build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: 5a794fd244f7fdeb426bd5e3def6b4effc0e8c62)

Signed-off-by: Steve Sakoman <steve@sakoman.com>

bitbake/lib/bb/tests/fetch.py

@@ -1621,6 +1621,8 @@ class GitShallowTest(FetcherTest):
         if cwd is None:
             cwd = self.gitdir
         actual_refs = self.git(['for-each-ref', '--format=%(refname)'], cwd=cwd).splitlines()
+        # Resolve references into the same format as the comparision (needed by git 2.48 onwards)
+        actual_refs = self.git(['rev-parse', '--symbolic-full-name'] + actual_refs, cwd=cwd).splitlines()
         full_expected = self.git(['rev-parse', '--symbolic-full-name'] + expected_refs, cwd=cwd).splitlines()
         self.assertEqual(sorted(set(full_expected)), sorted(set(actual_refs)))
 

documentation/dev-manual/building.rst

@@ -280,7 +280,9 @@ Follow these steps to create an :term:`Initramfs` image:
 #. *Create the Initramfs Image Recipe:* You can reference the
    ``core-image-minimal-initramfs.bb`` recipe found in the
    ``meta/recipes-core`` directory of the :term:`Source Directory`
-   as an example from which to work.
+   as an example from which to work. The ``core-image-minimal-initramfs`` recipe
+   is based on the :ref:`initramfs-framework <dev-manual/building:Customizing an
+   Initramfs using \`\`initramfs-framework\`\`>` recipe described below.
 
 #. *Decide if You Need to Bundle the Initramfs Image Into the Kernel
    Image:* If you want the :term:`Initramfs` image that is built to be bundled
@@ -308,6 +310,86 @@ Follow these steps to create an :term:`Initramfs` image:
    and bundled with the kernel image if you used the
    :term:`INITRAMFS_IMAGE_BUNDLE` variable described earlier.
 
+Customizing an Initramfs using ``initramfs-framework``
+------------------------------------------------------
+
+The ``core-image-minimal-initramfs.bb`` recipe found in
+:oe_git:`meta/recipes-core/images
+</openembedded-core/tree/meta/recipes-core/images>` uses the
+:oe_git:`initramfs-framework_1.0.bb
+</openembedded-core/tree/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb>`
+recipe as its base component. The goal of the ``initramfs-framework`` recipe is
+to provide the building blocks to build a customized :term:`Initramfs`.
+
+The ``initramfs-framework`` recipe relies on shell initialization scripts
+defined in :oe_git:`meta/recipes-core/initrdscripts/initramfs-framework
+</openembedded-core/tree/meta/recipes-core/initrdscripts/initramfs-framework>`. Since some of
+these scripts do not apply for all use cases, the ``initramfs-framework`` recipe
+defines different packages:
+
+-  ``initramfs-framework-base``: this package installs the basic components of
+   an :term:`Initramfs`, such as the ``init`` script or the ``/dev/console``
+   character special file. As this package is a runtime dependency of all
+   modules listed below, it is automatically pulled in when one of the modules
+   is installed in the image.
+-  ``initramfs-module-exec``: support for execution of applications.
+-  ``initramfs-module-mdev``: support for `mdev
+   <https://wiki.gentoo.org/wiki/Mdev>`__.
+-  ``initramfs-module-udev``: support for :wikipedia:`Udev <Udev>`.
+-  ``initramfs-module-e2fs``: support for :wikipedia:`ext4/ext3/ext2
+   <Extended_file_system>` filesystems.
+-  ``initramfs-module-nfsrootfs``: support for locating and mounting the root
+   partition via :wikipedia:`NFS <Network_File_System>`.
+-  ``initramfs-module-rootfs``: support for locating and mounting the root
+   partition.
+-  ``initramfs-module-debug``: dynamic debug support.
+-  ``initramfs-module-lvm``: :wikipedia:`LVM <Logical_volume_management>` rootfs support.
+-  ``initramfs-module-overlayroot``: support for mounting a read-write overlay
+   on top of a read-only root filesystem.
+
+In addition to the packages defined by the ``initramfs-framework`` recipe
+itself, the following packages are defined by the recipes present in
+:oe_git:`meta/recipes-core/initrdscripts </openembedded-core/tree/meta/recipes-core/initrdscripts>`:
+
+-  ``initramfs-module-install``: module to create and install a partition layout
+   on a selected block device.
+-  ``initramfs-module-install-efi``: module to create and install an EFI
+   partition layout on a selected block device.
+-  ``initramfs-module-setup-live``: module to start a shell in the
+   :term:`Initramfs` if ``root=/dev/ram0`` in passed in the `Kernel command-line
+   <https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html>`__
+   or the ``root=`` parameter was not passed.
+
+To customize the :term:`Initramfs`, you can add or remove packages listed
+earlier from the :term:`PACKAGE_INSTALL` variable with a :ref:`bbappend
+<dev-manual/layers:Appending Other Layers Metadata With Your Layer>` on the
+``core-image-minimal-initramfs`` recipe, or create a custom recipe for the
+:term:`Initramfs` taking ``core-image-minimal-initramfs`` as example.
+
+Custom scripts can be added to the :term:`Initramfs` by writing your own
+recipes. The recipes are conventionally named ``initramfs-module-<module name>``
+where ``<module name>`` is the name of the module. The recipe should set its
+:term:`RDEPENDS` package-specific variables to include
+``initramfs-framework-base`` and the other packages on which the module depends
+at runtime.
+
+The recipe must install shell initialization scripts in :term:`${D} <D>`\
+``/init.d`` and must follow the ``<number>-<script name>`` naming scheme where:
+
+-  ``<number>`` is a *two-digit* number that affects the execution order of the
+   script compared to others. For example, the script ``80-setup-live`` would be
+   executed after ``01-udev`` because 80 is greater than 01.
+
+   This number being two-digits is important here as the scripts are executed
+   alphabetically. For example, the script ``10-script`` would be executed
+   before the script ``8-script``, because ``1`` is inferior to ``8``.
+   Therefore, the script should be named ``08-script``.
+
+-  ``<script name>`` is the script name which you can choose freely.
+
+   If two script use the same ``<number>``, they are sorted alphabetically based
+   on ``<script name>``.
+
 Bundling an Initramfs Image From a Separate Multiconfig
 -------------------------------------------------------
 

documentation/migration-guides/release-4.0.rst

@@ -30,4 +30,4 @@ Release 4.0 (kirkstone)
    release-notes-4.0.21
    release-notes-4.0.22
    release-notes-4.0.23
-
+   release-notes-4.0.24

