From patchwork Mon Jun 29 14:19:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91283 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E15D2C43638 for ; Mon, 29 Jun 2026 14:20:27 +0000 (UTC) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38581.1782742826895807713 for ; Mon, 29 Jun 2026 07:20:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=S/0fP2M0; spf=pass (domain: smile.fr, ip: 209.85.221.47, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-4720d22c94aso1414622f8f.1 for ; Mon, 29 Jun 2026 07:20:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742825; x=1783347625; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ImZMZhbeGjtAgc7ZwLbu+TFD8y4QHEAP5FYo4gO7RFU=; b=S/0fP2M0O3JhIAsqOtwHy7VqJNpSgGdn/7fRirqojaJsacruqxfBn0zfYch9zfhWIL U4nTbBngqzWQwJFI/DG6XNgJHGHzbwHERkHHuU16YT1kljW2mFta2ZcsDmba3LNOnYts eGBDEobiuzMtVbOj1SVZxaDEXrilIOx3ht/eQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742825; x=1783347625; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ImZMZhbeGjtAgc7ZwLbu+TFD8y4QHEAP5FYo4gO7RFU=; b=Ye2tPEyEOH9FvnQ/+MFkV0KCUZBS9aNWDfTuq0j3PSXh6fm2Oj7oQtJ2fCuWtz4KkN 0XFtDRaDl6UGUJnShCU2Lbwk0gOpRbkBYRkn+IS5HZb3cODg2l528joGD+IFc+GqClrl /0dwKqAKJV+wyQm8LbIX5E5I2ZgmVaq9I7AOvzrKP8UhR2OHYg8GcWJWunsCcNIKXndC /rqJHrFPynYh616DCUL7ZGS58e5hrVTWTsQmwnBEdTG0ZuDCKf2IdDPIO3TTtsNnWped 1Mn/4qUdzjc8ECTPP9lELJ0E8iS7QKg3UrI3V/Bq5ZbgzBFrMWEJWP0Ftz8dsZFO6nbl 3c/Q== X-Gm-Message-State: AOJu0Yx1YI4Q6isEU0dh0WPpREyK5UYveML+42xXZYXG/bqTuhLF4QJ9 MinOqc9YiKXs4LELKs4dd3EJ/1axJMxjGlT8To39jwquhb5L5lVkhc6Fc0j2QEdEcdsBmLLwpbA Aa++Szcw= X-Gm-Gg: AfdE7ckZMU9BjM2GHZUE57tD11lutJjcz0OhFdmW5Pt/mQnWWlZ+DIvyfE6RuEz+rFn 6Iv/TI4vatpBVEeR50f6YQ3s4A/bg4a3fsQpJMomw9gUb9UevFc4EZJNLmdpmgElwPZNaFvjg1t usAvQBGRPQEairFMa8wFwdMC6VAgDAdTbcOpfBs0xqS6FYKlPDhUrcHyEi3/Zy6JEYTkUAkUbLK d8P8oyqy0IT3BVsqcL/MDHIqbExR5ZuY19t7F8ejHRfmvZ38eoJJw0RwHx1JHUbVvr4nw8zHA5S Rh6b45vPYvoIi4VPeBaSlmiMORlMsdhJi7snZ2aTcxpuJM73h/B7qS2J0ywVNuMXW9CDuLeWlYU TFAX1ySpr0HIScXXK28LVcwAJbtvGBbI7JTPIYPGpkQudnXD8oNfQswh/J8zSefGo5Ox//EvJd5 PAC1bsySk6EFTmBP9+uNxtF7MQ/JvcBesrx2qMcqu3ukeYYd6HXsWrc3QZnlngsWwrQsL2M4Pxo iJrlf0hpXCXNxRbH/Waz0w= X-Received: by 2002:a05:6000:2087:b0:474:3b78:b229 with SMTP id ffacd0b85a97d-4743b78b4cbmr3869270f8f.11.1782742824995; Mon, 29 Jun 2026 07:20:24 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:24 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub Date: Mon, 29 Jun 2026 16:19:46 +0200 Message-ID: <288ecfd7d9cd24222cc0f1277105c15cf0889718.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239789 From: Alexander Kanavin Different versions of gawk can produce different output, so depending on which version is installed on the build host, reproducibility issues can occur: https://bugzilla.yoctoproject.org/show_bug.cgi?id=16072 So far only glibc and grub have been identified to have the issue; probably more fixes of similar nature will be required going forward. Adjust the gawk recipe to apply target-only tweaks (particularly the removal of awk symlink to allow for alternatives) to only target and nativesdk variants, so that native installs both awk and gawk executables. [YOCTO #16072] Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit c5bbf0a60b1d63e68f849a63e5d3872954e7cd3f) Signed-off-by: Yoann Congal --- meta/recipes-bsp/grub/grub2.inc | 2 +- meta/recipes-core/glibc/glibc.inc | 2 +- meta/recipes-extended/gawk/gawk_5.3.0.bb | 11 ++++++++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113e..a2173bee04b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -51,7 +51,7 @@ CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedo CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora" CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu" -DEPENDS = "flex-native bison-native gettext-native" +DEPENDS = "flex-native bison-native gettext-native gawk-replacement-native" GRUB_COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|riscv.*)-(linux.*|freebsd.*)' COMPATIBLE_HOST = "${GRUB_COMPATIBLE_HOST}" diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc index 225d0539a01..60e3daaf326 100644 --- a/meta/recipes-core/glibc/glibc.inc +++ b/meta/recipes-core/glibc/glibc.inc @@ -1,7 +1,7 @@ require glibc-common.inc require glibc-ld.inc -DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers" +DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native" PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index ac9d8500d60..a05ec3b34bc 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -34,13 +34,21 @@ ALTERNATIVE:${PN} = "awk" ALTERNATIVE_TARGET[awk] = "${bindir}/gawk" ALTERNATIVE_PRIORITY = "100" -do_install:append() { +target_tweaks() { # remove the link since we don't package it rm ${D}${bindir}/awk # Strip non-reproducible build flags (containing build paths) sed -i -e 's|^CC.*|CC=""|g' -e 's|^CFLAGS.*|CFLAGS=""|g' ${D}${bindir}/gawkbug } +do_install:append:class-target() { + target_tweaks +} + +do_install:append:class-nativesdk() { + target_tweaks +} + inherit ptest do_install_ptest() { @@ -87,4 +95,5 @@ RDEPENDS:${PN}-ptest += "make locale-base-en-us coreutils" RDEPENDS:${PN}-ptest:append:libc-glibc = " locale-base-en-us.iso-8859-1" RDEPENDS:${PN}-ptest:append:libc-musl = " musl-locales" +PROVIDES:append:class-native = " gawk-replacement-native" BBCLASSEXTEND = "native nativesdk" From patchwork Mon Jun 29 14:19:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91285 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C857BC43327 for ; Mon, 29 Jun 2026 14:20:37 +0000 (UTC) Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93235.1782742827419384837 for ; Mon, 29 Jun 2026 07:20:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=T0WDi+Iy; spf=pass (domain: smile.fr, ip: 209.85.221.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-470174001a0so1491771f8f.0 for ; Mon, 29 Jun 2026 07:20:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742826; x=1783347626; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eYxudwPqD6Vu2nOqb9IemCfdpST4RcV1eQKwzYiQ8ZQ=; b=T0WDi+IyTs/K811nCDHLx2PVcLzTnaa4Pe0nBTsHXPt2s09oHpnN9aS6UA/ORgyW4H CNdy/tdgKVIRaf0XPODrFmhhhUBaEfkJeXOoeTzxs54PiMZZmgdRNNvHGM6Y7YaTz4OB sVgf/19gZx/C/f1n4YUQ0ZWg0OpGjdBNKiv5c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742826; x=1783347626; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=eYxudwPqD6Vu2nOqb9IemCfdpST4RcV1eQKwzYiQ8ZQ=; b=Dnr/aeY+6UiyMiZNf2JQ9T/EA7FLZqj3WxgfGYfv8qFfcriVO7Gr/k+OCGwDWv/Wdp qGFSDcQENQP/B93+lo5mYQL1IX7UbdRZzYUx+86QqikQlA3VWeD1bzJQUMW4iOWA3Bjv VpN3SNtKy+VRvSaeT84hksjKjQVSV2U56z7PGAb/Hyah/41Ya0jZc7KT+jyCGUlOzQeE Rz2+o4FaSy5VaVn7cV72OOAwhGl5DHG9u7wlUz8G2825Y2+rMDvBvCqb6U081Z6v6loV FyZTEb4KwbhjXF32ZeJghw3/YNQPqYVjH2HAace0Rcni8UNi5O/jvs+Iz+mndEEVFZVd d7mA== X-Gm-Message-State: AOJu0YwL6MLRhBEtP5W0gkDwUBbZDcWv3kDE6irF8iYP2Lv2U7AhISZP mgwNGq7rDgXqVdWfsw1lFFonUGgqNvcCvSWBSXiltUVeiKK2+aTSCZozWRLrz0iFlzLK0FI1jXZ ZHiveOnE= X-Gm-Gg: AfdE7cmA9nRF6y89LuADWLbKz0uRtU/FfCEgYAWjbYQZck/plS6HiuYqc9JWj6ajqPA tPxUwWD+HAdr0I+LcMLZnc0sHH1WxoJh9lJxmwskEFY2DUa/Jp8JvabX+z64QB31v8zl6EzFSs+ u/qdLwMy6VUWoadD//RrR8J+ufPESTa2a60feA5PJ3c2WeqgU6jwfkZR/Oxs4yIQp1z/tbF08h2 eQpH5BKMpvwq0SiTzRrNxRWgFFX/jqOX8phD9OTsWEyjYDAKdPlKKV5hE53o3qEjua1kyzGAjNm 6sC6zymDP3YEUrFJ77zLCxp9yjeJTFmRIeTjxAjUqwFZvlxMK2ohRjJb5aaD8jddO5bPhcEM35S zfFMrOlJqvgdy0PdIsfbncZ6uM8RD3IOiY/VFifibZMMAMQ3QVl/XbOVoJsO1ASNQNZGDfF1aEw lQ26PpRFGrvYbjxJ8LYp5XLURsOIKCJnjvgr5HhmhXjgqdro3sn/bLHYyd/p87SWd+3NZVxw6jr Tu917cy0TRuH/4gq1LByqU= X-Received: by 2002:a05:6000:46ca:b0:46f:8cc5:4548 with SMTP id ffacd0b85a97d-46f8cc546c8mr12381127f8f.9.1782742825573; Mon, 29 Jun 2026 07:20:25 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:25 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 02/19] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues Date: Mon, 29 Jun 2026 16:19:47 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239790 From: Richard Purdie After the gawk dependency change, we need to change PR/hashequiv version to replace the corrupted sstate/hashequiv data. Signed-off-by: Richard Purdie (cherry picked from commit f0f7632595792a73ea0a935b924e8bdf9954ec7b) Signed-off-by: Yoann Congal --- meta/recipes-bsp/grub/grub2.inc | 4 ++++ meta/recipes-core/glibc/glibc.inc | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a2173bee04b..dfc87eaa94d 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -44,6 +44,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-61663_61664.patch \ " +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL" diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc index 60e3daaf326..a3d0bb40713 100644 --- a/meta/recipes-core/glibc/glibc.inc +++ b/meta/recipes-core/glibc/glibc.inc @@ -3,6 +3,10 @@ require glibc-ld.inc DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native" +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" inherit autotools texinfo systemd From patchwork Mon Jun 29 14:19:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91292 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97F3FC44507 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38582.1782742827893622269 for ; Mon, 29 Jun 2026 07:20:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=oOOJsVEY; spf=pass (domain: smile.fr, ip: 209.85.221.52, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-47122683cf3so962551f8f.0 for ; Mon, 29 Jun 2026 07:20:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742826; x=1783347626; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ejGm2IJG5YnbEOWqbCTqO7CbKg46gZpL/uN/xLgfCR4=; b=oOOJsVEYzb1Gh0jI1NvaZSbSs8IiiZF5zjPuwmOkCP3yYzUYbJfFFNgYOZwDdeChsw y4PPwNnPB/Lyj3pIJKWv3cpuD7HtRnk2bmP9mE+Y1uSu5iaJwBtF88R/J4RZy05AkE3D ZK2GsmQ1zzyj6iilptIj0cWvcn5idC3dnaExY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742826; x=1783347626; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ejGm2IJG5YnbEOWqbCTqO7CbKg46gZpL/uN/xLgfCR4=; b=AmEHUBuDLFULE3tZhdwaX2+UQpD+Leusp7Ffm+vKlvxX9zLV0UVL/K2Nnfbct9G5Wa km/MKKorMTKV/zmXBR6hLOSRe8HUNOFbBCO8OutgHADINJViuTOwVvnR2HHQwjgY12bK LdFGdlJtBqXc7/fnx6M65KfCrejLK1OHo3rDds0vNnIrqMVpVzAePtO2MtUmS3jL/jmY 3KzQ/VQgruIs5yq1wWNHnGhr9W3VE7zoBM0m1nyDPOPF7rWLSuV8+uHKd++APXMKtsnt vzLw9Oewm+0xOQMZau1f1HbX6XhgeejinfbSAdKho6MS/7iD27gzoxun6cF7DRnwSGEl 1Orw== X-Gm-Message-State: AOJu0YzwTQVKy41DNDEZWDtsHGUPxz238K4nTcTPib2NXZFCqXz2pkSd iLHFSTsvLe12FmsJwHvlfdFBZto4Dm+wgv09UXr28iT3mkF9QMzODujDNThXxX8rNV6zFSy+IJq wR7CMnLc= X-Gm-Gg: AfdE7clllhydv7PeIzzXEqPUNUew5YRI+loz6lYWDMTk1B8kl/NpOLoW04rAMZmVlOa bFxS+0Ei49diPc6Ym6TvkBMqKWHoRPQpfUkC0VVagInAtndce7W7L3oczP0DNAuPJPaI/jgqCmO BFXOSal2w8I/Wm5wh0pG3IDfGZsUuoJL3wOm/E0qJzsjipDyZhpDsz4uWqkLYJXlqbPBZ+MX584 SLFbLU3y4H47190lS5/28u1mrg9ipQzQ0eCyJ7K8E9SU2pSnGS3GfkFcBruDMIuuXH1MsKherYM 7I88Hoe43UaP7A0qgVtjYMlNYGYjh6wU6GF8kiXf8EON/a5DeObsulXEKNFmPI/lEXhVl7pjfc9 ZIXqzJV2QWASkEg/QgLdbMfg+PafXCKNpE+JVuwShcHt6uIcyfkrgZ/xLc7kEqCfE1k8jVhrnhp HsLOBGjE6UGnZG8WOx9aCMt98HJZgLSoJEgBgU+FqxOaqAUNMhJjPQ3G+SbCPx+JUaTyPcOTeTo 0QxaduSuxVX7OrCz8FDNS0= X-Received: by 2002:a5d:6a48:0:b0:46d:32:3340 with SMTP id ffacd0b85a97d-46fb8d93892mr14394711f8f.36.1782742826056; Mon, 29 Jun 2026 07:20:26 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:25 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/19] gawk: trim native build configuration Date: Mon, 29 Jun 2026 16:19:48 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239791 From: Ross Burton When we build gawk-native it is only for use in builds where the host gawk output isn't reproducible across versions[1]. As such it doesn't need support for readline or mprf, and by removing those from gawk-native we can get building gawk-native sooner. [1] oe-core c5bbf0a60b ("gawk: use native gawk when building glibc and grub") Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit 1e6b810f60fd45856fc6a57270bf85342bcd9415) Signed-off-by: Yoann Congal --- meta/recipes-extended/gawk/gawk_5.3.0.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index a05ec3b34bc..e38c1f84366 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -12,6 +12,9 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" PACKAGECONFIG ??= "readline" +# Make native builds lean +PACKAGECONFIG:class-native = "" + PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" From patchwork Mon Jun 29 14:19:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91295 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73AA6C44503 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93236.1782742828856643690 for ; Mon, 29 Jun 2026 07:20:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=wJGVtwje; spf=pass (domain: smile.fr, ip: 209.85.128.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-493b68b4643so3023405e9.0 for ; Mon, 29 Jun 2026 07:20:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742827; x=1783347627; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=HZdurTAp8abezk+0dADuhG4qtzdfP51zr9UJ2hL8LYE=; b=wJGVtwjedcZbSImYeajH4Gp4jP8jP2EQkTz0o2nFMPbDV3D6Y9x7p530C74v5KyzxY QdZE1Pm9j8e7ErCbnPSrO7qOfy2/gF0w0SkhNkKh2cc0UeDdym6+dFrRnjv2S5zLF9A1 YlHDiVU6PckGWEHsU6N6YmPyq4wESJgj6e8b8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742827; x=1783347627; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=HZdurTAp8abezk+0dADuhG4qtzdfP51zr9UJ2hL8LYE=; b=Y0i/FZV7YdFHslhqaxiMYAvk1ityB/BNuMdHijR3oS6qZFufk0+VpfceZjGTB0N2Pg viCURBT1nIFX1js5rygTM0upcd4IsAqMCgAkbdAVZ2+YzjxSWfRUU4CGEe6gx0QX3mNS xf0HtVQ31n/6tw/XMYigpI5NCoFa1G2G944wP9OkRlMGxUdPBaAIGq3EjuX/hGrtdwed 6TZ1u6UCPh0nDeQYUoCcu1sDj2O4usf1eiJN3guIVAT3guH0inocMw5uQMpg8E23bAQS G3QTyvvxM5JQ8RMr1EXtEVEPPv5XmJPEv1C3mei761x6zBLkY9QwYFsVA4kDEobBlcPj jYsg== X-Gm-Message-State: AOJu0YzPY8qJXvGLvsu0e43ZKA0uqR54TSIWr9Qq12bteCjn0GV/OYGl Dd1iyjDlkkZgtMHoAQIy/sNPkIOHUMOu3qJPusUgurJUNk7dubLrB3bz59QItLM59nObFVGwj3w bHrkGCLo= X-Gm-Gg: AfdE7ckRUnR7T2KM/+XOn8fpbwa2rnc8bNw6XETZycIEzMkB4pMimsPEJT7Wz8pKHS1 8ZhtVDwokj4C1q1eIX738KjecV+8sLy1J3lMkPBdvrd3aBK1lxEay7LYhpxMdY4dfqJ4AFQMqMy xwt+Zxzi+dLyPovSsYz1mwfo6Bd4f34Rk1YBHzjnhJKRAipiM+4SJUVKyux5Cj2hqsbo5+Kkye9 dqDj5XyQpxjynNmjn2+jJ/e6dPxZcp6QD+SvOTOZZdaZjcCjmbD/c2Edveo53+2MSAuXbUKVCH2 WT+svI4OAbjwe/XAWIW7QRni+GyIJAmAP1KSr/NUmZJ28GJwJaO2ksiQ0QFRGYjTZOeXNoMGmQ6 2g/LrDQlBBGzuAg781T6UGsKvTTlmDV7wC8xwvwcpX/pOcantQ0EeQPvBmkS1PMrLOZO6Slzvx0 1UO0HP5sHfXWUWX5Yf8JMjEPdxVKUMSUOuxGrebCfSUuLCZnEaWPU1lld/qE66mu4PDXGrDqjXP lNYPcEYwAZxRjGUqo5ia4U= X-Received: by 2002:a05:600c:1908:b0:492:465c:56f6 with SMTP id 5b1f17b1804b1-49266873d4emr254955825e9.10.1782742826702; Mon, 29 Jun 2026 07:20:26 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:26 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/19] gawk-native: fix gcc-15/C23 compilation issues Date: Mon, 29 Jun 2026 16:19:49 +0200 Message-ID: <790bccfd8b82809e87311b24f71cf9f8e6a02b5e.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239792 From: Yoann Congal On Ubuntu 26.04, GCC 15 defaults to std=c23 and that results in build failure: | ../gawk-5.3.0/io.c: In function ‘iop_alloc’: | ../gawk-5.3.0/io.c:3389:31: error: assignment to ‘ssize_t (*)(int, void *, size_t)’ {aka ‘long int (*)(int, void *, long unsigned int)’} from incompatible pointer type ‘ssize_t (*)(void)’ {aka ‘long int (*)(void)’} [-Wincompatible-pointer-types] | 3389 | iop->public.read_func = ( ssize_t(*)() ) read; | | ^ Fix this by (partially) backporting an upstream patch. Signed-off-by: Yoann Congal --- .../0001-Fix-some-C23-compilatio-issues.patch | 35 +++++++++++++++++++ meta/recipes-extended/gawk/gawk_5.3.0.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch diff --git a/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch new file mode 100644 index 00000000000..7082e62beb6 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch @@ -0,0 +1,35 @@ +From e4015d209ddc31bd1256fa568612372407e0b9c5 Mon Sep 17 00:00:00 2001 +From: Arnold D. Robbins +Date: Mon, 12 Aug 2024 06:33:28 +0300 +Subject: [PATCH] Fix some C23 compilatio issues. + + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/gawk.git/commit/?id=7a521fe4b37f8554ca53ef3236f0352e391aaa1d (in v5.3.1)] +Backport: Only kept the code change, dropped comment changes +Signed-off-by: Yoann Congal +--- + io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/io.c b/io.c +index c595c009e..44671ebd1 100644 +--- a/io.c ++++ b/io.c +@@ -3386,7 +3386,7 @@ iop_alloc(int fd, const char *name, int errno_val) + + iop->public.fd = fd; + iop->public.name = name; +- iop->public.read_func = ( ssize_t(*)() ) read; ++ iop->public.read_func = ( ssize_t(*)(int, void *, size_t) ) read; + iop->valid = false; + iop->errcode = errno_val; + +@@ -4446,7 +4446,7 @@ get_read_timeout(IOBUF *iop) + tmout = read_default_timeout; /* initialized from env. variable in init_io() */ + + /* overwrite read routine only if an extension has not done so */ +- if ((iop->public.read_func == ( ssize_t(*)() ) read) && tmout > 0) ++ if ((iop->public.read_func == ( ssize_t(*)(int, void *, size_t) ) read) && tmout > 0) + iop->public.read_func = read_with_timeout; + + return tmout; diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb index e38c1f84366..b1d1fe7ae47 100644 --- a/meta/recipes-extended/gawk/gawk_5.3.0.bb +++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb @@ -21,6 +21,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://0001-m4-readline-add-missing-includes.patch \ file://run-ptest \ + file://0001-Fix-some-C23-compilatio-issues.patch \ " SRC_URI[sha256sum] = "378f8864ec21cfceaa048f7e1869ac9b4597b449087caf1eb55e440d30273336" From patchwork Mon Jun 29 14:19:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91294 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56108C44506 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38586.1782742830007536254 for ; Mon, 29 Jun 2026 07:20:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=PDTtIUxs; spf=pass (domain: smile.fr, ip: 209.85.221.