build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: 1efbe1004bc82e7c14c1e8bd4ce644f5015c3346)

Signed-off-by: Steve Sakoman <steve@sakoman.com>

bitbake/lib/bb/cache.py

@@ -27,7 +27,7 @@ import re
 
 logger = logging.getLogger("BitBake.Cache")
 
-__cache_version__ = "154"
+__cache_version__ = "155"
 
 def getCacheFile(path, filename, mc, data_hash):
     mcspec = ''

bitbake/lib/bb/siggen.py

@@ -331,7 +331,7 @@ class SignatureGeneratorBasic(SignatureGenerator):
         for dep in self.runtaskdeps[tid]:
             data += self.get_unihash(dep)
 
-        for (f, cs) in self.file_checksum_values[tid]:
+        for (f, cs) in sorted(self.file_checksum_values[tid], key=clean_checksum_file_path):
             if cs:
                 if "/./" in f:
                     data += "./" + f.split("/./")[1]
@@ -393,7 +393,7 @@ class SignatureGeneratorBasic(SignatureGenerator):
         if runtime and tid in self.taskhash:
             data['runtaskdeps'] = self.runtaskdeps[tid]
             data['file_checksum_values'] = []
-            for f,cs in self.file_checksum_values[tid]:
+            for f,cs in sorted(self.file_checksum_values[tid], key=clean_checksum_file_path):
                 if "/./" in f:
                     data['file_checksum_values'].append(("./" + f.split("/./")[1], cs))
                 else:
@@ -720,6 +720,12 @@ class SignatureGeneratorTestMulticonfigDepends(SignatureGeneratorBasicHash):
     name = "TestMulticonfigDepends"
     supports_multiconfig_datacaches = True
 
+def clean_checksum_file_path(file_checksum_tuple):
+    f, cs = file_checksum_tuple
+    if "/./" in f:
+        return "./" + f.split("/./")[1]
+    return f
+
 def dump_this_task(outfile, d):
     import bb.parse
     fn = d.getVar("BB_FILENAME")

documentation/conf.py

@@ -136,6 +136,7 @@ except ImportError:
     sys.exit(1)
 
 html_logo = 'sphinx-static/YoctoProject_Logo_RGB.jpg'
+html_favicon = 'sphinx-static/favicon.ico'
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,

documentation/contributor-guide/submit-changes.rst

@@ -791,3 +791,52 @@ Other layers may have similar testing branches but there is no formal
 requirement or standard for these so please check the documentation for the
 layers you are contributing to.
 
+Acceptance of AI Generated Code
+===============================
+
+The Yocto Project and OpenEmbedded follow the guidance of the Linux Foundation
+in regards to the use of generative AI tools. See:
+https://www.linuxfoundation.org/legal/generative-ai.
+
+All of the existing guidelines in this document are expected to be followed,
+including in the :doc:`recipe-style-guide`, and contributing the changes with
+additional requirements to the items in section
+:ref:`contributor-guide/submit-changes:Implement and commit changes`.
+
+All AI Generated Code must be labeled as such in the commit message,
+prior to your ``Signed-off-by`` line. It is also strongly recommended,
+that any patches or code within the commit also have a comment or other
+indication that this code was AI generated.
+
+For example, here is a properly formatted commit message::
+
+   component: Add the ability to ...
+
+   AI-Generated: Uses GitHub Copilot
+
+   Signed-off-by: Your Name <your.name@domain>
+
+The ``Signed-off-by`` line must be written by you, and not the AI helper.
+As a reminder, when contributing a change, your ``Signed-off-by`` line is
+required and the stipulations in the `Developer's Statement of Origin
+1.1 <https://developercertificate.org/>`__ still apply.
+
+Additionally, you must stipulate AI contributions conform to the Linux
+Foundation policy, specifically:
+
+#. Contributors should ensure that the terms and conditions of the generative AI
+   tool do not place any contractual restrictions on how the tool's output can
+   be used that are inconsistent with the project's open source software
+   license, the project's intellectual property policies, or the Open Source
+   Definition.
+
+#. If any pre-existing copyrighted materials (including pre-existing open
+   source code) authored or owned by third parties are included in the AI tool's
+   output, prior to contributing such output to the project, the Contributor
+   should confirm that they have permission from the third party
+   owners -- such as the form of an open source license or public domain
+   declaration that complies with the project's licensing policies -- to use and
+   modify such pre-existing materials and contribute them to the project.
+   Additionally, the contributor should provide notice and attribution of such
+   third party rights, along with information about the applicable license
+   terms, with their contribution.

documentation/dev-manual/customizing-images.rst

@@ -80,15 +80,14 @@ recipe that are enabled with :term:`IMAGE_FEATURES`. The value of
 :term:`EXTRA_IMAGE_FEATURES` is added to :term:`IMAGE_FEATURES` within
 ``meta/conf/bitbake.conf``.
 
-To illustrate how you can use these variables to modify your image,
-consider an example that selects the SSH server. The Yocto Project ships
-with two SSH servers you can use with your images: Dropbear and OpenSSH.
-Dropbear is a minimal SSH server appropriate for resource-constrained
-environments, while OpenSSH is a well-known standard SSH server
-implementation. By default, the ``core-image-sato`` image is configured
-to use Dropbear. The ``core-image-full-cmdline`` and ``core-image-lsb``
-images both include OpenSSH. The ``core-image-minimal`` image does not
-contain an SSH server.
+To illustrate how you can use these variables to modify your image, consider an
+example that selects the SSH server. The Yocto Project ships with two SSH
+servers you can use with your images: Dropbear and OpenSSH. Dropbear is a
+minimal SSH server appropriate for resource-constrained environments, while
+OpenSSH is a well-known standard SSH server implementation. By default, the
+``core-image-sato`` image is configured to use Dropbear. The
+``core-image-full-cmdline`` image includes OpenSSH. The ``core-image-minimal``
+image does not contain an SSH server.
 
 You can customize your image and change these defaults. Edit the
 :term:`IMAGE_FEATURES` variable in your recipe or use the

documentation/dev-manual/qemu.rst

@@ -287,12 +287,11 @@ present, the toolchain is also automatically used.
       networking.
 
    -  SSH servers are available in some QEMU images. The ``core-image-sato``
-      QEMU image has a Dropbear secure shell (SSH) server that runs with
-      the root password disabled. The ``core-image-full-cmdline`` and
-      ``core-image-lsb`` QEMU images have OpenSSH instead of Dropbear.
-      Including these SSH servers allow you to use standard ``ssh`` and
-      ``scp`` commands. The ``core-image-minimal`` QEMU image, however,
-      contains no SSH server.
+      QEMU image has a Dropbear secure shell (SSH) server that runs with the
+      root password disabled. The ``core-image-full-cmdline`` QEMU image has
+      OpenSSH instead of Dropbear. Including these SSH servers allow you to use
+      standard ``ssh`` and ``scp`` commands. The ``core-image-minimal`` QEMU
+      image, however, contains no SSH server.
 
    -  You can use a provided, user-space NFS server to boot the QEMU
       session using a local copy of the root filesystem on the host. In

documentation/dev-manual/vulnerabilities.rst

@@ -62,37 +62,77 @@ found in ``build/tmp/deploy/cve``.
 
 For example the CVE check report for the ``flex-native`` recipe looks like::
 
-   $ cat poky/build/tmp/deploy/cve/flex-native
-   LAYER: meta
-   PACKAGE NAME: flex-native
-   PACKAGE VERSION: 2.6.4
-   CVE: CVE-2016-6354
-   CVE STATUS: Patched
-   CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
-   CVSS v2 BASE SCORE: 7.5
-   CVSS v3 BASE SCORE: 9.8
-   VECTOR: NETWORK
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
-
-   LAYER: meta
-   PACKAGE NAME: flex-native
-   PACKAGE VERSION: 2.6.4
-   CVE: CVE-2019-6293
-   CVE STATUS: Ignored
-   CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
-   CVSS v2 BASE SCORE: 4.3
-   CVSS v3 BASE SCORE: 5.5
-   VECTOR: NETWORK
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
+   {
+     "version": "1",
+     "package": [
+       {
+         "name": "flex-native",
+         "layer": "meta",
+         "version": "2.6.4",
+         "products": [
+           {
+             "product": "flex",
+             "cvesInRecord": "No"
+           },
+           {
+             "product": "flex",
+             "cvesInRecord": "Yes"
+           }
+         ],
+         "issue": [
+           {
+             "id": "CVE-2006-0459",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }
 
 For images, a summary of all recipes included in the image and their CVEs is also
-generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
+generated in the JSON format. These ``.json`` reports can be found
 in the ``tmp/deploy/images`` directory for each compiled image.
 
 At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
 
-   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
-   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
 
 It is also possible to check the CVE status of individual packages as follows::
 
@@ -111,10 +151,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 
 The variable supports using vendor and product names like this::
 
-   CVE_PRODUCT = "flex_project:flex"
+   CVE_PRODUCT = "flex_project:flex westes:flex"
 
-In this example the vendor name used in the CVE database is ``flex_project`` and the
-product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
 product and not products from other vendors with same name ``flex``.
 
 Similarly, when the recipe version :term:`PV` is not compatible with software versions used by

documentation/migration-guides/release-4.0.rst

@@ -31,3 +31,4 @@ Release 4.0 (kirkstone)
    release-notes-4.0.22
    release-notes-4.0.23
    release-notes-4.0.24
+   release-notes-4.0.25

documentation/migration-guides/release-notes-4.0.25.rst

@@ -0,0 +1,167 @@
+Release notes for Yocto-4.0.25 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  avahi: Fix :cve_nist:`2024-52616`
+-  binutils: Fix :cve_nist:`2024-53589`
+-  gdb: Fix :cve_nist:`2024-53589`
+-  go: Fix :cve_nist:`2024-34155`, :cve_nist:`2024-34156`, :cve_nist:`2024-34158` and
+   :cve_nist:`2024-45336`
+-  gstreamer1.0: Ignore :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`,
+   :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47538`,
+   :cve_nist:`2024-47541`, :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`,
+   :cve_nist:`2024-47615`, :cve_nist:`2024-47835`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`,
+   :cve_nist:`2024-47597`, :cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`,
+   :cve_nist:`2024-47777`, :cve_nist:`2024-47778`, :cve_nist:`2024-47834`, :cve_nist:`2024-47602`,
+   :cve_nist:`2024-47603`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`
+   and :cve_nist:`2024-47776`
+-  linux-yocto/5.15: Fix :cve_nist:`2024-36476`, :cve_nist:`2024-55916`, :cve_nist:`2024-56369`,
+   :cve_nist:`2024-56626`, :cve_nist:`2024-56627`, :cve_nist:`2024-56715`, :cve_nist:`2024-56716`,
+   :cve_nist:`2024-57802`, :cve_nist:`2024-57807`, :cve_nist:`2024-57841`, :cve_nist:`2024-57890`,
+   :cve_nist:`2024-57896`, :cve_nist:`2024-57900`, :cve_nist:`2024-57910`, :cve_nist:`2024-57911`,
+   :cve_nist:`2024-57938`, :cve_nist:`2024-57951`, :cve_nist:`2025-21631`, :cve_nist:`2025-21665`,
+   :cve_nist:`2025-21666`, :cve_nist:`2025-21669`, :cve_nist:`2025-21680`, :cve_nist:`2025-21683`,
+   :cve_nist:`2025-21694`, :cve_nist:`2025-21697` and :cve_nist:`2025-21699`
+-  ofono: Fix :cve_nist:`2024-7539`, :cve_nist:`2024-7540`, :cve_nist:`2024-7541`,
+   :cve_nist:`2024-7542`, :cve_nist:`2024-7543`, :cve_nist:`2024-7544`, :cve_nist:`2024-7545`,
+   :cve_nist:`2024-7546` and :cve_nist:`2024-7547`
+-  openssl: Fix :cve_nist:`2024-13176`
+-  rsync: Fix :cve_nist:`2024-12084`, :cve_nist:`2024-12085`, :cve_nist:`2024-12086`,
+   :cve_nist:`2024-12087`, :cve_nist:`2024-12088` and :cve_nist:`2024-12747`
+-  ruby: Fix :cve_nist:`2024-49761`
+-  socat: Fix :cve_nist:`2024-54661`
+-  vte: Fix :cve_nist:`2024-37535`
+-  wget: Fix :cve_nist:`2024-10524`
+
+
+Fixes in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: tests/fetch: Fix git shallow test failure with git >= 2.48
+-  build-appliance-image: Update to kirkstone head revision
+-  classes-global/insane: Look up all runtime providers for file-rdeps
+-  classes/nativesdk: also override :term:`TUNE_PKGARCH`
+-  classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture
+-  cmake: apply parallel build settings to ptest tasks
+-  dev-manual/building: document the initramfs-framework recipe
+-  docs: Update autobuilder URLs to valkyrie
+-  documentation: Fix typo in standards.md
+-  glibc: Suppress GCC -Os warning on user2netname for sunrpc
+-  glibc: stable 2.35 branch updates
+-  lib/packagedata.py: Add API to iterate over rprovides
+-  linux-yocto/5.15: upgrade to v5.15.178
+-  migration-guides: add release notes for 4.0.24
+-  openssl: upgrade to 3.0.16
+-  poky.conf: bump version for 4.0.25
+-  python3: Treat UID/GID overflow as failure
+-  rsync: Delete pedantic errors re-ordering patch
+-  rsync: upgrade to 3.2.7
+-  rust-common.bbclass: soft assignment for RUSTLIB path
+-  scripts/install-buildtools: Update to 4.0.23
+-  test-manual/reproducible-builds: fix reproducible links
+
+
+Known Issues in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Joshua Watt
+-  Khem Raj
+-  Lee Chee Yang
+-  Nikhil R
+-  Pedro Ferreira
+-  Peter Marko
+-  Praveen Kumar
+-  Richard Purdie
+-  Ross Burton
+-  Simon A. Eugster
+-  Steve Sakoman
+-  Yash Shinde
+-  Yogita Urade
+-  Zhang Peng
+
+
+Repositories / Downloads for Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </poky/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`b5aa03f336c121269551f9e7baed4c677c76bb39 </poky/commit/?id=b5aa03f336c121269551f9e7baed4c677c76bb39>`
+-  Release Artefact: poky-b5aa03f336c121269551f9e7baed4c677c76bb39
+-  sha: 7afbcb25f0dd89a4fb6dd4c5945061705ef9ce79a6863806278603273c2b3b4a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/poky-b5aa03f336c121269551f9e7baed4c677c76bb39.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/poky-b5aa03f336c121269551f9e7baed4c677c76bb39.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.25 </openembedded-core/log/?h=yocto-4.0.25>`
+-  Git Revision: :oe_git:`5a794fd244f7fdeb426bd5e3def6b4effc0e8c62 </openembedded-core/commit/?id=5a794fd244f7fdeb426bd5e3def6b4effc0e8c62>`
+-  Release Artefact: oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62
+-  sha: 8fc93109693e5f4702b3fe0633b6be833605291b3d595dc8bdeb6379f40cd2de
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </meta-mingw/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </meta-gplv2/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.25 </bitbake/log/?h=yocto-4.0.25>`
+-  Git Revision: :oe_git:`e71f1ce53cf3b8320caa481ae62d1ce2900c4670 </bitbake/commit/?id=e71f1ce53cf3b8320caa481ae62d1ce2900c4670>`
+-  Release Artefact: bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670
+-  sha: 007eef35174586c85b233f4ec91578956fe21e0236f7ca2c3f90f9d034f94b5b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.25 </yocto-docs/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`c6dce0c77481dee7b0a0fcdc803f755ceccef234 </yocto-docs/commit/?id=c6dce0c77481dee7b0a0fcdc803f755ceccef234>`
+

documentation/ref-manual/classes.rst

@@ -488,7 +488,7 @@ You can also look for vulnerabilities in specific packages by passing
 ``-c cve_check`` to BitBake.
 
 After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
-and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+and image specific summaries in ``tmp/deploy/images/*.json`` files.
 
 When building, the CVE checker will emit build time warnings for any detected
 issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component

documentation/ref-manual/features.rst

@@ -12,7 +12,7 @@ Features provide a mechanism for working out which packages should be
 included in the generated images. Distributions can select which
 features they want to support through the :term:`DISTRO_FEATURES` variable,
 which is set or appended to in a distribution's configuration file such
-as ``poky.conf``, ``poky-tiny.conf``, ``poky-lsb.conf`` and so forth.
+as ``poky.conf``, ``poky-tiny.conf``, ``poky-altcfg.conf`` and so forth.
 Machine features are set in the :term:`MACHINE_FEATURES` variable, which is
 set in the machine configuration file and specifies the hardware
 features for a given machine.

documentation/ref-manual/images.rst

@@ -51,27 +51,6 @@ Here is a list of supported recipes:
 -  ``core-image-full-cmdline``: A console-only image with more
    full-featured Linux system functionality installed.
 
--  ``core-image-lsb``: An image that conforms to the Linux Standard Base
-   (LSB) specification. This image requires a distribution configuration
-   that enables LSB compliance (e.g. ``poky-lsb``). If you build
-   ``core-image-lsb`` without that configuration, the image will not be
-   LSB-compliant.
-
--  ``core-image-lsb-dev``: A ``core-image-lsb`` image that is suitable
-   for development work using the host. The image includes headers and
-   libraries you can use in a host development environment. This image
-   requires a distribution configuration that enables LSB compliance
-   (e.g. ``poky-lsb``). If you build ``core-image-lsb-dev`` without that
-   configuration, the image will not be LSB-compliant.
-
--  ``core-image-lsb-sdk``: A ``core-image-lsb`` that includes everything
-   in the cross-toolchain but also includes development headers and
-   libraries to form a complete standalone SDK. This image requires a
-   distribution configuration that enables LSB compliance (e.g.
-   ``poky-lsb``). If you build ``core-image-lsb-sdk`` without that
-   configuration, the image will not be LSB-compliant. This image is
-   suitable for development using the target.
-
 -  ``core-image-minimal``: A small image just capable of allowing a
    device to boot.
 

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.25"
+DISTRO_VERSION = "4.0.26"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
@@ -37,6 +37,7 @@ SANITY_TESTED_DISTROS ?= " \
             ubuntu-18.04 \n \
             ubuntu-20.04 \n \
             ubuntu-22.04 \n \
+            ubuntu-24.04 \n \
             fedora-37 \n \
             fedora-39 \n \
             fedora-40 \n \

meta/conf/distro/include/yocto-uninative.inc

@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.40"
-UNINATIVE_VERSION = "4.6"
+UNINATIVE_MAXGLIBCVERSION = "2.41"
+UNINATIVE_VERSION = "4.7"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "c2d36338272eba101580f648dd8dff5352cdb4c1809db7dedf8fc4d7e7df716c"
-UNINATIVE_CHECKSUM[i686] ?= "0041584678109c18deca48fb59eaf14cf725cf024a170ab537b354b63240c504"
-UNINATIVE_CHECKSUM[x86_64] ?= "6bf00154c5a7bc48adbf63fd17684bb87eb07f4814fbb482a3fbd817c1ccf4c5"
+UNINATIVE_CHECKSUM[aarch64] ?= "ac440e4fc80665c79f9718c665c6e28d771e51609c088c3c97ba3ad5cfed197a"
+UNINATIVE_CHECKSUM[i686] ?= "c5efa31450f3bbd63ea961d4e7c747ae41317937d429f65e1d5cf2050338e27a"
+UNINATIVE_CHECKSUM[x86_64] ?= "5800d4e9a129d1be09cf548918d25f74e91a7c1193ae5239d5b0c9246c486d2c"

meta/files/toolchain-shar-extract.sh

@@ -1,6 +1,11 @@
 #!/bin/sh
 
 export LC_ALL=en_US.UTF-8
+
+# The pipefail option is now part of POSIX (POSIX.1-2024) and available in more
+# and more shells. Enable it if available to make the SDK installer more robust.
+(set -o pipefail 2> /dev/null) && set -o pipefail
+
 #Make sure at least one python is installed
 INIT_PYTHON=$(which python3 2>/dev/null )
 [ -z "$INIT_PYTHON" ] && INIT_PYTHON=$(which python2 2>/dev/null)

meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch

@@ -0,0 +1,68 @@
+From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH 1/2] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1578f36c3..14d8f37ac 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+ 
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++  char *d = dest;
++  grub_size_t res = 0;
++  /*
++   * We do not subtract one from size here to avoid dealing with underflowing
++   * the value, which is why to_copy is always checked to be greater than one
++   * throughout this function.
++   */
++  grub_size_t to_copy = size;
++
++  /* Copy size - 1 bytes to dest. */
++  if (to_copy > 1)
++    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++      ;
++
++  /*
++   * NUL terminate if size != 0. The previous step may have copied a NUL byte
++   * if it reached the end of the string, but we know dest[size - 1] must always
++   * be a NUL byte.
++   */
++  if (size != 0)
++    dest[size - 1] = '\0';
++
++  /* If there is still space in dest, but are here, we reached the end of src. */
++  if (to_copy > 1)
++    return res;
++
++  /*
++   * If we haven't reached the end of the string, iterate through to determine
++   * the strings total length.
++   */
++  while (*src++ != '\0' && ++res)
++   ;
++
++  return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)

meta/recipes-bsp/grub/files/CVE-2024-45774.patch

@@ -0,0 +1,40 @@
+From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 8 Mar 2024 22:47:20 +1100
+Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in
+ JPEG
+
+Otherwise a subsequent header could change the height and width
+allowing future OOB writes.
+
+Fixes: CVE-2024-45774
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45774
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 6019b6a..5e5e39c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -330,6 +330,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   if (grub_errno != GRUB_ERR_NONE)
+     return grub_errno;
+ 
++  if (data->image_height != 0 || data->image_width != 0)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: cannot have duplicate SOF0 markers");
++
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45775.patch

@@ -0,0 +1,41 @@
+From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:55 +0000
+Subject: [PATCH] commands/extcmd: Missing check for failed allocation
+
+The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
+a grub_arg_list struct but it does not verify the allocation was successful.
+In case of failed allocation the NULL state pointer can be accessed in
+parse_option() through grub_arg_parse() which may lead to a security issue.
+
+Fixes: CVE-2024-45775
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45775
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/extcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 90a5ca2..c236be1 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
+     }
+ 
+   state = grub_arg_list_alloc (ext, argc, args);
++  if (state == NULL)
++    return grub_errno;
++
+   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
+     {
+       context.state = state;
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45776.patch