documentation/migration-guides/release-notes-4.0.24.rst

@@ -0,0 +1,383 @@
+Release notes for Yocto-4.0.24 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  coreutils: Fix :cve_nist:`2024-0684`
+-  cpio: Ignore :cve_nist:`2023-7216`
+-  diffoscope: Fix :cve_nist:`2024-25711`
+-  ffmpeg: fix :cve_mitre:`2023-47342`, :cve_nist:`2023-50007`, :cve_nist:`2023-50008`,
+   :cve_nist:`2023-51793`, :cve_nist:`2023-51794`, :cve_nist:`2023-51796`, :cve_nist:`2023-51798`,
+   :cve_nist:`2024-7055`, :cve_nist:`2024-31578`, :cve_nist:`2024-31582`, :cve_nist:`2024-32230`,
+   :cve_nist:`2024-35366`, :cve_nist:`2024-35367` and :cve_nist:`2024-35368`
+-  ghostscript: Fix :cve_nist:`2024-46951`, :cve_nist:`2024-46952`, :cve_nist:`2024-46953`,
+   :cve_nist:`2024-46955` and :cve_nist:`2024-46956`
+-  ghostscript: Ignore :cve_nist:`2024-46954`
+-  glib-2.0: Fix :cve_nist:`2024-52533`
+-  gnupg: Ignore :cve_nist:`2022-3515`
+-  grub: Ignore :cve_nist:`2024-1048` and :cve_nist:`2023-4001`
+-  gstreame1.0: Ignore :cve_nist:`2023-40474`, :cve_nist:`2023-40475`, :cve_nist:`2023-40476`,
+   :cve_nist:`2023-44429`, :cve_nist:`2023-44446`, :cve_nist:`2023-50186` and :cve_nist:`2024-0444`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2024-47538`, :cve_nist:`2024-47541`,
+   :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`, :cve_nist:`2024-47615`
+   and :cve_nist:`2024-47835`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2024-47537`, :cve_nist:`2024-47539`,
+   :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`,
+   :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, :cve_nist:`2024-47598`,
+   :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`,
+   :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`,
+   :cve_nist:`2024-47776`, :cve_nist:`2024-47777`, :cve_nist:`2024-47778` and :cve_nist:`2024-47834`
+-  gstreamer1.0: Fix :cve_nist:`2024-47606`
+-  libarchive: Fix :cve_nist:`2024-20696`
+-  libpam: Fix :cve_nist:`2024-10041`
+-  libsdl2: Ignore :cve_nist:`2020-14409` and :cve_nist:`2020-14410`
+-  libsndfile1: Fix :cve_nist:`2022-33065` and :cve_nist:`2024-50612`
+-  libsoup-2.4: Fix :cve_nist:`2024-52530`, :cve_nist:`2024-52531` and :cve_nist:`2024-52532`
+-  libsoup: Fix :cve_nist:`2024-52530`, :cve_nist:`2024-52531` and :cve_nist:`2024-52532`
+-  linux-yocto/5.10: Fix :cve_nist:`2023-52889`, :cve_nist:`2023-52917`, :cve_nist:`2023-52918`,
+   :cve_nist:`2024-41011`, :cve_nist:`2024-42259`, :cve_nist:`2024-42271`, :cve_nist:`2024-42272`,
+   :cve_nist:`2024-42280`, :cve_nist:`2024-42283`, :cve_nist:`2024-42284`, :cve_nist:`2024-42285`,
+   :cve_nist:`2024-42286`, :cve_nist:`2024-42287`, :cve_nist:`2024-42288`, :cve_nist:`2024-42289`,
+   :cve_nist:`2024-42301`, :cve_nist:`2024-42302`, :cve_nist:`2024-42309`, :cve_nist:`2024-42310`,
+   :cve_nist:`2024-42311`, :cve_nist:`2024-42313`, :cve_nist:`2024-43828`, :cve_nist:`2024-43856`,
+   :cve_nist:`2024-43858`, :cve_nist:`2024-43860`, :cve_nist:`2024-43861`, :cve_nist:`2024-43871`,
+   :cve_nist:`2024-43882`, :cve_nist:`2024-43889`, :cve_nist:`2024-43890`, :cve_nist:`2024-43893`,
+   :cve_nist:`2024-43894`, :cve_nist:`2024-43907`, :cve_nist:`2024-43908`, :cve_nist:`2024-43914`,
+   :cve_nist:`2024-44935`, :cve_nist:`2024-44944`, :cve_nist:`2024-44947`, :cve_nist:`2024-44954`,
+   :cve_nist:`2024-44960`, :cve_nist:`2024-44965`, :cve_nist:`2024-44969`, :cve_nist:`2024-44971`,
+   :cve_nist:`2024-44987`, :cve_nist:`2024-44988`, :cve_nist:`2024-44989`, :cve_nist:`2024-44990`,
+   :cve_nist:`2024-44995`, :cve_nist:`2024-44998`, :cve_nist:`2024-44999`, :cve_nist:`2024-45003`,
+   :cve_nist:`2024-45006`, :cve_nist:`2024-45016`, :cve_nist:`2024-45018`, :cve_nist:`2024-45021`,
+   :cve_nist:`2024-45025`, :cve_nist:`2024-45026`, :cve_nist:`2024-45028`, :cve_nist:`2024-46673`,
+   :cve_nist:`2024-46674`, :cve_nist:`2024-46675`, :cve_nist:`2024-46676`, :cve_nist:`2024-46677`,
+   :cve_nist:`2024-46679`, :cve_nist:`2024-46685`, :cve_nist:`2024-46689`, :cve_nist:`2024-46702`,
+   :cve_nist:`2024-46707`, :cve_nist:`2024-46714`, :cve_nist:`2024-46719`, :cve_nist:`2024-46721`,
+   :cve_nist:`2024-46722`, :cve_nist:`2024-46723`, :cve_nist:`2024-46724`, :cve_nist:`2024-46725`,
+   :cve_nist:`2024-46731`, :cve_nist:`2024-46737`, :cve_nist:`2024-46738`, :cve_nist:`2024-46739`,
+   :cve_nist:`2024-46740`, :cve_nist:`2024-46743`, :cve_nist:`2024-46744`, :cve_nist:`2024-46747`,
+   :cve_nist:`2024-46750`, :cve_nist:`2024-46755`, :cve_nist:`2024-46759`, :cve_nist:`2024-46761`,
+   :cve_nist:`2024-46763`, :cve_nist:`2024-46771`, :cve_nist:`2024-46777`, :cve_nist:`2024-46780`,
+   :cve_nist:`2024-46781`, :cve_nist:`2024-46782`, :cve_nist:`2024-46783`, :cve_nist:`2024-46791`,
+   :cve_nist:`2024-46798`, :cve_nist:`2024-46800`, :cve_nist:`2024-46804`, :cve_nist:`2024-46814`,
+   :cve_nist:`2024-46815`, :cve_nist:`2024-46817`, :cve_nist:`2024-46818`, :cve_nist:`2024-46819`,
+   :cve_nist:`2024-46822`, :cve_nist:`2024-46828`, :cve_nist:`2024-46829`, :cve_nist:`2024-46832`,
+   :cve_nist:`2024-46840`, :cve_nist:`2024-46844`, :cve_nist:`2024-47659`, :cve_nist:`2024-47660`,
+   :cve_nist:`2024-47663`, :cve_nist:`2024-47667`, :cve_nist:`2024-47668`, :cve_nist:`2024-47669`,
+   :cve_nist:`2024-47679`, :cve_nist:`2024-47684`, :cve_nist:`2024-47685`, :cve_nist:`2024-47692`,
+   :cve_nist:`2024-47697`, :cve_nist:`2024-47698`, :cve_nist:`2024-47699`, :cve_nist:`2024-47701`,
+   :cve_nist:`2024-47705`, :cve_nist:`2024-47706`, :cve_nist:`2024-47710`, :cve_nist:`2024-47712`,
+   :cve_nist:`2024-47713`, :cve_nist:`2024-47718`, :cve_nist:`2024-47723`, :cve_nist:`2024-47735`,
+   :cve_nist:`2024-47737`, :cve_nist:`2024-47739`, :cve_nist:`2024-47742`, :cve_nist:`2024-47747`,
+   :cve_nist:`2024-47748`, :cve_nist:`2024-47749`, :cve_nist:`2024-47757`, :cve_nist:`2024-49851`,
+   :cve_nist:`2024-49858`, :cve_nist:`2024-49860`, :cve_nist:`2024-49863`, :cve_nist:`2024-49867`,
+   :cve_nist:`2024-49868`, :cve_nist:`2024-49875`, :cve_nist:`2024-49877`, :cve_nist:`2024-49878`,
+   :cve_nist:`2024-49879`, :cve_nist:`2024-49881`, :cve_nist:`2024-49882`, :cve_nist:`2024-49883`,
+   :cve_nist:`2024-49884`, :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`,
+   :cve_nist:`2024-49894`, :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49907`, :cve_nist:`2024-49913`,
+   :cve_nist:`2024-49924`, :cve_nist:`2024-49930`, :cve_nist:`2024-49933`, :cve_nist:`2024-49936`,
+   :cve_nist:`2024-49938`, :cve_nist:`2024-49944`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`,
+   :cve_nist:`2024-49952`, :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`,
+   :cve_nist:`2024-49959`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`, :cve_nist:`2024-49965`,
+   :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`, :cve_nist:`2024-49975`,
+   :cve_nist:`2024-49977`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49995`, :cve_nist:`2024-49997`, :cve_nist:`2024-50001`,
+   :cve_nist:`2024-50006`, :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50013`,
+   :cve_nist:`2024-50015`, :cve_nist:`2024-50024`, :cve_nist:`2024-50033`, :cve_nist:`2024-50035`,
+   :cve_nist:`2024-50039`, :cve_nist:`2024-50040`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`,
+   :cve_nist:`2024-50046`, :cve_nist:`2024-50049`, :cve_nist:`2024-50059`, :cve_nist:`2024-50095`,
+   :cve_nist:`2024-50096`, :cve_nist:`2024-50179`, :cve_nist:`2024-50180`, :cve_nist:`2024-50181`,
+   :cve_nist:`2024-50184` and :cve_nist:`2024-50188`
+-  linux-yocto/5.15: Fix :cve_nist:`2022-48695`, :cve_nist:`2023-52530`, :cve_nist:`2023-52917`,
+   :cve_nist:`2024-45009`, :cve_nist:`2024-46714`, :cve_nist:`2024-46719`, :cve_nist:`2024-46721`,
+   :cve_nist:`2024-46722`, :cve_nist:`2024-46723`, :cve_nist:`2024-46724`, :cve_nist:`2024-46725`,
+   :cve_nist:`2024-46731`, :cve_nist:`2024-46732`, :cve_nist:`2024-46737`, :cve_nist:`2024-46738`,
+   :cve_nist:`2024-46739`, :cve_nist:`2024-46740`, :cve_nist:`2024-46743`, :cve_nist:`2024-46744`,
+   :cve_nist:`2024-46746`, :cve_nist:`2024-46747`, :cve_nist:`2024-46750`, :cve_nist:`2024-46755`,
+   :cve_nist:`2024-46759`, :cve_nist:`2024-46761`, :cve_nist:`2024-46763`, :cve_nist:`2024-46771`,
+   :cve_nist:`2024-46777`, :cve_nist:`2024-46780`, :cve_nist:`2024-46781`, :cve_nist:`2024-46782`,
+   :cve_nist:`2024-46783`, :cve_nist:`2024-46791`, :cve_nist:`2024-46795`, :cve_nist:`2024-46798`,
+   :cve_nist:`2024-46800`, :cve_nist:`2024-46804`, :cve_nist:`2024-46805`, :cve_nist:`2024-46807`,
+   :cve_nist:`2024-46810`, :cve_nist:`2024-46814`, :cve_nist:`2024-46815`, :cve_nist:`2024-46817`,
+   :cve_nist:`2024-46818`, :cve_nist:`2024-46819`, :cve_nist:`2024-46822`, :cve_nist:`2024-46828`,
+   :cve_nist:`2024-46829`, :cve_nist:`2024-46832`, :cve_nist:`2024-46840`, :cve_nist:`2024-46844`,
+   :cve_nist:`2024-47659`, :cve_nist:`2024-47660`, :cve_nist:`2024-47663`, :cve_nist:`2024-47665`,
+   :cve_nist:`2024-47667`, :cve_nist:`2024-47668`, :cve_nist:`2024-47669`, :cve_nist:`2024-47674`,
+   :cve_nist:`2024-47679`, :cve_nist:`2024-47684`, :cve_nist:`2024-47685`, :cve_nist:`2024-47690`,
+   :cve_nist:`2024-47692`, :cve_nist:`2024-47693`, :cve_nist:`2024-47695`, :cve_nist:`2024-47696`,
+   :cve_nist:`2024-47697`, :cve_nist:`2024-47698`, :cve_nist:`2024-47699`, :cve_nist:`2024-47701`,
+   :cve_nist:`2024-47705`, :cve_nist:`2024-47706`, :cve_nist:`2024-47710`, :cve_nist:`2024-47712`,
+   :cve_nist:`2024-47713`, :cve_nist:`2024-47718`, :cve_nist:`2024-47720`, :cve_nist:`2024-47723`,
+   :cve_nist:`2024-47734`, :cve_nist:`2024-47735`, :cve_nist:`2024-47737`, :cve_nist:`2024-47739`,
+   :cve_nist:`2024-47742`, :cve_nist:`2024-47747`, :cve_nist:`2024-47748`, :cve_nist:`2024-47749`,
+   :cve_nist:`2024-47757`, :cve_nist:`2024-49851`, :cve_nist:`2024-49852`, :cve_nist:`2024-49854`,
+   :cve_nist:`2024-49856`, :cve_nist:`2024-49858`, :cve_nist:`2024-49860`, :cve_nist:`2024-49863`,
+   :cve_nist:`2024-49866`, :cve_nist:`2024-49867`, :cve_nist:`2024-49868`, :cve_nist:`2024-49871`,
+   :cve_nist:`2024-49875`, :cve_nist:`2024-49877`, :cve_nist:`2024-49878`, :cve_nist:`2024-49879`,
+   :cve_nist:`2024-49881`, :cve_nist:`2024-49882`, :cve_nist:`2024-49883`, :cve_nist:`2024-49884`,
+   :cve_nist:`2024-49886`, :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`,
+   :cve_nist:`2024-49894`, :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49907`, :cve_nist:`2024-49913`,
+   :cve_nist:`2024-49924`, :cve_nist:`2024-49927`, :cve_nist:`2024-49930`, :cve_nist:`2024-49933`,
+   :cve_nist:`2024-49935`, :cve_nist:`2024-49936`, :cve_nist:`2024-49938`, :cve_nist:`2024-49944`,
+   :cve_nist:`2024-49946`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`, :cve_nist:`2024-49952`,
+   :cve_nist:`2024-49954`, :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`,
+   :cve_nist:`2024-49959`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`, :cve_nist:`2024-49965`,
+   :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`, :cve_nist:`2024-49975`,
+   :cve_nist:`2024-49977`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49995`, :cve_nist:`2024-49997`, :cve_nist:`2024-50000`,
+   :cve_nist:`2024-50001`, :cve_nist:`2024-50002`, :cve_nist:`2024-50003`, :cve_nist:`2024-50006`,
+   :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50013`, :cve_nist:`2024-50015`,
+   :cve_nist:`2024-50019`, :cve_nist:`2024-50024`, :cve_nist:`2024-50031`, :cve_nist:`2024-50033`,
+   :cve_nist:`2024-50035`, :cve_nist:`2024-50038`, :cve_nist:`2024-50039`, :cve_nist:`2024-50040`,
+   :cve_nist:`2024-50041`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`, :cve_nist:`2024-50046`,
+   :cve_nist:`2024-50049`, :cve_nist:`2024-50059`, :cve_nist:`2024-50062`, :cve_nist:`2024-50074`,
+   :cve_nist:`2024-50082`, :cve_nist:`2024-50083`, :cve_nist:`2024-50093`, :cve_nist:`2024-50095`,
+   :cve_nist:`2024-50096`, :cve_nist:`2024-50099`, :cve_nist:`2024-50101`, :cve_nist:`2024-50103`,
+   :cve_nist:`2024-50110`, :cve_nist:`2024-50115`, :cve_nist:`2024-50116`, :cve_nist:`2024-50117`,
+   :cve_nist:`2024-50127`, :cve_nist:`2024-50128`, :cve_nist:`2024-50131`, :cve_nist:`2024-50134`,
+   :cve_nist:`2024-50141`, :cve_nist:`2024-50142`, :cve_nist:`2024-50143`, :cve_nist:`2024-50148`,
+   :cve_nist:`2024-50150`, :cve_nist:`2024-50151`, :cve_nist:`2024-50153`, :cve_nist:`2024-50154`,
+   :cve_nist:`2024-50156`, :cve_nist:`2024-50160`, :cve_nist:`2024-50162`, :cve_nist:`2024-50163`,
+   :cve_nist:`2024-50167`, :cve_nist:`2024-50168`, :cve_nist:`2024-50171`, :cve_nist:`2024-50179`,
+   :cve_nist:`2024-50180`, :cve_nist:`2024-50181`, :cve_nist:`2024-50182`, :cve_nist:`2024-50184`,
+   :cve_nist:`2024-50185`, :cve_nist:`2024-50186`, :cve_nist:`2024-50188`, :cve_nist:`2024-50189`,
+   :cve_nist:`2024-50191`, :cve_nist:`2024-50192`, :cve_nist:`2024-50193`, :cve_nist:`2024-50194`,
+   :cve_nist:`2024-50195`, :cve_nist:`2024-50196`, :cve_nist:`2024-50198`, :cve_nist:`2024-50201`,
+   :cve_nist:`2024-50202`, :cve_nist:`2024-50205`, :cve_nist:`2024-50208`, :cve_nist:`2024-50209`,
+   :cve_nist:`2024-50229`, :cve_nist:`2024-50230`, :cve_nist:`2024-50232`, :cve_nist:`2024-50233`,
+   :cve_nist:`2024-50234`, :cve_nist:`2024-50236`, :cve_nist:`2024-50237`, :cve_nist:`2024-50244`,
+   :cve_nist:`2024-50245`, :cve_nist:`2024-50247`, :cve_nist:`2024-50251`, :cve_nist:`2024-50257`,
+   :cve_nist:`2024-50259`, :cve_nist:`2024-50262`, :cve_nist:`2024-50264`, :cve_nist:`2024-50265`,
+   :cve_nist:`2024-50267`, :cve_nist:`2024-50268`, :cve_nist:`2024-50269`, :cve_nist:`2024-50273`,
+   :cve_nist:`2024-50278`, :cve_nist:`2024-50279`, :cve_nist:`2024-50282`, :cve_nist:`2024-50287`,
+   :cve_nist:`2024-50292`, :cve_nist:`2024-50296`, :cve_nist:`2024-50299`, :cve_nist:`2024-50301`,
+   :cve_nist:`2024-50302`, :cve_nist:`2024-53052`, :cve_nist:`2024-53055`, :cve_nist:`2024-53057`,
+   :cve_nist:`2024-53058`, :cve_nist:`2024-53059`, :cve_nist:`2024-53060`, :cve_nist:`2024-53061`,
+   :cve_nist:`2024-53063`, :cve_nist:`2024-53066`, :cve_nist:`2024-53088`, :cve_nist:`2024-53096`,
+   :cve_nist:`2024-53101`, :cve_nist:`2024-53103`, :cve_nist:`2024-53145`, :cve_nist:`2024-53146`,
+   :cve_nist:`2024-53150`, :cve_nist:`2024-53151`, :cve_nist:`2024-53155`, :cve_nist:`2024-53156`,
+   :cve_nist:`2024-53157`, :cve_nist:`2024-53165`, :cve_nist:`2024-53171`, :cve_nist:`2024-53173`,
+   :cve_nist:`2024-53226`, :cve_nist:`2024-53227`, :cve_nist:`2024-53237`, :cve_nist:`2024-56567`,
+   :cve_nist:`2024-56572`, :cve_nist:`2024-56574`, :cve_nist:`2024-56578`, :cve_nist:`2024-56581`,
+   :cve_nist:`2024-56593`, :cve_nist:`2024-56600`, :cve_nist:`2024-56601`, :cve_nist:`2024-56602`,
+   :cve_nist:`2024-56603`, :cve_nist:`2024-56605`, :cve_nist:`2024-56606`, :cve_nist:`2024-56614`,
+   :cve_nist:`2024-56622`, :cve_nist:`2024-56623`, :cve_nist:`2024-56629`, :cve_nist:`2024-56634`,
+   :cve_nist:`2024-56640`, :cve_nist:`2024-56642`, :cve_nist:`2024-56643`, :cve_nist:`2024-56648`,
+   :cve_nist:`2024-56650`, :cve_nist:`2024-56659`, :cve_nist:`2024-56662`, :cve_nist:`2024-56670`,
+   :cve_nist:`2024-56688`, :cve_nist:`2024-56694`, :cve_nist:`2024-56704`, :cve_nist:`2024-56708`,
+   :cve_nist:`2024-56720`, :cve_nist:`2024-56723`, :cve_nist:`2024-56724`, :cve_nist:`2024-56726`,
+   :cve_nist:`2024-56728`, :cve_nist:`2024-56739`, :cve_nist:`2024-56741`, :cve_nist:`2024-56745`,
+   :cve_nist:`2024-56746`, :cve_nist:`2024-56747`, :cve_nist:`2024-56748`, :cve_nist:`2024-56754`,
+   :cve_nist:`2024-56756`, :cve_nist:`2024-56770`, :cve_nist:`2024-56774`, :cve_nist:`2024-56776`,
+   :cve_nist:`2024-56777`, :cve_nist:`2024-56778`, :cve_nist:`2024-56779`, :cve_nist:`2024-56780`,
+   :cve_nist:`2024-56781`, :cve_nist:`2024-56785` and :cve_nist:`2024-56787`
+-  ovmf: Fix :cve_nist:`2022-36763`, :cve_nist:`2022-36764`, :cve_nist:`2022-36765`,
+   :cve_nist:`2023-45229`, :cve_nist:`2023-45230`, :cve_nist:`2023-45231`, :cve_nist:`2023-45232`,
+   :cve_nist:`2023-45233`, :cve_nist:`2023-45234`, :cve_nist:`2023-45235`, :cve_nist:`2023-45236`,
+   :cve_nist:`2023-45237`, :cve_nist:`2024-1298` and :cve_nist:`2024-38796`
+-  pixman: Ignore :cve_nist:`2023-37769`
+-  python3: Fix :cve_nist:`2024-9287`, :cve_nist:`2024-11168` and :cve_nist:`2024-50602`
+-  python3-pip: Fix :cve_nist:`2023-5752`
+-  python3-requests: Fix :cve_nist:`2024-35195`
+-  python3-zipp: Fix :cve_nist:`2024-5569`
+-  qemu: Fix :cve_nist:`2024-3446`, :cve_nist:`2024-3447` and :cve_nist:`2024-6505`
+-  qemu: Ignore :cve_nist:`2022-36648`
+-  subversion: Fix :cve_nist:`2024-46901`
+-  tiff: Fix :cve_nist:`2023-3164`
+-  tiff: Ignore :cve_nist:`2023-2731`
+-  webkitgtk: Fix :cve_nist:`2024-40776` and :cve_nist:`2024-40780`
+-  xserver-xorg: Fix :cve_nist:`2024-9632`
+-  xwayland: Fix :cve_nist:`2023-5380` and :cve_nist:`2024-0229`
+
+
+Fixes in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~
+
+-  base-passwd: Add the sgx group
+-  base-passwd: Regenerate the patches
+-  base-passwd: Update the status for two patches
+-  base-passwd: Update to 3.5.52
+-  base-passwd: add the wheel group
+-  base-passwd: fix patchreview warning
+-  bitbake: fetch2: use persist_data context managers
+-  bitbake: fetch/wget: Increase timeout to 100s from 30s
+-  bitbake: persist_data: close connection in SQLTable __exit__
+-  build-appliance-image: Update to kirkstone head revision
+-  builder: set :term:`CVE_PRODUCT`
+-  contributor-guide: submit-changes.rst: suggest to remove the git signature
+-  cve-update-nvd2-native: Tweak to work better with NFS :term:`DL_DIR`
+-  dbus: disable assertions and enable only modular tests
+-  do_package/sstate/sstatesig: Change timestamp clamping to hash output only
+-  docs: Gather dependencies in poky.yaml.in
+-  docs: standards.md: add a section on admonitions
+-  gstreamer1.0: improve test reliability
+-  linux-yocto/5.10: update to v5.10.227
+-  linux-yocto/5.15: update to v5.15.175
+-  llvm: reduce size of -dbg package
+-  lttng-modules: fix build error after kernel update to 5.15.171
+-  migration-guides: add release notes for 4.0.23
+-  ninja: fix build with python 3.13
+-  oeqa/utils/gitarchive: Return tag name and improve exclude handling
+-  ovmf-native: remove .pyc files from install
+-  package.bbclass: Use shlex instead of deprecated pipes
+-  package_rpm: restrict rpm to 4 threads
+-  package_rpm: use zstd's default compression level
+-  poky.conf: add new tested distros
+-  poky.conf: bump version for 4.0.24
+-  poky.yaml.in: add missing locales dependency
+-  python3: upgrade to 3.10.16
+-  ref-manual: SSTATE_MIRRORS/SOURCE_MIRROR_URL: add instructions for mirror authentication
+-  ref-manual: classes: fix bin_package description
+-  ref-manual: devtool-reference: add warning note on deploy-target and shared objects
+-  ref-manual: move runtime-testing section to the test-manual
+-  ref-manual: packages: move ptest section to the test-manual
+-  ref-manual: system-requirements: update list of supported distros
+-  ref-manual: use standardized method accross both ubuntu and debian for locale install
+-  resulttool: Add --logfile-archive option to store mode
+-  resulttool: Allow store to filter to specific revisions
+-  resulttool: Clean up repoducible build logs
+-  resulttool: Fix passthrough of --all files in store mode
+-  resulttool: Handle ltp rawlogs as well as ptest
+-  resulttool: Improve repo layout for oeselftest results
+-  resulttool: Trim the precision of duration information
+-  resulttool: Use single space indentation in json output
+-  rootfs-postcommands.bbclass: make opkg status reproducible
+-  rxvt-unicode.inc: disable the terminfo installation by setting TIC to :
+-  sanity: check for working user namespaces
+-  scripts/install-buildtools: Update to 4.0.22
+-  selftest/reproducible: Clean up pathnames
+-  selftest/reproducible: Drop rawlogs
+-  test-manual: reproducible-builds.rst: document :term:`OEQA_REPRODUCIBLE_TEST_TARGET` and
+   :term:`OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS`
+-  test-manual: reproducible-builds.rst: show how to build a single package
+-  toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails
+-  tzdata & tzcode-native: upgrade 2024b
+-  udev-extraconf: fix network.sh script did not configure hotplugged interfaces
+-  unzip: Fix configure tests to use modern C
+-  webkitgtk: Fix build on 32bit arm
+-  webkitgtk: fix perl-native dependency
+-  webkitgtk: reduce size of -dbg package
+-  wireless-regdb: upgrade to 2024.10.07
+
+
+Known Issues in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Aleksandar Nikolic
+-  Alex Kiernan
+-  Alexander Kanavin
+-  Alexandre Belloni
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Changqing Li
+-  Chen Qi
+-  Chris Laplante
+-  Divya Chellam
+-  Ernst Persson
+-  Guénaël Muller
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jiaying Song
+-  Jinfeng Wang
+-  Khem Raj
+-  Lee Chee Yang
+-  Liyin Zhang
+-  Louis Rannou
+-  Markus Volk
+-  Mikko Rapeli
+-  Ovidiu Panait
+-  Peter Kjellerstedt
+-  Peter Marko
+-  Regis Dargent
+-  Richard Purdie
+-  Rohini Sangam
+-  Ross Burton
+-  Soumya Sambu
+-  Steve Sakoman
+-  Trevor Gamblin
+-  Vijay Anusuri
+-  Wang Mingyu
+-  Yogita Urade
+-  Zahir Hussain
+
+
+Repositories / Downloads for Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </poky/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`f50532593651dff82bc952288d786c55038c2c86 </poky/commit/?id=f50532593651dff82bc952288d786c55038c2c86>`
+-  Release Artefact: poky-f50532593651dff82bc952288d786c55038c2c86
+-  sha: 0aa062d19510394748db9a2d6ded2d764f435383296d9c94fb6b25755280556e
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/poky-f50532593651dff82bc952288d786c55038c2c86.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/poky-f50532593651dff82bc952288d786c55038c2c86.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.24 </openembedded-core/log/?h=yocto-4.0.24>`
+-  Git Revision: :oe_git:`a270d4c957259761bcc7382fcc54642a02f9fc7d </openembedded-core/commit/?id=a270d4c957259761bcc7382fcc54642a02f9fc7d>`
+-  Release Artefact: oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d
+-  sha: b08b9b16c8ffa587d521ad28e24e38c79d757a6f0839d18165ebac3081a34b68
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </meta-mingw/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </meta-gplv2/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.24 </bitbake/log/?h=yocto-4.0.24>`
+-  Git Revision: :oe_git:`3f88b005244a0afb5d5c7260e54a94a453ec9b3e </bitbake/commit/?id=3f88b005244a0afb5d5c7260e54a94a453ec9b3e>`
+-  Release Artefact: bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e
+-  sha: 31f442b72ec7d81ca75509b1a7179c3fe3942528b1e31c823b21a413244bd15b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.24 </yocto-docs/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`3128bf149f40928e6c2a3e264590a0c6c9778c6a </yocto-docs/commit/?id=3128bf149f40928e6c2a3e264590a0c6c9778c6a>`
+