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-46ee68c3b7aso2892292f8f.3 for ; Mon, 29 Jun 2026 07:20:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742828; x=1783347628; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DUxj24+ewkYyKmnI56d56ri3XU9iJPknrJYvnSwWAiQ=; b=PDTtIUxsezZREv0tK3W1nSgLwB/J8pF7pt0dzoCAICNBS2L8jR8H6ePI/uNz+h2Ru8 Nqhy5BVsN3UdvLWMs3YZJNaHRk6y/RSYZlVZBQq1BNeg6rMER9EOlRSLYWwRICCZBEFB pAomEMQGaJY5CG59EFUyAvMF5vO/YQnRjbeHE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742828; x=1783347628; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=DUxj24+ewkYyKmnI56d56ri3XU9iJPknrJYvnSwWAiQ=; b=cnEfGYH/v/54NmY7POsF/Tpg4JzcF0x6vLWBNkGRngZqnHYGlCgr7vX2yAoJZr9KiJ kZQ+vcFflZxfHLu55rspGlqQuKxlMvxyyi28gr3S5+0BV6rW6i+z5p3mHN2vCtf2/m5l 6LayyjqgCaWwkSVXwITaff2oW8XkrAJol9l14nfDy6C5egiw3acx/JkELSZDz7jy8eLS 0eQnJqJWo7Cvpm4Jk0WWs360u5Ad7u5qRvia929PnxGwOviiKuPo3DgR+IuG88+FEMoH sORo+lzPW3+0JTA3dpmvKv4WKjZccqtxCRKK83nlL8J7zHg3AII1FLrm8zuukwlcwIzz vF6w== X-Gm-Message-State: AOJu0Yw8yJOIsYFJIzrJPdVf+4ywmH1StcXjwKYhJEWMbl1Xo0YoydB+ DUtnuRQ0O30p1S9yfMbaLu532ldVrt0GX3AiDbdZu982cJ/qgGnJDJI7h3oXqigwjkpTItFNJeB Xgxzzai4= X-Gm-Gg: AfdE7cnCozsRtJGOYP6dxDX0DCwh5y5ofsErLtTQg6A3sn3yhW4/xGUyvrkX0NtSR0f A0H2w4ivGvFtfx+jiHMblxMc7NCbfKTVamq75eygXv6iNof+8oCBDgKG6P85CiGwW0+XoMDvgBQ yf/bJlo+H2pEdiZRZC29/uQUWOMsaa+jCsfw/sdRvq1sHwYLvZZULDjQD56sXOOtJnLGrQNKmtV EEZuy9RpsT+egXRrDk6WBhzD2+EuYB9gUthZYFPRDKXGjwuV66URor1dgzuvDH7g3G2zBKQV0Kr k6z9oQo7bTqP5j9vnt/n6qXRFU3Axx4NWmWAEhfi9oliDSemN3Vq4hkWOgPNmU7F5RNMbDSPXKi SMdAaAjblUQn7jJFbjuy7whHaaqkL0irz4czhy4rPdKOluCmBH7msp2jfEeJTJIOgMW86fa0T+h 7DHBOxyduBCAbpU6T8oHdnAIhcolz8vC94OAXSEDkD8/IMEm+FgmgQfhep8mO732JbdJWZNaU+C FbiEpqWliOh1K2pUbaXuew= X-Received: by 2002:a5d:5f8b:0:b0:46a:bcab:3c2 with SMTP id ffacd0b85a97d-46dc18a453fmr24226812f8f.34.1782742828116; Mon, 29 Jun 2026 07:20:28 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:27 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/19] libsoup: fix for CVE-2025-11021 Date: Mon, 29 Jun 2026 16:19:50 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239793 From: Hitendra Prajapati Pick patch from [1] also mentioned at Debian report in [2] [1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788 [2] https://security-tracker.debian.org/tracker/CVE-2025-11021 Signed-off-by: Hitendra Prajapati [YC: The CVE fixing patch is d010b0bbd in 3.6.6 (current master/wrynose)] Signed-off-by: Yoann Congal --- .../libsoup-3.4.4/CVE-2025-11021.patch | 57 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch new file mode 100644 index 00000000000..9bba0929b7d --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch @@ -0,0 +1,57 @@ +From 9e1a427d2f047439d0320defe1593e6352595788 Mon Sep 17 00:00:00 2001 +From: Alynx Zhou +Date: Sat, 11 Oct 2025 15:52:47 +0800 +Subject: [PATCH] cookies: Avoid expires attribute if date is invalid + +According to CVE-2025-11021, we may get invalid on processing date +string with timezone offset, this commit will ignore it. + +Closes #459 + +CVE: CVE-2025-11021 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788] +Signed-off-by: Hitendra Prajapati +--- + libsoup/cookies/soup-cookie.c | 9 +++++---- + libsoup/soup-date-utils.c | 3 +++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c +index 7c41b1d..5af154d 100644 +--- a/libsoup/cookies/soup-cookie.c ++++ b/libsoup/cookies/soup-cookie.c +@@ -726,12 +726,13 @@ serialize_cookie (SoupCookie *cookie, GString *header, gboolean set_cookie) + + if (cookie->expires) { + char *timestamp; +- +- g_string_append (header, "; expires="); + timestamp = soup_date_time_to_string (cookie->expires, + SOUP_DATE_COOKIE); +- g_string_append (header, timestamp); +- g_free (timestamp); ++ if (timestamp) { ++ g_string_append (header, "; expires="); ++ g_string_append (header, timestamp); ++ g_free (timestamp); ++ } + } + if (cookie->path) { + g_string_append (header, "; path="); +diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c +index 34ca995..ae5504d 100644 +--- a/libsoup/soup-date-utils.c ++++ b/libsoup/soup-date-utils.c +@@ -95,6 +95,9 @@ soup_date_time_to_string (GDateTime *date, + char *date_format; + char *formatted_date; + ++ if (!utcdate) ++ return NULL; ++ + // We insert days/months ourselves to avoid locale specific formatting + if (format == SOUP_DATE_HTTP) { + /* "Sun, 06 Nov 1994 08:49:37 GMT" */ +-- +2.50.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index fc4a286dcf0..8fe3775e1e4 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -51,6 +51,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32049-2.patch \ file://CVE-2025-32049-3.patch \ file://CVE-2025-32049-4.patch \ + file://CVE-2025-11021.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Mon Jun 29 14:19:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91291 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E6BEC44502 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38588.1782742831003118423 for ; Mon, 29 Jun 2026 07:20:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=M74nrRdQ; spf=pass (domain: smile.fr, ip: 209.85.128.47, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4938d5f86f3so13282685e9.1 for ; Mon, 29 Jun 2026 07:20:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742829; x=1783347629; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=rMourJBos371K0wOV3mBriAgNBa+4g9eD6xSAl3Hk4Y=; b=M74nrRdQrZEKwy3tfejyYUXdeFFcHlCQTQIAHaycEB3zA6PQTYuXI0wUEPPyYxYsgD AOFK5QWALU+bcWdLvH6mEGA+yKbg6rTy6metS1w52ugs7OjBnc4hjfz8Fmbeq72IVCu+ 32ZSBrDXHIBObqU7q0+1zewkLtsO3d0xP9vmo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742829; x=1783347629; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=rMourJBos371K0wOV3mBriAgNBa+4g9eD6xSAl3Hk4Y=; b=rKwOWmn0IwMF3qVLvWR72tsBEwyzE4QTY5UNqeYXwMfh/xUKHiuDPzEb8hSgxD3FqC ImE0eFv+0+RpcsJBG4cvSMrJCB7xbuK8q28jE5jS9lDbC9QOJxjwy4Q/OIzk1aLaj7le F1TYPG8z6iouFBM0eLuRwzIuxwmr38068Yn8acKrfWZhAJ93p5Km6vJL0ZpbvG+mducN o/vdHAZoKQMiT7fIEu9C5t2jIDeVFaZSdFVyedFBSVL6Vi1jAWiw9NhK4YhiZFHNo0tJ sB18S1ENUQu2epWsv6fAgkK3EVWiFiBTkJwH9h10gdY2OYcWK3shQ19dQ37VNdDaiHpx gA4g== X-Gm-Message-State: AOJu0YzZprPpNm8Zyu+LayaHlKeyAEsh1dIvKtms/XAq/nkyR1gAOhcQ 9A++yq2PBsHKaEqvCIq4hpbsyS/ye2kPT7Yy5LWwQFwDIvzbd8KD2dMmLld/fVi2XrL1tLnrbQ6 1tDrygis= X-Gm-Gg: AfdE7cmzAvR0Z/ZvqTQBTACswoIZR//tMMHp6mbVmbaDXrGk9Vzw6P26GEB20JGslP8 rdUNNFqrX1QIlE3OrBRD76bjIm1QInlyWsNzZWaQZd/wWp3H3qemA8bDQpxP6rc03JigG8x2Euo MNihSUFtlKGhqBY/TV2RMJlyjqu8ww8cZMgbispd4TthhxqWgRLj9XZsGTe8D1Wd26CYbeiL3z+ o/CYgLsXBlFgnYsA/9mSo1JbHMubQoUAy+LifE6e6yL0fYdWJOCjYlN028piKmA3MfFERq9vxhz 5CJQe75NyigDr7bs4nSl2UPDRqaXAdWcwM901VMUf+Q01QpsjHSAWxKy6dUoKJUI9YEbb/TPujc kBw+9g+MGR58U2dM1ODPVHKBvDZDR9vmVvQ3252CWiyrvW44BqhCp305uDjgf1oSiZ2PI58Sh33 QRCkgdyocTT2RxYZyUZbHCWLWOMj8SpVq+n3PsENGWWx5OXkKyUKNh7uDcUoXtD/NpMjsO9CTbB RtLVP7o8w66ICaoezJ9y+U= X-Received: by 2002:a05:600c:3e1a:b0:492:70c9:c50d with SMTP id 5b1f17b1804b1-49270c9c64fmr131106305e9.9.1782742829188; Mon, 29 Jun 2026 07:20:29 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:28 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/19] libsoup: fix for CVE-2026-2369 Date: Mon, 29 Jun 2026 16:19:51 +0200 Message-ID: <6ca4635dfe2c7fb277af3409931c66f7863af890.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239794 From: Hitendra Prajapati Pick patch from [1] also mentioned at Debian report in [2] [1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f [2] https://security-tracker.debian.org/tracker/CVE-2026-2369 Note: Issue introduced by the fix for CVE-2025-32052. Signed-off-by: Hitendra Prajapati Signed-off-by: Yoann Congal --- .../libsoup/libsoup-3.4.4/CVE-2026-2369.patch | 32 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch new file mode 100644 index 00000000000..bee8a35323b --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch @@ -0,0 +1,32 @@ +From af4bde990270b825b7d110a495cc65de9e2ec32f Mon Sep 17 00:00:00 2001 +From: Samuel Dainard <> +Date: Wed, 11 Feb 2026 10:19:04 -0600 +Subject: [PATCH] sniffer: Handle potential underflow + +Closes #498 + +CVE: CVE-2026-2369 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f] +Signed-off-by: Hitendra Prajapati +--- + libsoup/content-sniffer/soup-content-sniffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c +index a5e18d5..594d0bb 100644 +--- a/libsoup/content-sniffer/soup-content-sniffer.c ++++ b/libsoup/content-sniffer/soup-content-sniffer.c +@@ -524,6 +524,10 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer, + if (!sniff_scriptable && type_row->scriptable) + continue; + ++ /* Ensure we have data to sniff - prevents underflow in resource_length - 1 */ ++ if (resource_length == 0) ++ continue; ++ + if (type_row->has_ws) { + guint index_stream = 0; + guint index_pattern = 0; +-- +2.50.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 8fe3775e1e4..15164d940c1 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -52,6 +52,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32049-3.patch \ file://CVE-2025-32049-4.patch \ file://CVE-2025-11021.patch \ + file://CVE-2026-2369.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Mon Jun 29 14:19:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91289 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 308C2C44501 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38589.1782742832231942311 for ; Mon, 29 Jun 2026 07:20:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Hsb56sdd; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-493a7bd27c2so12668435e9.3 for ; Mon, 29 Jun 2026 07:20:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742830; x=1783347630; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PkWxKLyJCbzXuQF05IBCsnC/IzzoRC0F/RHguMfg4VE=; b=Hsb56sddEZTpEcA49DBwi/yvrKo+0tMI06ZKcWWVOUiYZnvd1c+55w9rpr+oMZq5tb jNqBZnYlmTrsAjPbEjXtqUpDeSSde8D/uPtj2LcLKEaWqtw/akqocEgz7K80aAIPg4D9 Qi0WxQIRr8DzEnZxuq46z9sMCseDvoqExcuOY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742830; x=1783347630; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=PkWxKLyJCbzXuQF05IBCsnC/IzzoRC0F/RHguMfg4VE=; b=AZE8Yuhw8n0/rBZVKG268V2s822ioCgyHuf0Dg+LBK1OP5PV75R45GRr/+Hb5YVOdH Xuex1shNJ0fGTRJvav9LuPKHjYAxSvSLMnHcgvhrdKf8DSCYonR38c0mvDG8zPLAxj+M RNxDZrClhrqXHKyfDG6q6dVTIHe6+K+KyJ4LwacBowD2VMBPy5JFpsaFgO5NYlJvaVDt EMWO3mjRP7LO8RcAyeLJMvWoj+ENUq9A84XiEHaiLMaAlYPjIIp+E31MZpoLnJxGIkHg 6qMR+qEefmwpkOzXYA6VETG5C048xFtunERz3O8PoO3T5MLX0TsOkz961r+lfYCXo5X0 Tbyg== X-Gm-Message-State: AOJu0Yz187v1em0XxDWIVbSRBRAMvcwcyLK3pvKFtG/QMbHGiGqjBagS FNcr2aoa6o88XdUczijjeMKQzruDROvFd9WK2K3AwFx7AxMuTGsRjbBaF5zz545O2JMPOeL2jez Xuq/ejEE= X-Gm-Gg: AfdE7ckCKRopEwk6n9gcTcR9J4wO81y6QFA3gvlj0duhrvCwhrhbS7i2/S29dtLjp+l CDd8IdhX+mKrnPpBCEXJ9pR6BILCIah06eckcpxYoqjWwUDF9vVwTBShwoxDNDar47/IsMZ9yv6 JptupbcfFgVJJqNyYr+xtoZzsB0zG5w5QYI0Svl0nP8zpuV3rmNcAwDe4awtk2Dn3qofQ1W/40L dIkAEORFYsAz4wXUU6HGvcUqdlJHzMNsRGkn4EA/7PX/+lkE7Rm+BHm8DOW6UY+W9h0Fg/mPxUU XpoBLRm9oG43VbgUryeeTqPumw3SHlp8B8CDCwXoEzUUctUd9gaFmw4i/4PtvV5SpADXMMAKcuG ZQAbWbac/RhnebO6vSCjNpHXOipojersxBYitiFluSJXWQ7Cs0R0TPXb1yuoirZ2gyCHvrSB4iP cylhUGI0ST8HWk1QKj3dEqD0eNUZyCn6Eqm5zqlbJpFpsT0kMv3V4T2tf+IdSeHJmxi8Iwu3YeS KLhRRg3gbK5s/EFNQC8LEI0Y+tNTbnP8g== X-Received: by 2002:a05:600c:528c:b0:490:b8c0:d470 with SMTP id 5b1f17b1804b1-493b71d2755mr14861635e9.19.1782742830427; Mon, 29 Jun 2026 07:20:30 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:29 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/19] go: patch CVE-2026-27145 Date: Mon, 29 Jun 2026 16:19:52 +0200 Message-ID: <209a1b3a48b8e3996e1b53f2d7efe335855b7375.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239795 From: Theo Gaige (Schneider Electric) Backport patch from [1] [1] https://go.dev/cl/783621 Signed-off-by: Theo Gaige (Schneider Electric) Signed-off-by: Yoann Congal --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2026-27145.patch | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27145.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index c825ebd25a3..99c5f8b63b6 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -61,6 +61,7 @@ SRC_URI += "\ file://CVE-2025-58183.patch \ file://CVE-2026-25679.patch \ file://CVE-2026-32288.patch \ + file://CVE-2026-27145.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2026-27145.patch b/meta/recipes-devtools/go/go/CVE-2026-27145.patch new file mode 100644 index 00000000000..f231aab458b --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2026-27145.patch @@ -0,0 +1,96 @@ +From 612753600a0184c8b792425dea62e530170ca811 Mon Sep 17 00:00:00 2001 +From: Ian Alexander +Date: Wed, 27 May 2026 04:22:31 -0400 +Subject: [PATCH] crypto/x509: split candidate hostname only once + +(*x509.Certificate).VerifyHostname previously called matchHostnames in a +loop over all DNS Subject Alternative Name (SAN) entries. This caused +strings.Split(host, ".") to execute repeatedly on the same input +hostname. + +With a large DNS SAN list, verification costs scaled quadratically based +on the number of SAN entries multiplied by the hostname's label count. +Because x509.Verify validates hostnames before building the certificate +chain, this overhead occurred even for untrusted certificates. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes #79694 +Fixes CVE-2026-27145 + +Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74 +Reviewed-on: https://go-review.googlesource.com/c/go/+/783621 +LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com +Reviewed-by: David Chase +Reviewed-by: Neal Patel + +CVE: CVE-2026-27145 +Upstream-Status: Backport [https://github.com/golang/go/commit/d01955d5d50ccb5f46c215f88c1781742b3f117d] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/crypto/x509/verify.go | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 1de06bc95b..4c423a5fca 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -102,7 +102,7 @@ func (h HostnameError) Error() string { + c := h.Certificate + maxNamesIncluded := 100 + +- if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { ++ if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, splitHostname(h.Host)) { + return "x509: certificate relies on legacy Common Name field, use SANs instead" + } + +@@ -1081,16 +1081,14 @@ func matchExactly(hostA, hostB string) bool { + return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) + } + +-func matchHostnames(pattern, host string) bool { ++func matchHostnames(pattern string, hostParts []string) bool { + pattern = toLowerCaseASCII(pattern) +- host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) + +- if len(pattern) == 0 || len(host) == 0 { ++ if len(pattern) == 0 || len(hostParts) == 0 { + return false + } + + patternParts := strings.Split(pattern, ".") +- hostParts := strings.Split(host, ".") + + if len(patternParts) != len(hostParts) { + return false +@@ -1168,6 +1166,7 @@ func (c *Certificate) VerifyHostname(h string) error { + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. + validCandidateName := validHostnameInput(candidateName) ++ hostParts := splitHostname(candidateName) + + for _, match := range c.DNSNames { + // Ideally, we'd only match valid hostnames according to RFC 6125 like +@@ -1176,7 +1175,7 @@ func (c *Certificate) VerifyHostname(h string) error { + // always allow perfect matches, and only apply wildcard and trailing + // dot processing to valid hostnames. + if validCandidateName && validHostnamePattern(match) { +- if matchHostnames(match, candidateName) { ++ if matchHostnames(match, hostParts) { + return nil + } + } else { +@@ -1189,6 +1188,10 @@ func (c *Certificate) VerifyHostname(h string) error { + return HostnameError{c, h} + } + ++func splitHostname(host string) []string { ++ return strings.Split(toLowerCaseASCII(strings.TrimSuffix(host, ".")), ".") ++} ++ + func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool { + usages := make([]ExtKeyUsage, len(keyUsages)) + copy(usages, keyUsages) +-- +2.43.0 + From patchwork Mon Jun 29 14:19:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91287 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22290C43638 for ; Mon, 29 Jun 2026 14:20:38 +0000 (UTC) Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38590.1782742833620007593 for ; Mon, 29 Jun 2026 07:20:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=BFcPC+KB; spf=pass (domain: smile.fr, ip: 209.85.221.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-474e7ba9fd6so211292f8f.1 for ; Mon, 29 Jun 2026 07:20:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742832; x=1783347632; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8bPYCRu1Ec0lavrNgNrjyY+2sML1XSYu6EzSs3pv8VE=; b=BFcPC+KBqjWHOFqcgwKBPjBnFbD6isbcTpJtQ4fZ9RQmt0j/RgYQBwpsQPG1j6ah/4 MNXkgTWwTgpQZWAF2m/bFBhJQpZF+ZB+LhizTv+I61HqH7qf2h3kpopFURjqm4nynhsY pznYCv7Pla4ZVtDZXxkmKwP+6KM92b6qTOKo4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742832; x=1783347632; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=8bPYCRu1Ec0lavrNgNrjyY+2sML1XSYu6EzSs3pv8VE=; b=fJvn/D/xEGFwYuNGtrh3TEPXdaSlaw716TuY5ErLXJzw5XcjQRhvu5Az2cMRA1eJsX rYmRflFjdYOR9w3jVlkugQRu2hSM7FQNamBiymgQI/uw16V6+4K68qsqY4RbuQLuXvaM DYKOLJp0WcVj6ejubbthCKb4GWWU+lWHGKZxc8+gVJdShm8GDBKDEEehNXSyI3q5c1rS rCPgtuVZjtb0bYMGVM4X8hISprZozdOrR0khHI+KFYviIup6blqa17DZ6h4hO4WJsonJ zv6cBTzgGZriWxcQrLw96/bd4vrIr/i6+U1yhpnqoeuPxfPGjd1FUe12XKHifWgDefC9 5rJQ== X-Gm-Message-State: AOJu0YyrZqorjtyg6qRONN4eD4IWyqJRo4axiSz+Y8gZItJ6WdwYm03B BYer92gzjAnP7uuIbvSxNACdbIGHnSwFpGYpRzzcimX46eo/7hF3tJRMjS//TjzDUBtDqaAbmgj Yi8GoAfo= X-Gm-Gg: AfdE7ckVD5qCH9S0OLfA9vFEmg4350kCAofL6bfjSLPtUfQ3QIFw6+iJwm5hPhn5KYL IoMYfA+KQbbmZlbd33CAMqoaMTbYOgd64qIHG3cFme8NffbRl1Bn/jYic4AxrtDjpfaY0++jTwt 7TYYHlprqsrlfvUJIdbhDWRdAOQjXG0S5riUbMtA9xRMIXP0XvWa3fye9xfGBgI6DQa4evcAROp Vx5OazYayh65SAkDu50Nj3M7pYoUtXsfYBKjO3aCYFzDGPFB2UnzCSkl+0Vwyeg57SvslmN9ERy zwPxgXRBOzl8kZ4GlvRu8+/UN9LIbwSVc1QYEKntAxgE1kCzoEYBTijWRhYY8immW38jfmcDSsX A4F2S+bOjD2fKiyyuy6Saak+2nvwlDaq6YEflaFZm9wKF1L6W8ZcihrvRjsFJsrmSWrFcTltAJ8 uE9533o83vCK8/GAP8c7/kpehx92v3ao9g519DzDDegFCxWdRvcdENUKJeYGY0TDRpu9VONi2s1 77Bje1LrG28J1bI6LQ4+1k= X-Received: by 2002:a5d:4565:0:b0:463:e582:a4a4 with SMTP id ffacd0b85a97d-46fb6bf30ecmr13549369f8f.10.1782742831809; Mon, 29 Jun 2026 07:20:31 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:30 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/19] binutils: Fix for CVE-2025-69648 and CVE-2025-69646 Date: Mon, 29 Jun 2026 16:19:53 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239796 From: Harish Sadineni CVE-2025-69648 was marked as a duplicate of CVE-2025-69646. The existing patch already fixes the issue associated with both CVEs. Rename the patch and update the CVE tag to reference both identifiers. Signed-off-by: Harish Sadineni Signed-off-by: Yoann Congal --- meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +- ...CVE-2025-69648.patch => CVE-2025-69646_CVE-2025-69648.patch} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69648.patch => CVE-2025-69646_CVE-2025-69648.patch} (99%) diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 7e83f72632f..342229af26a 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -73,6 +73,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69644-CVE-2025-69647.patch \ - file://CVE-2025-69648.patch \ + file://CVE-2025-69646_CVE-2025-69648.