@@ -0,0 +1,42 @@
+From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:56 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
+
+Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
+overflow leading to subsequent OOB write or read. This patch fixes the
+issue by replacing grub_zalloc() and explicit multiplication with
+grub_calloc() which does the same thing in safe manner.
+
+Fixes: CVE-2024-45776
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45776
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 4d02e62..55d8b67 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
+   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
+        ctx->grub_gettext_max_log++);
+ 
+-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
+-					    * sizeof (ctx->grub_gettext_msg_list[0]));
++  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
++					    sizeof (ctx->grub_gettext_msg_list[0]));
+   if (!ctx->grub_gettext_msg_list)
+     {
+       grub_file_close (fd);
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45777.patch

@@ -0,0 +1,60 @@
+From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:57 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
+
+The size calculation of the translation buffer in
+grub_gettext_getstr_from_position() may overflow
+to 0 leading to heap OOB write. This patch fixes
+the issue by using grub_add() and checking for
+an overflow.
+
+Fixes: CVE-2024-45777
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45777
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 55d8b67..85ea44a 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -26,6 +26,7 @@
+ #include <grub/file.h>
+ #include <grub/kernel.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   char *translation;
+   struct string_descriptor desc;
+   grub_err_t err;
++  grub_size_t alloc_sz;
+ 
+   internal_position = (off + position * sizeof (desc));
+ 
+@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   length = grub_cpu_to_le32 (desc.length);
+   offset = grub_cpu_to_le32 (desc.offset);
+ 
+-  translation = grub_malloc (length + 1);
++  if (grub_add (length, 1, &alloc_sz))
++    return NULL;
++
++  translation = grub_malloc (alloc_sz);
+   if (!translation)
+     return NULL;
+ 
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch

@@ -0,0 +1,58 @@
+From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 15:59:43 +1100
+Subject: [PATCH] fs/bfs: Disable under lockdown
+
+The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
+This will also disable the AFS.
+
+Fixes: CVE-2024-45778
+Fixes: CVE-2024-45779
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45778
+CVE: CVE-2024-45779
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/bfs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
+index 47dbe20..8d704e2 100644
+--- a/grub-core/fs/bfs.c
++++ b/grub-core/fs/bfs.c
+@@ -30,6 +30,7 @@
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1104,7 +1105,10 @@ GRUB_MOD_INIT (bfs)
+ {
+   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
+ 		       sizeof (struct grub_bfs_extent));
+-  grub_fs_register (&grub_bfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_bfs_fs);
++    }
+ }
+ 
+ #ifdef MODE_AFS
+@@ -1113,5 +1117,6 @@ GRUB_MOD_FINI (afs)
+ GRUB_MOD_FINI (bfs)
+ #endif
+ {
+-  grub_fs_unregister (&grub_bfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_bfs_fs);
+ }
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45780.patch

@@ -0,0 +1,96 @@
+From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:58 +0000
+Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
+
+Both namesize and linksize are derived from hd.size, a 12-digit octal
+number parsed by read_number(). Later direct arithmetic calculation like
+"namesize + 1" and "linksize + 1" may exceed the maximum value of
+grub_size_t leading to heap OOB write. This patch fixes the issue by
+using grub_add() and checking for an overflow.
+
+Fixes: CVE-2024-45780
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45780
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/tar.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index c551ed6..a9e39b0 100644
+--- a/grub-core/fs/tar.c
++++ b/grub-core/fs/tar.c
+@@ -25,6 +25,7 @@
+ #include <grub/mm.h>
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ {
+   struct head hd;
+   int reread = 0, have_longname = 0, have_longlink = 0;
++  grub_size_t sz;
+ 
+   data->hofs = data->next_hofs;
+ 
+@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
+-	  *name = grub_malloc (namesize + 1);
++
++	  if (grub_add (namesize, 1, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
++
++	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
+-	  if (data->linkname_alloc < linksize + 1)
++
++	  if (grub_add (linksize, 1, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
++
++	  if (data->linkname_alloc < sz)
+ 	    {
+ 	      char *n;
+-	      n = grub_calloc (2, linksize + 1);
++	      n = grub_calloc (2, sz);
+ 	      if (!n)
+ 		return grub_errno;
+ 	      grub_free (data->linkname);
+ 	      data->linkname = n;
+-	      data->linkname_alloc = 2 * (linksize + 1);
++	      data->linkname_alloc = 2 * (sz);
+ 	    }
+ 
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	  while (extra_size < sizeof (hd.prefix)
+ 		 && hd.prefix[extra_size])
+ 	    extra_size++;
+-	  *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
++
++	  if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
++	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  if (hd.prefix[0])
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45781.patch

@@ -0,0 +1,38 @@
+From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:03:33 +0100
+Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write
+
+grub_strcpy() was used to copy a symlink name from the filesystem
+image to a heap allocated buffer. This led to a OOB write to adjacent
+heap allocations. Fix by using grub_strlcpy().
+
+Fixes: CVE-2024-45781
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45781
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ufs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 34a698b..4727266 100644
+--- a/grub-core/fs/ufs.c
++++ b/grub-core/fs/ufs.c
+@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
+   /* Check against zero is paylindromic, no need to swap.  */
+   if (data->inode.nblocks == 0
+       && INODE_SIZE (data) <= sizeof (data->inode.symlink))
+-    grub_strcpy (symlink, (char *) data->inode.symlink);
++    grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
+   else
+     {
+       if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch

@@ -0,0 +1,39 @@
+From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:48:33 +0100
+Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()
+
+Replaced with grub_strlcpy().
+
+Fixes: CVE-2024-45782
+Fixes: CVE-2024-56737
+Fixes: https://savannah.gnu.org/bugs/?66599
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45782
+CVE: CVE-2024-56737
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/hfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index f419965..bb7af5f 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)
+      volume name.  */
+   key.parent_dir = grub_cpu_to_be32_compile_time (1);
+   key.strlen = data->sblock.volname[0];
+-  grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
++  grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));
+ 
+   if (grub_hfs_find_node (data, (char *) &key, data->cat_root,
+ 			  0, (char *) &dir, sizeof (dir)) == 0)
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2024-45783.patch

@@ -0,0 +1,42 @@
+From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 06:22:51 +0100
+Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails
+
+It was possible for mount to fail but not set grub_errno. This led to
+a possible double decrement of the module reference count if the NULL
+page was mapped.
+
+Fixing in general as a similar bug was fixed in commit 61b13c187
+(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there
+are likely more variants around.
+
+Fixes: CVE-2024-45783
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45783
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/hfsplus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 19c7b33..e7fd98a 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -393,7 +393,7 @@ grub_hfsplus_mount (grub_disk_t disk)
+ 
+  fail:
+ 
+-  if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
++  if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)
+     grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem");
+ 
+   grub_free (data);
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch

@@ -0,0 +1,39 @@
+From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 19:24:29 +0000
+Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on
+ module unload
+
+If the hooks are not removed they can be called after the module has
+been unloaded leading to an use-after-free.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/pgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
+index 5daa1e9..1abdea6 100644
+--- a/grub-core/commands/pgp.c
++++ b/grub-core/commands/pgp.c
+@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
+ 
+ GRUB_MOD_FINI(pgp)
+ {
++  grub_register_variable_hook ("check_signatures", NULL, NULL);
++  grub_env_unset ("check_signatures");
+   grub_verifier_unregister (&grub_pubkey_verifier);
+   grub_unregister_extcmd (cmd);
+   grub_unregister_extcmd (cmd_trust);
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch

@@ -0,0 +1,44 @@
+From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:46:55 +0000
+Subject: [PATCH 2/3] normal: Remove variables hooks on module unload
+
+The normal module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload normal module now but fix the
+issues for completeness.
+
+On the occasion replace 0s with NULLs for "pager" variable
+hooks unregister.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/normal/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index c4ebe9e..31c53a6 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -581,7 +581,9 @@ GRUB_MOD_FINI(normal)
+   grub_xputs = grub_xputs_saved;
+ 
+   grub_set_history (0);
+-  grub_register_variable_hook ("pager", 0, 0);
++  grub_register_variable_hook ("pager", NULL, NULL);
++  grub_register_variable_hook ("color_normal", NULL, NULL);
++  grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
+ }
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch

@@ -0,0 +1,41 @@
+From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:52:06 +0000
+Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload
+
+The gettext module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload gettext module because normal
+module depends on it. Though fix the issues for completeness.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 85ea44a..7a25c9d 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -540,6 +540,10 @@ GRUB_MOD_INIT (gettext)
+ 
+ GRUB_MOD_FINI (gettext)
+ {
++  grub_register_variable_hook ("locale_dir", NULL, NULL);
++  grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
++  grub_register_variable_hook ("lang", NULL, NULL);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0624.patch

@@ -0,0 +1,87 @@
+From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 15 Nov 2024 13:12:09 +0000
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0624
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 4d3eb5c..ec7f01c 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1773,14 +1773,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config)
++grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
++  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
++  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -1806,7 +1807,7 @@ grub_net_search_config_file (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
++          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 31c53a6..a95c25e 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+ 
+           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
+               !disable_net_search)
+-            grub_net_search_config_file (config);
++            grub_net_search_config_file (config, config_len);
+ 
+ 	  grub_enter_normal_mode (config);
+ 	  grub_free (config);
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 7ae4b6b..d6ba8b1 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -570,7 +570,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config);
++grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ 
+ extern char *grub_net_default_server;
+ 
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch

@@ -0,0 +1,380 @@
+From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 16:20:45 +1100
+Subject: [PATCH] fs: Disable many filesystems under lockdown
+
+The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
+hfsplus, iso9660, squash4, tar, xfs and zfs.
+
+The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
+reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0677
+Fixes: CVE-2025-0684
+Fixes: CVE-2025-0685
+Fixes: CVE-2025-0686
+Fixes: CVE-2025-0689
+
+Suggested-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0677
+CVE: CVE-2025-0684
+CVE: CVE-2025-0685
+CVE: CVE-2025-0686
+CVE: CVE-2025-0689
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/affs.c     | 9 +++++++--
+ grub-core/fs/cbfs.c     | 9 +++++++--
+ grub-core/fs/jfs.c      | 9 +++++++--
+ grub-core/fs/minix.c    | 9 +++++++--
+ grub-core/fs/nilfs2.c   | 9 +++++++--
+ grub-core/fs/ntfs.c     | 9 +++++++--
+ grub-core/fs/reiserfs.c | 9 +++++++--
+ grub-core/fs/romfs.c    | 9 +++++++--
+ grub-core/fs/sfs.c      | 9 +++++++--
+ grub-core/fs/udf.c      | 9 +++++++--
+ grub-core/fs/ufs.c      | 9 +++++++--
+ 11 files changed, 77 insertions(+), 22 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index cafcd0f..d676532 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -699,11 +700,15 @@ static struct grub_fs grub_affs_fs =
+ 
+ GRUB_MOD_INIT(affs)
+ {
+-  grub_fs_register (&grub_affs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_affs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(affs)
+ {
+-  grub_fs_unregister (&grub_affs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_affs_fs);
+ }
+diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
+index 581215e..477a14e 100644
+--- a/grub-core/fs/cbfs.c
++++ b/grub-core/fs/cbfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/cbfs_core.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs)
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   init_cbfsdisk ();
+ #endif
+-  grub_fs_register (&grub_cbfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_cbfs_fs);
++    }
+ }
+ 
+ GRUB_MOD_FINI (cbfs)
+ {
+-  grub_fs_unregister (&grub_cbfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_cbfs_fs);
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   fini_cbfsdisk ();
+ #endif
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 6f7c439..c0bbab8 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/charset.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs =
+ 
+ GRUB_MOD_INIT(jfs)
+ {
+-  grub_fs_register (&grub_jfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_jfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(jfs)
+ {
+-  grub_fs_unregister (&grub_jfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_jfs_fs);
+ }
+diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
+index 3cd18c8..7588835 100644
+--- a/grub-core/fs/minix.c
++++ b/grub-core/fs/minix.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -732,7 +733,10 @@ GRUB_MOD_INIT(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_minix_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_minix_fs);
++    }
+   my_mod = mod;
+ }
+ 
+@@ -754,5 +758,6 @@ GRUB_MOD_FINI(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_minix_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_minix_fs);
+ }
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index 3c248a9..3f8e495 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -34,6 +34,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2)
+ 				  grub_nilfs2_dat_entry));
+   COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
+ 		       == sizeof (struct grub_nilfs2_inode));
+-  grub_fs_register (&grub_nilfs2_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_nilfs2_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (nilfs2)
+ {
+-  grub_fs_unregister (&grub_nilfs2_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_nilfs2_fs);
+ }
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 8f63c83..713e24d 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/ntfs.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1254,11 +1255,15 @@ static struct grub_fs grub_ntfs_fs =
+ 
+ GRUB_MOD_INIT (ntfs)
+ {
+-  grub_fs_register (&grub_ntfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_ntfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (ntfs)
+ {
+-  grub_fs_unregister (&grub_ntfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_ntfs_fs);
+ }
+diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
+index af6a226..76cb231 100644
+--- a/grub-core/fs/reiserfs.c
++++ b/grub-core/fs/reiserfs.c
+@@ -39,6 +39,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs =
+ 
+ GRUB_MOD_INIT(reiserfs)
+ {
+-  grub_fs_register (&grub_reiserfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_reiserfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(reiserfs)
+ {
+-  grub_fs_unregister (&grub_reiserfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_reiserfs_fs);
+ }
+diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
+index d97b8fb..d174449 100644
+--- a/grub-core/fs/romfs.c
++++ b/grub-core/fs/romfs.c
+@@ -23,6 +23,7 @@
+ #include <grub/disk.h>
+ #include <grub/fs.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs =
+ 
+ GRUB_MOD_INIT(romfs)
+ {
+-  grub_fs_register (&grub_romfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_romfs_fs);
++    }
+ }
+ 
+ GRUB_MOD_FINI(romfs)
+ {
+-  grub_fs_unregister (&grub_romfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_romfs_fs);
+ }
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 983e880..f64bdd2 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ #include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs =
+ 
+ GRUB_MOD_INIT(sfs)
+ {
+-  grub_fs_register (&grub_sfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_sfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(sfs)
+ {
+-  grub_fs_unregister (&grub_sfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_sfs_fs);
+ }
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index 2ac5c1d..f89c6b0 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/lockdown.h>
+ #include <grub/udf.h>
+ #include <grub/safemath.h>
+ 
+@@ -1382,11 +1383,15 @@ static struct grub_fs grub_udf_fs = {
+ 
+ GRUB_MOD_INIT (udf)
+ {
+-  grub_fs_register (&grub_udf_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_udf_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (udf)
+ {
+-  grub_fs_unregister (&grub_udf_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_udf_fs);
+ }
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 4727266..90fda07 100644
+--- a/grub-core/fs/ufs.c
++++ b/grub-core/fs/ufs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_ufs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_ufs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_ufs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_ufs_fs);
+ }
+ 
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch

@@ -0,0 +1,90 @@
+From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Tue, 21 Jan 2025 19:02:37 +0000
+Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
+
+Use grub_calloc() when allocating memory for arrays to ensure proper
+overflow checks are in place.
+
+The HFS+ and squash4 security vulnerabilities were reported by
+Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0678
+Fixes: CVE-2025-1125
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0678
+CVE: CVE-2025-1125
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/btrfs.c       | 4 ++--
+ grub-core/fs/hfspluscomp.c | 9 +++++++--
+ grub-core/fs/squash4.c     | 8 ++++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 6320303..3b8b2f0 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -1197,8 +1197,8 @@ grub_btrfs_mount (grub_device_t dev)
+     }
+ 
+   data->n_devices_allocated = 16;
+-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
+-					* data->n_devices_allocated);
++  data->devices_attached = grub_calloc (data->n_devices_allocated,
++					sizeof (data->devices_attached[0]));
+   if (!data->devices_attached)
+     {
+       grub_free (data);
+diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
+index d76f3f1..4965ef1 100644
+--- a/grub-core/fs/hfspluscomp.c
++++ b/grub-core/fs/hfspluscomp.c
+@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
+ 	  return 0;
+ 	}
+       node->compress_index_size = grub_le_to_cpu32 (index_size);
+-      node->compress_index = grub_malloc (node->compress_index_size
+-					  * sizeof (node->compress_index[0]));
++      node->compress_index = grub_calloc (node->compress_index_size,
++					  sizeof (node->compress_index[0]));
+       if (!node->compress_index)
+ 	{
+ 	  node->compressed = 0;
+ 	  grub_free (attr_node);
+ 	  return grub_errno;
+ 	}
++
++      /*
++       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
++       * due to relevant checks done in grub_calloc() above.
++       */
+       if (grub_hfsplus_read_file (node, 0, 0,
+ 				  0x104 + sizeof (index_size),
+ 				  node->compress_index_size
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 6dd731e..f79fc75 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -804,10 +804,10 @@ direct_read (struct grub_squash_data *data,
+ 	  break;
+ 	}
+       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
+-      ino->block_sizes = grub_malloc (total_blocks
+-				      * sizeof (ino->block_sizes[0]));
+-      ino->cumulated_block_sizes = grub_malloc (total_blocks
+-						* sizeof (ino->cumulated_block_sizes[0]));
++      ino->block_sizes = grub_calloc (total_blocks,
++				      sizeof (ino->block_sizes[0]));
++      ino->cumulated_block_sizes = grub_calloc (total_blocks,
++						sizeof (ino->cumulated_block_sizes[0]));
+       if (!ino->block_sizes || !ino->cumulated_block_sizes)
+ 	{
+ 	  grub_free (ino->block_sizes);
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-0690.patch

@@ -0,0 +1,75 @@
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+
+Fixes: CVE-2025-0690
+
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index fe3e88b..f3ff826 100644
+--- a/grub-core/commands/read.c
++++ b/grub-core/commands/read.c
+@@ -25,19 +25,21 @@
+ #include <grub/types.h>
+ #include <grub/command.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static char *
+ grub_getline (void)
+ {
+-  int i;
++  grub_size_t i;
+   char *line;
+   char *tmp;
+   char c;
++  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
++  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -50,8 +52,17 @@ grub_getline (void)
+       line[i] = c;
+       if (grub_isprint (c))
+ 	grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
++      if (grub_add (i, 1, &i))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+ 	{
+ 	  grub_free (line);
+-- 
+2.25.1
+

meta/recipes-bsp/grub/files/CVE-2025-1118.patch

@@ -0,0 +1,40 @@
+From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 20:29:39 +0100
+Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode
+
+The dump enables a user to read memory which should not be possible
+in lockdown mode.
+
+Fixes: CVE-2025-1118
+
+Reported-by: B Horn <b@horn.uk>
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-1118
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/minicmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index fa49893..903af33 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)
+     grub_register_command ("help", grub_mini_cmd_help,
+ 			   0, N_("Show this message."));
+   cmd_dump =
+-    grub_register_command ("dump", grub_mini_cmd_dump,
+-			   N_("ADDR [SIZE]"), N_("Show memory contents."));
++    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
++				    N_("ADDR [SIZE]"), N_("Show memory contents."));
+   cmd_rmmod =
+     grub_register_command ("rmmod", grub_mini_cmd_rmmod,
+ 			   N_("MODULE"), N_("Remove a module."));
+-- 
+2.25.1
+

meta/recipes-bsp/grub/grub2.inc

@@ -41,6 +41,24 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 	   file://CVE-2023-4692.patch \
            file://CVE-2023-4693.patch \
            file://0001-fs-fat-Don-t-error-when-mtime-is-0.patch \
+           file://0001-misc-Implement-grub_strlcpy.patch \
+           file://CVE-2024-45774.patch \
+           file://CVE-2024-45775.patch \
+           file://CVE-2024-45776.patch \
+           file://CVE-2024-45777.patch \
+           file://CVE-2024-45778_CVE-2024-45779.patch \
+           file://CVE-2024-45780.patch \
+           file://CVE-2024-45781.patch \
+           file://CVE-2024-45782_CVE-2024-56737.patch \
+           file://CVE-2024-45783.patch \
+           file://CVE-2025-0622-01.patch \
+           file://CVE-2025-0622-02.patch \
+           file://CVE-2025-0622-03.patch \
+           file://CVE-2025-0624.patch \
+           file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
+           file://CVE-2025-0678_CVE-2025-1125.patch \
+           file://CVE-2025-0690.patch \
+           file://CVE-2025-1118.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"

meta/recipes-bsp/u-boot/files/0001-CVE-2022-30767.patch

@@ -0,0 +1,44 @@
+From bdbf7a05e26f3c5fd437c99e2755ffde186ddc80 Thr Jun 2 00:00:00 2022
+From: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Date: Tue, 14 Jun 2022 17:16:00 +0200
+Subject: [PATCH] net: nfs: Fix CVE-2022-30767 (old CVE-2019-14196)
+
+This patch mitigates the vulnerability identified via CVE-2019-14196.
+The previous patch was bypassed/ineffective, and now the vulnerability
+is identified via CVE-2022-30767. The patch removes the sanity check
+introduced to mitigate CVE-2019-14196 since it's ineffective.
+filefh3_length is changed to unsigned type integer, preventing negative
+numbers from being used during comparison with positive values during
+size sanity checks.
+
+CVE: CVE-2019-14196
+
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/bdbf7a05e26f3c5fd437c99e2755ffde186ddc80]
+Signed-off-by: Andrea zi0Black Cappa <zi0Black@protonmail.com>
+Signed-off-by: Carlos Dominguez <carlos.dominguez@windriver.com>
+---
+ net/nfs.c |    4 +---
+ 1 file changed, 1 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 70d0e08bde..3003f54aac 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -57,7 +57,7 @@ static ulong nfs_timeout = NFS_TIMEOUT;
+ 
+ static char dirfh[NFS_FHSIZE];	/* NFSv2 / NFSv3 file handle of directory */
+ static char filefh[NFS3_FHSIZE]; /* NFSv2 / NFSv3 file handle */
+-static int filefh3_length;	/* (variable) length of filefh when NFSv3 */
++static unsigned int filefh3_length;	/* (variable) length of filefh when NFSv3 */
+ 
+ static enum net_loop_state nfs_download_state;
+ static struct in_addr nfs_server_ip;
+@@ -578,8 +578,6 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ 		filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ 		if (filefh3_length > NFS3_FHSIZE)
+ 			filefh3_length  = NFS3_FHSIZE;
+-		if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
+-			return -NFS_RPC_DROP;
+ 		memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ 	}
+ 