documentation/poky.yaml.in

@@ -12,7 +12,6 @@ DISTRO_REL_TAG : "yocto-4.0"
 DOCCONF_VERSION : "dev"
 BITBAKE_SERIES : ""
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
-YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
 YOCTO_RELEASE_DL_URL : "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;"
 MIN_PYTHON_VERSION : "3.6.0"
 MIN_TAR_VERSION : "1.28"

documentation/ref-manual/release-process.rst

@@ -196,7 +196,7 @@ effort has been made to automate the tests so that more people can use
 them and the Yocto Project development team can run them faster and more
 efficiently.
 
-The Yocto Project's main Autobuilder (&YOCTO_AB_URL;) publicly tests each Yocto
+The Yocto Project's main :yocto_ab:`Autobuilder <>` publicly tests each Yocto
 Project release's code in the :oe_git:`openembedded-core </openembedded-core>`,
 :yocto_git:`poky </poky>` and :oe_git:`bitbake </bitbake>` repositories. The
 testing occurs for both the current state of the "master" branch and also for

documentation/standards.md

@@ -1,6 +1,6 @@
 # Standards for contributing to Yocto Project documentation
 
-This document attemps to standardize the way the Yocto Project
+This document attempts to standardize the way the Yocto Project
 documentation is created.
 
 It is currently a work in progress.

documentation/test-manual/reproducible-builds.rst

@@ -119,12 +119,8 @@ https://autobuilder.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
 The project's current reproducibility status can be seen at
 :yocto_home:`/reproducible-build-results/`
 
-You can also check the reproducibility status on supported host distributions:
-
--  CentOS: :yocto_ab:`/typhoon/#/builders/reproducible-centos`
--  Debian: :yocto_ab:`/typhoon/#/builders/reproducible-debian`
--  Fedora: :yocto_ab:`/typhoon/#/builders/reproducible-fedora`
--  Ubuntu: :yocto_ab:`/typhoon/#/builders/reproducible-ubuntu`
+You can also check the reproducibility status on the Autobuilder:
+:yocto_ab:`/valkyrie/#/builders/reproducible`.
 
 ===============================
 Can I test my layer or recipes?

documentation/test-manual/test-process.rst

@@ -20,7 +20,7 @@ helps review and test patches and this is his testing tree).
 We have two broad categories of test builds, including "full" and
 "quick". On the Autobuilder, these can be seen as "a-quick" and
 "a-full", simply for ease of sorting in the UI. Use our Autobuilder
-:yocto_ab:`console view </typhoon/#/console>` to see where we manage most
+:yocto_ab:`console view </valkyrie/#/console>` to see where we manage most
 test-related items.
 