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch similarity index 99% rename from meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch rename to meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch index e04d7ed6c21..b02b5e05317 100644 --- a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch @@ -19,7 +19,7 @@ length field. (display_debug_ranges): Check display_debug_rnglists_unit_header return status. Stop output on error. -CVE: CVE-2025-69648 +CVE: CVE-2025-69646 CVE-2025-69648 Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33] (cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33) From patchwork Mon Jun 29 14:19:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91290 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA676C44500 for ; Mon, 29 Jun 2026 14:20:37 +0000 (UTC) Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38591.1782742834383282674 for ; Mon, 29 Jun 2026 07:20:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=RGpJ67Lo; spf=pass (domain: smile.fr, ip: 209.85.221.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-474560436c3so608307f8f.0 for ; Mon, 29 Jun 2026 07:20:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742833; x=1783347633; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DLqkdBSxCWMYmpZKzc6HznGsYpXCy3Y5Zle6Y9FmyL4=; b=RGpJ67LoYGVH4CDOvhCRPO8pmUaonIssl5PAYwhfhp+0OyVo/ccKLdYnSmDGTR1tsA PDKgmbx1nFMRtRnKAeKdFWb0w7rGvRCqF/jZxgdjXqRNP0z5UiUQ8A4pEQuGaFUT7cxP 7OMH4uhCj15hZQivi3DMG9ywQize3M888hJek= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742833; x=1783347633; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=DLqkdBSxCWMYmpZKzc6HznGsYpXCy3Y5Zle6Y9FmyL4=; b=CiAAxa4W+75MxfGBHLTvqToxL2s+s/9fNSYk9ZkPJbR2TcFCMh6BYZZ7iW3xxkRYzf raMU0iLYgYevWsn3OuqTeoVY2sSsNpwy1r4Feao/ngZ/1jotsrUvh47ih8LtgWrcrje0 qOlvPv44mevzVIO6lvOlol41HNPTlolmpTpNybZwU7wcdBcoqOmqyFbtw/ey8Y8wkqbW bHbcT/NqkV68CfKhfzCu+a0U2lhSdK2SpbItks4yJcLmKVxD6ga6ONIng24Gl96W5/8g 8b5XCyd0EkBWqSjDRK0QFImHX39KbAz0eU9gH6hWZKqcH0+gCfZBmFQADYNGQe4X4p2q L3cg== X-Gm-Message-State: AOJu0Yz7IIgbWR19auULaPFzluGCuJfhgcA9M+XhHW1Q//s85vNcFsyj e/adff+FmHCMtxkUORRKf0vfft9G3OGOGnm/ICvGX19LH0dpsaiTGGiIP8xnb+Wz2dMFllGnORC +m+GiBGE= X-Gm-Gg: AfdE7cnUnt0PkD29/yrlitPtgLxJeC33VJ7BnWUZ5QdrtbOROavsEsLbFTUzN5mpwTJ BqPKOLHI7rCWUyvryDKNOZNEOB9lUWoBHNSapDvgv7mevFW6axBeUBa3rVCqVG9D/9U/Dgh7QN1 ncLhO/NJSGTXZthR05s2Fdnc9d50vfAYAJTEg67l3TR9Z8ceVShq7oZlkDT5MApIEb4eBw/tVWg 6UVAVvknKPvQOtS7+VMzVrP9FZojXGKwIZXKd0m3IB0+cPQCRKcFFOOY+0NvkpEx3e6BjvrmiyG bsCXYXiabdFjENaAY/eNo6Ei4Me1iQ0UhGs0Emk4gCKykmnIUVdXx7rylXaiLZx09hIM9puK5XA CKYbvzYSLavzepwgZIhbY2JewJ1MpKumiz2otWs3ri9fB8ErYR2zG4rZ9Os1P1FTeKIeLBMrGhM HVkcEcsQ1SS3Aa/85qWI2iMpEdeWNUSYKwGB148aFl4kfcADQOOINWOXcXoNZhcgLnjSYDeG0fB sSffNWDdQkU25JmrSGTHMg= X-Received: by 2002:a05:6000:26c1:b0:473:f4c3:4d51 with SMTP id ffacd0b85a97d-473f4c34e14mr5233228f8f.43.1782742832520; Mon, 29 Jun 2026 07:20:32 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:32 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/19] xwayland: Fix CVE-2026-33999 Date: Mon, 29 Jun 2026 16:19:54 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239797 From: Vijay Anusuri Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-33999 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../xwayland/xwayland/CVE-2026-33999.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch new file mode 100644 index 00000000000..cd3bf47397d --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch @@ -0,0 +1,49 @@ +From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001 +From: Peter Harris +Date: Thu, 15 Jan 2026 15:54:09 -0500 +Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap + +If the "compat" buffer has previously been truncated, there will be +unused space in the buffer. The code uses this space, but does not +update the number of valid entries in the buffer. + +In the best case, this leads to the new compat entries being ignored. In the +worst case, if there are any "skipped" compat entries, the number of +valid entries will be corrupted, potentially leading to a buffer read +overrun when processing a future request. + +Set the number of used "compat" entries when re-using previously +allocated space in the buffer. + +CVE-2026-33999, ZDI-CAN-28593 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Peter Harris +Acked-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b] +CVE: CVE-2026-33999 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 137d70d..2b9004a 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + return BadAlloc; + } + } +- else if (req->truncateSI) { ++ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) { + compat->num_si = req->firstSI + req->nSI; + } + sym = &compat->sym_interpret[req->firstSI]; +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 362b110a0bb..65f1ed2ae07 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -35,6 +35,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62230-0001.patch \ file://CVE-2025-62230-0002.patch \ file://CVE-2025-62231.patch \ + file://CVE-2026-33999.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Mon Jun 29 14:19:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91288 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8A8EC43602 for ; Mon, 29 Jun 2026 14:20:37 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38592.1782742835325758305 for ; Mon, 29 Jun 2026 07:20:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=CiO9tNuj; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-493b77b150aso1063085e9.2 for ; Mon, 29 Jun 2026 07:20:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742833; x=1783347633; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6Qz1ZiYFdEDLjVgRWb0jfv6yfm0+ZUvmiKKAtWsWAmA=; b=CiO9tNujI5lVqCdzCr39g04x76nYBP5H92qawkcryDG0PVX6cqvUMy5alEQzRGvppI dAvqlSDXzljkABvPms/jJ66bvY9MGRh1NinPlqwtm93JGzeEtewdDs1iBi5LAA2vSw4X 8L9CDUQguOQokvGdxdgW/bR5j0Qdkc6H0d0fg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742833; x=1783347633; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=6Qz1ZiYFdEDLjVgRWb0jfv6yfm0+ZUvmiKKAtWsWAmA=; b=nQTBo6yemCaYSYi7C76uGadcHkMLNT2kT+DlQuKKWMMB5PXDTnAg9r2RNrzH9t7gk2 esiYFFUd+hglONkOyKMY4mOgN5PDSn3Pyw22iznu9tc/eA8Cw1MT1EhRR1+PDhi69NJy De/r0gQEO0Cnw9jsOTyQe1jHUujdTXJZRlr2W+u2Kh9BxFhbNYaybKj5DLti20p/otPC n/dRV1Rjj7+2PtDZufIvrh4+zk4y8w+PLW4ypqOBU79gT0StzkHDJf+H8mwaVaYUrifk ulyxJP94L/mouu3nq2Q+jhiKcLa7cdt2LBvkuJhCi1gkhVUXuUyR3ncwrcYtksqw1XMz WRXw== X-Gm-Message-State: AOJu0Yztl/cibLRftB/sdVVeWiSR6BA8R6awVZLRdxuqb39rsOtvVCD3 sqAzicUrkEED4XoynygdOiveo/Wz7EJXwTz55kQ6oi+bDc21fOeYtBEhwrzlTKeejDYlzAnOHu9 hgu1ccoQ= X-Gm-Gg: AfdE7cmBH6b9kl2Bfl8CQDXUbwb0r5wAQKmpWVz+5Q8fqjkqwcNX0e1QhWET2flBO/d 8vJ/bISUIo6rIkTKaZ7y1YIXDZuUQmr+f0uAifLj66EG3O+Jby3QsanJOJH5Sl8knHvVfoGil7G yA4TZdk10hEElBkyYo8aIYx3hHJAAK7ogmgbydYlqeECzJDuRGHltANXp1okKI/9IRhGagrGUZ2 tcJtInSnXzNfBef15PupSJY55ynjVSwvMAomXhbqIJ+1XjCJRjpNvSBeyzSkbLFLlrZ39qFUAES T+aTZNyt2BFhJbSmau/ppkKa2DEiG3p3moATSbI2TCgIIkvk+4ZJaQQ1a8sW3vdUdYH0OrXkuXs 0wMcYqpkZh5nsBx8T85vVMcPSuxLdz52ya0TbKowNs8Nv5X7EwJQO93VIYWm9yCF96ynDadYo8Y gnd9OGc5x5bhfw+XuhjKnf+cXyUIjjjptAlLl+HmM5pS3V5teuzZWVoFywgHUhRM9Wxy5XBoC6v q9MEWh6ydScUAe5zI/wZwY= X-Received: by 2002:a05:600c:6097:b0:493:b55f:bca4 with SMTP id 5b1f17b1804b1-493b55fbd29mr29501375e9.29.1782742833517; Mon, 29 Jun 2026 07:20:33 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:32 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/19] xwayland: Fix CVE-2026-34000 Date: Mon, 29 Jun 2026 16:19:55 +0200 Message-ID: <8d7485642161722dcfead25ef8d84ac316a10169.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239798 From: Vijay Anusuri Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34000 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../xwayland/xwayland/CVE-2026-34000.patch | 72 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch new file mode 100644 index 00000000000..7ce7cfa80c0 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch @@ -0,0 +1,72 @@ +From 81b6a34f90b28c32ad499a78a4f391b7c06daea2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 16:03:11 +0100 +Subject: [PATCH] xkb: Fix bounds check in _CheckSetGeom() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585) + == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607) + == by 0x5AC952: _XkbSetGeometry (xkb.c:5643) + == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684) + == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E13B0: AllocateInputBuffer (io.c:981) + == by 0x5E05CD: InsertFakeRequest (io.c:516) + == by 0x4AA860: NextAvailableClient (dispatch.c:3629) + == by 0x5DE0D7: AllocNewConnection (connection.c:628) + == by 0x5DE2C6: EstablishNewConnections (connection.c:692) + == by 0x5DE600: HandleNotifyFd (connection.c:809) + == by 0x5E2598: ospoll_wait (ospoll.c:660) + == by 0x5DA00C: WaitForSomething (WaitFor.c:208) + == by 0x4A26E5: Dispatch (dispatch.c:493) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +Each key alias entry contains two key names (the alias and the real key +name), each of size XkbKeyNameLength. + +The current bounds check only validates the first name, allowing +XkbAddGeomKeyAlias to potentially read uninitialized memory when +accessing the second name at &wire[XkbKeyNameLength]. + +To fix this, change the value to check to use 2 * XkbKeyNameLength to +validate the bounds. + +CVE-2026-34000, ZDI-CAN-28679 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2] +CVE: CVE-2026-34000 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 2b9004a..1ba638b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5603,7 +5603,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) + } + + for (i = 0; i < req->nKeyAliases; i++) { +- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength)) ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength)) + return BadLength; + + if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL) +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 65f1ed2ae07..1a076ab552f 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -36,6 +36,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62230-0002.patch \ file://CVE-2025-62231.patch \ file://CVE-2026-33999.patch \ + file://CVE-2026-34000.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Mon Jun 29 14:19:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91286 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8541C43458 for ; Mon, 29 Jun 2026 14:20:37 +0000 (UTC) Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38593.1782742836622847505 for ; Mon, 29 Jun 2026 07:20:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=CpxRYo3t; spf=pass (domain: smile.fr, ip: 209.85.221.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-46cbe01d4b6so1982544f8f.2 for ; Mon, 29 Jun 2026 07:20:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742835; x=1783347635; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=1wDpdZYxXnbxWMbqMDGvwm1UMYcZJLYu++CrXo9OKzk=; b=CpxRYo3tRMqs6Pfz7g0LOo9jgQ63x1TELGgssLYHOB5aaLxF84vU55XdAyZDNZPPUk WpQBRDN6dowKK9IjnA2YTMZ+0GwBCR/k1MJNeBauSPxsOb2gu2eaCuvaO4H11B4ks4TZ JeQq6b9MnqZsFh8mcHVPD0bNqtQw6RlEbiJZ0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742835; x=1783347635; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=1wDpdZYxXnbxWMbqMDGvwm1UMYcZJLYu++CrXo9OKzk=; b=L/F7OLzp8FoZWvAf42jWe9KK/RV55gCoNwGUT0hwlNF15/2A8P8SO2uBprqg7tapd3 dgqqb5Zv31PdCk2FvmTkF+/NqIVCAc0vNeEhI3+Pzu66opmkvqFWRVKJHxTLTwH9ccO6 SK7eSwMSTD+6IoxyGOEnYNeVR5PbaqFWgJwf00IVNWuQBnSXb9so5a7hBChYHtJAL0k2 YORFAUefWJTQq/6t6HVLSyAtF6S9Yu2SWKPy6PEpjDFcYOaM7pN0Gx2+By9J9cp6VBz7 kkusrERX2DCQV1kje+oWvUk+QcB+1/wVp6BGfsANIImmP0CZBgP8B2gv/HTC3CjNHJVU 2r8g== X-Gm-Message-State: AOJu0YzPHUBShfuFRuFB+S4lb9WfdKPw79QuYeorl8YpRpPLK7NI7JlJ QWv8NsLu+q4XaQu2Al1KYFsRhYCns5AjkHKSCauaxJ/n75SaxyVL89HkJEMve2wA3Ca2mpdl/IP Cva8xPmQ= X-Gm-Gg: AfdE7cnukHaXO1MyhjwJfG5h4Gy2et9iNUHeY4jf0GV3GibdC/qqJ2+s9yVySx/A9Qj SKox8oE/jgS7vkZZ133mF29v2vVkWNCS5+pySMRGkuEeEuQwHVGg/T2X7DZf7ccDckEJ/JwHlPs PHDxyHXjUyRFjImkhDEjM9uHu9i4IZ4K1rHoaqG81STa53ckX2P/NMb2XRRxVnjDM8zOt0J6VNn 8Mk9pz0AOnF6z0rsQqELp/b415RzWYCNLlOQWlHGhyHDkqYlPx3FrOi9CkztZur2zAQNiKYvq8B zi7MiZdWF/oANc5sW3EY5tgToMvJ/I4bIsGQQbW9wQ2/aMXfnajepvl0XKm5+dlpBkNiEu1OliA mLwvlrW2eRDIfWZH+dUA7b0qs0Nei6E7Xi9xkaOahsz3b/jVRFjagX/wLLUy/xVRAmkyDlBMh3z GezyBjtkXTyT62h2egTRbyal07vDj6sC95muF2bTV0/ZlzOvDtWTWovg889Rjgrszjf9fpAqUmm DCmMBSTlz5/5nQTtvEnIO4= X-Received: by 2002:adf:f24e:0:b0:46d:d5da:f0a9 with SMTP id ffacd0b85a97d-475017f69a0mr1005281f8f.44.1782742834845; Mon, 29 Jun 2026 07:20:34 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:33 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/19] xwayland: Fix CVE-2026-34001 Date: Mon, 29 Jun 2026 16:19:56 +0200 Message-ID: <8e5404f100491b564706a7975fc3ded97abca090.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239799 From: Vijay Anusuri Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34001 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../xwayland/xwayland/CVE-2026-34001.patch | 104 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch new file mode 100644 index 00000000000..a438f5ffcdd --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch @@ -0,0 +1,104 @@ +From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 16:23:23 +0100 +Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence() + +As reported by valgrind: + + == Invalid read of size 8 + == at 0x568C14: miSyncTriggerFence (misync.c:140) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd + == at 0x4843E43: free (vg_replace_malloc.c:990) + == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169) + == by 0x53F14D: FreeAwait (sync.c:1208) + == by 0x4DFB06: doFreeResource (resource.c:888) + == by 0x4DFC59: FreeResource (resource.c:918) + == by 0x53E349: SyncAwaitTriggerFired (sync.c:701) + == by 0x568C52: miSyncTriggerFence (misync.c:142) + == by 0x540688: ProcSyncTriggerFence (sync.c:1957) + == by 0x540CCC: ProcSyncDispatch (sync.c:2152) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + == Block was alloc'd at + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x5E50E1: XNFalloc (utils.c:1129) + == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206) + == by 0x53DCA8: SyncInitTrigger (sync.c:414) + == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089) + == by 0x540D04: ProcSyncDispatch (sync.c:2160) + == by 0x4A28C5: Dispatch (dispatch.c:553) + == by 0x4B0B24: dix_main (main.c:274) + == by 0x42915E: main (stubmain.c:34) + +When walking the list of fences to trigger, miSyncTriggerFence() may +call TriggerFence() for the current trigger, which end up calling the +function SyncAwaitTriggerFired(). + +SyncAwaitTriggerFired() frees the entire await resource, which removes +all triggers from that await - including pNext which may be another +trigger from the same await attached to the same fence. + +On the next iteration, ptl = pNext points to freed memory... + +To avoid the issue, we need to restart the iteration from the beginning +of the list each time a trigger fires, since the callback can modify the +list. + +CVE-2026-34001, ZDI-CAN-28706 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0] +CVE: CVE-2026-34001 +Signed-off-by: Vijay Anusuri +--- + miext/sync/misync.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/miext/sync/misync.c b/miext/sync/misync.c +index 0931803..e11eba2 100644 +--- a/miext/sync/misync.c ++++ b/miext/sync/misync.c +@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence) + void + miSyncTriggerFence(SyncFence * pFence) + { +- SyncTriggerList *ptl, *pNext; ++ SyncTriggerList *ptl; ++ Bool triggered; + + pFence->funcs.SetTriggered(pFence); + + /* run through triggers to see if any fired */ +- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) { +- pNext = ptl->next; +- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) +- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); +- } ++ do { ++ triggered = FALSE; ++ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) { ++ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) { ++ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger); ++ triggered = TRUE; ++ break; ++ } ++ } ++ } while (triggered); + } + + SyncScreenFuncsPtr +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 1a076ab552f..800d0a8f634 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62231.patch \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ + file://CVE-2026-34001.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Mon Jun 29 14:19:57 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91293 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A751C44508 for ; Mon, 29 Jun 2026 14:20:39 +0000 (UTC) Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93239.1782742837883045142 for ; Mon, 29 Jun 2026 07:20:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=eZMTHvhs; spf=pass (domain: smile.fr, ip: 209.85.221.