From patchwork Fri Jul 10 16:36:16 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92215 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98B63C44509 for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1849.1783701423897572460 for ; Fri, 10 Jul 2026 09:37:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=t0Gv/ORE; spf=pass (domain: smile.fr, ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-493bb510ce4so8414835e9.1 for ; Fri, 10 Jul 2026 09:37:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701422; x=1784306222; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=zXY9HEBPIXXxf+Hf7T5eH9vLsSEqbQSEa5VBsdUq3sw=; b=t0Gv/ORE3S8J5PZyRweucZdOKeV9MJA2HcMA+HPUi3OHIB+MXokqQEVt7Dn9DoEw2G AbtNlnqfF6ZeVPOBWZIFPCHkrI2is+KzG31KKzlbAA4RfP+GajYCvy8lzCUjAifKWAcj MpMyO4+thED6pmMCkzitQh58PEGWjrLR7+gqs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701422; x=1784306222; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=zXY9HEBPIXXxf+Hf7T5eH9vLsSEqbQSEa5VBsdUq3sw=; b=guFXhoHkSboQ0DbQAds816jul4b8kR1xq3Q76MSh2Y4ZFQyef+G2sibSjym8Z0LCGU 7qC+MqEvgL2AcvHArQyHMqQCHB51+XebaS8VFT+cB3U9TVl+YNiujU62XJJ7596yDk87 AJ8LTU0EWYE4R9UpBSUU4g53FawJXi7pTucyYALmuvnawNL1vn9STlt3JQZNAl5DAe5M RBe+zbdrvoqE3Vjv1PSvYVpoDzv2THvoUihUaWdIFuU/SE5XbarlzM2z22SSGdZfOfB0 0zPKYr0JToKlNW+XOEupFsVxYIxOTSG3yP0WKR7VHQNCs5MttxVEUJIAH+2HoV4Vlz2B /qkQ== X-Gm-Message-State: AOJu0Yxrene8YgEbPQKtcwd5YxGn7H1OMNq/h6fniEs4PWUgzqbE7mmJ QB1VQGshFeJISObWtnZYHMwcIGMRgbJ9SoQIZmi3W4wWpcTanpCmT9dTWGldMs28ilrkLjl8tdm vYvPW/rE= X-Gm-Gg: AfdE7ck9PJ8gz6xVJwDp0tHQRXPBSgm+/InnKJ3ibGe4Zc1csKlrzImJBPjzsIbkyxD 0wDk8JmLEjzoT0gAec289ApGCCsw/ACZOYEJTn5WafqvnioNXGCrAsDzlfoGp9Jc0cP4BSV3Q0P r6pzDypOa+NpQ1J2pdT/rG+WPlcubUM5L5LUbGSGyy219xGKepfI59L6u/pY6wbMvgzSVOqZYAB +RVGK67xU5CxaWyfzPJLv8iqJ3pTmrvhGgfetw7EuEfCB+K2u4zQud98V6ww92kqKm9AYnMfGPw 6y32fm13oO5Ziq+MHwz/2FDZyAtFTabtDwBx3J3avnhuCSj2xmRYTP3Ng0LSdmLAOaetQ7jTKDR H2n51jwX8c3p/Dn7aSsbXd1hyHSkNcOpDS4e/Oueej+Uorn4FdQgNPf/cECXay8pio5QLw9Kj7e bxVw6Zv7J+VObd5SW0KOa71fWiBWrg3nIa55BmoOd+7+rKNt3d2E7rtsGUzzdntpxdHTp6hxclm gDILCUsyuJpGvyYH0s= X-Received: by 2002:a05:600c:1914:b0:493:bcba:46a4 with SMTP id 5b1f17b1804b1-493e68df746mr119940605e9.20.1783701421590; Fri, 10 Jul 2026 09:37:01 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:01 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2 Date: Fri, 10 Jul 2026 18:36:16 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240662 From: Deepesh Varatharajan This is a corrective release over GDB 17.1, fixing the following issues: * PR dap/33228 ([gdb/dap] error while listing register children) * PR gdb/33737 (gdb --help says 'For more information, type "stream" from within GDB', but "stream" is not a defined command) * PR build/33747 (Incompatible with MUSL libc: no member named 'c_ospeed' in 'termios') * PR gdb/33748 (gdb17 regression with displaying ANSI colors) * PR gdb/33753 (Out-of-bounds writes in string_{v}printf -- threads and static data don't mix) * PR cli/33761 (Setting style colors is broken on MS-Windows) * PR gdb/33768 (Loading compressed GDB scripts from .debug_gdb_scripts fails) * PR symtab/33775 ([gdb/symtab] data race in dwarf2_per_cu::{set_addr_size,set_offset_size,set_ref_addr_size}) * PR symtab/33777 ([gdb/symtab] dw2_get_file_names doesn't cache result for dummy CU) * PR symtab/33825 ([dwz] Extremely slow symbol lookup with DWZ-compressed debug info (thousands of partial units)) * PR testsuite/33845 (gdb: There are 4 unexpected failures in breakpoint-in-ro-region.exp) * PR gdb/33872 (`skip -gfile` has inverted logic) * PR gdb/33926 (GDB 17.1 AArch64: redefinition of user_gcs struct on musl) * PR breakpoints/34112 (rbreak `file:regex` sets breakpoints for matches outside of `file` [reproducer attached]) Although gdb 17.2 includes the commit 17d05df7da1 ("gdb/ser-unix: add POSIX cfsetispeed/cfsetospeed support for custom baud rates"), which appears to be a feature addition, it is actually the upstream integration of the previously carried patch 0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch for PR build/33747. As such, it is appropriate for this corrective release. Drop patches merged upstream: * 0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch * PR build/33747 (Incompatible with MUSL libc: no member named 'c_ospeed' in 'termios') * 0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch * PR gdb/33926 (GDB 17.1 AArch64: redefinition of user_gcs struct on musl) Signed-off-by: Deepesh Varatharajan Signed-off-by: Yoann Congal --- ...ian_17.1.bb => gdb-cross-canadian_17.2.bb} | 0 .../{gdb-cross_17.1.bb => gdb-cross_17.2.bb} | 0 meta/recipes-devtools/gdb/gdb.inc | 4 +- ...-ser-unix-modernize-Linux-custom-bau.patch | 248 ------------------ ...ux-Fix-build-failure-on-musl-systems.patch | 196 -------------- .../gdb/{gdb_17.1.bb => gdb_17.2.bb} | 0 6 files changed, 1 insertion(+), 447 deletions(-) rename meta/recipes-devtools/gdb/{gdb-cross-canadian_17.1.bb => gdb-cross-canadian_17.2.bb} (100%) rename meta/recipes-devtools/gdb/{gdb-cross_17.1.bb => gdb-cross_17.2.bb} (100%) delete mode 100644 meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch delete mode 100644 meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch rename meta/recipes-devtools/gdb/{gdb_17.1.bb => gdb_17.2.bb} (100%) diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian_17.1.bb b/meta/recipes-devtools/gdb/gdb-cross-canadian_17.2.bb similarity index 100% rename from meta/recipes-devtools/gdb/gdb-cross-canadian_17.1.bb rename to meta/recipes-devtools/gdb/gdb-cross-canadian_17.2.bb diff --git a/meta/recipes-devtools/gdb/gdb-cross_17.1.bb b/meta/recipes-devtools/gdb/gdb-cross_17.2.bb similarity index 100% rename from meta/recipes-devtools/gdb/gdb-cross_17.1.bb rename to meta/recipes-devtools/gdb/gdb-cross_17.2.bb diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index d367486d026..cbb58854598 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -13,7 +13,5 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0006-Fix-invalid-sigprocmask-call.patch \ file://0007-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0008-Add-fix-for-packages-that-are-not-compatible-with-C2.patch \ - file://0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch \ - file://0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch \ " -SRC_URI[sha256sum] = "14996f5f74c9f68f5a543fdc45bca7800207f91f92aeea6c2e791822c7c6d876" +SRC_URI[sha256sum] = "1c036c0d72e4b3d1fb5c94c88632add6f9d76f4d7c4d2ea793c12a9f19a3228c" diff --git a/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch b/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch deleted file mode 100644 index 30d22b21f92..00000000000 --- a/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 1a77c71303b552140613d49595baebdff1a4716e Mon Sep 17 00:00:00 2001 -From: Sunil Dora -Date: Tue, 17 Mar 2026 01:58:55 -0700 -Subject: [PATCH] PR gdb/33747: gdb/ser-unix: modernize Linux custom baud rate - support - -The Linux custom baud rate implementation previously accessed the -struct termios members c_ispeed and c_ospeed directly. These fields -exist in glibc but are not exposed by musl, causing builds to fail on -musl-based systems. - -Update set_custom_baudrate_linux to use a capability-based approach, -with three distinct code paths: - -1) If POSIX cfsetispeed/cfsetospeed accept arbitrary baud rates - (HAVE_CFSETSPEED_ARBITRARY), use them to set input and output - speeds. - -2) Else if Linux termios2 interface is available (TCGETS2/BOTHER), - use it to support arbitrary baud rates. - -3) Else if legacy struct termios supports c_ispeed/c_ospeed, use - the TCGETS/TCSETS fallback (primarily for glibc on older - architectures). - -4) Otherwise, emit an error indicating that custom baud rates are - unsupported on this platform. - -This preserves existing behavior on glibc systems while restoring -build compatibility with musl and other libc implementations. - -Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33747 - -Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2026-March/225952.html] - -Suggested-by: Kevin Buettner -Suggested-by: Maciej W. Rozycki -Signed-off-by: Sunil Dora ---- - gdb/config.in | 6 ++++++ - gdb/configure | 52 +++++++++++++++++++++++++++++++++++++++++++++ - gdb/configure.ac | 22 +++++++++++++++++++ - gdb/ser-unix.c | 55 ++++++++++++++++++++++++++++++++++-------------- - 4 files changed, 119 insertions(+), 16 deletions(-) - -diff --git a/gdb/config.in b/gdb/config.in -index efc3100cb9e..b2469c8dabd 100644 ---- a/gdb/config.in -+++ b/gdb/config.in -@@ -110,6 +110,9 @@ - the CoreFoundation framework. */ - #undef HAVE_CFPREFERENCESCOPYAPPVALUE - -+/* Define if cfsetispeed/cfsetospeed accept arbitrary baud rates */ -+#undef HAVE_CFSETSPEED_ARBITRARY -+ - /* Define if compiling support to gdb compile. */ - #undef HAVE_COMPILE - -@@ -517,6 +520,9 @@ - /* Define to 1 if `st_blocks' is a member of `struct stat'. */ - #undef HAVE_STRUCT_STAT_ST_BLOCKS - -+/* Define to 1 if `c_ospeed' is a member of `struct termios'. */ -+#undef HAVE_STRUCT_TERMIOS_C_OSPEED -+ - /* Define to 1 if `td_pcb' is a member of `struct thread'. */ - #undef HAVE_STRUCT_THREAD_TD_PCB - -diff --git a/gdb/configure b/gdb/configure -index d0bdba6eb36..8a0e2fa2771 100755 ---- a/gdb/configure -+++ b/gdb/configure -@@ -27336,6 +27336,58 @@ if test "$ac_res" != no; then : - fi - - -+# Check whether cfsetispeed/cfsetospeed accept arbitrary baud rates. -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cfsetispeed/cfsetospeed accept arbitrary baud rates" >&5 -+$as_echo_n "checking whether cfsetispeed/cfsetospeed accept arbitrary baud rates... " >&6; } -+if ${gdb_cv_cfsetspeed_arbitrary+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+ -+ #if B9600 != 9600 -+ #error B-constants are not numeric symbols -+ #endif -+ -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ gdb_cv_cfsetspeed_arbitrary=yes -+else -+ gdb_cv_cfsetspeed_arbitrary=no -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gdb_cv_cfsetspeed_arbitrary" >&5 -+$as_echo "$gdb_cv_cfsetspeed_arbitrary" >&6; } -+ -+if test "$gdb_cv_cfsetspeed_arbitrary" = yes; then -+ -+$as_echo "#define HAVE_CFSETSPEED_ARBITRARY 1" >>confdefs.h -+ -+fi -+ -+# Check for members required by the legacy Linux custom baud rate path. -+ac_fn_c_check_member "$LINENO" "struct termios" "c_ospeed" "ac_cv_member_struct_termios_c_ospeed" "#include -+" -+if test "x$ac_cv_member_struct_termios_c_ospeed" = xyes; then : -+ -+cat >>confdefs.h <<_ACEOF -+#define HAVE_STRUCT_TERMIOS_C_OSPEED 1 -+_ACEOF -+ -+ -+fi -+ -+ - - - # Check whether --with-jit-reader-dir was given. -diff --git a/gdb/configure.ac b/gdb/configure.ac -index 52924106bca..26e8d1ee276 100644 ---- a/gdb/configure.ac -+++ b/gdb/configure.ac -@@ -733,6 +733,28 @@ AC_CONFIG_FILES([jit-reader.h:jit-reader.in]) - - AC_SEARCH_LIBS(dlopen, dl) - -+# Check whether cfsetispeed/cfsetospeed accept arbitrary baud rates. -+AC_CACHE_CHECK([whether cfsetispeed/cfsetospeed accept arbitrary baud rates], -+ [gdb_cv_cfsetspeed_arbitrary], [ -+ AC_COMPILE_IFELSE( -+ [AC_LANG_PROGRAM([[#include ]], -+ [[ -+ #if B9600 != 9600 -+ #error B-constants are not numeric symbols -+ #endif -+ ]])], -+ [gdb_cv_cfsetspeed_arbitrary=yes], -+ [gdb_cv_cfsetspeed_arbitrary=no]) -+]) -+ -+if test "$gdb_cv_cfsetspeed_arbitrary" = yes; then -+ AC_DEFINE([HAVE_CFSETSPEED_ARBITRARY], [1], -+ [Define if cfsetispeed/cfsetospeed accept arbitrary baud rates]) -+fi -+ -+# Check for members required by the legacy Linux custom baud rate path. -+AC_CHECK_MEMBERS([struct termios.c_ospeed], [], [], [[#include ]]) -+ - GDB_AC_WITH_DIR([JIT_READER_DIR], [jit-reader-dir], - [directory to load the JIT readers from], - [${libdir}/gdb]) -diff --git a/gdb/ser-unix.c b/gdb/ser-unix.c -index 6f2766518be..fbd73970dbb 100644 ---- a/gdb/ser-unix.c -+++ b/gdb/ser-unix.c -@@ -508,36 +508,59 @@ set_baudcode_baudrate (struct serial *scb, int baud_code) - - #if HAVE_CUSTOM_BAUDRATE_SUPPORT && defined(BOTHER) - --/* Set a custom baud rate using the termios BOTHER. */ -+/* Set a custom baud rate. -+ -+ Prefer the POSIX cfsetispeed/cfsetospeed interface when it accepts -+ arbitrary baud rates. Otherwise fall back to Linux-specific termios2 -+ (BOTHER) or legacy termios interfaces. */ - - static void - set_custom_baudrate_linux (int fd, int rate) - { --#ifdef TCGETS2 -- struct termios2 tio; -- const unsigned long req_get = TCGETS2; -- const unsigned long req_set = TCSETS2; --#else -+#if defined(HAVE_CFSETSPEED_ARBITRARY) - struct termios tio; -- const unsigned long req_get = TCGETS; -- const unsigned long req_set = TCSETS; --#endif -+ if (tcgetattr (fd, &tio) < 0) -+ perror_with_name (_("Cannot get current baud rate")); -+ -+ cfsetispeed (&tio, rate); -+ cfsetospeed (&tio, rate); -+ -+ if (tcsetattr (fd, TCSANOW, &tio) < 0) -+ perror_with_name (_("Cannot set custom baud rate")); -+ -+#elif defined(TCGETS2) -+ struct termios2 tio2; -+ if (ioctl (fd, TCGETS2, &tio2) < 0) -+ perror_with_name (_("Cannot get current baud rate")); -+ -+ tio2.c_cflag &= ~CBAUD; -+ tio2.c_cflag |= BOTHER; -+ tio2.c_ospeed = rate; -+ tio2.c_cflag &= ~(CBAUD << IBSHIFT); -+ tio2.c_cflag |= BOTHER << IBSHIFT; -+ tio2.c_ispeed = rate; - -- if (ioctl (fd, req_get, &tio) < 0) -- perror_with_name (_("Can not get current baud rate")); -+ if (ioctl (fd, TCSETS2, &tio2) < 0) -+ perror_with_name (_("Cannot set custom baud rate")); -+ -+#elif defined(HAVE_STRUCT_TERMIOS_C_OSPEED) -+ struct termios tio; -+ if (ioctl (fd, TCGETS, &tio) < 0) -+ perror_with_name (_("Cannot get current baud rate")); - -- /* Clear the current output baud rate and fill a new value. */ - tio.c_cflag &= ~CBAUD; - tio.c_cflag |= BOTHER; - tio.c_ospeed = rate; -- -- /* Clear the current input baud rate and fill a new value. */ - tio.c_cflag &= ~(CBAUD << IBSHIFT); - tio.c_cflag |= BOTHER << IBSHIFT; - tio.c_ispeed = rate; - -- if (ioctl (fd, req_set, &tio) < 0) -- perror_with_name (_("Can not set custom baud rate")); -+ if (ioctl (fd, TCSETS, &tio) < 0) -+ perror_with_name (_("Cannot set custom baud rate")); -+ -+#else -+ error (_("Custom baud rate not supported on this platform")); -+#endif - } - - #elif HAVE_CUSTOM_BAUDRATE_SUPPORT && defined(IOSSIOSPEED) --- -2.49.0 - diff --git a/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch b/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch deleted file mode 100644 index 2d91a351d2b..00000000000 --- a/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch +++ /dev/null @@ -1,196 +0,0 @@ -From 654223c799910837c80d0964a971fbdf7808864a Mon Sep 17 00:00:00 2001 -From: Thiago Jung Bauermann -Date: Tue, 17 Mar 2026 02:24:48 -0700 -Subject: [PATCH] GDB: aarch64-linux: Fix build failure on musl systems - -(cherry picked from commit 02090062127d59978ccc312dabf63c6ea838cd85) - -When building against musl (e.g. on Alpine Linux), the following error -happens: - - CXX linux-aarch64-low.o - In file included from /home/bauermann/src/binutils-gdb/gdbserver/linux-aarch64-low.cc:42: - /home/bauermann/src/binutils-gdb/gdbserver/../gdb/arch/aarch64-gcs-linux.h:35:8: error: redefinition of 'struct user_gcs' - 35 | struct user_gcs - | ^~~~~~~~ - In file included from /home/bauermann/src/binutils-gdb/gdbserver/linux-aarch64-low.cc:35: - /usr/include/asm/ptrace.h:329:8: note: previous definition of 'struct user_gcs' - 329 | struct user_gcs { - | ^~~~~~~~ - make[2]: *** [Makefile:565: linux-aarch64-low.o] Error 1 - -aarch64-linux-tdep.c fails to build in the same way. This happens because -aarch64-gcs-linux.h uses GCS_MAGIC to see whether the system headers -have GCS-related definitions. The problem is that GCS_MAGIC is defined in - while struct gcs_user is defined in . -It's fine on glibc systems because in the set of system headers that -linux-aarch64-low.cc and aarch64-linux-tdep.c include, -ends up being included implicitly as well. This doesn't happen when using -musl's headers though. - -There isn't a macro in whose presence is correlated with -the presence of the struct user_gcs definition, so a configure check is -needed to detect it and conditionally define the struct. - -Also, this change requires aarch64-linux-tdep.c to stop using -struct user_gcs because target-dependent code can't include -and thus even if HAVE_STRUCT_USER_GCS is set, the file won't have the -struct definition available. To fix this problem, also backport the -definition of AARCH64_LINUX_SIZEOF_GCS_REGSET and use it there. - -Note that there's another build issue with musl, described in -PR gdb/33747 affecting compilation of gdb/ser-unix.c. In order to be -able to test this patch, I applied the patch in comment 11 there. - -Tested with a native build on an Alpine Linux aarch64 system, and also -verified that all gdb.arch/aarch64-gcs*.exp tests pass on it. - -Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33926 - -Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2026-March/226049.html] - -Co-authored-by: Chris Packham -Signed-off-by: Sunil Dora ---- - gdb/aarch64-linux-tdep.c | 5 +++-- - gdb/arch/aarch64-gcs-linux.h | 8 +++++--- - gdbsupport/config.in | 3 +++ - gdbsupport/configure | 36 ++++++++++++++++++++++++++++++++++++ - gdbsupport/configure.ac | 19 +++++++++++++++++++ - 5 files changed, 66 insertions(+), 5 deletions(-) - -diff --git a/gdb/aarch64-linux-tdep.c b/gdb/aarch64-linux-tdep.c -index 76bde85188b..6c402e7ecdd 100644 ---- a/gdb/aarch64-linux-tdep.c -+++ b/gdb/aarch64-linux-tdep.c -@@ -1684,8 +1684,9 @@ aarch64_linux_iterate_over_regset_sections (struct gdbarch *gdbarch, - gcs_regmap, regcache_supply_regset, regcache_collect_regset - }; - -- cb (".reg-aarch-gcs", sizeof (user_gcs), sizeof (user_gcs), -- &aarch64_linux_gcs_regset, "GCS registers", cb_data); -+ cb (".reg-aarch-gcs", AARCH64_LINUX_SIZEOF_GCS_REGSET, -+ AARCH64_LINUX_SIZEOF_GCS_REGSET, &aarch64_linux_gcs_regset, -+ "GCS registers", cb_data); - } - } - -diff --git a/gdb/arch/aarch64-gcs-linux.h b/gdb/arch/aarch64-gcs-linux.h -index 018ca37a522..632823a8120 100644 ---- a/gdb/arch/aarch64-gcs-linux.h -+++ b/gdb/arch/aarch64-gcs-linux.h -@@ -27,8 +27,7 @@ - #define HWCAP_GCS (1ULL << 32) - #endif - --/* Make sure we only define these if the kernel header doesn't. */ --#ifndef GCS_MAGIC -+#ifndef HAVE_STRUCT_USER_GCS - - /* GCS state (NT_ARM_GCS). */ - -@@ -39,6 +38,9 @@ struct user_gcs - uint64_t gcspr_el0; - }; - --#endif /* GCS_MAGIC */ -+#endif /* HAVE_STRUCT_USER_GCS */ -+ -+/* The GCS regset consists of 3 64-bit registers. */ -+#define AARCH64_LINUX_SIZEOF_GCS_REGSET (3 * 8) - - #endif /* GDB_ARCH_AARCH64_GCS_LINUX_H */ -diff --git a/gdbsupport/config.in b/gdbsupport/config.in -index 0beacf22c05..2957ee0f030 100644 ---- a/gdbsupport/config.in -+++ b/gdbsupport/config.in -@@ -271,6 +271,9 @@ - /* Define to 1 if `st_blocks' is a member of `struct stat'. */ - #undef HAVE_STRUCT_STAT_ST_BLOCKS - -+/* Define to 1 if your system has struct user_gcs. */ -+#undef HAVE_STRUCT_USER_GCS -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_SYS_PARAM_H - -diff --git a/gdbsupport/configure b/gdbsupport/configure -index 133ddfa7f6c..66135791aa5 100755 ---- a/gdbsupport/configure -+++ b/gdbsupport/configure -@@ -14307,6 +14307,42 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - -+# Check for `struct user_gcs` -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct user_gcs" >&5 -+$as_echo_n "checking for struct user_gcs... " >&6; } -+if ${gdb_cv_struct_user_gcs+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+ #include -+int -+main () -+{ -+struct user_gcs u; -+ -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_compile "$LINENO"; then : -+ gdb_cv_struct_user_gcs=yes -+else -+ gdb_cv_struct_user_gcs=no -+ -+fi -+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gdb_cv_struct_user_gcs" >&5 -+$as_echo "$gdb_cv_struct_user_gcs" >&6; } -+if test "$gdb_cv_struct_user_gcs" = yes; then -+ -+$as_echo "#define HAVE_STRUCT_USER_GCS 1" >>confdefs.h -+ -+fi -+ - # Set the 'development' global. - . $srcdir/../bfd/development.sh - -diff --git a/gdbsupport/configure.ac b/gdbsupport/configure.ac -index b7ccfabd6c6..d3b4c05daeb 100644 ---- a/gdbsupport/configure.ac -+++ b/gdbsupport/configure.ac -@@ -68,6 +68,25 @@ GDB_AC_PTRACE - AM_GDB_COMPILER_TYPE - AM_GDB_WARNINGS - -+# Check for `struct user_gcs` -+AC_CACHE_CHECK( -+ [for struct user_gcs], -+ [gdb_cv_struct_user_gcs], -+ [AC_COMPILE_IFELSE( -+ [AC_LANG_PROGRAM( -+ [#include -+ #include ], -+ [struct user_gcs u;] -+ )], -+ [gdb_cv_struct_user_gcs=yes], -+ [gdb_cv_struct_user_gcs=no] -+ )] -+) -+if test "$gdb_cv_struct_user_gcs" = yes; then -+ AC_DEFINE(HAVE_STRUCT_USER_GCS, 1, -+ [Define to 1 if your system has struct user_gcs.]) -+fi -+ - # Set the 'development' global. - . $srcdir/../bfd/development.sh - --- -2.49.0 - diff --git a/meta/recipes-devtools/gdb/gdb_17.1.bb b/meta/recipes-devtools/gdb/gdb_17.2.bb similarity index 100% rename from meta/recipes-devtools/gdb/gdb_17.1.bb rename to meta/recipes-devtools/gdb/gdb_17.2.bb From patchwork Fri Jul 10 16:36:17 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92216 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA49AC4450C for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1850.1783701424131227370 for ; Fri, 10 Jul 2026 09:37:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=SBwM6z/T; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-493c5220cb7so8800755e9.3 for ; Fri, 10 Jul 2026 09:37:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701422; x=1784306222; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=4wLyGaheEV6iDycwgEzyG91CFAQotZNSEAse3OwCQlE=; b=SBwM6z/TZGJ9EiW1GvFvfDLOZhEDx/ZlILHSgqbooWk7PIHGyw+xKOIQ/Zbjz1AidW 9qOw+D7+rnmifafm1nKU6VuvWryQAupaKD9KnuRv20/jhaXpm8IqyqYVMGT1loLV5Pb4 SBjvQtwSYUU5Lx4iiGx7FwN7P0DF50GO2Xdf4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701422; x=1784306222; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=4wLyGaheEV6iDycwgEzyG91CFAQotZNSEAse3OwCQlE=; b=QrjZ/keZpNFSQ4jzw/74PEIau9xg1AH8XzRzophSPT6SPygaoZ5pqkqckT6ys14OzQ sJ9psJBPQWS0nwB3wf4CiWlhrRKnLMh3NcGnAHVbqd5Lwm+YHc6SIY1ooUhE9gcdZLMo gKDbzmXVOiJarQHS968W+0zm1BaDKQHHHllsSELfTwhS1vYHrpcQ9aNRP3M2GonMii7F 7mw8u0sYTfvt4eOxsY8hZFndYdEwP5KBOdiL3rL4t1+z71LbRPMCUYyullieNPIQOc9h GKm3mDPdJ9pNPbNaNy8lqmQJQRMIsM6g7EYRIqRlJGKGcHVMBkWn9hogV8BaVtqesBe9 WvUQ== X-Gm-Message-State: AOJu0YwPt32eEwg+KuGb+YHgXW9vehZKNCbZeYVkSdBNuStFFNPo6W75 tJeNpS4dj7bUWMVXrJ9iGyugwKMMtsWf729H43TkH7iznmTvI26u2++fJyfmhPlCRMqBKwXVKkk tIGVNBP8= X-Gm-Gg: AfdE7clArQYX0qvYeQ2ka1B0b/ak1VUQMNVjtY/O3j938uA0P9GHijNwj3ddemv/2Uf 0X/x7yMi0GNhzAxqlv/csxVSfAVegjkuNI5E3XW+x3SUB2hTyq5Tr6vnY6f3yaftdfAl1XTjnPX ALhEf8Sutp0A3EPETQ0w9uNwhgXGvuxDK0j1nr4axKFv/jpY0egaBrqrcnGu0Eq/z9WiXq3EF9q VhiZMU1VZaodrj1/mZ/zzR2GKuhgBX8kpyqv4vNdQL55BS3FG+SF3qgI6deLz9ycHUoxV4fECb4 rHe968Us/JbFyNezdd0caRaOsZe2PhQ0DoYUizLoyxGv3EVR8mVM5up3FlRHzBxtPIGm3oehnVt VXZCdhgegHgTWZ5OiZaAyEaqanhT3LnJfwM5tIO00NWHBV+N3BHZ5MuH7KIguYZo2jr4F1JX/qo XWb4pJt1mSUyNyXzRF0nBoROTrCRXg84iJbE9SFkab9nbxGDIsKRbRclyizEUb/RAsgWhaJm/pb 0qXd2nId8Dg+iLIHwM= X-Received: by 2002:a05:600c:e547:20b0:493:a5d0:d1a1 with SMTP id 5b1f17b1804b1-493e68d2040mr85582015e9.31.1783701422278; Fri, 10 Jul 2026 09:37:02 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:02 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 02/18] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Date: Fri, 10 Jul 2026 18:36:17 +0200 Message-ID: <7d0cefac29aa7b4af645ed08d6f0dd18f6149a77.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240663 From: Jaipaul Cheernam Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent connection pooling. Without this, a second SMB request to the same host reuses a connection authenticated for a different share. Reference: https://curl.se/docs/CVE-2026-5773.html Signed-off-by: Jaipaul Cheernam Signed-off-by: Yoann Congal --- .../curl/curl/CVE-2026-5773.patch | 47 +++++++++++++++++++ meta/recipes-support/curl/curl_8.19.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch new file mode 100644 index 00000000000..a9973712426 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch @@ -0,0 +1,47 @@ +From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 5 Apr 2026 18:23:35 +0200 +Subject: [PATCH] protocol: disable connection reuse for SMB(S) + +Connections should only be reused when using the same "share" (and +perhaps some additional conditions), but instead of fixing this flaw, +this change completely disables connection reuse for SMB. This protocol +is about to get dropped soon anyway. + +Reported-by: Osama Hamad +Closes #21238 + +CVE: CVE-2026-5773 +Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571] + +Note: The upstream fix targets lib/protocol.c which was introduced in +curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c, +so this patch removes PROTOPT_CONN_REUSE there instead. The effect is +identical: SMB connections are no longer pooled for reuse. + +Signed-off-by: Jaipaul Cheernam +--- + lib/smb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 00297ad..c15fdce 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = { + #endif + CURLPROTO_SMB, /* protocol */ + CURLPROTO_SMB, /* family */ +- PROTOPT_CONN_REUSE, /* flags */ ++ PROTOPT_NONE, /* flags */ + PORT_SMB, /* defport */ + }; + +@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = { + #endif + CURLPROTO_SMBS, /* protocol */ + CURLPROTO_SMB, /* family */ +- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */ ++ PROTOPT_SSL, /* flags */ + PORT_SMBS, /* defport */ + }; diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb index d58b7740112..3326f478b5c 100644 --- a/meta/recipes-support/curl/curl_8.19.0.bb +++ b/meta/recipes-support/curl/curl_8.19.0.bb @@ -15,6 +15,7 @@ SRC_URI = " \ file://disable-tests \ file://no-test-timeout.patch \ file://CVE-2026-6276.patch \ + file://CVE-2026-5773.patch \ file://mbedtls.patch \ " From patchwork Fri Jul 10 16:36:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92220 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F811C4450F for ; Fri, 10 Jul 2026 16:37:14 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1852.1783701425337274502 for ; Fri, 10 Jul 2026 09:37:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=TeWbaWby; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-493ba701891so9982555e9.3 for ; Fri, 10 Jul 2026 09:37:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701423; x=1784306223; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=pFJydgOp+PkWbjJ8RdqdGto70lXvxKY/GwS6+G0ENP8=; b=TeWbaWbyhRlENBeAtEssE5VHsQNAuHG5g4Rj/x16ihnI2i5bt0sSy4/cHkKs3piM3L eSOZLtZmuY0A8GBtfdxDat7PKByCs9bZRHpMDFZUjDKlbr8HlqWeUbQ2DYyqVU9adQQ3 vjorGA7xCWobBE/u45JsBqCeSiR2wr8E07mPs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701423; x=1784306223; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=pFJydgOp+PkWbjJ8RdqdGto70lXvxKY/GwS6+G0ENP8=; b=hmnIHkGBxcQZXfQPvm0AwfiH7pdOlCBfptuOw9Q9tT5s5icdtYODQB0uef8zeB3dr5 m7xMlVfCbVCGZyNxNeiKlypHYbBOyeUgfxO8Q5Pwc607ijoQjLqMbWCtBmSsj77prlZp 4Ly1EF1Ofp5QDy4MeuNt+a47JsFAOBpXXVkgZzDY2JK4+Khc+baxZnNU57QIfWHASfU8 uqjE99Bpq917naYBuy7f9JWJOOoRnE8FCrt2jKFrrt6Sgq1uys/H/xbowd+xsFsgGTSn w65q4na8zjNIgAJ+kGkdlW56W19o9H5iK7oLqf8+6R2Lv+IL9J/zP476/6EBjf/6ywnT 2VSA== X-Gm-Message-State: AOJu0YydHd66ctE/oi2NczctPrINCfWzKsXFSvX7UhU/nom11O4iT5VO 7jb+UMiX2EzBopQhhaH5okAeCmM9+Q32dNTkGl1bqQpeGDWQq/aTpJxp2VpLFd3HwjRTcSv2JOL G7YaPCFI= X-Gm-Gg: AfdE7cmsKmOctLNrLz7vkVv1gNU+inS/U5ZVk4/psZiaKMz2GrkepsGBHZPJ9LAQX+t sDSLPFp1aMTslCOnitmJFXOdt/x1WaAVN0B0bv/oZI62oQscwmd09ZibAYWR9UYjl7mox4X+SQ3 QHhgYM3EOc/SZLh5Gcu/O13YpEZ/8zQ7hWCADkKqj1CwRtF24P/ogZyd7NeDXbPvrgSQzbwRvP2 69+Q/8yLFOfipJQAgODzYKajNvhD5AQompkiifTYug1NyF94Ai6JfC7Vmffvz9czYNwXH4lwC1G aXF0+aCznSW7dTOY5ndnGkasHa8zhMluKOqijp3veCm323WZSjxhb0zEG6Du5C1QLdrjBMmQZGl B7Q6ad9y3VwXF9Ph04hC3arBUpFI87qWW7GByUzSJztwhOAgqCT2l5GhHPRWZixo+GyejmlHi08 nnwHHbENTVTKne7zpwXyO77wPFlvlfzGtR08fRznDhCr5swKCkD1/Bc5ilA64xvVYAVHorOMCTK BZ0YKAWfBRYzITU5fE= X-Received: by 2002:a05:600c:6289:b0:493:b647:1acd with SMTP id 5b1f17b1804b1-493e68dbd98mr121707075e9.36.1783701422995; Fri, 10 Jul 2026 09:37:02 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:02 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 03/18] expat: patch CVE-2026-45186 Date: Fri, 10 Jul 2026 18:36:18 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240664 From: Theo Gaige (Schneider Electric) Backport patches from [1] also mentioned in [2]. [1] https://github.com/libexpat/libexpat/pull/1216 [2] https://security-tracker.debian.org/tracker/CVE-2026-45186 Signed-off-by: Theo Gaige (Schneider Electric) Signed-off-by: Yoann Congal --- .../expat/expat/CVE-2026-45186-01.patch | 70 ++++ .../expat/expat/CVE-2026-45186-02.patch | 318 ++++++++++++++++++ .../expat/expat/CVE-2026-45186-03.patch | 46 +++ .../expat/expat/CVE-2026-45186-04.patch | 32 ++ .../expat/expat/CVE-2026-45186-05.patch | 32 ++ .../expat/expat/CVE-2026-45186-06.patch | 87 +++++ .../expat/expat/CVE-2026-45186-07.patch | 52 +++ meta/recipes-core/expat/expat_2.7.5.bb | 7 + 8 files changed, 644 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-02.