 Builds are triggered manually when the test branches are ready. The

documentation/test-manual/understand-autobuilder.rst

@@ -10,7 +10,7 @@ Execution Flow within the Autobuilder
 The "a-full" and "a-quick" targets are the usual entry points into the
 Autobuilder and it makes sense to follow the process through the system
 starting there. This is best visualized from the :yocto_ab:`Autobuilder
-Console view </typhoon/#/console>`.
+Console view </valkyrie/#/console>`.
 
 Each item along the top of that view represents some "target build" and
 these targets are all run in parallel. The 'full' build will trigger the

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.24"
+DISTRO_VERSION = "4.0.25"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"

meta/classes/cmake.bbclass

@@ -62,6 +62,8 @@ EXTRA_OECMAKE:append = " ${PACKAGECONFIG_CONFARGS}"
 export CMAKE_BUILD_PARALLEL_LEVEL
 CMAKE_BUILD_PARALLEL_LEVEL:task-compile = "${@oe.utils.parallel_make(d, False)}"
 CMAKE_BUILD_PARALLEL_LEVEL:task-install = "${@oe.utils.parallel_make(d, True)}"
+CMAKE_BUILD_PARALLEL_LEVEL:task-compile-ptest-base = "${@oe.utils.parallel_make(d, False)}"
+CMAKE_BUILD_PARALLEL_LEVEL:task-install-ptest-base = "${@oe.utils.parallel_make(d, True)}"
 
 OECMAKE_TARGET_COMPILE ?= "all"
 OECMAKE_TARGET_INSTALL ?= "install"

meta/classes/insane.bbclass

@@ -761,13 +761,7 @@ def package_qa_check_rdepends(pkg, pkgdest, skip, taskdeps, packages, d):
                     if rdep_data and 'PN' in rdep_data and rdep_data['PN'] in taskdeps:
                         continue
                     if not rdep_data or not 'PN' in rdep_data:
-                        pkgdata_dir = d.getVar("PKGDATA_DIR")
-                        try:
-                            possibles = os.listdir("%s/runtime-rprovides/%s/" % (pkgdata_dir, rdepend))
-                        except OSError:
-                            possibles = []
-                        for p in possibles:
-                            rdep_data = oe.packagedata.read_subpkgdata(p, d)
+                        for _, rdep_data in oe.packagedata.foreach_runtime_provider_pkgdata(d, rdepend):
                             if rdep_data and 'PN' in rdep_data and rdep_data['PN'] in taskdeps:
                                 break
                     if rdep_data and 'PN' in rdep_data and rdep_data['PN'] in taskdeps:
@@ -811,17 +805,17 @@ def package_qa_check_rdepends(pkg, pkgdest, skip, taskdeps, packages, d):
                     # perl
                     filerdepends.pop(rdep,None)
 
-                    # For Saving the FILERPROVIDES, RPROVIDES and FILES_INFO
-                    rdep_data = oe.packagedata.read_subpkgdata(rdep, d)
-                    for key in rdep_data:
-                        if key.startswith("FILERPROVIDES:") or key.startswith("RPROVIDES:"):
-                            for subkey in bb.utils.explode_deps(rdep_data[key]):
-                                filerdepends.pop(subkey,None)
-                        # Add the files list to the rprovides
-                        if key.startswith("FILES_INFO:"):
-                            # Use eval() to make it as a dict
-                            for subkey in eval(rdep_data[key]):
-                                filerdepends.pop(subkey,None)
+                    for _, rdep_data in oe.packagedata.foreach_runtime_provider_pkgdata(d, rdep, True):
+                        for key in rdep_data:
+                            if key.startswith("FILERPROVIDES:") or key.startswith("RPROVIDES:"):
+                                for subkey in bb.utils.explode_deps(rdep_data[key]):
+                                    filerdepends.pop(subkey,None)
+                            # Add the files list to the rprovides
+                            if key.startswith("FILES_INFO:"):
+                                # Use eval() to make it as a dict
+                                for subkey in eval(rdep_data[key]):
+                                    filerdepends.pop(subkey,None)
+
                     if not filerdepends:
                         # Break if all the file rdepends are met
                         break

meta/classes/nativesdk.bbclass

@@ -23,6 +23,7 @@ RECIPE_SYSROOT = "${WORKDIR}/recipe-sysroot"
 #
 PACKAGE_ARCH = "${SDK_ARCH}-${SDKPKGSUFFIX}"
 PACKAGE_ARCHS = "${SDK_PACKAGE_ARCHS}"
+TUNE_PKGARCH = "${SDK_ARCH}"
 
 #
 # We need chrpath >= 0.14 to ensure we can deal with 32 and 64 bit

meta/classes/qemu.bbclass

@@ -54,8 +54,8 @@ def qemu_run_binary(data, rootfs_path, binary):
 # this dance). For others (e.g. arm) a -cpu option is not necessary, since the
 # qemu-arm default CPU supports all required architecture levels.
 
-QEMU_OPTIONS = "-r ${OLDEST_KERNEL} ${@d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')) or ""}"
-QEMU_OPTIONS[vardeps] += "QEMU_EXTRAOPTIONS_${PACKAGE_ARCH}"
+QEMU_OPTIONS = "-r ${OLDEST_KERNEL} ${@d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('TUNE_PKGARCH')) or ""}"
+QEMU_OPTIONS[vardeps] += "QEMU_EXTRAOPTIONS_${TUNE_PKGARCH}"
 
 QEMU_EXTRAOPTIONS_ppce500v2 = " -cpu e500v2"
 QEMU_EXTRAOPTIONS_ppce500mc = " -cpu e500mc"
@@ -65,7 +65,3 @@ QEMU_EXTRAOPTIONS_ppce6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc64e6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc7400 = " -cpu 7400"
 QEMU_EXTRAOPTIONS_powerpc64le = " -cpu POWER9"
-# Some packages e.g. fwupd sets PACKAGE_ARCH = MACHINE_ARCH and uses meson which
-# needs right options to usermode qemu
-QEMU_EXTRAOPTIONS_qemuppc = " -cpu 7400"
-QEMU_EXTRAOPTIONS_qemuppc64 = " -cpu POWER9"

meta/classes/rust-common.bbclass

@@ -6,7 +6,7 @@ FILES:${PN} += "${rustlibdir}/*.so"
 FILES:${PN}-dev += "${rustlibdir}/*.rlib ${rustlibdir}/*.rmeta"
 FILES:${PN}-dbg += "${rustlibdir}/.debug"
 
-RUSTLIB = "-L ${STAGING_LIBDIR}/rust"
+RUSTLIB ?= "-L ${STAGING_LIBDIR}/rust"
 RUST_DEBUG_REMAP = "--remap-path-prefix=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
 RUSTFLAGS += "${RUSTLIB} ${RUST_DEBUG_REMAP}"
 RUSTLIB_DEP ?= "libstd-rs"

meta/lib/oe/packagedata.py

@@ -108,3 +108,18 @@ def recipename(pkg, d):
     """Return the recipe name for the given binary package name."""
 
     return pkgmap(d).get(pkg)
+
+def foreach_runtime_provider_pkgdata(d, rdep, include_rdep=False):
+    pkgdata_dir = d.getVar("PKGDATA_DIR")
+    possibles = set()
+    try:
+        possibles |= set(os.listdir("%s/runtime-rprovides/%s/" % (pkgdata_dir, rdep)))
+    except OSError:
+        pass
+
+    if include_rdep:
+        possibles.add(rdep)
+
+    for p in sorted(list(possibles)):
+        rdep_data = read_subpkgdata(p, d)
+        yield p, rdep_data

meta/recipes-connectivity/avahi/avahi_0.8.bb

@@ -35,6 +35,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
            file://CVE-2023-38471-2.patch \
            file://CVE-2023-38472.patch \
            file://CVE-2023-38473.patch \
+           file://CVE-2024-52616.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"

meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch

@@ -0,0 +1,104 @@
+From f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 11 Nov 2024 00:56:09 +0100
+Subject: [PATCH] Properly randomize query id of DNS packets
+
+CVE: CVE-2024-52616
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++--------
+ configure.ac           |  3 ++-
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 971f5e714..00a15056e 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -40,6 +40,13 @@
+ #include "addr-util.h"
+ #include "rr-util.h"
+ 
++#ifdef HAVE_SYS_RANDOM_H
++#include <sys/random.h>
++#endif
++#ifndef HAVE_GETRANDOM
++#  define getrandom(d, len, flags) (-1)
++#endif
++
+ #define CACHE_ENTRIES_MAX 500
+ 
+ typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
+@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
+     int fd_ipv4, fd_ipv6;
+     AvahiWatch *watch_ipv4, *watch_ipv6;
+ 
+-    uint16_t next_id;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) {
+     avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
+ }
+ 
++static uint16_t get_random_uint16(void) {
++    uint16_t next_id;
++
++    if (getrandom(&next_id, sizeof(next_id), 0) == -1)
++        next_id = (uint16_t) rand();
++    return next_id;
++}
++
++static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
++    uint16_t next_id;
++
++    next_id = get_random_uint16();
++    while (find_lookup(e, next_id)) {
++        /* This ID is already used, get new. */
++        next_id = get_random_uint16();
++    }
++    return next_id;
++}
++
++
+ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     AvahiWideAreaLookupEngine *e,
+     AvahiKey *key,
+@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     /* If more than 65K wide area quries are issued simultaneously,
+      * this will break. This should be limited by some higher level */
+ 
+-    for (;; e->next_id++)
+-        if (!find_lookup(e, e->next_id))
+-            break; /* This ID is not yet used. */
+-
+-    l->id = e->next_id++;
++    l->id = avahi_wide_area_next_id(e);
+ 
+     /* We keep the packet around in case we need to repeat our query */
+     l->packet = avahi_dns_packet_new(0);
+@@ -604,7 +625,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+         e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+ 
+     e->n_dns_servers = e->current_dns_server = 0;
+-    e->next_id = (uint16_t) rand();
+ 
+     /* Initialize cache */
+     AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
+diff --git a/configure.ac b/configure.ac
+index a3211b80e..31bce3d76 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -367,7 +367,8 @@ AC_FUNC_SELECT_ARGTYPES
+ # whether libc's malloc does too. (Same for realloc.)
+ #AC_FUNC_MALLOC
+ #AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
++AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
++AC_CHECK_HEADERS([sys/random.h])
+ 
+ AC_FUNC_CHOWN
+ AC_FUNC_STAT
+

meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch

@@ -0,0 +1,88 @@
+From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Tue, 17 Dec 2024 11:31:29 +0200
+Subject: [PATCH] ussd: ensure ussd content fits in buffers
+
+Fixes: CVE-2024-7539
+
+CVE: CVE-2024-7539
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ drivers/atmodem/ussd.c      | 5 ++++-
+ drivers/huaweimodem/ussd.c  | 5 ++++-
+ drivers/speedupmodem/ussd.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
+index 3be1832..29f86dc 100644
+--- a/drivers/atmodem/ussd.c
++++ b/drivers/atmodem/ussd.c
+@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	const char *content;
+	int dcs;
+	enum sms_charset charset;
+-	unsigned char msg[160];
++	unsigned char msg[160] = {0};
+	const unsigned char *msg_ptr = NULL;
+	long msg_len;
+
+@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	if (!g_at_result_iter_next_number(&iter, &dcs))
+		dcs = 0;
+
++	if (strlen(content) > sizeof(msg) * 2)
++		goto out;
++
+	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
+		ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
+		status = 4; /* Not supported */
+diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
+index fbed3cd..4160b7d 100644
+--- a/drivers/huaweimodem/ussd.c
++++ b/drivers/huaweimodem/ussd.c
+@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	GAtResultIter iter;
+	int status, dcs;
+	const char *content;
+-	unsigned char msg[160];
++	unsigned char msg[160] = {0};
+	const unsigned char *msg_ptr = NULL;
+	long msg_len;
+
+@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	if (!g_at_result_iter_next_number(&iter, &dcs))
+		dcs = 0;
+
++	if (strlen(content) > sizeof(msg) * 2)
++		goto out;
++
+	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+
+ out:
+diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
+index 57b91d7..99af19a 100644
+--- a/drivers/speedupmodem/ussd.c
++++ b/drivers/speedupmodem/ussd.c
+@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	GAtResultIter iter;
+	int status, dcs;
+	const char *content;
+-	unsigned char msg[160];
++	unsigned char msg[160] = {0};
+	const unsigned char *msg_ptr = NULL;
+	long msg_len;
+
+@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+	if (!g_at_result_iter_next_number(&iter, &dcs))
+		dcs = 0;
+
++	if (strlen(content) > sizeof(msg) * 2)
++		goto out;
++
+	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+
+ out:
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono/CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch

@@ -0,0 +1,52 @@
+From 29ff6334b492504ace101be748b256e6953d2c2f Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Tue, 17 Dec 2024 11:31:28 +0200
+Subject: [PATCH] atmodem: sms: ensure buffer is initialized before use
+
+Fixes: CVE-2024-7540
+Fixes: CVE-2024-7541
+Fixes: CVE-2024-7542
+
+CVE: CVE-2024-7540
+CVE: CVE-2024-7541
+CVE: CVE-2024-7542
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=29ff6334b492504ace101be748b256e6953d2c2f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ drivers/atmodem/sms.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/atmodem/sms.c b/drivers/atmodem/sms.c
+index d994856b..0668c631 100644
+--- a/drivers/atmodem/sms.c
++++ b/drivers/atmodem/sms.c
+@@ -412,7 +412,7 @@ static void at_cmt_notify(GAtResult *result, gpointer user_data)
+ 	struct sms_data *data = ofono_sms_get_data(sms);
+ 	GAtResultIter iter;
+ 	const char *hexpdu;
+-	unsigned char pdu[176];
++	unsigned char pdu[176] = {0};
+ 	long pdu_len;
+ 	int tpdu_len;
+ 
+@@ -479,7 +479,7 @@ static void at_cmgr_notify(GAtResult *result, gpointer user_data)
+ 	struct sms_data *data = ofono_sms_get_data(sms);
+ 	GAtResultIter iter;
+ 	const char *hexpdu;
+-	unsigned char pdu[176];
++	unsigned char pdu[176] = {0};
+ 	long pdu_len;
+ 	int tpdu_len;
+ 
+@@ -661,7 +661,7 @@ static void at_cmgl_notify(GAtResult *result, gpointer user_data)
+ 	struct sms_data *data = ofono_sms_get_data(sms);
+ 	GAtResultIter iter;
+ 	const char *hexpdu;
+-	unsigned char pdu[176];
++	unsigned char pdu[176] = {0};
+ 	long pdu_len;
+ 	int tpdu_len;
+ 	int index;
+-- 
+2.30.2
+

meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch

@@ -0,0 +1,30 @@
+From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:50 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7543
+
+CVE: CVE-2024-7543
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 4f31af4..fdd11ad 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
+
+	data = comprehension_tlv_iter_get_data(iter);
+	mr->len = len;
++
++	if (len > sizeof(mr->ref))
++		return false;
++
+	memcpy(mr->ref, data, len);
+
+	return true;
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch

@@ -0,0 +1,30 @@
+From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:49 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7544
+
+CVE: CVE-2024-7544
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index fdd11ad..475caaa 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
+
+	data = comprehension_tlv_iter_get_data(iter);
+	mi->len = len;
++
++	if (len > sizeof(mi->id))
++		return false;
++
+	memcpy(mi->id, data, len);
+
+	return true;
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch

@@ -0,0 +1,32 @@
+From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001
+From: Sicelo A. Mhlongo <absicsz@gmail.com>
+Date: Wed, Dec 4 12:07:34 2024 +0200
+Subject: [PATCH] stkutil: ensure data fits in buffer
+
+Fixes CVE-2024-7545
+
+CVE: CVE-2024-7545
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 475caaa..e1fd75c 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id(
+
+	data = comprehension_tlv_iter_get_data(iter);
+	mci->len = len;
++
++	if (len > sizeof(mci->id))
++		return false;
++
+	memcpy(mci->id, data, len);
+
+	return true;
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch

@@ -0,0 +1,30 @@
+From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:52 +0200
+Subject: [PATCH] Fix CVE-2024-7546
+
+CVE: CVE-2024-7546
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index e1fd75c..88a715d 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
+
+	fl->layout = data[0];
+	fl->len = len - 1;
++
++	if (fl->len > sizeof(fl->size))
++		return false;
++
+	memcpy(fl->size, data + 1, fl->len);
+
+	return true;
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch

@@ -0,0 +1,29 @@
+From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:51 +0200
+Subject: [PATCH] Fix CVE-2024-7547
+
+CVE: CVE-2024-7547
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index e073a06..f8ff428 100644
+--- a/src/smsutil.c
++++ b/src/smsutil.c
+@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
+	if ((len - offset) < out->command.cdl)
+		return FALSE;
+
++	if (out->command.cdl > sizeof(out->command.cd))
++		return FALSE;
++
+	memcpy(out->command.cd, pdu + offset, out->command.cdl);
+
+	return TRUE;
+--
+2.40.0

meta/recipes-connectivity/ofono/ofono_1.34.bb

@@ -18,6 +18,13 @@ SRC_URI = "\
     file://CVE-2023-2794-0002.patch \
     file://CVE-2023-2794-0003.patch \
     file://CVE-2023-2794-0004.patch \
+    file://CVE-2024-7539.patch \
+    file://CVE-2024-7543.patch \
+    file://CVE-2024-7544.patch \
+    file://CVE-2024-7545.patch \
+    file://CVE-2024-7546.patch \
+    file://CVE-2024-7547.patch \
+    file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
 "
 SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
 

meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch

@@ -1,202 +0,0 @@
-From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@openssl.org>
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-
-    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large.  Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-
-The above issues do not arise in processing X.509 certificates.  These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-
-Initially reported as oss-fuzz issue 71623.
-
-A closely related issue was earlier reported in
-<https://github.com/openssl/openssl/issues/19826>.
-
-Severity: Low, CVE-2024-9143
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25639)
-
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
-
-CVE: CVE-2024-9143
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index c811ae82d6b15..bcc66613cc14d 100644
---- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
- 
- #ifndef OPENSSL_NO_EC2M
-+# include <openssl/ec.h>
- 
- /*
-  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
-  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
-  * x^i) into an array of integers corresponding to the bits with non-zero
-- * coefficient.  Array is terminated with -1. Up to max elements of the array
-- * will be filled.  Return value is total number of array elements that would
-- * be filled if array was large enough.
-+ * coefficient.  The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1.  Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
-  */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
-     int i, j, k = 0;
-     BN_ULONG mask;
- 
--    if (BN_is_zero(a))
-+    if (!BN_is_odd(a))
-         return 0;
- 
-     for (i = a->top - 1; i >= 0; i--) {
-@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
-         }
-     }
- 
--    if (k < max) {
-+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+        return 0;
-+
-+    if (k < max)
-         p[k] = -1;
--        k++;
--    }
- 
--    return k;
-+    return k + 1;
- }
- 
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 8c2cd05631696..02cfd4e9d8858 100644
---- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
- 
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails. */
-+static int ec2m_field_sanity(void)
-+{
-+    int ret = 0;
-+    BN_CTX *ctx = BN_CTX_new();
-+    BIGNUM *p, *a, *b;
-+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+    TEST_info("Testing GF2m hardening\n");
-+
-+    BN_CTX_start(ctx);
-+    p = BN_CTX_get(ctx);
-+    a = BN_CTX_get(ctx);
-+    if (!TEST_ptr(b = BN_CTX_get(ctx))
-+        || !TEST_true(BN_one(a))
-+        || !TEST_true(BN_one(b)))
-+        goto out;
-+
-+    /* Even pentanomial value should be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf2)))
-+        goto out;
-+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+    /* Odd hexanomial should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf3)))
-+        goto out;
-+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+    /* Excessive polynomial degree should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0x71))
-+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+        goto out;
-+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("GF2m polynomial degree > %d accepted",
-+                   OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+    EC_GROUP_free(group1);
-+    EC_GROUP_free(group2);
-+    EC_GROUP_free(group3);
-+    BN_CTX_end(ctx);
-+    BN_CTX_free(ctx);
-+
-+    return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
-     ADD_TEST(field_tests_ecp_simple);
-     ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+    ADD_TEST(ec2m_field_sanity);
-     ADD_TEST(field_tests_ec2_simple);
- #endif
-     ADD_ALL_TESTS(field_tests_default, crv_len);

meta/recipes-connectivity/openssl/openssl_3.0.16.bb

@@ -12,14 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-9143.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533"
+SRC_URI[sha256sum] = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

meta/recipes-connectivity/socat/socat/CVE-2024-54661.patch

@@ -0,0 +1,113 @@
+From 4ee1f31cf80019c5907876576d6dfd49368d660f Mon Sep 17 00:00:00 2001
+From: Gerhard Rieger <gerhard@dest-unreach.org>
+Date: Fri, 6 Dec 2024 11:42:09 +0100
+Subject: [PATCH] Version 1.8.0.2 - CVE-2024-54661: Arbitrary file overwrite in
+ readline.sh
+
+CVE: CVE-2024-54661
+Upstream-Status: Backport [https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ readline.sh | 10 +++++++--
+ test.sh     | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 2 deletions(-)
+
+diff --git a/readline.sh b/readline.sh
+index b6f8438..1045303 100755
+--- a/readline.sh
++++ b/readline.sh
+@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
+ else
+     HISTOPT=
+ fi
+-mkdir -p /tmp/$USER || exit 1
+ #
+ #
+ 
+-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
++if test -w .; then
++    STDERR=./socat-readline.${1##*/}.log
++    rm -f $STDERR
++else
++    STDERR=/dev/null
++fi
++
++exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
+ 
+diff --git a/test.sh b/test.sh
+index 46bebf8..5204ac7 100755
+--- a/test.sh
++++ b/test.sh
+@@ -15657,6 +15657,69 @@ esac
+ N=$((N+1))
+ 
+ 
++# Test the readline.sh file overwrite vulnerability
++NAME=READLINE_SH_OVERWRITE
++case "$TESTS" in
++*%$N%*|*%functions%*|*%bugs%*|*%readline%*|*%security%*|*%$NAME%*)
++TEST="$NAME: Test the readline.sh file overwrite vulnerability"
++# Create a symlink /tmp/$USER/stderr2 pointing to a temporary file,
++# run readline.sh
++# When the temporary file is kept the test succeeded
++if ! eval $NUMCOND; then :
++elif ! cond=$(checkconds \
++		  "" \
++		  "" \
++		  "readline.sh" \
++		  "" \
++		  "" \
++		  "" \
++		  "" ); then
++    $PRINTF "test $F_n $TEST... ${YELLOW}$cond${NORMAL}\n" $N
++    numCANT=$((numCANT+1))
++    listCANT="$listCANT $N"
++    namesCANT="$namesCANT $NAME"
++else
++    tf="$td/test$N.file"
++    te="$td/test$N.stderr"
++    tdiff="$td/test$N.diff"
++    da="test$N $(date) $RANDOM"
++    echo "$da" >"$tf"
++    ln -sf "$tf" /tmp/$USER/stderr2
++    CMD0="readline.sh cat"
++    printf "test $F_n $TEST... " $N
++    $CMD0 </dev/null >/dev/null 2>"${te}0"
++    rc0=$?
++#    if [ "$rc0" -ne 0 ]; then
++#	$PRINTF "$CANT (rc0=$rc0)\n"
++#	echo "$CMD0"
++#	cat "${te}0" >&2
++#	numCANT=$((numCANT+1))
++#	listCANT="$listCANT $N"
++#	namesCANT="$namesCANT $NAME"
++#    elif ! echo "$da" |diff - "$tf" >$tdiff; then
++    if ! echo "$da" |diff - "$tf" >$tdiff; then
++	$PRINTF "$FAILED (diff)\n"
++	echo "$CMD0 &"
++	cat "${te}0" >&2
++	echo "// diff:" >&2
++	cat "$tdiff" >&2
++	numFAIL=$((numFAIL+1))
++	listFAIL="$listFAIL $N"
++	namesFAIL="$namesFAIL $NAME"
++    else
++	$PRINTF "$OK\n"
++	if [ "$VERBOSE" ]; then echo "$CMD0 &"; fi
++	if [ "$DEBUG" ];   then cat "${te}0" >&2; fi
++	if [ "$VERBOSE" ]; then echo "$CMD1"; fi
++	if [ "$DEBUG" ];   then cat "${te}1" >&2; fi
++	numOK=$((numOK+1))
++	listOK="$listOK $N"
++    fi
++fi # NUMCOND
++ ;;
++esac
++N=$((N+1))
++
+ # end of common tests
+ 
+ ##################################################################################
+-- 
+2.30.2
+

meta/recipes-connectivity/socat/socat_1.7.4.4.bb

@@ -9,7 +9,9 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86"
 
-SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2"
+SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+           file://CVE-2024-54661.patch \
+          "
 
 SRC_URI[sha256sum] = "fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac"
 

meta/recipes-core/glibc/glibc-version.inc

@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "37214df5f103f4075cf0a79a227e70f3e064701c"
+SRCREV_glibc ?= "549d8315791aa8176ff1537db3e09c185c6e602f"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"

meta/recipes-core/glibc/glibc/0003-sunrpc-suppress-gcc-os-warning-on-user2netname.patch