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f45.google.com with SMTP id ffacd0b85a97d-46db1eb3100so361240f8f.1 for ; Mon, 29 Jun 2026 07:20:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742836; x=1783347636; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=I8ywHwmyAuiBl3RYyDgTSudSWXHHyKBmXCQsp22FxcI=; b=eZMTHvhsSV9zQ2wK6z1iv2h7dVTQsJWYffMl03MArjfdZrZ3uvJTJvWHNUtTQ/41P3 VJMXhHpCe1maNgo5fs6WPoh/niAmT4ZNagxwf0XXa0+W0PBgWd70SD3xhvsQOgzq/kAb dEtOBEP+r4Qqu9QxbCuBW8VaGIbVsoamqwvUw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742836; x=1783347636; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=I8ywHwmyAuiBl3RYyDgTSudSWXHHyKBmXCQsp22FxcI=; b=nWBv/z0eGvdQGltShrcJJmWmFGdyFH/8sENd/62/CrZZgw3Gv/dSJIDpmlpGqn8rlq yWnIAqLYaeHY0P3b6x6U6/SxEHC3avLfW88tTJnDuaKfe5sp9TJZvOITleNgOn1zaWMk V9rc//MSzC6JT+GBnSdDycteIjXSxGiU/66vQ36pBNcGFWxzlXLIC5PV7wXWnCPuYcLH imjxsUlbVpxFAOw1bCSpXhK3iCblx+s6yZ7jLi2nEoINBTwGLsD6AJdbZIMTkOOjZmXk yZ7t/kHrAzDQlBL1PVWfAr2LXJMoResMY66Az2+WLIF46zW6lA7LYcNxVv3Afz1ziyT7 y54Q== X-Gm-Message-State: AOJu0YxqiApaFhPxKCvG5x9fWcSICcLN1h1Y6emI5SGCK0nvNc8ZvsY1 QsKbQ6TrepTJAXU0nsLBtxzoesUeD/9aofFrWeEoSKVD2ky0Xh8sxl+/o4GajDBC0xpBqDX73LE DKZ0skHM= X-Gm-Gg: AfdE7cnbMW7vgGe8chpjp5vmMRMxAS1sMAr+6ecsQpVgt04bE9tqWnGP9/RtgvoW2ub 1D94vqd7GlIy8aUn8AzFKRIJfhVaOzKrkTRXzo8ClHysUr3KZu+7LJ2x0frF8sSMKwZ1r274waJ Vf1thURh/DqMhXUUMJx+kohOxT/xa1YUfXZxGuhS76W9LI+4yoMjHQqNeQamkCMtWMi0TptNh/S KzqGn7qVFWBrcy2E8LwzEUKSukPQg7Zl4VQDrYKs9cAMYG9i6WkR8RHeyNLRIVvJGxvsc2OW4v4 gVHQECcGAkL+BEu7/BlJ5O56tulYeKt4bFaWY8RNKmlKer0iB0SJkkfsVtghMuoG8dUdgkToY22 jryAvBvLKTY0BZEk+ycHVPezelxldy9vBQytHS9mGQ1lOwY8q3Zljibg4o1UN6MdigJxDi0bRgT ZTLIThpyqWEF+ji/zWRXziKMJxBbsrVAvqZNT7lz3XZ6okAmILNmHLh0xMj57cX4XLJb2J4BXGe eNPqJmOaOA9pAj9igotWQI= X-Received: by 2002:a05:6000:4b0b:b0:470:80f7:9ef with SMTP id ffacd0b85a97d-47080f70cb1mr13247665f8f.19.1782742835996; Mon, 29 Jun 2026 07:20:35 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:35 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/19] xwayland: Fix CVE-2026-34002 Date: Mon, 29 Jun 2026 16:19:57 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239800 From: Vijay Anusuri Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34002 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../xwayland/xwayland/CVE-2026-34002.patch | 93 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch new file mode 100644 index 00000000000..131caefcd5e --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch @@ -0,0 +1,93 @@ +From f056ce1cc96ed9261052c31524162c78e458f98c Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Feb 2026 17:02:09 +0100 +Subject: [PATCH] xkb: Fix out-of-bounds read in CheckModifierMap() + +As reported by valgrind: + + == Conditional jump or move depends on uninitialised value(s) + == at 0x547E5B: CheckModifierMap (xkb.c:1972) + == by 0x54A086: _XkbSetMapChecks (xkb.c:2574) + == by 0x54A845: ProcXkbSetMap (xkb.c:2741) + == by 0x556EF4: ProcXkbDispatch (xkb.c:7048) + == by 0x454A8C: Dispatch (dispatch.c:553) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + == Uninitialised value was created by a heap allocation + == at 0x4840B26: malloc (vg_replace_malloc.c:447) + == by 0x592D5A: AllocateInputBuffer (io.c:981) + == by 0x591F77: InsertFakeRequest (io.c:516) + == by 0x45CA27: NextAvailableClient (dispatch.c:3629) + == by 0x58FA81: AllocNewConnection (connection.c:628) + == by 0x58FC70: EstablishNewConnections (connection.c:692) + == by 0x58FFAA: HandleNotifyFd (connection.c:809) + == by 0x593F42: ospoll_wait (ospoll.c:660) + == by 0x58B9B6: WaitForSomething (WaitFor.c:208) + == by 0x4548AC: Dispatch (dispatch.c:493) + == by 0x462CEB: dix_main (main.c:274) + == by 0x405EA7: main (stubmain.c:34) + +The issue is that the loop in CheckModifierMap() reads from wire without +verifying that the data is within the request bounds. + +The req->totalModMapKeys value could exceed the actual data provided, +causing reads of uninitialized memory. + +To fix that issue, we add a bounds check using _XkbCheckRequestBounds, +but for that, we need to also pass a ClientPtr parameter, which is not +a problem since CheckModifierMap() is a private, static function. + +CVE-2026-34002, ZDI-CAN-28737 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c] +CVE: CVE-2026-34002 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 1ba638b..3fcc6c4 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + + static int +-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, +- int *errRtrn) ++CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, ++ CARD8 **wireRtrn, int *errRtrn) + { + register CARD8 *wire = *wireRtrn; + CARD8 *start; +@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn, + } + start = wire; + for (i = 0; i < req->totalModMapKeys; i++, wire += 2) { ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]); + return 0; +@@ -2568,7 +2572,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + return BadValue; + } + if ((req->present & XkbModifierMapMask) && +- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 800d0a8f634..e7412e20116 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -38,6 +38,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2026-33999.patch \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ + file://CVE-2026-34002.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Mon Jun 29 14:19:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91301 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F376EC43638 for ; Mon, 29 Jun 2026 14:20:48 +0000 (UTC) Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93240.1782742838624266652 for ; Mon, 29 Jun 2026 07:20:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=UxhLxGzT; spf=pass (domain: smile.fr, ip: 209.85.221.53, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-4704d652e9cso1388119f8f.3 for ; Mon, 29 Jun 2026 07:20:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742837; x=1783347637; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=gd/Fsm9SNXDS87ozyE2YiIFb/cUbd3/eOgy2h38u1BM=; b=UxhLxGzTlDCCxpvl5mkL+9De4mSBJX2P+BGpIpjYSnaqvQC+//A0gSz3APrslIYsHH G3JA6H4IQ05vF+52tVL8p8J0v7lBK2+v6VnO26mAnETyjwWHKo/buw8uCW5QTIpoYSsb ABRxbVWjDWUnFkZHOINS7lzBDuKpn7DshVREs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742837; x=1783347637; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=gd/Fsm9SNXDS87ozyE2YiIFb/cUbd3/eOgy2h38u1BM=; b=GVwUwMf69tf15tgxX4vPjp6YAqKCzv+tjhsR49Ka9KtRsM101vgLoUlrgNGy/79N77 /e/aaI1gbzVTc6UDXGrenu1fM3hRt0+Akk7IW8Jpqgzn8eAKJIY83pFvxRuLAuJKbvyu 7CJ8o/PdQgJtxWYzUvhXxvUPtSw+Kts2iktXdxy8QnAyjdM45tp6doEBIDwZLotx6Ngj 0AjTf7ep3xQMq9PRrLHRkYipuHzmUNKIn9iOaPDsg504GUwkJCNhJ1yvfKshT+jdXCbO vkN/m3CTTGHRLQR/RcW1gNJkdoleiRbj2EHVzBv4WC8/yz0AArLB8XsjieJw/f2MlDPV 91Rg== X-Gm-Message-State: AOJu0YyTsuJOMZgrlDI0a0QGTL7YYDQMwgqAhKfFggy8rWPpqlNiGfci OUKdGSGTwCZZO6/9qYKofkfgTq34lJEslR/DdWDxv7MeARAoXZJo6Fz68UgXCHsqiHSOex4AqP7 Qb0zglXs= X-Gm-Gg: AfdE7ckVszYzq1gio6OIKGgmlBLXfv3Oi5/PzxoA5LjSY+BQAi+PPK6VVJTiookJSW6 dU2C9eQ2ugjvS2rctJcFotNoYHnPA39ml2Umw3rr/Cceey+hpTrePMy6tNALcfGkhC+SqbGtroo WBMINx5hAE8ILqfpIBvdIo2NwANzTKOborR1ks58u9Vq3CVWPDfAycISk1pN5VPzq3t/I+VHthg CpItpqIgMVHZSt6qRJFk+gEmEcN13/vq3dKJ0yX1/yWqz2oAOdpRC53We3wiaovBMGHR2c/ApBB rzzPpkM8rAbyO7m6c+QHRRkYHGbXVrwVchA12FEMQxljMhsblm8eWdWfuR9Ag6pihPb5zwa5Ghb EIMlcLZR1SDpV7yQj+xCCFFWfxBqroruOXh4a9mBaDCrxENpDaa9v4CpNy/tJEY+BwVAKL1n04y QwWP3jfVVbij5UBqmTybayBHC+gx1XxBkWutxrRcaBsItAgi4aFMeLwfxBKUjLjCUuPti706xId BXfHSkTGfgh6G4nO/nOYq8= X-Received: by 2002:a05:600c:848e:b0:490:3d62:f5e1 with SMTP id 5b1f17b1804b1-49266880e8fmr231003625e9.22.1782742836718; Mon, 29 Jun 2026 07:20:36 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:36 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/19] xwayland: Fix CVE-2026-34003 Date: Mon, 29 Jun 2026 16:19:58 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239801 From: Vijay Anusuri Pick patch according to [2] [1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html [2] https://security-tracker.debian.org/tracker/CVE-2026-34003 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../xwayland/xwayland/CVE-2026-34003-1.patch | 113 +++++++++ .../xwayland/xwayland/CVE-2026-34003-2.patch | 223 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 338 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch new file mode 100644 index 00000000000..3a1a9db8cb3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch @@ -0,0 +1,113 @@ +From b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 23 Feb 2026 15:52:49 +0100 +Subject: [PATCH] xkb: Add additional bound checking in CheckKeyTypes() + +The function CheckKeyTypes() will loop over the client's request but +won't perform any additional bound checking to ensure that the data +read remains within the request bounds. + +As a result, a specifically crafted request may cause CheckKeyTypes() to +read past the request data, as reported by valgrind: + + == Invalid read of size 2 + == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 30 bytes after a block of size 28,672 in arena "client" + == + == Invalid read of size 2 + == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + == Invalid write of size 2 + == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669) + == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515) + == by 0x5A759E: ProcXkbSetMap (xkb.c:2736) + == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245) + == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501) + == by 0x4A20DF: Dispatch (dispatch.c:551) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == Address is 2 bytes after a block of size 28,672 alloc'd + == at 0x4848897: realloc (vg_replace_malloc.c:1804) + == by 0x5E357A: ReadRequestFromClient (io.c:336) + == by 0x4A1FAB: Dispatch (dispatch.c:519) + == by 0x4B03B4: dix_main (main.c:277) + == by 0x428941: main (stubmain.c:34) + == + +To avoid that issue, add additional bounds checking within the loops by +calling _XkbCheckRequestBounds() and report an error if we are to read +past the client's request. + +CVE-2026-34003, ZDI-CAN-28736 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with TrendAI Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 3fcc6c4..0ef634b 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client, + for (i = 0; i < req->nTypes; i++) { + unsigned width; + ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->virtualMods); + } +@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client, + xkbModsWireDesc *preWire; + + mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1]; ++ if (!_XkbCheckRequestBounds(client, req, mapWire, ++ &mapWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries); ++ return 0; ++ } + preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries]; ++ if (wire->preserve && ++ !_XkbCheckRequestBounds(client, req, preWire, ++ &preWire[wire->nMapEntries])) { ++ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries); ++ return 0; ++ } + for (n = 0; n < wire->nMapEntries; n++) { + if (client->swapped && doswap) { + swaps(&mapWire[n].virtualMods); +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch new file mode 100644 index 00000000000..15b2b946d50 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch @@ -0,0 +1,223 @@ +From d38c563fab5c4a554e0939da39e4d1dadef7cbae Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 2 Mar 2026 14:09:57 +0100 +Subject: [PATCH] xkb: Add more _XkbCheckRequestBounds() + +Similar to the recent fixes, add more _XkbCheckRequestBounds() to the +functions that loop over the request data, i.e.: + + * CheckKeySyms() + * CheckKeyActions() + * CheckKeyBehaviors() + * CheckVirtualMods() + * CheckKeyExplicit() + * CheckVirtualModMap() + * _XkbSetMapChecks() + +All these are static functions so we can add the client to the parameters +without breaking any API. + +See also: +CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737 + +v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives. + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae] +CVE: CVE-2026-34003 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 55 insertions(+), 14 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 0ef634b..6320914 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client, + KeySym *pSyms; + register unsigned nG; + ++ /* Check we received enough data to read the next xkbSymMapWireDesc */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i); ++ return 0; ++ } + if (client->swapped && doswap) { + swaps(&wire->nSyms); + } +@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client, + return 0; + } + pSyms = (KeySym *) &wire[1]; ++ if (wire->nSyms != 0) { ++ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) { ++ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms); ++ return 0; ++ } ++ } + wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms]; + } + +@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client, + } + + static int +-CheckKeyActions(XkbDescPtr xkb, +- xkbSetMapReq * req, +- int nTypes, +- CARD8 *mapWidths, +- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) ++CheckKeyActions(ClientPtr client, ++ XkbDescPtr xkb, ++ xkbSetMapReq * req, ++ int nTypes, ++ CARD8 *mapWidths, ++ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn) + { + int nActs; + CARD8 *wire = *wireRtrn; +@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb, + CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn), + 0); + for (nActs = i = 0; i < req->nKeyActs; i++) { ++ /* Check we received enough data to read the next byte on the wire */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i); ++ return 0; ++ } + if (wire[0] != 0) { + if (wire[0] == symsPerKey[i + req->firstKeyAct]) + nActs += wire[0]; +@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb, + } + + static int +-CheckKeyBehaviors(XkbDescPtr xkb, ++CheckKeyBehaviors(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn) + { +@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + for (i = 0; i < req->totalKeyBehaviors; i++, wire++) { ++ /* Check we received enough data to read the next behavior */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errorRtrn = _XkbErrCode3(0x36, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key); + return 0; +@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb, + } + + static int +-CheckVirtualMods(XkbDescRec * xkb, ++CheckVirtualMods(ClientPtr client, ++ XkbDescRec * xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb, + if (req->virtualMods & bit) + nMods++; + } ++ /* Check we received enough data for the number of virtual mods expected */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) { ++ *errorRtrn = _XkbErrCode3(0x37, nMods, i); ++ return 0; ++ } + *wireRtrn = (wire + XkbPaddedSize(nMods)); + return 1; + } + + static int +-CheckKeyExplicit(XkbDescPtr xkb, ++CheckKeyExplicit(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn) + { + register CARD8 *wire = *wireRtrn; +@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb, + } + start = wire; + for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) { ++ /* Check we received enough data to read the next two bytes */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) { ++ *errorRtrn = _XkbErrCode4(0x54, first, last, i); ++ return 0; ++ } + if ((wire[0] < first) || (wire[0] > last)) { + *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]); + return 0; +@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, + } + + static int +-CheckVirtualModMap(XkbDescPtr xkb, ++CheckVirtualModMap(ClientPtr client, ++ XkbDescPtr xkb, + xkbSetMapReq * req, + xkbVModMapWireDesc ** wireRtrn, int *errRtrn) + { +@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb, + return 0; + } + for (i = 0; i < req->totalVModMapKeys; i++, wire++) { ++ /* Check we received enough data to read the next virtual mod map key */ ++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) { ++ *errRtrn = _XkbErrCode3(0x74, first, i); ++ return 0; ++ } + if ((wire->key < first) || (wire->key > last)) { + *errRtrn = _XkbErrCode4(0x73, first, last, wire->key); + return 0; +@@ -2563,7 +2604,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + + if ((req->present & XkbKeyActionsMask) && +- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey, ++ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey, + (CARD8 **) &values, &nActions))) { + client->errorValue = nActions; + return BadValue; +@@ -2571,18 +2612,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + + if ((req->present & XkbKeyBehaviorsMask) && + (!CheckKeyBehaviors +- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + + if ((req->present & XkbVirtualModsMask) && +- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } + if ((req->present & XkbExplicitComponentsMask) && +- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) { ++ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +@@ -2593,7 +2634,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req, + } + if ((req->present & XkbVirtualModMapMask) && + (!CheckVirtualModMap +- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) { ++ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) { + client->errorValue = error; + return BadValue; + } +-- +2.43.0 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index e7412e20116..8d5cb05beb9 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb @@ -39,6 +39,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2026-34000.patch \ file://CVE-2026-34001.patch \ file://CVE-2026-34002.patch \ + file://CVE-2026-34003-1.patch \ + file://CVE-2026-34003-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Mon Jun 29 14:19:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91300 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45C3CC44501 for ; Mon, 29 Jun 2026 14:20:49 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93241.1782742840151955116 for ; Mon, 29 Jun 2026 07:20:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=kCX/mm5y; spf=pass (domain: smile.fr, ip: 209.85.221.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-45fd464d51fso1942212f8f.3 for ; Mon, 29 Jun 2026 07:20:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742838; x=1783347638; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=AASe5hNtm3+pyHRJiSSUb8NINtGmY8YOjsgGM8RCKwM=; b=kCX/mm5ycq3Pd2eFJTU9ac6c/CXKX0bEtPeqIzicIgVx8Moy7tYE24iXrdCLcZ33A6 3aLKIvnMgvqHi2M1vYLNi0msDHjIlPt1VT8+HqrVC7cbOi4ISrrzgGB0AsFs6m9kz1j9 o3g5ANuFZnLMu1YWig+olqKJt03ONxbo7TBJc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742838; x=1783347638; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=AASe5hNtm3+pyHRJiSSUb8NINtGmY8YOjsgGM8RCKwM=; b=Ar0rViy3PTCVXDflLc0VGSIc2+iRcTELQ+LMRJPm8bsY2zDbHhU6sFfeXiEVmb5H7+ X7h1YYdd/5JX0aJTWkgwYJUKS4FBh2vVUTCxE9nqrI7TOlZx96PlD/I73WGUxjvopbwR 3JtprIeYX1TsIzTCfMzeHfupIiKtndOucUKLvdHp4VNBPJ3+qz82hqi6K6Is8jNeACxb AuKA/OK+HKEU5BCtKG9kafrv/HkZKmrd2eWGjCwnUz9xzxMLoR18F7b27t3cp6xXFEHs PgSIwbCB7m5zTK3wuocLNmdpC26YX06RT+5o4YtfKh4bKpZRqBcNLqchbijSW7glkuXj VE0Q== X-Gm-Message-State: AOJu0YzHPS2SqKfhANaahqQnMVxF+rkFqGZvfvhjiT/CwXs8R9I1gtuK ijDsBycyq6kiJlDV7p8U3OYFPyk5Sfm/3r4+vQsAChX8MbGh6CbvM52Zlh/hrATwXFUifd/wzjR zw9OpNP8= X-Gm-Gg: AfdE7cmnGfKPK5ESCfrssqmV4XfTkicjsn6goTPdDKb4HJ2pgnKt0bU3QD8UQMRkLqv 2i+6ZlOKbH0uw8iQuifurl8dlsTMqPXaCydOXfuWCkRzcW9UAMMisGSwtINWpq6H0vVWISWbstI 2ln8lINYtwTM/cyUwYhyXNSN8VweLV9OPmPazL3SipMy+Qzwg+ZTdbHRs6nXSKw1h00bExcKmIg BT7UOzg69SB2JddAL8iNx0SgUWdpgX2f6jHAm7e5pXYakXyuJx81MvDSwNNQaPR0cUEwNOibvii VwHaYUQ9THffZEo3F0pX6Dt97f77gmS9vzJjM5Xrj3FsYL+hEuCISZ5wfbkB2TT83ERwg+p+YpI S6NtbgTwBvEcocH51iLSl07zVL0TTciGu6shYxagwyFkb2TETgNjbBLLcCkogwN5R1Ta3G71MMD pxwKlapjvzgEfeHDEWXDn0BttTCRYL0YYJiIUUzP+5bCZss/qVIWwm6QJ9U+VKGEHrpxdWAWaum nbskuk2M6vNjrF846GDGsfRGIu9FRr72g== X-Received: by 2002:a05:6000:4210:b0:468:7ca1:2368 with SMTP id ffacd0b85a97d-46dc2a17107mr30603045f8f.29.1782742837701; Mon, 29 Jun 2026 07:20:37 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:36 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/19] libusb1: fix CVE-2026-23679 and CVE-2026-47104 Date: Mon, 29 Jun 2026 16:19:59 +0200 Message-ID: <22580c001cc7426a6844cdc128120031c47d0d3b.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239802 From: Anil Dongare - Pick the upstream patch [1] as mentioned in [2] and [3]. - To successfully apply the fixed commit, apply the dependent commits [4], which are included in v1.0.28. [1] https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 [2] https://security-tracker.debian.org/tracker/CVE-2026-23679. [3] https://security-tracker.debian.org/tracker/CVE-2026-47104. [4] https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68 Signed-off-by: Anil Dongare Signed-off-by: Yoann Congal --- ...