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-03.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-04.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-05.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-06.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-07.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch new file mode 100644 index 00000000000..478978f4ca2 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch @@ -0,0 +1,70 @@ +From b659bf974f29b991870ba1f66af687c73e07fbf8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= +Date: Fri, 13 Mar 2026 13:26:45 +0100 +Subject: [PATCH 1/7] Make "counting_start_element_handler" count default attrs + +(cherry picked from commit 0802a5892030610144b736dec6e2f63e8600fe85) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/0802a5892030610144b736dec6e2f63e8600fe85] +Signed-off-by: Theo Gaige +--- + tests/basic_tests.c | 8 ++++---- + tests/handlers.c | 2 +- + tests/handlers.h | 1 + + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 02d1d5f..8c025a2 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -2466,9 +2466,9 @@ START_TEST(test_attributes) { + {XCS("id"), XCS("one")}, + {NULL, NULL}}; + AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}}; +- ElementInfo info[] = {{XCS("doc"), 3, XCS("id"), NULL}, +- {XCS("tag"), 1, NULL, NULL}, +- {NULL, 0, NULL, NULL}}; ++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL}, ++ {XCS("tag"), 1, 0, NULL, NULL}, ++ {NULL, 0, 0, NULL, NULL}}; + info[0].attributes = doc_info; + info[1].attributes = tag_info; + +@@ -5543,7 +5543,7 @@ START_TEST(test_deep_nested_attribute_entity) { + (long unsigned)(N_LINES - 1)); + + AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}}; +- ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}}; ++ ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}}; + info[0].attributes = doc_info; + + XML_Parser parser = XML_ParserCreate(NULL); +diff --git a/tests/handlers.c b/tests/handlers.c +index e456df2..bd1b54e 100644 +--- a/tests/handlers.c ++++ b/tests/handlers.c +@@ -137,7 +137,7 @@ counting_start_element_handler(void *userData, const XML_Char *name, + fail("ID does not have the correct name"); + return; + } +- for (i = 0; i < info->attr_count; i++) { ++ for (i = 0; i < info->attr_count + info->default_attr_count; i++) { + attr = info->attributes; + while (attr->name != NULL) { + if (! xcstrcmp(atts[0], attr->name)) +diff --git a/tests/handlers.h b/tests/handlers.h +index fcde27a..27a53f2 100644 +--- a/tests/handlers.h ++++ b/tests/handlers.h +@@ -88,6 +88,7 @@ typedef struct attrInfo { + typedef struct elementInfo { + const XML_Char *name; + int attr_count; ++ int default_attr_count; + const XML_Char *id_name; + AttrInfo *attributes; + } ElementInfo; +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch new file mode 100644 index 00000000000..6c90e15b47d --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch @@ -0,0 +1,318 @@ +From 32848241057dfaa4c68fae475f51fbe1a182c004 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= +Date: Fri, 13 Mar 2026 13:27:31 +0100 +Subject: [PATCH 2/7] test(attlist): Cover duplicate attribute names + +Co-authored-by: Sebastian Pipping +(cherry picked from commit e569f47181c43dca5d262089e541ddf9a9c09927) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/e569f47181c43dca5d262089e541ddf9a9c09927] +Signed-off-by: Theo Gaige +--- + tests/basic_tests.c | 282 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 282 insertions(+) + +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 8c025a2..83c453c 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -2489,6 +2489,279 @@ START_TEST(test_attributes) { + } + END_TEST + ++START_TEST(test_duplicate_cdata_attribute) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one definition is provided for the same attribute of a given ++ element type, the first declaration is binding and later declarations are ++ ignored. ++ */ ++ ++ const char *text ++ = "\n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}}; ++ ElementInfo info[] ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_id_attribute_1) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one definition is provided for the same attribute of a given ++ element type, the first declaration is binding and later declarations are ++ ignored. ++ */ ++ ++ const char *text ++ = "\n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{XCS("identifier"), XCS("expected")}, {NULL, NULL}}; ++ ElementInfo info[] ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_id_attribute_2) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one definition is provided for the same attribute of a given ++ element type, the first declaration is binding and later declarations are ++ ignored. ++ */ ++ ++ const char *text ++ = "\n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{NULL, NULL}}; ++ ++ ElementInfo info[] ++ = {{XCS("doc"), 0, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one AttlistDecl is provided for a given element type, ++ the contents of all those provided are merged. ++ */ ++ const char *text = "\n" ++ " \n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}}; ++ ElementInfo info[] ++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_2) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one AttlistDecl is provided for a given element type, ++ the contents of all those provided are merged. ++ */ ++ const char *text = "\n" ++ " \n" ++ " \n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")}, {NULL, NULL}}; ++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}}; ++ ElementInfo info[] = {{XCS("doc"), 0, 1, NULL, doc_info}, ++ {XCS("tag"), 0, 1, NULL, tag_info}, ++ {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_3) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one AttlistDecl is provided for a given element type, ++ the contents of all those provided are merged. ++ */ ++ const char *text ++ = "\n" ++ " \n" ++ " \n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")}, ++ {XCS("second_attribute"), XCS("second_expected_doc")}, ++ {NULL, NULL}}; ++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}}; ++ ElementInfo info[] = {{XCS("doc"), 0, 2, NULL, doc_info}, ++ {XCS("tag"), 0, 1, NULL, tag_info}, ++ {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_duplicate_id_attribute_multiple_attlistdecl) { ++ /* ++ https://www.w3.org/TR/xml/#attdecls ++ ++ Test the following statement from the linked specification: ++ When more than one AttlistDecl is provided for a given element type, ++ the contents of all those provided are merged. ++ */ ++ const char *text = "\n" ++ " \n" ++ " \n" ++ "]>\n" ++ "\n"; ++ AttrInfo doc_info[] ++ = {{XCS("identifier"), XCS("doc_identity")}, {NULL, NULL}}; ++ AttrInfo tag_info[] ++ = {{XCS("identifier"), XCS("identifier_tag")}, {NULL, NULL}}; ++ ElementInfo info[] = {{XCS("doc"), 1, 0, XCS("identifier"), doc_info}, ++ {XCS("tag"), 0, 1, NULL, tag_info}, ++ {NULL, 0, 0, NULL, NULL}}; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ ParserAndElementInfo parserAndElementInfos = { ++ parser, ++ info, ++ }; ++ ++ XML_SetStartElementHandler(parser, counting_start_element_handler); ++ XML_SetUserData(parser, &parserAndElementInfos); ++ ++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test reset works correctly in the middle of processing an internal + * entity. Exercises some obscure code in XML_ParserReset(). + */ +@@ -6374,6 +6647,15 @@ make_basic_test_case(Suite *s) { + tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_foreign_dtd); + tcase_add_test(tc_basic, test_set_base); + tcase_add_test(tc_basic, test_attributes); ++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute); ++ tcase_add_test(tc_basic, test_duplicate_id_attribute_1); ++ tcase_add_test(tc_basic, test_duplicate_id_attribute_2); ++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute_multiple_attlistdecl); ++ tcase_add_test(tc_basic, ++ test_duplicate_cdata_attribute_multiple_attlistdecl_2); ++ tcase_add_test(tc_basic, ++ test_duplicate_cdata_attribute_multiple_attlistdecl_3); ++ tcase_add_test(tc_basic, test_duplicate_id_attribute_multiple_attlistdecl); + tcase_add_test__if_xml_ge(tc_basic, test_reset_in_entity); + tcase_add_test(tc_basic, test_resume_invalid_parse); + tcase_add_test(tc_basic, test_resume_resuspended); +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch new file mode 100644 index 00000000000..f3b0614b8df --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch @@ -0,0 +1,46 @@ +From 468d6f44264e7ad73f3045f6487baccc846014e6 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 20 Apr 2026 13:44:43 +0200 +Subject: [PATCH 3/7] tests: Define .attributes the first time around + +(cherry picked from commit 05307d352a5aa858cdda57ec53a53b597b3a4a82) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/05307d352a5aa858cdda57ec53a53b597b3a4a82] +Signed-off-by: Theo Gaige +--- + tests/basic_tests.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 83c453c..810ff5e 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -2466,11 +2466,9 @@ START_TEST(test_attributes) { + {XCS("id"), XCS("one")}, + {NULL, NULL}}; + AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}}; +- ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL}, +- {XCS("tag"), 1, 0, NULL, NULL}, ++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), doc_info}, ++ {XCS("tag"), 1, 0, NULL, tag_info}, + {NULL, 0, 0, NULL, NULL}}; +- info[0].attributes = doc_info; +- info[1].attributes = tag_info; + + XML_Parser parser = XML_ParserCreate(NULL); + assert_true(parser != NULL); +@@ -5816,8 +5814,8 @@ START_TEST(test_deep_nested_attribute_entity) { + (long unsigned)(N_LINES - 1)); + + AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}}; +- ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}}; +- info[0].attributes = doc_info; ++ ElementInfo info[] ++ = {{XCS("foo"), 1, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}}; + + XML_Parser parser = XML_ParserCreate(NULL); + ParserAndElementInfo parserPlusElemenInfo = {parser, info}; +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch new file mode 100644 index 00000000000..d30ffa3f512 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch @@ -0,0 +1,32 @@ +From 0582bcabb773d4600d7c85516132b016f0163deb Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 13 Apr 2026 01:34:03 +0200 +Subject: [PATCH 4/7] tests: Make counting_start_element_handler enforce + complete attribute lists + +(cherry picked from commit 4176aff73840711060913e0ac6aa1168d8ba5c8d) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4176aff73840711060913e0ac6aa1168d8ba5c8d] +Signed-off-by: Theo Gaige +--- + tests/handlers.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/handlers.c b/tests/handlers.c +index bd1b54e..8cda3a8 100644 +--- a/tests/handlers.c ++++ b/tests/handlers.c +@@ -155,6 +155,9 @@ counting_start_element_handler(void *userData, const XML_Char *name, + /* Remember, two entries in atts per attribute (see above) */ + atts += 2; + } ++ ++ // Self-test that the test case's list of expected attributes is complete ++ assert_true(atts[0] == NULL); + } + + void XMLCALL +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch new file mode 100644 index 00000000000..6d98a3cd091 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch @@ -0,0 +1,32 @@ +From ebe5486739006105629b0bca6022f664566e56de Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 8 Mar 2026 22:14:41 +0100 +Subject: [PATCH 5/7] lib: Extract a constant for upcoming reuse + +(cherry picked from commit fb35f2d2040d114f355bae8a7450942533237530) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/fb35f2d2040d114f355bae8a7450942533237530] +Signed-off-by: Theo Gaige +--- + lib/xmlparse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0248b66..e833520 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7719,8 +7719,9 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes), + oldE->prefix->name, 0); + for (i = 0; i < newE->nDefaultAtts; i++) { ++ const XML_Char *const attributeName = oldE->defaultAtts[i].id->name; + newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup( +- oldParser, &(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0); ++ oldParser, &(newDtd->attributeIds), attributeName, 0); + newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata; + if (oldE->defaultAtts[i].value) { + newE->defaultAtts[i].value +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch new file mode 100644 index 00000000000..1b47776a172 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch @@ -0,0 +1,87 @@ +From 41f9f3c8479e8f8547d5bce6355b0484c2744d1e Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 8 Mar 2026 23:05:49 +0100 +Subject: [PATCH 6/7] lib: Introduce ELEMENT_TYPE.defaultAttsNames + +(cherry picked from commit 7f0f1b9e70d937072d2e9e37ae9edf27784cc080) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/7f0f1b9e70d937072d2e9e37ae9edf27784cc080] +Signed-off-by: Theo Gaige +--- + lib/xmlparse.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e833520..b7e2d72 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -388,6 +388,7 @@ typedef struct { + int nDefaultAtts; + int allocDefaultAtts; + DEFAULT_ATTRIBUTE *defaultAtts; ++ HASH_TABLE defaultAttsNames; + } ELEMENT_TYPE; + + typedef struct { +@@ -3853,6 +3854,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + sizeof(ELEMENT_TYPE)); + if (! elementType) + return XML_ERROR_NO_MEMORY; ++ if (! elementType->defaultAttsNames.parser) ++ hashTableInit(&(elementType->defaultAttsNames), parser); + if (parser->m_ns && ! setElementTypePrefix(parser, elementType)) + return XML_ERROR_NO_MEMORY; + } +@@ -7561,6 +7564,7 @@ dtdReset(DTD *p, XML_Parser parser) { + ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter); + if (! e) + break; ++ hashTableDestroy(&(e->defaultAttsNames)); + if (e->allocDefaultAtts != 0) + FREE(parser, e->defaultAtts); + } +@@ -7602,6 +7606,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) { + ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter); + if (! e) + break; ++ hashTableDestroy(&(e->defaultAttsNames)); + if (e->allocDefaultAtts != 0) + FREE(parser, e->defaultAtts); + } +@@ -7695,6 +7700,10 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + sizeof(ELEMENT_TYPE)); + if (! newE) + return 0; ++ ++ if (! newE->defaultAttsNames.parser) ++ hashTableInit(&(newE->defaultAttsNames), parser); ++ + if (oldE->nDefaultAtts) { + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning +@@ -7730,6 +7739,12 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + return 0; + } else + newE->defaultAtts[i].value = NULL; ++ ++ NAMED *const nameAddedOrFound = (NAMED *)lookup( ++ parser, &(newE->defaultAttsNames), attributeName, sizeof(NAMED)); ++ if (! nameAddedOrFound) { ++ return 0; ++ } + } + } + +@@ -8474,6 +8489,8 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, + sizeof(ELEMENT_TYPE)); + if (! ret) + return NULL; ++ if (! ret->defaultAttsNames.parser) ++ hashTableInit(&(ret->defaultAttsNames), getRootParserOf(parser, NULL)); + if (ret->name != name) + poolDiscard(&dtd->pool); + else { +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch new file mode 100644 index 00000000000..5551d10243c --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch @@ -0,0 +1,52 @@ +From 141a3c12639f9a4066293e81dbedde4c15b0881f Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 8 Mar 2026 23:06:29 +0100 +Subject: [PATCH 7/7] lib: Leverage ELEMENT_TYPE.defaultAttsNames for attribute + collision detection + +.. to resolve quadratic runtime behavior + +(cherry picked from commit 4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5) + +CVE: CVE-2026-45186 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5] +Signed-off-by: Theo Gaige +--- + lib/xmlparse.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b7e2d72..04195cb 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7189,10 +7189,10 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, + if (value || isId) { + /* The handling of default attributes gets messed up if we have + a default which duplicates a non-default. */ +- int i; +- for (i = 0; i < type->nDefaultAtts; i++) +- if (attId == type->defaultAtts[i].id) +- return 1; ++ NAMED *const nameFound ++ = (NAMED *)lookup(parser, &(type->defaultAttsNames), attId->name, 0); ++ if (nameFound) ++ return 1; + if (isId && ! type->idAtt && ! attId->xmlns) + type->idAtt = attId; + } +@@ -7239,6 +7239,12 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, + att->isCdata = isCdata; + if (! isCdata) + attId->maybeTokenized = XML_TRUE; ++ ++ NAMED *const nameAddedOrFound = (NAMED *)lookup( ++ parser, &(type->defaultAttsNames), attId->name, sizeof(NAMED)); ++ if (! nameAddedOrFound) ++ return 0; ++ + type->nDefaultAtts += 1; + return 1; + } +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 4f2578292d9..210398fb505 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -10,6 +10,13 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2026-45186-01.patch \ + file://CVE-2026-45186-02.patch \ + file://CVE-2026-45186-03.patch \ + file://CVE-2026-45186-04.patch \ + file://CVE-2026-45186-05.patch \ + file://CVE-2026-45186-06.patch \ + file://CVE-2026-45186-07.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 16:36:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92222 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E005C44510 for ; Fri, 10 Jul 2026 16:37:14 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1853.1783701425978516509 for ; Fri, 10 Jul 2026 09:37:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Ob8DaYA0; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-493c733f15aso10752205e9.0 for ; Fri, 10 Jul 2026 09:37:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701424; x=1784306224; darn=lists.openembedded.org; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:from:to:cc:subject:date :message-id:reply-to:content-type; bh=fFmXYBksF7XCM1OfqVr1ptVDZ0okAou5ilu62UFj5l4=; b=Ob8DaYA06SqORIL/gBqtmxU4k4ulfnQXIA2skt82usZT3XPdo8OPuWS6Hk6a9Y+j27 l+bK479b1CjbSlbIhMaMhhCtKPQwMoupCpnbvBxyVt/cwg/BsvQFQUL+fzlTZWdheX06 1xQ2f4RtnXaVfZVn41+xQR5XAVxow+luyQDps= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701424; x=1784306224; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=fFmXYBksF7XCM1OfqVr1ptVDZ0okAou5ilu62UFj5l4=; b=N/IylgkF03nHOLL6yTAioGw2bAIekC6o0VFGuihqWM004DEiyW4Y4XM7Fj8Jggu8nU vaot4urX94td2NZtQi2Uf5s85u90lHAHwOlY+hSv3kuInP/DKO+a6GPkEPtEes2VglM3 v6+6nCuThaRZYRk0Jmn9kA4ES6kbX3x30GUrF6bMXIUs1W8QLZzVr1JmVcyO6Imsh5Hh tZdQbKGcrhkA1V0visl48OdUXvi3Y6wkAJ9Ll6C6IJkS3Oc3asVA/YWHPYGMRbHP1knc y/293Z2tlrlLj6KEsDcnsUlM77s2L++jQx+vqCLqv5kBKCAhTQ8Ik36uXg8DWnSyL1wS jOWg== X-Gm-Message-State: AOJu0YzopxOK5VpG0gBq1HobR5d7CkWAQW9b+xQXdOSCvC8OPfVmzLnO 18RK3iru57P9wt/ZaasJo95X/5hWzSONA4fva4M4PAHp1R6mCWF91L2+l5DQPJU8Vy3DTzVkx2s 3Y6zPjd0= X-Gm-Gg: AfdE7cngLSaB1uPtasIVUJnjKIyY/qZCcIFM77I1AFyiz9YOQ3ECa5ZW57gukLn6K8T KnghhuAfTyfQk4t9/q+VvJLp5J5Ot6m1CYH+V2Be1V8o6T10yjNTagYRmDITsDQ5yeKXvw0NsHg 9tX0a7oU8X9qugatrg3Zwk6FDgdBJJ0PnOJUXnvX72TgQNWTO1VFXud3K71c51mmCUiNSHL4uCt yJIc3PtnMyNDgkHfMpIyZmKYjFOERkxH/4l2C43cKt3v5ppI1H+jx4VY6j0L2bsRz4e9YxsUvoM WfCU81copgbNgkqJoRXU4EQa42RAV0sgpisznrG1gCzWnmBGDnNeLLbQebofeBL4W0j3+IhyLiD 8ImQqYujm22JY5299uEv6cOMYIHCBvqnCf1zxPYOIrMqOZzaQCUG5l6qeb45M9cjhW0tVroM3lC GkCDMz4bHXA8gBaqCZBwpVnzpuHHg9eUiB3YH8/Uk1gV2hT+pPPqSeHZF2znHyGthVcPCXuVMfZ +OBsfCYyJhsgZWCc96W8YomF8pLFQ== X-Received: by 2002:a05:600c:e54a:20b0:493:be08:c372 with SMTP id 5b1f17b1804b1-493e68a9aeemr91353155e9.17.1783701423767; Fri, 10 Jul 2026 09:37:03 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:03 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 04/18] expat: fix CVE-2026-41080 Date: Fri, 10 Jul 2026 18:36:19 +0200 Message-ID: <21042df15008ce90b76958d74200298d09d71254.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240665 From: Amaury Couderc The existing hash flooding protection (based on SipHash) only used 4 to 8 bytes of entropy for a salt, when 16 bytes of salt are supported by the implementation of SipHash used by Expat. Now full 16 bytes of entropy are used to improve protection against hash flooding attacks. Introduces new API function XML_SetHashSalt16Bytes and deprecates the legacy XML_SetHashSalt which is limited to 4-8 bytes. The fix is split into 2 patches for reviewability: 1. Main CVE fix: migrates hash salt to 128-bit struct sipkey, extracts 16 bytes of entropy, removes dead get_hash_secret_salt function (copy_salt_to_sipkey accesses the struct directly), adds XML_SetHashSalt16Bytes API, deprecates XML_SetHashSalt, adds symbol export, backport feature macro, tests, and documentation. 2. Windows/cmake: adds the missing .def export for the new symbol. Note: the prerequisite commits that Peter Marko needed for scarthgap (clang-tidy misc-no-recursion fix and WASI getpid removal) are already present in expat 2.7.5, so they are not needed here. Backport patch to fix CVE-2026-41080 https://nvd.nist.gov/vuln/detail/CVE-2026-41080 Upstream fix: https://github.com/libexpat/libexpat/pull/1183 CVE: CVE-2026-41080 Signed-off-by: Amaury Couderc [YC: This is quite invasive as a CVE fix: For reasoning, see https://lore.kernel.org/all/2030b4435c8bc81bb4452637c0517ac33ab94d20.camel@pbarker.dev/] Signed-off-by: Yoann Congal --- .../expat/expat/CVE-2026-41080-1.patch | 517 ++++++++++++++++++ .../expat/expat/CVE-2026-41080-2.patch | 33 ++ meta/recipes-core/expat/expat_2.7.5.bb | 2 + 3 files changed, 552 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-1.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-2.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch new file mode 100644 index 00000000000..e93ad093f25 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch @@ -0,0 +1,517 @@ +From fa1ebd60bfcc6d32f329803e5e837251e2387ed1 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 30 Mar 2025 19:26:55 +0200 +Subject: [PATCH v2 1/2] expat: fix CVE-2026-41080 + +The existing hash flooding protection in libexpat (based on SipHash) +only used 4 to 8 bytes of entropy for a salt, when 16 bytes are +supported by the SipHash implementation. This allows attackers to more +feasibly guess the hash salt and craft inputs that cause hash +collisions, leading to denial of service. + +Backport upstream changes that: +- Migrate hash salt storage to larger struct sipkey (128-bit) +- Drop unused parameter from generate_hash_secret_salt +- Drop unneeded void * casts in generate_hash_secret_salt +- Extract full 16 bytes of entropy for hash flooding protection +- Introduce internal flag m_hash_secret_salt_set +- Remove now-dead get_hash_secret_salt function (copy_salt_to_sipkey + accesses the struct directly) +- Add XML_SetHashSalt16Bytes API function +- Deprecate XML_SetHashSalt +- Add symbol export in libexpat.map.in (LIBEXPAT_2.7.6) +- Add backport feature macro XML_BACKPORT_SET_HASH_SALT_16_BYTES +- Add test_hash_salt_setter unit test +- Update documentation and Changes file + +Squashed backport of upstream PR #1183 commits 909201a8, bc193afc, +08697a9b, f5eacefb, fa1ebd60, f76124e7, e3349d85, c8c5caf4, +592d5fa3, 8ad3ef57, ec9fcd2e, and 8017e11e. + +CVE: CVE-2026-41080 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1183] +Signed-off-by: Amaury Couderc +--- + Changes | 17 ++++++ + doc/reference.html | 55 +++++++++++++++++-- + lib/expat.h | 15 ++++++ + lib/internal.h | 2 + + lib/libexpat.map.in | 5 ++ + lib/xmlparse.c | 124 +++++++++++++++++++++++++++++++++---------- + tests/basic_tests.c | 25 +++++++++ + 7 files changed, 212 insertions(+), 31 deletions(-) + +diff --git a/Changes b/Changes +index 2b3704a6..1d8227ec 100644 +--- a/Changes ++++ b/Changes +@@ -29,6 +29,23 @@ + !! THANK YOU! Sebastian Pipping -- Berlin, 2026-03-17 !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + ++Patches ++ Security fixes: ++ #47 #1183 CVE-2026-41080 -- The existing hash flooding protection ++ (based on SipHash) only used 4 to 8 bytes of entropy for ++ a salt, when 16 bytes of salt are supported by the ++ implementation of SipHash used by Expat. Now full 16 bytes ++ of entropy are used to improve protection against hash ++ flooding attacks. ++ Existing API function XML_SetHashSalt is now deprecated ++ because of its limitations, and its use should be ++ considered a vulnerability. Please either use the new API ++ function XML_SetHashSalt16Bytes (with known-high-quality ++ entropy input only!) instead, or leave the derivation of ++ a 16-bytes hash salt from high quality entropy to Expat's ++ internal machinery (by *not* calling either of the two ++ XML_SetHashSalt* functions). ++ + Release 2.7.5 Tue March 17 2026 + Security fixes: + #1158 CVE-2026-32776 -- Fix NULL function pointer dereference for +diff --git a/doc/reference.html b/doc/reference.html +index 5faa8d65..64b9fd67 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -404,7 +404,11 @@ + + +
  • +- XML_SetHashSalt ++ XML_SetHashSalt (deprecated) ++
  • ++ ++
  • ++ XML_SetHashSalt16Bytes +
  • + +
  • +@@ -3449,22 +3453,35 @@ XML_SetParamEntityParsing(XML_Parser p, + + +