@@ -0,0 +1,61 @@
+From 6128e82ebe973163d2dd614d31753c88c0c4d645 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
+Date: Wed, 21 Sep 2022 10:51:07 -0300
+Subject: [PATCH] sunrpc: Suppress GCC -Os warning on user2netname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC with -Os warns that sprint might overflow:
+
+  netname.c: In function ‘user2netname’:
+  netname.c:51:28: error: ‘%s’ directive writing up to 255 bytes into a
+  region of size between 239 and 249 [-Werror=format-overflow=]
+     51 |   sprintf (netname, "%s.%d@%s", OPSYS, uid, dfltdom);
+        |                            ^~               ~~~~~~~
+  netname.c:51:3: note: ‘sprintf’ output between 8 and 273 bytes into a
+  destination of size 256
+     51 |   sprintf (netname, "%s.%d@%s", OPSYS, uid, dfltdom);
+        |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  cc1: all warnings being treated as errors
+
+However the code does test prior the sprintf call that dfltdom plus
+the required extra space for OPSYS, uid, and extra character will not
+overflow and return 0 instead.
+
+Checked on x86_64-linux-gnu and i686-linux-gnu.
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Tested-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://github.com/bminor/glibc/commit/6128e82ebe973163d2dd614d31753c88c0c4d645]
+Signed-off-by: nikhil <nikhil.r@kpit.com>
+
+---
+ sunrpc/netname.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sunrpc/netname.c b/sunrpc/netname.c
+index bf7f0b81c43..c1d1c43e502 100644
+--- a/sunrpc/netname.c
++++ b/sunrpc/netname.c
+@@ -20,6 +20,7 @@
+ #include <string.h>
+ #include <rpc/rpc.h>
+ #include <shlib-compat.h>
++#include <libc-diag.h>
+ 
+ #include "nsswitch.h"
+ 
+@@ -48,7 +49,12 @@ user2netname (char netname[MAXNETNAMELEN + 1], const uid_t uid,
+   if ((strlen (dfltdom) + OPSYS_LEN + 3 + MAXIPRINT) > (size_t) MAXNETNAMELEN)
+     return 0;
+ 
++  /* GCC with -Os warns that sprint might overflow while handling dfltdom,
++     however the above test does check if an overflow would happen.  */
++  DIAG_PUSH_NEEDS_COMMENT;
++  DIAG_IGNORE_Os_NEEDS_COMMENT (8, "-Wformat-overflow");
+   sprintf (netname, "%s.%d@%s", OPSYS, uid, dfltdom);
++  DIAG_POP_NEEDS_COMMENT;
+   i = strlen (netname);
+   if (netname[i - 1] == '.')
+     netname[i - 1] = '\0';

meta/recipes-core/glibc/glibc_2.35.bb

@@ -64,6 +64,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            \
            file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
            file://0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch \
+           file://0003-sunrpc-suppress-gcc-os-warning-on-user2netname.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "cb03c7cf84b3e5a974395f7c02754a01913ddbe1"
+SRCREV ?= "285e878650919844f8194c9b5c2fc034b019c4a3"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-devtools/binutils/binutils-2.38.inc

@@ -71,5 +71,6 @@ SRC_URI = "\
      file://0034-CVE-2022-48064.patch \
      file://0035-CVE-2023-39129.patch \
      file://0036-CVE-2023-39130.patch \
+     file://0037-CVE-2024-53589.patch \
 "
 S  = "${WORKDIR}/git"

meta/recipes-devtools/binutils/binutils/0037-CVE-2024-53589.patch

@@ -0,0 +1,92 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Mon Nov 11 10:24:09 2024 +1030
+
+    Re: tekhex object file output fixes
+
+    Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+    bfd_abs_section, but bfd_abs_section needs to be treated specially.
+    In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+    is invalid.
+
+            PR 32347
+            * tekhex.c (first_phase): Guard against modification of
+            _bfd_std_section[] entries.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
+CVE: CVE-2024-53589
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
++++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
++  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];			/* A symbol can only be 16chars long.  */
+
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-	bfd_vma addr;
+-
+-	if (!getvalue (&src, &addr, src_end))
+-	  return false;
+-
+-	while (*src && src < src_end - 1)
+-	  {
+-	    insert_byte (abfd, HEX (src), addr);
+-	    src += 2;
+-	    addr++;
+-	  }
+-	return true;
+-      }
++      if (!getvalue (&src, &addr, src_end))
++       return false;
++
++      while (*src && src < src_end - 1)
++       {
++         insert_byte (abfd, HEX (src), addr);
++         src += 2;
++         addr++;
++       }
++      return true;
+
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+	    {
+	    case '1':		/* Section range.  */
+	      src++;
+-	      if (!getvalue (&src, &section->vma, src_end))
++             if (!getvalue (&src, &addr, src_end))
+		return false;
+	      if (!getvalue (&src, &val, src_end))
+		return false;
+-	      if (val < section->vma)
+-		val = section->vma;
+-	      section->size = val - section->vma;
++             if (bfd_is_const_section (section))
++               break;
++             section->vma = addr;
++             if (val < addr)
++               val = addr;
++             section->size = val - addr;
+	      /* PR 17512: file: objdump-s-endless-loop.tekhex.
+		 Check for overlarge section sizes.  */
+	      if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+		  new_symbol->symbol.flags = BSF_LOCAL;
+		if (stype == '2' || stype == '6')
+		  new_symbol->symbol.section = bfd_abs_section_ptr;
++               else if (bfd_is_const_section (section))
++                 ;
+		else if (stype == '3' || stype == '7')
+		  {
+		    if ((section->flags & SEC_DATA) == 0)

meta/recipes-devtools/gcc/gcc-testsuite.inc

@@ -53,8 +53,10 @@ python check_prepare() {
         #   - valid for x86*, powerpc, arm, arm64
         if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "arm", "aarch64"]:
             args += ["-cpu", "max"]
-        elif qemu_binary.lstrip("qemu-") in ["ppc"]:
-            args += d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')).split()
+        else:
+            extra = d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('TUNE_PKGARCH'))
+            if extra:
+                args += extra.split()
         sysroot = d.getVar("RECIPE_SYSROOT")
         args += ["-L", sysroot]
         # lib paths are static here instead of using $libdir since this is used by a -cross recipe

meta/recipes-devtools/gdb/gdb.inc

@@ -17,5 +17,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
            file://0011-CVE-2023-39128.patch \
 	   file://0012-CVE-2023-39129.patch \
 	   file://0013-CVE-2023-39130.patch \
+           file://0014-CVE-2024-53589.patch \
            "
 SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32"

meta/recipes-devtools/gdb/gdb/0014-CVE-2024-53589.patch

@@ -0,0 +1,92 @@
+Author: Alan Modra <amodra@gmail.com>
+Date:   Mon Nov 11 10:24:09 2024 +1030
+
+    Re: tekhex object file output fixes
+
+    Commit 8b5a212495 supported *ABS* symbols by allowing "section" to be
+    bfd_abs_section, but bfd_abs_section needs to be treated specially.
+    In particular, bfd_get_next_section_by_name (.., bfd_abs_section_ptr)
+    is invalid.
+
+            PR 32347
+            * tekhex.c (first_phase): Guard against modification of
+            _bfd_std_section[] entries.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88]
+CVE: CVE-2024-53589
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+diff --git a/bfd/tekhex.c b/bfd/tekhex.c
+index aea2ebb23df..b305c1f96f1 100644
+--- a/bfd/tekhex.c
++++ b/bfd/tekhex.c
+@@ -361,6 +361,7 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+ {
+   asection *section, *alt_section;
+   unsigned int len;
++  bfd_vma addr;
+   bfd_vma val;
+   char sym[17];			/* A symbol can only be 16chars long.  */
+
+@@ -368,20 +369,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+     {
+     case '6':
+       /* Data record - read it and store it.  */
+-      {
+-	bfd_vma addr;
+-
+-	if (!getvalue (&src, &addr, src_end))
+-	  return false;
+-
+-	while (*src && src < src_end - 1)
+-	  {
+-	    insert_byte (abfd, HEX (src), addr);
+-	    src += 2;
+-	    addr++;
+-	  }
+-	return true;
+-      }
++      if (!getvalue (&src, &addr, src_end))
++       return false;
++
++      while (*src && src < src_end - 1)
++       {
++         insert_byte (abfd, HEX (src), addr);
++         src += 2;
++         addr++;
++       }
++      return true;
+
+     case '3':
+       /* Symbol record, read the segment.  */
+@@ -406,13 +403,16 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+	    {
+	    case '1':		/* Section range.  */
+	      src++;
+-	      if (!getvalue (&src, &section->vma, src_end))
++             if (!getvalue (&src, &addr, src_end))
+		return false;
+	      if (!getvalue (&src, &val, src_end))
+		return false;
+-	      if (val < section->vma)
+-		val = section->vma;
+-	      section->size = val - section->vma;
++             if (bfd_is_const_section (section))
++               break;
++             section->vma = addr;
++             if (val < addr)
++               val = addr;
++             section->size = val - addr;
+	      /* PR 17512: file: objdump-s-endless-loop.tekhex.
+		 Check for overlarge section sizes.  */
+	      if (section->size & 0x80000000)
+@@ -455,6 +455,8 @@ first_phase (bfd *abfd, int type, char *src, char * src_end)
+		  new_symbol->symbol.flags = BSF_LOCAL;
+		if (stype == '2' || stype == '6')
+		  new_symbol->symbol.section = bfd_abs_section_ptr;
++               else if (bfd_is_const_section (section))
++                 ;
+		else if (stype == '3' || stype == '7')
+		  {
+		    if ((section->flags & SEC_DATA) == 0)

meta/recipes-devtools/go/go-1.17.13.inc

@@ -58,6 +58,10 @@ SRC_URI += "\
     file://CVE-2023-45288.patch \
     file://CVE-2024-24789.patch \
     file://CVE-2024-24791.patch \
+    file://CVE-2024-34155.patch \
+    file://CVE-2024-34156.patch \
+    file://CVE-2024-34158.patch \
+    file://CVE-2024-45336.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 

meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch

@@ -0,0 +1,71 @@
+From b232596139dbe96a62edbe3a2a203e856bf556eb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 10 Jun 2024 15:34:12 -0700
+Subject: [PATCH] go/parser: track depth in nested element lists
+
+Prevents stack exhaustion with extremely deeply nested literal values,
+i.e. field values in structs.
+
+Updates #69138
+Fixes #69142
+Fixes CVE-2024-34155
+
+Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
+Reviewed-by: Robert Griesemer <gri@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611181
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34155
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/go/parser/parser.go      | 2 ++
+ src/go/parser/parser_test.go | 9 +++++----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
+index 2c42b9f..a728d9a 100644
+--- a/src/go/parser/parser.go
++++ b/src/go/parser/parser.go
+@@ -1481,6 +1481,8 @@ func (p *parser) parseElementList() (list []ast.Expr) {
+ }
+
+ func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr {
++	defer decNestLev(incNestLev(p))
++
+	if p.trace {
+		defer un(trace(p, "LiteralValue"))
+	}
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 993df63..b2cd501 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -607,10 +607,11 @@ var parseDepthTests = []struct {
+	{name: "chan2", format: "package main; var x «<-chan »int"},
+	{name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
+	{name: "map", format: "package main; var x «map[int]»int"},
+-	{name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2},             // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2},         // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+-	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2},    // Parser nodes: CompositeLit, KeyValueExpr
++	{name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3},      // Parser nodes: UnaryExpr, CompositeLit
++	{name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3},         // Parser nodes: UnaryExpr, CompositeLit
++	{name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
++	{name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3},    // Parser nodes: CompositeLit, KeyValueExpr
++	{name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
+	{name: "dot", format: "package main; var x = «x.»x"},
+	{name: "index", format: "package main; var x = x«[1]»"},
+	{name: "slice", format: "package main; var x = x«[1:2]»"},
+--
+2.40.0

meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch

@@ -0,0 +1,150 @@
+From 2092294f2b097c5828f4eace6c98a322c1510b01 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 3 May 2024 09:21:39 -0400
+Subject: [PATCH] encoding/gob: cover missed cases when checking ignore depth
+
+This change makes sure that we are properly checking the ignored field
+recursion depth in decIgnoreOpFor consistently. This prevents stack
+exhaustion when attempting to decode a message that contains an
+extremely deeply nested struct which is ignored.
+
+Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)
+for reporting this issue.
+
+Updates #69139
+Fixes #69144
+Fixes CVE-2024-34156
+
+Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit f0a11f9b3aaa362cb1d05e095e3c8d421d4f087f)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1580
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611182
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34156
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/encoding/gob/decode.go         | 19 +++++++++++--------
+ src/encoding/gob/decoder.go        |  2 ++
+ src/encoding/gob/gobencdec_test.go | 14 ++++++++++++++
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
+index 0e0ec75..92d64cb 100644
+--- a/src/encoding/gob/decode.go
++++ b/src/encoding/gob/decode.go
+@@ -874,8 +874,11 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg
+ var maxIgnoreNestingDepth = 10000
+
+ // decIgnoreOpFor returns the decoding op for a field that has no destination.
+-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp {
+-	if depth > maxIgnoreNestingDepth {
++func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp {
++	// Track how deep we've recursed trying to skip nested ignored fields.
++	dec.ignoreDepth++
++	defer func() { dec.ignoreDepth-- }()
++	if dec.ignoreDepth > maxIgnoreNestingDepth {
+		error_(errors.New("invalid nesting depth"))
+	}
+	// If this type is already in progress, it's a recursive type (e.g. map[string]*T).
+@@ -901,7 +904,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+			errorf("bad data: undefined type %s", wireId.string())
+		case wire.ArrayT != nil:
+			elemId := wire.ArrayT.Elem
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+				state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len)
+			}
+@@ -909,15 +912,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+		case wire.MapT != nil:
+			keyId := dec.wireType[wireId].MapT.Key
+			elemId := dec.wireType[wireId].MapT.Elem
+-			keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1)
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++			keyOp := dec.decIgnoreOpFor(keyId, inProgress)
++			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+				state.dec.ignoreMap(state, *keyOp, *elemOp)
+			}
+
+		case wire.SliceT != nil:
+			elemId := wire.SliceT.Elem
+-			elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++			elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+			op = func(i *decInstr, state *decoderState, value reflect.Value) {
+				state.dec.ignoreSlice(state, *elemOp)
+			}
+@@ -1078,7 +1081,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de
+ func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine {
+	engine := new(decEngine)
+	engine.instr = make([]decInstr, 1) // one item
+-	op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0)
++	op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp))
+	ovfl := overflow(dec.typeString(remoteId))
+	engine.instr[0] = decInstr{*op, 0, nil, ovfl}
+	engine.numInstr = 1
+@@ -1123,7 +1126,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn
+		localField, present := srt.FieldByName(wireField.Name)
+		// TODO(r): anonymous names
+		if !present || !isExported(wireField.Name) {
+-			op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0)
++			op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp))
+			engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl}
+			continue
+		}
+diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go
+index b476aaa..8fab2fd 100644
+--- a/src/encoding/gob/decoder.go
++++ b/src/encoding/gob/decoder.go
+@@ -34,6 +34,8 @@ type Decoder struct {
+	freeList     *decoderState                           // list of free decoderStates; avoids reallocation
+	countBuf     []byte                                  // used for decoding integers while parsing messages
+	err          error
++       // ignoreDepth tracks the depth of recursively parsed ignored fields
++       ignoreDepth int
+ }
+
+ // NewDecoder returns a new decoder that reads from the io.Reader.
+diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go
+index 1b52ecc..2b5f2a8 100644
+--- a/src/encoding/gob/gobencdec_test.go
++++ b/src/encoding/gob/gobencdec_test.go
+@@ -806,6 +806,8 @@ func TestIngoreDepthLimit(t *testing.T) {
+	defer func() { maxIgnoreNestingDepth = oldNestingDepth }()
+	b := new(bytes.Buffer)
+	enc := NewEncoder(b)
++
++	// Nested slice
+	typ := reflect.TypeOf(int(0))
+	nested := reflect.ArrayOf(1, typ)
+	for i := 0; i < 100; i++ {
+@@ -819,4 +821,16 @@ func TestIngoreDepthLimit(t *testing.T) {
+	if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
+		t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
+	}
++
++	// Nested struct
++	nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: typ}})
++	for i := 0; i < 100; i++ {
++		nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}})
++	}
++	badStruct = reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}))
++	enc.Encode(badStruct.Interface())
++	dec = NewDecoder(b)
++	if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
++		t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
++	}
+ }
+--
+2.40.0

meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch

@@ -0,0 +1,205 @@
+From d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 20 Jun 2024 10:45:30 -0700
+Subject: [PATCH] go/build/constraint: add parsing limits
+
+Limit the size of build constraints that we will parse. This prevents a
+number of stack exhaustions that can be hit when parsing overly complex
+constraints. The imposed limits are unlikely to ever be hit in real
+world usage.
+
+Updates #69141
+Fixes #69148
+Fixes CVE-2024-34158
+
+Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34158
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/go/build/constraint/expr.go      | 28 ++++++++++--
+ src/go/build/constraint/expr_test.go | 65 +++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/build/constraint/expr.go b/src/go/build/constraint/expr.go
+index 957eb9b..85897e2 100644
+--- a/src/go/build/constraint/expr.go
++++ b/src/go/build/constraint/expr.go
+@@ -18,6 +18,10 @@ import (
+	"unicode/utf8"
+ )
+
++// maxSize is a limit used to control the complexity of expressions, in order
++// to prevent stack exhaustion issues due to recursion.
++const maxSize = 1000
++
+ // An Expr is a build tag constraint expression.
+ // The underlying concrete type is *AndExpr, *OrExpr, *NotExpr, or *TagExpr.
+ type Expr interface {
+@@ -153,7 +157,7 @@ func Parse(line string) (Expr, error) {
+		return parseExpr(text)
+	}
+	if text, ok := splitPlusBuild(line); ok {
+-		return parsePlusBuildExpr(text), nil
++		return parsePlusBuildExpr(text)
+	}
+	return nil, errNotConstraint
+ }
+@@ -203,6 +207,8 @@ type exprParser struct {
+	tok   string // last token read
+	isTag bool
+	pos   int // position (start) of last token
++
++	size int
+ }
+
+ // parseExpr parses a boolean build tag expression.
+@@ -251,6 +257,10 @@ func (p *exprParser) and() Expr {
+ // On entry, the next input token has not yet been lexed.
+ // On exit, the next input token has been lexed and is in p.tok.
+ func (p *exprParser) not() Expr {
++	p.size++
++	if p.size > maxSize {
++		panic(&SyntaxError{Offset: p.pos, Err: "build expression too large"})
++	}
+	p.lex()
+	if p.tok == "!" {
+		p.lex()
+@@ -391,7 +401,13 @@ func splitPlusBuild(line string) (expr string, ok bool) {
+ }
+
+ // parsePlusBuildExpr parses a legacy build tag expression (as used with “// +build”).
+-func parsePlusBuildExpr(text string) Expr {
++func parsePlusBuildExpr(text string) (Expr, error) {
++	// Only allow up to 100 AND/OR operators for "old" syntax.
++	// This is much less than the limit for "new" syntax,
++	// but uses of old syntax were always very simple.
++	const maxOldSize = 100
++	size := 0
++
+	var x Expr
+	for _, clause := range strings.Fields(text) {
+		var y Expr
+@@ -417,19 +433,25 @@ func parsePlusBuildExpr(text string) Expr {
+			if y == nil {
+				y = z
+			} else {
++				if size++; size > maxOldSize {
++					return nil, errComplex
++				}
+				y = and(y, z)
+			}
+		}
+		if x == nil {
+			x = y
+		} else {
++			if size++; size > maxOldSize {
++				return nil, errComplex
++			}
+			x = or(x, y)
+		}
+	}
+	if x == nil {
+		x = tag("ignore")
+	}
+-	return x
++	return x, nil
+ }
+
+ // isValidTag reports whether the word is a valid build tag.
+diff --git a/src/go/build/constraint/expr_test.go b/src/go/build/constraint/expr_test.go
+index 15d1890..ac38ba6 100644
+--- a/src/go/build/constraint/expr_test.go
++++ b/src/go/build/constraint/expr_test.go
+@@ -222,7 +222,7 @@ var parsePlusBuildExprTests = []struct {
+ func TestParsePlusBuildExpr(t *testing.T) {
+	for i, tt := range parsePlusBuildExprTests {
+		t.Run(fmt.Sprint(i), func(t *testing.T) {
+-			x := parsePlusBuildExpr(tt.in)
++			x, _ := parsePlusBuildExpr(tt.in)
+			if x.String() != tt.x.String() {
+				t.Errorf("parsePlusBuildExpr(%q):\nhave %v\nwant %v", tt.in, x, tt.x)
+			}
+@@ -319,3 +319,66 @@ func TestPlusBuildLines(t *testing.T) {
+		})
+	}
+ }
++
++func TestSizeLimits(t *testing.T) {
++	for _, tc := range []struct {
++		name string
++		expr string
++	}{
++		{
++			name: "go:build or limit",
++			expr: "//go:build " + strings.Repeat("a || ", maxSize+2),
++		},
++		{
++			name: "go:build and limit",
++			expr: "//go:build " + strings.Repeat("a && ", maxSize+2),
++		},
++		{
++			name: "go:build and depth limit",
++			expr: "//go:build " + strings.Repeat("(a &&", maxSize+2),
++		},
++		{
++			name: "go:build or depth limit",
++			expr: "//go:build " + strings.Repeat("(a ||", maxSize+2),
++		},
++	} {
++		t.Run(tc.name, func(t *testing.T) {
++			_, err := Parse(tc.expr)
++			if err == nil {
++				t.Error("expression did not trigger limit")
++			} else if syntaxErr, ok := err.(*SyntaxError); !ok || syntaxErr.Err != "build expression too large" {
++				if !ok {
++					t.Errorf("unexpected error: %v", err)
++				} else {
++					t.Errorf("unexpected syntax error: %s", syntaxErr.Err)
++				}
++			}
++		})
++	}
++}
++
++func TestPlusSizeLimits(t *testing.T) {
++	maxOldSize := 100
++	for _, tc := range []struct {
++		name string
++		expr string
++	}{
++		{
++			name: "+build or limit",
++			expr: "// +build " + strings.Repeat("a ", maxOldSize+2),
++		},
++		{
++			name: "+build and limit",
++			expr: "// +build " + strings.Repeat("a,", maxOldSize+2),
++		},
++	} {
++		t.Run(tc.name, func(t *testing.T) {
++			_, err := Parse(tc.expr)
++			if err == nil {
++				t.Error("expression did not trigger limit")
++			} else if err != errComplex {
++				t.Errorf("unexpected error: got %q, want %q", err, errComplex)
++			}
++		})
++	}
++}
+--
+2.40.0