-2026-23679_CVE-2026-47104-dependent.patch | 46 ++++++++++ .../CVE-2026-23679_CVE-2026-47104.patch | 88 +++++++++++++++++++ meta/recipes-support/libusb/libusb1_1.0.27.bb | 2 + 3 files changed, 136 insertions(+) create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch new file mode 100644 index 00000000000..04f1e684263 --- /dev/null +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch @@ -0,0 +1,46 @@ +From 2c1bb758e3b61355f50df61b6eb474d90bec2fab Mon Sep 17 00:00:00 2001 +From: Sean McBride +Date: Sat, 3 Feb 2024 22:32:52 -0500 +Subject: [PATCH] descriptor: Fix potential offsetting of pointer by too + much + +This was checking that `size` is at least `LIBUSB_DT_CONFIG_SIZE` (9) +bytes long, but then increments the pointer with `buf += +header.bLength`. That could end up pointing past of the end of the +buffer. There is a subsequent check that would prevent dereferencing it, +but it's still undefined behaviour to even create such a pointer. + +Add a check with a similar pattern as elsewhere in this file. + +CVE: CVE-2026-23679 CVE-2026-47104 +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68] + +Backport Changes: +- The upstream version_nano.h bump is omitted because this is a security + backport to libusb 1.0.27, not a version upgrade. + +(cherry picked from commit 016a0de33ac94b19c7772d6c20fbea7fec23bf68) +Signed-off-by: Anil Dongare +--- + libusb/descriptor.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libusb/descriptor.c b/libusb/descriptor.c +index 4623ad1..4862c69 100644 +--- a/libusb/descriptor.c ++++ b/libusb/descriptor.c +@@ -1233,6 +1233,11 @@ static int parse_iad_array(struct libusb_context *ctx, + header.bLength); + return LIBUSB_ERROR_IO; + } ++ else if (header.bLength > size) { ++ usbi_warn(ctx, "short config descriptor read %d/%u", ++ size, header.bLength); ++ return LIBUSB_ERROR_IO; ++ } + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) + iad_array->length++; + buf += header.bLength; +-- +2.43.7 + diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch new file mode 100644 index 00000000000..d868207e9aa --- /dev/null +++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch @@ -0,0 +1,88 @@ +From 0735213e5118d5c9c732b7c891446b35e0d6b8d5 Mon Sep 17 00:00:00 2001 +From: MarkLee131 +Date: Sat, 25 Apr 2026 18:33:17 +0800 +Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed + config descriptor handling + +Two issues reachable from a malformed config descriptor returned by an +attached USB device, both surfaced by the same libFuzzer + ASan run. + +1) parse_interface() reads bNumEndpoints from the interface descriptor and + increments usb_interface->num_altsetting before entering the inner loop + that skips class/vendor specific descriptors ahead of the endpoint + array. If that loop's bLength > size short-read branch fires, the + function returns before the endpoint array is allocated, leaving the + caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents + endpoint as an array sized by bNumEndpoints, and the testlibusb and + xusb examples both iterate it accordingly, so a NULL deref follows. + Reset bNumEndpoints to 0 before returning so the invariant holds. + +2) The first-pass loop in parse_iad_array() compares header.bLength + against the original size argument instead of the remaining bytes, + so a single descriptor with bLength == size - 1 lets consumed reach + size - 1 and the next iteration enters with only one byte of buffer + left. The buf[1] read on the second line of the loop body lands one + byte past the malloc allocation that backs the descriptor data. The + sibling parsers parse_configuration() and parse_interface() in the + same file already use the remaining-bytes form. Switch the IAD parser + loop guard and bound check to match. + +Both code paths are reachable from public APIs (libusb_get_*_config_descriptor +and libusb_get_*_interface_association_descriptors), with the malformed +input supplied by the attached device. Minimal reproducers are 20 and +9 bytes respectively. + +Fixes #1813 + +CVE: CVE-2026-23679 CVE-2026-47104 +Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231] + +Backport Changes: +- The upstream version_nano.h bump is omitted because this is a security + backport to libusb 1.0.27, not a version upgrade. + +Signed-off-by: MarkLee131 +(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231) +Signed-off-by: Anil Dongare +--- + libusb/descriptor.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libusb/descriptor.c b/libusb/descriptor.c +index 4862c69..97143bb 100644 +--- a/libusb/descriptor.c ++++ b/libusb/descriptor.c +@@ -260,6 +260,10 @@ static int parse_interface(libusb_context *ctx, + usbi_warn(ctx, + "short extra intf desc read %d/%u", + size, header->bLength); ++ /* Keep the invariant: bNumEndpoints > 0 implies ++ * endpoint != NULL. The endpoint array isn't ++ * allocated yet on this early return. */ ++ ifp->bNumEndpoints = 0; + return parsed; + } + +@@ -1226,16 +1230,16 @@ static int parse_iad_array(struct libusb_context *ctx, + + // First pass: Iterate through desc list, count number of IADs + iad_array->length = 0; +- while (consumed < size) { ++ while (size - consumed >= DESC_HEADER_LENGTH) { + parse_descriptor(buf, "bb", &header); + if (header.bLength < 2) { + usbi_err(ctx, "invalid descriptor bLength %d", + header.bLength); + return LIBUSB_ERROR_IO; + } +- else if (header.bLength > size) { ++ else if (header.bLength > size - consumed) { + usbi_warn(ctx, "short config descriptor read %d/%u", +- size, header.bLength); ++ size - consumed, header.bLength); + return LIBUSB_ERROR_IO; + } + if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION) +-- +2.43.7 + diff --git a/meta/recipes-support/libusb/libusb1_1.0.27.bb b/meta/recipes-support/libusb/libusb1_1.0.27.bb index 5bf854f95d4..3c463301644 100644 --- a/meta/recipes-support/libusb/libusb1_1.0.27.bb +++ b/meta/recipes-support/libusb/libusb1_1.0.27.bb @@ -14,6 +14,8 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-23679_CVE-2026-47104-dependent.patch \ + file://CVE-2026-23679_CVE-2026-47104.patch \ " GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases" From patchwork Mon Jun 29 14:20:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91302 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 336B1C44502 for ; Mon, 29 Jun 2026 14:20:49 +0000 (UTC) Received: from mail-ej1-f54.google.com (mail-ej1-f54.google.com [209.85.218.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38595.1782742841130034222 for ; Mon, 29 Jun 2026 07:20:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=dEdwUqKl; spf=pass (domain: smile.fr, ip: 209.85.218.54, mailfrom: yoann.congal@smile.fr) Received: by mail-ej1-f54.google.com with SMTP id a640c23a62f3a-c126eb4e003so100202566b.0 for ; Mon, 29 Jun 2026 07:20:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742839; x=1783347639; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Jpc5VEF3jLWa/JeXDqcMX0BYDrSL59zb6v+f0iZ3lUE=; b=dEdwUqKlUttSoW7hqsOZ7vAYhRrRX8OrhYLzkkQVUdCf9gwxkfvEJVfcG9pAetdqM4 ESqlXD7w1Bn45L7IKxUbP3Geu+qEL0rJOIC95MC8bCkFlWYhoYIPsKEZsRnhK4vLq0Dv tsgNYYre5MhGGN3jcLpQhimrjS9psKCP4kuHI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742839; x=1783347639; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Jpc5VEF3jLWa/JeXDqcMX0BYDrSL59zb6v+f0iZ3lUE=; b=CiuUW81UTwbr2pihoqnsnFxydOIp29koA/V2+9SUGKrIkJaGCRCh0if4ee2jYjUDoL T+V/E6zaRqn/J81nO6b/yQvAD7SBTXYw857HU4R83rEiDdJwiZTY8Ku2Dkfk2v05VYig 8rl1fCvxhGII9+QqOeIm2rKANwqScimjHDk11xxOhNl2bcYHjvGpOzoWX9GgrI0T/Anz FuLeU5kLU++gb2EF2BngrzV9RQTEnoi/8wGvOkHabEpmZlBDTm1A/ZW7WloSc22R8S0C EDgG6DxNaKyRdlDsdZLonYo/N4a6kLd1izptpcEz+qAO5J3ZkCzzBC5A6YjcubiBeVPI pu+g== X-Gm-Message-State: AOJu0Yw4OBd7cQfCSVc7rxZIkYBrH2+Kl8p8rlXNjZZKVgsiMEI8Y83z 8bqFwDk9HSQU05tnmIiCmaRuO//+SijuTLk5KJbVonsJB7+A72V5QXqW9Yabks5+PUPXRQ6QIXc QdhInk2s= X-Gm-Gg: AfdE7cm3MWGCdZof/kQXDII91h6pxx9HM5eMZ9hozbGSHrKaOAo/DMuc75Yv++nezAr j6h5BUhhE9Ug7SskTAnK92nlU/J1B9Rb0LrIGv3dduhuZw/Z+GLWy4HjJEavjI460Sxsl3WC+x/ 41KkXW1iWslGyMlKTvJPkUXqlagOXf2i2aRGWtZnR9biVeT5PxpflOY1PxCsi42aVYS7PRIm7F2 s9r1RkOMf3uYORxtgdWnCQzfmK5lUBJAny7POM9ZFFoVDUd/7xwbJIwIOncWPhPdZM0D02mJv/u w0ZvZGRZovjdidFEuhou+ktWCbKjmrA+zsECgC9nEbfwcHqjDp42WEdL7TJdHqQnzztu89vEK4g KAS9s5KBPMWT0pMfU4VfraGT9Lfao/MDKbtNDC6uWrGONjLIEdqPRkg9UL7bO37wqzyzCQEzCCM xlEJj+yqvMoqQMqlByJtqhgzqZtC94FZ/YlY1+Pg0oISz2BeiP5hxXgjzCyUGJxNby7Azcsfclr 2p4kB2Ij/6Ack7uiMvFssY= X-Received: by 2002:a17:906:6a84:b0:c12:557a:7533 with SMTP id a640c23a62f3a-c12816d8f6amr36628266b.58.1782742838733; Mon, 29 Jun 2026 07:20:38 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:38 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 15/19] nfs-utils: fix CVE-2025-12801 Date: Mon, 29 Jun 2026 16:20:00 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239803 From: Sudhir Dumbhare - This patch applies the upstream fix [5] as referenced in [7]. - To successfully apply the fixed commit, apply the dependent commits [2] to [4] which are included in v2.8.6, as referenced in [7]. - Additionally, include dependent commit [1] from v2.8.3, as referenced in [8] under the [2.5.4-38.2] description, along with compilation fix commit [6] from v2.7.1 - Reference: [1] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790 [2] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58 [3] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe [4] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92 [5] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899 [6] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a [7] https://security-tracker.debian.org/tracker/CVE-2025-12801 [8] https://linux.oracle.com/errata/ELSA-2026-3940.html Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- .../nfs-utils/CVE-2025-12801-build-fix.patch | 44 ++ .../CVE-2025-12801-dependent_p1.patch | 450 +++++++++++++++++ .../CVE-2025-12801-dependent_p2.patch | 81 +++ .../CVE-2025-12801-dependent_p3.patch | 181 +++++++ .../CVE-2025-12801-dependent_p4.patch | 468 ++++++++++++++++++ .../nfs-utils/nfs-utils/CVE-2025-12801.patch | 254 ++++++++++ .../nfs-utils/nfs-utils_2.6.4.bb | 6 + 7 files changed, 1484 insertions(+) create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch new file mode 100644 index 00000000000..d7aaca22425 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch @@ -0,0 +1,44 @@ +From 30e0f57fff545b0bb3071fa071c7b12c2923bac8 Mon Sep 17 00:00:00 2001 +From: Steve Dickson +Date: Mon, 22 Jan 2024 13:23:57 -0500 +Subject: [PATCH] reexport.c: Some Distros need the following include to + avoid the following error + +reexport.c: In function ‘connect_fsid_service’: +reexport.c:41:28: error: implicit declaration of function ‘offsetof’ [-Werror=implicit-function-declaration] + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~~~ +reexport.c:19:1: note: ‘offsetof’ is defined in header ‘’; did you forget to ‘#include ’? + 18 | #include "xlog.h" + +++ |+#include + 19 | +reexport.c:41:37: error: expected expression before ‘struct’ + 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path); + | ^~~~~~ +cc1: some warnings being treated as errors + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a71b482bb62bad6d93ddde51e5dc6] + +Signed-off-by: Steve Dickson +(cherry picked from commit a2c95e4f557a71b482bb62bad6d93ddde51e5dc6) +Signed-off-by: Sudhir Dumbhare +--- + support/reexport/reexport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/support/reexport/reexport.c b/support/reexport/reexport.c +index 78516586..16dde0fb 100644 +--- a/support/reexport/reexport.c ++++ b/support/reexport/reexport.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include "nfsd_path.h" + #include "conffile.h" +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch new file mode 100644 index 00000000000..c1fb7c2f12e --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch @@ -0,0 +1,450 @@ +From bbec1c68cbf9a9b3b28aad213b4573d288879a6f Mon Sep 17 00:00:00 2001 +From: Christopher Bii +Date: Wed, 15 Jan 2025 12:10:48 -0500 +Subject: [PATCH] NFS export symlink vulnerability fix + +Replaced dangerous use of realpath within support/nfs/export.c with +nfsd_realpath variant that is executed within the chrooted thread +rather than main thread. + +Implemented nfsd_path.h methods to work securely within chrooted +thread using nfsd_run_task() help + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a] + +Signed-off-by: Christopher Bii +Signed-off-by: Steve Dickson +(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a) +Signed-off-by: Sudhir Dumbhare +--- + support/export/cache.c | 2 +- + support/include/nfsd_path.h | 5 +- + support/misc/nfsd_path.c | 257 +++++++++++------------------------- + support/nfs/exports.c | 3 +- + 4 files changed, 83 insertions(+), 184 deletions(-) + +diff --git a/support/export/cache.c b/support/export/cache.c +index 6c0a44a3..a4c339f2 100644 +--- a/support/export/cache.c ++++ b/support/export/cache.c +@@ -65,7 +65,7 @@ static ssize_t cache_read(int fd, char *buf, size_t len) + return nfsd_path_read(fd, buf, len); + } + +-static ssize_t cache_write(int fd, const char *buf, size_t len) ++static ssize_t cache_write(int fd, void *buf, size_t len) + { + return nfsd_path_write(fd, buf, len); + } +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index aa1e1dd0..f600fb5a 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -8,6 +8,7 @@ + + struct file_handle; + struct statfs; ++struct nfsd_task_t; + + void nfsd_path_init(void); + +@@ -23,8 +24,8 @@ int nfsd_path_statfs(const char *pathname, + + char * nfsd_realpath(const char *path, char *resolved_path); + +-ssize_t nfsd_path_read(int fd, char *buf, size_t len); +-ssize_t nfsd_path_write(int fd, const char *buf, size_t len); ++ssize_t nfsd_path_read(int fd, void* buf, size_t len); ++ssize_t nfsd_path_write(int fd, void* buf, size_t len); + + int nfsd_name_to_handle_at(int fd, const char *path, + struct file_handle *fh, +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index c3dea4f0..caec33ca 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -19,7 +19,20 @@ + #include "nfsd_path.h" + #include "workqueue.h" + +-static struct xthread_workqueue *nfsd_wq; ++static struct xthread_workqueue *nfsd_wq = NULL; ++ ++struct nfsd_task_t { ++ int ret; ++ void* data; ++}; ++/* Function used to offload tasks that must be ran within the correct ++ * chroot environment. ++ */ ++static void ++nfsd_run_task(void (*func)(void*), void* data){ ++ nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data); ++}; ++ + + static int + nfsd_path_isslash(const char *path) +@@ -124,224 +137,119 @@ nfsd_path_init(void) + } + + struct nfsd_stat_data { +- const char *pathname; +- struct stat *statbuf; +- int ret; +- int err; ++ const char *pathname; ++ struct stat *statbuf; ++ int (*stat_handler)(const char*, struct stat*); + }; + + static void +-nfsd_statfunc(void *data) +-{ +- struct nfsd_stat_data *d = data; +- +- d->ret = xstat(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; +-} +- +-static void +-nfsd_lstatfunc(void *data) ++nfsd_handle_stat(void *data) + { +- struct nfsd_stat_data *d = data; +- +- d->ret = xlstat(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_task_t* t = data; ++ struct nfsd_stat_data* d = t->data; ++ t->ret = d->stat_handler(d->pathname, d->statbuf); + } + + static int +-nfsd_run_stat(struct xthread_workqueue *wq, +- void (*func)(void *), +- const char *pathname, +- struct stat *statbuf) ++nfsd_run_stat(const char *pathname, ++ struct stat *statbuf, ++ int (*handler)(const char*, struct stat*)) + { +- struct nfsd_stat_data data = { +- pathname, +- statbuf, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, func, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_task_t t; ++ struct nfsd_stat_data d = { pathname, statbuf, handler }; ++ t.data = &d; ++ nfsd_run_task(nfsd_handle_stat, &t); ++ return t.ret; + } + + int + nfsd_path_stat(const char *pathname, struct stat *statbuf) + { +- if (!nfsd_wq) +- return xstat(pathname, statbuf); +- return nfsd_run_stat(nfsd_wq, nfsd_statfunc, pathname, statbuf); ++ return nfsd_run_stat(pathname, statbuf, stat); + } + + int +-nfsd_path_lstat(const char *pathname, struct stat *statbuf) +-{ +- if (!nfsd_wq) +- return xlstat(pathname, statbuf); +- return nfsd_run_stat(nfsd_wq, nfsd_lstatfunc, pathname, statbuf); +-} +- +-struct nfsd_statfs_data { +- const char *pathname; +- struct statfs *statbuf; +- int ret; +- int err; ++nfsd_path_lstat(const char* pathname, struct stat* statbuf){ ++ return nfsd_run_stat(pathname, statbuf, lstat); + }; + +-static void +-nfsd_statfsfunc(void *data) +-{ +- struct nfsd_statfs_data *d = data; +- +- d->ret = statfs(d->pathname, d->statbuf); +- if (d->ret < 0) +- d->err = errno; +-} +- +-static int +-nfsd_run_statfs(struct xthread_workqueue *wq, +- const char *pathname, +- struct statfs *statbuf) +-{ +- struct nfsd_statfs_data data = { +- pathname, +- statbuf, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_statfsfunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; +-} +- + int +-nfsd_path_statfs(const char *pathname, struct statfs *statbuf) ++nfsd_path_statfs(const char* pathname, struct statfs* statbuf) + { +- if (!nfsd_wq) +- return statfs(pathname, statbuf); +- return nfsd_run_statfs(nfsd_wq, pathname, statbuf); +-} ++ return nfsd_run_stat(pathname, (struct stat*)statbuf, (int (*)(const char*, struct stat*))statfs); ++}; + +-struct nfsd_realpath_data { +- const char *pathname; +- char *resolved; +- int err; ++struct nfsd_realpath_t { ++ const char* path; ++ char* resolved_buf; ++ char* res_ptr; + }; + + static void + nfsd_realpathfunc(void *data) + { +- struct nfsd_realpath_data *d = data; +- +- d->resolved = realpath(d->pathname, d->resolved); +- if (!d->resolved) +- d->err = errno; ++ struct nfsd_realpath_t *d = data; ++ d->res_ptr = realpath(d->path, d->resolved_buf); + } + +-char * +-nfsd_realpath(const char *path, char *resolved_path) ++char* ++nfsd_realpath(const char *path, char *resolved_buf) + { +- struct nfsd_realpath_data data = { +- path, +- resolved_path, +- 0 +- }; +- +- if (!nfsd_wq) +- return realpath(path, resolved_path); +- +- xthread_work_run_sync(nfsd_wq, nfsd_realpathfunc, &data); +- if (!data.resolved) +- errno = data.err; +- return data.resolved; ++ struct nfsd_realpath_t realpath_buf = { ++ .path = path, ++ .resolved_buf = resolved_buf ++ }; ++ nfsd_run_task(nfsd_realpathfunc, &realpath_buf); ++ return realpath_buf.res_ptr; + } + +-struct nfsd_read_data { +- int fd; +- char *buf; +- size_t len; +- ssize_t ret; +- int err; ++struct nfsd_rw_data { ++ int fd; ++ void* buf; ++ size_t len; ++ ssize_t bytes_read; + }; + + static void + nfsd_readfunc(void *data) + { +- struct nfsd_read_data *d = data; +- +- d->ret = read(d->fd, d->buf, d->len); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_rw_data* t = (struct nfsd_rw_data*)data; ++ t->bytes_read = read(t->fd, t->buf, t->len); + } + + static ssize_t +-nfsd_run_read(struct xthread_workqueue *wq, int fd, char *buf, size_t len) ++nfsd_run_read(int fd, void* buf, size_t len) + { +- struct nfsd_read_data data = { +- fd, +- buf, +- len, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_readfunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len }; ++ nfsd_run_task(nfsd_readfunc, &d); ++ return d.bytes_read; + } + + ssize_t +-nfsd_path_read(int fd, char *buf, size_t len) ++nfsd_path_read(int fd, void* buf, size_t len) + { +- if (!nfsd_wq) +- return read(fd, buf, len); +- return nfsd_run_read(nfsd_wq, fd, buf, len); ++ return nfsd_run_read(fd, buf, len); + } + +-struct nfsd_write_data { +- int fd; +- const char *buf; +- size_t len; +- ssize_t ret; +- int err; +-}; +- + static void + nfsd_writefunc(void *data) + { +- struct nfsd_write_data *d = data; +- +- d->ret = write(d->fd, d->buf, d->len); +- if (d->ret < 0) +- d->err = errno; ++ struct nfsd_rw_data* d = data; ++ d->bytes_read = write(d->fd, d->buf, d->len); + } + + static ssize_t +-nfsd_run_write(struct xthread_workqueue *wq, int fd, const char *buf, size_t len) ++nfsd_run_write(int fd, void* buf, size_t len) + { +- struct nfsd_write_data data = { +- fd, +- buf, +- len, +- 0, +- 0 +- }; +- xthread_work_run_sync(wq, nfsd_writefunc, &data); +- if (data.ret < 0) +- errno = data.err; +- return data.ret; ++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len }; ++ nfsd_run_task(nfsd_writefunc, &d); ++ return d.bytes_read; + } + + ssize_t +-nfsd_path_write(int fd, const char *buf, size_t len) ++nfsd_path_write(int fd, void* buf, size_t len) + { +- if (!nfsd_wq) +- return write(fd, buf, len); +- return nfsd_run_write(nfsd_wq, fd, buf, len); ++ return nfsd_run_write(fd, buf, len); + } + + #if defined(HAVE_NAME_TO_HANDLE_AT) +@@ -352,23 +260,18 @@ struct nfsd_handle_data { + int *mount_id; + int flags; + int ret; +- int err; + }; + + static void + nfsd_name_to_handle_func(void *data) + { + struct nfsd_handle_data *d = data; +- +- d->ret = name_to_handle_at(d->fd, d->path, +- d->fh, d->mount_id, d->flags); +- if (d->ret < 0) +- d->err = errno; ++ d->ret = name_to_handle_at(d->fd, d->path, d->fh, d->mount_id, d->flags); + } + + static int +-nfsd_run_name_to_handle_at(struct xthread_workqueue *wq, +- int fd, const char *path, struct file_handle *fh, ++nfsd_run_name_to_handle_at(int fd, const char *path, ++ struct file_handle *fh, + int *mount_id, int flags) + { + struct nfsd_handle_data data = { +@@ -377,25 +280,19 @@ nfsd_run_name_to_handle_at(struct xthread_workqueue *wq, + fh, + mount_id, + flags, +- 0, + 0 + }; + +- xthread_work_run_sync(wq, nfsd_name_to_handle_func, &data); +- if (data.ret < 0) +- errno = data.err; ++ nfsd_run_task(nfsd_name_to_handle_func, &data); + return data.ret; + } + + int +-nfsd_name_to_handle_at(int fd, const char *path, struct file_handle *fh, ++nfsd_name_to_handle_at(int fd, const char *path, ++ struct file_handle *fh, + int *mount_id, int flags) + { +- if (!nfsd_wq) +- return name_to_handle_at(fd, path, fh, mount_id, flags); +- +- return nfsd_run_name_to_handle_at(nfsd_wq, fd, path, fh, +- mount_id, flags); ++ return nfsd_run_name_to_handle_at(fd, path, fh, mount_id, flags); + } + #else + int +diff --git a/support/nfs/exports.c b/support/nfs/exports.c +index 15dc574c..c47e3d0a 100644 +--- a/support/nfs/exports.c ++++ b/support/nfs/exports.c +@@ -32,6 +32,7 @@ + #include "xio.h" + #include "pseudoflavors.h" + #include "reexport.h" ++#include "nfsd_path.h" + + #define EXPORT_DEFAULT_FLAGS \ + (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK) +@@ -200,7 +201,7 @@ getexportent(int fromkernel, int fromexports) + return NULL; + } + /* resolve symlinks */ +- if (realpath(ee.e_path, rpath) != NULL) { ++ if (nfsd_realpath(ee.e_path, rpath) != NULL) { + rpath[sizeof (rpath) - 1] = '\0'; + strncpy(ee.e_path, rpath, sizeof (ee.e_path) - 1); + ee.e_path[sizeof (ee.e_path) - 1] = '\0'; +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch new file mode 100644 index 00000000000..f088eadb4bd --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch @@ -0,0 +1,81 @@ +From a6ddd0e9594884cf61816478e8c561f1b3aac709 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 11:26:03 -0500 +Subject: [PATCH] mountd: Minor refactor of get_rootfh() + +Perform the mountpoint checks before checking the user path. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58657359c6842119fc516c6dd1baa4] + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 7e8b36522f58657359c6842119fc516c6dd1baa4) +Signed-off-by: Sudhir Dumbhare +--- + utils/mountd/mountd.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index dbd5546d..39afd4aa 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -412,6 +412,23 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } ++ if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ if (exp->m_export.e_mountpoint && ++ !check_is_mountpoint(exp->m_export.e_mountpoint[0]? ++ exp->m_export.e_mountpoint: ++ exp->m_export.e_path, ++ nfsd_path_lstat)) { ++ xlog(L_WARNING, "request to export an unmounted filesystem: %s", ++ p); ++ *error = MNT3ERR_NOENT; ++ return NULL; ++ } ++ + if (nfsd_path_stat(p, &stb) < 0) { + xlog(L_WARNING, "can't stat exported dir %s: %s", + p, strerror(errno)); +@@ -426,12 +443,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_NOTDIR; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", +- p, strerror(errno)); +- *error = MNT3ERR_NOENT; +- return NULL; +- } + if (estb.st_dev != stb.st_dev + && !(exp->m_export.e_flags & NFSEXP_CROSSMOUNT)) { + xlog(L_WARNING, "request to export directory %s below nearest filesystem %s", +@@ -439,17 +450,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (exp->m_export.e_mountpoint && +- !check_is_mountpoint(exp->m_export.e_mountpoint[0]? +- exp->m_export.e_mountpoint: +- exp->m_export.e_path, +- nfsd_path_lstat)) { +- xlog(L_WARNING, "request to export an unmounted filesystem: %s", +- p); +- *error = MNT3ERR_NOENT; +- return NULL; +- } +- + /* This will be a static private nfs_export with just one + * address. We feed it to kernel then extract the filehandle, + */ +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch new file mode 100644 index 00000000000..901069e3b9f --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch @@ -0,0 +1,181 @@ +From 57732919d26ce523161392d688e3b67d6fc50839 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 11:28:39 -0500 +Subject: [PATCH] mountd: Separate lookup of the exported directory and the + mount path + +When the caller asks to mount a path that does not terminate with an +exported directory, we want to split up the lookups so that we can +look up the exported directory using the mountd privileged credential, +and the remaining subdirectory lookups using the RPC caller's +credential. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fed98f12437ac8b28cfb12b6bad056] + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 42f01e6a78fed98f12437ac8b28cfb12b6bad056) +Signed-off-by: Sudhir Dumbhare +--- + support/include/nfsd_path.h | 1 + + support/misc/nfsd_path.c | 31 ++++++++++++++++++ + utils/mountd/mountd.c | 63 +++++++++++++++++++++++++++++++------ + 3 files changed, 86 insertions(+), 9 deletions(-) + +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index f600fb5a..3e5a2f5d 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -18,6 +18,7 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); ++int nfsd_openat(int dirfd, const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index caec33ca..dfe88e4f 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -203,6 +203,37 @@ nfsd_realpath(const char *path, char *resolved_buf) + return realpath_buf.res_ptr; + } + ++struct nfsd_openat_t { ++ const char *path; ++ int dirfd; ++ int flags; ++ int res_fd; ++ int res_error; ++}; ++ ++static void nfsd_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ ++ d->res_fd = openat(d->dirfd, d->path, d->flags); ++ if (d->res_fd == -1) ++ d->res_error = errno; ++} ++ ++int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ struct nfsd_openat_t open_buf = { ++ .path = path, ++ .dirfd = dirfd, ++ .flags = flags, ++ }; ++ ++ nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (open_buf.res_fd == -1) ++ errno = open_buf.res_error; ++ return open_buf.res_fd; ++} ++ + struct nfsd_rw_data { + int fd; + void* buf; +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index 39afd4aa..f43ebef5 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -392,7 +392,10 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + struct nfs_fh_len *fh; + char rpath[MAXPATHLEN+1]; + char *p = *path; ++ char *subpath; + char buf[INET6_ADDRSTRLEN]; ++ size_t epathlen; ++ int dirfd; + + if (*p == '\0') + p = "/"; +@@ -412,12 +415,21 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + *error = MNT3ERR_ACCES; + return NULL; + } +- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) { +- xlog(L_WARNING, "can't stat export point %s: %s", ++ ++ dirfd = nfsd_openat(AT_FDCWD, exp->m_export.e_path, O_PATH); ++ if (dirfd == -1) { ++ xlog(L_WARNING, "can't open export point %s: %s", + p, strerror(errno)); + *error = MNT3ERR_NOENT; + return NULL; + } ++ if (fstat(dirfd, &estb) == -1) { ++ xlog(L_WARNING, "can't stat export point %s: %s", ++ p, strerror(errno)); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } + if (exp->m_export.e_mountpoint && + !check_is_mountpoint(exp->m_export.e_mountpoint[0]? + exp->m_export.e_mountpoint: +@@ -426,18 +438,51 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + xlog(L_WARNING, "request to export an unmounted filesystem: %s", + p); + *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } + +- if (nfsd_path_stat(p, &stb) < 0) { +- xlog(L_WARNING, "can't stat exported dir %s: %s", +- p, strerror(errno)); +- if (errno == ENOENT) +- *error = MNT3ERR_NOENT; +- else +- *error = MNT3ERR_ACCES; ++ epathlen = strlen(exp->m_export.e_path); ++ if (epathlen > strlen(p)) { ++ xlog(L_WARNING, "raced with change of exported path: %s", p); ++ *error = MNT3ERR_NOENT; ++ close(dirfd); + return NULL; + } ++ subpath = &p[epathlen]; ++ while (*subpath == '/') ++ subpath++; ++ if (*subpath != '\0') { ++ int fd; ++ ++ /* Just perform a lookup of the path */ ++ fd = nfsd_openat(dirfd, subpath, O_PATH); ++ close(dirfd); ++ if (fd == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ return NULL; ++ } ++ if (fstat(fd, &stb) == -1) { ++ xlog(L_WARNING, "can't open exported dir %s: %s", p, ++ strerror(errno)); ++ if (errno == ENOENT) ++ *error = MNT3ERR_NOENT; ++ else ++ *error = MNT3ERR_ACCES; ++ close(fd); ++ return NULL; ++ } ++ close(fd); ++ } else { ++ close(dirfd); ++ stb = estb; ++ } ++ + if (!S_ISDIR(stb.st_mode) && !S_ISREG(stb.st_mode)) { + xlog(L_WARNING, "%s is not a directory or regular file", p); + *error = MNT3ERR_NOTDIR; +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch new file mode 100644 index 00000000000..4ef529e7373 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch @@ -0,0 +1,468 @@ +From 7eef498b6bd01adc45415b03ddf321c84f82aa45 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 10 Nov 2025 12:18:38 -0500 +Subject: [PATCH] support: Add a mini-library to extract and apply RPC + credentials + +Add server functionality to extract the credentials from the client RPC +call, and apply them. This is needed in order to perform access checking +on the requested path in the mountd daemon. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d922d4961e60dad73ad1c2d97d8d99b] + +Backport Changes: +- In support/misc/Makefile.am, the non-essential file.c was omitted + as it does not exist in the current nfs-utils version. + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Steve Dickson +(cherry picked from commit 51738ae56d922d4961e60dad73ad1c2d97d8d99b) +Signed-off-by: Sudhir Dumbhare +--- + aclocal/libtirpc.m4 | 11 +++ + support/include/Makefile.am | 1 + + support/include/nfs_ucred.h | 44 ++++++++++ + support/misc/Makefile.am | 2 +- + support/misc/ucred.c | 162 ++++++++++++++++++++++++++++++++++++ + support/nfs/Makefile.am | 2 +- + support/nfs/ucred.c | 147 ++++++++++++++++++++++++++++++++ + 7 files changed, 367 insertions(+), 2 deletions(-) + create mode 100644 support/include/nfs_ucred.h + create mode 100644 support/misc/ucred.c + create mode 100644 support/nfs/ucred.c + +diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4 +index bddae022..84e18f7e 100644 +--- a/aclocal/libtirpc.m4 ++++ b/aclocal/libtirpc.m4 +@@ -26,6 +26,17 @@ AC_DEFUN([AC_LIBTIRPC], [ + [Define to 1 if your tirpc library provides libtirpc_set_debug])],, + [${LIBS}])]) + ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [rpc_gss_getcred], ++ [AC_DEFINE([HAVE_TIRPC_GSS_GETCRED], [1], ++ [Define to 1 if your tirpc library provides rpc_gss_getcred])],, ++ [${LIBS}])]) ++ ++ AS_IF([test -n "${LIBTIRPC}"], ++ [AC_CHECK_LIB([tirpc], [authdes_getucred], ++ [AC_DEFINE([HAVE_TIRPC_AUTHDES_GETUCRED], [1], ++ [Define to 1 if your tirpc library provides authdes_getucred])],, ++ [${LIBS}])]) + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST(LIBTIRPC) + +diff --git a/support/include/Makefile.am b/support/include/Makefile.am +index 1373891a..631a84f8 100644 +--- a/support/include/Makefile.am ++++ b/support/include/Makefile.am +@@ -10,6 +10,7 @@ noinst_HEADERS = \ + misc.h \ + nfs_mntent.h \ + nfs_paths.h \ ++ nfs_ucred.h \ + nfsd_path.h \ + nfslib.h \ + nfsrpc.h \ +diff --git a/support/include/nfs_ucred.h b/support/include/nfs_ucred.h +new file mode 100644 +index 00000000..d58b61e4 +--- /dev/null ++++ b/support/include/nfs_ucred.h +@@ -0,0 +1,44 @@ ++#ifndef _NFS_UCRED_H ++#define _NFS_UCRED_H ++ ++#include ++ ++struct nfs_ucred { ++ uid_t uid; ++ gid_t gid; ++ int ngroups; ++ gid_t *groups; ++}; ++ ++struct svc_req; ++struct exportent; ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep); ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, ++ const struct exportent *ep); ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep); ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp); ++ ++static inline void nfs_ucred_free(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ free(cred); ++} ++ ++static inline void nfs_ucred_init_groups(struct nfs_ucred *cred, gid_t *groups, ++ int ngroups) ++{ ++ cred->groups = groups; ++ cred->ngroups = ngroups; ++} ++ ++static inline void nfs_ucred_free_groups(struct nfs_ucred *cred) ++{ ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, NULL, 0); ++} ++ ++#endif /* _NFS_UCRED_H */ +diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am +index 8b0e9db9..ea970064 100644 +--- a/support/misc/Makefile.am ++++ b/support/misc/Makefile.am +@@ -2,6 +2,6 @@ + + noinst_LIBRARIES = libmisc.a + libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \ +- nfsd_path.c workqueue.c xstat.c ++ nfsd_path.c ucred.c workqueue.c xstat.c + + MAINTAINERCLEANFILES = Makefile.in +diff --git a/support/misc/ucred.c b/support/misc/ucred.c +new file mode 100644 +index 00000000..92d97912 +--- /dev/null ++++ b/support/misc/ucred.c +@@ -0,0 +1,162 @@ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#include "xlog.h" ++ ++void nfs_ucred_squash_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ int i; ++ ++ if (!