meta/recipes-bsp/u-boot/files/CVE-2022-2347_1.patch

@@ -0,0 +1,129 @@
+From 9d2d2deabc49dbedf93a7192b25f55d9933fcede Mon Sep 17 00:00:00 2001
+From: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Date: Thu, 3 Nov 2022 09:37:48 +0530
+Subject: [PATCH 1/2] usb: gadget: dfu: Fix the unchecked length field
+
+DFU implementation does not bound the length field in USB
+DFU download setup packets, and it does not verify that
+the transfer direction. Fixing the length and transfer
+direction.
+
+CVE-2022-2347
+
+Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+
+CVE: CVE-2022-2347
+Upstream-Status: Backport [fbce985e28eaca3af82afecc11961aadaf971a7e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ drivers/usb/gadget/f_dfu.c | 56 +++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 4bedc7d3a1..33ef62f8ba 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -321,21 +321,29 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (len == 0) {
+-			f_dfu->dfu_state = DFU_STATE_dfuERROR;
+-			value = RET_STALL;
+-			break;
++		if (ctrl->bRequestType == USB_DIR_OUT) {
++			if (len == 0) {
++				f_dfu->dfu_state = DFU_STATE_dfuERROR;
++				value = RET_STALL;
++				break;
++			}
++			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++			f_dfu->blk_seq_num = w_value;
++			value = handle_dnload(gadget, len);
+ 		}
+-		f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_dnload(gadget, len);
+ 		break;
+ 	case USB_REQ_DFU_UPLOAD:
+-		f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+-		f_dfu->blk_seq_num = 0;
+-		value = handle_upload(req, len);
++		if (ctrl->bRequestType == USB_DIR_IN) {
++			f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
++			f_dfu->blk_seq_num = 0;
++			value = handle_upload(req, len);
++			if (value >= 0 && value < len)
++				f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		/* no zlp? */
+@@ -424,11 +432,15 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_dnload(gadget, len);
++		if (ctrl->bRequestType == USB_DIR_OUT) {
++			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
++			f_dfu->blk_seq_num = w_value;
++			value = handle_dnload(gadget, len);
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -511,13 +523,17 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ 	u16 len = le16_to_cpu(ctrl->wLength);
+ 	int value = 0;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_UPLOAD:
+-		/* state transition if less data then requested */
+-		f_dfu->blk_seq_num = w_value;
+-		value = handle_upload(req, len);
+-		if (value >= 0 && value < len)
+-			f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		if (ctrl->bRequestType == USB_DIR_IN) {
++			/* state transition if less data then requested */
++			f_dfu->blk_seq_num = w_value;
++			value = handle_upload(req, len);
++			if (value >= 0 && value < len)
++				f_dfu->dfu_state = DFU_STATE_dfuIDLE;
++		}
+ 		break;
+ 	case USB_REQ_DFU_ABORT:
+ 		f_dfu->dfu_state = DFU_STATE_dfuIDLE;
+@@ -593,6 +609,8 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ 	int value = 0;
+ 	u8 req_type = ctrl->bRequestType & USB_TYPE_MASK;
+ 
++	len = len > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : len;
++
+ 	debug("w_value: 0x%x len: 0x%x\n", w_value, len);
+ 	debug("req_type: 0x%x ctrl->bRequest: 0x%x f_dfu->dfu_state: 0x%x\n",
+ 	       req_type, ctrl->bRequest, f_dfu->dfu_state);
+@@ -612,7 +630,7 @@ dfu_handle(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
+ 		value = dfu_state[f_dfu->dfu_state] (f_dfu, ctrl, gadget, req);
+ 
+ 	if (value >= 0) {
+-		req->length = value;
++		req->length = value > DFU_USB_BUFSIZ ? DFU_USB_BUFSIZ : value;
+ 		req->zero = value < len;
+ 		value = usb_ep_queue(gadget->ep0, req, 0);
+ 		if (value < 0) {
+-- 
+2.32.0
+

meta/recipes-bsp/u-boot/files/CVE-2022-2347_2.patch

@@ -0,0 +1,66 @@
+From 0f465b3e81baa095b62a154a739c5378285526db Mon Sep 17 00:00:00 2001
+From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Date: Wed, 30 Nov 2022 09:29:16 +0100
+Subject: [PATCH 2/2] usb: gadget: dfu: Fix check of transfer direction
+
+Commit fbce985e28eaca3af82afecc11961aadaf971a7e to fix CVE-2022-2347
+blocks DFU usb requests.
+The verification of the transfer direction was done by an equality
+but it is a bit mask.
+
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Reviewed-by: Fabio Estevam <festevam@denx.de>
+Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Tested-by: Marek Vasut <marex@denx.de>
+
+CVE: CVE-2022-2347
+Upstream-Status: Backport [14dc0ab138988a8e45ffa086444ec8db48b3f103]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ drivers/usb/gadget/f_dfu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
+index 33ef62f8ba..44877df4ec 100644
+--- a/drivers/usb/gadget/f_dfu.c
++++ b/drivers/usb/gadget/f_dfu.c
+@@ -325,7 +325,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (ctrl->bRequestType == USB_DIR_OUT) {
++		if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ 			if (len == 0) {
+ 				f_dfu->dfu_state = DFU_STATE_dfuERROR;
+ 				value = RET_STALL;
+@@ -337,7 +337,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
+ 		}
+ 		break;
+ 	case USB_REQ_DFU_UPLOAD:
+-		if (ctrl->bRequestType == USB_DIR_IN) {
++		if (ctrl->bRequestType & USB_DIR_IN) {
+ 			f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
+ 			f_dfu->blk_seq_num = 0;
+ 			value = handle_upload(req, len);
+@@ -436,7 +436,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_DNLOAD:
+-		if (ctrl->bRequestType == USB_DIR_OUT) {
++		if (!(ctrl->bRequestType & USB_DIR_IN)) {
+ 			f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
+ 			f_dfu->blk_seq_num = w_value;
+ 			value = handle_dnload(gadget, len);
+@@ -527,7 +527,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
+ 
+ 	switch (ctrl->bRequest) {
+ 	case USB_REQ_DFU_UPLOAD:
+-		if (ctrl->bRequestType == USB_DIR_IN) {
++		if (ctrl->bRequestType & USB_DIR_IN) {
+ 			/* state transition if less data then requested */
+ 			f_dfu->blk_seq_num = w_value;
+ 			value = handle_upload(req, len);
+-- 
+2.32.0
+

meta/recipes-bsp/u-boot/files/CVE-2022-30790.patch

@@ -0,0 +1,149 @@
+From 1817c3824a08bbad7fd2fbae1a6e73be896e8e5e Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Fri, 14 Oct 2022 19:43:39 +0200
+Subject: [PATCH] net: (actually/better) deal with CVE-2022-{30790,30552}
+
+I hit a strange problem with v2022.10: Sometimes my tftp transfer
+would seemingly just hang. It only happened for some files. Moreover,
+changing tftpblocksize from 65464 to 65460 or 65000 made it work again
+for all the files I tried. So I started suspecting it had something to
+do with the file sizes and in particular the way the tftp blocks get
+fragmented and reassembled.
+
+v2022.01 showed no problems with any of the files or any value of
+tftpblocksize.
+
+Looking at what had changed in net.c or tftp.c since January showed
+only one remotely interesting thing, b85d130ea0ca.
+
+So I fired up wireshark on my host to see if somehow one of the
+packets would be too small. But no, with both v2022.01 and v2022.10,
+the exact same sequence of packets were sent, all but the last of size
+1500, and the last being 1280 bytes.
+
+But then it struck me that 1280 is 5*256, so one of the two bytes
+on-the-wire is 0 and the other is 5, and when then looking at the code
+again the lack of endianness conversion becomes obvious. [ntohs is
+both applied to ip->ip_off just above, as well as to ip->ip_len just a
+little further down when the "len" is actually computed].
+
+IOWs the current code would falsely reject any packet which happens to
+be a multiple of 256 bytes in size, breaking tftp transfers somewhat
+randomly, and if it did get one of those "malicious" packets with
+ip_len set to, say, 27, it would be seen by this check as being 6912
+and hence not rejected.
+
+====
+
+Now, just adding the missing ntohs() would make my initial problem go
+away, in that I can now download the file where the last fragment ends
+up being 1280 bytes. But there's another bug in the code and/or
+analysis: The right-hand side is too strict, in that it is ok for the
+last fragment not to have a multiple of 8 bytes as payload - it really
+must be ok, because nothing in the IP spec says that IP datagrams must
+have a multiple of 8 bytes as payload. And comments in the code also
+mention this.
+
+To fix that, replace the comparison with <= IP_HDR_SIZE and add
+another check that len is actually a multiple of 8 when the "more
+fragments" bit is set - which it necessarily is for the case where
+offset8 ends up being 0, since we're only called when
+
+  (ip_off & (IP_OFFS | IP_FLAGS_MFRAG)).
+
+====
+
+So, does this fix CVE-2022-30790 for real? It certainly correctly
+rejects the POC code which relies on sending a packet of size 27 with
+the MFRAG flag set. Can the attack be carried out with a size 27
+packet that doesn't set MFRAG (hence must set a non-zero fragment
+offset)? I dunno. If we get a packet without MFRAG, we update
+h->last_byte in the hole we've found to be start+len, hence we'd enter
+one of
+
+	if ((h >= thisfrag) && (h->last_byte <= start + len)) {
+
+or
+
+	} else if (h->last_byte <= start + len) {
+
+and thus won't reach any of the
+
+		/* overlaps with initial part of the hole: move this hole */
+		newh = thisfrag + (len / 8);
+
+		/* fragment sits in the middle: split the hole */
+		newh = thisfrag + (len / 8);
+
+IOW these division are now guaranteed to be exact, and thus I think
+the scenario in CVE-2022-30790 cannot happen anymore.
+
+====
+
+However, there's a big elephant in the room, which has always been
+spelled out in the comments, and which makes me believe that one can
+still cause mayhem even with packets whose payloads are all 8-byte
+aligned:
+
+    This code doesn't deal with a fragment that overlaps with two
+    different holes (thus being a superset of a previously-received
+    fragment).
+
+Suppose each character below represents 8 bytes, with D being already
+received data, H being a hole descriptor (struct hole), h being
+non-populated chunks, and P representing where the payload of a just
+received packet should go:
+
+  DDDHhhhhDDDDHhhhDDDD
+        PPPPPPPPP
+
+I'm pretty sure in this case we'd end up with h being the first hole,
+enter the simple
+
+	} else if (h->last_byte <= start + len) {
+		/* overlaps with final part of the hole: shorten this hole */
+		h->last_byte = start;
+
+case, and thus in the memcpy happily overwrite the second H with our
+chosen payload. This is probably worth fixing...
+
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+CVE: CVE-2022-30790
+Upstream-Status: Backport [1817c3824a08bbad7fd2fbae1a6e73be896e8e5e]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ net/net.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/net.c b/net/net.c
+index 434c3b411e..987c25931e 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -924,7 +924,11 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
+ 	int offset8, start, len, done = 0;
+ 	u16 ip_off = ntohs(ip->ip_off);
+ 
+-	if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)
++	/*
++	 * Calling code already rejected <, but we don't have to deal
++	 * with an IP fragment with no payload.
++	 */
++	if (ntohs(ip->ip_len) <= IP_HDR_SIZE)
+ 		return NULL;
+ 
+ 	/* payload starts after IP header, this fragment is in there */
+@@ -934,6 +938,10 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
+ 	start = offset8 * 8;
+ 	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
+ 
++	/* All but last fragment must have a multiple-of-8 payload. */
++	if ((len & 7) && (ip_off & IP_FLAGS_MFRAG))
++		return NULL;
++
+ 	if (start + len > IP_MAXUDP) /* fragment extends too far */
+ 		return NULL;
+ 
+-- 
+2.25.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch

@@ -0,0 +1,47 @@
+From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:45 +0200
+Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
+
+A carefully crafted squashfs filesystem can exhibit an extremly large
+inode size and overflow the calculation in sqfs_inode_size().
+As a consequence, the squashfs driver will read from wrong locations.
+
+Fix by using __builtin_add_overflow() to detect the overflow.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57254
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs_inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
+index d25cfb53..bb3ccd37 100644
+--- a/fs/squashfs/sqfs_inode.c
++++ b/fs/squashfs/sqfs_inode.c
+@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
+ 
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE: {
++		int size;
++
+ 		struct squashfs_symlink_inode *symlink =
+ 			(struct squashfs_symlink_inode *)inode;
+ 
+-		return sizeof(*symlink) +
+-			get_unaligned_le32(&symlink->symlink_size);
++		if (__builtin_add_overflow(sizeof(*symlink),
++		    get_unaligned_le32(&symlink->symlink_size), &size))
++			return -EINVAL;
++
++		return size;
+ 	}
+ 
+ 	case SQFS_BLKDEV_TYPE:
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch

@@ -0,0 +1,53 @@
+From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:44 +0200
+Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink()
+
+A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
+as a consequence malloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57255
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 1430e671..16a07c06 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ 	char *resolved, *target;
+ 	u32 sz;
+ 
+-	sz = get_unaligned_le32(&sym->symlink_size);
+-	target = malloc(sz + 1);
++	if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
++		return NULL;
++
++	target = malloc(sz);
+ 	if (!target)
+ 		return NULL;
+ 
+@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ 	 * There is no trailling null byte in the symlink's target path, so a
+ 	 * copy is made and a '\0' is added at its end.
+ 	 */
+-	target[sz] = '\0';
++	target[sz - 1] = '\0';
+ 	/* Get target name (relative path) */
+-	strncpy(target, sym->symlink, sz);
++	strncpy(target, sym->symlink, sz - 1);
+ 
+ 	/* Relative -> absolute path conversion */
+ 	resolved = sqfs_get_abs_path(base_path, target);
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch

@@ -0,0 +1,51 @@
+From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink()
+
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+
+CVE: CVE-2024-57256
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index f50de7c0..a7798296 100644
+--- a/fs/ext4/ext4_common.c
++++ b/fs/ext4/ext4_common.c
+@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+ 	struct ext2fs_node *diro = node;
+ 	int status;
+ 	loff_t actread;
++	size_t alloc_size;
+ 
+ 	if (!diro->inode_read) {
+ 		status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+ 		if (status == 0)
+ 			return NULL;
+ 	}
+-	symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
++
++	if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
++		return NULL;
++
++	symlink = zalloc(alloc_size);
+ 	if (!symlink)
+ 		return NULL;
+ 
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch

@@ -0,0 +1,228 @@
+From 790a2005e7a44dba059f5dbf1b9eff3a13e9b5e7 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 19 Feb 2025 15:51:53 +0800
+Subject: [PATCH] squashfs: Fix stack overflow while symlink resolving
+
+The squashfs driver blindly follows symlinks, and calls sqfs_size()
+recursively. So an attacker can create a crafted filesystem and with
+a deep enough nesting level a stack overflow can be achieved.
+
+Fix by limiting the nesting level to 8.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57257
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 7f2af8e1f9..09c0911689 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -24,7 +24,12 @@
+ #include "sqfs_filesystem.h"
+ #include "sqfs_utils.h"
+ 
++#define MAX_SYMLINK_NEST 8
++
+ static struct squashfs_ctxt ctxt;
++static int symlinknest;
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
+ 
+ static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
+ {
+@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 			goto out;
+ 		}
+ 
+-		while (!sqfs_readdir(dirsp, &dent)) {
++		while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 			ret = strcmp(dent->name, token_list[j]);
+ 			if (!ret)
+ 				break;
+@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 
+ 		/* Check for symbolic link and inode type sanity */
+ 		if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
++			if (++symlinknest == MAX_SYMLINK_NEST) {
++				ret = -ELOOP;
++				goto out;
++			}
++
+ 			sym = (struct squashfs_symlink_inode *)table;
+ 			/* Get first j + 1 tokens */
+ 			path = sqfs_concat_tokens(token_list, j + 1);
+@@ -872,7 +882,7 @@ out:
+ 	return metablks_count;
+ }
+ 
+-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
+ {
+ 	unsigned char *inode_table = NULL, *dir_table = NULL;
+ 	int j, token_count = 0, ret = 0, metablks_count;
+@@ -967,7 +977,19 @@ out:
+ 	return ret;
+ }
+ 
++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++{
++	symlinknest = 0;
++	return sqfs_opendir_nest(filename, dirsp);
++}
++
+ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
++{
++	symlinknest = 0;
++	return sqfs_readdir_nest(fs_dirs, dentp);
++}
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_dir_stream *dirs;
+@@ -1311,8 +1333,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
+ 	return datablk_count;
+ }
+ 
+-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+-	      loff_t *actread)
++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
++			  loff_t len, loff_t *actread)
+ {
+ 	char *dir = NULL, *fragment_block, *datablock = NULL, *data_buffer = NULL;
+ 	char *fragment = NULL, *file = NULL, *resolved, *data;
+@@ -1342,11 +1364,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	}
+ 
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+ 	sqfs_split_path(&file, &dir, filename);
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		goto out;
+ 	}
+@@ -1354,7 +1376,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+ 	/* For now, only regular files are able to be loaded */
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1403,9 +1425,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			ret = -ELOOP;
++			goto out;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+-		ret = sqfs_read(resolved, buf, offset, len, actread);
++		ret = sqfs_read_nest(resolved, buf, offset, len, actread);
+ 		free(resolved);
+ 		goto out;
+ 	case SQFS_BLKDEV_TYPE:
+@@ -1579,7 +1606,14 @@ out:
+ 	return ret;
+ }
+ 
+-int sqfs_size(const char *filename, loff_t *size)
++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
++	      loff_t *actread)
++{
++	symlinknest = 0;
++	return sqfs_read_nest(filename, buf, offset, len, actread);
++}
++
++static int sqfs_size_nest(const char *filename, loff_t *size)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_symlink_inode *symlink;
+@@ -1595,10 +1629,10 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1606,7 +1640,7 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1639,6 +1673,11 @@ int sqfs_size(const char *filename, loff_t *size)
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			*size = 0;
++			return -ELOOP;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+ 		ret = sqfs_size(resolved, size);
+@@ -1678,10 +1717,11 @@ int sqfs_exists(const char *filename)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	symlinknest = 0;
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1689,7 +1729,7 @@ int sqfs_exists(const char *filename)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1706,6 +1746,12 @@ free_strings:
+ 	return ret == 0;
+ }
+ 
++int sqfs_size(const char *filename, loff_t *size)
++{
++	symlinknest = 0;
++	return sqfs_size_nest(filename, size);
++}
++
+ void sqfs_close(void)
+ {
+ 	sqfs_decompressor_cleanup(&ctxt);
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch

@@ -0,0 +1,47 @@
+From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
+
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index de3f0422..bae2a27c 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
+ 	ulong old = mem_malloc_brk;
+ 	ulong new = old + increment;
+ 
++	if ((new < mem_malloc_start) || (new > mem_malloc_end))
++		return (void *)MORECORE_FAILURE;
++
+ 	/*
+ 	 * if we are giving memory back make sure we clear it out since
+ 	 * we set MORECORE_CLEARS to 1
+@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
+ 	if (increment < 0)
+ 		memset((void *)new, 0, -increment);
+ 
+-	if ((new < mem_malloc_start) || (new > mem_malloc_end))
+-		return (void *)MORECORE_FAILURE;
+-
+ 	mem_malloc_brk = new;
+ 
+ 	return (void *)old;
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch

@@ -0,0 +1,43 @@
+From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
+
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index bae2a27c..1ac4ee9f 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+ 
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+-  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
++  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+ 
+ /* Check if m has acceptable alignment */
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch

@@ -0,0 +1,40 @@
+From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
+
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f4..e1ed9bca 100644
+--- a/arch/x86/include/asm/posix_types.h
++++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short	__kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long	__kernel_size_t;
+ typedef long		__kernel_ssize_t;
++typedef long		__kernel_ptrdiff_t;
+ #else
+ typedef unsigned int	__kernel_size_t;
+ typedef int		__kernel_ssize_t;
+-#endif
+ typedef int		__kernel_ptrdiff_t;
++#endif
+ typedef long		__kernel_time_t;
+ typedef long		__kernel_suseconds_t;
+ typedef long		__kernel_clock_t;
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch

@@ -0,0 +1,41 @@
+From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 22:05:09 +0200
+Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir()
+
+res needs to be large enough to store both strings rem and target,
+plus the path separator and the terminator.
+Currently the space for the path separator is not accounted, so
+the heap is corrupted by one byte.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57259
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index a5b7890e..1bd9b2a4 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 				ret = -ENOMEM;
+ 				goto out;
+ 			}
+-			/* Concatenate remaining tokens and symlink's target */
+-			res = malloc(strlen(rem) + strlen(target) + 1);
++			/*
++			 * Concatenate remaining tokens and symlink's target.
++			 * Allocate enough space for rem, target, '/' and '\0'.
++			 */
++			res = malloc(strlen(rem) + strlen(target) + 2);
+ 			if (!res) {
+ 				ret = -ENOMEM;
+ 				goto out;
+-- 
+2.34.1
+

meta/recipes-bsp/u-boot/u-boot_2022.01.bb

@@ -7,6 +7,18 @@ SRC_URI +=       " file://0001-riscv32-Use-double-float-ABI-for-rv32.patch \
                    file://0001-fs-squashfs-sqfs_read-Prevent-arbitrary-code-executi.patch \
                    file://0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch \
                    file://0001-fs-squashfs-Use-kcalloc-when-relevant.patch \
+                   file://0001-CVE-2022-30767.patch \
+                   file://CVE-2022-30790.patch \
+                   file://CVE-2022-2347_1.patch \
+                   file://CVE-2022-2347_2.patch \
+                   file://CVE-2024-57254.patch \
+                   file://CVE-2024-57255.patch \
+                   file://CVE-2024-57256.patch \
+                   file://CVE-2024-57257.patch \
+                   file://CVE-2024-57258-1.patch \
+                   file://CVE-2024-57258-2.patch \
+                   file://CVE-2024-57258-3.patch \
+                   file://CVE-2024-57259.patch \
                  "
 