    +- XML_SetHashSalt ++ XML_SetHashSalt (deprecated) +

    + +
    + int XMLCALL
    +-XML_SetHashSalt(XML_Parser p,
    ++XML_SetHashSalt(XML_Parser parser,
    +                 unsigned long hash_salt);
    + 
    +
    + Sets the hash salt to use for internal hash calculations. Helps in preventing DoS + attacks based on predicting hash function behavior. In order to have an effect + this must be called before parsing has started. Returns 1 if successful, 0 when +- called after XML_Parse or XML_ParseBuffer. ++ called after XML_Parse or XML_ParseBuffer or when ++ parser is NULL. ++

    ++ Note: Function XML_SetHashSalt is ++ deprecated. Please use function XML_SetHashSalt16Bytes instead for better ++ security. XML_SetHashSalt only provides 4 to 8 bytes of entropy ++ (depending on the size of type unsigned long) while the SipHash ++ implementation used by Expat can leverage up to 16 bytes of entropy — at least ++ twice as much. Function XML_SetHashSalt16Bytes of Expat >=2.7.6 ++ (and where backported) matches the amount of entropy supported by SipHash. ++

    ++ +

    + Note: This call is optional, as the parser will auto-generate a new +- random salt value if no value has been set at the start of parsing. ++ random salt value internally if no value has been set by the start of parsing. +

    + +

    +@@ -3475,6 +3492,34 @@ XML_SetHashSalt(XML_Parser p, +

    +
    + ++

    ++ XML_SetHashSalt16Bytes ++

    ++ ++
    ++/* Added in Expat 2.7.6. */
    ++XML_Bool XMLCALL
    ++XML_SetHashSalt16Bytes(XML_Parser parser,
    ++                       const uint8_t entropy[16]);
    ++
    ++
    ++ Sets the hash salt to use for internal hash calculations. Helps in preventing DoS ++ attacks based on predicting hash function behavior. In order to have an effect ++ this must be called before parsing has started. Returns XML_TRUE if ++ successful, XML_FALSE when called after XML_Parse or ++ XML_ParseBuffer or when parser is NULL. ++

    ++ Note: Setting a salt that is not from a source of high quality ++ entropy (like getentropy(3)) will make the parser vulnerable to ++ hash flooding attacks. ++

    ++ ++

    ++ Note: This call is optional, as the parser will auto-generate a new ++ random salt value internally if no value has been set by the start of parsing. ++