(ep->e_flags & NFSEXP_ROOTSQUASH)) ++ return; ++ if (cred->gid == 0) ++ cred->gid = ep->e_anongid; ++ for (i = 0; i < cred->ngroups; i++) { ++ if (cred->groups[i] == 0) ++ cred->groups[i] = ep->e_anongid; ++ } ++} ++ ++static int nfs_ucred_init_effective(struct nfs_ucred *cred) ++{ ++ int ngroups = getgroups(0, NULL); ++ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(gid_t); ++ gid_t *groups = malloc(sz); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgroups(ngroups, groups) == -1) { ++ free(groups); ++ return errno; ++ } ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = geteuid(); ++ cred->gid = getegid(); ++ return 0; ++} ++ ++static size_t nfs_ucred_getpw_r_size_max(void) ++{ ++ long buflen = sysconf(_SC_GETPW_R_SIZE_MAX); ++ ++ if (buflen == -1) ++ return 16384; ++ return buflen; ++} ++ ++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep) ++{ ++ struct passwd pwd, *pw; ++ uid_t uid = cred->uid; ++ gid_t gid = cred->gid; ++ size_t buflen; ++ char *buf; ++ int ngroups = 0; ++ int ret; ++ ++ if (ep->e_flags & (NFSEXP_ALLSQUASH | NFSEXP_ROOTSQUASH) && ++ (int)uid == ep->e_anonuid) ++ return 0; ++ buflen = nfs_ucred_getpw_r_size_max(); ++ buf = alloca(buflen); ++ ret = getpwuid_r(uid, &pwd, buf, buflen, &pw); ++ if (ret != 0) ++ return ret; ++ if (!pw) ++ return ENOENT; ++ if (getgrouplist(pw->pw_name, gid, NULL, &ngroups) == -1 && ++ ngroups > 0) { ++ gid_t *groups = malloc(ngroups * sizeof(groups[0])); ++ if (groups == NULL) ++ return ENOMEM; ++ if (getgrouplist(pw->pw_name, gid, groups, &ngroups) == -1) { ++ free(groups); ++ return ENOMEM; ++ } ++ free(cred->groups); ++ nfs_ucred_init_groups(cred, groups, ngroups); ++ nfs_ucred_squash_groups(cred, ep); ++ } else ++ nfs_ucred_free_groups(cred); ++ return 0; ++} ++ ++static int nfs_ucred_set_effective(const struct nfs_ucred *cred, ++ const struct nfs_ucred *saved) ++{ ++ uid_t suid = saved ? saved->uid : geteuid(); ++ gid_t sgid = saved ? saved->gid : getegid(); ++ int ret; ++ ++ /* Start with a privileged effective user */ ++ if (setresuid(-1, 0, -1) < 0) { ++ xlog(L_WARNING, "can't change privileged user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ ++ if (setgroups(cred->ngroups, cred->groups) == -1) { ++ xlog(L_WARNING, "can't change groups for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ return errno; ++ } ++ if (setresgid(-1, cred->gid, sgid) == -1) { ++ xlog(L_WARNING, "can't change gid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_groups; ++ } ++ if (setresuid(-1, cred->uid, suid) == -1) { ++ xlog(L_WARNING, "can't change uid for user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ ret = errno; ++ goto restore_gid; ++ } ++ return 0; ++restore_gid: ++ if (setresgid(-1, sgid, -1) < 0) { ++ xlog(L_WARNING, "can't restore privileged user %u-%u. %s", ++ geteuid(), getegid(), strerror(errno)); ++ } ++restore_groups: ++ if (saved) ++ setgroups(saved->ngroups, saved->groups); ++ else ++ setgroups(0, NULL); ++ return ret; ++} ++ ++int nfs_ucred_swap_effective(const struct nfs_ucred *cred, ++ struct nfs_ucred **savedp) ++{ ++ struct nfs_ucred *saved = malloc(sizeof(*saved)); ++ int ret; ++ ++ if (saved == NULL) ++ return ENOMEM; ++ ret = nfs_ucred_init_effective(saved); ++ if (ret != 0) { ++ free(saved); ++ return ret; ++ } ++ ret = nfs_ucred_set_effective(cred, saved); ++ if (savedp == NULL || ret != 0) ++ nfs_ucred_free(saved); ++ else ++ *savedp = saved; ++ return ret; ++} +diff --git a/support/nfs/Makefile.am b/support/nfs/Makefile.am +index 2e1577cc..f6921265 100644 +--- a/support/nfs/Makefile.am ++++ b/support/nfs/Makefile.am +@@ -7,7 +7,7 @@ libnfs_la_SOURCES = exports.c rmtab.c xio.c rpcmisc.c rpcdispatch.c \ + xcommon.c wildmat.c mydaemon.c \ + rpc_socket.c getport.c \ + svc_socket.c cacheio.c closeall.c nfs_mntent.c \ +- svc_create.c atomicio.c strlcat.c strlcpy.c ++ svc_create.c atomicio.c strlcat.c strlcpy.c ucred.c + libnfs_la_LIBADD = libnfsconf.la + libnfs_la_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS) -I$(top_srcdir)/support/reexport + +diff --git a/support/nfs/ucred.c b/support/nfs/ucred.c +new file mode 100644 +index 00000000..6ea8efdf +--- /dev/null ++++ b/support/nfs/ucred.c +@@ -0,0 +1,147 @@ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++ ++#include "exportfs.h" ++#include "nfs_ucred.h" ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++#include ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++#include ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++static int nfs_ucred_copy_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups) ++{ ++ if (ngroups > 0) { ++ size_t sz = ngroups * sizeof(groups[0]); ++ cred->groups = malloc(sz); ++ if (cred->groups == NULL) ++ return ENOMEM; ++ cred->ngroups = ngroups; ++ memcpy(cred->groups, groups, sz); ++ } else ++ nfs_ucred_init_groups(cred, NULL, 0); ++ cred->uid = uid; ++ cred->gid = gid; ++ return 0; ++} ++ ++static int nfs_ucred_init_cred_squashed(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ cred->uid = ep->e_anonuid; ++ cred->gid = ep->e_anongid; ++ nfs_ucred_init_groups(cred, NULL, 0); ++ return 0; ++} ++ ++static int nfs_ucred_init_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid, ++ const gid_t *groups, int ngroups, ++ const struct exportent *ep) ++{ ++ if (ep->e_flags & NFSEXP_ALLSQUASH) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ } else if (ep->e_flags & NFSEXP_ROOTSQUASH && uid == 0) { ++ nfs_ucred_init_cred_squashed(cred, ep); ++ if (gid != 0) ++ cred->gid = gid; ++ } else { ++ int ret = nfs_ucred_copy_cred(cred, uid, gid, groups, ngroups); ++ if (ret != 0) ++ return ret; ++ nfs_ucred_squash_groups(cred, ep); ++ } ++ return 0; ++} ++ ++static int nfs_ucred_init_null(struct nfs_ucred *cred, ++ const struct exportent *ep) ++{ ++ return nfs_ucred_init_cred_squashed(cred, ep); ++} ++ ++static int nfs_ucred_init_unix(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authunix_parms *aup; ++ ++ aup = (struct authunix_parms *)rqst->rq_clntcred; ++ return nfs_ucred_init_cred(cred, aup->aup_uid, aup->aup_gid, ++ aup->aup_gids, aup->aup_len, ep); ++} ++ ++#ifdef HAVE_TIRPC_GSS_GETCRED ++static int nfs_ucred_init_gss(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ rpc_gss_ucred_t *gss_ucred = NULL; ++ ++ if (!rpc_gss_getcred(rqst, NULL, &gss_ucred, NULL) || gss_ucred == NULL) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, gss_ucred->uid, gss_ucred->gid, ++ gss_ucred->gidlist, gss_ucred->gidlen, ep); ++} ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++int authdes_getucred(struct authdes_cred *adc, uid_t *uid, gid_t *gid, ++ int *grouplen, gid_t *groups); ++ ++static int nfs_ucred_init_des(struct nfs_ucred *cred, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct authdes_cred *des_cred; ++ uid_t uid; ++ gid_t gid; ++ int grouplen; ++ gid_t groups[NGROUPS]; ++ ++ des_cred = (struct authdes_cred *)rqst->rq_clntcred; ++ if (!authdes_getucred(des_cred, &uid, &gid, &grouplen, &groups[0])) ++ return EINVAL; ++ return nfs_ucred_init_cred(cred, uid, gid, groups, grouplen, ep); ++} ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ ++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst, ++ const struct exportent *ep) ++{ ++ struct nfs_ucred *cred = malloc(sizeof(*cred)); ++ int ret; ++ ++ *credp = NULL; ++ if (cred == NULL) ++ return ENOMEM; ++ switch (rqst->rq_cred.oa_flavor) { ++ case AUTH_UNIX: ++ ret = nfs_ucred_init_unix(cred, rqst, ep); ++ break; ++#ifdef HAVE_TIRPC_GSS_GETCRED ++ case RPCSEC_GSS: ++ ret = nfs_ucred_init_gss(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_GSS_GETCRED */ ++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED ++ case AUTH_DES: ++ ret = nfs_ucred_init_des(cred, rqst, ep); ++ break; ++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */ ++ default: ++ ret = nfs_ucred_init_null(cred, ep); ++ break; ++ } ++ if (ret == 0) { ++ *credp = cred; ++ return 0; ++ } ++ free(cred); ++ return ret; ++} +-- +2.44.4 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch new file mode 100644 index 00000000000..9f01604af0f --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch @@ -0,0 +1,254 @@ +From a94b2b6002f31acc5a66893b7c6d368c6b7b8806 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 5 Mar 2026 10:41:02 -0500 +Subject: [PATCH] Fix access checks when mounting subdirectories in NFSv3 + +If a NFSv3 client asks to mount a subdirectory of one of the exported +directories, then apply the RPC credential together with any root +or all squash rules that would apply to the client in question. + +CVE: CVE-2025-12801 +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899088ca1925de079bd58d6205a1f3c] + +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Scott Mayhew +Signed-off-by: Steve Dickson +(cherry picked from commit f36bd900a899088ca1925de079bd58d6205a1f3c) +Signed-off-by: Sudhir Dumbhare +--- + nfs.conf | 1 + + support/include/nfsd_path.h | 9 ++++++++- + support/misc/nfsd_path.c | 32 ++++++++++++++++++++++++++++++-- + utils/mountd/mountd.c | 28 ++++++++++++++++++++++++++-- + utils/mountd/mountd.man | 26 ++++++++++++++++++++++++++ + 5 files changed, 91 insertions(+), 5 deletions(-) + +diff --git a/nfs.conf b/nfs.conf +index 323f072b..e08cd9a9 100644 +--- a/nfs.conf ++++ b/nfs.conf +@@ -45,6 +45,7 @@ + # ttl=1800 + [mountd] + # debug="all|auth|call|general|parse" ++# apply-root-cred=n + # manage-gids=n + # descriptors=0 + # port=0 +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h +index 3e5a2f5d..06c0f2f4 100644 +--- a/support/include/nfsd_path.h ++++ b/support/include/nfsd_path.h +@@ -9,6 +9,7 @@ + struct file_handle; + struct statfs; + struct nfsd_task_t; ++struct nfs_ucred; + + void nfsd_path_init(void); + +@@ -18,7 +19,8 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); + + int nfsd_path_stat(const char *pathname, struct stat *statbuf); + int nfsd_path_lstat(const char *pathname, struct stat *statbuf); +-int nfsd_openat(int dirfd, const char *path, int flags); ++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, ++ const char *path, int flags); + + int nfsd_path_statfs(const char *pathname, + struct statfs *statbuf); +@@ -31,4 +33,9 @@ ssize_t nfsd_path_write(int fd, void* buf, size_t len); + int nfsd_name_to_handle_at(int fd, const char *path, + struct file_handle *fh, + int *mount_id, int flags); ++ ++static inline int nfsd_openat(int dirfd, const char *path, int flags) ++{ ++ return nfsd_cred_openat(NULL, dirfd, path, flags); ++} + #endif +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c +index dfe88e4f..6466666d 100644 +--- a/support/misc/nfsd_path.c ++++ b/support/misc/nfsd_path.c +@@ -17,6 +17,7 @@ + #include "xstat.h" + #include "nfslib.h" + #include "nfsd_path.h" ++#include "nfs_ucred.h" + #include "workqueue.h" + + static struct xthread_workqueue *nfsd_wq = NULL; +@@ -204,6 +205,7 @@ nfsd_realpath(const char *path, char *resolved_buf) + } + + struct nfsd_openat_t { ++ const struct nfs_ucred *cred; + const char *path; + int dirfd; + int flags; +@@ -220,15 +222,41 @@ static void nfsd_openatfunc(void *data) + d->res_error = errno; + } + +-int nfsd_openat(int dirfd, const char *path, int flags) ++static void nfsd_cred_openatfunc(void *data) ++{ ++ struct nfsd_openat_t *d = data; ++ struct nfs_ucred *saved = NULL; ++ int ret; ++ ++ ret = nfs_ucred_swap_effective(d->cred, &saved); ++ if (ret != 0) { ++ d->res_fd = -1; ++ d->res_error = ret; ++ return; ++ } ++ ++ nfsd_openatfunc(data); ++ ++ if (saved != NULL) { ++ nfs_ucred_swap_effective(saved, NULL); ++ nfs_ucred_free(saved); ++ } ++} ++ ++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, const char *path, ++ int flags) + { + struct nfsd_openat_t open_buf = { ++ .cred = cred, + .path = path, + .dirfd = dirfd, + .flags = flags, + }; + +- nfsd_run_task(nfsd_openatfunc, &open_buf); ++ if (cred) ++ nfsd_run_task(nfsd_cred_openatfunc, &open_buf); ++ else ++ nfsd_run_task(nfsd_openatfunc, &open_buf); + if (open_buf.res_fd == -1) + errno = open_buf.res_error; + return open_buf.res_fd; +diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c +index f43ebef5..6e6777cd 100644 +--- a/utils/mountd/mountd.c ++++ b/utils/mountd/mountd.c +@@ -31,6 +31,7 @@ + #include "nfsd_path.h" + #include "nfslib.h" + #include "export.h" ++#include "nfs_ucred.h" + + extern void my_svc_run(void); + +@@ -40,6 +41,7 @@ static struct nfs_fh_len *get_rootfh(struct svc_req *, dirpath *, nfs_export **, + + int reverse_resolve = 0; + int manage_gids; ++int apply_root_cred; + int use_ipaddr = -1; + + /* PRC: a high-availability callout program can be specified with -H +@@ -74,9 +76,10 @@ static struct option longopts[] = + { "log-auth", 0, 0, 'l'}, + { "cache-use-ipaddr", 0, 0, 'i'}, + { "ttl", 1, 0, 'T'}, ++ { "apply-root-cred", 0, 0, 'c' }, + { NULL, 0, 0, 0 } + }; +-static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:"; ++static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:c"; + + #define NFSVERSBIT(vers) (0x1 << (vers - 1)) + #define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4)) +@@ -453,11 +456,27 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret, + while (*subpath == '/') + subpath++; + if (*subpath != '\0') { ++ struct nfs_ucred *cred = NULL; + int fd; + ++ /* Load the user cred */ ++ if (!apply_root_cred) { ++ nfs_ucred_get(&cred, rqstp, &exp->m_export); ++ if (cred == NULL) { ++ xlog(L_WARNING, "can't retrieve credential"); ++ *error = MNT3ERR_ACCES; ++ close(dirfd); ++ return NULL; ++ } ++ if (manage_gids) ++ nfs_ucred_reload_groups(cred, &exp->m_export); ++ } ++ + /* Just perform a lookup of the path */ +- fd = nfsd_openat(dirfd, subpath, O_PATH); ++ fd = nfsd_cred_openat(cred, dirfd, subpath, O_PATH); + close(dirfd); ++ if (cred) ++ nfs_ucred_free(cred); + if (fd == -1) { + xlog(L_WARNING, "can't open exported dir %s: %s", p, + strerror(errno)); +@@ -681,6 +700,8 @@ read_mountd_conf(char **argv) + ttl = conf_get_num("mountd", "ttl", default_ttl); + if (ttl > 0) + default_ttl = ttl; ++ apply_root_cred = conf_get_bool("mountd", "apply-root-cred", ++ apply_root_cred); + } + + int +@@ -794,6 +815,9 @@ main(int argc, char **argv) + } + default_ttl = ttl; + break; ++ case 'c': ++ apply_root_cred = 1; ++ break; + case 0: + break; + case '?': +diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man +index a206a3e2..f4f1fc23 100644 +--- a/utils/mountd/mountd.man ++++ b/utils/mountd/mountd.man +@@ -242,6 +242,32 @@ can support both NFS version 2 and the newer version 3. + Print the version of + .B rpc.mountd + and exit. ++.TP ++.B \-c " or " \-\-apply-root-cred ++When mountd is asked to allow a NFSv3 mount to a subdirectory of the ++exported directory, then it will check if the user asking to mount has ++lookup rights to the directories below that exported directory. When ++performing the check, mountd will apply any root squash or all squash ++rules that were specified for that client. ++ ++Performing lookup checks as the user requires that the mountd daemon ++be run as root or that it be given CAP_SETUID and CAP_SETGID privileges ++so that it can change its own effective user and effective group settings. ++When troubleshooting, please also note that LSM frameworks such as SELinux ++can sometimes prevent the daemon from changing the effective user/groups ++despite the capability settings. ++ ++In earlier versions of mountd, the same checks were performed using the ++mountd daemon's root privileges, meaning that it could authorise access ++to directories that are not normally accessible to the user requesting ++to mount them. This option enables that legacy behaviour. ++ ++.BR Note: ++If there is a need to provide access to specific subdirectories that ++are not normally accessible to a client, it is always possible to add ++export entries that explicitly grant such access. That ability does ++not depend on this option being enabled. ++ + .TP + .B \-g " or " \-\-manage-gids + Accept requests from the kernel to map user id numbers into lists of +-- +2.35.6 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 2f2644f9a83..91c74fe5ef7 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb @@ -33,6 +33,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ + file://CVE-2025-12801-dependent_p1.patch \ + file://CVE-2025-12801-dependent_p2.patch \ + file://CVE-2025-12801-dependent_p3.patch \ + file://CVE-2025-12801-dependent_p4.patch \ + file://CVE-2025-12801.patch \ + file://CVE-2025-12801-build-fix.patch \ " SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d" From patchwork Mon Jun 29 14:20:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91298 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CD27C43327 for ; Mon, 29 Jun 2026 14:20:49 +0000 (UTC) Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93242.1782742841597650981 for ; Mon, 29 Jun 2026 07:20:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=tYx6ntp3; spf=pass (domain: smile.fr, ip: 209.85.221.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-463f1165e16so3449315f8f.0 for ; Mon, 29 Jun 2026 07:20:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742840; x=1783347640; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=AQbpIMm9OR6yMXXb0p7b6zR1Y+HkhkiT3qDFzDjjrR0=; b=tYx6ntp3ZwX6AuvlVVa4B/xzfboyeLz83G8P6F4UHEiFMwoayV9ytioEAo/PiTMzPI 5JSriOb4E6ww8pISCD6SdXy9ioYgZdTpRKeJswPXHSWCk4Kj7tcUj1TZlHxadXSunO99 e51oZuunm1jabx87GQRbkxbxXzAze23n0U6sg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742840; x=1783347640; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=AQbpIMm9OR6yMXXb0p7b6zR1Y+HkhkiT3qDFzDjjrR0=; b=ZpIXeSo6p9B1g4Qv+fNDudCr6xSbFlMxPKGTXrrL92nzHaJO9hhjykYSByIpEuPCdL iV/0mYRZ1XCyGHGO972Wo9YzwlPvwYdWM8w1bwMeSspReWQ+UWKUGAPwyuyk95pyye/c g3C/EOv/9SDH42XzU1fe20N9vprqb7U/z6Kj4xSanR8vrzUyvOaFQ+IYjau6hlnMwzrt w16QvwtXuGNIV8BdZEM3E7ImpwIHk1wPF4tUn5dTuSmtuvBdwjf+wVqX7kiNA24QyClh QtmSYBKJMkzZPEgZRnQoiNN2kzVjmi5F5JaFIudy4d6ypazCj4wkuEEtZjlkhaMiQCWA 5LnQ== X-Gm-Message-State: AOJu0Yw1Ousb4JP3rNN33xHxw9vQfck2QPJkeaVcIQbVK4chmM/trdzr 2Xj4FhPPk+zknPhrYKHvmy7uC8xa9cjlhVyfP2YHVjJY/4UpI+j9LhLcrx0n2dhwMGkK8KJ494V g4pQyR54= X-Gm-Gg: AfdE7cloMoRgfheTBIZqk1zcjsYVaZlWhLcutbfBVeY/m6PDwZb8+BBCjSOksxqL8S7 XwKHeDC38LMAftz2uZoyy8PTT5/LZPf4sx8UIAEKde5/phvtZ3b2RvY8N88NhdxaUL/FxKk9bz9 ekKcr4nVBa0gpy9xu25/oMelV7fe7ANLyOaIY6kHUYDOOybwAon3sbOOJwBRdN0/4fkGUfOZRhP rawBOsBVjvHArEIV+OhqCEuws7yVzEk/HOJ6aiazbmBxn0tmcQeqUYYuqpIwTi2ZGoVG/tg+saW BLb8VdE5ycHwI51N4O43myp+CVvSA/Vlrm/VQZEHrFyGugK/stG2oU73HJX23Qw4uTFBdz7Dc7i Gq+H7jOa9S4SNdx/aCT+wlTjCjA2sgMsg38H+G+km4wLC7rdyQlhI+10b/N+CHQgecn6F/4GUbO RI+oWejKihDJBrEyMiAKwcO6zl8K+JqpBzQ8w9V1d1mlxqxbl+87i9JKAjyszMjgaBSSlbxjjsi 0Qsvr9WfVg21hwpkZ2d1tNR4WRm9xGYqQ== X-Received: by 2002:a05:6000:4687:b0:475:2171:add with SMTP id ffacd0b85a97d-47521710e40mr272091f8f.22.1782742839806; Mon, 29 Jun 2026 07:20:39 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:39 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 16/19] cve-update-nvd2-native: allow setting resultsPerPage Date: Mon, 29 Jun 2026 16:20:01 +0200 Message-ID: <1e55fa5f3adf26d81d138947af94f6775c3902b8.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239804 From: Awais B It is seen that during bulk updates on the NVD side the server struggles to keep up with the default/max of 2000 entries per page and we see a lot of incomplete read errors resulting in proper db sync failures most of the times. Lowering the per page value noticably increases the reliability of the process and hence should ideally be configurable. Signed-off-by: Awais B Signed-off-by: Yoann Congal --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 945bd1d927c..731cbb5d886 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -34,6 +34,10 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" # Number of attempts for each http query to nvd server before giving up CVE_DB_UPDATE_ATTEMPTS ?= "5" +# Maximum number of CVE records per API response. +# Lowering this value can help avoid incomplete read errors during bulk NVD updates. +CVE_DB_RESULTS_PER_PAGE ?