 DEPENDS += "bc-native dtc-native python3-setuptools-native"

meta/recipes-connectivity/bind/bind_9.18.33.bb

@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "e7cce9a165f7b619eefc4832f0a8dc16b005d29e3890aed6008c506ea286a5e7"
+SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2

meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch

@@ -0,0 +1,140 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907]
+CVE: CVE-2025-26465
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ krl.c           | 2 ++
+ ssh-agent.c     | 3 +++
+ ssh-sk-client.c | 2 ++
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 5 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/krl.c b/krl.c
+index 17b88ed..aef2001 100644
+--- a/krl.c
++++ b/krl.c
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1008,6 +1009,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 4dbb4f3..6382ef4 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1198,6 +1198,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 	    "restrict-destination-v00@openssh.com") == 0) {
+ 		if (*dcsp != NULL) {
+ 			error_f("%s already set", ext_name);
++			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1207,6 +1208,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+ 				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1663,6 +1665,7 @@ process_ext_session_bind(SocketEntry *e)
+ 	/* record new key/sid */
+ 	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+ 		error_f("too many session IDs recorded");
++		r = -1;
+ 		goto out;
+ 	}
+ 	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 321fe53..750accb 100644
+--- a/ssh-sk-client.c
++++ b/ssh-sk-client.c
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		}
+ 		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+ 			error_f("calloc failed");
++			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+ 		    sizeof(*srks))) == NULL) {
+ 			error_f("recallocarray keys failed");
++			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 83ae4a4..6cfae2a 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -97,7 +97,7 @@ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ {
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
++	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -713,6 +713,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -723,6 +724,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -742,6 +744,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index 7736134..76d7c21 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -857,6 +857,7 @@ cert_filter_principals(const char *path, u_long linenum,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
++		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */
+-- 
+2.25.1
+

meta/recipes-connectivity/openssh/openssh_8.9p1.bb

@@ -37,6 +37,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2023-51384.patch \
            file://CVE-2023-51385.patch \
            file://CVE-2024-6387.patch \
+           file://CVE-2025-26465.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
 

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "285e878650919844f8194c9b5c2fc034b019c4a3"
+SRCREV ?= "91484dd59353b085bb6c463da9ecd5d2b51d8e64"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb

@@ -13,6 +13,6 @@ API = "--enable-obsolete-api"
 do_install:append () {
 	rm -rf ${D}${includedir}
 	rm -rf ${D}${libdir}/pkgconfig
+	rm -rf ${D}${libdir}/libcrypt.so
 	rm -rf ${D}${datadir}
 }
-

meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch

@@ -0,0 +1,38 @@
+From 5a19e21605398cef6a8b1452477a8705cb41562b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 16:13:27 +0100
+Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b]
+CVE: CVE-2022-49043
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xinclude.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index e5fdf0f..36fa8ec 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
+     }
+     URL = xmlSaveUri(uri);
+     xmlFreeURI(uri);
+-    xmlFree(URI);
+     if (URL == NULL) {
+ 	xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
+ 	               "invalid value URI %s\n", URI);
+ 	if (fragment != NULL)
+ 	    xmlFree(fragment);
++	xmlFree(URI);
+ 	return(-1);
+     }
++    xmlFree(URI);
+ 
+     if (xmlStrEqual(URL, ctxt->doc->URL))
+ 	local = 1;
+-- 
+2.25.1
+

meta/recipes-core/libxml/libxml2/CVE-2024-56171.patch

@@ -0,0 +1,42 @@
+From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+ xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+
+CVE: CVE-2024-56171
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/245b70d7d2768572ae1b05b3668ca858b9ec4ed4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ xmlschemas.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index a089ebc5..18e35e75 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23647,6 +23647,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ 			}
+ 			if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+ 			    goto internal_error;
++                        dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+ 			/*
+ 			* Remove the duplicate entry from the IDC node-table.
+ 			*/
+@@ -23863,6 +23864,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+ 				goto internal_error;
+ 			}
+ 			xmlSchemaItemListAdd(parBind->dupls, parNode);
++		        dupls = (xmlSchemaPSVIIDCNodePtr *)
++                            parBind->dupls->items;
+ 		    } else {
+ 			/*
+ 			* Add the node-table entry (node and key-sequence) of

meta/recipes-core/libxml/libxml2/CVE-2025-24928.patch

@@ -0,0 +1,58 @@
+From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Feb 2025 17:30:40 +0100
+Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
+ xmlSnprintfElements
+
+Fixes #847.
+
+CVE: CVE-2025-24928
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/858ca26c0689161a6b903a6682cc8a1cc10a0ea8]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ valid.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index ed3c8503..36a0435b 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5259,25 +5259,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+ 	    return;
+ 	}
+         switch (cur->type) {
+-            case XML_ELEMENT_NODE:
++            case XML_ELEMENT_NODE: {
++                int qnameLen = xmlStrlen(cur->name);
++
++                if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++                    qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++                if (size - len < qnameLen + 10) {
++                    if ((size - len > 4) && (buf[len - 1] != '.'))
++                        strcat(buf, " ...");
++                    return;
++                }
+ 		if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+-		    if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+-			if ((size - len > 4) && (buf[len - 1] != '.'))
+-			    strcat(buf, " ...");
+-			return;
+-		    }
+ 		    strcat(buf, (char *) cur->ns->prefix);
+ 		    strcat(buf, ":");
+ 		}
+-                if (size - len < xmlStrlen(cur->name) + 10) {
+-		    if ((size - len > 4) && (buf[len - 1] != '.'))
+-			strcat(buf, " ...");
+-		    return;
+-		}
+-	        strcat(buf, (char *) cur->name);
++                if (cur->name != NULL)
++	            strcat(buf, (char *) cur->name);
+ 		if (cur->next != NULL)
+ 		    strcat(buf, " ");
+ 		break;
++            }
+             case XML_TEXT_NODE:
+ 		if (xmlIsBlankNode(cur))
+ 		    break;

meta/recipes-core/libxml/libxml2/CVE-2025-27113.patch

@@ -0,0 +1,32 @@
+From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Feb 2025 16:48:53 +0100
+Subject: [PATCH] pattern: Fix compilation of explicit child axis
+
+The child axis is the default axis and should generate XML_OP_ELEM like
+the case without an axis.
+
+CVE: CVE-2025-27113
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/503f788e84f1c1f1d769c2c7258d77faee94b5a3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pattern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pattern.c b/pattern.c
+index 27e96946..3182794e 100644
+--- a/pattern.c
++++ b/pattern.c
+@@ -1178,10 +1178,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
+ 			    goto error;
+ 			}
+ 		    } else {
+-			PUSH(XML_OP_CHILD, token, URL);
++			PUSH(XML_OP_ELEM, token, URL);
+ 		    }
+ 		} else
+-		    PUSH(XML_OP_CHILD, name, NULL);
++		    PUSH(XML_OP_ELEM, name, NULL);
+ 		return;
+ 	    } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
+ 		XML_PAT_FREE_STRING(ctxt, name)

meta/recipes-core/libxml/libxml2_2.9.14.bb

@@ -33,6 +33,10 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
            file://CVE-2023-45322-2.patch \
            file://CVE-2024-25062.patch \
            file://CVE-2024-34459.patch \
+           file://CVE-2022-49043.patch \
+           file://CVE-2025-27113.patch \
+           file://CVE-2024-56171.patch \
+           file://CVE-2025-24928.patch \
            "
 
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"

meta/recipes-core/meta/cve-update-nvd2-native.bb

@@ -333,7 +333,7 @@ def update_db(conn, elt):
     accessVector = None
     vectorString = None
     cveId = elt['cve']['id']
-    if elt['cve']['vulnStatus'] ==  "Rejected":
+    if elt['cve'].get('vulnStatus') ==  "Rejected":
         c = conn.cursor()
         c.execute("delete from PRODUCTS where ID = ?;", [cveId])
         c.execute("delete from NVD where ID = ?;", [cveId])

meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch

@@ -1,829 +0,0 @@
-From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Wed, 8 May 2024 22:56:29 -0700
-Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
-
-REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
-REF: https://www.rfc-editor.org/rfc/rfc1948.txt
-REF: https://www.rfc-editor.org/rfc/rfc6528.txt
-REF: https://www.rfc-editor.org/rfc/rfc9293.txt
-
-Bug Overview:
-PixieFail Bug #8
-CVE-2023-45236
-CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
-CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
-
-Updates TCP ISN generation to use a cryptographic hash of the
-connection's identifying parameters and a secret key.
-This prevents an attacker from guessing the ISN used for some other
-connection.
-
-This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
-
-RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection
-
-   A TCP implementation MUST use the above type of "clock" for clock-
-   driven selection of initial sequence numbers (MUST-8), and SHOULD
-   generate its initial sequence numbers with the expression:
-
-   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-
-   where M is the 4 microsecond timer, and F() is a pseudorandom
-   function (PRF) of the connection's identifying parameters ("localip,
-   localport, remoteip, remoteport") and a secret key ("secretkey")
-   (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
-   an attacker could still guess at sequence numbers from the ISN used
-   for some other connection.  The PRF could be implemented as a
-   cryptographic hash of the concatenation of the TCP connection
-   parameters and some secret data.  For discussion of the selection of
-   a specific hash algorithm and management of the secret key data,
-   please see Section 3 of [42].
-
-   For each connection there is a send sequence number and a receive
-   sequence number.  The initial send sequence number (ISS) is chosen by
-   the data sending TCP peer, and the initial receive sequence number
-   (IRS) is learned during the connection-establishing procedure.
-
-   For a connection to be established or initialized, the two TCP peers
-   must synchronize on each other's initial sequence numbers.  This is
-   done in an exchange of connection-establishing segments carrying a
-   control bit called "SYN" (for synchronize) and the initial sequence
-   numbers.  As a shorthand, segments carrying the SYN bit are also
-   called "SYNs".  Hence, the solution requires a suitable mechanism for
-   picking an initial sequence number and a slightly involved handshake
-   to exchange the ISNs.
-
-Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
-Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
-
-Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
-Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
-
-CVE: CVE-2023-45236
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- NetworkPkg/SecurityFixes.yaml |  22 +++
- NetworkPkg/TcpDxe/TcpDriver.c |  92 ++++++++++++-
- NetworkPkg/TcpDxe/TcpDxe.inf  |   8 +-
- NetworkPkg/TcpDxe/TcpFunc.h   |  23 ++--
- NetworkPkg/TcpDxe/TcpInput.c  |  13 +-
- NetworkPkg/TcpDxe/TcpMain.h   |  59 ++++++--
- NetworkPkg/TcpDxe/TcpMisc.c   | 244 ++++++++++++++++++++++++++++++++--
- NetworkPkg/TcpDxe/TcpTimer.c  |   3 +-
- 8 files changed, 415 insertions(+), 49 deletions(-)
-
-diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
-index 2b2c794697..ab355419cc 100644
---- a/NetworkPkg/SecurityFixes.yaml
-+++ b/NetworkPkg/SecurityFixes.yaml
-@@ -121,6 +121,28 @@ CVE_2023_45235:
-     - http://www.openwall.com/lists/oss-security/2024/01/16/2
-     - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
-     - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-+CVE_2023_45236:
-+  commit_titles:
-+    - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
-+  cve: CVE-2023-45236
-+  date_reported: 2023-08-28 13:56 UTC
-+  description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
-+  note:
-+  files_impacted:
-+    - NetworkPkg/Include/Library/NetLib.h
-+    - NetworkPkg/TcpDxe/TcpDriver.c
-+    - NetworkPkg/TcpDxe/TcpDxe.inf
-+    - NetworkPkg/TcpDxe/TcpFunc.h
-+    - NetworkPkg/TcpDxe/TcpInput.c
-+    - NetworkPkg/TcpDxe/TcpMain.h
-+    - NetworkPkg/TcpDxe/TcpMisc.c
-+    - NetworkPkg/TcpDxe/TcpTimer.c
-+  links:
-+    - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
-+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
-+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
-+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
-+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
- CVE_2023_45237:
-   commit_titles:
-     - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
-diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
-index 8fe6badd68..40bba4080c 100644
---- a/NetworkPkg/TcpDxe/TcpDriver.c
-+++ b/NetworkPkg/TcpDxe/TcpDriver.c
-@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL  gTcpServiceBinding = {
-   TcpServiceBindingDestroyChild
- };
- 
-+//
-+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
-+// if the platform does not provide one.
-+//
-+EFI_HANDLE  mHash2ServiceHandle = NULL;
-+
- /**
-   Create and start the heartbeat timer for the TCP driver.
- 
-@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
-   EFI_STATUS  Status;
-   UINT32      Random;
- 
-+  //
-+  // Initialize the Secret used for hashing TCP sequence numbers
-+  //
-+  // Normally this should be regenerated periodically, but since
-+  // this is only used for UEFI networking and not a general purpose
-+  // operating system, it is not necessary to regenerate it.
-+  //
-+  Status = PseudoRandomU32 (&mTcpGlobalSecret);
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
-+    return Status;
-+  }
-+
-+  //
-+  // Get a random number used to generate a random port number
-+  // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
-+  //
-   Status = PseudoRandomU32 (&Random);
-   if (EFI_ERROR (Status)) {
-     DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
-@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
-   }
- 
-   //
--  // Initialize ISS and random port.
-+  // Initialize the random port.
-   //
--  mTcpGlobalIss   = Random % mTcpGlobalIss;
-   mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
-   mTcp6RandomPort = mTcp4RandomPort;
- 
-@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
-   @param[in]  IpVersion          IP_VERSION_4 or IP_VERSION_6.
- 
-   @retval EFI_OUT_OF_RESOURCES   Failed to allocate some resources.
-+  @retval EFI_UNSUPPORTED        Service Binding Protocols are unavailable.
-+  @retval EFI_ALREADY_STARTED    The TCP driver is already started on the controller.
-   @retval EFI_SUCCESS            A new IP6 service binding private was created.
- 
- **/
-@@ -234,11 +258,13 @@ TcpCreateService (
-   IN UINT8       IpVersion
-   )
- {
--  EFI_STATUS        Status;
--  EFI_GUID          *IpServiceBindingGuid;
--  EFI_GUID          *TcpServiceBindingGuid;
--  TCP_SERVICE_DATA  *TcpServiceData;
--  IP_IO_OPEN_DATA   OpenData;
-+  EFI_STATUS                    Status;
-+  EFI_GUID                      *IpServiceBindingGuid;
-+  EFI_GUID                      *TcpServiceBindingGuid;
-+  TCP_SERVICE_DATA              *TcpServiceData;
-+  IP_IO_OPEN_DATA               OpenData;
-+  EFI_SERVICE_BINDING_PROTOCOL  *Hash2ServiceBinding;
-+  EFI_HASH2_PROTOCOL            *Hash2Protocol;
- 
-   if (IpVersion == IP_VERSION_4) {
-     IpServiceBindingGuid  = &gEfiIp4ServiceBindingProtocolGuid;
-@@ -272,6 +298,33 @@ TcpCreateService (
-     return EFI_UNSUPPORTED;
-   }
- 
-+  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
-+  if (EFI_ERROR (Status)) {
-+    //
-+    // If we can't find the Hashing protocol, then we need to create one.
-+    //
-+
-+    //
-+    // Platform is expected to publish the hash service binding protocol to support TCP.
-+    //
-+    Status = gBS->LocateProtocol (
-+                    &gEfiHash2ServiceBindingProtocolGuid,
-+                    NULL,
-+                    (VOID **)&Hash2ServiceBinding
-+                    );
-+    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
-+      return EFI_UNSUPPORTED;
-+    }
-+
-+    //
-+    // Create an instance of the hash protocol for this controller.
-+    //
-+    Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
-+    if (EFI_ERROR (Status)) {
-+      return EFI_UNSUPPORTED;
-+    }
-+  }
-+
-   //
-   // Create the TCP service data.
-   //
-@@ -423,6 +476,7 @@ TcpDestroyService (
-   EFI_STATUS                               Status;
-   LIST_ENTRY                               *List;
-   TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT  Context;
-+  EFI_SERVICE_BINDING_PROTOCOL             *Hash2ServiceBinding;
- 
-   ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
- 
-@@ -439,6 +493,30 @@ TcpDestroyService (
-     return EFI_SUCCESS;
-   }
- 
-+  //
-+  // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
-+  //
-+  if (mHash2ServiceHandle != NULL) {
-+    Status = gBS->LocateProtocol (
-+                    &gEfiHash2ServiceBindingProtocolGuid,
-+                    NULL,
-+                    (VOID **)&Hash2ServiceBinding
-+                    );
-+    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
-+      return EFI_UNSUPPORTED;
-+    }
-+
-+    //
-+    // Destroy the instance of the hashing protocol for this controller.
-+    //
-+    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
-+    if (EFI_ERROR (Status)) {
-+      return EFI_UNSUPPORTED;
-+    }
-+
-+    mHash2ServiceHandle = NULL;
-+  }
-+
-   Status = gBS->OpenProtocol (
-                   NicHandle,
-                   ServiceBindingGuid,
-diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
-index cf5423f4c5..76de4cf9ec 100644
---- a/NetworkPkg/TcpDxe/TcpDxe.inf
-+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
-@@ -6,6 +6,7 @@
- #  stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
- #
- #  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-+#  Copyright (c) Microsoft Corporation
- #
- #  SPDX-License-Identifier: BSD-2-Clause-Patent
- #
-@@ -68,7 +69,6 @@
-   NetLib
-   IpIoLib
- 
--
- [Protocols]
-   ## SOMETIMES_CONSUMES
-   ## SOMETIMES_PRODUCES
-@@ -81,6 +81,12 @@
-   gEfiIp6ServiceBindingProtocolGuid             ## TO_START
-   gEfiTcp6ProtocolGuid                          ## BY_START
-   gEfiTcp6ServiceBindingProtocolGuid            ## BY_START
-+  gEfiHash2ProtocolGuid                         ## BY_START
-+  gEfiHash2ServiceBindingProtocolGuid           ## BY_START
-+
-+[Guids]
-+  gEfiHashAlgorithmMD5Guid                      ## CONSUMES
-+  gEfiHashAlgorithmSha256Guid                   ## CONSUMES
- 
- [Depex]
-   gEfiHash2ServiceBindingProtocolGuid
-diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
-index a7af01fff2..c707bee3e5 100644
---- a/NetworkPkg/TcpDxe/TcpFunc.h
-+++ b/NetworkPkg/TcpDxe/TcpFunc.h
-@@ -2,7 +2,7 @@
-   Declaration of external functions shared in TCP driver.
- 
-   Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
--
-+  Copyright (c) Microsoft Corporation
-   SPDX-License-Identifier: BSD-2-Clause-Patent
- 
- **/
-@@ -36,8 +36,11 @@ VOID
- 
-   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
- 
-+  @retval EFI_SUCCESS             The operation completed successfully
-+  @retval others                  The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpInitTcbLocal (
-   IN OUT TCP_CB  *Tcb
-   );
-@@ -128,17 +131,6 @@ TcpCloneTcb (
-   IN TCP_CB  *Tcb
-   );
- 
--/**
--  Compute an ISS to be used by a new connection.
--
--  @return The result ISS.
--
--**/
--TCP_SEQNO
--TcpGetIss (
--  VOID
--  );
--
- /**
-   Get the local mss.
- 
-@@ -202,8 +194,11 @@ TcpFormatNetbuf (
-   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
-                                 connection.
- 
-+  @retval EFI_SUCCESS             The operation completed successfully
-+  @retval others                  The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpOnAppConnect (
-   IN OUT TCP_CB  *Tcb
-   );
-diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
-index fb1aa827f8..0477a15d0c 100644
---- a/NetworkPkg/TcpDxe/TcpInput.c
-+++ b/NetworkPkg/TcpDxe/TcpInput.c
-@@ -724,6 +724,7 @@ TcpInput (
-   TCP_SEQNO   Urg;
-   UINT16      Checksum;
-   INT32       Usable;
-+  EFI_STATUS  Status;
- 
-   ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
- 
-@@ -872,7 +873,17 @@ TcpInput (
-       Tcb->LocalEnd.Port  = Head->DstPort;
-       Tcb->RemoteEnd.Port = Head->SrcPort;
- 
--      TcpInitTcbLocal (Tcb);
-+      Status = TcpInitTcbLocal (Tcb);
-+      if (EFI_ERROR (Status)) {
-+        DEBUG (
-+          (DEBUG_ERROR,
-+           "TcpInput: discard a segment because failed to init local end for TCB %p\n",
-+           Tcb)
-+          );
-+
-+        goto DISCARD;
-+      }
-+
-       TcpInitTcbPeer (Tcb, Seg, &Option);
- 
-       TcpSetState (Tcb, TCP_SYN_RCVD);
-diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
-index c0c9b7f46e..4d5566ab93 100644
---- a/NetworkPkg/TcpDxe/TcpMain.h
-+++ b/NetworkPkg/TcpDxe/TcpMain.h
-@@ -3,7 +3,7 @@
-   It is the common head file for all Tcp*.c in TCP driver.
- 
-   Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
--
-+  Copyright (c) Microsoft Corporation
-   SPDX-License-Identifier: BSD-2-Clause-Patent
- 
- **/
-@@ -13,6 +13,7 @@
- 
- #include <Protocol/ServiceBinding.h>
- #include <Protocol/DriverBinding.h>
-+#include <Protocol/Hash2.h>
- #include <Library/IpIoLib.h>
- #include <Library/DevicePathLib.h>
- #include <Library/PrintLib.h>
-@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE      *gTcpControllerNameTable;
- 
- extern LIST_ENTRY  mTcpRunQue;
- extern LIST_ENTRY  mTcpListenQue;
--extern TCP_SEQNO   mTcpGlobalIss;
-+extern TCP_SEQNO   mTcpGlobalSecret;
- extern UINT32      mTcpTick;
- 
- ///
-@@ -45,14 +46,6 @@ extern UINT32      mTcpTick;
- 
- #define TCP_EXPIRE_TIME  65535
- 
--///
--/// The implementation selects the initial send sequence number and the unit to
--/// be added when it is increased.
--///
--#define TCP_BASE_ISS         0x4d7e980b
--#define TCP_ISS_INCREMENT_1  2048
--#define TCP_ISS_INCREMENT_2  100
--
- typedef union {
-   EFI_TCP4_CONFIG_DATA    Tcp4CfgData;
-   EFI_TCP6_CONFIG_DATA    Tcp6CfgData;
-@@ -774,4 +767,50 @@ Tcp6Poll (
-   IN EFI_TCP6_PROTOCOL  *This
-   );
- 
-+/**
-+  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
-+  and remote IP addresses and ports.
-+
-+  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
-+  Where the ISN is computed as follows:
-+    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
-+
-+  Otherwise:
-+    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-+
-+    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
-+    connection's identifying parameters ("localip, localport, remoteip, remoteport")
-+    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
-+    outside (MUST-9), or an attacker could still guess at sequence numbers from the
-+    ISN used for some other connection. The PRF could be implemented as a
-+    cryptographic hash of the concatenation of the TCP connection parameters and some
-+    secret data. For discussion of the selection of a specific hash algorithm and
-+    management of the secret key data."
-+
-+  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
-+  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
-+  @param[in]       LocalPort      The local port number of the TCP connection.
-+  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
-+  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
-+  @param[in]       RemotePort     The remote port number of the TCP connection.
-+  @param[out]      Isn            A pointer to the variable that will receive the Initial
-+                                  Sequence Number (ISN).
-+
-+  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
-+                                  retrieved.
-+  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
-+  @retval EFI_UNSUPPORTED         The operation is not supported.
-+
-+**/
-+EFI_STATUS
-+TcpGetIsn (
-+  IN UINT8       *LocalIp,
-+  IN UINTN       LocalIpSize,
-+  IN UINT16      LocalPort,
-+  IN UINT8       *RemoteIp,
-+  IN UINTN       RemoteIpSize,
-+  IN UINT16      RemotePort,
-+  OUT TCP_SEQNO  *Isn
-+  );
-+
- #endif
-diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
-index c93212d47d..3310306f63 100644
---- a/NetworkPkg/TcpDxe/TcpMisc.c
-+++ b/NetworkPkg/TcpDxe/TcpMisc.c
-@@ -3,7 +3,7 @@
- 
-   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
-   Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
--
-+  Copyright (c) Microsoft Corporation
-   SPDX-License-Identifier: BSD-2-Clause-Patent
- 
- **/
-@@ -20,7 +20,34 @@ LIST_ENTRY  mTcpListenQue = {
-   &mTcpListenQue
- };
- 
--TCP_SEQNO  mTcpGlobalIss = TCP_BASE_ISS;
-+//
-+// The Session secret
-+// This must be initialized to a random value at boot time
-+//
-+TCP_SEQNO  mTcpGlobalSecret;
-+
-+//
-+// Union to hold either an IPv4 or IPv6 address
-+// This is used to simplify the ISN hash computation
-+//
-+typedef union {
-+  UINT8    IPv4[4];
-+  UINT8    IPv6[16];
-+} NETWORK_ADDRESS;
-+
-+//
-+// The ISN is computed by hashing this structure
-+// It is initialized with the local and remote IP addresses and ports
-+// and the secret
-+//
-+//
-+typedef struct {
-+  UINT16             LocalPort;
-+  UINT16             RemotePort;
-+  NETWORK_ADDRESS    LocalAddress;
-+  NETWORK_ADDRESS    RemoteAddress;
-+  TCP_SEQNO          Secret;
-+} ISN_HASH_CTX;
- 
- CHAR16  *mTcpStateName[] = {
-   L"TCP_CLOSED",
-@@ -41,12 +68,18 @@ CHAR16  *mTcpStateName[] = {
- 
-   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
- 
-+  @retval EFI_SUCCESS             The operation completed successfully
-+  @retval others                  The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpInitTcbLocal (
-   IN OUT TCP_CB  *Tcb
-   )
- {
-+  TCP_SEQNO   Isn;
-+  EFI_STATUS  Status;
-+
-   //
-   // Compute the checksum of the fixed parts of pseudo header
-   //
-@@ -57,6 +90,16 @@ TcpInitTcbLocal (
-                      0x06,
-                      0
-                      );
-+
-+    Status = TcpGetIsn (
-+               Tcb->LocalEnd.Ip.v4.Addr,
-+               sizeof (IPv4_ADDRESS),
-+               Tcb->LocalEnd.Port,
-+               Tcb->RemoteEnd.Ip.v4.Addr,
-+               sizeof (IPv4_ADDRESS),
-+               Tcb->RemoteEnd.Port,
-+               &Isn
-+               );
-   } else {
-     Tcb->HeadSum = NetIp6PseudoHeadChecksum (
-                      &Tcb->LocalEnd.Ip.v6,
-@@ -64,9 +107,25 @@ TcpInitTcbLocal (
-                      0x06,
-                      0
-                      );
-+
-+    Status = TcpGetIsn (
-+               Tcb->LocalEnd.Ip.v6.Addr,
-+               sizeof (IPv6_ADDRESS),
-+               Tcb->LocalEnd.Port,
-+               Tcb->RemoteEnd.Ip.v6.Addr,
-+               sizeof (IPv6_ADDRESS),
-+               Tcb->RemoteEnd.Port,
-+               &Isn
-+               );
-+  }
-+
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
-+    ASSERT (FALSE);
-+    return Status;
-   }
- 
--  Tcb->Iss    = TcpGetIss ();
-+  Tcb->Iss    = Isn;
-   Tcb->SndUna = Tcb->Iss;
-   Tcb->SndNxt = Tcb->Iss;
- 
-@@ -82,6 +141,8 @@ TcpInitTcbLocal (
-   Tcb->RetxmitSeqMax = 0;
- 
-   Tcb->ProbeTimerOn = FALSE;
-+
-+  return EFI_SUCCESS;
- }
- 
- /**
-@@ -506,18 +567,162 @@ TcpCloneTcb (
- }
- 
- /**
--  Compute an ISS to be used by a new connection.
--
--  @return The resulting ISS.
-+  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
-+  and remote IP addresses and ports.
-+
-+  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
-+  Where the ISN is computed as follows:
-+    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
-+
-+  Otherwise:
-+    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
-+
-+    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
-+    connection's identifying parameters ("localip, localport, remoteip, remoteport")
-+    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
-+    outside (MUST-9), or an attacker could still guess at sequence numbers from the
-+    ISN used for some other connection. The PRF could be implemented as a
-+    cryptographic hash of the concatenation of the TCP connection parameters and some
-+    secret data. For discussion of the selection of a specific hash algorithm and
-+    management of the secret key data."
-+
-+  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
-+  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
-+  @param[in]       LocalPort      The local port number of the TCP connection.
-+  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
-+  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
-+  @param[in]       RemotePort     The remote port number of the TCP connection.
-+  @param[out]      Isn            A pointer to the variable that will receive the Initial
-+                                  Sequence Number (ISN).
-+
-+  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
-+                                  retrieved.
-+  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
-+  @retval EFI_UNSUPPORTED         The operation is not supported.
- 
- **/
--TCP_SEQNO
--TcpGetIss (
--  VOID
-+EFI_STATUS
-+TcpGetIsn (
-+  IN UINT8       *LocalIp,
-+  IN UINTN       LocalIpSize,
-+  IN UINT16      LocalPort,
-+  IN UINT8       *RemoteIp,
-+  IN UINTN       RemoteIpSize,
-+  IN UINT16      RemotePort,
-+  OUT TCP_SEQNO  *Isn
-   )
- {
--  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
--  return mTcpGlobalIss;
-+  EFI_STATUS          Status;
-+  EFI_HASH2_PROTOCOL  *Hash2Protocol;
-+  EFI_HASH2_OUTPUT    HashResult;
-+  ISN_HASH_CTX        IsnHashCtx;
-+  EFI_TIME            TimeStamp;
-+
-+  //
-+  // Check that the ISN pointer is valid
-+  //
-+  if (Isn == NULL) {
-+    return EFI_INVALID_PARAMETER;
-+  }
-+
-+  //
-+  // The local ip may be a v4 or v6 address and may not be NULL
-+  //
-+  if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
-+    return EFI_INVALID_PARAMETER;
-+  }
-+
-+  //
-+  // the local ip may be a v4 or v6 address
-+  //
-+  if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
-+    return EFI_INVALID_PARAMETER;
-+  }
-+
-+  //
-+  // Locate the Hash Protocol
-+  //
-+  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
-+
-+    //
-+    // TcpCreateService(..) is expected to be called prior to this function
-+    //
-+    ASSERT_EFI_ERROR (Status);
-+    return Status;
-+  }
-+
-+  //
-+  // Initialize the hash algorithm
-+  //
-+  Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
-+    return Status;
-+  }
-+
-+  IsnHashCtx.LocalPort  = LocalPort;
-+  IsnHashCtx.RemotePort = RemotePort;
-+  IsnHashCtx.Secret     = mTcpGlobalSecret;
-+
-+  //
-+  // Check the IP address family and copy accordingly
-+  //
-+  if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
-+    CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
-+  } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
-+    CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
-+  } else {
-+    return EFI_INVALID_PARAMETER; // Unsupported address size
-+  }
-+
-+  //
-+  // Repeat the process for the remote IP address
-+  //
-+  if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
-+    CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
-+  } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
-+    CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
-+  } else {
-+    return EFI_INVALID_PARAMETER; // Unsupported address size
-+  }
-+
-+  //
-+  // Compute the hash
-+  // Update the hash with the data
-+  //
-+  Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
-+    return Status;
-+  }
-+
-+  //
-+  // Finalize the hash and retrieve the result
-+  //
-+  Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
-+  if (EFI_ERROR (Status)) {
-+    DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
-+    return Status;
-+  }
-+
-+  Status = gRT->GetTime (&TimeStamp, NULL);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-+  //
-+  // copy the first 4 bytes of the hash result into the ISN
-+  //
-+  CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
-+
-+  //
-+  // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
-+  //
-+  *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
-+
-+  return Status;
- }
- 
- /**
-@@ -721,17 +926,28 @@ TcpFormatNetbuf (
-   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
-                                 connection.
- 
-+  @retval EFI_SUCCESS             The operation completed successfully
-+  @retval others                  The underlying functions failed and could not complete the operation
-+
- **/
--VOID
-+EFI_STATUS
- TcpOnAppConnect (
-   IN OUT TCP_CB  *Tcb
-   )
- {
--  TcpInitTcbLocal (Tcb);
-+  EFI_STATUS  Status;
-+
-+  Status = TcpInitTcbLocal (Tcb);
-+  if (EFI_ERROR (Status)) {
-+    return Status;
-+  }
-+
-   TcpSetState (Tcb, TCP_SYN_SENT);
- 
-   TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
-   TcpToSendData (Tcb, 1);
-+
-+  return EFI_SUCCESS;
- }
- 
- /**
-diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
-index 5d2e124977..065b1bdf5f 100644
---- a/NetworkPkg/TcpDxe/TcpTimer.c
-+++ b/NetworkPkg/TcpDxe/TcpTimer.c
-@@ -2,7 +2,7 @@
-   TCP timer related functions.
- 
-   Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
--
-+  Copyright (c) Microsoft Corporation
-   SPDX-License-Identifier: BSD-2-Clause-Patent
- 
- **/
-@@ -483,7 +483,6 @@ TcpTickingDpc (
-   INT16       Index;
- 
-   mTcpTick++;
--  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
- 
-   //
-   // Don't use LIST_FOR_EACH, which isn't delete safe.
--- 
-2.40.0
-

meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch

@@ -1,78 +0,0 @@
-From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001
-From: Pierre Gondois <pierre.gondois@arm.com>
-Date: Fri, 11 Aug 2023 16:33:06 +0200
-Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms
-
-BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
-
-The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
-implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
-To allow the RngDxe to detect when such implementation is used,
-a GetRngGuid() function is added in a following patch.
-
-Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr
-to describe a Rng algorithm accessed through Arm's RNDR instruction.
-[1] states that the implementation of this algorithm should be
-compliant to NIST SP900-80. The compliance is not guaranteed.
-
-[1] Arm Architecture Reference Manual Armv8, for A-profile architecture
-sK12.1 'Properties of the generated random number'
-
-Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
-Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
-Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
-Acked-by: Ard Biesheuvel <ardb@kernel.org>
-Tested-by: Kun Qin <kun.qin@microsoft.com>
-
-CVE: CVE-2023-45237
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c]
-
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
----
- MdePkg/Include/Protocol/Rng.h | 10 ++++++++++
- MdePkg/MdePkg.dec             |  1 +
- 2 files changed, 11 insertions(+)
-
-diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
-index baf425587b..38bde53240 100644
---- a/MdePkg/Include/Protocol/Rng.h
-+++ b/MdePkg/Include/Protocol/Rng.h
-@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
-   { \
-     0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \
-   }
-+///
-+/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant
-+/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be
-+/// inclusive of different geographies.
-+///
-+#define EFI_RNG_ALGORITHM_ARM_RNDR \
-+  { \
-+    0x43d2fde3, 0x9d4e, 0x4d79,  {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \
-+  }
- 
- /**
-   Returns information about the random number generation implementation.
-@@ -146,5 +155,6 @@ extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
- extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
- extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
- extern EFI_GUID  gEfiRngAlgorithmRaw;
-+extern EFI_GUID  gEfiRngAlgorithmArmRndr;
- 
- #endif
-diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
-index 59b405928b..a449dbc556 100644
---- a/MdePkg/MdePkg.dec
-+++ b/MdePkg/MdePkg.dec
-@@ -594,6 +594,7 @@
-   gEfiRngAlgorithmX9313DesGuid       = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }}
-   gEfiRngAlgorithmX931AesGuid        = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }}
-   gEfiRngAlgorithmRaw                = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }}
-+  gEfiRngAlgorithmArmRndr            = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }}
- 
-   ## Include/Protocol/AdapterInformation.h
-   gEfiAdapterInfoMediaStateGuid       = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }}
--- 
-2.40.0
-

meta/recipes-core/ovmf/ovmf_git.bb

@@ -47,9 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://CVE-2023-45229-0002.patch \
            file://CVE-2023-45229-0003.patch \
            file://CVE-2023-45229-0004.patch \
-           file://CVE-2023-45237-0001.patch \
-           file://CVE-2023-45237-0002.patch \
-           file://CVE-2023-45236.patch \
            file://CVE-2022-36765-0001.patch \
            file://CVE-2022-36765-0002.patch \
            file://CVE-2022-36765-0003.patch \

meta/recipes-core/systemd/systemd.inc

@@ -14,7 +14,7 @@ LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
 
-SRCREV = "4a31fa2fb040005b73253da75cf84949b8485175"
+SRCREV = "4ada1290584745ab6643eece9e1756a8c0e079ca"
 SRCBRANCH = "v250-stable"
 SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
 

meta/recipes-core/systemd/systemd/0001-Adjust-for-musl-headers.patch

@@ -1,4 +1,4 @@
-From 9a1841402ce3ef21a10a7314a07a615f8196d406 Mon Sep 17 00:00:00 2001
+From 10ec14bf4a75891a99defa37f5e9452ac6fe12b3 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 22:19:37 -0800
 Subject: [PATCH] Adjust for musl headers
@@ -174,7 +174,7 @@ index d15766cd7b..60728b4f94 100644
  #include "conf-parser.h"
  #include "ipvlan.h"
 diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
-index f1a566a9ca..1f37927a83 100644
+index df0d924443..6400032f96 100644
 --- a/src/network/netdev/macsec.c
 +++ b/src/network/netdev/macsec.c
 @@ -1,7 +1,7 @@
@@ -200,7 +200,7 @@ index c41be6e78f..ee2660c5bf 100644
  #include "conf-parser.h"
  #include "macvlan.h"
 diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
-index 8e7fe11c18..701ab2bd69 100644
+index b46b9ecc90..e6e58c5f0f 100644
 --- a/src/network/netdev/netdev.c
 +++ b/src/network/netdev/netdev.c
 @@ -2,7 +2,7 @@
@@ -275,7 +275,7 @@ index c946e81fc0..d1a6be73f9 100644
  
  #include "netlink-util.h"
 diff --git a/src/network/netdev/vlan.c b/src/network/netdev/vlan.c
-index af3e77963e..efa4b0a164 100644
+index 58c2da32dd..f4a5fd7343 100644
 --- a/src/network/netdev/vlan.c
 +++ b/src/network/netdev/vlan.c
 @@ -2,7 +2,7 @@
@@ -327,7 +327,7 @@ index 30b0855598..a065158801 100644
  #include "conf-parser.h"
  #include "alloc-util.h"
 diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
-index 88f668753a..5fc753384b 100644
+index 6c251b3a2e..000e3d01a9 100644
 --- a/src/network/netdev/wireguard.c
 +++ b/src/network/netdev/wireguard.c
 @@ -6,7 +6,7 @@
@@ -373,7 +373,7 @@ index 10025a97ae..a0239ea83a 100644
  #define STATIC_BRIDGE_MDB_ENTRIES_PER_NETWORK_MAX 1024U
  
 diff --git a/src/network/networkd-dhcp-common.c b/src/network/networkd-dhcp-common.c
-index 7996960bd1..e870b9ba26 100644
+index 4f13eada05..7e3ea2108b 100644
 --- a/src/network/networkd-dhcp-common.c
 +++ b/src/network/networkd-dhcp-common.c
 @@ -1,7 +1,8 @@
@@ -421,7 +421,7 @@ index 9acfd17d49..3108289602 100644
  
  #include "sd-dhcp-server.h"
 diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c
-index cb9c428ae9..a35d58f3f1 100644
+index f97e8033b8..21026ac0bf 100644
 --- a/src/network/networkd-dhcp4.c
 +++ b/src/network/networkd-dhcp4.c
 @@ -3,7 +3,7 @@
@@ -434,7 +434,7 @@ index cb9c428ae9..a35d58f3f1 100644
  #include "alloc-util.h"
  #include "dhcp-client-internal.h"
 diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-index b62a154828..75949e6094 100644
+index 090da53a1e..8b402a5b04 100644
 --- a/src/network/networkd-link.c
 +++ b/src/network/networkd-link.c
 @@ -3,7 +3,7 @@
@@ -447,7 +447,7 @@ index b62a154828..75949e6094 100644
  #include <linux/netdevice.h>
  #include <sys/socket.h>
 diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
-index ee7a535075..ce6ed64133 100644
+index f3b6f38967..5793fd93f8 100644
 --- a/src/network/networkd-route.c
 +++ b/src/network/networkd-route.c
 @@ -1,9 +1,5 @@
@@ -472,7 +472,7 @@ index ee7a535075..ce6ed64133 100644
          _cleanup_(route_freep) Route *route = NULL;
  
 diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
-index e00cc1e589..e392c7e1a2 100644
+index 1ab58a5bd2..72860cc542 100644
 --- a/src/network/networkd-setlink.c
 +++ b/src/network/networkd-setlink.c
 @@ -2,7 +2,7 @@

meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch

@@ -1,4 +1,4 @@
-From beb0219b71510bc63aed81d2a970a04349d6c616 Mon Sep 17 00:00:00 2001
+From e06212833237dd639a843b5f9733f8a49f3a9119 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 29 Sep 2020 18:01:41 -0700
 Subject: [PATCH] Move sysusers.d/sysctl.d/binfmt.d/modules-load.d to /usr
@@ -7,21 +7,26 @@ These directories are moved to /lib since systemd v246, commit
 4a56315a990b ("path: use ROOTPREFIX properly"), but in oe-core/yocto,
 the old /usr/lib is still being used.
 
+Modified to resolve the merge conflict introduced by systemd v250.14
+version.
+
 Upstream-Status: Inappropriate (OE-specific)
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
+
 ---
  src/core/systemd.pc.in           | 8 ++++----
  src/libsystemd/sd-path/sd-path.c | 8 ++++----
  2 files changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index fc0f8c34fa..65996bbed8 100644
+index 693433b34b..8368a3ff02 100644
 --- a/src/core/systemd.pc.in
 +++ b/src/core/systemd.pc.in
-@@ -65,16 +65,16 @@ systemdshutdowndir=${systemd_shutdown_dir}
- tmpfiles_dir=${prefix}/lib/tmpfiles.d
- tmpfilesdir=${tmpfiles_dir}
+@@ -67,16 +67,16 @@ tmpfilesdir=${tmpfiles_dir}
+
+ user_tmpfiles_dir=${prefix}/share/user-tmpfiles.d
  
 -sysusers_dir=${rootprefix}/lib/sysusers.d
 +sysusers_dir=${prefix}/lib/sysusers.d
@@ -68,6 +73,3 @@ index ff1e0d5f8e..19a001f47e 100644
                  return 0;
  
          case SD_PATH_CATALOG:
--- 
-2.34.1
-

meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch

@@ -0,0 +1,41 @@
+From 10c567204edcd2926ce4f762d7015d5894756d52 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+Date: Thu, 12 Sep 2024 15:46:29 +0200
+Subject: [PATCH] core: fix build when seccomp is off
+
+Something went wrong when 6aa2c55522d7cac62ecfd5d5687a86a84f158d18 was
+cherry-picked for v250-stable, causing it to fail to build when seccomp
+is disabled.
+
+Fix this by changing the code to how it looks like in other versions of
+the backported commit, slightly adapted to the file's style in v250.
+
+Fixes the following build error:
+
+| ../git/src/core/main.c: In function 'parse_config_file':
+| ../git/src/core/main.c:721:101: error: lvalue required as unary '&' operand
+|   721 |                 { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &DISABLED_CONFIGURATION                },
+|       |                                                                                                     ^
+
+Fixes: 8e8c7d51140b ("pid1: generate compat warning for SystemCallArchitectures= if seccomp is off")
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/b19b7c67e9cb74c44c43a0daf6172f9d32f134ec]
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
+---
+ src/core/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 19686fa475..5914be6a83 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -718,7 +718,7 @@ static int parse_config_file(void) {
+ #if HAVE_SECCOMP
+                 { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &arg_syscall_archs                     },
+ #else
+-                { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &DISABLED_CONFIGURATION                },
++                { "Manager", "SystemCallArchitectures",      config_parse_warn_compat,           DISABLED_CONFIGURATION, NULL              },
+ #endif
+                 { "Manager", "TimerSlackNSec",               config_parse_nsec,                  0, &arg_timer_slack_nsec                  },
+                 { "Manager", "DefaultTimerAccuracySec",      config_parse_sec,                   0, &arg_default_timer_accuracy_usec       },

meta/recipes-core/systemd/systemd/0001-pass-correct-parameters-to-getdents64.patch

@@ -1,4 +1,4 @@
-From dab02796780f00d689cc1c7a0ba81abe7c5f28d0 Mon Sep 17 00:00:00 2001
+From 2252b9a6c598f8ed4efe95d2a149f68db7fb9cc4 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 15:15:11 -0800
 Subject: [PATCH] pass correct parameters to getdents64
@@ -12,14 +12,33 @@ Fixes
         n = getdents64(fd, &buffer, sizeof(buffer));
                            ^~~~~~~
 
+Modified to resolve the merge conflict introduced by systemd v250.14 version.
+
 Upstream-Status: Inappropriate [musl specific]
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
----
- src/basic/recurse-dir.c | 2 +-
- src/basic/stat-util.c   | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
 