    ++
    ++ +

    + XML_UseForeignDTD +

    +diff --git a/lib/expat.h b/lib/expat.h +index 18dbaebd..7693f62c 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -45,6 +45,7 @@ + #ifndef Expat_INCLUDED + # define Expat_INCLUDED 1 + ++# include // for uint8_t + # include + # include "expat_external.h" + +@@ -917,10 +918,25 @@ XML_SetParamEntityParsing(XML_Parser parser, + function behavior. This must be called before parsing is started. + Returns 1 if successful, 0 when called after parsing has started. + Note: If parser == NULL, the function will do nothing and return 0. ++ DEPRECATED since Expat 2.7.6. + */ + XMLPARSEAPI(int) + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt); + ++/* Sets the hash salt to use for internal hash calculations. ++ Helps in preventing DoS attacks based on predicting hash function behavior. ++ This must be called before parsing is started. ++ Returns XML_TRUE if successful, XML_FALSE when called after parsing has ++ started or when parser is NULL. ++ Added in Expat 2.7.6. ++*/ ++XMLPARSEAPI(XML_Bool) ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]); ++ ++/* Backport feature macro: signals that XML_SetHashSalt16Bytes is available ++ even though XML_COMBINED_VERSION < 20800. */ ++# define XML_BACKPORT_SET_HASH_SALT_16_BYTES 1 ++ + /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then + XML_GetErrorCode returns information about the error. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 61266ebb..1995c17b 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -113,6 +113,7 @@ + #if defined(_WIN32) \ + && (! defined(__USE_MINGW_ANSI_STDIO) \ + || (1 - __USE_MINGW_ANSI_STDIO - 1 == 0)) ++# define EXPAT_FMT_LLX(midpart) "%" midpart "I64x" + # define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" + # if defined(_WIN64) // Note: modifiers "td" and "zu" do not work for MinGW + # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" +@@ -122,6 +123,7 @@ + # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u" + # endif + #else ++# define EXPAT_FMT_LLX(midpart) "%" midpart "llx" + # define EXPAT_FMT_ULL(midpart) "%" midpart "llu" + # if ! defined(ULONG_MAX) + # error Compiler did not define ULONG_MAX for us +diff --git a/lib/libexpat.map.in b/lib/libexpat.map.in +index 52e59ed3..8527eb54 100644 +--- a/lib/libexpat.map.in ++++ b/lib/libexpat.map.in +@@ -117,3 +117,8 @@ LIBEXPAT_2.7.2 { + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold; + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification; + } LIBEXPAT_2.6.0; ++ ++LIBEXPAT_2.7.6 { ++ global: ++ XML_SetHashSalt16Bytes; ++} LIBEXPAT_2.7.2; +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 0248b665..75a7e5d0 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -604,7 +604,7 @@ static ELEMENT_TYPE *getElementType(XML_Parser parser, const ENCODING *enc, + + static XML_Char *copyString(const XML_Char *s, XML_Parser parser); + +-static unsigned long generate_hash_secret_salt(XML_Parser parser); ++static struct sipkey generate_hash_secret_salt(void); + static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser parserCreate(const XML_Char *encodingName, +@@ -777,7 +777,8 @@ struct XML_ParserStruct { + XML_Bool m_useForeignDTD; + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif +- unsigned long m_hash_secret_salt; ++ struct sipkey m_hash_secret_salt_128; ++ XML_Bool m_hash_secret_salt_set; + #if XML_GE == 1 + ACCOUNTING m_accounting; + MALLOC_TRACKER m_alloc_tracker; +@@ -1192,69 +1193,65 @@ gather_time_entropy(void) { + + #endif /* ! defined(HAVE_ARC4RANDOM_BUF) && ! defined(HAVE_ARC4RANDOM) */ + +-static unsigned long +-ENTROPY_DEBUG(const char *label, unsigned long entropy) { ++static struct sipkey ++ENTROPY_DEBUG(const char *label, struct sipkey entropy_128) { + if (getDebugLevel("EXPAT_ENTROPY_DEBUG", 0) >= 1u) { +- fprintf(stderr, "expat: Entropy: %s --> 0x%0*lx (%lu bytes)\n", label, +- (int)sizeof(entropy) * 2, entropy, (unsigned long)sizeof(entropy)); ++ fprintf(stderr, ++ "expat: Entropy: %s --> [0x" EXPAT_FMT_LLX( ++ "016") ", 0x" EXPAT_FMT_LLX("016") "] (16 bytes)\n", ++ label, (unsigned long long)entropy_128.k[0], ++ (unsigned long long)entropy_128.k[1]); + } +- return entropy; ++ return entropy_128; + } + +-static unsigned long +-generate_hash_secret_salt(XML_Parser parser) { +- unsigned long entropy; +- (void)parser; ++static struct sipkey ++generate_hash_secret_salt(void) { ++ struct sipkey entropy; + + /* "Failproof" high quality providers: */ + #if defined(HAVE_ARC4RANDOM_BUF) + arc4random_buf(&entropy, sizeof(entropy)); + return ENTROPY_DEBUG("arc4random_buf", entropy); + #elif defined(HAVE_ARC4RANDOM) +- writeRandomBytes_arc4random((void *)&entropy, sizeof(entropy)); ++ writeRandomBytes_arc4random(&entropy, sizeof(entropy)); + return ENTROPY_DEBUG("arc4random", entropy); + #else + /* Try high quality providers first .. */ + # ifdef _WIN32 +- if (writeRandomBytes_rand_s((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_rand_s(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("rand_s", entropy); + } + # elif defined(HAVE_GETRANDOM) || defined(HAVE_SYSCALL_GETRANDOM) +- if (writeRandomBytes_getrandom_nonblock((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_getrandom_nonblock(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("getrandom", entropy); + } + # endif + # if ! defined(_WIN32) && defined(XML_DEV_URANDOM) +- if (writeRandomBytes_dev_urandom((void *)&entropy, sizeof(entropy))) { ++ if (writeRandomBytes_dev_urandom(&entropy, sizeof(entropy))) { + return ENTROPY_DEBUG("/dev/urandom", entropy); + } + # endif /* ! defined(_WIN32) && defined(XML_DEV_URANDOM) */ + /* .. and self-made low quality for backup: */ + +- entropy = gather_time_entropy(); ++ entropy.k[0] = 0; ++ entropy.k[1] = gather_time_entropy(); + # if ! defined(__wasi__) + /* Process ID is 0 bits entropy if attacker has local access */ +- entropy ^= getpid(); ++ entropy.k[1] ^= getpid(); + # endif + + /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ + if (sizeof(unsigned long) == 4) { +- return ENTROPY_DEBUG("fallback(4)", entropy * 2147483647); ++ entropy.k[1] *= 2147483647; ++ return ENTROPY_DEBUG("fallback(4)", entropy); + } else { +- return ENTROPY_DEBUG("fallback(8)", +- entropy * (unsigned long)2305843009213693951ULL); ++ entropy.k[1] *= 2305843009213693951ULL; ++ return ENTROPY_DEBUG("fallback(8)", entropy); + } + #endif + } + +-static unsigned long +-get_hash_secret_salt(XML_Parser parser) { +- const XML_Parser rootParser = getRootParserOf(parser, NULL); +- assert(! rootParser->m_parentParser); +- +- return rootParser->m_hash_secret_salt; +-} +- + static enum XML_Error + callProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { +@@ -1323,8 +1320,10 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + static XML_Bool /* only valid for root parser */ + startParsing(XML_Parser parser) { + /* hash functions must be initialized before setContext() is called */ +- if (parser->m_hash_secret_salt == 0) +- parser->m_hash_secret_salt = generate_hash_secret_salt(parser); ++ if (parser->m_hash_secret_salt_set != XML_TRUE) { ++ parser->m_hash_secret_salt_128 = generate_hash_secret_salt(); ++ parser->m_hash_secret_salt_set = XML_TRUE; ++ } + if (parser->m_ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +@@ -1612,7 +1611,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_useForeignDTD = XML_FALSE; + parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif +- parser->m_hash_secret_salt = 0; ++ parser->m_hash_secret_salt_128.k[0] = 0; ++ parser->m_hash_secret_salt_128.k[1] = 0; ++ parser->m_hash_secret_salt_set = XML_FALSE; + + #if XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); +@@ -1779,7 +1780,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + from hash tables associated with either parser without us having + to worry which hash secrets each table has. + */ +- unsigned long oldhash_secret_salt; ++ struct sipkey oldhash_secret_salt_128; ++ XML_Bool oldhash_secret_salt_set; + XML_Bool oldReparseDeferralEnabled; + + /* Validate the oldParser parameter before we pull everything out of it */ +@@ -1825,7 +1827,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + from hash tables associated with either parser without us having + to worry which hash secrets each table has. + */ +- oldhash_secret_salt = parser->m_hash_secret_salt; ++ oldhash_secret_salt_128 = parser->m_hash_secret_salt_128; ++ oldhash_secret_salt_set = parser->m_hash_secret_salt_set; + oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled; + + #ifdef XML_DTD +@@ -1880,7 +1883,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + parser->m_externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg; + parser->m_defaultExpandInternalEntities = oldDefaultExpandInternalEntities; + parser->m_ns_triplets = oldns_triplets; +- parser->m_hash_secret_salt = oldhash_secret_salt; ++ parser->m_hash_secret_salt_128 = oldhash_secret_salt_128; ++ parser->m_hash_secret_salt_set = oldhash_secret_salt_set; + parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled; + parser->m_parentParser = oldParser; + #ifdef XML_DTD +@@ -2327,6 +2331,7 @@ XML_SetParamEntityParsing(XML_Parser parser, + #endif + } + ++// DEPRECATED since Expat 2.7.6. + int XMLCALL + XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + if (parser == NULL) +@@ -2337,10 +2342,46 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) { + /* block after XML_Parse()/XML_ParseBuffer() has been called */ + if (parserBusy(rootParser)) + return 0; +- rootParser->m_hash_secret_salt = hash_salt; ++ ++ rootParser->m_hash_secret_salt_128.k[0] = 0; ++ rootParser->m_hash_secret_salt_128.k[1] = hash_salt; ++ ++ if (hash_salt != 0) { // to remain backwards compatible ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ if (sizeof(unsigned long) == 4) ++ ENTROPY_DEBUG("explicit(4)", rootParser->m_hash_secret_salt_128); ++ else ++ ENTROPY_DEBUG("explicit(8)", rootParser->m_hash_secret_salt_128); ++ } ++ + return 1; + } + ++XML_Bool XMLCALL ++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]) { ++ if (parser == NULL) ++ return XML_FALSE; ++ ++ if (entropy == NULL) ++ return XML_FALSE; ++ ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ /* block after XML_Parse()/XML_ParseBuffer() has been called */ ++ if (parserBusy(rootParser)) ++ return XML_FALSE; ++ ++ sip_tokey(&(rootParser->m_hash_secret_salt_128), entropy); ++ ++ rootParser->m_hash_secret_salt_set = XML_TRUE; ++ ++ ENTROPY_DEBUG("explicit(16)", rootParser->m_hash_secret_salt_128); ++ ++ return XML_TRUE; ++} ++ + enum XML_Status XMLCALL + XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) { +@@ -7842,8 +7883,10 @@ keylen(KEY s) { + + static void + copy_salt_to_sipkey(XML_Parser parser, struct sipkey *key) { +- key->k[0] = 0; +- key->k[1] = get_hash_secret_salt(parser); ++ const XML_Parser rootParser = getRootParserOf(parser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ *key = rootParser->m_hash_secret_salt_128; + } + + static unsigned long FASTCALL +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 02d1d5fd..26662fee 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -204,6 +204,30 @@ START_TEST(test_hash_collision) { + END_TEST + #undef COLLIDING_HASH_SALT + ++START_TEST(test_hash_salt_setter) { ++ const uint8_t entropy[16] = {'0', '1', '2', '3', '4', '5', '6', '7', ++ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ // NULL parser should be rejected ++ assert_true(XML_SetHashSalt16Bytes(NULL, entropy) == XML_FALSE); ++ ++ // NULL entropy should be rejected ++ assert_true(XML_SetHashSalt16Bytes(parser, NULL) == XML_FALSE); ++ ++ // Setting should be allowed more than once ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE); ++ ++ // But not after parsing has started ++ assert_true(XML_Parse(parser, "", 0, XML_FALSE /* isFinal */) ++ == XML_STATUS_OK); ++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_FALSE); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Regression test for SF bug #491986. */ + START_TEST(test_danish_latin1) { + const char *text = "\n" +@@ -6292,6 +6316,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_bom_utf16_le); + tcase_add_test(tc_basic, test_nobom_utf16_le); + tcase_add_test(tc_basic, test_hash_collision); ++ tcase_add_test(tc_basic, test_hash_salt_setter); + tcase_add_test(tc_basic, test_illegal_utf8); + tcase_add_test(tc_basic, test_utf8_auto_align); + tcase_add_test(tc_basic, test_utf16); +-- +2.34.1 diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch new file mode 100644 index 00000000000..0410f8b070f --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch @@ -0,0 +1,33 @@ +From 3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8 Mon Sep 17 00:00:00 2001 +From: Christoph Reiter +Date: Wed, 10 Jun 2026 21:27:51 +0200 +Subject: [PATCH 2/2] cmake|windows: add missing export for new + XML_SetHashSalt16Bytes + +A new XML_SetHashSalt16Bytes symbol was added in #1183, but it +wasn't added to the def file, so the export is missing when building +libexpat on Windows with cmake. + +Add the new symbol to the .def template. + +CVE: CVE-2026-41080 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8] + +Signed-off-by: Christoph Reiter +Signed-off-by: Amaury Couderc +--- + lib/libexpat.def.cmake | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake +index 9b9e22cb..948135a5 100644 +--- a/lib/libexpat.def.cmake ++++ b/lib/libexpat.def.cmake +@@ -83,3 +83,5 @@ EXPORTS + ; added with version 2.7.2 + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72 + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73 ++; added with version 2.7.6 ++ XML_SetHashSalt16Bytes @74 +-- +2.34.1 diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb index 210398fb505..ae90ec04e36 100644 --- a/meta/recipes-core/expat/expat_2.7.5.bb +++ b/meta/recipes-core/expat/expat_2.7.5.bb @@ -17,6 +17,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-45186-05.patch \ file://CVE-2026-45186-06.patch \ file://CVE-2026-45186-07.patch \ + file://CVE-2026-41080-1.patch \ + file://CVE-2026-41080-2.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Fri Jul 10 16:36:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92217 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BEED0C4450A for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1949.1783701426519276037 for ; Fri, 10 Jul 2026 09:37:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=QAAwlH6B; spf=pass (domain: smile.fr, ip: 209.85.221.44, mailfrom: yoann.congal@smile.fr) Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-475cb71a4ebso1099424f8f.0 for ; Fri, 10 Jul 2026 09:37:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701425; x=1784306225; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=HZ1LqezeGrE6RoYLj+1Ype3a2wkhoeDrXG1grhqlBLc=; b=QAAwlH6B47L1s7kMMyEJutpO7vbARwTR12J/trCxdx25u2Bl35YePKOmjHjsByW2XJ I4Y8+qMgH0j0IFdkSTDOPhHhJwljEvW3xdr7CttHe5YgxZ+IIlapxiPBnXtjM+lhNZUW vFQYmknUlrLRGgUsOYrpNkWRZ29Zdo+nlz9Qw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701425; x=1784306225; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=HZ1LqezeGrE6RoYLj+1Ype3a2wkhoeDrXG1grhqlBLc=; b=g5SBwhUZRndbAb6EqxOGP6ydda0kLnZAQMYaXPcHwLz6TIUYW3bWSmSBkDvjnlYntq R9vyL3O14ITdVChSxwY+MvAbg2nhYloUqSTu5ES7MfVdmeHNAwtSJ+MCbQ2CacOc+GcA wkl7ir2swggeOot/1XPYWZx/Tr7wkzgH7bILhZKxwYALZrLHWeqeArEu16lAZ3O28lXf I7EcpQiIBYo1gDHbxgTtu6hASOwv4nlzFv4DbbBuNlk0VD+gH1q4E7BnDACR6urfOXae a0z/TqGWlvS4jFFp1rDUrSht/51mZIwS+Qnjt3abtpvwjMLdAG1nzAFFg0NmafKHg+2b 7Hew== X-Gm-Message-State: AOJu0YwGfxgqYTERYyMEvAkzwLttOAGBrbLfPHMdPXCQ9d8ecak0aYac S2p7ldV9K35pnrkMgzAxV0c7WNQf8OkWYy3/6mykEPHnQ9LHqGSvNnWoUNNzRjPYjhduGVnfIot Xein37jk= X-Gm-Gg: AfdE7cnUnBBxnmoP5DCVy/azi8ML6SdAB64jooxc7QLobSXfM6egpQ5TWjd5I8tVXAT Sz965pKxI5GupTxI4+iMSBJ/lUA5i83+Ib0AGgbHp3HJvYX2KCkg93VdjJUtlCr7w3VU2MCEKqn A7X0y1gG0DGSnYsOH0x592konUKyQyXgrO/wkTmD2aVXpzgGr07VfxQ6bxxHOqGG3yX95Uqmew4 zWZXVvVoJ4O9ueUaX0h9UMXCcCXHBZhMHJwjYa+VR3UxNJsbuQl25esunTEQA6yR35xLKvTr05C HzfgjCzA5T9UhAqfLg9V0ZgLfQNdPkpwb4tw1VpJldKpdd9+wYlfd8KOjPES94B7jQkFcKzxre5 dXBtZoeH7bPbmQUB42z3i8TfYtcQ7YPmgWJ3Ijr3v/CJZ6/1hif2Kk3NgrjsdbAQ4BIT3X+nlOV khQfITsSGDQ3YTWGGDtoN6NS5+HWerncOi0r94jcVi1crZOmYB5v3941HU3zwpS53E7zVXDADIU VdUssYd/nxw46CDQL4eEVHft7bLhQ== X-Received: by 2002:a05:600c:c1c8:10b0:493:c3c9:218c with SMTP id 5b1f17b1804b1-493e68cebf6mr101421365e9.30.1783701424414; Fri, 10 Jul 2026 09:37:04 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:04 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 05/18] python3: upgrade 3.14.5 -> 3.14.6 Date: Fri, 10 Jul 2026 18:36:20 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240666 From: Peter Marko Release notes: [1] Resolves following CVEs from reports: * CVE-2026-3276 * CVE-2026-7210 * CVE-2026-7774 * CVE-2026-8328 * CVE-2026-9669 Resolves also: * shutil.move symlink-based bypass (CVE assignment unknown) Removed obsolete CVE_STATUS entries. Removed patch included in this release. [1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final [2] https://security-tracker.debian.org/tracker/CVE-2026-7210 Signed-off-by: Peter Marko Signed-off-by: Richard Purdie (cherry picked from commit 8ad179c8dd8809ab8861147e5967e7d199ad0fe4) Signed-off-by: Yoann Congal --- ...eadingMock-call-count-race-condition.patch | 37 ------------------- .../{python3_3.14.5.bb => python3_3.14.6.bb} | 7 +--- 2 files changed, 2 insertions(+), 42 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch rename meta/recipes-devtools/python/{python3_3.14.5.bb => python3_3.14.6.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch deleted file mode 100644 index aba3188a59a..00000000000 --- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001 -From: Sai Sneha -Date: Thu, 21 May 2026 13:08:07 +0530 -Subject: [PATCH] Fix ThreadingMock call_count race condition - -ThreadingMock._increment_mock_call() was not thread-safe. -Multiple threads calling the mock simultaneously could lose -increments due to race conditions on call_count and other -attributes. - -Fix by overriding _increment_mock_call in ThreadingMixin -and wrapping it with the existing _mock_calls_events_lock. - -Upstream-Status: Backport [https://github.com/python/cpython/pull/150176] - -Signed-off-by: Sai Sneha ---- - Lib/unittest/mock.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py -index 16f3699e89..56cdc37942 100644 ---- a/Lib/unittest/mock.py -+++ b/Lib/unittest/mock.py -@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs): - - return ret_value - -+ def _increment_mock_call(self, /, *args, **kwargs): -+ with self._mock_calls_events_lock: -+ super()._increment_mock_call(*args, **kwargs) -+ - def wait_until_called(self, *, timeout=_timeout_unset): - """Wait until the mock object is called. - --- -2.34.1 diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.14.5.bb rename to meta/recipes-devtools/python/python3_3.14.6.bb index fd407c96035..e7db713ded1 100644 --- a/meta/recipes-devtools/python/python3_3.14.5.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Skip-flaky-test_default_timeout-tests.patch \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ - file://0001-Fix-ThreadingMock-call-count-race-condition.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ " -SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6" +SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" @@ -531,7 +530,5 @@ py3_sysroot_cleanup () { rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test } -CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5" -CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5" CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5" -CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5" +CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6" From patchwork Fri Jul 10 16:36:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92212 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59547C44507 for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1950.1783701426842609805 for ; Fri, 10 Jul 2026 09:37:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=06LroGBr; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-493ae59eca6so5824025e9.1 for ; Fri, 10 Jul 2026 09:37:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701425; x=1784306225; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=BwZSNwyJreqe214qhJ8Rx2I5nElYTJyC4owvRlMCnKM=; b=06LroGBrYsjZlkVXwvoTUqsuoTZuIfUDy93de9vawVM5fWA3WWnfmoJRDYBJ+OzhSS h+yKgzK1mhyzEGSguC536bN3lRSiS2+6+6Ux2c5qyvKjRVVdJhw35lwUT0eYm+NAsSgl Qr8Xt+acpoHpgRhSDbpageAV1TNHrCJ8g2i8I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701425; x=1784306225; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=BwZSNwyJreqe214qhJ8Rx2I5nElYTJyC4owvRlMCnKM=; b=BMMGRtYMx5wYS8zebjL4AiSm2CHT7RLR/x5X1lFFhb2p3fuWwuUla3c6G3+YUgk5eR gES95//V4UPwbhZdcXXDdecmAexzDzNjAmk3S0XitzCBGXToofRczAYfnzN+z6RLduMo dAcQxXXfV+EMn01Ks+GmdAV6AII8oa+WLOSmKdRWJR1iegZjyzcKvmgXD308lW/pAh40 4tM0KnorPbX8vtV9Ziz60LUIyZk8u/qMZ2d1WoHfRd0DjmYIhJp3j57O11xWH/WyDD4V gKgTiKE4EQ0enIeEXEkKCzlb/8zXedCeXSYeoxlkV0ZfcgpFU6MDjy4MgdFEy9MUCsAu cXqQ== X-Gm-Message-State: AOJu0YzjbnhAwlHP8BSrbQ1+bikOd0CnVfaTWJgj+wzICVAbY2oXQ7Zt n9gLNEfL5+l3HL5iecX2ox00IYgYvS1IdCncqT8FBUw37DmcDR02PoUU8fUyTUqmCvpTvUC5aZU HslxX2i0= X-Gm-Gg: AfdE7cn9DNVBDxUohUBQErYoR+2+AhFPXUR0xfEcek6dtcJxp10HlgpmK5SEtbkvXq6 XO0Iu0c3+Af6wEu/sOlPKP4EG/xqqNT6oYqDfiasK6VG69WvvUiML3NhRbWjXHZ4OBy3XePeUyQ 8tYy/1kBKl5r0oOflqqT6V6N3K57lI+EgSy8clsTvrZiZZCK4PbS+533uPWIZ7lPJNtsOxRGYe+ fF0qx/nHtQUyf7kB6ByEyuS4q0OG7Hf5kyUpc4dFqZ/G0WIp97pKeJnrl8nltUgaql6s5pZIpjv ICh8i8eFI/iZOcyHapZI0IVHJEiel1/qICR9wIwyriAa/eKtjN6k+2Nn5z9892DLTzvmHaeiyVb mIALENfBfQ5K138T83m45Gs7S7e5jbv2KjlUDjOpsyR5MEoCX0Gh2gscs2tThsKBpzb5OsTwTl7 q6EKnlu+gnh7g+0fCUuMYDJ5UOINg1+uIVNXqRHqVj4g7S76JSE9Y8a8Vxv43PeT5FlOEg3LTTR iElP+zpiRBlw2fafkY= X-Received: by 2002:a05:600c:6218:b0:493:f80c:5455 with SMTP id 5b1f17b1804b1-493f80c5fd3mr2854925e9.5.1783701425125; Fri, 10 Jul 2026 09:37:05 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:04 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 06/18] python3: fix CVE-2026-11940 Date: Fri, 10 Jul 2026 18:36:21 +0200 Message-ID: <163ac5caf6191146fd5259dce198832b3b2589d0.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240667 From: Benjamin Robin (Schneider Electric) tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. Signed-off-by: Benjamin Robin (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 85f043e207cc59bb3d0a7d1eac5088714dcf4611) Signed-off-by: Yoann Congal --- .../python/python3/CVE-2026-11940.patch | 67 +++++++++++++++++++ .../recipes-devtools/python/python3_3.14.6.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11940.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch new file mode 100644 index 00000000000..05a5802c396 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch @@ -0,0 +1,67 @@ +From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 23 Jun 2026 15:58:47 +0200 +Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile` + hardlink-extraction fallback (GH-151559) + +CVE: CVE-2026-11940 +Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f] + +Signed-off-by: Benjamin Robin +--- + Lib/tarfile.py | 3 +++ + Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index e6734db24f64..63f23490e8a1 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath, + "makelink_with_filter: if filter_function is not None, " + + "extraction_root must also not be None") + try: ++ filter_function( ++ unfiltered.replace(name=tarinfo.name, deep=False), ++ extraction_root) + filtered = filter_function(unfiltered, extraction_root) + except _FILTER_ERRORS as cause: + raise LinkFallbackError(tarinfo, unfiltered.name) from cause +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index d974c7d46ec1..0fc7413be8db 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self): + self.expect_file("boom", symlink_to='../../link_here') + self.expect_file("c", symlink_to='b') + ++ @symlink_test ++ def test_sneaky_hardlink_fallback_deep(self): ++ # (CVE-2026-11940) ++ with ArchiveMaker() as arc: ++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape")) ++ arc.add("s", hardlink_to=os.path.join("a", "b", "s")) ++ ++ with self.check_context(arc.open(), 'data'): ++ e = self.expect_exception( ++ tarfile.LinkFallbackError, ++ "link 's' would be extracted as a copy of " ++ + "'a/b/s', which was rejected") ++ self.assertIsInstance(e.__cause__, ++ tarfile.LinkOutsideDestinationError) ++ ++ for filter in 'tar', 'fully_trusted': ++ with self.subTest(filter), self.check_context(arc.open(), filter): ++ if not os_helper.can_symlink(): ++ self.expect_file("a/") ++ self.expect_file("a/b/") ++ else: ++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape')) ++ self.expect_file("s", symlink_to=os.path.join('..', 'escape')) ++ + @symlink_test + def test_exfiltration_via_symlink(self): + # (CVE-2025-4138) +-- +2.54.0 diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb index e7db713ded1..80be938ed50 100644 --- a/meta/recipes-devtools/python/python3_3.14.6.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Skip-flaky-test_default_timeout-tests.patch \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ + file://CVE-2026-11940.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ From patchwork Fri Jul 10 16:36:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92213 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D795C44508 for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1854.1783701427680979083 for ; Fri, 10 Jul 2026 09:37:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=iP+/Osnp; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-493bb510ce4so8415195e9.1 for ; Fri, 10 Jul 2026 09:37:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701426; x=1784306226; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=mfXk0h1YU6lGn7Tt2W0spfD0cq5jmLIpZwDKkrzZa4M=; b=iP+/OsnpdH+KHCwVaQjqszaFszC779Mwo3jl8Pj0tLZTOSGC7rYO48CvdmRQxYS9BD fAeM0he1OBwf0fekStl2YF91YRXwT2/34KJ8whZsHvYOs3zcP0+gkq54Ft0QAlWTFvQ5 BjbjnWBZvzvOMykIhbxMji6IDVPnXSyeY4ii4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701426; x=1784306226; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=mfXk0h1YU6lGn7Tt2W0spfD0cq5jmLIpZwDKkrzZa4M=; b=R7RggYaZ0Jq0s2lGlWP5+iaBHnYQKOKpjbsNmLnaKpYXM8UiNJsHYJUpG2KZi1Iibc UUbKg1a7yMTd4L9shCV92YwChSUSho0hiyYfd+W+o2VXTWGRwmT4WThXKuv0ma5xD5iP pGAqiI5hLac6BqwpensN4t3U/AGPl2XLFzyYEHUkP4BXIwD8qzqexmXOM/gqgoBhCLua c8ZU3URfcYu0bAKaj4RSm/VOe0K4YJASZpQmfsZWqDPvtpiR0gO7BgXLyrcwehKkQldV 8G1VEUNeZsPstARr9Kes/AT5K8pXgVrg7bg8/wYadoY50pr09S082JyhgGKhnqAIwFtM Epsg== X-Gm-Message-State: AOJu0YyKFDq7PI5p19ex5dIx4pyGJK+8oDt2Ys2KKvtk5DypG9vs5Qrt VbE+ShNX60wLfpYwBMrGlp2TJ4w9JqmsrhGD3yuIg1A8h8U/N8MqMI+dQYjm4AwVjUTCODGIXql cLLQaD7w= X-Gm-Gg: AfdE7ckhwlZsx0ydp8R9wZIbABVgM06UCI2EqVXQNO1/zVDdF+vvfY8KjB/5zX3zCFx Z1rzq6se7TXuAds6O0lZljLlS+weadhQkET0YxItNsxBHl1XqMT9hw3jPvrGwnhtUu0xWKoZDPw 4GJ5r/kngCj4sswPvTlHyUPlXaResArqMSzOeXuSeI+VN0ATrRC18yD6Qrl6oSplyWOXT4SHSLe kwC/KlOf31v0jSRgsk1Ms9k/80oV+hJgSDvSpQhHxz/bAeELULc/Ha0WSJU76XD4P2vK4EIVA9N e1FejdnT7PkZP7M4aL95kwTvSz7Jg9u2JK77P6azDB9zo+iMXIT5O/TSwehfcEUxT79fuU5sBMt iegL8o0TB9JrniyqOOUZJHbTqUL/VxRtN1tHSxpY0zZcDaMyydAPm5J8FIG3St/qpT59CU5UK2t /3ejexAg4T0Msf37ft+VS6CScyynf8X+p06z+UmVA7KoZLApN4Shv0BFuIvdMsy6l8VzvXN3cVj 8jI+MHOAt5Ug0nHbmo= X-Received: by 2002:a05:600c:34c9:b0:493:bc4a:fb50 with SMTP id 5b1f17b1804b1-493e68fd540mr122348175e9.38.1783701425892; Fri, 10 Jul 2026 09:37:05 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:05 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 07/18] python3: fix CVE-2026-11972 Date: Fri, 10 Jul 2026 18:36:22 +0200 Message-ID: <3f317501a830ef4f57ff494ca73b45fa662e72b6.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240668 From: Benjamin Robin (Schneider Electric) When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. Signed-off-by: Benjamin Robin (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit bbd9c82298880ab61b9befea97dfe8a0a4943836) [YC: re-added removed Co-authored-by: trailer to the patch] Signed-off-by: Yoann Congal --- .../python/python3/CVE-2026-11972.patch | 61 +++++++++++++++++++ .../recipes-devtools/python/python3_3.14.6.bb | 1 + 2 files changed, 62 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11972.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch new file mode 100644 index 00000000000..12a79754feb --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch @@ -0,0 +1,61 @@ +From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 23 Jun 2026 15:13:30 +0200 +Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF + (GH-151982) + +Co-authored-by: Stan Ulbrych + +CVE: CVE-2026-11972 +Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896] + +Signed-off-by: Benjamin Robin +--- + Lib/tarfile.py | 4 +++- + Lib/test/test_tarfile.py | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 63f23490e8a1..399f906efdff 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -524,7 +524,9 @@ def seek(self, pos=0): + if pos - self.pos >= 0: + blocks, remainder = divmod(pos - self.pos, self.bufsize) + for i in range(blocks): +- self.read(self.bufsize) ++ data = self.read(self.bufsize) ++ if not data: ++ break + self.read(remainder) + else: + raise StreamError("seeking backwards is not allowed") +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 0fc7413be8db..045377d620cc 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path): + with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter): + self.expect_exception(TypeError) # errorlevel is not int + ++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT]) ++ def test_getmembers_big_size(self, format): ++ # gh-151981: A loop in seek() for streaming files tried to read the ++ # declared number of blocks even at EOF ++ tinfo = tarfile.TarInfo("huge-file") ++ tinfo.size = 1 << 64 ++ bio = io.BytesIO() ++ # Write header without data ++ bio.write(tinfo.tobuf(format)) ++ ++ # Reset & try to get contents ++ bio.seek(0) ++ with tarfile.open(fileobj=bio, mode="r|") as tar: ++ with self.assertRaises(tarfile.ReadError): ++ tar.getmembers() ++ + + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") +-- +2.54.0 diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb index 80be938ed50..0a9e82d445f 100644 --- a/meta/recipes-devtools/python/python3_3.14.6.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ file://CVE-2026-11940.patch \ + file://CVE-2026-11972.