= "" + CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp" @@ -217,6 +221,15 @@ def update_db_file(db_tmp_file, d, database_time): api_key = d.getVar("NVDCVE_API_KEY") or None attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS")) + results_per_page = d.getVar("CVE_DB_RESULTS_PER_PAGE") + RESULTS_PER_PAGE_MAX = 2000 # imposed by NVD + if results_per_page: + results_per_page = int(results_per_page) + if results_per_page > RESULTS_PER_PAGE_MAX: + bb.warn("CVE_DB_RESULTS_PER_PAGE exceeds maximum of %d, capping" % RESULTS_PER_PAGE_MAX) + results_per_page = RESULTS_PER_PAGE_MAX + req_args['resultsPerPage'] = results_per_page + # Recommended by NVD wait_time = 6 if api_key: From patchwork Mon Jun 29 14:20:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91299 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33611C44500 for ; Mon, 29 Jun 2026 14:20:49 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.38597.1782742842364761252 for ; Mon, 29 Jun 2026 07:20:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=M7ARB8b7; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-4924593f45dso44438595e9.1 for ; Mon, 29 Jun 2026 07:20:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742841; x=1783347641; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Q5BshBFA+jYvWOFgvR8eHBwTzEi871Wd0OvaMdvfkH8=; b=M7ARB8b73kA7jeQj9K+efGaHVTHCH7abqeM/oxElA5PEL5aSlWeQDeuGOiuVeUHQq8 vxpMpC926/6MFKG3sdCgbuwlNNbSIdlTV3OR1Q8pLWRvf7dbZi8vJmK5oYJuOuuu9rk/ 4xEaklrTUatVAOVrej6sS8O5l3CJEihN90P9g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742841; x=1783347641; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Q5BshBFA+jYvWOFgvR8eHBwTzEi871Wd0OvaMdvfkH8=; b=nIGuSR26bKu4U4IgQwec5Ay67oDTUxEGyyv0e7q3Lj6L8akfZmQByAc/YAgLiRGjPo HqLQvfj6T1/4Iags+shJ9c9/px8gwwRusN0bUt4Q+BnwN9kEJSmrksxQ3dLR2nYX3O6t 1hPjqcDvYCjrDGsgT5/kJtX5m/K+Z1uUxLWXHGfwwm+TUv8d+8ZtJF1rdaLs8TfKZcL3 OgVCqys9GCDKF9eUtnBFagR5hQh0RTCILlaa0VBmzmkYHLJQ1ehECyLpffBq51jXyE4y dHCNMgwsqvF/yia5Ii51CQ++64gmP2DasEhbZVzSsvH3PN6zofb0k5Fe23MXJQh5XBxW qgtA== X-Gm-Message-State: AOJu0YwVX2KPvL6TWDvUl02RZpw+IMrzFpy9NA07mLh9p6FWqs0HOMwj wPll78tXQDxc4vASvw2I6Vy1pBtBOSBMgXJ/O8pcSppdj1JCItLLF+GnHVEzfK46WbxAXpesPll FC18ko1g= X-Gm-Gg: AfdE7clu6O4no4BJaISNnqmdhNGUCMGYeGYNbDHCTYHrgl/agyVjv8rRDxIMDmyHQmX aD1vsDFV19/gLhWAMfeCn8vVkHI07aCAXS/1UR3WM0PL+FDmgEg/ebe3Sp6c+2rPRlwMBKnvthi GzhLu+zqz47A61rwSpNfgkkBv/LBsaKuCmzIe/7i9iIOIl+SHoOPCzx02wnXPv8ec1oTHG84hRU STsR7RwBtEJ55v9t4klAJ5+vXwTGfIcSCItsHi4fBVdkiVKrSu1Q3aoD5a3GULJyv7lHBh02+s+ ZEpsu96q53UD9QhfJYqYddLsjeCH94keh7k46EUCb/qSXFdq0OOtmWxCrgwXnVJF0wxuUjyW5bn W7VCVGggkVlwChtTZ9WY0AX0jSInC966cm/kYU5y6Wk4DF4wwTuQ7wMxeuLOexcPxQ4tGBTOpd/ 4mqXO1UqwA+K2VaVrqJgsxgel4Tn4r/6u94JIy1VouZsmiN9W0msixq7od7rniJp6EjyAje7NNN YPEdarLbCrw1w3/56vYkYw= X-Received: by 2002:a05:6000:2687:b0:473:1a35:7aa0 with SMTP id ffacd0b85a97d-4731a357b3bmr7580631f8f.5.1782742840398; Mon, 29 Jun 2026 07:20:40 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:39 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 17/19] python3: fix CVE-2026-4224 Date: Mon, 29 Jun 2026 16:20:02 +0200 Message-ID: <046099f1fc88835dc7da62674403671c679f71b1.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239805 From: Amaury Couderc Backport patch to fix CVE-2026-4224. https://nvd.nist.gov/vuln/detail/CVE-2026-4224 Upstream fix: https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785 Tested with ptest: Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877 After: PASSED: 40006, FAILED: 0, SKIPPED: 1877 Signed-off-by: Amaury Couderc Signed-off-by: Yoann Congal --- .../python/python3/CVE-2026-4224.patch | 121 ++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 122 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4224.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4224.patch b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch new file mode 100644 index 00000000000..09dd2dda003 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch @@ -0,0 +1,121 @@ +From ca301e24e20d1d9d58bbd432ff103cab2cb87128 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Wed, 8 Apr 2026 11:27:39 +0100 +Subject: [PATCH] gh-145986: Avoid unbound C recursion in `conv_content_model` + in `pyexpat.c` (CVE-2026-4224) (GH-145987) (#146000) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* [3.11] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE-2026-4224) (GH-145987) + +Fix C stack overflow (CVE-2026-4224) when an Expat parser +with a registered `ElementDeclHandler` parses inline DTD +containing deeply nested content model. + +--------- +(cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768) +(cherry picked from commit e5caf45faac74b0ed869e3336420cffd3510ce6e) + +Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> +Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> + +* Update Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst + +--------- + +Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> + +CVE: CVE-2026-4224 +Upstream-Status: Backport [https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785] + +Signed-off-by: Amaury Couderc +--- + Lib/test/test_pyexpat.py | 18 ++++++++++++++++++ + ...6-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++++ + Modules/pyexpat.c | 9 ++++++++- + 3 files changed, 30 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst + +diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py +index 38f951573f0..37d9086f40a 100644 +--- a/Lib/test/test_pyexpat.py ++++ b/Lib/test/test_pyexpat.py +@@ -675,6 +675,24 @@ class ChardataBufferTest(unittest.TestCase): + parser.Parse(xml2, True) + self.assertEqual(self.n, 4) + ++class ElementDeclHandlerTest(unittest.TestCase): ++ def test_deeply_nested_content_model(self): ++ # This should raise a RecursionError and not crash. ++ # See https://github.com/python/cpython/issues/145986. ++ N = 500_000 ++ data = ( ++ b'\n]>\n\n' ++ ) ++ ++ parser = expat.ParserCreate() ++ parser.ElementDeclHandler = lambda _1, _2: None ++ with support.infinite_recursion(): ++ with self.assertRaises(RecursionError): ++ parser.Parse(data) ++ ++ + class MalformedInputTest(unittest.TestCase): + def test1(self): + xml = b"\0\r\n" +diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst +new file mode 100644 +index 00000000000..cb9dbadb72d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst +@@ -0,0 +1,4 @@ ++:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when ++converting deeply nested XML content models with ++:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`. ++This addresses `CVE-2026-4224 `_. +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c +index 79492ca5c4f..8673540f358 100644 +--- a/Modules/pyexpat.c ++++ b/Modules/pyexpat.c +@@ -3,6 +3,7 @@ + #endif + + #include "Python.h" ++#include "pycore_ceval.h" // _Py_EnterRecursiveCall() + #include "pycore_runtime.h" // _Py_ID() + #include + +@@ -578,6 +579,10 @@ static PyObject * + conv_content_model(XML_Content * const model, + PyObject *(*conv_string)(const XML_Char *)) + { ++ if (_Py_EnterRecursiveCall(" in conv_content_model")) { ++ return NULL; ++ } ++ + PyObject *result = NULL; + PyObject *children = PyTuple_New(model->numchildren); + int i; +@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model, + conv_string); + if (child == NULL) { + Py_XDECREF(children); +- return NULL; ++ goto done; + } + PyTuple_SET_ITEM(children, i, child); + } +@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model, + model->type, model->quant, + conv_string,model->name, children); + } ++done: ++ _Py_LeaveRecursiveCall(); + return result; + } + +-- +2.34.1 diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb index bf0e1702d54..06dbc8e892d 100644 --- a/meta/recipes-devtools/python/python3_3.12.13.bb +++ b/meta/recipes-devtools/python/python3_3.12.13.bb @@ -43,6 +43,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://CVE-2026-6019_p1.patch \ file://CVE-2026-6019_p2.patch \ file://CVE-2025-13462.patch \ + file://CVE-2026-4224.patch \ " SRC_URI:append:class-native = " \ From patchwork Mon Jun 29 14:20:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91297 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3666C43602 for ; Mon, 29 Jun 2026 14:20:48 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93245.1782742843020216159 for ; Mon, 29 Jun 2026 07:20:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=OXp4D6b2; spf=pass (domain: smile.fr, ip: 209.85.221.46, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-470174001a0so1492096f8f.0 for ; Mon, 29 Jun 2026 07:20:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742841; x=1783347641; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MhZFgJ8cS+wJcyPOClcWZnf9lK9sdCtIONfkhNZiHoA=; b=OXp4D6b2iF6s7O0VCFlKQ2zDbxOSvAlbtZwhWxsuBLY6pVdsSya7r7VQknsABeaDpv dMIDuqi8Yo8eM1VInNG5jfnKa0ef0sMWnei2TWKjFCE0HZF9HsuVvCymOub+c31buuYj Piu27p4pKEuDKkQCtRBFUTA93romr9BsiOttQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742841; x=1783347641; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=MhZFgJ8cS+wJcyPOClcWZnf9lK9sdCtIONfkhNZiHoA=; b=oKUDYyaING6GUBuyPxhKFsuvUpqO44BxFH2luiiv9QREx3VaqbLt3zX6tj315BzB38 nKBI5bvtlVwFgSvRmcrsPvfKS4RFHit5SoRl+IcUYTJhmuHCKCzp49e5YCK2loXSjC2G Ivpaa4KFFg/arlzof0Mb5O+4jJNqjV2tVrQfS9Nckt4GPWAv0ARMYlXujMkrSGgZb/bx XfiuNXi1NpDriqO/vpdj8FXjphpmLBIvKpFMopxHdNSz4iDKpwq+1eqOoAZLF/AsVIQS 9OqQplxnjm7oK6lI/pjosfCavukMz2rFCEDOozIR/lkMb9cby1WoQmF3iWK5mQwDkwUJ M+XA== X-Gm-Message-State: AOJu0Yy5s1jg0FjrRu4Rfe5/oaMtPhGCqKyL7z6atRIUwPKN3ON7DtZF UXei75D2pZ2KS0M+8fWVgwzg/sT8BvQAWkwCw4P6TI0y9evPDcjWNJSGuBZOhTC9u2aeTItJuUb vKN3Hq3k= X-Gm-Gg: AfdE7ckvRwevmYObw4fq58fUvC6aoLfdGMdagYvdOb7TpYe9Hde7twBXCYr9CYTs08K wYbTHHKnWcjC4BFFCpDNnWJak3fyilU3+ZQoKxrHgWMJGLl6jUxAsxanKXj1q9T9OjWfzM1Sur0 vdazyPxE1MGpWwBqNGLAfYPWBvEEY/VysfvLCvnZ7DyiXLMLQx2EQqfzAXQEnQzPFGLQ8BsZ0ZP IJkReBciVCabHXntZiT32ArFK3Yv35scbeujAeaA8SHgJH7mCioi1OacW/o4T5dL/hgwgvHkolR MpUfCvzkDHiDQQoP2iptRnaldgYcxytoS/D4o+zLh0oSO2Zbh4PsiQx36mvZNs/jGi6+56nh7Te 2vML9fntbBjG4mHSxpXifRyD1/GXPUjdPQM6uJWpn+r/cAuAtL0c0SoGJByx+vt9zbjNhhP28hX ZUOHKF+oYrZcq8XNakVVxyTCLQvBdIff+PZ8K3MqlkwUBwjtODia2davIDt4rH24oxEZ7Mo3Wbh VqKsPqXN3QUufTqrhrn5AA= X-Received: by 2002:a05:6000:41d0:b0:46f:a0f1:c346 with SMTP id ffacd0b85a97d-46fa0f1c3ccmr17299746f8f.29.1782742841114; Mon, 29 Jun 2026 07:20:41 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:40 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 18/19] oeqa: Drop /git/ from our urls Date: Mon, 29 Jun 2026 16:20:03 +0200 Message-ID: <3cceb00e014a698f23da41cfe0f774eb9f1b7088.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239806 From: Richard Purdie Using /git/ in our urls is rather old school and not the preferred format now. Update the urls to the preferred form even if the other ones still work. Signed-off-by: Richard Purdie (cherry picked from commit 8ac7c0c3493a6141476093bb2c1c79004c55857d) Signed-off-by: Yoann Congal --- meta-selftest/recipes-test/gitrepotest/gitrepotest.bb | 2 +- .../recipes-test/gitunpackoffline/gitunpackoffline.inc | 4 ++-- meta/lib/oeqa/manual/toaster-managed-mode.json | 6 +++--- meta/lib/oeqa/sdkext/cases/devtool.py | 4 ++-- meta/lib/oeqa/selftest/cases/devtool.py | 4 ++-- meta/lib/oeqa/selftest/cases/recipetool.py | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb index f1b6c55833b..fa61fdce0bc 100644 --- a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb +++ b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb @@ -7,7 +7,7 @@ INHIBIT_DEFAULT_DEPS = "1" PATCHTOOL="git" -SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https \ +SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https \ file://0001-testpatch.patch \ " diff --git a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc index 602e895199b..245c0bbdeef 100644 --- a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc +++ b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc @@ -1,5 +1,5 @@ SUMMARY = "Test recipe for fetching git submodules" -HOMEPAGE = "https://git.yoctoproject.org/git/matchbox-panel-2" +HOMEPAGE = "https://git.yoctoproject.org/matchbox-panel-2" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" @@ -8,7 +8,7 @@ INHIBIT_DEFAULT_DEPS = "1" TAGVALUE = "2.10" # Deliberately have a tag which has to be resolved but ensure do_unpack doesn't access the network again. -SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https" +SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https" SRC_URI:append:gitunpack-enable-recipe = ";tag=${TAGVALUE}" SRCREV = "f82ca3f42510fb3ef10f598b393eb373a2c34ca7" SRCREV:gitunpack-enable-recipe = "" diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json index 1a71985c3c1..d1d500864e5 100644 --- a/meta/lib/oeqa/manual/toaster-managed-mode.json +++ b/meta/lib/oeqa/manual/toaster-managed-mode.json @@ -2176,7 +2176,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky", "expected_results": "" }, "2": { @@ -2458,7 +2458,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky", "expected_results": "" }, "2": { @@ -2496,7 +2496,7 @@ ], "execution": { "1": { - "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky\n", + "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky\n", "expected_results": "" }, "2": { diff --git a/meta/lib/oeqa/sdkext/cases/devtool.py b/meta/lib/oeqa/sdkext/cases/devtool.py index d0746e68eba..a28d5b020c5 100644 --- a/meta/lib/oeqa/sdkext/cases/devtool.py +++ b/meta/lib/oeqa/sdkext/cases/devtool.py @@ -71,14 +71,14 @@ class DevtoolTest(OESDKExtTestCase): def test_extend_autotools_recipe_creation(self): recipe = "test-dbus-wait" self._run('devtool sdk-install dbus') - self._run('devtool add %s https://git.yoctoproject.org/git/dbus-wait' % (recipe) ) + self._run('devtool add %s https://git.yoctoproject.org/dbus-wait' % (recipe) ) try: self._run('devtool build %s' % recipe) finally: self._run('devtool reset %s' % recipe) def test_devtool_kernelmodule(self): - docfile = 'https://git.yoctoproject.org/git/kernel-module-hello-world' + docfile = 'https://git.yoctoproject.org/kernel-module-hello-world' recipe = 'kernel-module-hello-world' self._run('devtool add %s %s' % (recipe, docfile) ) try: diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py index d56696c10dd..6af3e2417a3 100644 --- a/meta/lib/oeqa/selftest/cases/devtool.py +++ b/meta/lib/oeqa/selftest/cases/devtool.py @@ -440,7 +440,7 @@ class DevtoolAddTests(DevtoolBase): pn = 'dbus-wait' srcrev = '6cc6077a36fe2648a5f993fe7c16c9632f946517' # We choose an https:// git URL here to check rewriting the URL works - url = 'https://git.yoctoproject.org/git/dbus-wait' + url = 'https://git.yoctoproject.org/dbus-wait' # Force fetching to "noname" subdir so we verify we're picking up the name from autoconf # instead of the directory name result = runCmd('git clone %s noname' % url, cwd=tempdir) @@ -467,7 +467,7 @@ class DevtoolAddTests(DevtoolBase): checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263' checkvars['S'] = '${WORKDIR}/git' checkvars['PV'] = '0.1+git' - checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master' + checkvars['SRC_URI'] = 'git://git.yoctoproject.org/dbus-wait;protocol=https;branch=master' checkvars['SRCREV'] = srcrev checkvars['DEPENDS'] = set(['dbus']) self._test_recipe_contents(recipefile, checkvars, []) diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py index 126906df502..8c54e65ad62 100644 --- a/meta/lib/oeqa/selftest/cases/recipetool.py +++ b/meta/lib/oeqa/selftest/cases/recipetool.py @@ -738,7 +738,7 @@ class RecipetoolCreateTests(RecipetoolBase): self._test_recipe_contents(recipefile, checkvars, []) def test_recipetool_create_git_http(self): - self._test_recipetool_create_git('http://git.yoctoproject.org/git/matchbox-keyboard') + self._test_recipetool_create_git('http://git.yoctoproject.org/matchbox-keyboard') def test_recipetool_create_git_srcuri_master(self): self._test_recipetool_create_git('git://git.yoctoproject.org/matchbox-keyboard;branch=master;protocol=https') From patchwork Mon Jun 29 14:20:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 91296 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4820C43458 for ; Mon, 29 Jun 2026 14:20:48 +0000 (UTC) Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.93246.1782742843669119627 for ; Mon, 29 Jun 2026 07:20:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=mpBYINl/; spf=pass (domain: smile.fr, ip: 209.85.221.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-472a14c9965so1284338f8f.1 for ; Mon, 29 Jun 2026 07:20:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1782742842; x=1783347642; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mW+e/7DJFOaAiyIv8ftnsvWn4Bd08U2+LY+NJyoNksM=; b=mpBYINl/r8DiqDIqQyeOOmxd1Fu6NKLqAVC4l+iSWMzrijp8BQr4p5TAUCZ2EpSzpA JgscswnwuN+YCR6jLsgQ1tujszHT1k+P87hHiMkt1isgkHDrM6zGqrpnlRw5EAU9u+fC WLn5anEoApWUogpeYCOZaKVK796KcC2aQg/s0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782742842; x=1783347642; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=mW+e/7DJFOaAiyIv8ftnsvWn4Bd08U2+LY+NJyoNksM=; b=ftvTDEDqTT5kHguc2a3AqBRfIZD3r+5VhWNx0hZan++nIgDo+LmwSA20IphX7CvU0b hKX9nBr5uT49mhAeUNNoBacfDgI+P78dGu+oqKgV88vcz47M1KTQyAbq9dWGHODktn6N HAJDhblKI//qiA454BfvLEKKhSEi30ziJNcwdpnOZ446pf6UjmzmZVPKT8MLwQVFhf/i JGXNjfWBR+b1Z5I/LpymOnVD++KbB06hmqX9xWHuMxQpGS6BeFQTBzo28JcVhfwFS1ug fqAPyWXFo6YUW9Wx9SDN/NpOErZNZtMKMiuiR588kTsq5sIe9T4tgN1g3SY0pZz48QNZ x8ww== X-Gm-Message-State: AOJu0YzmP18WqIYKIFFcIjeV+9gsYiVbyYGuu0oaw0Rk/qj0ywW68qKY jTihGOwwVZTpqlqZzG+C2rSw8CXbGD1SfPwjPYULcbIAmnJwO1zymiKlBcZ+/kIB5epLz5fLdJy E11dlxXI= X-Gm-Gg: AfdE7cn7WVtGaSVRCAIJCPdLi9tgU4AMv+hcjr9ff/F6AlpWHTThrmDFOcUlIFEDQWp UXGzONhm+5Wo+YUBfjWJZTCKVC2OhAVfY5pwIK14SXw9DcT8ZcFZYCH75fPs+KguDl7J8M3/dVN 4OxfyHUCtahzalTvsGaN+Y5mxdtmM2uEmP2zknK/hMKM9ilP4AJ8KqvBET31t/49X5DgLoaDfiI kMzIpBZmxtDbcp5t8UAzVm42Iac7q38BoXnSg+Ht8YVS/gdbcAMV3+DLaWAKQdQ4J8j0gAhj2sa OaZQfoQXEoKDHOeINI2ID1/Qtzqa5wAkjChNr8BZCjF8zh7h6gZfjMavVdk/vLsPwY7EKTlSrzX jCm9rol7nFg+A2NCWZmPDftoUYhgmpyO3a6R8LyjNaoSrRtwagMTqUlWL06oBa5RPynqqpQt5oI h6wXvUHoRf43kLdUBQMR40ddj1P2K8xCpbTJWgNPZuiA9mlx2QMrL834qtyDDigR8kGmtjXMcVT iTy6IdNT7alTy6nnH1L0rM= X-Received: by 2002:a05:6000:2287:b0:472:aaba:faed with SMTP id ffacd0b85a97d-47500d5e48bmr1190805f8f.31.1782742841822; Mon, 29 Jun 2026 07:20:41 -0700 (PDT) Received: from FRSMI25-LASER.idf.intranet (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-46f8d6f10absm44958410f8f.5.2026.06.29.07.20.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 07:20:41 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 19/19] recipetool: Recognise https://git. as git urls Date: Mon, 29 Jun 2026 16:20:04 +0200 Message-ID: <54ce24005721f5c82d42242524eaed93c8cbeafa.1782742373.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Jun 2026 14:20:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239807 From: Richard Purdie If a url has git. in it, assume it is likely to be a git cloneable url and should be treated as such. This allows us to switch from https://git.yoctoproject.org/git/XXX urls to the preferred https://git.yoctoproject.org/XXX form. Signed-off-by: Richard Purdie (cherry picked from commit cedc9209e3bae0da8d61423b16c74c49a132aa63) Signed-off-by: Yoann Congal --- scripts/lib/recipetool/create.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/recipetool/create.py b/scripts/lib/recipetool/create.py index 8e9ff38db6c..b6005b64766 100644 --- a/scripts/lib/recipetool/create.py +++ b/scripts/lib/recipetool/create.py @@ -366,7 +366,7 @@ def supports_srcrev(uri): def reformat_git_uri(uri): '''Convert any http[s]://....git URI into git://...;protocol=http[s]''' checkuri = uri.split(';', 1)[0] - if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri): + if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri) or re.match(r'https?://git\..*', checkuri): # Appends scheme if the scheme is missing if not '://' in uri: uri = 'git://' + uri