+---
+ src/basic/dirent-util.h | 6 ++++++
+ src/basic/recurse-dir.c | 2 +-
+ src/basic/stat-util.c   | 8 ++++++--
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/dirent-util.h b/src/basic/dirent-util.h
+index 04bc53003f..5fde9043a3 100644
+--- a/src/basic/dirent-util.h
++++ b/src/basic/dirent-util.h
+@@ -51,3 +51,9 @@ assert_cc(sizeof_field(struct dirent, d_name) == sizeof_field(struct dirent64, d
+         for (void *_end = (uint8_t*) ({ (de) = (buf); }) + (sz);        \
+              (uint8_t*) (de) < (uint8_t*) _end;                         \
+              (de) = (struct dirent*) ((uint8_t*) (de) + (de)->d_reclen))
++
++#define DEFINE_DIRENT_BUFFER(name, sz)                                  \
++        union {                                                         \
++                struct dirent de;                                       \
++                uint8_t data[(sz) * DIRENT_SIZE_MAX];                   \
++        } name
 diff --git a/src/basic/recurse-dir.c b/src/basic/recurse-dir.c
 index efa1797b7b..03ff10ebe9 100644
 --- a/src/basic/recurse-dir.c
@@ -34,18 +53,28 @@ index efa1797b7b..03ff10ebe9 100644
                          return -errno;
                  if (n == 0)
 diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
-index c2269844f8..7cd6c7fa42 100644
+index db22f06d0f..cb76726c37 100644
 --- a/src/basic/stat-util.c
 +++ b/src/basic/stat-util.c
-@@ -99,7 +99,7 @@ int dir_is_empty_at(int dir_fd, const char *path) {
+@@ -66,6 +66,10 @@ int is_device_node(const char *path) {
+ int dir_is_empty_at(int dir_fd, const char *path) {
+         _cleanup_close_ int fd = -1;
+         _cleanup_closedir_ DIR *d = NULL;
++        /* Allocate space for at least 3 full dirents, since every dir has at least two entries ("."  +
++         * ".."), and only once we have seen if there's a third we know whether the dir is empty or not. */
++        DEFINE_DIRENT_BUFFER(buffer, 3);
++        ssize_t n;
+
+         if (path) {
+                 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
+@@ -85,8 +89,8 @@ int dir_is_empty_at(int dir_fd, const char *path) {
                          return fd;
          }
  
--        n = getdents64(fd, &buffer, sizeof(buffer));
+-        d = take_fdopendir(&fd);
+-        if (!d)
 +        n = getdents64(fd, (struct dirent *)&buffer, sizeof(buffer));
-         if (n < 0)
++        if (n < 0)
                  return -errno;
  
--- 
-2.34.1
-
+         FOREACH_DIRENT(de, d, return -errno)

meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch

@@ -1,60 +0,0 @@
-From 25492154b42f68a48752a7f61eaf1fb61e454e52 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 18 Oct 2022 18:09:06 +0200
-Subject: [PATCH] shared/json: allow json_variant_dump() to return an error
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/7922ead507e0d83e4ec72a8cbd2b67194766e58c]
-
-Needed to fix CVE-2022-45873.patch backported from systemd/main,
-otherwise it fails to build with:
-
-| ../git/src/shared/elf-util.c: In function 'parse_elf_object':
-| ../git/src/shared/elf-util.c:792:27: error: void value not ignored as it ought to be
-|   792 |                         r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-|       |                           ^
-
-Signed-off-by: Martin Jansa <martin2.jansa@lgepartner.com>
----
- src/shared/json.c | 7 ++++---
- src/shared/json.h | 2 +-
- 2 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/shared/json.c b/src/shared/json.c
-index dff95eda26..81c05efe22 100644
---- a/src/shared/json.c
-+++ b/src/shared/json.c
-@@ -1792,9 +1792,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
-         return (int) sz - 1;
- }
- 
--void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
-+int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
-         if (!v)
--                return;
-+                return 0;
- 
-         if (!f)
-                 f = stdout;
-@@ -1820,7 +1820,8 @@ void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const cha
-                 fputc('\n', f); /* In case of SSE add a second newline */
- 
-         if (flags & JSON_FORMAT_FLUSH)
--                fflush(f);
-+                return fflush_and_check(f);
-+        return 0;
- }
- 
- int json_variant_filter(JsonVariant **v, char **to_remove) {
-diff --git a/src/shared/json.h b/src/shared/json.h
-index 8760354b66..c712700763 100644
---- a/src/shared/json.h
-+++ b/src/shared/json.h
-@@ -187,7 +187,7 @@ typedef enum JsonFormatFlags {
- } JsonFormatFlags;
- 
- int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret);
--void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
-+int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
- 
- int json_variant_filter(JsonVariant **v, char **to_remove);
- 

meta/recipes-core/systemd/systemd/0002-Add-sys-stat.h-for-S_IFDIR.patch

@@ -1,4 +1,4 @@
-From 4b731a5e2547b5292f9a774b849e14c0cf7b3955 Mon Sep 17 00:00:00 2001
+From 2e7d75e9a045f7580c60436dbee44301393a66c3 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 15:17:37 -0800
 Subject: [PATCH] Add sys/stat.h for S_IFDIR
@@ -14,10 +14,10 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
-index d36a6466d7..63b764cd83 100644
+index 5b1ac5d1e0..fa5802b894 100644
 --- a/src/shared/mkdir-label.c
 +++ b/src/shared/mkdir-label.c
-@@ -4,6 +4,7 @@
+@@ -6,6 +6,7 @@
  #include "selinux-util.h"
  #include "smack-util.h"
  #include "user-util.h"

meta/recipes-core/systemd/systemd/0003-missing_type.h-add-comparison_fn_t.patch

@@ -1,4 +1,4 @@
-From 5513b918d02900a3a78fd0e0300a118b163edfef Mon Sep 17 00:00:00 2001
+From a134b05d2cbc0d05a5ad7d9ebbb4ba57d424752c Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 13:55:12 +0800
 Subject: [PATCH] missing_type.h: add comparison_fn_t
@@ -14,6 +14,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 [Rebased for v250, Drop __compare_fn_t]
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+
 ---
  src/basic/missing_type.h            | 4 ++++
  src/basic/sort-util.h               | 1 +
@@ -56,6 +57,3 @@ index 8fc87b131a..36a6efdbd8 100644
  
  const char * const catalog_file_dirs[] = {
          "/usr/local/lib/systemd/catalog/",
--- 
-2.34.1
-

meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch

@@ -1,4 +1,4 @@
-From 3d9910dcda697b1e361bba49c99050ee0d116742 Mon Sep 17 00:00:00 2001
+From e53661c4dc9b15397a87077169fe729934ce5e13 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Sat, 22 May 2021 20:26:24 +0200
 Subject: [PATCH] add fallback parse_printf_format implementation
@@ -23,10 +23,10 @@ Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  create mode 100644 src/basic/parse-printf-format.h
 
 diff --git a/meson.build b/meson.build
-index cb9936ee8b..ae53345260 100644
+index 01c4b4dc70..29129a83e2 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -686,6 +686,7 @@ endif
+@@ -705,6 +705,7 @@ endif
  foreach header : ['crypt.h',
                    'linux/memfd.h',
                    'linux/vm_sockets.h',

meta/recipes-core/systemd/systemd/0005-src-basic-missing.h-check-for-missing-strndupa.patch

@@ -1,4 +1,4 @@
-From 106b7bd7186c9d6c1dcd72bd4ca6457d3fa72d0b Mon Sep 17 00:00:00 2001
+From 38c8e75938a439dd8f961a9ea4084deca0c46269 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 14:18:21 +0800
 Subject: [PATCH] src/basic/missing.h: check for missing strndupa
@@ -17,6 +17,7 @@ Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
 [rebased for systemd 244]
 [Rebased for v247]
 Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+
 ---
  meson.build                                |  1 +
  src/backlight/backlight.c                  |  1 +
@@ -73,10 +74,10 @@ Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
  52 files changed, 63 insertions(+)
 
 diff --git a/meson.build b/meson.build
-index cb9936ee8b..7ab201c6d9 100644
+index 29129a83e2..3fec6aac3e 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -507,6 +507,7 @@ foreach ident : ['secure_getenv', '__secure_getenv']
+@@ -526,6 +526,7 @@ foreach ident : ['secure_getenv', '__secure_getenv']
  endforeach
  
  foreach ident : [
@@ -97,7 +98,7 @@ index 5a3095cbba..22cfa4d526 100644
  static int help(void) {
          _cleanup_free_ char *link = NULL;
 diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
-index a626ecf2e2..f7dc6c8421 100644
+index e65ad678ab..d3bed80620 100644
 --- a/src/basic/cgroup-util.c
 +++ b/src/basic/cgroup-util.c
 @@ -37,6 +37,7 @@
@@ -121,7 +122,7 @@ index 885967e7f3..d0b7dc845e 100644
  /* We follow bash for the character set. Different shells have different rules. */
  #define VALID_BASH_ENV_NAME_CHARS               \
 diff --git a/src/basic/log.c b/src/basic/log.c
-index 12071e2ebd..15254c7bbc 100644
+index 10de8bd7c0..4f0e7eaad3 100644
 --- a/src/basic/log.c
 +++ b/src/basic/log.c
 @@ -36,6 +36,7 @@
@@ -153,7 +154,7 @@ index 8c76f93eb2..9068bfb4f0 100644
 +  })
 +#endif
 diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
-index 51a0d74e87..03569f71f8 100644
+index 27144dd45a..0395c124da 100644
 --- a/src/basic/mkdir.c
 +++ b/src/basic/mkdir.c
 @@ -15,6 +15,7 @@
@@ -237,7 +238,7 @@ index 65f96abb06..e485a0196b 100644
  int procfs_get_pid_max(uint64_t *ret) {
          _cleanup_free_ char *value = NULL;
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index b659d6905d..020112be24 100644
+index 89dc593d44..ffbaffd451 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
 @@ -26,6 +26,7 @@
@@ -273,7 +274,7 @@ index f0d8759e85..b4c1053e64 100644
  
  BUS_DEFINE_PROPERTY_GET(bus_property_get_tasks_max, "t", TasksMax, tasks_max_resolve);
 diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
-index 5c499e5d06..e7ab1bb9a5 100644
+index db1698393c..77cc8bb507 100644
 --- a/src/core/dbus-execute.c
 +++ b/src/core/dbus-execute.c
 @@ -44,6 +44,7 @@
@@ -297,10 +298,10 @@ index 32a2ec0ff9..36be2511e4 100644
  int bus_property_get_triggered_unit(
                  sd_bus *bus,
 diff --git a/src/core/execute.c b/src/core/execute.c
-index 0b20d386d3..fccfb9268c 100644
+index da0cd2dcbe..d2a7bf7e7b 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
-@@ -102,6 +102,7 @@
+@@ -103,6 +103,7 @@
  #include "unit-serialize.h"
  #include "user-util.h"
  #include "utmp-wtmp.h"
@@ -321,7 +322,7 @@ index d054668b8e..9b4caa7651 100644
  #if HAVE_KMOD
  #include "module-util.h"
 diff --git a/src/core/service.c b/src/core/service.c
-index 87f0d34c8c..ccda3feb29 100644
+index e02c2e38ad..2a64a14647 100644
 --- a/src/core/service.c
 +++ b/src/core/service.c
 @@ -42,6 +42,7 @@
@@ -369,7 +370,7 @@ index 3e3646e45f..6a8fc60f6d 100644
  #define PRIV_KEY_FILE CERTIFICATE_ROOT "/private/journal-remote.pem"
  #define CERT_FILE     CERTIFICATE_ROOT "/certs/journal-remote.pem"
 diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
-index 3c4a7c0a7a..6a792404f2 100644
+index d4a751c575..b175b11a8f 100644
 --- a/src/journal/journalctl.c
 +++ b/src/journal/journalctl.c
 @@ -73,6 +73,7 @@
@@ -381,7 +382,7 @@ index 3c4a7c0a7a..6a792404f2 100644
  #define DEFAULT_FSS_INTERVAL_USEC (15*USEC_PER_MINUTE)
  #define PROCESS_INOTIFY_INTERVAL 1024   /* Every 1,024 messages processed */
 diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
-index 96529b422b..ddb5e9c698 100644
+index ca0b290ed2..3fa703eb61 100644
 --- a/src/libsystemd/sd-bus/bus-message.c
 +++ b/src/libsystemd/sd-bus/bus-message.c
 @@ -20,6 +20,7 @@
@@ -393,11 +394,11 @@ index 96529b422b..ddb5e9c698 100644
  static int message_append_basic(sd_bus_message *m, char type, const void *p, const void **stored);
  
 diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
-index 28d8336718..5d3ce88a53 100644
+index 5c6c6c5c5f..00499d53d1 100644
 --- a/src/libsystemd/sd-bus/bus-objects.c
 +++ b/src/libsystemd/sd-bus/bus-objects.c
-@@ -12,6 +12,7 @@
- #include "set.h"
+@@ -11,6 +11,7 @@
+ #include "missing_capability.h"
  #include "string-util.h"
  #include "strv.h"
 +#include "missing_stdlib.h"
@@ -405,7 +406,7 @@ index 28d8336718..5d3ce88a53 100644
  static int node_vtable_get_userdata(
                  sd_bus *bus,
 diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
-index 14951ccb33..b7f86ca501 100644
+index af67fc70eb..f80afa8327 100644
 --- a/src/libsystemd/sd-bus/bus-socket.c
 +++ b/src/libsystemd/sd-bus/bus-socket.c
 @@ -28,6 +28,7 @@
@@ -417,7 +418,7 @@ index 14951ccb33..b7f86ca501 100644
  #define SNDBUF_SIZE (8*1024*1024)
  
 diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
-index 9e1d29cc1d..8c3165f0ce 100644
+index 8f12be6d56..01945df0c4 100644
 --- a/src/libsystemd/sd-bus/sd-bus.c
 +++ b/src/libsystemd/sd-bus/sd-bus.c
 @@ -43,6 +43,7 @@
@@ -441,7 +442,7 @@ index 317653bedc..d028216c48 100644
  #define MAX_SIZE (2*1024*1024)
  
 diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
-index 7a6cc4aca3..b7f7cd65c5 100644
+index de9deb2e6d..6f4e1856d5 100644
 --- a/src/libsystemd/sd-journal/sd-journal.c
 +++ b/src/libsystemd/sd-journal/sd-journal.c
 @@ -41,6 +41,7 @@
@@ -450,10 +451,10 @@ index 7a6cc4aca3..b7f7cd65c5 100644
  #include "syslog-util.h"
 +#include "missing_stdlib.h"
  
- #define JOURNAL_FILES_MAX 7168
+ #define JOURNAL_FILES_RECHECK_USEC (2 * USEC_PER_SEC)
  
 diff --git a/src/locale/keymap-util.c b/src/locale/keymap-util.c
-index 10d2ed7aec..4fbe3f6b4a 100644
+index eaa1c6f0d2..7014c1e227 100644
 --- a/src/locale/keymap-util.c
 +++ b/src/locale/keymap-util.c
 @@ -24,6 +24,7 @@
@@ -489,7 +490,7 @@ index 063ad08d80..f9823a433b 100644
  /*
    # .network
 diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
-index 1f58bf3ed4..8457a3b0e3 100644
+index c4be8f5d4e..04ab34f165 100644
 --- a/src/nspawn/nspawn-settings.c
 +++ b/src/nspawn/nspawn-settings.c
 @@ -17,6 +17,7 @@
@@ -513,7 +514,7 @@ index c64e79bdff..eda26b0b9a 100644
  static void setup_logging_once(void) {
          static pthread_once_t once = PTHREAD_ONCE_INIT;
 diff --git a/src/portable/portable.c b/src/portable/portable.c
-index 0e6461ba93..54148d5924 100644
+index 3f73151bfe..452cadb764 100644
 --- a/src/portable/portable.c
 +++ b/src/portable/portable.c
 @@ -39,6 +39,7 @@
@@ -525,7 +526,7 @@ index 0e6461ba93..54148d5924 100644
  /* Markers used in the first line of our 20-portable.conf unit file drop-in to determine, that a) the unit file was
   * dropped there by the portable service logic and b) for which image it was dropped there. */
 diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c
-index 5b3ceeff36..d36d1d57ae 100644
+index 5ec4b63568..5a6a32f691 100644
 --- a/src/resolve/resolvectl.c
 +++ b/src/resolve/resolvectl.c
 @@ -43,6 +43,7 @@
@@ -561,7 +562,7 @@ index 87c0334fec..402ab3493b 100644
  struct CGroupInfo {
          char *cgroup_path;
 diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
-index dcce530c99..faf5a5bda0 100644
+index ef134bcee4..48a5c3bec6 100644
 --- a/src/shared/bus-unit-util.c
 +++ b/src/shared/bus-unit-util.c
 @@ -49,6 +49,7 @@
@@ -585,7 +586,7 @@ index 4a2b7684bc..ee6d687c58 100644
  static int name_owner_change_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
          sd_event *e = userdata;
 diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
-index f54b187a1b..299758c7e4 100644
+index 5e0d921487..f9a39b60d9 100644
 --- a/src/shared/dns-domain.c
 +++ b/src/shared/dns-domain.c
 @@ -17,6 +17,7 @@
@@ -609,7 +610,7 @@ index c6caf9330a..ebe33bd44a 100644
  enum {
          IMPORTER_STATE_LINE = 0,    /* waiting to read, or reading line */
 diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
-index cf83eb6bca..e672a003a3 100644
+index e2315e6eb1..65533b412c 100644
 --- a/src/shared/logs-show.c
 +++ b/src/shared/logs-show.c
 @@ -42,6 +42,7 @@
@@ -669,7 +670,7 @@ index cc9a7cb838..a679614a47 100644
  
  TEST(hexchar) {
 diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c
-index ae92e45205..1e6f3205cb 100644
+index 1084eb2d81..db07b84124 100644
 --- a/src/udev/udev-builtin-path_id.c
 +++ b/src/udev/udev-builtin-path_id.c
 @@ -22,6 +22,7 @@
@@ -693,7 +694,7 @@ index a60e4f294c..571c43765b 100644
  typedef struct Spawn {
          sd_device *device;
 diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
-index 1a384d6b38..0089833e3f 100644
+index cf461e1e68..9d6431d865 100644
 --- a/src/udev/udev-rules.c
 +++ b/src/udev/udev-rules.c
 @@ -34,6 +34,7 @@
@@ -704,6 +705,3 @@ index 1a384d6b38..0089833e3f 100644
  
  #define RULES_DIRS (const char* const*) CONF_PATHS_STRV("udev/rules.d")
  
--- 
-2.34.1
-

meta/recipes-core/systemd/systemd/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch

@@ -1,4 +1,4 @@
-From 74c664bcd6b9a5fcf3466310c07f608d12456f7f Mon Sep 17 00:00:00 2001
+From 5de6ab5196cfd629f4a15f8d0d34f69b1e425715 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 14:56:21 +0800
 Subject: [PATCH] don't fail if GLOB_BRACE and GLOB_ALTDIRFUNC is not defined
@@ -115,7 +115,7 @@ index ec8b74f48f..d99a6095df 100644
  
          (void) rm_rf(template, REMOVE_ROOT|REMOVE_PHYSICAL);
 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
-index fcab51c208..fdef1807ae 100644
+index 07ef3af0a0..8293661aa7 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
 @@ -67,6 +67,12 @@
@@ -131,7 +131,7 @@ index fcab51c208..fdef1807ae 100644
  /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
   * them in the file system. This is intended to be used to create
   * properly owned directories beneath /tmp, /var/tmp, /run, which are
-@@ -1961,7 +1967,9 @@ finish:
+@@ -1958,7 +1964,9 @@ finish:
  
  static int glob_item(Item *i, action_t action) {
          _cleanup_globfree_ glob_t g = {
@@ -141,7 +141,7 @@ index fcab51c208..fdef1807ae 100644
          };
          int r = 0, k;
          char **fn;
-@@ -1981,7 +1989,9 @@ static int glob_item(Item *i, action_t action) {
+@@ -1978,7 +1986,9 @@ static int glob_item(Item *i, action_t action) {
  
  static int glob_item_recursively(Item *i, fdaction_t action) {
          _cleanup_globfree_ glob_t g = {

meta/recipes-core/systemd/systemd/0008-add-missing-FTW_-macros-for-musl.patch

@@ -1,4 +1,4 @@
-From a0450f7909348e7ff1d58adc0aee4119a0519c1f Mon Sep 17 00:00:00 2001
+From 427534fec8c205a9a97b20a4075dd84e1faca611 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:00:06 +0800
 Subject: [PATCH] add missing FTW_ macros for musl
@@ -49,7 +49,7 @@ index 6c0456349d..5140892e22 100644
 +#define FTW_SKIP_SIBLINGS 3
 +#endif
 diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
-index 7917968497..cc3d5baaab 100644
+index 7ba579ef63..2d62b1978f 100644
 --- a/src/shared/mount-setup.c
 +++ b/src/shared/mount-setup.c
 @@ -32,6 +32,7 @@

meta/recipes-core/systemd/systemd/0009-fix-missing-of-__register_atfork-for-non-glibc-build.patch

@@ -1,4 +1,4 @@
-From 3ca0920429f7eaf8c59f9ac8afd30a43b83d95ed Mon Sep 17 00:00:00 2001
+From fefd1b6ae9dd75133f86c373ce17d4f15ef05e2d Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:03:47 +0800
 Subject: [PATCH] fix missing of __register_atfork for non-glibc builds
@@ -15,7 +15,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/src/basic/process-util.c b/src/basic/process-util.c
-index c971852158..df6e85b1fc 100644
+index 5e27097cbb..db252b8dfe 100644
 --- a/src/basic/process-util.c
 +++ b/src/basic/process-util.c
 @@ -18,6 +18,9 @@
@@ -28,7 +28,7 @@ index c971852158..df6e85b1fc 100644
  
  #include "alloc-util.h"
  #include "architecture.h"
-@@ -1161,11 +1164,15 @@ void reset_cached_pid(void) {
+@@ -1165,11 +1168,15 @@ void reset_cached_pid(void) {
          cached_pid = CACHED_PID_UNSET;
  }
  

meta/recipes-core/systemd/systemd/0010-Use-uintmax_t-for-handling-rlim_t.patch

@@ -1,4 +1,4 @@
-From 48a791aae7a47a2a08e9e60c18054071a43b8cda Mon Sep 17 00:00:00 2001
+From 4bf0a67c097c53129c772aab6123740d07b66823 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:12:41 +0800
 Subject: [PATCH] Use uintmax_t for handling rlim_t
@@ -87,10 +87,10 @@ index 33dfde9d6c..e018fd81fd 100644
          return 1;
  }
 diff --git a/src/core/execute.c b/src/core/execute.c
-index fccfb9268c..90f00e10a5 100644
+index d2a7bf7e7b..0cc806b929 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
-@@ -5633,9 +5633,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
+@@ -5671,9 +5671,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
          for (unsigned i = 0; i < RLIM_NLIMITS; i++)
                  if (c->rlimit[i]) {
                          fprintf(f, "%sLimit%s: " RLIM_FMT "\n",

meta/recipes-core/systemd/systemd/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch

@@ -1,4 +1,4 @@
-From e8025c8eefdf1be4bba34c48f3430838f3859c52 Mon Sep 17 00:00:00 2001
+From 755d647dc2e0842b89c29211af839c4e61faf006 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Wed, 28 Feb 2018 21:25:22 -0800
 Subject: [PATCH] test-sizeof.c: Disable tests for missing typedefs in musl

meta/recipes-core/systemd/systemd/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch

@@ -1,4 +1,4 @@
-From 46fdc959257d60d9b32953cae0152ae118f8564b Mon Sep 17 00:00:00 2001
+From 5667af9b7ee73ee5a003221aaca5337c306469c7 Mon Sep 17 00:00:00 2001
 From: Andre McCurdy <armccurdy@gmail.com>
 Date: Tue, 10 Oct 2017 14:33:30 -0700
 Subject: [PATCH] don't pass AT_SYMLINK_NOFOLLOW flag to faccessat()
@@ -65,7 +65,7 @@ index 0bbb3f6298..3dc494dbfb 100644
  int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode);
  int touch(const char *path);
 diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
-index 5f5328c8cf..d396bc99fe 100644
+index 2847bcb0fb..fc534435d3 100644
 --- a/src/shared/base-filesystem.c
 +++ b/src/shared/base-filesystem.c
 @@ -117,7 +117,7 @@ int base_filesystem_create(const char *root, uid_t uid, gid_t gid) {

meta/recipes-core/systemd/systemd/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch

@@ -1,4 +1,4 @@
-From d0bdce977b7acc5e45e82cf84256c4bedc0e74c4 Mon Sep 17 00:00:00 2001
+From 1a1ae5dfb989af0e5f6294e26e0c12f49705860b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Sun, 27 May 2018 08:36:44 -0700
 Subject: [PATCH] Define glibc compatible basename() for non-glibc systems

meta/recipes-core/systemd/systemd/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch

@@ -1,4 +1,4 @@
-From e480d28305907c3874f4e58b722b8aa43c3ac7a2 Mon Sep 17 00:00:00 2001
+From 61158232373ec55693e8fa4513b8fcdfb875ecda Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Wed, 4 Jul 2018 15:00:44 +0800
 Subject: [PATCH] Do not disable buffering when writing to oom_score_adj
@@ -25,10 +25,10 @@ Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/basic/process-util.c b/src/basic/process-util.c
-index df6e85b1fc..635dbb5d26 100644
+index db252b8dfe..66bdc74b3f 100644
 --- a/src/basic/process-util.c
 +++ b/src/basic/process-util.c
-@@ -1489,7 +1489,7 @@ int set_oom_score_adjust(int value) {
+@@ -1493,7 +1493,7 @@ int set_oom_score_adjust(int value) {
          xsprintf(t, "%i", value);
  
          return write_string_file("/proc/self/oom_score_adj", t,

meta/recipes-core/systemd/systemd/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch

@@ -1,4 +1,4 @@
-From 0542d27ebbb250c09bdcfcf9f2ea3d27426fe522 Mon Sep 17 00:00:00 2001
+From 3a3c61daffa79ce7b70b6b851110ce13c652d731 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Tue, 10 Jul 2018 15:40:17 +0800
 Subject: [PATCH] distinguish XSI-compliant strerror_r from GNU-specifi

meta/recipes-core/systemd/systemd/0018-avoid-redefinition-of-prctl_mm_map-structure.patch

@@ -1,4 +1,4 @@
-From e1d0210b47906dd121f936f3181092835df6a95c Mon Sep 17 00:00:00 2001
+From b90e69cab3da08fa890e8d276be4d02e39cd83aa Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:44:54 +0800
 Subject: [PATCH] avoid redefinition of prctl_mm_map structure

meta/recipes-core/systemd/systemd/0021-test-json.c-define-M_PIl.patch

@@ -1,4 +1,4 @@
-From e10a73de254b570bbc29b26423dbb86b4265bb05 Mon Sep 17 00:00:00 2001
+From 4f39aa56e738d99ac04e73ba75713db7e05f7252 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 16:53:06 +0800
 Subject: [PATCH] test-json.c: define M_PIl
@@ -19,7 +19,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/src/test/test-json.c b/src/test/test-json.c
-index b385edc269..5e5830238c 100644
+index 2aecbe3557..f7112dc374 100644
 --- a/src/test/test-json.c
 +++ b/src/test/test-json.c
 @@ -14,6 +14,10 @@

meta/recipes-core/systemd/systemd/0022-do-not-disable-buffer-in-writing-files.patch

@@ -1,4 +1,4 @@
-From 414e2f97008a1f3c26a260a6dc4d51a8c1fa6900 Mon Sep 17 00:00:00 2001
+From e79028fbfcc3036df8c2de9d199e4d89cbfff017 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Fri, 1 Mar 2019 15:22:15 +0800
 Subject: [PATCH] do not disable buffer in writing files
@@ -44,10 +44,10 @@ Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  21 files changed, 39 insertions(+), 40 deletions(-)
 
 diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
-index f7dc6c8421..5f7a27c2c4 100644
+index d3bed80620..9af2339353 100644
 --- a/src/basic/cgroup-util.c
 +++ b/src/basic/cgroup-util.c
-@@ -390,7 +390,7 @@ int cg_kill_kernel_sigkill(const char *controller, const char *path) {
+@@ -399,7 +399,7 @@ int cg_kill_kernel_sigkill(const char *controller, const char *path) {
          if (r < 0)
                  return r;
  
@@ -56,7 +56,7 @@ index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -803,7 +803,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
+@@ -812,7 +812,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
  
          sc = strstrip(contents);
          if (isempty(sc)) {
@@ -65,7 +65,7 @@ index f7dc6c8421..5f7a27c2c4 100644
                  if (r < 0)
                          return r;
          } else if (!path_equal(sc, agent))
-@@ -821,7 +821,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
+@@ -830,7 +830,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
  
          sc = strstrip(contents);
          if (streq(sc, "0")) {
@@ -74,7 +74,7 @@ index f7dc6c8421..5f7a27c2c4 100644
                  if (r < 0)
                          return r;
  
-@@ -848,7 +848,7 @@ int cg_uninstall_release_agent(const char *controller) {
+@@ -857,7 +857,7 @@ int cg_uninstall_release_agent(const char *controller) {
          if (r < 0)
                  return r;
  
@@ -83,7 +83,7 @@ index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -858,7 +858,7 @@ int cg_uninstall_release_agent(const char *controller) {
+@@ -867,7 +867,7 @@ int cg_uninstall_release_agent(const char *controller) {
          if (r < 0)
                  return r;
  
@@ -92,7 +92,7 @@ index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -1704,7 +1704,7 @@ int cg_set_attribute(const char *controller, const char *path, const char *attri
+@@ -1713,7 +1713,7 @@ int cg_set_attribute(const char *controller, const char *path, const char *attri
          if (r < 0)
                  return r;
  
@@ -198,7 +198,7 @@ index 18231c2618..6c598d55c8 100644
                          log_warning_errno(r, "Failed to flush binfmt_misc rules, ignoring: %m");
                  else
 diff --git a/src/core/cgroup.c b/src/core/cgroup.c
-index f58de95a49..7a97ab6f99 100644
+index 79681c65be..a346e5d35c 100644
 --- a/src/core/cgroup.c
 +++ b/src/core/cgroup.c
 @@ -4140,7 +4140,7 @@ int unit_cgroup_freezer_action(Unit *u, FreezerAction action) {
@@ -211,10 +211,10 @@ index f58de95a49..7a97ab6f99 100644
                  return r;
  
 diff --git a/src/core/main.c b/src/core/main.c
-index 57aedb9b93..7ef36d22f5 100644
+index 5914be6a83..a4706203f1 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
-@@ -1466,7 +1466,7 @@ static int bump_unix_max_dgram_qlen(void) {
+@@ -1468,7 +1468,7 @@ static int bump_unix_max_dgram_qlen(void) {
          if (v >= DEFAULT_UNIX_MAX_DGRAM_QLEN)
                  return 0;
  
@@ -223,7 +223,7 @@ index 57aedb9b93..7ef36d22f5 100644
                                 "%lu", DEFAULT_UNIX_MAX_DGRAM_QLEN);
          if (r < 0)
                  return log_full_errno(IN_SET(r, -EROFS, -EPERM, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
-@@ -1737,7 +1737,7 @@ static void initialize_core_pattern(bool skip_setup) {
+@@ -1739,7 +1739,7 @@ static void initialize_core_pattern(bool skip_setup) {
          if (getpid_cached() != 1)
                  return;
  
@@ -285,10 +285,10 @@ index 9fdc74b775..9858a2b415 100644
                  log_warning_errno(r, "Failed to drop caches, ignoring: %m");
          else
 diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
-index b163a0fb6b..fd6c5301d6 100644
+index 718a92549d..104222bb16 100644
 --- a/src/libsystemd/sd-device/sd-device.c
 +++ b/src/libsystemd/sd-device/sd-device.c
-@@ -2108,7 +2108,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+@@ -2111,7 +2111,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
          if (!value)
                  return -ENOMEM;
  
@@ -311,10 +311,10 @@ index d472e80c03..c7780c7fc6 100644
                  log_error_errno(r, "Failed to move process: %m");
                  goto finish;
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index fb6af295b5..0d83f1e4d2 100644
+index 573419d7f3..97a81ff8f8 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -2759,7 +2759,7 @@ static int reset_audit_loginuid(void) {
+@@ -2768,7 +2768,7 @@ static int reset_audit_loginuid(void) {
          if (streq(p, "4294967295"))
                  return 0;
  
@@ -323,7 +323,7 @@ index fb6af295b5..0d83f1e4d2 100644
          if (r < 0) {
                  log_error_errno(r,
                                  "Failed to reset audit login UID. This probably means that your kernel is too\n"
-@@ -4175,7 +4175,7 @@ static int setup_uid_map(
+@@ -4184,7 +4184,7 @@ static int setup_uid_map(
                  return log_oom();
  
          xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
@@ -332,7 +332,7 @@ index fb6af295b5..0d83f1e4d2 100644
          if (r < 0)
                  return log_error_errno(r, "Failed to write UID map: %m");
  
-@@ -4185,7 +4185,7 @@ static int setup_uid_map(
+@@ -4194,7 +4194,7 @@ static int setup_uid_map(
                  return log_oom();
  
          xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
@@ -441,7 +441,7 @@ index 7064f3a905..8f2a7d9da2 100644
                          return 0;
                  log_debug_errno(k, "Failed to write '%s' to /sys/power/state: %m", *state);
 diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
-index 0089833e3f..0a6a3abbb4 100644
+index 9d6431d865..c162b6dbfe 100644
 --- a/src/udev/udev-rules.c
 +++ b/src/udev/udev-rules.c
 @@ -2181,7 +2181,6 @@ static int udev_rule_apply_token_to_event(

meta/recipes-core/systemd/systemd/0025-Handle-__cpu_mask-usage.patch

@@ -1,4 +1,4 @@
-From 8871f78c559f37169c0cfaf20b0af1dbec0399af Mon Sep 17 00:00:00 2001
+From 7a270f66384e95635ac512429b4cd51f817e3494 Mon Sep 17 00:00:00 2001
 From: Scott Murray <scott.murray@konsulko.com>
 Date: Fri, 13 Sep 2019 19:26:27 -0400
 Subject: [PATCH] Handle __cpu_mask usage

meta/recipes-core/systemd/systemd/0026-Handle-missing-gshadow.patch

@@ -1,4 +1,4 @@
-From ec519727bb1ceda6e7787ccf86237a6aad07137c Mon Sep 17 00:00:00 2001
+From cac47a8efdf76eec005275162fbf28300dffc13c Mon Sep 17 00:00:00 2001
 From: Alex Kiernan <alex.kiernan@gmail.com>
 Date: Tue, 10 Mar 2020 11:05:20 +0000
 Subject: [PATCH] Handle missing gshadow
@@ -139,7 +139,7 @@ index 22ab04d6ee..4e52e7a911 100644
  #include <shadow.h>
  
 diff --git a/src/shared/userdb.c b/src/shared/userdb.c
-index 0eddd382e6..d506b8e263 100644
+index ec0c835cad..5e4b1028c6 100644
 --- a/src/shared/userdb.c
 +++ b/src/shared/userdb.c
 @@ -1046,13 +1046,15 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {

meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch

@@ -1,4 +1,4 @@
-From 754a16eeb255c06dbdd4655632276573f0f075ec Mon Sep 17 00:00:00 2001
+From bf6d00a780db808de6a5dfc28e24906f699fd60e Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 12 Apr 2021 23:44:53 -0700
 Subject: [PATCH] missing_syscall.h: Define MIPS ABI defines for musl
@@ -34,7 +34,7 @@ index 793d111c55..9665848b88 100644
  #include "missing_keyctl.h"
  #include "missing_stat.h"
 diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
-index d396bc99fe..7e9c0c3412 100644
+index fc534435d3..5929ca1fce 100644
 --- a/src/shared/base-filesystem.c
 +++ b/src/shared/base-filesystem.c
 @@ -19,6 +19,7 @@

meta/recipes-core/systemd/systemd/CVE-2022-3821.patch

@@ -1,45 +0,0 @@
-From bff52d96598956163d73b7c7bdec7b0ad5b3c2d4 Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Tue, 15 Nov 2022 16:52:03 +0530
-Subject: [PATCH] CVE-2022-3821
-
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/72d4c15a946d20143cd4c6783c802124bc894dc7]
-CVE: CVE-2022-3821
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/basic/time-util.c     | 2 +-
- src/test/test-time-util.c | 5 +++++
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index b659d6905d..89dc593d44 100644
---- a/src/basic/time-util.c
-+++ b/src/basic/time-util.c
-@@ -588,7 +588,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
-                         t = b;
-                 }
- 
--                n = MIN((size_t) k, l);
-+                n = MIN((size_t) k, l-1);
- 
-                 l -= n;
-                 p += n;
-diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
-index 4d0131827e..8db6b25279 100644
---- a/src/test/test-time-util.c
-+++ b/src/test/test-time-util.c
-@@ -238,6 +238,11 @@ TEST(format_timespan) {
-         test_format_timespan_accuracy(1);
-         test_format_timespan_accuracy(USEC_PER_MSEC);
-         test_format_timespan_accuracy(USEC_PER_SEC);
-+
-+        /* See issue #23928. */
-+        _cleanup_free_ char *buf;
-+        assert_se(buf = new(char, 5));
-+        assert_se(buf == format_timespan(buf, 5, 100005, 1000));
- }
- 
- TEST(verify_timezone) {
--- 
-2.25.1
-

meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch

@@ -1,109 +0,0 @@
-From 45d323fc889a55fae400a5b08a56273d5724ef4a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 29 Nov 2022 09:00:16 +0100
-Subject: [PATCH 1/2] coredump: adjust whitespace
-
-(cherry picked from commit 510a146634f3e095b34e2a26023b1b1f99dcb8c0)
-(cherry picked from commit cc2eb7a9b5fd6d9dd8ea35fb045ce6e5e16e1187)
-(cherry picked from commit cb044d734c44cd3c05a6e438b5b995b2a9cfa73c)
-
-Preparation to avoid conflicts when applying CVE CVE-2022-4415
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/45d323fc889a55fae400a5b08a56273d5724ef4a]
-
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/coredump/coredump.c | 56 ++++++++++++++++++++---------------------
- 1 file changed, 28 insertions(+), 28 deletions(-)
-
-diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
-index eaea63f682..8295b03ac7 100644
---- a/src/coredump/coredump.c
-+++ b/src/coredump/coredump.c
-@@ -103,16 +103,16 @@ enum {
- };
- 
- static const char * const meta_field_names[_META_MAX] = {
--        [META_ARGV_PID]          = "COREDUMP_PID=",
--        [META_ARGV_UID]          = "COREDUMP_UID=",
--        [META_ARGV_GID]          = "COREDUMP_GID=",
--        [META_ARGV_SIGNAL]       = "COREDUMP_SIGNAL=",
--        [META_ARGV_TIMESTAMP]    = "COREDUMP_TIMESTAMP=",
--        [META_ARGV_RLIMIT]       = "COREDUMP_RLIMIT=",
--        [META_ARGV_HOSTNAME]     = "COREDUMP_HOSTNAME=",
--        [META_COMM]              = "COREDUMP_COMM=",
--        [META_EXE]               = "COREDUMP_EXE=",
--        [META_UNIT]              = "COREDUMP_UNIT=",
-+        [META_ARGV_PID]       = "COREDUMP_PID=",
-+        [META_ARGV_UID]       = "COREDUMP_UID=",
-+        [META_ARGV_GID]       = "COREDUMP_GID=",
-+        [META_ARGV_SIGNAL]    = "COREDUMP_SIGNAL=",
-+        [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=",
-+        [META_ARGV_RLIMIT]    = "COREDUMP_RLIMIT=",
-+        [META_ARGV_HOSTNAME]  = "COREDUMP_HOSTNAME=",
-+        [META_COMM]           = "COREDUMP_COMM=",
-+        [META_EXE]            = "COREDUMP_EXE=",
-+        [META_UNIT]           = "COREDUMP_UNIT=",
- };
- 
- typedef struct Context {
-@@ -131,9 +131,9 @@ typedef enum CoredumpStorage {
- } CoredumpStorage;
- 
- static const char* const coredump_storage_table[_COREDUMP_STORAGE_MAX] = {
--        [COREDUMP_STORAGE_NONE] = "none",
-+        [COREDUMP_STORAGE_NONE]     = "none",
-         [COREDUMP_STORAGE_EXTERNAL] = "external",
--        [COREDUMP_STORAGE_JOURNAL] = "journal",
-+        [COREDUMP_STORAGE_JOURNAL]  = "journal",
- };
- 
- DEFINE_PRIVATE_STRING_TABLE_LOOKUP(coredump_storage, CoredumpStorage);
-@@ -149,13 +149,13 @@ static uint64_t arg_max_use = UINT64_MAX;
- 
- static int parse_config(void) {
-         static const ConfigTableItem items[] = {
--                { "Coredump", "Storage",          config_parse_coredump_storage,           0, &arg_storage           },
--                { "Coredump", "Compress",         config_parse_bool,                       0, &arg_compress          },
--                { "Coredump", "ProcessSizeMax",   config_parse_iec_uint64,                 0, &arg_process_size_max  },
--                { "Coredump", "ExternalSizeMax",  config_parse_iec_uint64_infinity,        0, &arg_external_size_max },
--                { "Coredump", "JournalSizeMax",   config_parse_iec_size,                   0, &arg_journal_size_max  },
--                { "Coredump", "KeepFree",         config_parse_iec_uint64,                 0, &arg_keep_free         },
--                { "Coredump", "MaxUse",           config_parse_iec_uint64,                 0, &arg_max_use           },
-+                { "Coredump", "Storage",          config_parse_coredump_storage,     0, &arg_storage           },
-+                { "Coredump", "Compress",         config_parse_bool,                 0, &arg_compress          },
-+                { "Coredump", "ProcessSizeMax",   config_parse_iec_uint64,           0, &arg_process_size_max  },
-+                { "Coredump", "ExternalSizeMax",  config_parse_iec_uint64_infinity,  0, &arg_external_size_max },
-+                { "Coredump", "JournalSizeMax",   config_parse_iec_size,             0, &arg_journal_size_max  },
-+                { "Coredump", "KeepFree",         config_parse_iec_uint64,           0, &arg_keep_free         },
-+                { "Coredump", "MaxUse",           config_parse_iec_uint64,           0, &arg_max_use           },
-                 {}
-         };
- 
-@@ -201,15 +201,15 @@ static int fix_acl(int fd, uid_t uid) {
- static int fix_xattr(int fd, const Context *context) {
- 
-         static const char * const xattrs[_META_MAX] = {
--                [META_ARGV_PID]          = "user.coredump.pid",
--                [META_ARGV_UID]          = "user.coredump.uid",
--                [META_ARGV_GID]          = "user.coredump.gid",
--                [META_ARGV_SIGNAL]       = "user.coredump.signal",
--                [META_ARGV_TIMESTAMP]    = "user.coredump.timestamp",
--                [META_ARGV_RLIMIT]       = "user.coredump.rlimit",
--                [META_ARGV_HOSTNAME]     = "user.coredump.hostname",
--                [META_COMM]              = "user.coredump.comm",
--                [META_EXE]               = "user.coredump.exe",
-+                [META_ARGV_PID]       = "user.coredump.pid",
-+                [META_ARGV_UID]       = "user.coredump.uid",
-+                [META_ARGV_GID]       = "user.coredump.gid",
-+                [META_ARGV_SIGNAL]    = "user.coredump.signal",
-+                [META_ARGV_TIMESTAMP] = "user.coredump.timestamp",
-+                [META_ARGV_RLIMIT]    = "user.coredump.rlimit",
-+                [META_ARGV_HOSTNAME]  = "user.coredump.hostname",
-+                [META_COMM]           = "user.coredump.comm",
-+                [META_EXE]            = "user.coredump.exe",
-         };
- 
-         int r = 0;
--- 
-2.30.2
-

meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch

@@ -1,391 +0,0 @@
-From 1d5e0e9910500f3c3584485f77bfc35e601036e3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 28 Nov 2022 12:12:55 +0100
-Subject: [PATCH 2/2] coredump: do not allow user to access coredumps with
- changed uid/gid/capabilities
-
-When the user starts a program which elevates its permissions via setuid,
-setgid, or capabilities set on the file, it may access additional information
-which would then be visible in the coredump. We shouldn't make the the coredump
-visible to the user in such cases.
-
-Reported-by: Matthias Gerstner <mgerstner@suse.de>
-
-This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
-PROC_AUXV. Before the coredump is submitted, it is parsed and if either
-at_secure was set (which the kernel will do for processes that are setuid,
-setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
-is not made accessible to the user. If we can't access this data, we assume the
-file should not be made accessible either. In principle we could also access
-the auxv data from a note in the core file, but that is much more complex and
-it seems better to use the stand-alone file that is provided by the kernel.
-
-Attaching auxv is both convient for this patch (because this way it's passed
-between the stages along with other fields), but I think it makes sense to save
-it in general.
-
-We use the information early in the core file to figure out if the program was
-32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
-whether the format of the auxv structure. This test might reject some cases on
-fringe architecutes. But the impact would be limited: we just won't grant the
-user permissions to view the coredump file. If people report that we're missing
-some cases, we can always enhance this to support more architectures.
-
-I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
-ppc64el, but not the whole coredump handling.
-
-(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
-(cherry picked from commit 9b75a3d0502d6741c8ecb7175794345f8eb3827c)
-(cherry picked from commit efca5283dc791a07171f80eef84e14fdb58fad57)
-
-CVE: CVE-2022-4415
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1d5e0e9910500f3c3584485f77bfc35e601036e3]
-
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/basic/io-util.h     |   9 ++
- src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++---
- 2 files changed, 192 insertions(+), 13 deletions(-)
-
-diff --git a/src/basic/io-util.h b/src/basic/io-util.h
-index 39728e06bc..3afb134266 100644
---- a/src/basic/io-util.h
-+++ b/src/basic/io-util.h
-@@ -91,7 +91,16 @@ struct iovec_wrapper *iovw_new(void);
- struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw);
- struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw);
- void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors);
-+
- int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len);
-+static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) {
-+        /* Move data into iovw or free on error */
-+        int r = iovw_put(iovw, data, len);
-+        if (r < 0)
-+                free(data);
-+        return r;
-+}
-+
- int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value);
- int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value);
- void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new);
-diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
-index 8295b03ac7..79280ab986 100644
---- a/src/coredump/coredump.c
-+++ b/src/coredump/coredump.c
-@@ -4,6 +4,7 @@
- #include <stdio.h>
- #include <sys/prctl.h>
- #include <sys/statvfs.h>
-+#include <sys/auxv.h>
- #include <sys/xattr.h>
- #include <unistd.h>
- 
-@@ -99,6 +100,7 @@ enum {
- 
-         META_EXE = _META_MANDATORY_MAX,
-         META_UNIT,
-+        META_PROC_AUXV,
-         _META_MAX
- };
- 
-@@ -113,10 +115,12 @@ static const char * const meta_field_names[_META_MAX] = {
-         [META_COMM]           = "COREDUMP_COMM=",
-         [META_EXE]            = "COREDUMP_EXE=",
-         [META_UNIT]           = "COREDUMP_UNIT=",
-+        [META_PROC_AUXV]      = "COREDUMP_PROC_AUXV=",
- };
- 
- typedef struct Context {
-         const char *meta[_META_MAX];
-+        size_t meta_size[_META_MAX];
-         pid_t pid;
-         bool is_pid1;
-         bool is_journald;
-@@ -178,13 +182,16 @@ static uint64_t storage_size_max(void) {
-         return 0;
- }
- 
--static int fix_acl(int fd, uid_t uid) {
-+static int fix_acl(int fd, uid_t uid, bool allow_user) {
-+        assert(fd >= 0);
-+        assert(uid_is_valid(uid));
- 
- #if HAVE_ACL
-         int r;
- 
--        assert(fd >= 0);
--        assert(uid_is_valid(uid));
-+        /* We don't allow users to read coredumps if the uid or capabilities were changed. */
-+        if (!allow_user)
-+                return 0;
- 
-         if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY)
-                 return 0;
-@@ -244,7 +251,8 @@ static int fix_permissions(
-                 const char *filename,
-                 const char *target,
-                 const Context *context,
--                uid_t uid) {
-+                uid_t uid,
-+                bool allow_user) {
- 
-         int r;
- 
-@@ -254,7 +262,7 @@ static int fix_permissions(
- 
-         /* Ignore errors on these */
-         (void) fchmod(fd, 0640);
--        (void) fix_acl(fd, uid);
-+        (void) fix_acl(fd, uid, allow_user);
-         (void) fix_xattr(fd, context);
- 
-         r = fsync_full(fd);
-@@ -324,6 +332,153 @@ static int make_filename(const Context *context, char **ret) {
-         return 0;
- }
- 
-+static int parse_auxv64(
-+                const uint64_t *auxv,
-+                size_t size_bytes,
-+                int *at_secure,
-+                uid_t *uid,
-+                uid_t *euid,
-+                gid_t *gid,
-+                gid_t *egid) {
-+
-+        assert(auxv || size_bytes == 0);
-+
-+        if (size_bytes % (2 * sizeof(uint64_t)) != 0)
-+                return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
-+
-+        size_t words = size_bytes / sizeof(uint64_t);
-+
-+        /* Note that we set output variables even on error. */
-+
-+        for (size_t i = 0; i + 1 < words; i += 2)
-+                switch (auxv[i]) {
-+                case AT_SECURE:
-+                        *at_secure = auxv[i + 1] != 0;
-+                        break;
-+                case AT_UID:
-+                        *uid = auxv[i + 1];
-+                        break;
-+                case AT_EUID:
-+                        *euid = auxv[i + 1];
-+                        break;
-+                case AT_GID:
-+                        *gid = auxv[i + 1];
-+                        break;
-+                case AT_EGID:
-+                        *egid = auxv[i + 1];
-+                        break;
-+                case AT_NULL:
-+                        if (auxv[i + 1] != 0)
-+                                goto error;
-+                        return 0;
-+                }
-+ error:
-+        return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
-+                                 "AT_NULL terminator not found, cannot parse auxv structure.");
-+}
-+
-+static int parse_auxv32(
-+                const uint32_t *auxv,
-+                size_t size_bytes,
-+                int *at_secure,
-+                uid_t *uid,
-+                uid_t *euid,
-+                gid_t *gid,
-+                gid_t *egid) {
-+
-+        assert(auxv || size_bytes == 0);
-+
-+        size_t words = size_bytes / sizeof(uint32_t);
-+
-+        if (size_bytes % (2 * sizeof(uint32_t)) != 0)
-+                return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
-+
-+        /* Note that we set output variables even on error. */
-+
-+        for (size_t i = 0; i + 1 < words; i += 2)
-+                switch (auxv[i]) {
-+                case AT_SECURE:
-+                        *at_secure = auxv[i + 1] != 0;
-+                        break;
-+                case AT_UID:
-+                        *uid = auxv[i + 1];
-+                        break;
-+                case AT_EUID:
-+                        *euid = auxv[i + 1];
-+                        break;
-+                case AT_GID:
-+                        *gid = auxv[i + 1];
-+                        break;
-+                case AT_EGID:
-+                        *egid = auxv[i + 1];
-+                        break;
-+                case AT_NULL:
-+                        if (auxv[i + 1] != 0)
-+                                goto error;
-+                        return 0;
-+                }
-+ error:
-+        return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
-+                                 "AT_NULL terminator not found, cannot parse auxv structure.");
-+}
-+
-+static int grant_user_access(int core_fd, const Context *context) {
-+        int at_secure = -1;
-+        uid_t uid = UID_INVALID, euid = UID_INVALID;
-+        uid_t gid = GID_INVALID, egid = GID_INVALID;
-+        int r;
-+
-+        assert(core_fd >= 0);
-+        assert(context);
-+
-+        if (!context->meta[META_PROC_AUXV])
-+                return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions.");
-+
-+        uint8_t elf[EI_NIDENT];
-+        errno = 0;
-+        if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf))
-+                return log_warning_errno(errno_or_else(EIO),
-+                                         "Failed to pread from coredump fd: %s", errno != 0 ? strerror_safe(errno) : "Unexpected EOF");
-+
-+        if (elf[EI_MAG0] != ELFMAG0 ||
-+            elf[EI_MAG1] != ELFMAG1 ||
-+            elf[EI_MAG2] != ELFMAG2 ||
-+            elf[EI_MAG3] != ELFMAG3 ||
-+            elf[EI_VERSION] != EV_CURRENT)
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file does not have ELF header, not adjusting permissions.");
-+        if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) ||
-+            !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB))
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file has strange ELF class, not adjusting permissions.");
-+
-+        if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN))
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file has non-native endianness, not adjusting permissions.");
-+
-+        if (elf[EI_CLASS] == ELFCLASS64)
-+                r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV],
-+                                 context->meta_size[META_PROC_AUXV],
-+                                 &at_secure, &uid, &euid, &gid, &egid);
-+        else
-+                r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV],
-+                                 context->meta_size[META_PROC_AUXV],
-+                                 &at_secure, &uid, &euid, &gid, &egid);
-+        if (r < 0)
-+                return r;
-+
-+        /* We allow access if we got all the data and at_secure is not set and
-+         * the uid/gid matches euid/egid. */
-+        bool ret =
-+                at_secure == 0 &&
-+                uid != UID_INVALID && euid != UID_INVALID && uid == euid &&
-+                gid != GID_INVALID && egid != GID_INVALID && gid == egid;
-+        log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
-+                  ret ? "permit" : "restrict",
-+                  uid, euid, gid, egid, yes_no(at_secure));
-+        return ret;
-+}
-+
- static int save_external_coredump(
-                 const Context *context,
-                 int input_fd,
-@@ -446,6 +601,8 @@ static int save_external_coredump(
-                                 context->meta[META_ARGV_PID], context->meta[META_COMM]);
-         truncated = r == 1;
- 
-+        bool allow_user = grant_user_access(fd, context) > 0;
-+
- #if HAVE_COMPRESSION
-         if (arg_compress) {
-                 _cleanup_(unlink_and_freep) char *tmp_compressed = NULL;
-@@ -483,7 +640,7 @@ static int save_external_coredump(
-                         uncompressed_size += partial_uncompressed_size;
-                 }
- 
--                r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid);
-+                r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user);
-                 if (r < 0)
-                         return r;
- 
-@@ -510,7 +667,7 @@ static int save_external_coredump(
-                            "SIZE_LIMIT=%zu", max_size,
-                            "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR);
- 
--        r = fix_permissions(fd, tmp, fn, context, uid);
-+        r = fix_permissions(fd, tmp, fn, context, uid, allow_user);
-         if (r < 0)
-                 return log_error_errno(r, "Failed to fix permissions and finalize coredump %s into %s: %m", coredump_tmpfile_name(tmp), fn);
- 
-@@ -758,7 +915,7 @@ static int change_uid_gid(const Context *context) {
- }
- 
- static int submit_coredump(
--                Context *context,
-+                const Context *context,
-                 struct iovec_wrapper *iovw,
-                 int input_fd) {
- 
-@@ -919,16 +1076,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) {
-                 struct iovec *iovec = iovw->iovec + n;
- 
-                 for (size_t i = 0; i < ELEMENTSOF(meta_field_names); i++) {
--                        char *p;
--
-                         /* Note that these strings are NUL terminated, because we made sure that a
-                          * trailing NUL byte is in the buffer, though not included in the iov_len
-                          * count (see process_socket() and gather_pid_metadata_*()) */
-                         assert(((char*) iovec->iov_base)[iovec->iov_len] == 0);
- 
--                        p = startswith(iovec->iov_base, meta_field_names[i]);
-+                        const char *p = startswith(iovec->iov_base, meta_field_names[i]);
-                         if (p) {
-                                 context->meta[i] = p;
-+                                context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]);
-                                 count++;
-                                 break;
-                         }
-@@ -1170,6 +1326,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) {
-         uid_t owner_uid;
-         pid_t pid;
-         char *t;
-+        size_t size;
-         const char *p;
-         int r;
- 
-@@ -1234,13 +1391,26 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) {
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t);
- 
-         p = procfs_file_alloca(pid, "cgroup");
--        if (read_full_virtual_file(p, &t, NULL) >=0)
-+        if (read_full_virtual_file(p, &t, NULL) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t);
- 
-         p = procfs_file_alloca(pid, "mountinfo");
--        if (read_full_virtual_file(p, &t, NULL) >=0)
-+        if (read_full_virtual_file(p, &t, NULL) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t);
- 
-+        /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */
-+        p = procfs_file_alloca(pid, "auxv");
-+        if (read_full_virtual_file(p, &t, &size) >= 0) {
-+                char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1);
-+                if (buf) {
-+                        /* Add a dummy terminator to make save_context() happy. */
-+                        *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0';
-+                        (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV="));
-+                }
-+
-+                free(t);
-+        }
-+
-         if (get_process_cwd(pid, &t) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t);
- 
--- 
-2.30.2
-

meta/recipes-core/systemd/systemd/CVE-2022-45873.patch

@@ -1,124 +0,0 @@
-From 076b807be472630692c5348c60d0c2b7b28ad437 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 18 Oct 2022 18:23:53 +0200
-Subject: [PATCH] coredump: avoid deadlock when passing processed backtrace
- data
-
-We would deadlock when passing the data back from the forked-off process that
-was doing backtrace generation back to the coredump parent. This is because we
-fork the child and wait for it to exit. The child tries to write too much data
-to the output pipe, and and after the first 64k blocks on the parent because
-the pipe is full. The bug surfaced in Fedora because of a combination of four
-factors:
-- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which
-  allowed coredump processing to be successful.
-- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output
-  was very verbose.
-- Fedora has the ELF package metadata available, so a lot of output can be
-  generated. Most other distros just don't have the information.
-- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output
-  are generated for it.
-
-Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778.
-
-The code is changed to try to write data opportunistically. If we get partial
-information, that is still logged. In is generally better to log partial
-backtrace information than nothing at all.
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437]
-CVE: CVE-2022-45873
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/shared/elf-util.c | 37 +++++++++++++++++++++++++++++++------
- 1 file changed, 31 insertions(+), 6 deletions(-)
-
-diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
-index 6d9fcfbbf2..bd27507346 100644
---- a/src/shared/elf-util.c
-+++ b/src/shared/elf-util.c
-@@ -30,6 +30,9 @@
- #define THREADS_MAX 64
- #define ELF_PACKAGE_METADATA_ID 0xcafe1a7e
- 
-+/* The amount of data we're willing to write to each of the output pipes. */
-+#define COREDUMP_PIPE_MAX (1024*1024U)
-+
- static void *dw_dl = NULL;
- static void *elf_dl = NULL;
- 
-@@ -700,13 +703,13 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                 return r;
- 
-         if (ret) {
--                r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC));
-+                r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC|O_NONBLOCK));
-                 if (r < 0)
-                         return r;
-         }
- 
-         if (ret_package_metadata) {
--                r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC));
-+                r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC|O_NONBLOCK));
-                 if (r < 0)
-                         return r;
-         }
-@@ -750,8 +753,24 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                         goto child_fail;
- 
-                 if (buf) {
--                        r = loop_write(return_pipe[1], buf, strlen(buf), false);
--                        if (r < 0)
-+                        size_t len = strlen(buf);
-+
-+                        if (len > COREDUMP_PIPE_MAX) {
-+                                /* This is iffy. A backtrace can be a few hundred kilobytes, but too much is
-+                                 * too much. Let's log a warning and ignore the rest. */
-+                                log_warning("Generated backtrace is %zu bytes (more than the limit of %u bytes), backtrace will be truncated.",
-+                                            len, COREDUMP_PIPE_MAX);
-+                                len = COREDUMP_PIPE_MAX;
-+                        }
-+
-+                        /* Bump the space for the returned string.
-+                         * Failure is ignored, because partial output is still useful. */
-+                        (void) fcntl(return_pipe[1], F_SETPIPE_SZ, len);
-+
-+                        r = loop_write(return_pipe[1], buf, len, false);
-+                        if (r == -EAGAIN)
-+                                log_warning("Write failed, backtrace will be truncated.");
-+                        else if (r < 0)
-                                 goto child_fail;
- 
-                         return_pipe[1] = safe_close(return_pipe[1]);
-@@ -760,13 +779,19 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                 if (package_metadata) {
-                         _cleanup_fclose_ FILE *json_out = NULL;
- 
-+                        /* Bump the space for the returned string. We don't know how much space we'll need in
-+                         * advance, so we'll just try to write as much as possible and maybe fail later. */
-+                        (void) fcntl(json_pipe[1], F_SETPIPE_SZ, COREDUMP_PIPE_MAX);
-+
-                         json_out = take_fdopen(&json_pipe[1], "w");
-                         if (!json_out) {
-                                 r = -errno;
-                                 goto child_fail;
-                         }
- 
--                        json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-+                        r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-+                        if (r < 0)
-+                                log_warning_errno(r, "Failed to write JSON package metadata, ignoring: %m");
-                 }
- 
-                 _exit(EXIT_SUCCESS);
-@@ -801,7 +826,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
- 
-                 r = json_parse_file(json_in, NULL, 0, &package_metadata, NULL, NULL);
-                 if (r < 0 && r != -EINVAL) /* EINVAL: json was empty, so we got nothing, but that's ok */
--                        return r;
-+                        log_warning_errno(r, "Failed to read or parse json metadata, ignoring: %m");
-         }
- 
-         if (ret)
--- 
-2.25.1
-

meta/recipes-core/systemd/systemd/CVE-2023-7008.patch

@@ -1,40 +0,0 @@
-From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Wed, 20 Dec 2023 16:44:14 +0100
-Subject: [PATCH] resolved: actually check authenticated flag of SOA
- transaction
-
-Fixes #25676
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
-CVE: CVE-2023-7008
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/resolve/resolved-dns-transaction.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
-index f937f9f7b5..7deb598400 100644
---- a/src/resolve/resolved-dns-transaction.c
-+++ b/src/resolve/resolved-dns-transaction.c
-@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
-                         if (r == 0)
-                                 continue;
- 
--                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-                 }
- 
-                 return true;
-@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
-                         /* We found the transaction that was supposed to find the SOA RR for us. It was
-                          * successful, but found no RR for us. This means we are not at a zone cut. In this
-                          * case, we require authentication if the SOA lookup was authenticated too. */
--                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-                 }
- 
-                 return true;
--- 
-2.25.1
-

meta/recipes-core/systemd/systemd_250.14.bb

@@ -25,15 +25,10 @@ SRC_URI += "file://touchscreen.rules \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch \
            file://0001-resolve-Use-sockaddr-pointer-type-for-bind.patch \
-           file://CVE-2022-3821.patch \
-           file://CVE-2022-45873.patch \
-           file://0001-shared-json-allow-json_variant_dump-to-return-an-err.patch \
-           file://CVE-2022-4415-1.patch \
-           file://CVE-2022-4415-2.patch \
            file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \
            file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
-           file://CVE-2023-7008.patch \
            file://fix-vlan-qos-mapping.patch \
+           file://0001-core-fix-build-when-seccomp-is-off.patch \
            "
 
 # patches needed by musl

meta/recipes-core/zlib/zlib/CVE-2014-9485.patch

@@ -0,0 +1,64 @@
+From 14a5f8f266c16c87ab6c086fc52b770b27701e01 Mon Sep 17 00:00:00 2001
+From: Matt Wilson <msw@amazon.com>
+Date: Wed, 17 Jan 2024 14:46:18 -0800
+Subject: [PATCH] Neutralize zip file traversal attacks in miniunz.
+
+Archive formats such as .zip files are generally susceptible to
+so-called "traversal attacks". This allows an attacker to craft
+an archive that writes to unexpected locations of the file system
+(e.g., /etc/shadow) if an unspecting root user were to unpack a
+malicious archive.
+
+This patch neutralizes absolute paths such as /tmp/moo and deeply
+relative paths such as dummy/../../../../../../../../../../tmp/moo
+
+The Debian project requested CVE-2014-9485 be allocated for the
+first identified weakness. The fix was incomplete, resulting in a
+revised patch applied here. Since there wasn't an updated version
+released by Debian with the incomplete fix, I suggest we use this
+CVE to identify both issues.
+
+Link: https://security.snyk.io/research/zip-slip-vulnerability
+Link: https://bugs.debian.org/774321
+Link: https://bugs.debian.org/776831
+Link: https://nvd.nist.gov/vuln/detail/CVE-2014-9485
+Reported-by: Jakub Wilk <jwilk@debian.org>
+Fixed-by: Michael Gilbert <mgilbert@debian.org>
+
+CVE: CVE-2014-9485
+
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ contrib/minizip/miniunz.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/contrib/minizip/miniunz.c b/contrib/minizip/miniunz.c
+index 3d65401..479e475 100644
+--- a/contrib/minizip/miniunz.c
++++ b/contrib/minizip/miniunz.c
+@@ -367,6 +367,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password)
+         else
+             write_filename = filename_withoutpath;
+ 
++        if (write_filename[0]!='\0')
++        {
++            const char* relative_check = write_filename;
++            while (relative_check[1]!='\0')
++            {
++                if (relative_check[0]=='.' && relative_check[1]=='.')
++                    write_filename = relative_check;
++                relative_check++;
++            }
++        }
++
++        while (write_filename[0]=='/' || write_filename[0]=='.')
++            write_filename++;
++
+         err = unzOpenCurrentFilePassword(uf,password);
+         if (err!=UNZ_OK)
+         {
+-- 
+2.40.0
+

meta/recipes-core/zlib/zlib_1.2.11.bb

@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
            file://run-ptest \
 	    file://CVE-2022-37434.patch \
            file://CVE-2023-45853.patch \
+           file://CVE-2014-9485.patch \
            "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
 

meta/recipes-devtools/binutils/binutils-2.38.inc

@@ -72,5 +72,6 @@ SRC_URI = "\
      file://0035-CVE-2023-39129.patch \
      file://0036-CVE-2023-39130.patch \
      file://0037-CVE-2024-53589.patch \
+     file://0038-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"

meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch

@@ -0,0 +1,53 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Wed, 15 Jan 2025 19:13:43 +1030
+
+PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+CVE: CVE-2025-0840
+
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 59f454b0..bd6180be 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -110,7 +110,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ static int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
++#define MAX_INSN_WIDTH 49
++static unsigned long insn_width;        /* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -2897,7 +2898,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
++	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -5457,8 +5458,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
++	  if (insn_width - 1 >= MAX_INSN_WIDTH)
++	    fatal (_("error: instruction width must be in the range 1 to "
++                     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;

meta/recipes-devtools/elfutils/elfutils_0.186.bb

@@ -23,6 +23,8 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \
            file://0001-debuginfod-fix-compilation-on-platforms-without-erro.patch \
            file://0001-debuginfod-debuginfod-client.c-use-long-for-cache-ti.patch \
+           file://CVE-2025-1352.patch \
+           file://CVE-2025-1372.patch \
            "
 SRC_URI:append:libc-musl = " \
            file://0003-musl-utils.patch \