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ From patchwork Fri Jul 10 16:36:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92214 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B15D2C4450B for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1951.1783701428406199027 for ; Fri, 10 Jul 2026 09:37:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=1/WL8pRu; spf=pass (domain: smile.fr, ip: 209.85.128.42, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-493f25d47dcso8948635e9.1 for ; Fri, 10 Jul 2026 09:37:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701427; x=1784306227; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=uSAzx0pqCDNWGeTM1PUC8935CV+Y6g65IUJ2sjj1ZQU=; b=1/WL8pRugdnEnLVa7zGsy8IWnYGo9LDXPsw3MlkcDiMv86kvnoGczJ5ucPLqNwRCWU HgFBYAXO8in/vkZxtoDPzxerhiyNf5WvAqXHguILjAwIqI4jnZZd8oB3j3SrVPZRNCJ9 j2KNOh9RPDANCAbJ5yjVPSfPUN52+TTTMykSs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701427; x=1784306227; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=uSAzx0pqCDNWGeTM1PUC8935CV+Y6g65IUJ2sjj1ZQU=; b=m3QNiDTPI9U6sKtYRIGGji0qjBh+Qf8vEsVMV8DInf0Az4p4wGrgfwu2rZrbXCyjBM Q/5ELoCC4nOEKdjnDkP9RD81qTWp+0BhVIbyGNbTCPjG9Uoy19FeCGgpTgnA1S1DOkCN yzWiKQICLTZTJM1nLCCMVBVaUDcC+qwg7ogdgHAHcLHcSYBAVPQw60xfXrTCxJ6+o2yU DJBCRxFquFIovb1HNv9Q4D2Y8D5zjgZ2ph1Y6aMOloQkUKh3Js3CMDw7j9JbKYPqfdqp jlvtb79om9/TGC7aCF+Ilo0tuxKiRlVxa7IygS6ZH7eSvVNiaiuIO+5ZrUmYTSXshMYV 8F4w== X-Gm-Message-State: AOJu0YyRYOqdER6FljwFCy6NJu2rtZGjv5r5VCrYWIuNeYi/fRCMO2+2 JEK1ef2u8SzYLxDbFNq9gkY9nB/5lGJH7HhMz3Boqltc6OOWbLcI+w8Oun7q7xRka0i9jIiyTpk waPd/p08= X-Gm-Gg: AfdE7cn6KCuVFOrdodDBmgFdND1Fw5WUbWsAXnniJ65jYXD2MXS6r2gx5R5mxkKFWAX slcdCtzbGyiVoa7xwuU3+oMQebw8C33BG/z6nTqKRKFGN7x+oPLCYLtFjFdYtxjEXhAEFXe+Z5h 0nDq9ZA//lROisHdhamtspazrxRE9fo58g3Pn9wLJ9YgCgj45m9IfikuOmpGiPl5F5qyCcKxnQH +A037UzxI/8J3mewXRtBaRllePd9HNzkRQUWl/AMSDu3UN8do8omk39vTCdqJXY+rMjhTsu4ANB QUIq6ELns/FLG1HxwyIyuz384xlZPa/aILGYP6QaFhpa77acFP8P3b3qfYwH8L/W9QEVFA0Zn8R 0om9IUsTlv2Jh3GQdwIg+TdBEN86g9X4nOlKiERNpH6McgEM2IaA58FxhZ+i+XrnwxVVrougZ4U iBmIPpWT9en9XtFXq2hoQkEul6+Ake+HWbCmUnuV1fHImgTuEFwEwOkYG1TEOQkOcXXDWhfPWNS IgMKTHcp8zlEnKerMs= X-Received: by 2002:a05:600c:821a:b0:493:a570:df7d with SMTP id 5b1f17b1804b1-493e68bef51mr125319625e9.20.1783701426546; Fri, 10 Jul 2026 09:37:06 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:06 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 08/18] opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal ELFs Date: Fri, 10 Jul 2026 18:36:23 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240669 From: Gustavo Henrique Nihei opensbi_1.8.1.bb passes ELFFLAGS="${LDFLAGS}" via EXTRA_OEMAKE. Being a make command-line assignment, it overrides OpenSBI's in-Makefile "ELFFLAGS +=" and drops the mandatory firmware link flags: -Wl,--gc-sections -Wl,--exclude-libs,ALL -Wl,--build-id=none -Wl,--no-dynamic-linker -Wl,-pie Losing --gc-sections retains unused fdt_*/atomic_* code and grows .text; losing -pie/--no-dynamic-linker drops the M-mode firmware hardening. The distro LDFLAGS were not reaching the link regardless: OpenSBI rebuilds CC from CROSS_COMPILE (Makefile: CC = $(CROSS_COMPILE)gcc), so oe's CC and its TARGET_CC_ARCH += "${LDFLAGS}" do not apply, and passing them via ELFFLAGS was the only path in. They are also dynamic-linking flags with no role in bare-metal firmware, so drop the override; REPRODUCIBLE=y and CROSS_COMPILE stay. Removing it re-exposes an ldflags QA warning that the injected --hash-style=gnu had been satisfying. These firmware ELFs are bare-metal M-mode binaries (--build-id=none, no dynamic linker) that legitimately carry no GNU_HASH, so add INSANE_SKIP += "ldflags", as linux-firmware does. Tested on oe-core master (DISTRO=nodistro, MACHINE=qemuriscv64) via the oe-nodistro-master bitbake-setup config: bitbake opensbi grep -c gc-sections .../opensbi/*/temp/log.do_compile # 0 -> 4 Before, the fw_jump.elf link carries only the LDFLAGS content (-Wl,-O1, --hash-style=gnu, --as-needed, -z relro/now) with OpenSBI's flags absent, and do_package_qa reports ldflags errors on all three firmware ELFs. After, the link carries OpenSBI's flags (-Wl,--gc-sections, --exclude-libs,ALL, --build-id=none, --no-dynamic-linker, -pie) and QA passes. On a single-SoC defconfig, restoring --gc-sections roughly halves fw_jump.bin. Fixes: 9f95660886db ("opensbi: Pass CROSS_COMPILE and REPRODUCIBLE flags") AI-Generated: Uses Cursor Signed-off-by: Gustavo Henrique Nihei Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 9bf56df6decf3b0a07e5a0814f4ad2d6317568f9) Signed-off-by: Yoann Congal --- meta/recipes-bsp/opensbi/opensbi_1.8.1.bb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb b/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb index 0a9652c2831..255bab2b58f 100644 --- a/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb +++ b/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb @@ -16,7 +16,7 @@ TARGET_DBGSRC_DIR = "/share/opensbi/*/generic/firmware/" TARGET_CC_ARCH += "${LDFLAGS}" RISCV_SBI_FW_TEXT_START ??= "0x80000000" -EXTRA_OEMAKE += "REPRODUCIBLE=y CROSS_COMPILE=${HOST_PREFIX} ELFFLAGS="${LDFLAGS}" PLATFORM=${RISCV_SBI_PLAT} I=${D} FW_TEXT_START=${RISCV_SBI_FW_TEXT_START}" +EXTRA_OEMAKE += "REPRODUCIBLE=y CROSS_COMPILE=${HOST_PREFIX} PLATFORM=${RISCV_SBI_PLAT} I=${D} FW_TEXT_START=${RISCV_SBI_FW_TEXT_START}" EXTRA_OEMAKE:append:toolchain-clang = " LLVM=y" # If RISCV_SBI_PAYLOAD is set then include it as a payload EXTRA_OEMAKE:append = " ${@riscv_get_extra_oemake_image(d)}" @@ -50,4 +50,8 @@ FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_jump.*" FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_payload.*" FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_dynamic.*" +# OpenSBI firmware ELFs are bare-metal M-mode binaries (--build-id=none, +# no dynamic linker) and intentionally do not carry GNU_HASH. +INSANE_SKIP += "ldflags" + COMPATIBLE_HOST = "(riscv64|riscv32).*" From patchwork Fri Jul 10 16:36:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92211 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57288C44506 for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1856.1783701428993274554 for ; Fri, 10 Jul 2026 09:37:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=OefmqOFW; spf=pass (domain: smile.fr, ip: 209.85.128.47, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-493ba701891so9983085e9.3 for ; Fri, 10 Jul 2026 09:37:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701427; x=1784306227; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=K2NMAT89X0pOYDzdDZblvU1/M7EvlW2+wR33hHTCjrc=; b=OefmqOFW+Q7NVPFbuu0XbSviyGmkLc32A/B3b4C0oY7iyy9px/2AXlgsC5+HgU80sT Ax8pTSQ+R6GIAhLdTYmvc8zUoeHEot+C09JLgwku173/FJbNLgohtuzMgVsrniOGb4yc ffkoRyfNW1Y2h//D26Um68MuBGUtes7EDLYnI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701427; x=1784306227; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=K2NMAT89X0pOYDzdDZblvU1/M7EvlW2+wR33hHTCjrc=; b=XvXwDv547Up6lGbXxbl4qEaYthvl/W1Mc7gar+3X5Tvj6lYJLCHyO90pVKwRtlqk7k hfKFrVvyZ5GuWO/mBYX5QZ6V0DOqZjVwwxBBCDt2gp435jSMTk7RuaBfnbkz5ZF6yP/t svKvDEAknXjFJjgJc81nUhpHRT0nEVeilVARaun2oirrPyZLXOpTwRbxA3fcKHVqEvFd fbay4sRwWi4ZGPgQVB5To1+K/Yois67uCzMAVyLtNsD0T6Z3+fR73uao6o6QC0LCxzF2 aDsG4MxhidKCKfagx8VJ/OxCyVc5m/aW2nGub+KiTTrGL8utQl2HZp4amjyp9Q6v82LF GeOg== X-Gm-Message-State: AOJu0Yyl+keXil5pO1Lz5gsH2AtPOX55uqH6jdt4JEw4ujQuKW9c8eLs 9XKBvi7HQMW0eULnwmVjSa8m9oCYGPQeFeGpnu3pdmx2/EJwI5ElBfXkZc2lg74XSX1yN1jGzAY Vz8OvGqo= X-Gm-Gg: AfdE7clvUj/8bpYgerL8h5g+6knW+mGISPMSWOxNQ1Z8Duph+ISLrOdTD/XgTGsMHLZ q1iBSd0//pZ8hs10ozslFdYFO8hsGyAzj8xPFbK/jAhdtLpBg96LQyR+Odn8FrP87QX31sDxamm DIM0DRpeksBlX+6DmoywKqSsHqyFsA5d1kAtd+TI3Wu/803AZjmOYn4Y/z0fV47nacM2VqEqWvs s1b8Uf/DzVkqLlb59Bxo4tJ4j6b+mXQVggY6GDNvLfZh8lBxee3KVgqiSR19Y176LVlU13iFr57 X4tSww9aVB+u4kxOYOr8qHFYrBB2YW+y+2zGmCn9R3f7RaergzXd4uAfQ3RKe559hQUd7FcBLU2 bc46ZIAKPfaGQ2byQNWtiGWbQf7yy6tAX6fZtIln/GSuuQQzBUDsOBfRSYdOI05OUDm0dyMkhV1 jbgezeKVncegLOe9giEF5tMrkXklRzuBnNG9X2nIXyj7k3Xm6OxypuGCQKB6tQw1rm8BwLoE2SI bAUWu2T/5pqMb/CUD6TvNnfMb/SgQ== X-Received: by 2002:a05:600c:e557:10b0:490:e19b:bd99 with SMTP id 5b1f17b1804b1-493e68d05e3mr88371275e9.30.1783701427171; Fri, 10 Jul 2026 09:37:07 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:06 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 09/18] create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for do_create_image_sbom_spdx Date: Fri, 10 Jul 2026 18:36:24 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240670 From: Eric Meyers The override was "task-create-image-sbom" but BitBake derives it as "task-create-image-sbom-spdx" (do_ stripped, underscores to hyphens), so the skip was never applied. The task then cached an ${IMAGE_NAME}-stamped SBOM in sstate, letting a stale spdx.json be restored via setscene. A later do_sbom_cve_check would compute the current IMAGE_NAME and fail with "No such file or directory" on the missing timestamped SBOM. Correct the key so the image SBOM is always regenerated, never restored from sstate. Signed-off-by: Eric Meyers Cc: Joshua Watt Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 45302ff5cfaf91ece74d4065acf710507f27da15) Signed-off-by: Yoann Congal --- meta/classes-recipe/create-spdx-image-3.0.bbclass | 2 +- meta/classes-recipe/nospdx.bbclass | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass index 15a91e90e26..cf79ef5b013 100644 --- a/meta/classes-recipe/create-spdx-image-3.0.bbclass +++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass @@ -71,7 +71,7 @@ python do_create_image_sbom_spdx() { } addtask do_create_image_sbom_spdx after do_create_rootfs_spdx do_create_image_spdx before do_build SSTATETASKS += "do_create_image_sbom_spdx" -SSTATE_SKIP_CREATION:task-create-image-sbom = "1" +SSTATE_SKIP_CREATION:task-create-image-sbom-spdx = "1" do_create_image_sbom_spdx[sstate-inputdirs] = "${SPDXIMAGEDEPLOYDIR}" do_create_image_sbom_spdx[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" do_create_image_sbom_spdx[stamp-extra-info] = "${MACHINE_ARCH}" diff --git a/meta/classes-recipe/nospdx.bbclass b/meta/classes-recipe/nospdx.bbclass index 925dc7c5b7a..6ccb93ba018 100644 --- a/meta/classes-recipe/nospdx.bbclass +++ b/meta/classes-recipe/nospdx.bbclass @@ -11,4 +11,4 @@ deltask do_create_spdx_runtime deltask do_create_package_spdx deltask do_create_rootfs_spdx deltask do_create_image_spdx -deltask do_create_image_sbom +deltask do_create_image_sbom_spdx From patchwork Fri Jul 10 16:36:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92210 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49B62C44501 for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1953.1783701429749774725 for ; Fri, 10 Jul 2026 09:37:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=hbZQJP1M; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-493f6de72faso3402705e9.0 for ; Fri, 10 Jul 2026 09:37:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701428; x=1784306228; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=DkRPF5yKHeHYy5EUWsRHqSr4eTaDL4GPxV3DqfWUJfE=; b=hbZQJP1MQTxC87w57C+ihfl3txm5NUhtmGFMWwr00NQDibIXVbQcGBFbiziH3G43yX Fr5KUWVkQ3ONz8VlJIqcqzLDy26ybM2XXjL9IRjcxonWfu/o8jh9C3a5fBwhkmqw02Cb xEMKFRsmVPYOqC9Le08TpBTxAcl9jLfG7OHsI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701428; x=1784306228; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=DkRPF5yKHeHYy5EUWsRHqSr4eTaDL4GPxV3DqfWUJfE=; b=d60zZCZQvPGgWkeOmvewRGjfSHITVTwFGUVQnZigzNpcTKb2DLnrDaVLa26ojOFqCU Fi1JBzSBLrWjUgg6+f6Qn1vLnfpNLq4LPgVTPh+eTEHdaMwdTghawJnyIjP6VB3lRQ1i HmfAcwstnKaC3ZXbDUeutM2kBgXWZk+AVof9j7bDveCv3c3I2XnSQldCpOrzLmzxor+z Tu/iYsDJ+3nQIM+EuPNNMkYxF34fvPRtfyZbI9uuiTi0tMSr+M3ofuvv+aQx3SheTg4H 9G1qHssbGcx0Z3ZEJImef2IfK2F62ZYysCtlNQAVM3FvosCw/CJQDVwRLxUKIPE1mAfM ZIbQ== X-Gm-Message-State: AOJu0YwF/55wHip6sOy9XrzHBB3z+J2t7WKlG3ywHhGtiXqobKsHV1Xf OdT+t0OcMzU/996pgaawxdhGXrYrL30AN3LQRy8zcw7BLg48KbqJujH36pK+nBegBIiaGhjVqIV aE4yZqu0= X-Gm-Gg: AfdE7cm4ARqx7Y/vU0pxUOaCQq7TWg1LoboKifUJRK0LFDOkANvt0W8cDeJznd1vxI4 D8YUH8ewJ5egl0cYZceBb5pQ+71728A1IyBEAFDRBE0OnjHP24iN8vYflk6OhkhrbKRibhz/8J9 SPpOH7GVeqhqnESnqpGO4oL/RnZA+N8khck38gzfX12aWLzQaPZTAWxWmpgtWUGwqL+eT1Kgf+Q UMhsS43pvVz501i5/HBZHAamvig1Pyx49v9BzHYx7My9NbMU5N5A3ItL5TB9vPEzOABJMTmZJ/J zW8cfKJydG2L0rdQ1qUQC+j7c0f1O7IyDCwtCk1CYSRp63aHirdHOWAD9nzeNdNxsVogeGt45ea a9lcAPQaXJqWfyugcHK/dZMXCBNNRl1C2Z6SzncFTC3WxxtYyRZzUceF5bDYa3b+DeCDHmiwQB/ uhOgz94UA6HDjcfZWneTCauZlD4eHOg5+UYoh+zd4eO+Xv2ytECvihgUiPnsSBvG1SEAFOWMT6s o4Uyr+aQA90mM/eeeU= X-Received: by 2002:a05:600c:46cd:b0:492:6f5c:fd8c with SMTP id 5b1f17b1804b1-493f2b3fedcmr41983725e9.15.1783701427855; Fri, 10 Jul 2026 09:37:07 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:07 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 10/18] python3-urllib3: Fix CVE-2026-44431 Date: Fri, 10 Jul 2026 18:36:25 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240671 From: Sudhir Dumbhare Applies the upstream fix [1] referenced in [2] and addresses the sensitive-header redirect handling issue in proxied low-level urllib3 requests. [1] https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc [2] https://ubuntu.com/security/CVE-2026-44431 References: https://nvd.nist.gov/vuln/detail/CVE-2026-44431 Signed-off-by: Sudhir Dumbhare [YC: moved the new SRC_URI block up following the Recipe Style Guide] Signed-off-by: Yoann Congal --- .../python3-urllib3/CVE-2026-44431.patch | 157 ++++++++++++++++++ .../python/python3-urllib3_2.6.3.bb | 3 + 2 files changed, 160 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch new file mode 100644 index 00000000000..d7063b136a8 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch @@ -0,0 +1,157 @@ +From ca72cfc9233edcf886b9e0dd187a9c4bca780f9b Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Thu, 7 May 2026 18:40:31 +0300 +Subject: [PATCH] Merge commit from fork + +* Remove sensitive headers in proxy pools too + +* Add a changelog entry + +* Check retries history in tests + +Co-authored-by: Copilot + +--------- + +Co-authored-by: Copilot + +CVE: CVE-2026-44431 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc] + +Backport Changes: +- Omitted changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst because it is not + present in the current version. + +(cherry picked from commit 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc) +Signed-off-by: Sudhir Dumbhare +--- + dummyserver/asgi_proxy.py | 1 + + src/urllib3/connectionpool.py | 12 ++++ + .../test_proxy_poolmanager.py | 72 +++++++++++++++++++ + 3 files changed, 85 insertions(+) + +diff --git a/dummyserver/asgi_proxy.py b/dummyserver/asgi_proxy.py +index 00c0a1b8..3ff18673 100755 +--- a/dummyserver/asgi_proxy.py ++++ b/dummyserver/asgi_proxy.py +@@ -56,6 +56,7 @@ class ProxyApp: + client_response = await client.request( + method=scope["method"], + url=scope["path"], ++ params=scope["query_string"].decode(), + headers=list(scope["headers"]), + content=await _read_body(receive), + ) +diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py +index 3a0685b4..0f33863c 100644 +--- a/src/urllib3/connectionpool.py ++++ b/src/urllib3/connectionpool.py +@@ -896,6 +896,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods): + body = None + headers = HTTPHeaderDict(headers)._prepare_for_method_change() + ++ # Strip headers marked as unsafe to forward to the redirected location. ++ # Check remove_headers_on_redirect to avoid a potential network call within ++ # self.is_same_host() which may use socket.gethostbyname() in the future. ++ if retries.remove_headers_on_redirect and not self.is_same_host( ++ redirect_location ++ ): ++ new_headers = headers.copy() # type: ignore[union-attr] ++ for header in headers: ++ if header.lower() in retries.remove_headers_on_redirect: ++ new_headers.pop(header, None) ++ headers = new_headers ++ + try: + retries = retries.increment(method, url, response=response, _pool=self) + except MaxRetryError: +diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py +index 4a932c0d..6921bc6d 100644 +--- a/test/with_dummyserver/test_proxy_poolmanager.py ++++ b/test/with_dummyserver/test_proxy_poolmanager.py +@@ -37,6 +37,7 @@ from urllib3.exceptions import ( + SSLError, + ) + from urllib3.poolmanager import ProxyManager, proxy_from_url ++from urllib3.util.retry import RequestHistory + from urllib3.util.ssl_ import create_urllib3_context + from urllib3.util.timeout import Timeout + +@@ -300,6 +301,77 @@ class TestHTTPProxyManager(HypercornDummyProxyTestCase): + assert r._pool is not None + assert r._pool.host != self.http_host_alt + ++ _sensitive_headers = { ++ "Authorization": "foo", ++ "Proxy-Authorization": "bar", ++ "Cookie": "foo=bar", ++ } ++ ++ @pytest.mark.parametrize( ++ "sensitive_headers", ++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}), ++ ids=("capitalized", "lowercase"), ++ ) ++ def test_cross_host_redirect_remove_headers_via_proxy_manager( ++ self, sensitive_headers: dict[str, str] ++ ) -> None: ++ headers_url = f"{self.http_url_alt}/headers" ++ initial_url = f"{self.http_url}/redirect?target={headers_url}" ++ with proxy_from_url(self.proxy_url) as proxy_mgr: ++ r = proxy_mgr.request( ++ "GET", initial_url, headers=sensitive_headers, retries=1 ++ ) ++ assert r.status == 200 ++ assert r.retries is not None ++ assert r.retries.history == ( ++ RequestHistory( ++ method="GET", ++ url=initial_url, ++ error=None, ++ status=303, ++ redirect_location=headers_url, ++ ), ++ ) ++ data = r.json() ++ for header in sensitive_headers: ++ assert header not in data ++ ++ @pytest.mark.parametrize( ++ "sensitive_headers", ++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}), ++ ids=("capitalized", "lowercase"), ++ ) ++ def test_cross_host_redirect_remove_headers_via_pool( ++ self, sensitive_headers: dict[str, str] ++ ) -> None: ++ headers_url = f"{self.http_url_alt}/headers" ++ initial_url = f"{self.http_url}/redirect?target={headers_url}" ++ with proxy_from_url(self.proxy_url) as proxy_mgr: ++ pool = proxy_mgr.connection_from_url(self.http_url) ++ r = pool.urlopen( ++ "GET", ++ initial_url, ++ headers=sensitive_headers, ++ retries=1, ++ redirect=True, ++ assert_same_host=False, ++ preload_content=True, ++ ) ++ assert r.status == 200 ++ assert r.retries is not None ++ assert r.retries.history == ( ++ RequestHistory( ++ method="GET", ++ url=initial_url, ++ error=None, ++ status=303, ++ redirect_location=headers_url, ++ ), ++ ) ++ data = r.json() ++ for header in sensitive_headers: ++ assert header not in data ++ + def test_cross_protocol_redirect(self) -> None: + with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http: + cross_protocol_location = f"{self.https_url}/echo?a=b" diff --git a/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb b/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb index e63791a8f45..5976c5c3b44 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb @@ -3,6 +3,9 @@ HOMEPAGE = "https://github.com/urllib3/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=52d273a3054ced561275d4d15260ecda" +SRC_URI += " \ + file://CVE-2026-44431.patch \ +" SRC_URI[sha256sum] = "1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed" inherit pypi python_hatchling From patchwork Fri Jul 10 16:36:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92219 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D547C4450D for ; Fri, 10 Jul 2026 16:37:14 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1858.1783701430622107991 for ; Fri, 10 Jul 2026 09:37:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=DeifoGjA; spf=pass (domain: smile.fr, ip: 209.85.128.41, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-493f60208a5so6393675e9.3 for ; Fri, 10 Jul 2026 09:37:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701429; x=1784306229; darn=lists.openembedded.org; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:from:to:cc:subject:date :message-id:reply-to:content-type; bh=tsEASsnRT8LuZZrM46wcdAXBk2kJbCTQHq2aKYF869w=; b=DeifoGjAN+Yupm+XHSrlbdgoezuISKWQFaiC6slzws4ywzShHaSUWOIVe4m+KD/MwV X7AOWN8nGK3VW0td6Yk/4iO93MbrCMvsZs37pprjAeuSgMq8yt7I2CyAqydszYsfyZe4 vn2naOmiEdku0BBgz7Rc9XXDDIdhdh73/4de4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701429; x=1784306229; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=tsEASsnRT8LuZZrM46wcdAXBk2kJbCTQHq2aKYF869w=; b=kP/MYCmTJAg160FAj+ctceKZjP3OkEFWkI3bePfwc98P+l7RUVLe43xqOiQolpj4KL URjSpSWvEStk6a6hV3zmGLmuAqWteajC3LO5hwCglEacYMySz0Ii3fO8MQJli6lgjeRG zhk+7jOjDxt4bhzh4VE1lMyJvu2K8pKPekXyGoZqDunxQxrGml9puLLz248vz35dHJJl 079wXep3miBUo7+L1zLLRmdAclqmY0Xz3N5Uumubrv8paQniw7aYyAc30lgMvJtlfJEF d/tMFNrcIxFx++ChFlqOKR+ABmQ+az9sBsAdJL/AGoVD02KHKbnd6Gjj1YH7hwpVt5BE JJng== X-Gm-Message-State: AOJu0Yx/kCZFD59hUKWDR2V8GkZ2ouesWoe7g38yW+IpaEN9/+aSMGc7 i18pEMwaLywQu3TqHkArKQocstuwUHms/P18Ip5fWbmjf7Y7R/wdstv7lxdGEnaK+OICF5PBVkp yOSXSwZg= X-Gm-Gg: AfdE7cljSpOJSQSs9dVwi1NnNp2gQdfzur/ro1YjmXC5m/QTPfTSaf2lBmxztXAKCqm jUWFgACQKmqu1HUyB9r9k1Bc5+275SVlmW3N6k7PXfRe9lT1sj79cGOemnvhtO3jkmfpGCV2lXs o/QGPCu2Gm8z+N5Dm0Q4UwADf7AAL4gSxaMe3nGVnAARH4IGA6NC6fdXYLNyOkLkxfL9jMOxzFZ 3AAXxSBLiU8jiX+oVQjMVmKXIyiYOFNuGQtvUpQkd287vlb0wIHTzOCT10jLPH6BcDnkn0wXh5J w9MpYnx7C30oFgLQalWgpgUvAo3AzmigcAEJlkNX3YnnvyLio02On3VSpC8MPi/o+pH2oEZlLeu CEZpRYo4nx63h9uD94EAHL5OaKT3uzDwQNqESNJtICeTuZ29P841knZv7IliX7RNzFse/FzmyFk 5Tl63965TQ2m1o/lRwZ523PxE9yB0pXuUXHi5fcw1itJMyojo3Tsi9UfKm2nC7Lr1VwKSBKnNwN KI12o1WDzpTKDOhLz4= X-Received: by 2002:a05:600c:e558:10b0:493:e57e:7aa5 with SMTP id 5b1f17b1804b1-493e68c6e63mr85071195e9.22.1783701428647; Fri, 10 Jul 2026 09:37:08 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:08 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 11/18] glib-2.0: fix CVE-2026-58016 Date: Fri, 10 Jul 2026 18:36:26 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240672 From: Benjamin Robin (Schneider Electric) A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a element nested within other elements like , , or . This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service. The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1 but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2. [1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2 Signed-off-by: Benjamin Robin (Schneider Electric) Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit d52f4d582cc71ada3c8ebe54be1a5b70278ea1ca) [YC: re-added the removed Signed-off-bys from the patches] Signed-off-by: Yoann Congal --- .../glib-2.0/files/CVE-2026-58016-1.patch | 94 ++++++++++++++++++ .../glib-2.0/files/CVE-2026-58016-2.patch | 98 +++++++++++++++++++ meta/recipes-core/glib-2.0/glib.inc | 2 + 3 files changed, 194 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch new file mode 100644 index 00000000000..2c4b248b97b --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch @@ -0,0 +1,94 @@ +From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 16 Apr 2026 15:27:37 +0100 +Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for + element nesting + +The check for whether a `` element in D-Bus introspection XML was +nested correctly was broken. `` elements can only be at the top +level, or nested immediately within another `` element. + +Fix the check and add some unit tests for it. + +Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test +uses example XML strings adapted from their report. + +Signed-off-by: Philip Withnall + +Fixes: #3932 + +CVE: CVE-2026-58016 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2] + +Signed-off-by: Benjamin Robin +--- + gio/gdbusintrospection.c | 2 +- + gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c +index c7be334ce2f7..6f722ee6153d 100644 +--- a/gio/gdbusintrospection.c ++++ b/gio/gdbusintrospection.c +@@ -1272,7 +1272,7 @@ parser_start_element (GMarkupParseContext *context, + /* ---------------------------------------------------------------------------------------------------- */ + if (strcmp (element_name, "node") == 0) + { +- if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0)) ++ if (stack->next != NULL && strcmp (stack->next->data, "node") != 0) + { + g_set_error_literal (error, + G_MARKUP_ERROR, +diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c +index 44cb7a96af45..daca313f77e7 100644 +--- a/gio/tests/gdbus-introspection.c ++++ b/gio/tests/gdbus-introspection.c +@@ -299,6 +299,38 @@ test_extra_data (void) + g_dbus_node_info_unref (info); + } + ++static void ++test_invalid (void) ++{ ++ const struct ++ { ++ const char *xml; ++ GMarkupError expected_error_code; ++ } ++ vectors[] = ++ { ++ { "", G_MARKUP_ERROR_EMPTY }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ { "", G_MARKUP_ERROR_INVALID_CONTENT }, ++ }; ++ ++ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++) ++ { ++ GDBusNodeInfo *node; ++ GError *local_error = NULL; ++ ++ g_test_message ("Testing parsing of %s gives an error", vectors[i].xml); ++ ++ node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error); ++ g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code); ++ g_assert_null (node); ++ ++ g_clear_error (&local_error); ++ } ++} ++ + /* ---------------------------------------------------------------------------------------------------- */ + + int +@@ -316,6 +348,7 @@ main (int argc, + g_test_add_func ("/gdbus/introspection-generate", test_generate); + g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction); + g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data); ++ g_test_add_func ("/gdbus/introspection/invalid", test_invalid); + + ret = session_bus_run (); + +-- +2.54.0 diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch new file mode 100644 index 00000000000..a61e35ad8a7 --- /dev/null +++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch @@ -0,0 +1,98 @@ +From a75052ceeebea434f271b670766acd5416bc83b9 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 16 Apr 2026 15:08:10 +0100 +Subject: [PATCH 2/2] gdbusintrospection: Add some assertions before array + dereferences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The state handling inside the D-Bus introspection XML parser is +complicated, and it’s possible that these dereferences of the +`len - 1`th element might get reached when the array is empty. + +Make failures like that more debuggable by adding an assertion on the +length beforehand. + +Signed-off-by: Philip Withnall + +Helps: #3932 + +CVE: CVE-2026-58016 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/656ad4582cb1d7a7fa8bafe3ce8aec6aa3c17da0] + +Signed-off-by: Benjamin Robin +--- + gio/gdbusintrospection.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c +index 6f722ee6153d..ed0d291f99f0 100644 +--- a/gio/gdbusintrospection.c ++++ b/gio/gdbusintrospection.c +@@ -1110,6 +1110,7 @@ parse_data_get_annotation (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->annotations, g_new0 (GDBusAnnotationInfo, 1)); ++ g_assert (data->annotations->len > 0); + return data->annotations->pdata[data->annotations->len - 1]; + } + +@@ -1119,6 +1120,7 @@ parse_data_get_arg (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->args, g_new0 (GDBusArgInfo, 1)); ++ g_assert (data->args->len > 0); + return data->args->pdata[data->args->len - 1]; + } + +@@ -1128,6 +1130,7 @@ parse_data_get_out_arg (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->out_args, g_new0 (GDBusArgInfo, 1)); ++ g_assert (data->out_args->len > 0); + return data->out_args->pdata[data->out_args->len - 1]; + } + +@@ -1137,6 +1140,7 @@ parse_data_get_method (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->methods, g_new0 (GDBusMethodInfo, 1)); ++ g_assert (data->methods->len > 0); + return data->methods->pdata[data->methods->len - 1]; + } + +@@ -1146,6 +1150,7 @@ parse_data_get_signal (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->signals, g_new0 (GDBusSignalInfo, 1)); ++ g_assert (data->signals->len > 0); + return data->signals->pdata[data->signals->len - 1]; + } + +@@ -1155,6 +1160,7 @@ parse_data_get_property (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->properties, g_new0 (GDBusPropertyInfo, 1)); ++ g_assert (data->properties->len > 0); + return data->properties->pdata[data->properties->len - 1]; + } + +@@ -1164,6 +1170,7 @@ parse_data_get_interface (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->interfaces, g_new0 (GDBusInterfaceInfo, 1)); ++ g_assert (data->interfaces->len > 0); + return data->interfaces->pdata[data->interfaces->len - 1]; + } + +@@ -1173,6 +1180,7 @@ parse_data_get_node (ParseData *data, + { + if (create_new) + g_ptr_array_add (data->nodes, g_new0 (GDBusNodeInfo, 1)); ++ g_assert (data->nodes->len > 0); + return data->nodes->pdata[data->nodes->len - 1]; + } + +-- +2.54.0 diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index dee94ec0600..fb35f84eec5 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -233,6 +233,8 @@ SRC_URI += "\ file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \ file://0010-Do-not-hardcode-python-path-into-various-tools.patch \ file://skip-timeout.patch \ + file://CVE-2026-58016-1.patch \ + file://CVE-2026-58016-2.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch \ file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \ From patchwork Fri Jul 10 16:36:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92218 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9B21C4450E for ; Fri, 10 Jul 2026 16:37:13 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1954.1783701432105959952 for ; Fri, 10 Jul 2026 09:37:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=Y5W05Gi2; spf=pass (domain: smile.fr, ip: 209.85.128.43, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-493e497643fso7168185e9.0 for ; Fri, 10 Jul 2026 09:37:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701430; x=1784306230; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=Rjb71hM8t83ahj6hK3oRTkhtztznAj2oOC+XdB7lx90=; b=Y5W05Gi2IUOXjrFtGakxWzCsRbsZS+qdB8oMKzYo9rw4t4hxaKw7RgGx6oBfUyzVZS mHb+bMMXLtPJmq59ec/jOA0hqHOKNjeiRGOztwx1VaLx4peq4HJdFaLJ+3wI/0DlbDq+ 1AWCWYlRGgLMvwEBW+5+Aop1U1VnVmmSTQeBY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701430; x=1784306230; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=Rjb71hM8t83ahj6hK3oRTkhtztznAj2oOC+XdB7lx90=; b=g//DrOfjRkjZx0AP/cDzpr+E64YosBVC5X6iROB4+capzCNkQIRq/61zjlJits7RBr vdHHPM/FkV17mNzx4kqpYs/itB5NGyrfiQG4xc+awDpT9dIBpNd5XPTZ8+iYxjZFde1B z2fA+MeaX6HSiGgQH8VvRyHkXhhQJdDT0WXjVUEU5VuSgO1kdGWtFT5ko0zDjo9abWVI E0zwMPO7UrbYsNRsE+4wp69W2G1kmVQCbrexEPoWbywEIf82qqHLPFhx+rUGPjlE60q8 r0eUBRbxmbt26RIB8MH+2wHmb+xRMs1aw/X0o1iTRS/eaSbsLyW4BuUy1MZpiZusXcP7 nbCA== X-Gm-Message-State: AOJu0YwiFUsdo/gDtWyrveB1E/A2uY9TdS2VBLTMdeZ7PoBuTi8ECDvP wb9JngXluKBY0TJgw6JUMhKnhcREbn/04hhxVIGJlolNvqPqMWq1lziDNuyVVDIL+361rK2M09d nVeVUryw= X-Gm-Gg: AfdE7cn09RRvIOBBKTb1/iRsn5OHM5zHaWEaCTgrp6HphIXR60O7+sP849hnKgrxNjT uk7sIGYkz5Vfh/vxlwQGRWsiNBw/T0LCYHT8TAoPNhqx6ELl/oWL2TvEYXEboxkTWcZhFAbBlvo +0/4/+qrrRJJVatdFSyzf7c0sCyH8L/+HXzv089EGB8AaIsGBcKoWOZtzGbwD+IaB/SXGPG3Bny JtGk9PGDhCB7CAZvu+n7X+5zpdfTFQGFTzl/DemZOHQEqfPWusfleLXFKvmYvD/3TazhX0GTjyq jugkNQP6fd6LFWYJ3DgEFV97m9+Wy7l0pw1iSfb84KxV/LfNtBm5VNq7b+Nls3+X17+ejnw2I4k JumVzK1OUwy7VKITsXQMp9YAYvdAwGUqe5QAi52d3ynb9Zy5FUk7O6k13onXHcu8QZRDVQONfLD 2bMOiwpWMH03+D+Cs5tAFlC65fYY8MPwlAFcelVvToyzfeWPJVdKsptk2ppX0++9KuKM60Otx0R 3BrQi7j983L2FhSN/A= X-Received: by 2002:a05:600c:1d1e:b0:492:7084:32af with SMTP id 5b1f17b1804b1-493e68bf03amr127273865e9.23.1783701430211; Fri, 10 Jul 2026 09:37:10 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:09 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5 Date: Fri, 10 Jul 2026 18:36:27 +0200 Message-ID: <743ed34569e6c0db29b91a4e6035ace4a39bb55a.