2026-25679 + +CVE: CVE-2026-25679 +Upstream-Status: Backport [https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803] + +Change-Id: I7109031880758f7c1eb4eca513323328feace33c +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 +Reviewed-by: Neal Patel +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642 +Reviewed-on: https://go-review.googlesource.com/c/go/+/752100 +Reviewed-by: Cherry Mui +Auto-Submit: Gopher Robot +TryBot-Bypass: Gopher Robot +Reviewed-by: Dmitri Shuralyov +(cherry picked from commit d8174a9500d53784594b198f6195d1fae8dfe803) +Signed-off-by: Sudhir Dumbhare +--- + src/net/url/url.go | 4 +++- + src/net/url/url_test.go | 6 ++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 5219e3c130b..ab59c63adfa 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -623,7 +623,9 @@ func parseAuthority(authority string) (user *Userinfo, host string, err error) { + // parseHost parses host as an authority without user + // information. That is, as host[:port]. 
+ func parseHost(host string) (string, error) { +- if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx != -1 { ++ if openBracketIdx := strings.LastIndex(host, "["); openBracketIdx > 0 { ++ return "", errors.New("invalid IP-literal") ++ } else if openBracketIdx == 0 { + // Parse an IP-Literal in RFC 3986 and RFC 6874. + // E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80". + closeBracketIdx := strings.LastIndex(host, "]") +diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go +index b2f8bd95fcf..8ffbf075cb8 100644 +--- a/src/net/url/url_test.go ++++ b/src/net/url/url_test.go +@@ -1722,6 +1722,12 @@ func TestParseErrors(t *testing.T) { + {"http://[fe80::1", true}, // missing closing bracket + {"http://fe80::1]/", true}, // missing opening bracket + {"http://[test.com]/", true}, // domain name in brackets ++ {"http://example.com[::1]", true}, // IPv6 literal doesn't start with '[' ++ {"http://example.com[::1", true}, ++ {"http://[::1", true}, ++ {"http://.[::1]", true}, ++ {"http:// [::1]", true}, ++ {"hxxp://mathepqo[.]serveftp(.)com:9059", true}, + } + for _, tt := range tests { + u, err := Parse(tt.in) +-- +2.35.6 + From patchwork Tue Jun 23 13:13:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90720 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7AD28CDE002 for ; Tue, 23 Jun 2026 13:14:36 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20445.1782220471361892483 for ; Tue, 23 Jun 2026 06:14:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=y7PXCfu4; spf=pass (domain: smile.fr, ip: 
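Review bot: The last added TestParseErrors entry in the url_test.go hunk, {"hxxp://mathepqo[.]serveftp(.)com:9059", true}, does not fit this change. The commit message describes rejecting an IPv6 literal that is not at the start of the host, and the other five new cases are all [::1] variants; this one is written like a defanged indicator (hxxp scheme, [.] and (.) separators) and carries no comment. Its host has a "[" after position 0, so it would take the same openBracketIdx > 0 branch as http://example.com[::1] and adds no coverage of its own. Please compare the six added lines against the upstream commit named in Upstream-Status and either restore the upstream case or replace this one with an example.com-style input.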
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/26] go: fix CVE-2026-32288
Date: Tue, 23 Jun 2026 15:13:47 +0200
Message-ID: <775c3af36899eebe5612844accdfd2a8a2a9327a.1782220259.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239372

From: Sudhir Dumbhare

This patch applies the upstream fix [1], as referenced in [2], to address unbounded sparse map handling in `archive/tar`.

[1] https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e
[2] https://security-tracker.debian.org/tracker/CVE-2026-32288

Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32288

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal
--- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-32288.patch | 162 ++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-32288.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 7d4274b4eb4..f85104d6f15 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -60,6 +60,7 @@ SRC_URI += "\ file://CVE-2026-42507.patch \ file://CVE-2025-58183.patch \ file://CVE-2026-25679.patch \ + file://CVE-2026-32288.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-32288.patch b/meta/recipes-devtools/go/go/CVE-2026-32288.patch new file mode 100644 index 00000000000..a80029ede0a --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-32288.patch 
@@ -0,0 +1,162 @@ +From 12bbeb57c20d32519c3f891b428c6f7765db8f55 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Mon, 23 Mar 2026 13:12:44 -0700 +Subject: [PATCH] [release-branch.go1.25] archive/tar: limit the number of + old GNU sparse format entries + +We did not set a limit on the maximum size of sparse maps in +the old GNU sparse format. Set a limit based on the cumulative +size of the extension blocks used to encode the map (consistent +with how we limit the sparse map size for other formats). + +Add an additional limit to the total number of sparse file entries, +regardless of encoding, to all sparse formats. + +Thanks to Colin Walters (walters@verbum.org), +Uuganbayar Lkhamsuren (https://github.com/uug4na), +and Jakub Ciolek for reporting this issue. + +Fixes #78301 +Fixes CVE-2026-32288 + +CVE: CVE-2026-32288 +Upstream-Status: Backport [https://github.com/golang/go/commit/82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e] + +Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4003 +Reviewed-by: Nicholas Husin +Reviewed-by: Neal Patel +Reviewed-on: https://go-review.googlesource.com/c/go/+/763554 +TryBot-Bypass: Gopher Robot +Auto-Submit: Gopher Robot +Reviewed-by: Junyang Shao +Reviewed-by: David Chase +(cherry picked from commit 82b0cdb7411ea2cf02d3a45e6983cc7c8c009d9e) +Signed-off-by: Sudhir Dumbhare +--- + src/archive/tar/format.go | 6 ++++++ + src/archive/tar/reader.go | 28 ++++++++++++++++++++++++---- + src/archive/tar/reader_test.go | 11 +++++++++++ + 3 files changed, 41 insertions(+), 4 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index 9954b4d9f55..32e58a9d9b4 100644 +--- a/src/archive/tar/format.go ++++ b/src/archive/tar/format.go +@@ -147,6 +147,12 @@ const ( + // Max length of a special file (PAX header, GNU long name or 
link). + // This matches the limit used by libarchive. + maxSpecialFileSize = 1 << 20 ++ ++ // Maximum number of sparse file entries. ++ // We should never actually hit this limit ++ // (every sparse encoding will first be limited by maxSpecialFileSize), ++ // but this adds an additional layer of defense. ++ maxSparseFileEntries = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 71d0b20b76d..3bb8d62106c 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -490,7 +490,8 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + } + s := blk.toGNU().sparse() + spd := make(sparseDatas, 0, s.maxEntries()) +- for { ++ totalSize := len(s) ++ for totalSize < maxSpecialFileSize { + for i := 0; i < s.maxEntries(); i++ { + // This termination condition is identical to GNU and BSD tar. + if s.entry(i).offset()[0] == 0x00 { +@@ -501,7 +502,11 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + if p.err != nil { + return nil, p.err + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ var err error ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) ++ if err != nil { ++ return nil, err ++ } + } + + if s.isExtended()[0] > 0 { +@@ -510,10 +515,12 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err + return nil, err + } + s = blk.toSparse() ++ totalSize += len(s) + continue + } + return spd, nil // Done + } ++ return nil, errSparseTooLong + } + + // readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format +@@ -586,7 +593,10 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { + if err1 != nil || err2 != nil { + return nil, ErrHeader + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, 
Length: length}) ++ if err != nil { ++ return nil, err ++ } + } + return spd, nil + } +@@ -620,12 +630,22 @@ func readGNUSparseMap0x1(paxHdrs map[string]string) (sparseDatas, error) { + if err1 != nil || err2 != nil { + return nil, ErrHeader + } +- spd = append(spd, sparseEntry{Offset: offset, Length: length}) ++ spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) ++ if err != nil { ++ return nil, err ++ } + sparseMap = sparseMap[2:] + } + return spd, nil + } + ++func appendSparseEntry(spd sparseDatas, ent sparseEntry) (sparseDatas, error) { ++ if len(spd) >= maxSparseFileEntries { ++ return nil, errSparseTooLong ++ } ++ return append(spd, ent), nil ++} ++ + // Read reads from the current file in the tar archive. + // It returns (0, io.EOF) when it reaches the end of that file, + // until [Next] is called to advance to the next file. +diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go +index 7e0462c3f88..4a527766ba8 100644 +--- a/src/archive/tar/reader_test.go ++++ b/src/archive/tar/reader_test.go +@@ -1126,6 +1126,17 @@ func TestReadOldGNUSparseMap(t *testing.T) { + input: makeInput(FormatGNU, "", + makeSparseStrings(sparseDatas{{10 << 30, 512}, {20 << 30, 512}})...), + wantMap: sparseDatas{{10 << 30, 512}, {20 << 30, 512}}, ++ }, { ++ input: makeInput(FormatGNU, "", ++ makeSparseStrings(func() sparseDatas { ++ var datas sparseDatas ++ // This is more than enough entries to exceed our limit. 
++ for i := range int64(1 << 20) { ++ datas = append(datas, sparseEntry{i * 2, (i * 2) + 1}) ++ } ++ return datas ++ }())...), ++ wantErr: errSparseTooLong, + }} + + for i, v := range vectors { +-- +2.35.6 + From patchwork Tue Jun 23 13:13:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90714 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED87FCDB47F for ; Tue, 23 Jun 2026 13:14:35 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20833.1782220472765060261 for ; Tue, 23 Jun 2026 06:14:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=oNSSSLsU; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-490ace40f4bso57946045e9.3 for ; Tue, 23 Jun 2026 06:14:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220471; x=1782825271; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PGUGz12nZ0mMLDekPxUOI0sbehsmwysFzGylWX/PYcw=; b=oNSSSLsUa99ZShn2PhUwuqKLGAx4n96kHUJUMZAa3wXtQ3KBhkMSwTf0a9+/r6bpuE 4UR9HL7ITGbQVYU/AtqvKdKvb3ow9XEh7BoNSAshbZzRph+PRnZLM9ObAnSnM58xDN2p LwtvfKCY7HpxQp83hJxUlEVVajQkN3efr7SuY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220471; x=1782825271; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to 
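Review bot: The new TestReadOldGNUSparseMap vector in the reader_test.go hunk does not exercise the entry-count cap added alongside it. It builds exactly 1 << 20 entries, and appendSparseEntry only fails when len(spd) >= maxSparseFileEntries before the append, so an input of 1 << 20 entries passes that check; the errSparseTooLong the test expects has to come from the totalSize < maxSpecialFileSize loop bound in readOldGNUSparseMap. That agrees with the format.go comment that the cap should never actually be hit, but it leaves appendSparseEntry and the two PAX readers (readGNUSparseMap1x0, readGNUSparseMap0x1) without a direct test. A small unit test that calls appendSparseEntry on a slice already holding maxSparseFileEntries entries would cover the new helper, and the test comment "more than enough entries to exceed our limit" could name which limit it means.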
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/26] binutils: Fix CVE-2025-69644
Date: Tue, 23 Jun 2026 15:13:48 +0200
Message-ID: <267ff299a6fe6f65e0dd86f5e59bb013921526ce.1782220259.git.yoann.congal@smile.fr>
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239373

From: Deepak Rathore

This patch updates the existing CVE-2025-69647 backport metadata for CVE-2025-69644.

NVD records for CVE-2025-69644 and CVE-2025-69647 reference the same upstream binutils fix commit [1], and the public CVE advisories are referenced in [2] and [3].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-69644
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-69647

Signed-off-by: Deepak Rathore
Signed-off-by: Yoann Congal
--- meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +- ...VE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69647.patch => CVE-2025-69644-CVE-2025-69647.patch} (96%) diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 1a865c45f4f..7e83f72632f 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -72,7 +72,7 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ - file://CVE-2025-69647.patch \ + file://CVE-2025-69644-CVE-2025-69647.patch \ file://CVE-2025-69648.patch \ " S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch similarity index 96% rename from meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch rename to meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch index 8e3c1c79e7d..c6b3cefed2b 100644 --- a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69644-CVE-2025-69647.patch @@ -12,11 +12,12 @@ length too. length too small to read header. Limit length to section size. Limit offset count similarly. -CVE: CVE-2025-69647 +CVE: CVE-2025-69644 CVE-2025-69647 Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7] 
Signed-off-by: Adarsh Jagadish Kamini +Signed-off-by: Deepak Rathore --- binutils/dwarf.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) From patchwork Tue Jun 23 13:13:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90716 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D358CD98F2 for ; Tue, 23 Jun 2026 13:14:36 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20834.1782220473692656383 for ; Tue, 23 Jun 2026 06:14:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=J/biFXcC; spf=pass (domain: smile.fr, ip: 209.85.221.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-4624a44e152so4752055f8f.2 for ; Tue, 23 Jun 2026 06:14:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220472; x=1782825272; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Y4fOYFJwrmpqDxb+WZQvYPrsUeIZdJW+sW+HIn6iD0M=; b=J/biFXcCRgNi3JVbOk9zAEp7ab14pAtFmHdk/B1EakpWi1fQWW0J/6YjAmAoY0kDUg cJXaT/OUHRfTW1+36gAbF6cTzX02DdytPE0fKamknsOaPPJAHp26rqM9pbYkBqD4B2oY ri2H2UMhhTorZOzxlfvkvnOyzRdOZKlJpxRmc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220472; x=1782825272; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; 
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/26] python3: Fix CVE-2026-3644 and CVE-2026-0672
Date: Tue, 23 Jun 2026 15:13:49 +0200
X-Mailer: git-send-email 2.47.3
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239374

From: Sudhir Dumbhare

Apply the upstream v3.13 fix [1], as referenced in [2], to address CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(), the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as Morsel.update(), |=, and unpickling could bypass input validation. The fix also adds output validation to BaseCookie.js_output(), matching the control-character safeguards already present in BaseCookie.output().

[1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal
--- .../python3/CVE-2026-3644_CVE-2026-0672.patch | 154 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 155 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch new file mode 100644 index 00000000000..42d8133a183 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-3644_CVE-2026-0672.patch
@@ -0,0 +1,154 @@ +From 6e291d2eba0b6820bc924e68f1db750328bf6c75 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 16 Mar 2026 15:05:13 +0100 +Subject: [PATCH] [3.13] gh-145599, CVE 2026-3644: Reject control + characters in `http.cookies.Morsel.update()` (GH-145600) (#146024) + +gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) + +Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`. + +CVE: CVE-2026-3644 CVE-2026-0672 +Upstream-Status: Backport [https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst + +(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4) + +Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> +Co-authored-by: Victor Stinner +Co-authored-by: Victor Stinner +(cherry picked from commit d16ecc6c3626f0e2cc8f08c309c83934e8a979dd) +Signed-off-by: Sudhir Dumbhare +--- + Lib/http/cookies.py | 24 ++++++++++++++++++---- + Lib/test/test_http_cookies.py | 38 +++++++++++++++++++++++++++++++++++ + 2 files changed, 58 insertions(+), 4 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index d0a69cbe191..63d119ad46c 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -335,9 +335,16 @@ class Morsel(dict): + key = key.lower() + if key not in self._reserved: + raise CookieError("Invalid attribute %r" % (key,)) ++ if _has_control_character(key, val): ++ raise CookieError("Control characters are not allowed in " ++ f"cookies {key!r} {val!r}") + data[key] = val + dict.update(self, data) + ++ def __ior__(self, values): ++ self.update(values) ++ return self ++ + def isReservedKey(self, K): + return K.lower() in self._reserved + +@@ 
-363,9 +370,15 @@ class Morsel(dict): + } + + def __setstate__(self, state): +- self._key = state['key'] +- self._value = state['value'] +- self._coded_value = state['coded_value'] ++ key = state['key'] ++ value = state['value'] ++ coded_value = state['coded_value'] ++ if _has_control_character(key, value, coded_value): ++ raise CookieError("Control characters are not allowed in cookies " ++ f"{key!r} {value!r} {coded_value!r}") ++ self._key = key ++ self._value = value ++ self._coded_value = coded_value + + def output(self, attrs=None, header="Set-Cookie:"): + return "%s %s" % (header, self.OutputString(attrs)) +@@ -377,13 +390,16 @@ class Morsel(dict): + + def js_output(self, attrs=None): + # Print javascript ++ output_string = self.OutputString(attrs) ++ if _has_control_character(output_string): ++ raise CookieError("Control characters are not allowed in cookies") + return """ + +- """ % (self.OutputString(attrs).replace('"', r'\"')) ++ """ % (output_string.replace('"', r'\"')) + + def OutputString(self, attrs=None): + # Build up our result +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index f196bcc48e3..2478a6c630f 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -573,6 +573,14 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + morsel["path"] = c0 + ++ # .__setstate__() ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0}) ++ + # .setdefault() + with self.assertRaises(cookies.CookieError): + morsel.setdefault("path", c0) +@@ -587,6 +595,18 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + morsel.set("path", 
"val", c0) + ++ # .update() ++ with self.assertRaises(cookies.CookieError): ++ morsel.update({"path": c0}) ++ with self.assertRaises(cookies.CookieError): ++ morsel.update({c0: "val"}) ++ ++ # .__ior__() ++ with self.assertRaises(cookies.CookieError): ++ morsel |= {"path": c0} ++ with self.assertRaises(cookies.CookieError): ++ morsel |= {c0: "val"} ++ + def test_control_characters_output(self): + # Tests that even if the internals of Morsel are modified + # that a call to .output() has control character safeguards. +@@ -607,6 +627,24 @@ class MorselTests(unittest.TestCase): + with self.assertRaises(cookies.CookieError): + cookie.output() + ++ # Tests that .js_output() also has control character safeguards. ++ for c0 in support.control_characters_c0(): ++ morsel = cookies.Morsel() ++ morsel.set("key", "value", "coded-value") ++ morsel._key = c0 # Override private variable. ++ cookie = cookies.SimpleCookie() ++ cookie["cookie"] = morsel ++ with self.assertRaises(cookies.CookieError): ++ cookie.js_output() ++ ++ morsel = cookies.Morsel() ++ morsel.set("key", "value", "coded-value") ++ morsel._coded_value = c0 # Override private variable. ++ cookie = cookies.SimpleCookie() ++ cookie["cookie"] = morsel ++ with self.assertRaises(cookies.CookieError): ++ cookie.js_output() ++ + + def load_tests(loader, tests, pattern): + tests.addTest(doctest.DocTestSuite(cookies)) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 4865178572c..c59d9fba80d 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb 
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_readline-skip-limited-history-test.patch \ file://CVE-2026-1502.patch \ file://CVE-2026-6100.patch \ + file://CVE-2026-3644_CVE-2026-0672.patch \ " SRC_URI:append:class-native = " \ From patchwork Tue Jun 23 13:13:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90713 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF64BCDB47C for ; Tue, 23 Jun 2026 13:14:35 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20446.1782220474412280537 for ; Tue, 23 Jun 2026 06:14:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=E56bwKaa; spf=pass (domain: smile.fr, ip: 209.85.128.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-4923139e940so32759365e9.3 for ; Tue, 23 Jun 2026 06:14:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220473; x=1782825273; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=upfIrUGtLuI5jOcq96eXY/vjdYqspMcYk+QX5txZhKk=; b=E56bwKaaqwOamXPyPHGs1zkSA8J7IW3zPV8kwB31XAh9ttrjIOF1zl3YLQmI5c7oEv YZTLTs6j4rwqTU8cZO3ILe/CXkqIriKyeVUQ1nbL3I9NHfODKu0rP7WgGpBEqXXQL1Sz n+fEeXR1ohI2qJnobq9RZ6YBBKlAyKrT9dOk0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220473; x=1782825273; h=content-transfer-encoding:mime-version:references:in-reply-to 
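Review bot: The cookies.py hunks call _has_control_character() in Morsel.update(), __setstate__() and js_output(), and the test hunks call support.control_characters_c0(), but neither helper is added anywhere in this patch. The backport therefore only works if the Python 3.12.13 source already provides both, presumably from the earlier CVE-2026-0672 fix that the commit message calls incomplete. Please state that dependency in the Backport Changes section of the embedded patch, next to the note about the omitted NEWS file, so a later version bump or patch reorder does not silently break cookies.py at import time or the test module.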
:message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=upfIrUGtLuI5jOcq96eXY/vjdYqspMcYk+QX5txZhKk=; b=eot+ZSA33yq7CmE6061INsp51PnagZcbpmhcm7OOYrN8dv5UqWVhDIFjjpq1rUAoEO 2CAnxrzIKy5iKaNSXT6SPnkV36SA0pcpOYX/GAmYQRP5uJI95Cf+h0nZvKNnMJBnePnI vJ75/Z6NBVSw6GBoJt6QPqn/wVbq2aiI3e3pxsIhIbulY3C+Xc/rbanuhctQLyPu0azO 2ofjaSLJf+uYfxe6Ym1yHZ58aHBiwqCMca2R+m52JhJJ+3fNuK+w5azl2P3yZOdqWY8B zxe5tkRnZEKqy7xs2qnoWFJ1utbXt64myjIJtP/rdNn7wlIfFAdMqmTjf5dsrE5ieiky AxZA== X-Gm-Message-State: AOJu0Yzej4QnMoMVNsAy0UXuERidNRgFr1yRAoVL/XC/n3DY0mPF7jT8 cySzQQ3jpTpI2WiC0mBODoJqmzCKMp2J7xV/hH7Jm09AJx+dhFwD9K9Aiu8oKfF/pTKuXK6WYax +lVHU X-Gm-Gg: AfdE7ck8Gm5AMYWP/iK6noUq2Pe3asvy16qirLyojP++T0qna/wlavcn7/9f3N5qFCz ahVbpG5TfnCk5UsoSiecJInhr+Y00g0C1GGLwcV2x08NEr9GJJDNY0N37D3jR4xqKyyldyRLIfF PLSLVLBX575dtR0g9sM4gTHSf6SzrwRzzbU+R2QMP4ZhjmBUec1svYvtwHSSYmdzUGG3JTOun3U AgzaJCPBGEAsmiYr1eaxof+QOC6imC98sF4cs9zJPhEEt+01x7VPC4xmx1bYkfFuytFPlFsOjyH //O0P0LH+y1rzIp6regjONy+w1s6JBNcG0e4T+6+1xELwazzTdOHo59h4tAz7bP8TE0QSoJUKuW eaOQPzU7rB1vraSnSNzvfoXozHSvE8VhLXen9zJcnJrLqM8viUPQe5Y6YKDGaL+io3FSOx1Zcrx PEIgFCpA6RRDjKy4Dapq+TmYgwR8X7xjYbnaQkQvGcQH985of38tTIUDac1fwsDQuxKC5ro+rt1 40siDl9Nwskr5yzZg== X-Received: by 2002:a05:600c:c165:b0:490:b58b:a8ca with SMTP id 5b1f17b1804b1-4925b3864a2mr39853915e9.27.1782220472383; Tue, 23 Jun 2026 06:14:32 -0700 (PDT) Received: from FRSMI25-LASER.home (2a01cb001331aa008234f3c115adbb1a.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:8234:f3c1:15ad:bb1a]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4925d013a69sm24334285e9.3.2026.06.23.06.14.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Jun 2026 06:14:31 -0700 (PDT) 
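Review bot: in the new `.js_output()` block of `test_control_characters_output` (CVE-2026-3644_CVE-2026-0672.patch), the loop over `support.control_characters_c0()` runs the `_key` and `_coded_value` cases without `self.subTest(c0=c0)`, so a failure does not say which control character got past the safeguard. Wrapping each iteration in `with self.subTest(c0=c0):` would make a regression easy to pinpoint; as this is a backport, that is better raised upstream than changed in the recipe's copy.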
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/26] python3: Fix CVE-2026-4519 and CVE-2026-4786
Date: Tue, 23 Jun 2026 15:13:50 +0200
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239375

From: Sudhir Dumbhare

Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal --- .../python3/CVE-2026-4519_CVE-2026-4786.patch | 66 ++++++++ .../python/python3/CVE-2026-4519_p1.patch | 107 ++++++++++++ .../python/python3/CVE-2026-4519_p2.patch | 159 ++++++++++++++++++ .../python/python3_3.12.13.bb | 3 + 4 files changed, 335 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch new file mode 100644 index 00000000000..6a4714f25ae --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_CVE-2026-4786.patch 
@@ -0,0 +1,66 @@ +From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Mon, 13 Apr 2026 22:41:51 +0100 +Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution + bypass of dash-prefix check (GH-148170) (#148520) + +CVE: CVE-2026-4519 CVE-2026-4786 +Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst + +(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff) +(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769) +Signed-off-by: Sudhir Dumbhare +--- + Lib/test/test_webbrowser.py | 8 ++++++++ + Lib/webbrowser.py | 5 +++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index c9bf525360d..1d21f133725 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + ++ def test_reject_action_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaises(ValueError): ++ browser.open('%action--incognito') ++ # new=1: action is "--new-window", so "%action" itself expands to ++ # a dash-prefixed flag even with no dash in the original URL. 
++ with self.assertRaises(ValueError): ++ browser.open('%action', new=1) + + class EdgeCommandTest(CommandTestMixin, unittest.TestCase): + +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 000e89275b7..97c4eec9080 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) +- self._check_url(url) + if new == 0: + action = self.remote_action + elif new == 1: +@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser): + raise Error("Bad 'new' parameter to open(); " + + "expected 0, 1, or 2, got %s" % new) + +- args = [arg.replace("%s", url).replace("%action", action) ++ self._check_url(url.replace("%action", action)) ++ ++ args = [arg.replace("%action", action).replace("%s", url) + for arg in self.remote_args] + args = [arg for arg in args if arg] + success = self._invoke(args, True, autoraise, url) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch new file mode 100644 index 00000000000..1514d2c5414 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch 
@@ -0,0 +1,107 @@ +From 7df48dd3c6330611a04d85a5159c0ea424dc1e62 Mon Sep 17 00:00:00 2001 +From: Pinky +Date: Wed, 25 Mar 2026 01:02:37 +0530 +Subject: [PATCH] [3.12] gh-143930: Reject leading dashes in webbrowser + URLs (GH-146360) + +CVE: CVE-2026-4519 +Upstream-Status: Backport [https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst + +(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) + +Co-authored-by: Seth Michael Larson +(cherry picked from commit cbba6119391112aba9c5aebf7b94aea447922c48) +Signed-off-by: Sudhir Dumbhare +--- + Lib/test/test_webbrowser.py | 5 +++++ + Lib/webbrowser.py | 12 ++++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index 2d695bc8831..60f094fd6a1 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + ++ def test_reject_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaises(ValueError): ++ browser.open(f"--key=val {URL}") ++ + + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 13b9e85f9e1..0bdb644d7db 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -158,6 +158,12 @@ class BaseBrowser(object): + def open_new_tab(self, url): + return self.open(url, 2) + ++ @staticmethod ++ def _check_url(url): ++ """Ensures that the URL is safe to pass to subprocesses as a parameter""" ++ if url and url.lstrip().startswith("-"): ++ raise ValueError(f"Invalid URL: {url}") ++ + + class GenericBrowser(BaseBrowser): + """Class for all browsers started with a command +@@ -175,6 +181,7 @@ class 
GenericBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + cmdline = [self.name] + [arg.replace("%s", url) + for arg in self.args] + try: +@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser): + cmdline = [self.name] + [arg.replace("%s", url) + for arg in self.args] + sys.audit("webbrowser.open", url) ++ self._check_url(url) + try: + if sys.platform[:3] == 'win': + p = subprocess.Popen(cmdline) +@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + if new == 0: + action = self.remote_action + elif new == 1: +@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + # XXX Currently I know no way to prevent KFM from opening a new win. + if new == 2: + action = "newTab" +@@ -554,6 +564,7 @@ if sys.platform[:3] == "win": + class WindowsDefault(BaseBrowser): + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + try: + os.startfile(url) + except OSError: +@@ -638,6 +649,7 @@ if sys.platform == 'darwin': + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) ++ self._check_url(url) + if self.name == 'default': + script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser + else: +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch new file mode 100644 index 00000000000..7ee145e5e80 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4519_p2.patch 
@@ -0,0 +1,159 @@ +From 3ca64ff1722d2410a4e50e760de70f6279fa99fa Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sat, 4 Apr 2026 00:53:49 +0200 +Subject: [PATCH] [3.11] gh-143930: Tweak the exception message and + increase test coverage (GH-146476) (GH-148045) (GH-148051) (GH-148052) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE: CVE-2026-4519 +Upstream-Status: Backport [https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst +- The file introduced in v3.12 by this commit; + https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48 + +(cherry picked from commit cc023511238ad93ecc8796157c6f9139a2bb2932) +(cherry picked from commit 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4) +(cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd) + +Co-authored-by: Łukasz Langa +(cherry picked from commit 96fc5048605863c7b6fd6289643feb0e97edd96c) +Signed-off-by: Sudhir Dumbhare +--- + Lib/test/test_webbrowser.py | 81 ++++++++++++++++++++++++++++++++++--- + Lib/webbrowser.py | 2 +- + 2 files changed, 76 insertions(+), 7 deletions(-) + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index 60f094fd6a1..c9bf525360d 100644 +--- a/Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -1,6 +1,7 @@ ++import io ++import os + import webbrowser + import unittest +-import os + import sys + import subprocess + from unittest import mock +@@ -49,6 +50,14 @@ class CommandTestMixin: + popen_args.pop(popen_args.index(option)) + self.assertEqual(popen_args, arguments) + ++ def test_reject_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaisesRegex( ++ ValueError, ++ r"^Invalid 
URL \(leading dash disallowed\): '--key=val http.*'$" ++ ): ++ browser.open(f"--key=val {URL}") ++ + + class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +@@ -59,11 +68,6 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): + options=[], + arguments=[URL]) + +- def test_reject_dash_prefixes(self): +- browser = self.browser_class(name=CMD_NAME) +- with self.assertRaises(ValueError): +- browser.open(f"--key=val {URL}") +- + + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): + +@@ -224,6 +228,71 @@ class ELinksCommandTest(CommandTestMixin, unittest.TestCase): + arguments=['openURL({},new-tab)'.format(URL)]) + + ++class MockPopenPipe: ++ def __init__(self, cmd, mode): ++ self.cmd = cmd ++ self.mode = mode ++ self.pipe = io.StringIO() ++ self._closed = False ++ ++ def write(self, buf): ++ self.pipe.write(buf) ++ ++ def close(self): ++ self._closed = True ++ return None ++ ++ ++@unittest.skipUnless(sys.platform == "darwin", "macOS specific test") ++class MacOSXOSAScriptTest(unittest.TestCase): ++ def setUp(self): ++ # Ensure that 'BROWSER' is not set to 'open' or something else. ++ # See: https://github.com/python/cpython/issues/131254. 
++ env = self.enterContext(os_helper.EnvironmentVarGuard()) ++ env.unset("BROWSER") ++ ++ support.patch(self, os, "popen", self.mock_popen) ++ self.browser = webbrowser.MacOSXOSAScript("default") ++ ++ def mock_popen(self, cmd, mode): ++ self.popen_pipe = MockPopenPipe(cmd, mode) ++ return self.popen_pipe ++ ++ def test_default(self): ++ browser = webbrowser.get() ++ assert isinstance(browser, webbrowser.MacOSXOSAScript) ++ self.assertEqual(browser.name, "default") ++ ++ def test_default_open(self): ++ url = "https://python.org" ++ self.browser.open(url) ++ self.assertTrue(self.popen_pipe._closed) ++ self.assertEqual(self.popen_pipe.cmd, "osascript") ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertEqual(script.strip(), f'open location "{url}"') ++ ++ def test_url_quote(self): ++ self.browser.open('https://python.org/"quote"') ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertEqual( ++ script.strip(), 'open location "https://python.org/%22quote%22"' ++ ) ++ ++ def test_explicit_browser(self): ++ browser = webbrowser.MacOSXOSAScript("safari") ++ browser.open("https://python.org") ++ script = self.popen_pipe.pipe.getvalue() ++ self.assertIn('tell application "safari"', script) ++ self.assertIn('open location "https://python.org"', script) ++ ++ def test_reject_dash_prefixes(self): ++ with self.assertRaisesRegex( ++ ValueError, ++ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$" ++ ): ++ self.browser.open(f"--key=val {URL}") ++ ++ + class BrowserRegistrationTest(unittest.TestCase): + + def setUp(self): +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 0bdb644d7db..000e89275b7 100755 +--- a/Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -162,7 +162,7 @@ class BaseBrowser(object): + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): +- raise ValueError(f"Invalid URL: {url}") ++ raise ValueError(f"Invalid URL (leading dash disallowed): 
{url!r}") + + + class GenericBrowser(BaseBrowser): +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index c59d9fba80d..ec9ea94824e 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb 
@@ -37,6 +37,9 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-1502.patch \ file://CVE-2026-6100.patch \ file://CVE-2026-3644_CVE-2026-0672.patch \ + file://CVE-2026-4519_p1.patch \ + file://CVE-2026-4519_p2.patch \ + file://CVE-2026-4519_CVE-2026-4786.patch \ " SRC_URI:append:class-native = " \
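Review bot: in the `UnixBrowser.open` hunk of CVE-2026-4519_CVE-2026-4786.patch, `_check_url()` validates `url.replace("%action", action)`, but the rebuilt `args` line now expands `%action` in the template first and substitutes `%s` last, so a `%action` inside the URL is no longer expanded when the command line is built. The check is therefore stricter than what gets executed (`test_reject_action_dash_prefixes` rejects `'%action'` with `new=1`); a one-line comment above the `_check_url` call saying this is deliberate defence in depth would keep a later cleanup from dropping it. Also note that with the check moved below the `new` validation, a dash-prefixed URL combined with a bad `new` now raises `Error` rather than `ValueError`.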
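Review bot: in CVE-2026-4519_p2.patch the new `MacOSXOSAScriptTest` calls `os_helper.EnvironmentVarGuard()` and `support.patch()`, while the import hunk at the top of `Lib/test/test_webbrowser.py` only adds `io` and moves `os`. The class is skipped unless `sys.platform == "darwin"`, so a missing import would not show up in a Linux ptest run; please confirm both names are already imported in the 3.12.13 test file. The second "Backport Changes" bullet ("The file introduced in v3.12 by this commit;") should also say which file it refers to.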
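Review bot: in the `BackgroundBrowser.open` hunk of CVE-2026-4519_p1.patch, `self._check_url(url)` is added after `cmdline` has already been built from the URL, whereas every other `open()` in the patch validates directly after `sys.audit` and before the URL is used. Nothing is spawned before the check, so behaviour is correct, but validating before `cmdline` is assembled would keep the "check, then use" order uniform across the browser classes. `_check_url` also lets an empty or `None` URL through because of the `if url and ...` guard, which is worth a word in the docstring.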
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/26] python3: Fix CVE-2026-6019
Date: Tue, 23 Jun 2026 15:13:51 +0200
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239376

From: Sudhir Dumbhare

This patch applies the upstream fix [1] and follow-up fix [2], as referenced
in [3] and [4], to address an http.cookies.Morsel.js_output() flaw where
inline JavaScript output escaped quotes but did not neutralize the HTML
parser-sensitive sequence.

[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-6019

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Yoann Congal --- .../python/python3/CVE-2026-6019_p1.patch | 133 ++++++++++++++++++ .../python/python3/CVE-2026-6019_p2.patch | 129 +++++++++++++++++ .../python/python3_3.12.13.bb | 2 + 3 files changed, 264 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch new file mode 100644 index 00000000000..78b01574c91 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p1.patch
@@ -0,0 +1,133 @@ +From be751c3f3a11d40c2133bee5fb6ab6931df31936 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Thu, 23 Apr 2026 15:05:17 +0200 +Subject: [PATCH] [3.13] gh-90309: Base64-encode cookie values embedded in + JS (GH-148888) + +CVE: CVE-2026-6019 +Upstream-Status: Backport [https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c] + +Backport Changes: +- This file is not present in the current version and is therefore omitted. + Misc/NEWS.d/next/Security/2026-04-21-13-46-30.gh-issue-90309.srvj9q.rst + +(cherry picked from commit 76b3923d688c0efc580658476c5f525ec8735104) + +Co-authored-by: Seth Larson +(cherry picked from commit 3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c) +Signed-off-by: Sudhir Dumbhare +--- + Lib/http/cookies.py | 8 ++++++-- + Lib/test/test_http_cookies.py | 29 ++++++++++++++++++----------- + 2 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 63d119ad46c..aebc2a163e4 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -389,17 +389,21 @@ class Morsel(dict): + return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) + + def js_output(self, attrs=None): ++ import base64 + # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") ++ # Base64-encode value to avoid template ++ # injection in cookie values. 
++ output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") + return """ + +- """ % (output_string.replace('"', r'\"')) ++ """ % (output_encoded,) + + def OutputString(self, attrs=None): + # Build up our result +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 2478a6c630f..6aa5df068f9 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -1,5 +1,5 @@ + # Simple test suite for http/cookies.py +- ++import base64 + import copy + import unittest + import doctest +@@ -152,17 +152,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- self.assertEqual(C.js_output(), r""" ++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') ++ self.assertEqual(C.js_output(), fr""" + + """) +- self.assertEqual(C.js_output(['path']), r""" ++ cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') ++ self.assertEqual(C.js_output(['path']), fr""" + + """) +@@ -259,17 +261,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- self.assertEqual(C.js_output(), r""" ++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') ++ self.assertEqual(C.js_output(), fr""" + + """) +- self.assertEqual(C.js_output(['path']), r""" ++ expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') ++ self.assertEqual(C.js_output(['path']), fr""" + + """) +@@ -360,13 +364,16 @@ class MorselTests(unittest.TestCase): + self.assertEqual( + M.output(), + "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) ++ expected_encoded_cookie = base64.b64encode( ++ ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") ++ ).decode('ascii') + expected_js_output = """ + +- """ 
% (i, "%s_coded_val" % i) ++ """ % (expected_encoded_cookie,) + self.assertEqual(M.js_output(), expected_js_output) + for i in ["foo bar", "foo@bar"]: + # Try some illegal characters +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch new file mode 100644 index 00000000000..0646bd2133f --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-6019_p2.patch 
@@ -0,0 +1,129 @@ +From de449bbc6ff4ce869c17fb551dacc69de25d73a9 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Mon, 8 Jun 2026 20:15:21 +0100 +Subject: [PATCH] [3.13] gh-149144: Use `decodeURIComponent()` for UTF-8 + support in `js_output()` (GH-149157) (#150949) + +CVE: CVE-2026-6019 +Upstream-Status: Backport [https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802] + +Co-authored-by: Seth Larson +(cherry picked from commit e7d4c3ff421916986223690a8425d2383f6f3802) +Signed-off-by: Sudhir Dumbhare +--- + Lib/http/cookies.py | 6 +++--- + Lib/test/test_http_cookies.py | 27 ++++++++++++++------------- + 2 files changed, 17 insertions(+), 16 deletions(-) + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index aebc2a163e4..2cffa2a9ad6 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -389,18 +389,18 @@ class Morsel(dict): + return '<%s: %s>' % (self.__class__.__name__, self.OutputString()) + + def js_output(self, attrs=None): +- import base64 ++ import urllib.parse + # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") + # Base64-encode value to avoid template + # injection in cookie values. 
+- output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii") ++ output_encoded = urllib.parse.quote(output_string, safe='', encoding='utf-8') + return """ + + """ % (output_encoded,) +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 6aa5df068f9..b9cc59cd1db 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -1,10 +1,10 @@ + # Simple test suite for http/cookies.py +-import base64 + import copy + import unittest + import doctest + from http import cookies + import pickle ++import urllib.parse + from test import support + + +@@ -152,19 +152,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme; Version=1').decode('ascii') ++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme; Version=1', safe='', encoding='utf-8') + self.assertEqual(C.js_output(), fr""" + + """) +- cookie_encoded = base64.b64encode(b'Customer="WILE_E_COYOTE"; Path=/acme').decode('ascii') ++ cookie_encoded = urllib.parse.quote('Customer="WILE_E_COYOTE"; Path=/acme', safe='', encoding='utf-8') + self.assertEqual(C.js_output(['path']), fr""" + + """) +@@ -261,19 +261,19 @@ class CookieTests(unittest.TestCase): + + self.assertEqual(C.output(['path']), + 'Set-Cookie: Customer="WILE_E_COYOTE"; Path=/acme') +- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1').decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme; Version=1', safe='', encoding='utf-8') + self.assertEqual(C.js_output(), fr""" + + """) +- expected_encoded_cookie = base64.b64encode(b'Customer=\"WILE_E_COYOTE\"; Path=/acme').decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote('Customer=\"WILE_E_COYOTE\"; Path=/acme', safe='', encoding='utf-8') + 
self.assertEqual(C.js_output(['path']), fr""" + + """) +@@ -364,13 +364,14 @@ class MorselTests(unittest.TestCase): + self.assertEqual( + M.output(), + "Set-Cookie: %s=%s; Path=/foo" % (i, "%s_coded_val" % i)) +- expected_encoded_cookie = base64.b64encode( +- ("%s=%s; Path=/foo" % (i, "%s_coded_val" % i)).encode("ascii") +- ).decode('ascii') ++ expected_encoded_cookie = urllib.parse.quote( ++ "%s=%s; Path=/foo" % (i, "%s_coded_val" % i), ++ safe='', encoding='utf-8', ++ ) + expected_js_output = """ + + """ % (expected_encoded_cookie,) +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index ec9ea94824e..be080c6a362 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb 
@@ -40,6 +40,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-4519_p1.patch \ file://CVE-2026-4519_p2.patch \ file://CVE-2026-4519_CVE-2026-4786.patch \ + file://CVE-2026-6019_p1.patch \ + file://CVE-2026-6019_p2.patch \ " SRC_URI:append:class-native = " \
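Review bot: in the `js_output()` hunk of CVE-2026-6019_p2.patch, the unchanged comment still reads "Base64-encode value to avoid template injection in cookie values." although the line below it now calls `urllib.parse.quote(output_string, safe='', encoding='utf-8')`. Once both patches are applied the comment describes an encoding that is no longer used. Since this is a backport, it is better flagged upstream than changed here; if it is corrected locally, record that in the patch header.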
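Review bot: both CVE-2026-6019 patch headers carry a `[3.13]` Subject while the recipe being patched is `python3_3.12.13.bb`, and the commit message does not say how the 3.13 commits were carried to 3.12. CVE-2026-6019_p1.patch lists the omitted NEWS file under "Backport Changes", but CVE-2026-6019_p2.patch has no such section; please state there whether it applied unchanged or what was dropped or adapted, so the `Upstream-Status: Backport` claim can be checked against the referenced commit.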
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/26] python3: Fix CVE-2025-13462 Date: Tue, 23 Jun 2026 15:13:52 +0200 Message-ID: <0b990a354ef858d903d4bed937b1233537c2c478.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239377 From: Sudhir Dumbhare Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2], to address incorrect tarfile handling where GNU long name follow-up headers could be normalized as directories, as referenced in [3]. [1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084 [2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7 [3] https://security-tracker.debian.org/tracker/CVE-2025-13462 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-13462 Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- .../python/python3/CVE-2025-13462.patch | 142 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 143 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-13462.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13462.patch b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch new file mode 100644 index 00000000000..36d492338ba --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-13462.patch 
@@ -0,0 +1,142 @@ +From 14d7d2e8f51a17c23c98f13f33743253a0b7a18a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 May 2026 19:43:51 +0200 +Subject: [PATCH] [3.12] gh-141707: Skip TarInfo DIRTYPE normalization during + GNU long name handling (#145817) + +gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling + +CVE: CVE-2025-13462 +Upstream-Status: Backport [https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084] + +Backport Changes: +- This file is not present in the current version and is therefore omitted + Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst + +(cherry picked from commit 42d754e34c06e57ad6b8e7f92f32af679912d8ab) + +Co-authored-by: Seth Michael Larson +Co-authored-by: Eashwar Ranganathan +(cherry picked from commit d10950739a78f54d0718d88fb5a868374603c084) +Signed-off-by: Sudhir Dumbhare +--- + Lib/tarfile.py | 29 +++++++++++++++++++++++++---- + Lib/test/test_tarfile.py | 19 +++++++++++++++++++ + Misc/ACKS | 1 + + 3 files changed, 45 insertions(+), 4 deletions(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 99451aa765..70fdbe85b0 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1246,6 +1246,20 @@ class TarInfo(object): + @classmethod + def frombuf(cls, buf, encoding, errors): + """Construct a TarInfo object from a 512 byte bytes object. ++ ++ To support the old v7 tar format AREGTYPE headers are ++ transformed to DIRTYPE headers if their name ends in '/'. ++ """ ++ return cls._frombuf(buf, encoding, errors) ++ ++ @classmethod ++ def _frombuf(cls, buf, encoding, errors, *, dircheck=True): ++ """Construct a TarInfo object from a 512 byte bytes object. ++ ++ If ``dircheck`` is set to ``True`` then ``AREGTYPE`` headers will ++ be normalized to ``DIRTYPE`` if the name ends in a trailing slash. 
++ ``dircheck`` must be set to ``False`` if this function is called ++ on a follow-up header such as ``GNUTYPE_LONGNAME``. + """ + if len(buf) == 0: + raise EmptyHeaderError("empty header") +@@ -1276,7 +1290,7 @@ class TarInfo(object): + + # Old V7 tar format represents a directory as a regular + # file with a trailing slash. +- if obj.type == AREGTYPE and obj.name.endswith("/"): ++ if dircheck and obj.type == AREGTYPE and obj.name.endswith("/"): + obj.type = DIRTYPE + + # The old GNU sparse format occupies some of the unused +@@ -1311,8 +1325,15 @@ class TarInfo(object): + """Return the next TarInfo object from TarFile object + tarfile. + """ ++ return cls._fromtarfile(tarfile) ++ ++ @classmethod ++ def _fromtarfile(cls, tarfile, *, dircheck=True): ++ """ ++ See dircheck documentation in _frombuf(). ++ """ + buf = tarfile.fileobj.read(BLOCKSIZE) +- obj = cls.frombuf(buf, tarfile.encoding, tarfile.errors) ++ obj = cls._frombuf(buf, tarfile.encoding, tarfile.errors, dircheck=dircheck) + obj.offset = tarfile.fileobj.tell() - BLOCKSIZE + return obj._proc_member(tarfile) + +@@ -1370,7 +1391,7 @@ class TarInfo(object): + + # Fetch the next header and process it. + try: +- next = self.fromtarfile(tarfile) ++ next = self._fromtarfile(tarfile, dircheck=False) + except HeaderError as e: + raise SubsequentHeaderError(str(e)) from None + +@@ -1505,7 +1526,7 @@ class TarInfo(object): + + # Fetch the next header. 
+ try: +- next = self.fromtarfile(tarfile) ++ next = self._fromtarfile(tarfile, dircheck=False) + except HeaderError as e: + raise SubsequentHeaderError(str(e)) from None + +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 759fa03ead..82637841ed 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -1134,6 +1134,25 @@ class LongnameTest: + self.assertIsNotNone(tar.getmember(longdir)) + self.assertIsNotNone(tar.getmember(longdir.removesuffix('/'))) + ++ def test_longname_file_not_directory(self): ++ # Test reading a longname file and ensure it is not handled as a directory ++ # Issue #141707 ++ buf = io.BytesIO() ++ with tarfile.open(mode='w', fileobj=buf, format=self.format) as tar: ++ ti = tarfile.TarInfo() ++ ti.type = tarfile.AREGTYPE ++ ti.name = ('a' * 99) + '/' + ('b' * 3) ++ tar.addfile(ti) ++ ++ expected = {t.name: t.type for t in tar.getmembers()} ++ ++ buf.seek(0) ++ with tarfile.open(mode='r', fileobj=buf) as tar: ++ actual = {t.name: t.type for t in tar.getmembers()} ++ ++ self.assertEqual(expected, actual) ++ ++ + class GNUReadTest(LongnameTest, ReadTest, unittest.TestCase): + + subdir = "gnu" +diff --git a/Misc/ACKS b/Misc/ACKS +index a6e63a991f..30d5f99ebb 100644 +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -1492,6 +1492,7 @@ Dhushyanth Ramasamy + Ashwin Ramaswami + Jeff Ramnani + Bayard Randel ++Eashwar Ranganathan + Varpu Rantala + Brodie Rao + Rémi Rampin +-- +2.35.6 + diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index be080c6a362..3e28a3942bd 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb 
@@ -42,6 +42,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-4519_CVE-2026-4786.patch \ file://CVE-2026-6019_p1.patch \ file://CVE-2026-6019_p2.patch \ + file://CVE-2025-13462.patch \ " SRC_URI:append:class-native = " \ From patchwork Tue Jun 23 13:13:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90725 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF6BFCD98F2 for ; Tue, 23 Jun 2026 13:14:46 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20449.1782220476572791298 for ; Tue, 23 Jun 2026 06:14:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=lelfz6jg; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-49222fb062bso58794545e9.1 for ; Tue, 23 Jun 2026 06:14:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220475; x=1782825275; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=xdkV6azQymZ3hJHg3AaLd69YJ3BWVqOAMcByxKARz+o=; b=lelfz6jgFZQ8pmfZ4ggY7MWVZH0Dw9fvfKrNrYlRkS8U7cLWySGYfS01KTg/SG6qn6 MgOPF1xbJ2QqlfrtxIzrpCyJSIdXn/vfk+qK7QzTkVe69Pw6M2Lsit/rbIoKcPxrfsJe 7N9+Y9WFPGHkrAkF8iqq5FOu+23oaqjIgcMd0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220475; x=1782825275; h=content-transfer-encoding:mime-version:references:in-reply-to 
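Review bot: In the Lib/tarfile.py hunks at -1370 and -1505 of the CVE-2025-13462 patch, the follow-up header is now read with self._fromtarfile(tarfile, dircheck=False) instead of self.fromtarfile(tarfile), so a TarInfo subclass that overrides the public fromtarfile() or frombuf() is no longer called for the header that follows a long-name record. On a stable branch that is a behaviour change for code outside the CVE's scope; please mention it in the commit message, and consider noting in the _frombuf() docstring that the public classmethods are bypassed on this path. The added test_longname_file_not_directory covers only the AREGTYPE case with a 99-character prefix, which is the right boundary for the 100-byte name field, so no change is needed there.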
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/26] qemu: Fix CVE-2024-6519 Date: Tue, 23 Jun 2026 15:13:53 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239378 From: Deepak Rathore This patch applies the upstream v11.0.0-rc2 backport for CVE-2024-6519. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit link is recorded in the embedded patch header. [1] https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9 [2] https://security-tracker.debian.org/tracker/CVE-2024-6519 Signed-off-by: Deepak Rathore Signed-off-by: Yoann Congal --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2024-6519.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b688c2bd125..ff8877e54b7 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -47,6 +47,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0002-python-backport-avoid-creating-additional-event-loop.patch \ file://CVE-2025-11234-01.patch \ file://CVE-2025-11234-02.patch \ + file://CVE-2024-6519.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch new file mode 100644 index 00000000000..431afbbc60a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-6519.patch 
@@ -0,0 +1,51 @@ +From 86bc714d9d02a23ea6be878febdc327bbfc9ff50 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 27 Mar 2026 17:37:31 +0100 +Subject: [PATCH] lsi53c895a: keep a reference to the device while SCRIPTS + execute + +SCRIPTS execution can trigger PCI device unplug and consequently +a use-after-free after the unplug returns. Avoid this by keeping +the device alive. + +Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090 + +CVE: CVE-2024-6519 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/4862d2c95104d9fd0430cc003c205094f8ada1f9] + +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9) +Signed-off-by: Deepak Rathore +--- + hw/scsi/lsi53c895a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 4d0c5fcd9b7..37dd38d7a87 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1158,6 +1158,7 @@ static void lsi_execute_script(LSIState *s) + s->waiting = LSI_NOWAIT; + } + ++ object_ref(s); + reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; +@@ -1177,6 +1178,7 @@ again: + s->waiting = LSI_WAIT_SCRIPTS; + lsi_scripts_timer_start(s); + reentrancy_level--; ++ object_unref(s); + return; + } + insn = read_dword(s, s->dsp); +@@ -1625,6 +1627,7 @@ again: + trace_lsi_execute_script_stop(); + + reentrancy_level--; ++ object_unref(s); + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) From patchwork Tue Jun 23 13:13:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90736 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2552CDE005 for ; Tue, 23 Jun 2026 13:14:47 
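Review bot: In hw/scsi/lsi53c895a.c of the CVE-2024-6519 patch, object_ref(s) is taken once near the top of lsi_execute_script() and the visible hunks release it on only two exits: the early return after lsi_scripts_timer_start(s) and the end of the function. Because this is a backport from v11.0.0-rc2 onto the older qemu in scarthgap, please confirm that the target tree has no other return between the object_ref() and those two object_unref() calls; an unbalanced path would leak a reference and keep the device alive after unplug. A short statement in the commit message that the exit paths were checked against the scarthgap source would be enough.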
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 13/26] dpkg: Fix CVE-2026-2219
Date: Tue, 23 Jun 2026 15:13:54 +0200
Message-ID: <66055d7f179d0d838c2139d9d2399a968c6f6529.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239379

From: Shubham Pushpkar

This patch applies the upstream fix as referenced in [2], using the commit shown in [1].

[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219

Signed-off-by: Shubham Pushpkar
Signed-off-by: Yoann Congal --- .../dpkg/dpkg/CVE-2026-2219.patch | 47 +++++++++++++++++++ meta/recipes-devtools/dpkg/dpkg_1.22.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch new file mode 100644 index 00000000000..779ab924de6 --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch 
@@ -0,0 +1,47 @@ +From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Sat, 7 Feb 2026 00:57:55 +0100 +Subject: [PATCH] libdpkg: Terminate zstd decompression when we have no more + data + +We should be checking whether the input buffer is zero-sized, and then +mark the stream as finished. Otherwise the zstd implementation does not +detect that as an end of stream situation and we get stuck in an +infinite loop spinning the CPU. This means the decompression process +in dpkg-deb does not terminate, so no EPIPE gets generated and the +other processes that are part of the unpacking do not stop either. + +Reported-by: Yashashree Gund +Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a +Fixes: CVE-2026-2219 +Closes: #1129722 +Stable-Candidate: 1.21.x 1.22.x + +CVE: CVE-2026-2219 +Upstream-Status: Backport [https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313] + +(cherry picked from commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313) +Signed-off-by: Shubham Pushpkar +--- + lib/dpkg/compress.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c +index adf26ea7..bf73affe 100644 +--- a/lib/dpkg/compress.c ++++ b/lib/dpkg/compress.c +@@ -1070,6 +1070,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s) + ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 }; + size_t ret; + ++ if (buf_in.size == 0) { ++ s->status = DPKG_STREAM_END; ++ return; ++ } ++ + ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in); + if (ZSTD_isError(ret)) + filter_zstd_error(io, ret); +-- +2.35.6 + diff --git a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb index 41f51235085..16162ca926f 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb 
@@ -15,6 +15,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main file://pager.patch \ file://0001-Add-support-for-riscv32-CPU.patch \ file://CVE-2025-6297.patch \ + file://CVE-2026-2219.patch \ " SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch" From patchwork Tue Jun 23 13:13:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90728 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04346CDB479 for ; Tue, 23 Jun 2026 13:14:47 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20451.1782220478318593655 for ; Tue, 23 Jun 2026 06:14:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=nmTe05nR; spf=pass (domain: smile.fr, ip: 209.85.128.47, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-49222fb062bso58794905e9.1 for ; Tue, 23 Jun 2026 06:14:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220476; x=1782825276; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=SDlW9px/ITHJH1bEiwBWyNBF+qICPHtYFcNZ7pZgGyQ=; b=nmTe05nRHINjTQMBXGYvOM8jxGod4hrSCUopuMi4P6GHmLZUN96BGyPjAHZPfwI/+s 5/GGUMdf9ukR3OCd0dYg0YMZoqEza0kS+ukLu+g46OgZz+0CPKD/+Kfm9hSdu13mpQN5 3guOJL+tv2uG78HDXFT+/3vt7OLz6D5q7B6pU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220476; x=1782825276; 
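Review bot: In the lib/dpkg/compress.c hunk of the CVE-2026-2219 patch, the new early return in filter_unzstd_code() sets s->status = DPKG_STREAM_END whenever buf_in.size is 0, before ZSTD_decompressStream() is consulted, so an input that runs out in the middle of a frame is reported the same way as a complete stream. That stops the infinite loop described in the commit message, but please confirm that the caller still reports a truncated archive as an error, or say in the commit message that truncation is detected elsewhere. A one-line comment above the check explaining why empty input is treated as end of stream would also help the next reader.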
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/26] libsolv: fix CVE-2026-9150 Date: Tue, 23 Jun 2026 15:13:55 +0200 Message-ID: <42214e12ad205e1da59cb839849e8bfb5c300de5.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239380 From: Adarsh Jagadish Kamini Backport patch to fix CVE-2026-9150. https://nvd.nist.gov/vuln/detail/CVE-2026-9150 Upstream fix: https://github.com/openSUSE/libsolv/pull/616 Signed-off-by: Adarsh Jagadish Kamini Signed-off-by: Yoann Congal --- .../libsolv/libsolv/CVE-2026-9150.patch | 68 +++++++++++++++++++ .../libsolv/libsolv_0.7.28.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch diff --git a/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch new file mode 100644 index 00000000000..4903edb5998 --- /dev/null +++ b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch 
@@ -0,0 +1,68 @@ +From bea261fd0924ecd5c7e5579f460133ec023c6def Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Wed, 22 Apr 2026 09:18:29 +0200 +Subject: [PATCH] Fix a buffer overflow when copying SHA-384/512 checksum from + a Debian repository + +When parsing Debian repository, control2solvable() copies a package +checksum string from the repository into a stack-allocated "char +checksum[32 * 2 + 1]" array. + +If the repository defined a SHA384 or SHA512 tag, a buffer overflow +occured (as can be seen when compiling libsolv with CFLAGS='-O0 -g +-fsanitize=address') because those tag values are longer: + + $ cat /tmp/Packages + Package: p + Version: 1 + Architecture: all + SHA512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + + $ /tmp/b/tools/deb2solv -r /tmp/Packages + ================================================================= + ==3695==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7b685ecf0071 at pc 0x7f6861683722 b + p 0x7fff37e3e7a0 sp 0x7fff37e3df60 + WRITE of size 129 at 0x7b685ecf0071 thread T0 + #0 0x7f6861683721 in strcpy.part.0 (/lib64/libasan.so.8+0x83721) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c) + #1 0x7f6861d7f34d in control2solvable /home/test/libsolv/ext/repo_deb.c:491 + #2 0x7f6861d804ea in repo_add_debpackages /home/test/libsolv/ext/repo_deb.c:622 + #3 0x000000400fd5 in main /home/test/libsolv/tools/deb2solv.c:134 + #4 0x7f686123c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #5 0x7f686123c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #6 0x000000400694 in _start (/tmp/b/tools/deb2solv+0x400694) (BuildId: a3350337819a51edd0c75293970d3458b5033bc9) + + Address 0x7b685ecf0071 is located in stack of thread T0 at offset 113 in frame + #0 0x7f6861d7de2a in control2solvable 
/home/test/libsolv/ext/repo_deb.c:365 + + This frame has 1 object(s): + [48, 113) 'checksum' (line 371) <== Memory access at offset 113 overflows this variable + +This patch fixes it by enlarging the buffer to accomodate the longest +supported digest string. + +This flaw was introduced with c8164bfecf2ba8bcf4c24329534d3104f19da73c +commit ("[ABI BREAKAGE] add support for SHA224/384/512"). + +Reported by Aisle Research. + +CVE: CVE-2026-9150 +Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d] + +Signed-off-by: Adarsh Jagadish Kamini +--- + ext/repo_deb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/repo_deb.c b/ext/repo_deb.c +index d400f959..25eaf8cb 100644 +--- a/ext/repo_deb.c ++++ b/ext/repo_deb.c +@@ -368,7 +368,7 @@ control2solvable(Solvable *s, Repodata *data, char *control) + char *p, *q, *end, *tag; + int x, l; + int havesource = 0; +- char checksum[32 * 2 + 1]; ++ char checksum[64 * 2 + 1]; + Id checksumtype = 0; + Id newtype; + diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb index 201059323aa..63534dce260 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb 
@@ -10,6 +10,7 @@ DEPENDS = "expat zlib zstd" SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \ + file://CVE-2026-9150.patch \ " SRCREV = "c8dbb3a77c86600ce09d4f80a504cf4e78a3c359" From patchwork Tue Jun 23 13:13:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90733 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 756FFCDE002 for ; Tue, 23 Jun 2026 13:14:47 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20452.1782220478937373428 for ; Tue, 23 Jun 2026 06:14:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=xZDbtygI; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-49241a577d8so29160165e9.3 for ; Tue, 23 Jun 2026 06:14:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220477; x=1782825277; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=c5JGxmSM7GHnAgKiYWOOIKowHux69fx9+s0sP1H2H2Q=; b=xZDbtygINpqekoOxfX+mkGCb1asIzvCU6c+PRDpirWkUY/lBbOPdwT4xYMoSwQOMQz TKvetd891zZCuMilrW7/PU/5+yme0v/pFXFJlFdJzebcrjlJCANLIDJbZCttVscOeXkZ p7pPXGM7spxERK84uwdSd9urMUqMyp7eIAVfM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220477; x=1782825277; h=content-transfer-encoding:mime-version:references:in-reply-to 
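Review bot: In the ext/repo_deb.c hunk of the CVE-2026-9150 patch, the only change is the size of the stack buffer, char checksum[64 * 2 + 1], while the strcpy() shown at repo_deb.c:491 in the quoted AddressSanitizer trace is left as it is. The buffer now fits a SHA-512 hex string, but a repository that supplies a longer value for the tag would still write past it unless the length is validated before the copy. Please confirm that control2solvable() rejects values whose length does not match the digest type, or bound the copy with sizeof(checksum). The cover text also cites pull request 616 while Upstream-Status cites commit c5b5db52aebde00bdeacecf4d0569c217ab3187d; stating that these are the same change would make the provenance easier to audit.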
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/26] openssl: upgrade 3.5.6 -> 3.5.7
Date: Tue, 23 Jun 2026 15:13:56 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239381
From: Peter Marko

Release information [1]:

OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

* Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
* Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
* Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
* Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
* Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
* Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
* Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
* Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
* Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
* Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)
* Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
* Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
* Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
* Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
* Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

Refreshed patches.
Installed new test files to pass ptests.

[1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-356-and-openssl-357-9-jun-2026

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
(From OE-Core rev: 9365ac47f994a7d6be92b8c011c51ecf48e8ef87)
Signed-off-by: Peter Marko
Signed-off-by: Yoann Congal --- .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch | 2 +- .../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index cf5ff356ee7..cd8906df675 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure index fff97bd..5ee54c1 100755 --- a/Configure +++ b/Configure -@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) +@@ -1557,16 +1557,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb index 3bf78eff5c2..0b8e8afec81 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736" +SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 
@@ -215,7 +215,7 @@ do_install_ptest() { ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps cd ${S} - find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; + find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs test/smime-eml -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \; find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
From patchwork Tue Jun 23 13:13:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90732
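Review bot: the SRC_URI[sha256sum] replacement in the openssl_3.5.7.bb hunk of the openssl upgrade is the only value pinning the new tarball, and neither the hunk nor the commit message says where the digest was taken from; naming its source in the commit message (for example the checksum file published beside the release tarball) would let a reviewer confirm it independently of the submitter. In the do_install_ptest() hunk, test/smime-eml is appended to a hand-maintained directory list on the find line, so the next directory upstream adds under test/ will again show up only as a ptest failure; a one-line comment above the find saying the list must track upstream's test/ layout would document that.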
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/26] libinput: fix for CVE-2026-50292
Date: Tue, 23 Jun 2026 15:13:57 +0200
Message-ID: <19fc681a3fca99801e2e50d6a9c6c921c66a2ce9.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239382

From: Hitendra Prajapati

Pick patch from [1] & [2] also mentioned at Debian report in [3].

[1] https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc
[2] https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b
[3] https://security-tracker.debian.org/tracker/CVE-2026-50292

More details:
1. https://nvd.nist.gov/vuln/detail/CVE-2026-50292
2. https://www.openwall.com/lists/oss-security/2026/06/04/5

Signed-off-by: Hitendra Prajapati
Signed-off-by: Yoann Congal
--- .../wayland/libinput/CVE-2026-50292-01.patch | 109 ++++++++++++++++++ .../wayland/libinput/CVE-2026-50292-02.patch | 99 ++++++++++++++++ .../wayland/libinput_1.25.0.bb | 2 + 3 files changed, 210 insertions(+) create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch new file mode 100644 index 00000000000..35b2734d7a5 --- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-01.patch 
@@ -0,0 +1,109 @@ +From fc2262e1c1847021239065e84f39f15492ef05cc Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 1 Jun 2026 10:12:29 +1000 +Subject: [PATCH] util: sanitize control characters in str_sanitize() + +str_sanitize() only escaped '%' characters for format string safety. +Device names from uinput devices can contain arbitrary bytes including +ANSI escape sequences (ESC, 0x1b) and other control characters. When +these strings are included in log messages and printed to a terminal, +the escape sequences are interpreted by the terminal emulator. This +could allow an attacker to manipulate terminal output (change colors, +set window title, clear screen) when an administrator views libinput +logs. + +Replace all control characters (0x00-0x1f and 0x7f) with '?' in +addition to the existing '%' escaping. This prevents terminal escape +sequence injection through device names in log output. + +Assisted-by: Claude:claude-opus-4-6 +(cherry picked from commit 71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb) + +Part-of: + +CVE: CVE-2026-50292 +Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc] +Signed-off-by: Hitendra Prajapati +--- + src/util-strings.h | 30 +++++++++++++++++++++++------- + test/test-utils.c | 10 ++++++++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/src/util-strings.h b/src/util-strings.h +index b0916815..3429ec9c 100644 +--- a/src/util-strings.h ++++ b/src/util-strings.h +@@ -456,26 +456,42 @@ trunkname(const char *filename); + + /** + * Return a copy of str with all % converted to %% to make the string +- * acceptable as printf format. ++ * acceptable as printf format, and all non-NUL control characters ++ * (bytes 0x01-0x1f, 0x7f) replaced with '?' to prevent terminal ++ * escape sequence injection. NUL bytes are excluded implicitly ++ * because the string is null-terminated. 
+ */ + static inline char * + str_sanitize(const char *str) + { + if (!str) + return NULL; ++ size_t slen = strlen(str); ++ slen = min(slen, 512); + +- if (!strchr(str, '%')) ++ bool needs_sanitization = false; ++ for (size_t i = 0; i < slen; i++) { ++ unsigned char c = str[i]; ++ if (c == '%' || c < 0x20 || c == 0x7f) { ++ needs_sanitization = true; ++ break; ++ } ++ } ++ if (!needs_sanitization) + return strdup(str); +- +- size_t slen = min(strlen(str), 512); + char *sanitized = zalloc(2 * slen + 1); + const char *src = str; + char *dst = sanitized; +- + for (size_t i = 0; i < slen; i++) { +- if (*src == '%') ++ unsigned char c = *src++; ++ if (c == '%') { + *dst++ = '%'; +- *dst++ = *src++; ++ *dst++ = '%'; ++ } else if (c < 0x20 || c == 0x7f) { ++ *dst++ = '?'; ++ } else { ++ *dst++ = c; ++ } + } + *dst = '\0'; + +diff --git a/test/test-utils.c b/test/test-utils.c +index fa307031..88aede23 100644 +--- a/test/test-utils.c ++++ b/test/test-utils.c +@@ -1388,6 +1388,16 @@ START_TEST(strsanitize_test) + { "x %", "x %%" }, + { "%sx", "%%sx" }, + { "%s%s", "%%s%%s" }, ++ { "\t", "?" }, ++ { "\n", "?" }, ++ { "\r", "?" }, ++ { "\x1b[31m", "?[31m" }, ++ { "foo\tbar", "foo?bar" }, ++ { "foo\nbar", "foo?bar" }, ++ { "\x01\x1f\x7f", "???" }, ++ { "clean", "clean" }, ++ { "a\x1b[0mb", "a?[0mb" }, ++ { "%\n", "%%?" }, + { NULL, NULL }, + }; + +-- +2.50.1 + diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch new file mode 100644 index 00000000000..f78c9f90663 --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292-02.patch 
@@ -0,0 +1,99 @@ +From b2bde9504d42a5976d76e1f27c640dc561fbd99b Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 1 Jun 2026 10:48:24 +1000 +Subject: [PATCH] libinput-device-group: sanitize phys before printing it + +Bug: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-50292 + +A malicious uinput device could set the phys value (via UI_SET_PHYS) +to contain a '\n'. When the value is printed as part of the device group +the udev rules will interpret it as separate property. + +Depending on the property this can cause local privilege escalation. + +Closes #1296 + +Found-by: Csome +(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55) + +Part-of: + +CVE: CVE-2026-50292 +Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b] +Signed-off-by: Hitendra Prajapati +--- + udev/libinput-device-group.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c +index 3da904e0..d0522685 100644 +--- a/udev/libinput-device-group.c ++++ b/udev/libinput-device-group.c +@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device, + + udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) { + struct udev_device *d; +- const char *path, *phys; ++ char *phys = NULL; ++ const char *path; + const char *pidstr, *vidstr; + int pid, vid, dist; + +@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device, + + vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID"); + pidstr = udev_device_get_property_value(d, "ID_MODEL_ID"); +- phys = udev_device_get_sysattr_value(d, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")); + + if (vidstr && pidstr && phys && + safe_atoi_base(vidstr, &vid, 16) && +@@ -138,11 +139,13 @@ wacom_handle_ekr(struct udev_device *device, + best_dist 
= dist; + + free(*phys_attr); +- *phys_attr = safe_strdup(phys); ++ *phys_attr = phys; ++ phys = NULL; + } + } + + udev_device_unref(d); ++ free(phys); + } + + udev_enumerate_unref(e); +@@ -154,8 +157,8 @@ int main(int argc, char **argv) + int rc = 1; + struct udev *udev = NULL; + struct udev_device *device = NULL; +- const char *syspath, +- *phys = NULL; ++ char *phys = NULL; ++ const char *syspath = NULL; + const char *product; + int bustype, vendor_id, product_id, version; + char group[1024]; +@@ -179,8 +182,7 @@ int main(int argc, char **argv) + * bit and use the remainder as device group identifier */ + while (device != NULL) { + struct udev_device *parent; +- +- phys = udev_device_get_sysattr_value(device, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys")); + if (phys) + break; + +@@ -249,6 +251,8 @@ int main(int argc, char **argv) + + printf("LIBINPUT_DEVICE_GROUP=%s\n", group); + ++ free(phys); ++ + rc = 0; + out: + if (device) +-- +2.50.1 + diff --git a/meta/recipes-graphics/wayland/libinput_1.25.0.bb b/meta/recipes-graphics/wayland/libinput_1.25.0.bb index 894858e3617..1a33d16f3a6 100644 --- a/meta/recipes-graphics/wayland/libinput_1.25.0.bb +++ b/meta/recipes-graphics/wayland/libinput_1.25.0.bb 
@@ -14,6 +14,8 @@ DEPENDS = "libevdev udev mtdev" SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=main \ file://run-ptest \ + file://CVE-2026-50292-01.patch \ + file://CVE-2026-50292-02.patch \ " SRCREV = "3fd38d89276b679ac3565efd7c2150fd047902cb" S = "${WORKDIR}/git"
From patchwork Tue Jun 23 13:13:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90735
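Review bot: in the str_sanitize() hunk of CVE-2026-50292-01.patch, the scan loop runs over slen after it has been capped with min(slen, 512), but the fast path then returns strdup(str), which copies the whole input. For a string longer than 512 bytes whose first 512 bytes are clean, any '%' or control byte past that point comes back unsanitized, and for '%' that is a regression from the removed strchr(str, '%') check, which looked at the full string. Either scan the full strlen(str) or return strndup(str, slen) on the fast path so that both paths honour the same bound, and add a strsanitize_test entry with a control byte beyond offset 512 to pin the behaviour.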
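Review bot: in the main() hunks of CVE-2026-50292-02.patch, the new free(phys) sits just before "rc = 0;", above the out: label, so any path that jumps to out after phys has been assigned skips it; moving the call below out: covers those paths as well, since phys is initialised to NULL. Separately, str_sanitize() is documented in the first patch as also converting '%' to '%%' for use as a printf format, while here the value goes into the device group that is emitted through printf("LIBINPUT_DEVICE_GROUP=%s\n", group), so a phys containing '%' now changes the group string; the commit message should say whether that is intended or whether the udev path wants a helper that only replaces control characters.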
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 17/26] gdb: backport a patch to fix static_assert in recent GCC
Date: Tue, 23 Jun 2026 15:13:58 +0200
Message-ID: <92a57b28a4e8e4fe917e4aa3d58079257ee9a41f.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239383

From: Yoann Congal

On Ubuntu 26.04, gcc 15.2 defaults to --std=gnu23 in which static_assert is a keyword, and not a macro to define like with older GCC.

This makes MIPS64 code in gdb fail to compile with:
| In file included from ../../gdb-14.2/opcodes/mips16-opc.c:25:
| ../../gdb-14.2/opcodes/mips16-opc.c: In function ‘decode_mips16_operand’:
| ../../gdb-14.2/opcodes/mips-formats.h:86:7: error: expected identifier or ‘(’ before ‘static_assert’
| 86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| | ^~~~~~~~~~~~~
| ../../gdb-14.2/opcodes/mips16-opc.c:52:15: note: in expansion of macro ‘MAPPED_REG’
| 52 | case '.': MAPPED_REG (0, 0, GP, reg_0_map);
| | ^~~~~~~~~~

Signed-off-by: Yoann Congal
--- meta/recipes-devtools/gdb/gdb.inc | 1 + ...gnu23-compatibility-wrt-static_asser.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 81ac441462a..d806a66ac43 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -13,5 +13,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0006-resolve-restrict-keyword-conflict.patch \ file://0007-Fix-invalid-sigprocmask-call.patch \ file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ + file://0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch \ " SRC_URI[sha256sum] = "2d4dd8061d8ded12b6c63f55e45344881e8226105f4d2a9b234040efa5ce7772" diff --git a/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch new file mode 100644 index 00000000000..d0d4aa5bd20 --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0001-opcodes-fix-std-gnu23-compatibility-wrt-static_asser.patch 
@@ -0,0 +1,75 @@ +From 2b8d72efbe1af100ea4dad4c976b2d3a1fbad676 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Sat, 16 Nov 2024 05:03:52 +0000 +Subject: [PATCH] opcodes: fix -std=gnu23 compatibility wrt static_assert + + +static_assert is declared in C23 so we can't reuse that identifier: +* Define our own static_assert conditionally; + +* Rename "static assert" hacks to _N as we do already in some places + to avoid a conflict. + +ChangeLog: + PR ld/32372 + + * i386-gen.c (static_assert): Define conditionally. + * mips-formats.h (MAPPED_INT): Rename identifier. + (MAPPED_REG): Rename identifier. + (OPTIONAL_MAPPED_REG): Rename identifier. + * s390-opc.c (static_assert): Define conditionally. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8ebe62f3f0d27806b1bf69f301f5e188b4acd2b4] +Backport: +* No static_assert to patch in this version of s390-opc.c. +Signed-off-by: Yoann Congal +--- + opcodes/i386-gen.c | 2 ++ + opcodes/mips-formats.h | 6 +++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/opcodes/i386-gen.c b/opcodes/i386-gen.c +index cfc5a7a6172..d5901b9667d 100644 +--- a/opcodes/i386-gen.c ++++ b/opcodes/i386-gen.c +@@ -30,7 +30,9 @@ + + /* Build-time checks are preferrable over runtime ones. Use this construct + in preference where possible. 
*/ ++#ifndef static_assert + #define static_assert(e) ((void)sizeof (struct { int _:1 - 2 * !(e); })) ++#endif + + static const char *program_name = NULL; + static int debug = 0; +diff --git a/opcodes/mips-formats.h b/opcodes/mips-formats.h +index ac73f060a3e..790e23f1783 100644 +--- a/opcodes/mips-formats.h ++++ b/opcodes/mips-formats.h +@@ -49,7 +49,7 @@ + #define MAPPED_INT(SIZE, LSB, MAP, PRINT_HEX) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_3[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_mapped_int_operand op = { \ + { OP_MAPPED_INT, SIZE, LSB }, MAP, PRINT_HEX \ + }; \ +@@ -83,7 +83,7 @@ + #define MAPPED_REG(SIZE, LSB, BANK, MAP) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_4[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_reg_operand op = { \ + { OP_REG, SIZE, LSB }, OP_REG_##BANK, MAP \ + }; \ +@@ -93,7 +93,7 @@ + #define OPTIONAL_MAPPED_REG(SIZE, LSB, BANK, MAP) \ + { \ + typedef char ATTRIBUTE_UNUSED \ +- static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ ++ static_assert_5[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \ + static const struct mips_reg_operand op = { \ + { OP_OPTIONAL_REG, SIZE, LSB }, OP_REG_##BANK, MAP \ + }; \
From patchwork Tue Jun 23 13:13:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90729
From: Yoann Congal
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 18/26] oeqa/core/runner: stub addDuration in OETestResult
Date: Tue, 23 Jun 2026 15:13:59 +0200
Message-ID: <9105e2bbf3245bfa02d2f4c55a010a7d2c3da6c2.1782220259.git.yoann.congal@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239384

From: Ross Burton

We have a custom TestResult implementation, and Python 3.12 added a new method addDuration() to the TestResult interface.

This would be useful to implement correctly, but for now stub it out to silence the warning when running under Python 3.12:

/usr/lib64/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method
warnings.warn("TestResult has no addDuration method",

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 2d6fff81b34476b890f6943997615fbf8d3d133f)
Signed-off-by: Yoann Congal --- meta/lib/oeqa/core/runner.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/lib/oeqa/core/runner.py b/meta/lib/oeqa/core/runner.py index b683d9b80a7..0d2bc3a3ed0 100644 --- a/meta/lib/oeqa/core/runner.py +++ b/meta/lib/oeqa/core/runner.py 
@@ -78,6 +78,10 @@ class OETestResult(_TestResult): self.shownmsg.append(test.id()) break + # Python 3.12 added this, stub it out for now + def addDuration(self, test, elapsed): + pass + def logSummary(self, component, context_msg=''): elapsed_time = self.tc._run_end_time - self.tc._run_start_time self.tc.logger.info("SUMMARY:")
From patchwork Tue Jun 23 13:14:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90726
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 19/26] classes/gtk-icon-cache: fix libdir passed to the postrm intercept Date: Tue, 23 Jun 2026 15:14:00 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239385 From: Ross Burton Back in 2015[1] I fixed the libdir passed to the postinst intercept, but I forgot to also update the postrm intercept. This should also be libdir_native, not libdir. [ YOCTO #13896 ] [1] oe-core 0fe8400717 ("gtk-icon-cache: pass the native libdir to the intercept") Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 92dd67114be325e019c149bddaf5f874f6917094) Signed-off-by: Yoann Congal --- meta/classes-recipe/gtk-icon-cache.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/gtk-icon-cache.bbclass b/meta/classes-recipe/gtk-icon-cache.bbclass index 9ecb49916c2..2ff10c21181 100644 --- a/meta/classes-recipe/gtk-icon-cache.bbclass +++ b/meta/classes-recipe/gtk-icon-cache.bbclass 
@@ -46,7 +46,7 @@ gtk_icon_cache_postrm() { if [ "x$D" != "x" ]; then $INTERCEPT_DIR/postinst_intercept update_gtk_icon_cache ${PKG} \ mlprefix=${MLPREFIX} \ - libdir=${libdir} + libdir_native=${libdir_native} else for icondir in /usr/share/icons/* ; do if [ -d $icondir ] ; then From patchwork Tue Jun 23 13:14:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90730 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E5D3CDB480 for ; Tue, 23 Jun 2026 13:14:47 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20839.1782220482650604179 for ; Tue, 23 Jun 2026 06:14:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=fauaj724; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-490b1bbcf3aso36864495e9.1 for ; Tue, 23 Jun 2026 06:14:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220481; x=1782825281; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=y/XdRCiD9YdIdvd5aoaNtBrMyOSMJjU6xvlaofT5HDs=; b=fauaj724bbSsw1XO0dcWYRd6rYJDzBVvS679mKNgyJnPoiTGrX4Fu29VCX863zdnfi /7HBmR+/56Nu/Y81M0BHQ89YwLa79eB0TxBmQ/JZLWg4J7gUq1Ujvjfkp6YaFbMekdtj +t+2XixHxddgNBRZEYeCPnQ8483mqR0bmyxKs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220481; x=1782825281; h=content-transfer-encoding:mime-version:references:in-reply-to 
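Review bot: in gtk_icon_cache_postrm the argument name changes along with its value (libdir= becomes libdir_native=), so the update_gtk_icon_cache intercept has to read libdir_native and must no longer expect libdir from this caller. The intercept script is not part of this hunk; confirm on the scarthgap branch that it consumes libdir_native, otherwise the postrm path passes a variable the script ignores.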
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 20/26] python3: CVE-2026-3087 not applicable Date: Tue, 23 Jun 2026 15:14:01 +0200 Message-ID: <96efecfbb2d1eaa24e1c96fbd6593a7087464844.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239386 From: Adarsh Jagadish Kamini CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087 The CVE is only applicable to Windows OS Signed-off-by: Adarsh Jagadish Kamini Signed-off-by: Yoann Congal --- meta/recipes-devtools/python/python3_3.12.13.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index 3e28a3942bd..bf0e1702d54 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb 
@@ -63,6 +63,7 @@ CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Win # The module will be removed in the future and flaws documented. CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way" CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour" +CVE_STATUS[CVE-2026-3087] = "not-applicable-platform: Issue only applies on Windows" PYTHON_MAJMIN = "3.12" From patchwork Tue Jun 23 13:14:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90727 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB712CDB47C for ; Tue, 23 Jun 2026 13:14:46 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20840.1782220483515625816 for ; Tue, 23 Jun 2026 06:14:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Us5H0kcP; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-490a76757e5so35504595e9.2 for ; Tue, 23 Jun 2026 06:14:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220482; x=1782825282; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bW0wf28jLOy+Ca9B6aGkD6Rs4nTYm923FLflNVQsWhE=; b=Us5H0kcPbd4KNdI4R4QS6DKvuZaaMnOQXGJgnxPaEL+nKYz82InIlHOuM1Yj41OUiW QMkdvJhxtsCUHnkivWf2TAv88LWD3LXbBD3j9NIc2YkyU72mu3GuCoKEKKE40aOdK2qo 
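Review bot: the new CVE_STATUS[CVE-2026-3087] line is appended after the CVE-2023-36632 "disputed" entry, while the existing Windows-only entry CVE-2022-26488 sits a few lines up with the same "not-applicable-platform" reason. Placing the new line next to CVE-2022-26488 would keep the platform exclusions together and make them easier to audit.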
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 21/26] bzip2: set CVE_PRODUCT Date: Tue, 23 Jun 2026 15:14:02 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239387 From: Jonas Munsin Add CVE_PRODUCT to bzip2 Signed-off-by: Jonas Munsin Signed-off-by: Maxin John Signed-off-by: Richard Purdie (cherry picked from commit bc889ea799cc82f7fa018baabca0b821c1209897) Signed-off-by: Himanshu Jadon Signed-off-by: Yoann Congal --- meta/recipes-extended/bzip2/bzip2_1.0.8.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb index 4e3a06f2408..f9224908685 100644 --- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb +++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb 
@@ -66,5 +66,7 @@ FILES:libbz2 = "${libdir}/lib*${SOLIBS}" RDEPENDS:${PN}-ptest += "make bash" +CVE_PRODUCT = "bzip:bzip2" + PROVIDES:append:class-native = " bzip2-replacement-native" BBCLASSEXTEND = "native nativesdk" From patchwork Tue Jun 23 13:14:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90724 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D09CBCDB46F for ; Tue, 23 Jun 2026 13:14:46 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20841.1782220484227881661 for ; Tue, 23 Jun 2026 06:14:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=GMmRZlPA; spf=pass (domain: smile.fr, ip: 209.85.128.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-490b7866869so55594735e9.2 for ; Tue, 23 Jun 2026 06:14:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220482; x=1782825282; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=p0M1v6M9AN7y0F8rum/iWIFJ8EiM9u40kMzPowt9N4k=; b=GMmRZlPA+2is0+f8cwNjLmkTthPi4g5isy2a627suYcmumwOYwKQ0kWDwcTmPZ/g42 MOqRc6QHuZh0W82QTqWMqDu3PpVhXjCVYgR0z6vwThmph/T5WBOYl7js2kncVPeIJR97 nFWgrItCPTxgmXCDxZlPwwI7pw0m2JuXgpGRQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220482; x=1782825282; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to 
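Review bot: CVE_PRODUCT = "bzip:bzip2" is added with no comment, and the commit message only says "Add CVE_PRODUCT to bzip2". A one-line comment stating that this is the vendor:product pair used for the CVE lookup, and why the vendor qualifier is needed, would let a later reader judge whether the match is still right.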
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 22/26] apr-util: Add CVE_PRODUCT to support product name Date: Tue, 23 Jun 2026 15:14:03 +0200 Message-ID: <3a157840148e14ec9019a008ab94e7f708baac05.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239388 From: Himanshu Jadon apr-util is tracked in NVD under apache:apr-util, while a smaller set of newer CVEs also appears under apache:portable_runtime_utility. Set CVE_PRODUCT accordingly so cve-check can cover both the historical and current NVD product identities used for APR-util. Signed-off-by: Himanshu Jadon Signed-off-by: Mathieu Dubois-Briand (cherry picked from commit 927b505c982ed7443aed348ca54b0073ac63d938) Signed-off-by: Himanshu Jadon Signed-off-by: Yoann Congal --- meta/recipes-support/apr/apr-util_1.6.3.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/apr/apr-util_1.6.3.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb index 1371e262ddb..3a5f52d2501 100644 --- a/meta/recipes-support/apr/apr-util_1.6.3.bb +++ b/meta/recipes-support/apr/apr-util_1.6.3.bb 
@@ -95,3 +95,6 @@ do_install_ptest() { cp -r ${B}/test/$i $t; \ done } + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "apache:apr-util apache:portable_runtime_utility" From patchwork Tue Jun 23 13:14:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90731 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5504FCDE003 for ; Tue, 23 Jun 2026 13:14:47 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20457.1782220484893417670 for ; Tue, 23 Jun 2026 06:14:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=gcGFxTts; spf=pass (domain: smile.fr, ip: 209.85.128.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-490a76757e5so35504735e9.2 for ; Tue, 23 Jun 2026 06:14:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220483; x=1782825283; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=IGleD6hhpZ+IyQpm/s4yTdo4tp1DsJfwgTMKkfLK6fw=; b=gcGFxTtsvDWYoF1amEIqGYu1e5jwDTo8TNIUBJyePrpmqhL49rdgqelK/c/VMac84k 28M6adxdjZLn0t/Yzb58awxivoMRbh5X4j9A/npy8ToICi7PP24aVeDJ8pZmMBVRTwmY +eOGvdfzQ5XFiqyHIXQAF4Fo4olXjViVow6Fg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220483; x=1782825283; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; 
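Review bot: the added comment says CVE_PRODUCT matches "the NVD CPE product name" (singular), but the value lists two, apache:apr-util and apache:portable_runtime_utility. Say in the comment that both the historical and the current name are listed, as the commit message explains, so that nobody later trims one of them as a duplicate.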
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 23/26] apr: Add CVE_PRODUCT to support product name Date: Tue, 23 Jun 2026 15:14:04 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239389 From: Himanshu Jadon apr is tracked in NVD under apache:portable_runtime rather than the recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the correct NVD product identity for APR. No additional alias was found to be necessary for this recipe. Signed-off-by: Himanshu Jadon Signed-off-by: Mathieu Dubois-Briand (cherry picked from commit bc3803e12d4938e2de514c39bd5d0f011f883ace) Signed-off-by: Himanshu Jadon Signed-off-by: Yoann Congal --- meta/recipes-support/apr/apr_1.7.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-support/apr/apr_1.7.5.bb b/meta/recipes-support/apr/apr_1.7.5.bb index 78796476e22..7a3445aa201 100644 --- a/meta/recipes-support/apr/apr_1.7.5.bb +++ b/meta/recipes-support/apr/apr_1.7.5.bb 
@@ -136,3 +136,6 @@ do_install_ptest() { } export CONFIG_SHELL="/bin/bash" + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "apache:portable_runtime" From patchwork Tue Jun 23 13:14:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90738 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04531CDE006 for ; Tue, 23 Jun 2026 13:14:48 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20459.1782220486869729017 for ; Tue, 23 Jun 2026 06:14:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Cs8nJcfs; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-490c0c92cffso38930025e9.2 for ; Tue, 23 Jun 2026 06:14:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220485; x=1782825285; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=64hfPaR3ZCGTt0j3dgFtHIXQWCvzcBg66HuUDhzXeqk=; b=Cs8nJcfse1PM+Mxsj3pcauHwbIseMAKmfky1G34DliRkQLfzU7aXQqpDFSFhaB6CzC 9STazK6Hs54mafsUjKm93FPBhr4D80WS3ogVegQ4YTMDbe9gS9tVBSuc8p4+oLKPlf/P qzHhkbpfBHHaNPHewtkFXE8yEUy5zBdKkxHHw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220485; x=1782825285; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; 
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 24/26] go-binary-native: set status for CVE-2026-39836 Date: Tue, 23 Jun 2026 15:14:05 +0200 Message-ID: <8aab8b31425b3820ef65fc40061b9377c574607b.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239391 From: Sudhir Dumbhare This issue affects Windows only. The net.Dial and net.LookupPort functions can panic when given input containing a NUL byte. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-39836 https://security-tracker.debian.org/tracker/CVE-2026-39836 Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- meta/recipes-devtools/go/go-binary-native_1.22.12.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb index 7688a090f40..dd84021cc9e 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb 
@@ -19,6 +19,7 @@ UPSTREAM_CHECK_REGEX = "go(?P\d+(\.\d+)+)\.linux" CVE_PRODUCT = "golang:go" CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows" S = "${WORKDIR}/go" From patchwork Tue Jun 23 13:14:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90737 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD827CDE007 for ; Tue, 23 Jun 2026 13:14:47 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20458.1782220486740769692 for ; Tue, 23 Jun 2026 06:14:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=3q9zeNKP; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-4908b92904fso80113905e9.0 for ; Tue, 23 Jun 2026 06:14:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220485; x=1782825285; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=XX/kHUxfa+LCnYOehDouzHV9/zTtokhkAeJ8FtJb7XU=; b=3q9zeNKPhoevKNBL6ePfNxxArloRmcm6mDDbk0bW1I9dAG9W0nraEzWG78RvOL10hq 4J7UynPnmI1n0kfkcvW1bA83i7f+jID8xymLQAq60JxVLdvxZ/99CI77unwrvqq5mjo/ Dzm+jpkHUn+rj7dmsMAwEy1iDg7DIoOeR4l/U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220485; 
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 25/26] go: set status for CVE-2026-39836 Date: Tue, 23 Jun 2026 15:14:06 +0200 Message-ID: <324359dcb7cbeb15ef51f5cc18924f590c81b1de.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239390 From: Sudhir Dumbhare This issue affects Windows only. The net.Dial and net.LookupPort functions can panic when given input containing a NUL byte. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-39836 https://security-tracker.debian.org/tracker/CVE-2026-39836 Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index f85104d6f15..c825ebd25a3 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc 
@@ -65,3 +65,4 @@ SRC_URI += "\ SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" CVE_STATUS[CVE-2025-0913] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2026-39836] = "not-applicable-platform: Issue only applies on Windows" From patchwork Tue Jun 23 13:14:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 90734 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A45BCDE008 for ; Tue, 23 Jun 2026 13:14:48 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20843.1782220487409542042 for ; Tue, 23 Jun 2026 06:14:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=HGzT+7jw; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-490b8ac62baso9846185e9.0 for ; Tue, 23 Jun 2026 06:14:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782220486; x=1782825286; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7WPRV6tNRd22hIPzNE58QF8SoiX9yip6gF0cBKnZ4jU=; b=HGzT+7jwoPtk6YwfczfX4cBqiX+z5gdpfM3DGi33B6s44izzB5Z3lSkx9yVEvga+VR zjgSdwLDeSQM5spNVdnQTsOhvgaYDyP+pgjVdfvB+5TbZ9KkIKtjpkILDkwOktHMErL2 0APdIA88rBw+ULusLmlmauKuq11K9NeTxIemA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782220486; x=1782825286; h=content-transfer-encoding:mime-version:references:in-reply-to 
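Review bot: the added CVE_STATUS[CVE-2026-39836] line in meta/recipes-devtools/go/go-1.22.12.inc reuses the generic reason "Issue only applies on Windows", so the justification given in the commit message (net.Dial and net.LookupPort panicking on input containing a NUL byte) is not recorded in the recipe itself. A one-line comment above the entry naming those two functions and the NVD reference would let a later auditor check the not-applicable-platform decision without digging up this commit.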
From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 26/26] rust,libstd-rs: set status for CVE-2024-3566 Date: Tue, 23 Jun 2026 15:14:07 +0200 Message-ID: <8c56e85dd02063da5630c9b73fb242686a970e20.1782220259.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 23 Jun 2026 13:14:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239392 From: Sudhir Dumbhare The vulnerability is Windows-specific and depends on command-line handling through CreateProcess, which does not apply to Linux/Yocto builds. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3566 Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- meta/recipes-devtools/rust/rust-source.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc index 5b433ceae78..318c7f0e293 100644 --- a/meta/recipes-devtools/rust/rust-source.inc +++ b/meta/recipes-devtools/rust/rust-source.inc @@ -23,3 +23,4 @@ UPSTREAM_CHECK_REGEX = "rustc-(?P\d+(\.\d+)+)-src" CVE_STATUS[CVE-2024-24576] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-2024-43402] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2024-3566] = "not-applicable-platform: Issue only applies on Windows"
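Review bot: the added CVE_STATUS[CVE-2024-3566] line in meta/recipes-devtools/rust/rust-source.inc is unconditional, while the commit message justifies it only for "Linux/Yocto builds", so the status also covers any variant of the recipes using this include that is built to run on a Windows host. If such configurations are out of scope, the commit message should say so; otherwise the status should be limited to the builds the justification covers. Minor: the entry is appended after CVE-2024-43402, which leaves the three entries out of numeric order.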