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240673 From: Siva Balasubramanian 2.41.4 and 2.41.5 are point releases in the same 2.41 stable series and contain only bug fixes and security fixes (no new features, no API/ABI breaks), so the upgrade complies with the stable branch policy. Among the fixes pulled in: - Several mount(8) TOCTOU / symlink hardening fixes (incl. CVE-2026-27456) - libblkid integer overflow in parse_dos_extended() and a use-after-free in partition probing - pam_lastlog2: fix libpam linking in the autotools build so pam_lastlog2.so links against libpam (fixes the runtime "undefined symbol: pam_syslog" / dlopen failure) [YOCTO #16320] Drop two backports that are now part of the release: - 0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch (upstream f55f9906, released in 2.41.4) - the pam_lastlog2 libpam linking backport (upstream 5683ed6320e0, cherry-picked to the 2.41 stable branch as c8d0af0421f6, released in 2.41.5) Full changes: https://github.com/util-linux/util-linux/compare/v2.41.3...v2.41.5 Signed-off-by: Siva Balasubramanian Signed-off-by: Yoann Congal --- ...2.41.3.bb => util-linux-libuuid_2.41.5.bb} | 0 meta/recipes-core/util-linux/util-linux.inc | 3 +- ...DEV_FL_NOFOLLOW-to-prevent-symlink-a.patch | 114 ------------------ ...l-linux_2.41.3.bb => util-linux_2.41.5.bb} | 0 4 files changed, 1 insertion(+), 116 deletions(-) rename meta/recipes-core/util-linux/{util-linux-libuuid_2.41.3.bb => util-linux-libuuid_2.41.5.bb} (100%) delete mode 100644 meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch rename meta/recipes-core/util-linux/{util-linux_2.41.3.bb => util-linux_2.41.5.bb} (100%) diff --git a/meta/recipes-core/util-linux/util-linux-libuuid_2.41.3.bb b/meta/recipes-core/util-linux/util-linux-libuuid_2.41.5.bb similarity index 100% rename from meta/recipes-core/util-linux/util-linux-libuuid_2.41.3.bb rename to meta/recipes-core/util-linux/util-linux-libuuid_2.41.5.bb diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 02358626669..aec8721ca32 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -20,9 +20,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://0001-lsfd-mkfds-foreign-sockets-skip-when-lacking-sock_di.patch \ file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \ file://0001-tests-script-Disable-size-option-test.patch \ - file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \ " -SRC_URI[sha256sum] = "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b" +SRC_URI[sha256sum] = "f586e35d320ff537aab3ffeca37e9ecd482ccbe013590db4429a414d8aa6a728" CVE_PRODUCT = "util-linux" diff --git a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch deleted file mode 100644 index 0951c9f5fbe..00000000000 --- a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch +++ /dev/null @@ -1,114 +0,0 @@ -From f55f9906b4f6eeb2b4a4120317df9de935253c10 Mon Sep 17 00:00:00 2001 -From: Karel Zak -Date: Thu, 19 Feb 2026 13:59:46 +0100 -Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks - -Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that -prevents symlink following in both path canonicalization and file open. - -When set: -- loopcxt_set_backing_file() uses strdup() instead of - ul_canonicalize_path() (which calls realpath() and follows symlinks) -- loopcxt_setup_device() adds O_NOFOLLOW to open() flags - -The flag is set for non-root (restricted) mount operations in -libmount's loop device hook. This prevents a TOCTOU race condition -where an attacker could replace the backing file (specified in -/etc/fstab) with a symlink to an arbitrary root-owned file between -path resolution and open(). - -Vulnerable Code Flow: - - mount /mnt/point (non-root, SUID) - mount.c: sanitize_paths() on user args (mountpoint only) - mnt_context_mount() - mnt_context_prepare_mount() - mnt_context_apply_fstab() <-- source path from fstab - hooks run at MNT_STAGE_PREP_SOURCE - hook_loopdev.c: setup_loopdev() - backing_file = fstab source path ("/home/user/disk.img") - loopcxt_set_backing_file() <-- calls realpath() as ROOT - ul_canonicalize_path() <-- follows symlinks! - loopcxt_setup_device() - open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW - -Two vulnerabilities in the path: - -1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses - realpath() -- this follows symlinks as euid=0. If the attacker swaps - the file to a symlink before this call, lc->filename becomes the - resolved target path (e.g., /root/secret.img). - -2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even - if canonicalization happened correctly, the file can be swapped to a - symlink between canonicalize and open. - -Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g -Signed-off-by: Karel Zak -(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4) - -CVE: CVE-2026-27456 -Upstream-Status: Backport -Signed-off-by: Ross Burton ---- - include/loopdev.h | 3 ++- - lib/loopdev.c | 7 ++++++- - libmount/src/hook_loopdev.c | 3 ++- - 3 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/include/loopdev.h b/include/loopdev.h -index e5ec1c98a..6bdb1393a 100644 ---- a/include/loopdev.h -+++ b/include/loopdev.h -@@ -140,7 +140,8 @@ enum { - LOOPDEV_FL_NOIOCTL = (1 << 6), - LOOPDEV_FL_DEVSUBDIR = (1 << 7), - LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */ -- LOOPDEV_FL_SIZELIMIT = (1 << 9) -+ LOOPDEV_FL_SIZELIMIT = (1 << 9), -+ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */ - }; - - /* -diff --git a/lib/loopdev.c b/lib/loopdev.c -index 2359bf781..76685be70 100644 ---- a/lib/loopdev.c -+++ b/lib/loopdev.c -@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename) - if (!lc) - return -EINVAL; - -- lc->filename = canonicalize_path(filename); -+ if (lc->flags & LOOPDEV_FL_NOFOLLOW) -+ lc->filename = strdup(filename); -+ else -+ lc->filename = canonicalize_path(filename); - if (!lc->filename) - return -errno; - -@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) - - if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) - flags |= O_DIRECT; -+ if (lc->flags & LOOPDEV_FL_NOFOLLOW) -+ flags |= O_NOFOLLOW; - - if ((file_fd = open(lc->filename, mode | flags)) < 0) { - if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) -diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c -index 444d69d6f..34351116c 100644 ---- a/libmount/src/hook_loopdev.c -+++ b/libmount/src/hook_loopdev.c -@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt, - } - - DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device")); -- rc = loopcxt_init(&lc, 0); -+ rc = loopcxt_init(&lc, -+ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0); - if (rc) - goto done_no_deinit; - if (mnt_opt_has_value(loopopt)) { --- -2.43.0 - diff --git a/meta/recipes-core/util-linux/util-linux_2.41.3.bb b/meta/recipes-core/util-linux/util-linux_2.41.5.bb similarity index 100% rename from meta/recipes-core/util-linux/util-linux_2.41.3.bb rename to meta/recipes-core/util-linux/util-linux_2.41.5.bb From patchwork Fri Jul 10 16:36:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92221 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8929EC44511 for ; Fri, 10 Jul 2026 16:37:14 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1860.1783701433452680831 for ; Fri, 10 Jul 2026 09:37:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=YiBvoE1Z; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-493b77b150aso9915405e9.2 for ; Fri, 10 Jul 2026 09:37:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701432; x=1784306232; darn=lists.openembedded.org; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:from:to:cc:subject:date :message-id:reply-to:content-type; bh=DsKYczZMZbXWq2RlZ9f3AEDr6XXQThDOrpJFKgK5l98=; b=YiBvoE1ZR+JGwl1q2sQ2oepO7wwvNOcq0efNxaZF++jiqfMuYaRl8j4wA+Xmej74+R NMbOC1Vxsj9R+iB1uSxGgfbd+hpY0NIymCm806TR9KXH+UW2YpPCVbjbMBqFoLKexZl4 x26P2Q4y0Jb+cELOdmlrEYfyGB75WTFoBR+T4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701432; x=1784306232; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=DsKYczZMZbXWq2RlZ9f3AEDr6XXQThDOrpJFKgK5l98=; b=VQ4iGIvgaKaFn2j3Ao7IkfAL27nVh/+PHBMF5DkkDbG62ZA6xtpvZgdxI09EpLCX2y Hi4ylvoIjTRTJ5or9s+WNifU8Ms2WhR8OTJjksRx+Dea0cMVlX+9HhRag0waMawp7wvR eepR83C3/Xgq/uLOiic105TVTYa0YLiqX7wUTr/qR8U3ItbS3u1aeYAPut/FeaVSKD8/ QENMBgGrvDs0KWl5OTyOlMBx2HCg/HKfS+nsWZVnWN9DraB6hU8AT2nCPtYfXDGjN5aV HFkvXUQr7a8gvc4lx8TLxK7xEchcE699+1GuC+3WLISwYSAPn2KBGt6bTHQsF14Aznq8 8aOQ== X-Gm-Message-State: AOJu0YwdkT5SvVJ/9Mv9RcSmsePZ+nSkHQMBCq0AKu2QHCl/1UBayvXA 4Z5jiR/BqxkK+OO48iBCD+I4vV/51ou37de7vAo97b8Lro8kF7fnRgW6A8iB407JMVGB8WYHNu9 awfyxwLs= X-Gm-Gg: AfdE7ckbh6ZK5muNKJDkIpTmESwZDk5kED3btrWRbIDsUq5vD2skcNyPocAI85DVmqs QIeNFY7bdrFMC0TJKD6dM6v4rNR+2QnIveAz1EKJHF8QqppVJXC/mb948R+JqD7k+ZT9S4ips3W uBPeOc6/xcdlHCzpJ4kQUB4WIhd+8nhi7Luk2Fu2AnwH6Vf747PR2fMqugUf5zq8hDNp5NaDWN1 F4QD/RtA//y+1ZDApSvAyaMM9Eui+8EkfqfNxDJR4nhu5WQ0iViz6W40THHxwlOaEGiAmLjwjdo Figkkj5fT5xDUQxi2bfoWwoSE8okkioVQgTlnJZ/irxi6DF281V5+1e9NdVW95zpHqhSFS+B/7E ijbtJM186E9avUw6aitE9dwXLwjB7IO94Nj7/mj1RbVwmP9C9fpr6Sf8P96MGsaa2FZOPwDwCDK zcVch62/RtQBoCbMo1wYWo6NBN2iOG3gfHM4ErBfZPZ9tK47Ubd4ZtKtgmQ9Tc/L7mJ+s9UiQ9u FEjCG+eQLoGIRC1RFc= X-Received: by 2002:a05:600c:8711:b0:492:3e69:a86f with SMTP id 5b1f17b1804b1-493ec8a3680mr83084465e9.1.1783701431617; Fri, 10 Jul 2026 09:37:11 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:11 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 13/18] ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE Date: Fri, 10 Jul 2026 18:36:28 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240674 From: Eilís 'pidge' Ní Fhlannagáin The tpm PACKAGECONFIG passed "-D TPM_ENABLE=TRUE/FALSE", but ovmf renamed that macro to TPM2_ENABLE in edk2 commit 4de8d61bcec0 ("OvmfPkg: rework TPM configuration", first released in edk2-stable202202). Since then TPM_ENABLE has been an unknown macro that edk2 ignores, so TPM2 support was never compiled in, even for MACHINEs with 'tpm'/'tpm2' in MACHINE_FEATURES. Use TPM2_ENABLE (as defined in OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc and consumed by OvmfPkgX64.dsc) so the tpm PACKAGECONFIG actually enables TPM2 support. The same commit also added a separate TPM1_ENABLE macro (TPM 1.2 support, default TRUE), but its dsc.inc snippets are only included inside OvmfPkgX64.dsc's "!if $(TPM2_ENABLE) == TRUE" block, so it has no effect unless TPM2_ENABLE is TRUE. No separate PACKAGECONFIG knob is needed. Signed-off-by: Eilís 'pidge' Ní Fhlannagáin Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit d6b434455544e5922d75ba07a74490e6a6df7a0c) Signed-off-by: Yoann Congal --- meta/recipes-core/ovmf/ovmf_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index 19bcc4a96fa..01f840c2154 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -14,7 +14,7 @@ PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}" PACKAGECONFIG[debug] = ",,," PACKAGECONFIG[secureboot] = ",,," -PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,," +PACKAGECONFIG[tpm] = "-D TPM2_ENABLE=TRUE,-D TPM2_ENABLE=FALSE,," # GCC12 trips on it #see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch From patchwork Fri Jul 10 16:36:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92224 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7138DC43458 for ; Fri, 10 Jul 2026 16:37:24 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1862.1783701434837365449 for ; Fri, 10 Jul 2026 09:37:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=xWXJbEKW; spf=pass (domain: smile.fr, ip: 209.85.128.49, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-4938d5f86f3so8448555e9.1 for ; Fri, 10 Jul 2026 09:37:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701433; x=1784306233; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=MAazCRUchFyPQ9exVaNV58quNTX3DiX0gdUkmDaKnxI=; b=xWXJbEKWZ4n6DA/Xdu345C/pqhLVKBP1kQLcK0P2yS0xvJ+lHP700MQacjx1z1WMjs QSttbLCjUDqbS//hdfX0O65czq15GQyYUyTZqRaASgemFYYScXCow3JLhhnz955M2gYi yEmm35D1Np++oreyBTuF0BiF97VjrgHtH33Bw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701433; x=1784306233; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=MAazCRUchFyPQ9exVaNV58quNTX3DiX0gdUkmDaKnxI=; b=ViDsqD07pNZDpf2MM19X+2WA03LSKezydOX21RR/eg+0QTjEL1vuAo11OAszlew4C7 wGYP2rJzS40NG+FaaLDqsYdNNSGFDyhtesWV8c4arUPRA8hXaDPMJUgKFMDwsL7DZIy+ 0tR7y+O6BfOfq2h01zLSIAfY0O8v+z1+RzLPcUIBEZBkAoYuwEG4cOfGqDc6J9m8LqHf x83OiRHUYY0r6Ck9VesPZZNkS+r/PMNS0lhUtHs7j+SLOgQM8NqMeHf4eV3z3W40G7RT W5VDYBvndCjWjngVs27gG1l+noapOHtCfKB9hrxYtYhXn0sA6Ru5GhiBpQ9S0/eGx+QG 51iQ== X-Gm-Message-State: AOJu0Yymwh8jyFn0kj+15YSu0LEdpvUYeJRBfmLBVyvxYjCSRfX0wAxP OXVILLIVsv2ttuz+Pl+fERL+QrTlbIxcQXNsnuGjDpt0rUyKDX9+my8f+6R2vKzaUrqBAaav6fh oFGZyYcg= X-Gm-Gg: AfdE7cnFUF8ZHt0KOtZoHemlWRqjfAf9XBiheB1QOoEXA93AvdG1vEfikHDMyMieb8L oO/M0PbjnXz0PVjJj8RIpKrqwJxQk9lmfl32goG/nmUWNLAian+YBdIyixBnYGUngmVyfvplllv /WcB2R4mYrzaUcW2pk9H9zsw++U3wsmtDq2zNZZhog7kyL0/HKxX48iCZFtOho4aeoyHiPcJVaa K/JjQDNPHKOUOxtEmnhhOdlkPC38FFeP30bXN+syTG/ddQ0wtjInyBeeCKda2SBusov/DX/Zdj7 tPHbOQXnfNEHQ8uzMGgTSUrRYvgJGRPtuEoPI+C+hwvptejChhyiiJTx/YnVPCZJ4T3ocsmH4Wt GatxtrU+C5pLi2OEiIRsAwv8EqILpsySa1fqST/IYQtlnUrym6jJY4M9rE7zPDL8uxhmTrROoLJ jzTKlRZeg4YJQntf6QEZX9ZskeI3Q3DrNvcIupE4o5Qugqvg9PHtgOaB/U3cDopRVzSnZYMVBiE kU4cZ4rucIT7eCAdkU= X-Received: by 2002:a05:600c:8119:b0:493:ee34:d875 with SMTP id 5b1f17b1804b1-493f2b3369fmr43098095e9.10.1783701433024; Fri, 10 Jul 2026 09:37:13 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:12 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 14/18] libcap: Fix CVE-2026-4878 Date: Fri, 10 Jul 2026 18:36:29 +0200 Message-ID: <79ccba312aca8733e6f22b5349a9383de7645e10.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240675 From: Deepak Rathore This patch applies the upstream backport for CVE-2026-4878. Wrynose libcap 2.77 still has the path-based cap_set_file() race fixed by upstream. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2]. The fix switches named file capability updates to an opened file descriptor and adds quicktest coverage for symlinked paths. [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596 [2] https://www.cve.org/CVERecord?id=CVE-2026-4878 Signed-off-by: Deepak Rathore Signed-off-by: Yoann Congal --- .../libcap/files/CVE-2026-4878.patch | 163 ++++++++++++++++++ meta/recipes-support/libcap/libcap_2.77.bb | 4 +- 2 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch diff --git a/meta/recipes-support/libcap/files/CVE-2026-4878.patch b/meta/recipes-support/libcap/files/CVE-2026-4878.patch new file mode 100644 index 00000000000..955b540b8ac --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2026-4878.patch @@ -0,0 +1,163 @@ +From 286ace1259992bd0c5d9016715833f2e148ac596 Mon Sep 17 00:00:00 2001 +From: "Andrew G. Morgan" +Date: Thu, 12 Mar 2026 07:38:05 -0700 +Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file(). + +This issue was researched and reported by Ali Raza (@locus-x64). It +has been assigned CVE-2026-4878. + +The finding is that while cap_set_file() checks if a file is a regular +file before applying or removing a capability attribute, a small +window existed after that check when the filepath could be overwritten +either with new content or a symlink to some other file. To do this +would imply that the caller of cap_set_file() was directing it to a +directory over which a local attacker has write access, and performed +the operation frequently enough that an attacker had a non-negligible +chance of exploiting the race condition. The code now locks onto the +intended file, eliminating the race condition. + +CVE: CVE-2026-4878 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596] + +Signed-off-by: Andrew G. Morgan +(cherry picked from commit 286ace1259992bd0c5d9016715833f2e148ac596) +Signed-off-by: Deepak Rathore +--- + libcap/cap_file.c | 69 +++++++++++++++++++++++++++++++++++++++------- + progs/quicktest.sh | 14 +++++++++- + 2 files changed, 72 insertions(+), 11 deletions(-) + +diff --git a/libcap/cap_file.c b/libcap/cap_file.c +index 0bc07f7..f02bf9f 100644 +--- a/libcap/cap_file.c ++++ b/libcap/cap_file.c +@@ -8,8 +8,13 @@ + #define _DEFAULT_SOURCE + #endif + ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++ + #include + #include ++#include + #include + #include + +@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d) + struct vfs_ns_cap_data rawvfscap; + int sizeofcaps; + struct stat buf; ++ char fdpath[64]; ++ int fd, ret; ++ ++ _cap_debug("setting filename capabilities"); ++ fd = open(filename, O_RDONLY|O_NOFOLLOW); ++ if (fd >= 0) { ++ ret = cap_set_fd(fd, cap_d); ++ close(fd); ++ return ret; ++ } + +- if (lstat(filename, &buf) != 0) { +- _cap_debug("unable to stat file [%s]", filename); ++ /* ++ * Attempting to set a file capability on a file the process can't ++ * read the content of. This is considered a non-standard use case ++ * and the following (slower) code is complicated because it is ++ * trying to avoid a TOCTOU race condition. ++ */ ++ ++ fd = open(filename, O_PATH|O_NOFOLLOW); ++ if (fd < 0) { ++ _cap_debug("cannot find file at path [%s]", filename); ++ return -1; ++ } ++ if (fstat(fd, &buf) != 0) { ++ _cap_debug("unable to stat file [%s] descriptor %d", ++ filename, fd); ++ close(fd); + return -1; + } + if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) { +- _cap_debug("file [%s] is not a regular file", filename); ++ _cap_debug("file [%s] descriptor %d for non-regular file", ++ filename, fd); ++ close(fd); + errno = EINVAL; + return -1; + } + +- if (cap_d == NULL) { +- _cap_debug("removing filename capabilities"); +- return removexattr(filename, XATTR_NAME_CAPS); ++ /* ++ * While the fd remains open, this named file is locked to the ++ * origin regular file. The size of the fdpath variable is ++ * sufficient to support a 160+ bit number. ++ */ ++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd) ++ >= sizeof(fdpath)) { ++ _cap_debug("file descriptor too large %d", fd); ++ errno = EINVAL; ++ ret = -1; ++ ++ } else if (cap_d == NULL) { ++ _cap_debug("dropping file caps on [%s] via [%s]", ++ filename, fdpath); ++ ret = removexattr(fdpath, XATTR_NAME_CAPS); ++ + } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) { +- return -1; +- } ++ _cap_debug("problem converting cap_d to vfscap format"); ++ ret = -1; + +- _cap_debug("setting filename capabilities"); +- return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0); ++ } else { ++ _cap_debug("setting filename capabilities"); ++ ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap, ++ sizeofcaps, 0); ++ } ++ close(fd); ++ return ret; + } + + /* +diff --git a/progs/quicktest.sh b/progs/quicktest.sh +index e6c48e6..5dc72f9 100755 +--- a/progs/quicktest.sh ++++ b/progs/quicktest.sh +@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current + pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current + + # change the way the capability is obtained (make it inheritable) ++chmod 0000 ./privileged + ./setcap cap_setuid,cap_setgid=ei ./privileged ++if [ $? -ne 0 ]; then ++ echo "FAILED to set file capability" ++ exit 1 ++fi ++chmod 0755 ./privileged ++ln -s privileged unprivileged ++./setcap -r ./unprivileged ++if [ $? -eq 0 ]; then ++ echo "FAILED by removing a capability from a symlinked file" ++ exit 1 ++fi + + # Note, the bounding set (edited with --drop) only limits p + # capabilities, not i's. +@@ -246,7 +258,7 @@ EOF + pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid' + fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid' + fi +-/bin/rm -f ./privileged ++/bin/rm -f ./privileged ./unprivileged + + echo "testing namespaced file caps" + +-- +2.35.6 diff --git a/meta/recipes-support/libcap/libcap_2.77.bb b/meta/recipes-support/libcap/libcap_2.77.bb index 9968cd5f504..66ac0f1d7df 100644 --- a/meta/recipes-support/libcap/libcap_2.77.bb +++ b/meta/recipes-support/libcap/libcap_2.77.bb @@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://License;md5=2965a646645b72ecee859b43c592dcaa \ DEPENDS = "hostperl-runtime-native gperf-native" -SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz" +SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz \ + file://CVE-2026-4878.patch \ + " SRC_URI:append:class-nativesdk = " \ file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \ " From patchwork Fri Jul 10 16:36:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92223 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84BDBC44501 for ; Fri, 10 Jul 2026 16:37:24 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1863.1783701435970363023 for ; Fri, 10 Jul 2026 09:37:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=bMpUTN7l; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-4921eed3fa2so10621445e9.0 for ; Fri, 10 Jul 2026 09:37:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701434; x=1784306234; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=YJHWdpgu7PFzXZMwbAXv/3DOATjShrsoUnV6hnTwxBY=; b=bMpUTN7lk7J847vv21qvAXfP1qxY7l1KNWvT4zEwxj0/HcmsxEqn4/x55xUacS9wQi /NNppFitHw1mKJkqShPm7cqhRDPnojg477VqsFGmHZP5j/IVJbNetDQfJVwoToIX7wvq Rpa/fIfb/sSTyxNOAMNAKQpGPUweAEDpvnaHU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701434; x=1784306234; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=YJHWdpgu7PFzXZMwbAXv/3DOATjShrsoUnV6hnTwxBY=; b=bQwkAr9Uwx+hpy0NevV2CMi5NoN43cdteUrLe3nCeLjTl2zXedSR8G4Rds8eaNg74c JZF2FSxRnrutqPRHmrdHUzJeFTVm31vVMBVGWi77ScLjCXoZ2CEMA2KK7cQmX/h8teWi /s0vuIyxhTWs5X878wnic8Z1HrxTEUPVOwbA01iPuretbC30+99xfycLaQGW8X4tH+6o FjXNojr/hIDWJoa/yg9v3ilLW22MNH1uyAR2fVQJLVFF8vZPasD36kVvxct3EB0Az8uD NoZI6IL1IIqqkiE+VT1tnvy3KjbHtxuneEZp31I7M6jLERGgpyWfHq3TwMVCSp9wRyyq Ynvg== X-Gm-Message-State: AOJu0YzN1GBNs31yq0L1fGsVIVtxYqKKyuVG8eUzm6KwEajDOqKHoHW3 +lJoTowBQxWCbUPo+0Fn5RvZAzB6vHeOPm0BhWgPpjpnACi3nClZPBenhfCd2UeZv+rX+C/uXxJ 1/KmAMjA= X-Gm-Gg: AfdE7clhcTjp/iXkQlAPc6S81y87e1UBOnvM3EbRTqDhlj7AqE1d0ldpxNgAmjjg6Xv mBqkzXPeynBIzt3mPbZ1/lNzWs4gxPO7YB8pmOedRDTK5jxdFbZlySf4pMaYA764G/OAOr4x/zy FYjdDJLKIvHYoO3B8zpqilCbWOCFt2GugrMj3640OLsm9JpZuXvIVXR+PAPNllWeVxuHq1eITOb NVFoFKaJAZ1mpTg6kHknLmOaJEe2yyDwPbaxK4tUOK1Xm1GbIOLrPcUjCb1FRCWR0D92+8Wpfdn ypEApCjPj6Jx12EGLIvtOcswy9+Ztsi8XWO+Zg8g83PA1NlopaJtrkN4Hum9P3Eea3u59CKANr1 E7GLNtfrgub/Cc3+O5OMGrpqa4cMdXZqeP3gVDN1DU4RB4DnDwBOr6XOomvC9Sq7H+OMn8thBKh 1uHhsl8CHexXjE/qI0Z5Zqc+tabYW70YwtOkyVqyakfSrZ5J84bpbY4ZkXwi6Z3egm1rqf8vEYW mE5LC7VyTBjXVkRk+8= X-Received: by 2002:a05:600d:8444:20b0:492:66fb:5dc5 with SMTP id 5b1f17b1804b1-493e68df9c2mr93183525e9.24.1783701433641; Fri, 10 Jul 2026 09:37:13 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:13 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 15/18] socat: upgrade 1.8.1.1 -> 1.8.1.3 Date: Fri, 10 Jul 2026 18:36:30 +0200 Message-ID: <225abf67bc9f2ebcf3b3c89c1f27b47e47554855.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240676 From: Sudhir Dumbhare According to [1]: this upgrade includes the fix for Socat security advisory 10, CVE-2026-56123. The issue is a possible heap overflow in the SOCKS5 client code that can be triggered by connecting to a malicious SOCKS5 server with knowledge of details about the client binary code. It also introduced Test: SOCKS5_OVERFL as well. Version 1.8.1.3 also fixes a false positive in the SOCKS5_OVERFL regression test on platforms with a non-bash default shell. [1] http://www.dest-unreach.org/socat/CHANGES [2] https://nvd.nist.gov/vuln/detail/CVE-2026-56123 Signed-off-by: Sudhir Dumbhare Signed-off-by: Yoann Congal --- .../socat/{socat_1.8.1.1.bb => socat_1.8.1.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/socat/{socat_1.8.1.1.bb => socat_1.8.1.3.bb} (94%) diff --git a/meta/recipes-connectivity/socat/socat_1.8.1.1.bb b/meta/recipes-connectivity/socat/socat_1.8.1.3.bb similarity index 94% rename from meta/recipes-connectivity/socat/socat_1.8.1.1.bb rename to meta/recipes-connectivity/socat/socat_1.8.1.3.bb index e662c79a754..636c75b1172 100644 --- a/meta/recipes-connectivity/socat/socat_1.8.1.1.bb +++ b/meta/recipes-connectivity/socat/socat_1.8.1.3.bb @@ -13,7 +13,7 @@ SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ file://0001-fix-compile-procan.c-failed.patch \ " -SRC_URI[sha256sum] = "5ebc636b7f427053f98806696521653a614c7e06464910353cbf54e2327adc1b" +SRC_URI[sha256sum] = "25bc6476292b2e614220989c77b0b6fca87bb2525d9747b31a6639b1fb602418" inherit autotools From patchwork Fri Jul 10 16:36:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92226 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E34A0C44507 for ; Fri, 10 Jul 2026 16:37:24 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1959.1783701436873369551 for ; Fri, 10 Jul 2026 09:37:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=yzuTUfhQ; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-493c52cde9eso9709765e9.3 for ; Fri, 10 Jul 2026 09:37:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701435; x=1784306235; darn=lists.openembedded.org; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:from:to:cc:subject:date :message-id:reply-to:content-type; bh=3rujqNHW/MZQdMhlzKvT+HCdTHpx9ifRvlOX3Dg4lCc=; b=yzuTUfhQqfzPcUpjbB2pYE0ZE7ZEnZf9w0O1M6cZmS2lsXM1mvk/Ol6d7O8TdBMUaS O1uRkmGefgrTBdSYwOPbck1FCY4hqO/u22OtEd8V1fBq6XNyeOfVA+2LY5PikNQXlZh9 LkHvyHLV2J/ZbKJWMw9ZnV9MsnQM/Dg8v4s8M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701435; x=1784306235; h=content-transfer-encoding:content-type:mime-version:references :in-reply-to:message-id:date:subject:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=3rujqNHW/MZQdMhlzKvT+HCdTHpx9ifRvlOX3Dg4lCc=; b=pdFy2R/RSEDCbqvuxgbTG3VIo4+gyUSdOdZB6yxkn7fFK4ixXJQbRODZlwfy1HEoV+ JKbgJ8Scg3LAOeY2fL7ltn1Gg4LVaccBAcJEAf9agFqM9jgI00tKnPApBFAhAqt/j+RS rK3kEBpVVtCot8+u1AjVlHxeI+hRP6/AlY09hkpC8y6GZCOJLGZyDAxLd5SI6g4OKZV1 aLOdlNUy0dABBkTg23KPmokq+mt+cVCr/1Id8H3v52pISEeZorZ/ynSyNnxl3ckxc1Dc mowheWqj9s+pXno3mdwpFH9JXDhIwD4VXH9+k7UOrRVJWm8ZJL8FsqC4Wlz/m4losrd6 +GIw== X-Gm-Message-State: AOJu0Yxq4uM7qz3/zAyTiBCjmhlxLdOr1RkPX2h7CTi6kDOMzcSr5jFw J8sULUtNvdyxqTAYdKnAIsQxtOI/sRTPnfgfZVaJVcw3vUV8i8ZEr7or8eZOUt29bzhnSLC90IH kn8cdS8I= X-Gm-Gg: AfdE7cl10FdQ0AaZ5Jz/9fAeE/dsBLwy4xfT/+4aE+psnwwpo+FQbg8tNGDXMwbD8tt kSmJfvGVp1tdPrWtT4idVK1zT4mmFTa7JVrS9FzcuHiE7kUl7MjE48gKuxMIkPvznV/FGW8ctjr HhDd/bq1hG8W2EEJ/QIC3nYJr8lpG18JI6mZIUpwtKX0HWCXOwtk55w1Q/XhlxETaKGVQjlF+8u YIlvNzAAJ515r/D4Gb+Se3AiQy1gXQycULRCTeZiL9YX5Pzbd9A50ky2TMlcoNhMu/K0rpBGYoQ w6smw+UEUKnmWUV8YVgYPnJFTE7pdwB41fjPRTOg6m+JbiFBGi5O99J5k+natwkrgEZqNpaHsMZ fzdBYhsSKJtslqz9N3dVkoxhy5J9EBuZmQaDcBstb+VRYcWQ8l44ednscpPv55H0yZN2l4DI/ia xGj64AyphH8HvZPYsoAd/HkahnHoGrHBwHYVBmQrRyFind3quiKqpPYSIpkg3J3hfg90bMJLERN zFYBsagBWPvrWbNWkM= X-Received: by 2002:a05:600c:4ec8:b0:493:e8bc:a75b with SMTP id 5b1f17b1804b1-493e8bca80fmr108563215e9.30.1783701434447; Fri, 10 Jul 2026 09:37:14 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:14 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 16/18] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860 Date: Fri, 10 Jul 2026 18:36:31 +0200 Message-ID: <7b6fdaa381f86ef49ba0a7611a607b8231dd4027.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240678 From: Hitendra Prajapati Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6] [1] https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d [2] https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19 [3] https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2 [4] https://nvd.nist.gov/vuln/detail/CVE-2026-52858 [5] https://nvd.nist.gov/vuln/detail/CVE-2026-52859 [6] https://nvd.nist.gov/vuln/detail/CVE-2026-52860 Signed-off-by: Hitendra Prajapati Signed-off-by: Yoann Congal --- .../vim/files/CVE-2026-52858.patch | 167 +++++++ .../vim/files/CVE-2026-52859.patch | 274 +++++++++++ .../vim/files/CVE-2026-52860.patch | 446 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 3 + 4 files changed, 890 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-52858.patch create mode 100644 meta/recipes-support/vim/files/CVE-2026-52859.patch create mode 100644 meta/recipes-support/vim/files/CVE-2026-52860.patch diff --git a/meta/recipes-support/vim/files/CVE-2026-52858.patch b/meta/recipes-support/vim/files/CVE-2026-52858.patch new file mode 100644 index 00000000000..38d477eeb9b --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52858.patch @@ -0,0 +1,167 @@ +From 4b850457e12e1a678dd209f2868154f7553cbf8d Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Fri, 29 May 2026 19:05:53 +0000 +Subject: [PATCH] patch 9.2.0561: [security]: possible code execution with + python3complete + +Problem: [security]: possible code execution with python3complete +Solution: Disable execution of import/from statements + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d] +CVE: CVE-2026-52858 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/README.txt | 1 + + runtime/autoload/python3complete.vim | 17 ++++++++++++++--- + runtime/autoload/pythoncomplete.vim | 17 ++++++++++++++--- + runtime/doc/filetype.txt | 15 ++++++++++++++- + 4 files changed, 43 insertions(+), 7 deletions(-) + +diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt +index 3b18d3dde5..b22581963e 100644 +--- a/runtime/autoload/README.txt ++++ b/runtime/autoload/README.txt +@@ -17,6 +17,7 @@ htmlcomplete.vim HTML + javascriptcomplete.vim Javascript + phpcomplete.vim PHP + pythoncomplete.vim Python ++python3complete.vim Python + rubycomplete.vim Ruby + syntaxcomplete.vim from syntax highlighting + xmlcomplete.vim XML (uses files in the xml directory) +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index 3e54433f41..2b6a652525 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -14,6 +14,10 @@ + " i.e. "import url" + " Continue parsing on invalid line?? + " ++" v 0.10 by Vim project ++" * disables importing local modules, unless the global Vim variable ++" g:pythoncomplete_allow_import is set to non-zero ++" + " v 0.9 + " * Fixed docstring parsing for classes and functions + " * Fixed parsing of *args and **kwargs type arguments +@@ -132,11 +136,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src,self.compldict) + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l,self.compldict) + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -300,13 +313,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index aa28bb721f..10147767ef 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -12,6 +12,10 @@ + " i.e. "import url" + " Continue parsing on invalid line?? + " ++" v 0.10 by Vim project ++" * disables importing local modules, unless the global Vim variable ++" g:pythoncomplete_allow_import is set to non-zero ++" + " v 0.9 + " * Fixed docstring parsing for classes and functions + " * Fixed parsing of *args and **kwargs type arguments +@@ -146,11 +150,20 @@ class Completer(object): + + def evalsource(self,text,line=0): + sc = self.parser.parse(text,line) ++ try: allow_imports = int( ++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)")) ++ except Exception: ++ allow_imports = 0 + src = sc.get_code() + dbg("source: %s" % src) + try: exec(src) in self.compldict + except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1])) + for l in sc.locals: ++ # Executing import/from statements harvested from the buffer runs ++ # arbitrary package code; only do so when the user opted in. ++ if not allow_imports and (l.startswith('import') ++ or l.startswith('from ')): ++ continue + try: exec(l) in self.compldict + except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l)) + +@@ -315,13 +328,11 @@ class Scope(object): + def get_code(self): + str = "" + if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n' +- for l in self.locals: +- if l.startswith('import'): str += l+'\n' + str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n' + for sub in self.subscopes: + str += sub.get_code() + for l in self.locals: +- if not l.startswith('import'): str += l+'\n' ++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n' + + return str + +diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt +index 461f801ccc..24d833cd54 100644 +--- a/runtime/doc/filetype.txt ++++ b/runtime/doc/filetype.txt +@@ -982,7 +982,20 @@ By default the following options are set, in accordance with PEP8: > + To disable this behavior, set the following variable in your vimrc: > + + let g:python_recommended_style = 0 +- ++< ++Python omni-completion |compl-omni| is provided by python3complete.vim (or ++pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter. ++By default it does not inspect the import / from statements found in the ++buffer. This means completion of names defined in the buffer itself (classes, ++functions, variables) works, but completion of members of imported modules is ++not offered. ++ ++To enable completion of imported module members, set: > ++ let g:pythoncomplete_allow_import = 1 ++< ++WARNING: enabling this causes omni-completion to execute the import statements ++found in the buffer through Python's import machinery, which runs the imported ++modules' top-level code. Only enable this for code you trust. + + QF QUICKFIX *qf.vim* *ft-qf-plugin* + +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-52859.patch b/meta/recipes-support/vim/files/CVE-2026-52859.patch new file mode 100644 index 00000000000..7a91dab4961 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52859.patch @@ -0,0 +1,274 @@ +From 63680c6d3d52477817b49cd1a66e7aabe8a7aa19 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Sat, 30 May 2026 16:34:40 +0000 +Subject: [PATCH] patch 9.2.0565: [security]: out-of-bounds read in + update_snapshot() + +Problem: Out-of-bounds read in update_snapshot() when a terminal cell + fills all VTERM_MAX_CHARS_PER_CELL slots (a base character + plus five combining marks): the loop over cell.chars[] has no + upper bound and libvterm leaves the array unterminated when full, so + it reads past the array and appends out-of-bounds values to a + buffer sized for only VTERM_MAX_CHARS_PER_CELL characters. +Solution: Bound the loop with i < VTERM_MAX_CHARS_PER_CELL, mirroring + the loop in handle_pushline() (Christian Brabandt). + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19] +CVE: CVE-2026-52859 +Signed-off-by: Hitendra Prajapati +--- + src/terminal.c | 3 +- + src/testdir/samples/combining_chars.txt | 200 ++++++++++++++++++++++++ + src/testdir/test_terminal3.vim | 15 ++ + 3 files changed, 217 insertions(+), 1 deletion(-) + create mode 100644 src/testdir/samples/combining_chars.txt + +diff --git a/src/terminal.c b/src/terminal.c +index 6a9c286e29..f42125bf22 100644 +--- a/src/terminal.c ++++ b/src/terminal.c +@@ -2265,7 +2265,8 @@ update_snapshot(term_T *term) + int i; + int c; + +- for (i = 0; (c = cell.chars[i]) > 0 || i == 0; ++i) ++ for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && ++ ((c = cell.chars[i]) > 0 || i == 0); ++i) + ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c, + (char_u *)ga.ga_data + ga.ga_len); + } +diff --git a/src/testdir/samples/combining_chars.txt b/src/testdir/samples/combining_chars.txt +new file mode 100644 +index 0000000000..d9a3c171fb +--- /dev/null ++++ b/src/testdir/samples/combining_chars.txt +@@ -0,0 +1,200 @@ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ ++á́́́́ጁ +diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim +index 04c7c925e3..738a4c6284 100644 +--- a/src/testdir/test_terminal3.vim ++++ b/src/testdir/test_terminal3.vim +@@ -1241,4 +1241,19 @@ func Test_terminal_csi_args_overflow() + call StopVimInTerminal(buf) + endfunc + ++func Test_terminal_output_combining_chars() ++ CheckUnix ++ new ++ let cmd = "cat samples/combining_chars.txt" ++ let buf = term_start(cmd, {'curwin': 1, 'term_finish': 'open', 'term_rows': 10, 'term_cols': 30}) ++ call WaitForAssert({-> assert_match('finished', term_getstatus(buf))}) ++ call TermWait(buf) ++ let lines = getbufline(buf, 1, '$') ++ " get byte lengths to confirm combining chars present ++ let lens = map(copy(lines), 'len(v:val)') ++ let expected = repeat([11], 190) + repeat([14], 10) ++ call assert_equal(expected, lens) ++ bw! ++endfunc ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/files/CVE-2026-52860.patch b/meta/recipes-support/vim/files/CVE-2026-52860.patch new file mode 100644 index 00000000000..1e370847f63 --- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2026-52860.patch @@ -0,0 +1,446 @@ +From c8c63673bc4253212820626aeeb75999d9a539d2 Mon Sep 17 00:00:00 2001 +From: Christian Brabandt +Date: Thu, 4 Jun 2026 21:06:09 +0000 +Subject: [PATCH] patch 9.2.0597: [security]: possible code execution with + python complete + +Problem: [security]: another possible code execution with python complete + (David Carliez) +Solution: Strip default expressions and annotations from generated + source for pythoncomplete and python3complete. + +Github Security Advisory: +https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468 + +Signed-off-by: Christian Brabandt + +Upstream-Status: Backport [https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2] +CVE: CVE-2026-52860 +Signed-off-by: Hitendra Prajapati +--- + runtime/autoload/python3complete.vim | 43 +++- + runtime/autoload/pythoncomplete.vim | 43 +++- + src/testdir/Make_all.mak | 2 + + src/testdir/test_plugin_python3complete.vim | 224 ++++++++++++++++++++ + 4 files changed, 304 insertions(+), 8 deletions(-) + create mode 100644 src/testdir/test_plugin_python3complete.vim + +diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim +index 2b6a652525..c4ef19d82f 100644 +--- a/runtime/autoload/python3complete.vim ++++ b/runtime/autoload/python3complete.vim +@@ -1,8 +1,8 @@ + "python3complete.vim - Omni Completion for python + " Maintainer: + " Previous Maintainer: Aaron Griffin +-" Version: 0.9 +-" Last Updated: 2022 Mar 30 ++" Version: 0.10 ++" Last Updated: 2026 Jun 04 + " + " Roland Puntaier: this file contains adaptations for python3 and is parallel to pythoncomplete.vim + " +@@ -17,6 +17,11 @@ + " v 0.10 by Vim project + " * disables importing local modules, unless the global Vim variable + " g:pythoncomplete_allow_import is set to non-zero ++" * strip default values and annotations from function parameter lists ++" before exec(), and whitelist class base lists to dotted names: the ++" previous code passed buffer-supplied expressions to exec() which ++" Python evaluates at definition time, allowing arbitrary code ++" execution via crafted def/class headers + " + " v 0.9 + " * Fixed docstring parsing for classes and functions +@@ -100,6 +105,24 @@ warnings.simplefilter(action='ignore', category=FutureWarning) + + import sys, tokenize, io, types + from token import NAME, DEDENT, NEWLINE, STRING ++import re ++ ++# Used by Class.get_code(): a base class expression is only included in the ++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base", ++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other ++# operators is dropped, since exec()-ing it would evaluate buffer-supplied ++# expressions. See the security note in the file header. ++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$') ++ ++def _strip_param(p): ++ # Return the bare parameter name from a parameter spec harvested by ++ # _parenparse(), discarding any default value or annotation. Default ++ # values and annotations would otherwise be evaluated by exec() at ++ # function-definition time. Star prefixes ("*args", "**kw") and bare ++ # "*" / "/" are preserved as written. ++ p = p.split('=', 1)[0] ++ p = p.split(':', 1)[0] ++ return p.strip() + + debugstmts=[] + def dbg(s): debugstmts.append(s) +@@ -347,7 +370,13 @@ class Class(Scope): + return c + def get_code(self): + str = '%sclass %s' % (self.currentindent(),self.name) +- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers) ++ # Only include base class expressions that are pure dotted names. ++ # Anything else (calls, subscripts, conditionals, ...) is dropped ++ # because exec() would evaluate it at class-definition time. See ++ # the security note in the file header. ++ safe_supers = [s.strip() for s in self.supers ++ if _DOTTED_NAME_RE.match(s.strip())] ++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers) + str += ':\n' + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + if len(self.subscopes) > 0: +@@ -364,8 +393,14 @@ class Function(Scope): + def copy_decl(self,indent=0): + return Function(self.name,self.params,indent, self.docstr) + def get_code(self): ++ # Strip default values and annotations from each parameter before ++ # joining: exec() evaluates these at definition time and a hostile ++ # buffer could otherwise execute arbitrary code via crafted def ++ # headers. See file header for details. ++ safe_params = [_strip_param(p) for p in self.params] ++ safe_params = [p for p in safe_params if p] + str = "%sdef %s(%s):\n" % \ +- (self.currentindent(),self.name,','.join(self.params)) ++ (self.currentindent(),self.name,','.join(safe_params)) + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + str += "%spass\n" % self.childindent() + return str +diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim +index 10147767ef..39b1efd299 100644 +--- a/runtime/autoload/pythoncomplete.vim ++++ b/runtime/autoload/pythoncomplete.vim +@@ -1,8 +1,8 @@ + "pythoncomplete.vim - Omni Completion for python + " Maintainer: + " Previous Maintainer: Aaron Griffin +-" Version: 0.9 +-" Last Updated: 2020 Oct 9 ++" Version: 0.10 ++" Last Updated: 2026 Jun 04 + " + " Changes + " TODO: +@@ -15,6 +15,11 @@ + " v 0.10 by Vim project + " * disables importing local modules, unless the global Vim variable + " g:pythoncomplete_allow_import is set to non-zero ++" * strip default values and annotations from function parameter lists ++" before exec(), and whitelist class base lists to dotted names: the ++" previous code passed buffer-supplied expressions to exec() which ++" Python evaluates at definition time, allowing arbitrary code ++" execution via crafted def/class headers + " + " v 0.9 + " * Fixed docstring parsing for classes and functions +@@ -95,6 +100,24 @@ function! s:DefPython() + python << PYTHONEOF + import sys, tokenize, cStringIO, types + from token import NAME, DEDENT, NEWLINE, STRING ++import re ++ ++# Used by Class.get_code(): a base class expression is only included in the ++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base", ++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other ++# operators is dropped, since exec()-ing it would evaluate buffer-supplied ++# expressions. See the security note in the file header. ++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$') ++ ++def _strip_param(p): ++ # Return the bare parameter name from a parameter spec harvested by ++ # _parenparse(), discarding any default value or annotation. Default ++ # values and annotations would otherwise be evaluated by exec() at ++ # function-definition time. Star prefixes ("*args", "**kw") and bare ++ # "*" / "/" are preserved as written. ++ p = p.split('=', 1)[0] ++ p = p.split(':', 1)[0] ++ return p.strip() + + debugstmts=[] + def dbg(s): debugstmts.append(s) +@@ -362,7 +385,13 @@ class Class(Scope): + return c + def get_code(self): + str = '%sclass %s' % (self.currentindent(),self.name) +- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers) ++ # Only include base class expressions that are pure dotted names. ++ # Anything else (calls, subscripts, conditionals, ...) is dropped ++ # because exec() would evaluate it at class-definition time. See ++ # the security note in the file header. ++ safe_supers = [s.strip() for s in self.supers ++ if _DOTTED_NAME_RE.match(s.strip())] ++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers) + str += ':\n' + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + if len(self.subscopes) > 0: +@@ -379,8 +408,14 @@ class Function(Scope): + def copy_decl(self,indent=0): + return Function(self.name,self.params,indent, self.docstr) + def get_code(self): ++ # Strip default values and annotations from each parameter before ++ # joining: exec() evaluates these at definition time and a hostile ++ # buffer could otherwise execute arbitrary code via crafted def ++ # headers. See file header for details. ++ safe_params = [_strip_param(p) for p in self.params] ++ safe_params = [p for p in safe_params if p] + str = "%sdef %s(%s):\n" % \ +- (self.currentindent(),self.name,','.join(self.params)) ++ (self.currentindent(),self.name,','.join(safe_params)) + if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n' + str += "%spass\n" % self.childindent() + return str +diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak +index f8c7f8bb46..b06d1af431 100644 +--- a/src/testdir/Make_all.mak ++++ b/src/testdir/Make_all.mak +@@ -250,6 +250,7 @@ NEW_TESTS = \ + test_plugin_man \ + test_plugin_matchparen \ + test_plugin_netrw \ ++ test_plugin_python3complete \ + test_plugin_osc52 \ + test_plugin_tar \ + test_plugin_termdebug \ +@@ -528,6 +529,7 @@ NEW_TESTS_RES = \ + test_plugin_man.res \ + test_plugin_matchparen.res \ + test_plugin_netrw.res \ ++ test_plugin_python3complete.res \ + test_plugin_osc52.res \ + test_plugin_tar.res \ + test_plugin_termdebug.res \ +diff --git a/src/testdir/test_plugin_python3complete.vim b/src/testdir/test_plugin_python3complete.vim +new file mode 100644 +index 0000000000..e2b0c6616d +--- /dev/null ++++ b/src/testdir/test_plugin_python3complete.vim +@@ -0,0 +1,224 @@ ++" Tests for the Python omni-completion plugin (runtime/autoload/python3complete.vim). ++" ++CheckFeature python3 ++ ++" Run omni-completion against the given buffer contents and assert that the ++" marker file was not created. Pre-patch behaviour exec()s reconstructed ++" def/class headers, which evaluates the buffer-supplied expression and ++" creates the marker file. Post-patch, the expressions are stripped. ++func s:CompleteAndExpectNoMarker(buffer_lines, marker_path, msg) ++ call delete(a:marker_path) ++ defer delete(a:marker_path) ++ let g:pythoncomplete_allow_import = 0 ++ new ++ setfiletype python ++ call setline(1, a:buffer_lines) ++ call cursor(line('$'), col([line('$'), '$'])) ++ ++ " The PoC trigger -- direct invocation of the omnifunc with an empty base. ++ " This is the same path Vim takes for CTRL-X CTRL-O. ++ silent! call python3complete#Complete(0, '') ++ ++ call assert_false(filereadable(a:marker_path), ++ \ a:msg . ' (marker ' . a:marker_path . ' was created)') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++func Test_python3complete_no_exec_via_function_default() ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(x=open(' . string(marker) . ', "w").close()):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'function default expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_function_annotation() ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(x: open(' . string(marker) . ', "w").close()):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'function annotation expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_class_base() ++ let marker = tempname() ++ " "or object" gives the class a valid base after the side-effecting ++ " open().close() expression returns None. Without "or object" the ++ " exec would raise TypeError, but the file would still be created ++ " before the exception -- the assertion would still hold. Using ++ " "or object" keeps the buffer parseable as valid Python. ++ call s:CompleteAndExpectNoMarker([ ++ \ 'class Foo(open(' . string(marker) . ', "w").close() or object):', ++ \ ' pass', ++ \ 'Foo.', ++ \ ], marker, ++ \ 'class base expression was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_with_multiple_params() ++ " The strip must apply to every parameter, not just the first. ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(a, b=1, c=open(' . string(marker) . ', "w").close(), d=2):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'non-first parameter default was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_no_exec_via_starargs_default() ++ " "*args" and "**kw" must still be preserved after stripping; ensure a ++ " default following them is also stripped. ++ let marker = tempname() ++ call s:CompleteAndExpectNoMarker([ ++ \ 'def f(*args, key=open(' . string(marker) . ', "w").close(), **kw):', ++ \ ' pass', ++ \ 'f.', ++ \ ], marker, ++ \ 'keyword-only default after *args was evaluated during omni-completion') ++endfunc ++ ++func Test_python3complete_normal_completion_still_works() ++ " Positive control: completion against a buffer with a legitimate class ++ " must still produce completion items. The stripping logic should not ++ " break the normal completion path. ++ let g:pythoncomplete_allow_import = 0 ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'class MyHelper:', ++ \ ' def alpha(self): pass', ++ \ ' def beta(self): pass', ++ \ 'h = MyHelper()', ++ \ 'h.', ++ \ ]) ++ call cursor(5, 3) ++ ++ " First call returns the column to start completion at; second returns ++ " the list of completion items. ++ let start = python3complete#Complete(1, '') ++ call assert_true(start >= 0, ++ \ 'python3complete#Complete(1, "") returned ' . start) ++ ++ let items = python3complete#Complete(0, '') ++ " Items should be a list (possibly empty if the parser can't resolve "h", ++ " but should not be a parse error from our stripping changes). ++ call assert_equal(type([]), type(items), ++ \ 'python3complete#Complete(0, "") did not return a list') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++func Test_python3complete_inherited_completion_via_dotted_base() ++ " Positive control for the class-base whitelist: a dotted-name base class ++ " (the common, safe case) must still be carried into the reconstructed ++ " source so that completion on a subclass can resolve inherited members. ++ let g:pythoncomplete_allow_import = 0 ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'class Base:', ++ \ ' def shared(self): pass', ++ \ 'class Derived(Base):', ++ \ ' def own(self): pass', ++ \ 'd = Derived()', ++ \ 'd.', ++ \ ]) ++ call cursor(6, 3) ++ ++ let items = python3complete#Complete(0, '') ++ call assert_equal(type([]), type(items), ++ \ 'completion against a subclass with a dotted base did not return a list') ++ ++ bwipe! ++ unlet! g:pythoncomplete_allow_import ++endfunc ++ ++" Build a tiny Python module that creates a marker file as a side effect of ++" being imported, add its directory to sys.path, run omni-completion against ++" a buffer containing `import vimtest_marker_mod`, and report whether the ++" marker file was created. Used by the two allow_import tests below. ++func s:RunImportCompletion(allow_import_value) ++ let g:pythoncomplete_allow_import = a:allow_import_value ++ let marker = tempname() ++ let module_dir = tempname() ++ call mkdir(module_dir, 'R') ++ ++ call writefile([ ++ \ 'open(' . string(marker) . ', "w").close()', ++ \ ], module_dir . '/vimtest_marker_mod.py') ++ ++ defer delete(marker) ++ ++ " Pass module_dir to Python via a g: variable so vim.eval() can read it. ++ let g:pythoncomplete_test_module_dir = module_dir ++ py3 << EOF ++import sys, vim ++_p = vim.eval('g:pythoncomplete_test_module_dir') ++if _p not in sys.path: ++ sys.path.insert(0, _p) ++# Drop any cached copy so the module body re-runs and the marker side ++# effect fires on import. ++sys.modules.pop('vimtest_marker_mod', None) ++EOF ++ ++ new ++ setfiletype python ++ call setline(1, [ ++ \ 'import vimtest_marker_mod', ++ \ 'vimtest_marker_mod.', ++ \ ]) ++ call cursor(2, 2) ++ ++ silent! call python3complete#Complete(0, '') ++ ++ let ran = filereadable(marker) ++ ++ bwipe! ++ unlet g:pythoncomplete_allow_import ++ ++ " Teardown: restore sys.path, drop the cached module so a subsequent ++ " test run starts clean, clean up the temp module dir. ++ py3 << EOF ++import sys, vim ++_p = vim.eval('g:pythoncomplete_test_module_dir') ++if _p in sys.path: ++ sys.path.remove(_p) ++sys.modules.pop('vimtest_marker_mod', None) ++EOF ++ unlet g:pythoncomplete_test_module_dir ++ call delete(module_dir, 'rf') ++ call delete(marker) ++ unlet! g:pythoncomplete_allow_import ++ ++ return ran ++endfunc ++ ++func Test_python3complete_allow_import_off_blocks_imports() ++ " GHSA-52mc-rq6p-rc7c mitigation: with the default flag value (0), an ++ " `import` line harvested from the buffer must NOT be exec()'d. The ++ " marker module's side effect (creating a file when its body runs) is ++ " the observable proof that the exec did or did not happen. ++ call assert_false(s:RunImportCompletion(0), ++ \ 'g:pythoncomplete_allow_import=0 did not block the buffer import') ++endfunc ++ ++func Test_python3complete_allow_import_on_runs_imports() ++ " Symmetric positive control: with the flag set to non-zero, the harvested ++ " import IS exec()'d and the module loads. Without this control the ++ " negative test above could pass for unrelated reasons (e.g. completion ++ " failing to parse the buffer at all). ++ call assert_true(s:RunImportCompletion(1), ++ \ 'g:pythoncomplete_allow_import=1 did not run the buffer import') ++endfunc ++ ++" vim: shiftwidth=2 sts=2 expandtab +-- +2.34.1 + diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 6eafc53c746..e34cc17fe57 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -20,6 +20,9 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV} file://CVE-2026-41411.patch \ file://CVE-2026-45130.patch \ file://CVE-2026-46483.patch \ + file://CVE-2026-52858.patch \ + file://CVE-2026-52859.patch \ + file://CVE-2026-52860.patch \ " PV .= ".0340" From patchwork Fri Jul 10 16:36:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92225 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8277C44506 for ; Fri, 10 Jul 2026 16:37:24 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1960.1783701436989059512 for ; Fri, 10 Jul 2026 09:37:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=O230bBoZ; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-493bfe9f886so5846175e9.0 for ; Fri, 10 Jul 2026 09:37:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701435; x=1784306235; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=1Z3X2S5BWA6UutDHy07eFTsAMlP5eNKsNOIxh5XC5Jc=; b=O230bBoZDXitgmfMfe2Yg0/cy/0fV+dr4WmJgDGN2owB8bB5xuWmzNQdoMQzEzi774 umUbbI64o27GJCKtsSvKZWbEy9Jqc1p3ZxG0qckALaOI8QRtm6uA2X7mPv2Hd5wSD6FQ vMZf0OJfWJsNcX96fq+wqtswr5sO46V60oBqA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701435; x=1784306235; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=1Z3X2S5BWA6UutDHy07eFTsAMlP5eNKsNOIxh5XC5Jc=; b=mRD+OClXfShit1pBvgA9G3q97bvcHbaSAXz5jrKKSr7Q/cB53ZzpOJwU9tKzHEp/aT LXsvgPEfDeEPChi058TvZrSuBOA8GepU/CLgbgZq69MW52ykoNDakxfgK4wCaeHxHQtU l2cjsCf4SdqCg5ZYqgQ9hcjqhwpHcRex+5NQcvQYGzsKaIY1n9iiW1YwF/rdT0KRyTvU 6jmjkmRf8oeqVA4SShf25CHQFKX7WZikfYDld8B7p0FTa186TsleXzhPUh8fSS//4YME /9UJE4gXGz56C8Xj8+8pUMfKb4aeCXGFJFEiAQLCh7/8ErD+eL2LYWUKJNpigVpsUgE9 J2xA== X-Gm-Message-State: AOJu0YwbULyNd58MizM7aCjcVakDj3GuWos4CWaeIpRIgdaXSBwe25yg RtroEI9/hhQoQyL82V1Y4sgT9DbPSCS3eVwZ1Stk3QcMar1OdznxzuI56Ro5Q0fSp4BuZpYURQI tqtsDz1U= X-Gm-Gg: AfdE7cl0rqlEEz2ZX1h20JEpl7xCHh97AI5kRDxeYByMYKUQ7bGiweZVslurzt8OkWc 34Plzr679f/hkRWHqsrljqeMak8MeNPby56rAkFTYgqm8W0Oom/Klrh7gpDg83MZJoBBm6GpAxA 3qaa71PgzK6PVyPL4sUE7QKfQQy1AoP0d4TqufCfSAFl9ukPpmQuchdx1BRHs46Y7QpA3e3AH0x qXb39dsaakD1KbH1qw1qssiQaxaOymiy9LI3+xOfhjekNiF/W1hz8JBQbr2ra0yBhRNhXbSEChK nq8dAEnfdDXTbI0YxWPKJZ7A1A27yhgM9QIkCZsVkda2m7qLI0Md/np4innD5Ss0Lw2yhZOuk4J MlDDnK22nyInF4vxsfhNGzZN25X3umnn182Zj1nmdH3gxO6kglu7aidvdNOPihywT3Mgttc7XHO Bxz0eCng8QON4XcBqeYUcAnWaG3p3d0FPbe2aFHGaybHAvKzS5IpDt6cYGGfGkHwNIZD0M3KcpW uJ2Q3j9WjcW9dwBF78= X-Received: by 2002:a05:600c:3acd:b0:493:e57d:4f58 with SMTP id 5b1f17b1804b1-493e687b8d2mr120186965e9.36.1783701435186; Fri, 10 Jul 2026 09:37:15 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:14 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 17/18] xmlto: update SRC_URI Date: Fri, 10 Jul 2026 18:36:32 +0200 Message-ID: X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240677 From: Ross Burton xmlto was previously hosted on Fedora's pagure.io server, but this is being decomissioned. As xmlto isn't Fedora-specific the repository has migrated to codeberg.org. >From discussion with Michal Schorm : I became the new maintainer of the project upstream and after a discussion with Kevin Fenzi, migrated it to a new home on the codeberg.org: https://codeberg.org/xmlto/xmlto Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 0046c780bf612aa7946023f8993c45f0c0b65c08) Signed-off-by: Yoann Congal --- meta/recipes-devtools/xmlto/xmlto_0.0.29.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb index 613d7973ec1..c26cd21dd07 100644 --- a/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb +++ b/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb @@ -7,7 +7,7 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552" SRCREV = "74862a684907ada3d4ed2ce0f8111adf626e1456" -SRC_URI = "git://pagure.io/xmlto.git;protocol=https;branch=master" +SRC_URI = "git://codeberg.org/xmlto/xmlto.git;protocol=https;branch=master" inherit autotools From patchwork Fri Jul 10 16:36:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 92227 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00286C44509 for ; Fri, 10 Jul 2026 16:37:25 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1961.1783701438345966139 for ; Fri, 10 Jul 2026 09:37:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=aOnfy4iZ; spf=pass (domain: smile.fr, ip: 209.85.128.45, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-493e8d4f4dcso9826635e9.0 for ; Fri, 10 Jul 2026 09:37:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1783701436; x=1784306236; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to:content-type; bh=R14PumXbFuOD/7B/+fGiQFsisW6cke7HKbABD+nSlBE=; b=aOnfy4iZ4vydgvBCMV+fqT4H0rmb7wgXSzaiXeFEHTZOn47iFCKdns7p6sYECY2sfb RfDdiU6gIAilJ9BMq1ilp18WmW03bRe2nc7o2a9kXOMAWUhv2qOQdbE1guw/vHtqp3jS ermmVQIWi3PCZ8mvT/K/R3FrIDOJYB94ClU2M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783701437; x=1784306237; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to:content-type; bh=R14PumXbFuOD/7B/+fGiQFsisW6cke7HKbABD+nSlBE=; b=gaFFATz95qKA0PERk1t6bjYbCtLySgtD1TMQhqWv7Qmf5xnvRZi7B9+NGxf+1pmqpp 2Vjz9a361aeuoZf1pQMgvTYcFO3ZPse6FWiW74KFMo9q/oj4217QnsnL+cNKiuyx4lmY gKXrof2g7wA1G4NO1OP95lz2mCzYJQqzoJPgNjgzD3v81BMBykYn8tcpCrbf1lQQHpoX 8FN5AYNbuqMEbWCjpBOopHZ4zBcsHu/9ztCHVcT6rvgowTRdaAEST9RH06D78KOwoP2A KohpH8CuERIzh+hmdzszP8z0q4ZGWvDA4ijLeZrzVyOne9rMjxkgjLqGEtHedf318zzL 6Jpw== X-Gm-Message-State: AOJu0Yy7//Kdw/mVVc3E7nMBYfX7cEOCeZ0z8nXv6k3nw0rbF+Oy5R3r 8I8o1IJnPjrE9BCOIzeEitdOB8YmbhzynG9cECzpTBdaByuly4VeVXyjwdqAuQ/wy/QtBVjhQzz cDSYF2fA= X-Gm-Gg: AfdE7ckNX4OmL2X04Opf0t2UK4QK3PQGCpfa7+BMWCdcYsDx4nx0seX0XRtgmwSLzpo akFeI+l5CCcioxxFHiZOveha6xCo1hSivmiReZj9zf/6CA5e+ThSdpR05+Jr1js78NNvWmQQx14 B4jrjWSMMtKfSTRjyQI1bAOq91NqxVRqmQ4LIJ7fnNtxozA9gYWZ08PvTOi+NT6Y9QNixO0M+gq 9DtQwlaw05cJ+pEPUBw1Xps8YCwK3gcEwNKqquYuxIZanqEwC36I/qPuMsm8XINzhJ8ySR5bH2P IKFIqyUwT7izmNeEpF0BKbHfOPrwlgxJ1THbJoy5YyvSTi00t1qWnqTcVFHvFNetGZ2DYJqrWi6 6fj9Mv13pXBnaALliJOq1ApRkfwanAknz1t2gS5QJ2cohdyKyjgczXoQQtSH1uBLfXDFhHi6Uiu AsTG8XdcDzeapazYZ2roG41+UW3fIFi50kWR6n6TttAoy7S4A0O38leQpq1fHUwWLAog0L+TvXC Jw+WEim6nAsGVUjo4g= X-Received: by 2002:a05:600c:8119:b0:490:9d1b:f086 with SMTP id 5b1f17b1804b1-493e686ad70mr126343455e9.14.1783701436175; Fri, 10 Jul 2026 09:37:16 -0700 (PDT) Received: from localhost.localdomain (2a02-8440-2608-8c5f-3a92-eb6f-dc01-ac58.rev.sfr.net. [2a02:8440:2608:8c5f:3a92:eb6f:dc01:ac58]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb6d4f9fsm150758695e9.4.2026.07.10.09.37.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Jul 2026 09:37:15 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][wrynose 18/18] gnutls: fix CVE-2026-33846 Date: Fri, 10 Jul 2026 18:36:33 +0200 Message-ID: <73299cef1b7cd6446c918c361fd2c47534126361.1783697455.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 10 Jul 2026 16:37:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240679 From: Pritam Srichandan Sahoo Backport upstream fixes for DTLS handshake fragment reassembly vulnerability (CVE-2026-33846). Includes: - 4f94e5cfe1f2: add basic DTLS fragment reassembly test - 9deffca528c2: shorten merge_handshake_packet using recv_buf - 65ab33fa54e3: add validation checks for DTLS fragment length and bounds - cf3f1955e58c: add reproducer for DTLS fragment reassembly bug (#1816) - bb427ff74dba: add fragmented ClientHello test coverage - 092c65d004e2: match DTLS datagrams by handshake sequence number - a2b41be83a1a: add test for mismatched message_seq handling (#1839) - 68b2fb63c8df: link mini-dtls-fragments test to gnulib These commits are included in gnutls 3.8.13 and are backported by both Debian (gnutls28_3.8.9-3+deb13u4) and CentOS 10-stream (gnutls-3.8.10-4.el10) using identical commit selection. Signed-off-by: Pritam Srichandan Sahoo Signed-off-by: Yoann Congal --- ...fragments-implement-a-basic-DTLS-tes.patch | 258 ++++++++++++++++++ ...merge_handshake_packet-using-recv_bu.patch | 96 +++++++ ...s-add-more-checks-to-DTLS-reassembly.patch | 65 +++++ ...fragments-extend-with-a-1816-reprodu.patch | 159 +++++++++++ ...fragments-extend-with-fragmenting-Cl.patch | 149 ++++++++++ ...ch-DTLS-datagrams-by-sequence-number.patch | 42 +++ ...fragments-1839-mismatching-message_s.patch | 104 +++++++ ...ts-mini-dtls-framents-link-to-gnulib.patch | 27 ++ meta/recipes-support/gnutls/gnutls_3.8.12.bb | 8 + 9 files changed, 908 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch create mode 100644 meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch diff --git a/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch b/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch new file mode 100644 index 00000000000..8519bb2d2d6 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch @@ -0,0 +1,258 @@ +From 9dce4b38fd94997c0fb2b3e33e997d1c33256e0e Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 20 Mar 2026 16:09:40 +0100 +Subject: [PATCH 1/8] tests/mini-dtls-fragments: implement a basic DTLS test + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4f94e5cfe1f252a431e41642b0752e7e0daf43b9] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + tests/Makefile.am | 7 +- + tests/mini-dtls-fragments.c | 208 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 214 insertions(+), 1 deletion(-) + create mode 100644 tests/mini-dtls-fragments.c + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index db5aa4e3a..ee95198ff 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -241,7 +241,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei + x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \ + x509-upnconstraint xts-key-check cipher-padding pkcs7-verify-double-free \ + fips-rsa-sizes tls12-rehandshake-ticket pathbuf tls-force-ems \ +- psk-importer privkey-derive dh-compute2 ecdh-compute2 ++ psk-importer privkey-derive dh-compute2 ecdh-compute2 \ ++ mini-dtls-fragments + + ctests += tls-channel-binding + +@@ -505,6 +506,10 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \ + -I$(top_srcdir)/gl \ + -I$(top_builddir)/gl + ++mini_dtls_fragments_CPPFLAGS = $(AM_CPPFLAGS) \ ++ -I$(top_srcdir)/gl \ ++ -I$(top_builddir)/gl ++ + if ENABLE_PKCS11 + if !WINDOWS + ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \ +diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c +new file mode 100644 +index 000000000..ee75feeb6 +--- /dev/null ++++ b/tests/mini-dtls-fragments.c +@@ -0,0 +1,208 @@ ++/* ++ * Copyright (C) 2026 Red Hat, Inc. ++ * ++ * Author: Alexander Sosedkin ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include ++#include ++ ++#if defined(_WIN32) ++ ++int main(void) ++{ ++ exit(77); ++} ++ ++#else ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "cert-common.h" ++#include "utils.h" ++ ++#include "attribute.h" ++ ++static void server_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "server|<%d>| %s", level, str); ++} ++ ++static void client_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "client|<%d>| %s", level, str); ++} ++ ++#define QUEUE_SIZE 1024 ++#define PACKET_SIZE 2048 ++ ++typedef struct { ++ uint8_t buf[PACKET_SIZE]; ++ size_t len; ++} packet_t; ++typedef struct { ++ packet_t packets[QUEUE_SIZE]; ++ size_t head; ++ size_t tail; ++} queue_t; ++ ++static queue_t c2s, s2c; ++ ++static int queue_put(queue_t *q, const void *buf, size_t len) ++{ ++ assert(len <= PACKET_SIZE); ++ memcpy(q->packets[q->tail].buf, buf, len); ++ q->packets[q->tail].len = len; ++ q->tail++; ++ q->tail %= QUEUE_SIZE; ++ assert(q->tail != q->head); ++ return len; ++} ++ ++static ssize_t queue_get(queue_t *q, gnutls_session_t s, void *buf, size_t len) ++{ ++ if (q->head == q->tail) { ++ gnutls_transport_set_errno(s, EAGAIN); ++ return -1; ++ } ++ size_t n = q->packets[q->head].len; ++ memcpy(buf, q->packets[q->head].buf, n); ++ q->head++; ++ q->head %= QUEUE_SIZE; ++ return n; ++} ++ ++static void queue_reset(queue_t *q) ++{ ++ q->head = q->tail = 0; ++} ++ ++static int pull_timeout(gnutls_transport_ptr_t tr, unsigned ms) ++{ ++ return 1; ++} ++ ++static ssize_t server_pull(gnutls_transport_ptr_t tr, void *b, size_t l) ++{ ++ return queue_get(&c2s, (gnutls_session_t)tr, b, l); ++} ++ ++static ssize_t client_pull(gnutls_transport_ptr_t tr, void *b, size_t l) ++{ ++ return queue_get(&s2c, (gnutls_session_t)tr, b, l); ++} ++ ++static ssize_t server_push(gnutls_transport_ptr_t tr, const void *b, size_t l) ++{ ++ return queue_put(&s2c, b, l); ++} ++ ++static ssize_t client_push_normal(gnutls_transport_ptr_t tr, const void *b, ++ size_t l) ++{ ++ return queue_put(&c2s, b, l); ++} ++ ++static void test(gnutls_push_func client_push) ++{ ++ gnutls_session_t client, server; ++ gnutls_certificate_credentials_t ccred, scred; ++ int cr = 0, sr = 0; ++ bool cdone = false, sdone = false; ++ ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ gnutls_certificate_allocate_credentials(&scred); ++ gnutls_certificate_set_x509_key_mem(scred, &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ gnutls_certificate_allocate_credentials(&ccred); ++ ++ gnutls_init(&server, GNUTLS_SERVER | GNUTLS_DATAGRAM); ++ gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_DATAGRAM); ++ ++ gnutls_priority_set_direct(server, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", ++ NULL); ++ gnutls_priority_set_direct(client, "NORMAL:-VERS-ALL:+VERS-DTLS1.2", ++ NULL); ++ ++ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); ++ gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred); ++ ++ gnutls_dtls_set_timeouts(client, get_dtls_retransmit_timeout(), ++ get_timeout()); ++ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(), ++ get_timeout()); ++ ++ gnutls_transport_set_ptr(client, client); ++ gnutls_transport_set_push_function(client, client_push); ++ gnutls_transport_set_pull_function(client, client_pull); ++ gnutls_transport_set_pull_timeout_function(client, pull_timeout); ++ ++ gnutls_transport_set_ptr(server, server); ++ gnutls_transport_set_push_function(server, server_push); ++ gnutls_transport_set_pull_function(server, server_pull); ++ gnutls_transport_set_pull_timeout_function(server, pull_timeout); ++ ++ while (!cdone || !sdone) { ++ gnutls_global_set_log_function(client_log_func); ++ if (!cdone) ++ cr = gnutls_handshake(client); ++ if (!cr || gnutls_error_is_fatal(cr)) ++ cdone = true; ++ ++ gnutls_global_set_log_function(server_log_func); ++ if (!sdone) ++ sr = gnutls_handshake(server); ++ if (!sr || gnutls_error_is_fatal(sr)) ++ sdone = true; ++ } ++ ++ if (cr) ++ fail("client: %s\n", gnutls_strerror(cr)); ++ if (sr) ++ fail("server: %s\n", gnutls_strerror(sr)); ++ ++ success("OK\n"); ++ ++ queue_reset(&c2s); ++ queue_reset(&s2c); ++ ++ gnutls_deinit(client); ++ gnutls_deinit(server); ++ gnutls_certificate_free_credentials(ccred); ++ gnutls_certificate_free_credentials(scred); ++} ++ ++void doit(void) ++{ ++ global_init(); ++ test(client_push_normal); ++ gnutls_global_deinit(); ++} ++ ++#endif /* _WIN32 */ +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch b/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch new file mode 100644 index 00000000000..aaf51992c27 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch @@ -0,0 +1,96 @@ +From 3ff7f6be9bb08463dd06765ab501430c4965ee05 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 17 Apr 2026 17:49:31 +0200 +Subject: [PATCH 2/8] buffers: shorten merge_handshake_packet using recv_buf + +I had vague concerns about thread-safety of this, +but then this pattern already exists within the file. + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + lib/buffers.c | 52 +++++++++++++++++---------------------------------- + 1 file changed, 17 insertions(+), 35 deletions(-) + +diff --git a/lib/buffers.c b/lib/buffers.c +index 672380b05..d54c77022 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session, + int exists = 0, i, pos = 0; + int ret; + ++ handshake_buffer_st *recv_buf = ++ session->internals.handshake_recv_buffer; ++ + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) { +- if (session->internals.handshake_recv_buffer[i].htype == +- hsk->htype) { ++ if (recv_buf[i].htype == hsk->htype) { + exists = 1; + pos = i; + break; +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session, + _gnutls_write_uint24(0, &hsk->header[6]); + _gnutls_write_uint24(hsk->length, &hsk->header[9]); + +- _gnutls_handshake_buffer_move( +- &session->internals.handshake_recv_buffer[pos], hsk); ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); + + } else { +- if (hsk->start_offset < +- session->internals.handshake_recv_buffer[pos] +- .start_offset && +- hsk->end_offset + 1 >= +- session->internals.handshake_recv_buffer[pos] +- .start_offset) { +- memcpy(&session->internals.handshake_recv_buffer[pos] +- .data.data[hsk->start_offset], ++ if (hsk->start_offset < recv_buf[pos].start_offset && ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) { ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); +- session->internals.handshake_recv_buffer[pos] +- .start_offset = hsk->start_offset; +- session->internals.handshake_recv_buffer[pos] +- .end_offset = MIN( +- hsk->end_offset, +- session->internals.handshake_recv_buffer[pos] +- .end_offset); +- } else if (hsk->end_offset > +- session->internals.handshake_recv_buffer[pos] +- .end_offset && +- hsk->start_offset <= +- session->internals.handshake_recv_buffer[pos] +- .end_offset + +- 1) { +- memcpy(&session->internals.handshake_recv_buffer[pos] +- .data.data[hsk->start_offset], ++ recv_buf[pos].start_offset = hsk->start_offset; ++ recv_buf[pos].end_offset = ++ MIN(hsk->end_offset, recv_buf[pos].end_offset); ++ } else if (hsk->end_offset > recv_buf[pos].end_offset && ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) { ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); + +- session->internals.handshake_recv_buffer[pos] +- .end_offset = hsk->end_offset; +- session->internals.handshake_recv_buffer[pos] +- .start_offset = MIN( +- hsk->start_offset, +- session->internals.handshake_recv_buffer[pos] +- .start_offset); ++ recv_buf[pos].end_offset = hsk->end_offset; ++ recv_buf[pos].start_offset = MIN( ++ hsk->start_offset, recv_buf[pos].start_offset); + } + _gnutls_handshake_buffer_clear(hsk); + } +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch b/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch new file mode 100644 index 00000000000..d9c3c0d3c68 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch @@ -0,0 +1,65 @@ +From dcd891a02e11dc13417800042d5272777fca0e97 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 17 Apr 2026 18:21:36 +0200 +Subject: [PATCH 3/8] buffers: add more checks to DTLS reassembly + +Previously, gnutls didn't check that DTLS fragments claimed +a consistent message_length value. +Additionally, a crucial array size check was missing, +enabling an attacker to cause a heap overwrite. +The updated version rejects fragments with mismatching length +and adds a missing boundary check. + +Reported-by: Haruto Kimura (Stella) +Reported-by: Oscar Reparaz +Reported-by: Zou Dikai +Fixes: #1816 +Fixes: #1838 +Fixes: #1839 +Fixes: CVE-2026-33846 +Fixes: GNUTLS-SA-2026-04-29-1 +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + lib/buffers.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/lib/buffers.c b/lib/buffers.c +index d54c77022..5d4d16276 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session, + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); + + } else { ++ if (hsk->length != recv_buf[pos].length) { ++ /* inconsistent across fragments */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ /* start_offset + data.length <= hsk->length <= max_length */ ++ if (hsk->length < hsk->start_offset + hsk->data.length) { ++ /* impossible claims, overflow requested */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ if (hsk->length > recv_buf[pos].data.max_length) { ++ /* we don't have this much allocated, overflow guard */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ + if (hsk->start_offset < recv_buf[pos].start_offset && + hsk->end_offset + 1 >= recv_buf[pos].start_offset) { + memcpy(&recv_buf[pos].data.data[hsk->start_offset], +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch b/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch new file mode 100644 index 00000000000..9b4760450fa --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch @@ -0,0 +1,159 @@ +From 2fa72585f927d340827eccdf91bb69cf60ac169e Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 1 Apr 2026 19:51:45 +0200 +Subject: [PATCH 4/8] tests/mini-dtls-fragments: extend with a #1816 reproducer + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cf3f1955e58cbcc10373b841bb101fb058565d87] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + tests/mini-dtls-fragments.c | 120 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 120 insertions(+) + +diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c +index ee75feeb6..8d5a18acd 100644 +--- a/tests/mini-dtls-fragments.c ++++ b/tests/mini-dtls-fragments.c +@@ -106,6 +106,11 @@ static int pull_timeout(gnutls_transport_ptr_t tr, unsigned ms) + return 1; + } + ++static int c2s_pull_timeout_once(gnutls_transport_ptr_t tr, unsigned ms) ++{ ++ return c2s.head != c2s.tail ? 1 : 0; ++} ++ + static ssize_t server_pull(gnutls_transport_ptr_t tr, void *b, size_t l) + { + return queue_get(&c2s, (gnutls_session_t)tr, b, l); +@@ -198,10 +203,125 @@ static void test(gnutls_push_func client_push) + gnutls_certificate_free_credentials(scred); + } + ++static void test_malicious1816(void) ++{ ++ /* dgram1: msg_len=50, frag_offset=25, frag_len=25 */ ++ static const uint8_t dgram1_hdr[] = { ++ 0x16, /* type: handshake */ ++ 0xfe, 0xfd, /* version: DTLS 1.2 */ ++ 0x00, 0x00, /* epoch: 0 */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* seq: 0 */ ++ 0x00, 0x25, /* record_length: 37 */ ++ 0x01, /* msg_type: ClientHello */ ++ 0x00, 0x00, 0x32, /* msg_length: 50 */ ++ 0x00, 0x00, /* msg_seq: 0 */ ++ 0x00, 0x00, 0x19, /* frag_offset: 25 */ ++ 0x00, 0x00, 0x19, /* frag_length: 25 */ ++ }; ++ /* dgram2: msg_len=3000, frag_offset=0, frag_len=48 */ ++ static const uint8_t dgram2_hdr[] = { ++ 0x16, /* type: handshake */ ++ 0xfe, 0xfd, /* version: DTLS 1.2 */ ++ 0x00, 0x00, /* epoch: 0 */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* seq: 1 */ ++ 0x00, 0x3c, /* record_length: 60 */ ++ 0x01, /* msg_type: ClientHello */ ++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */ ++ 0x00, 0x00, /* msg_seq: 0 */ ++ 0x00, 0x00, 0x00, /* frag_offset: 0 */ ++ 0x00, 0x00, 0x30, /* frag_length: 48 */ ++ }; ++ /* dgram3: msg_len=3000, frag_offset=40, frag_len=1475 */ ++ static const uint8_t dgram3_hdr[] = { ++ 0x16, /* type: handshake */ ++ 0xfe, 0xfd, /* version: DTLS 1.2 */ ++ 0x00, 0x00, /* epoch: 0 */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* seq: 2 */ ++ 0x05, 0xcf, /* record_length: 1487 */ ++ 0x01, /* msg_type: ClientHello */ ++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */ ++ 0x00, 0x00, /* msg_seq: 0 */ ++ 0x00, 0x00, 0x28, /* frag_offset: 40 */ ++ 0x00, 0x05, 0xc3, /* frag_length: 1475 */ ++ }; ++ /* dgram4: msg_len=3000, frag_offset=1500, frag_len=1475 */ ++ static const uint8_t dgram4_hdr[] = { ++ 0x16, /* type: handshake */ ++ 0xfe, 0xfd, /* version: DTLS 1.2 */ ++ 0x00, 0x00, /* epoch: 0 */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, /* seq: 3 */ ++ 0x05, 0xcf, /* record_length: 1487 */ ++ 0x01, /* msg_type: ClientHello */ ++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */ ++ 0x00, 0x00, /* msg_seq: 0 */ ++ 0x00, 0x05, 0xdc, /* frag_offset: 1500 */ ++ 0x00, 0x05, 0xc3, /* frag_length: 1475 */ ++ }; ++ gnutls_session_t server; ++ gnutls_certificate_credentials_t scred; ++ uint8_t dgram[1500]; ++ int sr; ++ ++ if (debug) ++ gnutls_global_set_log_level(4711); ++ ++ gnutls_certificate_allocate_credentials(&scred); ++ gnutls_certificate_set_x509_key_mem(scred, &server_cert, &server_key, ++ GNUTLS_X509_FMT_PEM); ++ ++ gnutls_init(&server, GNUTLS_SERVER | GNUTLS_DATAGRAM); ++ gnutls_priority_set_direct(server, "NORMAL:+VERS-DTLS1.2", NULL); ++ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); ++ ++ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(), ++ get_timeout()); ++ ++ gnutls_transport_set_ptr(server, server); ++ gnutls_transport_set_push_function(server, server_push); ++ gnutls_transport_set_pull_function(server, server_pull); ++ gnutls_transport_set_pull_timeout_function(server, ++ c2s_pull_timeout_once); ++ ++ memset(dgram, 0, sizeof(dgram)); ++ memcpy(dgram, dgram1_hdr, 25); ++ queue_put(&c2s, dgram, 25 + 25); ++ ++ memset(dgram, 0, sizeof(dgram)); ++ memcpy(dgram, dgram2_hdr, 25); ++ queue_put(&c2s, dgram, 25 + 48); ++ ++ memset(dgram, 0, sizeof(dgram)); ++ memcpy(dgram, dgram3_hdr, 25); ++ queue_put(&c2s, dgram, 25 + 1475); ++ ++ memset(dgram, 0, sizeof(dgram)); ++ memcpy(dgram, dgram4_hdr, 25); ++ queue_put(&c2s, dgram, 25 + 1475); ++ ++ gnutls_global_set_log_function(server_log_func); ++ do { ++ sr = gnutls_handshake(server); /* invalid write if vulnerable */ ++ } while (c2s.head != c2s.tail && !gnutls_error_is_fatal(sr)); ++ if (sr != GNUTLS_E_UNEXPECTED_PACKET_LENGTH) ++ fail("server: expected GNUTLS_E_UNEXPECTED_PACKET_LENGTH, " ++ "got: %s\n", ++ gnutls_strerror(sr)); ++ ++ success("OK\n"); ++ ++ queue_reset(&c2s); ++ queue_reset(&s2c); ++ ++ gnutls_deinit(server); ++ gnutls_certificate_free_credentials(scred); ++} ++ + void doit(void) + { + global_init(); + test(client_push_normal); ++ success("malicious reassembly bug exploitation (#1816):\n"); ++ test_malicious1816(); + gnutls_global_deinit(); + } + +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch b/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch new file mode 100644 index 00000000000..83c201926d1 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch @@ -0,0 +1,149 @@ +From cee203d6ba4d49332a49e46a7d59e9ef7b33a741 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 20 Apr 2026 16:08:11 +0200 +Subject: [PATCH 5/8] tests/mini-dtls-fragments: extend with fragmenting + ClientHello + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bb427ff74dba849d40753ed9c8511e873f762743] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + tests/mini-dtls-fragments.c | 107 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 107 insertions(+) + +diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c +index 8d5a18acd..93490bac2 100644 +--- a/tests/mini-dtls-fragments.c ++++ b/tests/mini-dtls-fragments.c +@@ -132,6 +132,39 @@ static ssize_t client_push_normal(gnutls_transport_ptr_t tr, const void *b, + return queue_put(&c2s, b, l); + } + ++static void write_u16(uint8_t *p, uint16_t val) ++{ ++ p[0] = val >> 8; ++ p[1] = val & 0xff; ++} ++ ++static void write_u24(uint8_t *p, uint32_t val) ++{ ++ p[0] = (val >> 16) & 0xff; ++ p[1] = (val >> 8) & 0xff; ++ p[2] = val & 0xff; ++} ++ ++static void write_u48(uint8_t *p, uint64_t seq) ++{ ++ int i; ++ for (i = 5; i >= 0; i--) { ++ p[i] = seq & 0xff; ++ seq >>= 8; ++ } ++} ++ ++static uint64_t read_u48(const uint8_t *p) ++{ ++ uint64_t seq = 0; ++ int i; ++ for (i = 5; i >= 0; i--) { ++ seq <<= 8; ++ seq |= p[i]; ++ } ++ return seq; ++} ++ + static void test(gnutls_push_func client_push) + { + gnutls_session_t client, server; +@@ -316,12 +349,86 @@ static void test_malicious1816(void) + gnutls_certificate_free_credentials(scred); + } + ++static ssize_t queue_put_renumbered(queue_t *q, const uint8_t *data, size_t l, ++ int delta_n) ++{ ++ if (delta_n == 0 || l < 13 || data[3] != 0 || data[4] != 0) ++ return queue_put(&c2s, data, l); ++ ++ uint8_t *p = malloc(l); ++ assert(p); ++ memcpy(p, data, l); ++ write_u48(p + 5, read_u48(p + 5) + delta_n); ++ ssize_t ret = queue_put(q, p, l); ++ free(p); ++ return ret; ++} ++ ++static void split_client_hello(const uint8_t *data, size_t len, uint8_t **frag1, ++ size_t *frag1_len, uint8_t **frag2, ++ size_t *frag2_len) ++{ ++ size_t body_size = len - 25; ++ *frag1_len = 13 + 12 + 1; ++ *frag2_len = 13 + 12 + (body_size - 1); ++ ++ *frag1 = malloc(13 + 12 + 1); ++ assert(*frag1); ++ *frag2 = malloc(13 + 12 + body_size - 1); ++ assert(*frag2); ++ ++ /* first fragment: record header + handshake header + first body byte */ ++ memcpy(*frag1, data, 13); /* record header */ ++ write_u16(*frag1 + 11, 12 + 1); /* record length */ ++ memcpy(*frag1 + 13, data + 13, 12); /* handshake header */ ++ write_u24(*frag1 + 19, 0); /* fragment_offset = 0 */ ++ write_u24(*frag1 + 22, 1); /* fragment_length = 1 */ ++ (*frag1)[25] = data[25]; /* first body byte */ ++ ++ /* second fragment: record header + handshake header + remaining body */ ++ memcpy(*frag2, data, 13); /* record header */ ++ write_u16(*frag2 + 11, *frag2_len - 13); /* record length */ ++ write_u48(*frag2 + 5, read_u48(*frag2 + 5) + 1); /* sequence number */ ++ memcpy(*frag2 + 13, data + 13, 12); /* handshake header */ ++ write_u24(*frag2 + 19, 1); /* fragment_offset = 1 */ ++ write_u24(*frag2 + 22, body_size - 1); /* shortened fragment_length */ ++ memcpy(*frag2 + 25, data + 26, body_size - 1); /* remaining body */ ++} ++ ++static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b, ++ size_t l) ++{ ++ static int seq_offset = 0; /* for renumbering follow-up epoch0 ones */ ++ ++ const uint8_t *data = (const uint8_t *)b; ++ uint8_t *frag1, *frag2; ++ size_t frag1_len, frag2_len; ++ ++ /* Pass through anything that isn't an epoch0 ClientHello with body */ ++ if (l < 13 + 12 + 1 || /* too short for DTLS record header */ ++ data[0] != 22 || /* not a handshake record */ ++ data[3] != 0 || data[4] != 0 || /* not epoch 0 */ ++ data[13] != 1) /* not ClientHello */ ++ return queue_put_renumbered(&c2s, b, l, seq_offset); ++ ++ /* epoch0 Client Hello: special treatment of splitting into fragments */ ++ split_client_hello(data, l, &frag1, &frag1_len, &frag2, &frag2_len); ++ queue_put(&c2s, frag1, frag1_len); ++ queue_put(&c2s, frag2, frag2_len); ++ free(frag1); ++ free(frag2); ++ seq_offset++; ++ return l; ++} ++ + void doit(void) + { + global_init(); + test(client_push_normal); + success("malicious reassembly bug exploitation (#1816):\n"); + test_malicious1816(); ++ success("split client hello smoke-test\n"); ++ test(client_push_split_hello); + gnutls_global_deinit(); + } + +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch b/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch new file mode 100644 index 00000000000..16272915129 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch @@ -0,0 +1,42 @@ +From bd8f76ce12a57962a62ce2818a6263fb04304c3f Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 20 Apr 2026 16:32:02 +0200 +Subject: [PATCH 6/8] buffers: match DTLS datagrams by sequence number + +DTLS handshake fragment reassembly previously matched incoming fragments +by handshake type only, without checking the sequence number. +This allowed fragments from different handshake messages +to be merged into the same reassembly buffer. + +Now sequence number is accounted for during reassembly, +ensuring fragments are only merged when they belong +to the same handshake message. + +Reported-by: Zou Dikai +Fixes: #1839 +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/092c65d004e2f125f2fea3db84d801ac49a09f78] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + lib/buffers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/buffers.c b/lib/buffers.c +index 5d4d16276..62f140ed3 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -971,7 +971,8 @@ static int merge_handshake_packet(gnutls_session_t session, + session->internals.handshake_recv_buffer; + + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) { +- if (recv_buf[i].htype == hsk->htype) { ++ if (recv_buf[i].htype == hsk->htype && ++ recv_buf[i].sequence == hsk->sequence) { + exists = 1; + pos = i; + break; +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch b/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch new file mode 100644 index 00000000000..34bae2f57bf --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch @@ -0,0 +1,104 @@ +From f7a5e7f3a7d05c7d558abd2f56f86e4c201be48b Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 20 Apr 2026 16:36:08 +0200 +Subject: [PATCH 7/8] tests/mini-dtls-fragments: #1839 mismatching message_seq + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a2b41be83a1a3529c551ccf54958da91a656550e] +CVE: CVE-2026-33846 +Signed-off-by: Pritam Srichandan Sahoo +--- + tests/mini-dtls-fragments.c | 54 ++++++++++++++++++++++++++++++++----- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c +index 93490bac2..499a92a92 100644 +--- a/tests/mini-dtls-fragments.c ++++ b/tests/mini-dtls-fragments.c +@@ -165,7 +165,7 @@ static uint64_t read_u48(const uint8_t *p) + return seq; + } + +-static void test(gnutls_push_func client_push) ++static void test(gnutls_push_func client_push, bool expect_success) + { + gnutls_session_t client, server; + gnutls_certificate_credentials_t ccred, scred; +@@ -218,12 +218,22 @@ static void test(gnutls_push_func client_push) + sr = gnutls_handshake(server); + if (!sr || gnutls_error_is_fatal(sr)) + sdone = true; ++ ++ if (c2s.head == c2s.tail && s2c.head == s2c.tail) ++ break; /* speed the test up */ + } + +- if (cr) +- fail("client: %s\n", gnutls_strerror(cr)); +- if (sr) +- fail("server: %s\n", gnutls_strerror(sr)); ++ if (expect_success) { ++ if (cr) ++ fail("client: %s\n", gnutls_strerror(cr)); ++ if (sr) ++ fail("server: %s\n", gnutls_strerror(sr)); ++ ++ } else { ++ if (cr == 0 && sr == 0) ++ fail("handshake unexpectedly succeeded: %s / %s\n", ++ gnutls_strerror(cr), gnutls_strerror(sr)); ++ } + + success("OK\n"); + +@@ -421,14 +431,44 @@ static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b, + return l; + } + ++static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr, ++ const void *b, size_t l) ++{ ++ /* gnutls wasn't matching on message_seq on merging, see #1839 */ ++ static int seq_offset = 0; /* for renumbering follow-up epoch0 ones */ ++ ++ const uint8_t *data = (const uint8_t *)b; ++ uint8_t *frag1, *frag2; ++ size_t frag1_len, frag2_len; ++ ++ /* Pass through anything that isn't an epoch0 ClientHello with body */ ++ if (l < 13 + 12 + 1 || /* too short for DTLS record header */ ++ data[0] != 22 || /* not a handshake record */ ++ data[3] != 0 || data[4] != 0 || /* not epoch 0 */ ++ data[13] != 1) /* not ClientHello */ ++ return queue_put_renumbered(&c2s, b, l, seq_offset); ++ ++ /* epoch0 Client Hello: special treatment of splitting into fragments */ ++ split_client_hello(data, l, &frag1, &frag1_len, &frag2, &frag2_len); ++ queue_put(&c2s, frag1, frag1_len); ++ frag2[18]++; /* WRONG, message_seq mismatch must be rejected, #1839 */ ++ queue_put(&c2s, frag2, frag2_len); ++ free(frag1); ++ free(frag2); ++ seq_offset++; ++ return l; ++} ++ + void doit(void) + { + global_init(); +- test(client_push_normal); ++ test(client_push_normal, true); + success("malicious reassembly bug exploitation (#1816):\n"); + test_malicious1816(); + success("split client hello smoke-test\n"); +- test(client_push_split_hello); ++ test(client_push_split_hello, true); ++ success("split client hello smoke-test and mangle sequence number\n"); ++ test(client_push_split_hello_bad_seq, false); + gnutls_global_deinit(); + } + +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch b/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch new file mode 100644 index 00000000000..9c4cfa8a944 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch @@ -0,0 +1,27 @@ +From ed40056cdcfdf9ff815f4e2df93f0a263769a563 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Thu, 30 Apr 2026 13:08:01 +0200 +Subject: [PATCH 8/8] tests/mini-dtls-framents: link to gnulib + +Signed-off-by: Alexander Sosedkin + +Upstream-Status: Backport [https://github.com/gnutls/gnutls/commit/68b2fb63c8df61d1480121a859f8c955f4910c01] +Signed-off-by: Pritam Srichandan Sahoo +--- + tests/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -509,6 +509,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \ + mini_dtls_fragments_CPPFLAGS = $(AM_CPPFLAGS) \ + -I$(top_srcdir)/gl \ + -I$(top_builddir)/gl ++mini_dtls_fragments_LDADD = $(LDADD) ../gl/libgnu.la + + if ENABLE_PKCS11 + if !WINDOWS +-- +2.53.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.12.bb b/meta/recipes-support/gnutls/gnutls_3.8.12.bb index 8554ab943d6..b92470768c2 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.12.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.12.bb @@ -24,6 +24,14 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://run-ptest \ file://Add-ptest-support.patch \ file://c99.patch \ + file://0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch \ + file://0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch \ + file://0003-buffers-add-more-checks-to-DTLS-reassembly.patch \ + file://0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch \ + file://0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch \ + file://0006-buffers-match-DTLS-datagrams-by-sequence-number.patch \ + file://0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch \ + file://0008-tests-mini-dtls-framents-link-to-gnulib.patch \ " SRC_URI[sha256sum] = "a7b341421bfd459acf7a374ca4af3b9e06608dcd7bd792b2bf470bea012b8e51"