meta/recipes-devtools/go/go-1.21/CVE-2024-45336.patch

@@ -0,0 +1,394 @@
+From b72d56f98d6620ebe07626dca4bb67ea8e185379 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 22 Nov 2024 12:34:11 -0800
+Subject: [PATCH] net/http: persist header stripping across repeated redirects
+
+When an HTTP redirect changes the host of a request, we drop
+sensitive headers such as Authorization from the redirected request.
+Fix a bug where a chain of redirects could result in sensitive
+headers being sent to the wrong host:
+
+  1. request to a.tld with Authorization header
+  2. a.tld redirects to b.tld
+  3. request to b.tld with no Authorization header
+  4. b.tld redirects to b.tld
+  3. request to b.tld with Authorization header restored
+
+Thanks to Kyle Seely for reporting this issue.
+
+Fixes #70530
+For #71210
+Fixes CVE-2024-45336
+
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Commit-Queue: Roland Shoemaker <bracewell@google.com>
+Change-Id: Id7b1e3c90345566b8ee1a51f65dbb179da6eb427
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1765
+Reviewed-on: https://go-review.googlesource.com/c/go/+/643106
+Reviewed-by: Michael Pratt <mpratt@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+CVE: CVE-2024-45336
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/b72d56f98d6620ebe07626dca4bb67ea8e185379]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/net/http/client.go                     | 65 +++++++-------
+ src/net/http/client_test.go                | 98 +++++++++++++++++-----
+ src/net/http/internal/testcert/testcert.go | 84 +++++++++----------
+ 3 files changed, 153 insertions(+), 94 deletions(-)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index b2dd445..13b6152 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -615,8 +615,9 @@ func (c *Client) do(req *Request) (retres *Response, reterr error) {
+		reqBodyClosed = false // have we closed the current req.Body?
+
+		// Redirect behavior:
+-		redirectMethod string
+-		includeBody    bool
++		redirectMethod        string
++		includeBody           = true
++		stripSensitiveHeaders = false
+	)
+	uerr := func(err error) error {
+		// the body may have been closed already by c.send()
+@@ -681,7 +682,12 @@ func (c *Client) do(req *Request) (retres *Response, reterr error) {
+			// in case the user set Referer on their first request.
+			// If they really want to override, they can do it in
+			// their CheckRedirect func.
+-			copyHeaders(req)
++			if !stripSensitiveHeaders && reqs[0].URL.Host != req.URL.Host {
++				if !shouldCopyHeaderOnRedirect(reqs[0].URL, req.URL) {
++					stripSensitiveHeaders = true
++				}
++			}
++			copyHeaders(req, stripSensitiveHeaders)
+
+			// Add the Referer header from the most recent
+			// request URL to the new one, if it's not https->http:
+@@ -747,7 +753,7 @@ func (c *Client) do(req *Request) (retres *Response, reterr error) {
+ // makeHeadersCopier makes a function that copies headers from the
+ // initial Request, ireq. For every redirect, this function must be called
+ // so that it can copy headers into the upcoming Request.
+-func (c *Client) makeHeadersCopier(ireq *Request) func(*Request) {
++func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensitiveHeaders bool) {
+	// The headers to copy are from the very initial request.
+	// We use a closured callback to keep a reference to these original headers.
+	var (
+@@ -761,8 +767,7 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(*Request) {
+		}
+	}
+
+-	preq := ireq // The previous request
+-	return func(req *Request) {
++	return func(req *Request, stripSensitiveHeaders bool) {
+		// If Jar is present and there was some initial cookies provided
+		// via the request header, then we may need to alter the initial
+		// cookies as we follow redirects since each redirect may end up
+@@ -799,12 +804,15 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(*Request) {
+		// Copy the initial request's Header values
+		// (at least the safe ones).
+		for k, vv := range ireqhdr {
+-			if shouldCopyHeaderOnRedirect(k, preq.URL, req.URL) {
++			sensitive := false
++			switch CanonicalHeaderKey(k) {
++			case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
++				sensitive = true
++			}
++			if !(sensitive && stripSensitiveHeaders) {
+				req.Header[k] = vv
+			}
+		}
+-
+-		preq = req // Update previous Request with the current request
+	}
+ }
+
+@@ -983,28 +991,23 @@ func (b *cancelTimerBody) Close() error {
+	return err
+ }
+
+-func shouldCopyHeaderOnRedirect(headerKey string, initial, dest *url.URL) bool {
+-	switch CanonicalHeaderKey(headerKey) {
+-	case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
+-		// Permit sending auth/cookie headers from "foo.com"
+-		// to "sub.foo.com".
+-
+-		// Note that we don't send all cookies to subdomains
+-		// automatically. This function is only used for
+-		// Cookies set explicitly on the initial outgoing
+-		// client request. Cookies automatically added via the
+-		// CookieJar mechanism continue to follow each
+-		// cookie's scope as set by Set-Cookie. But for
+-		// outgoing requests with the Cookie header set
+-		// directly, we don't know their scope, so we assume
+-		// it's for *.domain.com.
+-
+-		ihost := canonicalAddr(initial)
+-		dhost := canonicalAddr(dest)
+-		return isDomainOrSubdomain(dhost, ihost)
+-	}
+-	// All other headers are copied:
+-	return true
++func shouldCopyHeaderOnRedirect(initial, dest *url.URL) bool {
++	// Permit sending auth/cookie headers from "foo.com"
++	// to "sub.foo.com".
++
++	// Note that we don't send all cookies to subdomains
++	// automatically. This function is only used for
++	// Cookies set explicitly on the initial outgoing
++	// client request. Cookies automatically added via the
++	// CookieJar mechanism continue to follow each
++	// cookie's scope as set by Set-Cookie. But for
++	// outgoing requests with the Cookie header set
++	// directly, we don't know their scope, so we assume
++	// it's for *.domain.com.
++
++	ihost := canonicalAddr(initial)
++	dhost := canonicalAddr(dest)
++	return isDomainOrSubdomain(dhost, ihost)
+ }
+
+ // isDomainOrSubdomain reports whether sub is a subdomain (or exact
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 7a0aa53..8bf1808 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1551,6 +1551,54 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
+		t.Errorf("result = %q; want ok", got)
+	}
+ }
++// Issue #70530: Once we strip a header on a redirect to a different host,
++// the header should stay stripped across any further redirects.
++func TestClientStripHeadersOnRepeatedRedirect(t *testing.T) {
++       run(t, testClientStripHeadersOnRepeatedRedirect)
++}
++func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
++       var proto string
++       ts := newClientServerTest(t, mode, HandlerFunc(func(w ResponseWriter, r *Request) {
++               if r.Host+r.URL.Path != "a.example.com/" {
++                       if h := r.Header.Get("Authorization"); h != "" {
++                               t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
++                       }
++               }
++               // Follow a chain of redirects from a to b and back to a.
++               // The Authorization header is stripped on the first redirect to b,
++               // and stays stripped even if we're sent back to a.
++               switch r.Host + r.URL.Path {
++               case "a.example.com/":
++                       Redirect(w, r, proto+"://b.example.com/", StatusFound)
++               case "b.example.com/":
++                       Redirect(w, r, proto+"://b.example.com/redirect", StatusFound)
++               case "b.example.com/redirect":
++                       Redirect(w, r, proto+"://a.example.com/redirect", StatusFound)
++               case "a.example.com/redirect":
++                       w.Header().Set("X-Done", "true")
++               default:
++                       t.Errorf("unexpected request to %v", r.URL)
++               }
++       })).ts
++       proto, _, _ = strings.Cut(ts.URL, ":")
++
++       c := ts.Client()
++       c.Transport.(*Transport).Dial = func(_ string, _ string) (net.Conn, error) {
++               return net.Dial("tcp", ts.Listener.Addr().String())
++       }
++
++       req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
++       req.Header.Add("Cookie", "foo=bar")
++       req.Header.Add("Authorization", "secretpassword")
++       res, err := c.Do(req)
++       if err != nil {
++               t.Fatal(err)
++       }
++       defer res.Body.Close()
++       if res.Header.Get("X-Done") != "true" {
++               t.Fatalf("response missing expected header: X-Done=true")
++       }
++}
+
+ // Issue 22233: copy host when Client follows a relative redirect.
+ func TestClientCopyHostOnRedirect(t *testing.T) {
+@@ -1716,31 +1764,39 @@ func TestClientAltersCookiesOnRedirect(t *testing.T) {
+ // Part of Issue 4800
+ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+	tests := []struct {
+-		header     string
+		initialURL string
+		destURL    string
+		want       bool
+	}{
+-		{"User-Agent", "http://foo.com/", "http://bar.com/", true},
+-		{"X-Foo", "http://foo.com/", "http://bar.com/", true},
+-
+		// Sensitive headers:
+-		{"cookie", "http://foo.com/", "http://bar.com/", false},
+-		{"cookie2", "http://foo.com/", "http://bar.com/", false},
+-		{"authorization", "http://foo.com/", "http://bar.com/", false},
+-		{"www-authenticate", "http://foo.com/", "http://bar.com/", false},
+-		{"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
++               {"http://foo.com/", "http://bar.com/", false},
++               {"http://foo.com/", "http://bar.com/", false},
++               {"http://foo.com/", "http://bar.com/", false},
++               {"http://foo.com/", "https://foo.com/", true},
++               {"http://foo.com:1234/", "http://foo.com:4321/", true},
++               {"http://foo.com/", "http://bar.com/", false},
++               {"http://foo.com/", "http://[::1%25.foo.com]/", false},
+
+		// But subdomains should work:
+-		{"www-authenticate", "http://foo.com/", "http://foo.com/", true},
+-		{"www-authenticate", "http://foo.com/", "http://sub.foo.com/", true},
+-		{"www-authenticate", "http://foo.com/", "http://notfoo.com/", false},
+-		{"www-authenticate", "http://foo.com/", "https://foo.com/", false},
+-		{"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
+-		{"www-authenticate", "http://foo.com:80/", "http://sub.foo.com/", true},
+-		{"www-authenticate", "http://foo.com:443/", "https://foo.com/", true},
+-		{"www-authenticate", "http://foo.com:443/", "https://sub.foo.com/", true},
+-		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", false},
++               {"http://foo.com/", "http://foo.com/", true},
++               {"http://foo.com/", "http://sub.foo.com/", true},
++               {"http://foo.com/", "http://notfoo.com/", false},
++               {"http://foo.com/", "https://foo.com/", true},
++               {"http://foo.com:80/", "http://foo.com/", true},
++               {"http://foo.com:80/", "http://sub.foo.com/", true},
++               {"http://foo.com:443/", "https://foo.com/", true},
++               {"http://foo.com:443/", "https://sub.foo.com/", true},
++               {"http://foo.com:1234/", "http://foo.com/", true},
++
++               {"http://foo.com/", "http://foo.com/", true},
++               {"http://foo.com/", "http://sub.foo.com/", true},
++               {"http://foo.com/", "http://notfoo.com/", false},
++               {"http://foo.com/", "https://foo.com/", true},
++               {"http://foo.com:80/", "http://foo.com/", true},
++               {"http://foo.com:80/", "http://sub.foo.com/", true},
++               {"http://foo.com:443/", "https://foo.com/", true},
++               {"http://foo.com:443/", "https://sub.foo.com/", true},
++               {"http://foo.com:1234/", "http://foo.com/", true},
+	}
+	for i, tt := range tests {
+		u0, err := url.Parse(tt.initialURL)
+@@ -1753,10 +1809,10 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+			t.Errorf("%d. dest URL %q parse error: %v", i, tt.destURL, err)
+			continue
+		}
+-		got := Export_shouldCopyHeaderOnRedirect(tt.header, u0, u1)
++		got := Export_shouldCopyHeaderOnRedirect(u0, u1)
+		if got != tt.want {
+-			t.Errorf("%d. shouldCopyHeaderOnRedirect(%q, %q => %q) = %v; want %v",
+-				i, tt.header, tt.initialURL, tt.destURL, got, tt.want)
++			t.Errorf("%d. shouldCopyHeaderOnRedirect(%q => %q) = %v; want %v",
++				i, tt.initialURL, tt.destURL, got, tt.want)
+		}
+	}
+ }
+diff --git a/src/net/http/internal/testcert/testcert.go b/src/net/http/internal/testcert/testcert.go
+index d510e79..78ce42e 100644
+--- a/src/net/http/internal/testcert/testcert.go
++++ b/src/net/http/internal/testcert/testcert.go
+@@ -10,56 +10,56 @@ import "strings"
+ // LocalhostCert is a PEM-encoded TLS cert with SAN IPs
+ // "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT.
+ // generated from src/crypto/tls:
+-// go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
++// go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com,*.example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+ var LocalhostCert = []byte(`-----BEGIN CERTIFICATE-----
+-MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
++MIIDSDCCAjCgAwIBAgIQEP/md970HysdBTpuzDOf0DANBgkqhkiG9w0BAQsFADAS
+ MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+ MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+-MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+-bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+-aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+-YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+-POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+-h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
++MIIBCgKCAQEAxcl69ROJdxjN+MJZnbFrYxyQooADCsJ6VDkuMyNQIix/Hk15Nk/u
++FyBX1Me++aEpGmY3RIY4fUvELqT/srvAHsTXwVVSttMcY8pcAFmXSqo3x4MuUTG/
++jCX3Vftj0r3EM5M8ImY1rzA/jqTTLJg00rD+DmuDABcqQvoXw/RV8w1yTRi5BPoH
++DFD/AWTt/YgMvk1l2Yq/xI8VbMUIpjBoGXxWsSevQ5i2s1mk9/yZzu0Ysp1tTlzD
++qOPa4ysFjBitdXiwfxjxtv5nXqOCP5rheKO0sWLk0fetMp1OV5JSJMAJw6c2ZMkl
++U2WMqAEpRjdE/vHfIuNg+yGaRRqI07NZRQIDAQABo4GXMIGUMA4GA1UdDwEB/wQE
+ AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+-DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+-bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+-5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+-cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
+-+tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+-grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+-5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+-WkBKOclmOV2xlTVuPw==
++DgQWBBQR5QIzmacmw78ZI1C4MXw7Q0wJ1jA9BgNVHREENjA0ggtleGFtcGxlLmNv
++bYINKi5leGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG
++9w0BAQsFAAOCAQEACrRNgiioUDzxQftd0fwOa6iRRcPampZRDtuaF68yNHoNWbOu
++LUwc05eOWxRq3iABGSk2xg+FXM3DDeW4HhAhCFptq7jbVZ+4Jj6HeJG9mYRatAxR
++Y/dEpa0D0EHhDxxVg6UzKOXB355n0IetGE/aWvyTV9SiDs6QsaC57Q9qq1/mitx5
++2GFBoapol9L5FxCc77bztzK8CpLujkBi25Vk6GAFbl27opLfpyxkM+rX/T6MXCPO
++6/YBacNZ7ff1/57Etg4i5mNA6ubCpuc4Gi9oYqCNNohftr2lkJr7REdDR6OW0lsL
++rF7r4gUnKeC7mYIH1zypY7laskopiLFAfe96Kg==
+ -----END CERTIFICATE-----`)
+
+ // LocalhostKey is the private key for LocalhostCert.
+ var LocalhostKey = []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
+-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoZtrm0dXV0Aqi
+-4Bpc7f95sNRTiu/AJSD8I1onY9PnEsPg3VVxvytsVJbYdcqr4w99V3AgpH/UNzMS
+-gAZ/8lZBNbsSDOVesJ3euVqMRfYPvd9pYl6QPRRpSDPm+2tNdn3QFAvta9EgJ3sW
+-URnoU85w+W6aLI2bNSq3AaE771p3VbkGolpEjo9h+i42TBHo1rhPNKPkGupR8/QX
+-AOLMpInRdeaHyDwb2a3DE5I3dG7VAVzrVfJ6W6Q84YoFX+rpEE2SVM17SAjy6xQy
+-VjKgLvK2mk0xbtfa+h0B6VK7bmODHZqeP18NVm6HsBcXn7iclLgAC3SfWU1jucZK
+-x1lqzw9tAgMBAAECggEABWzxS1Y2wckblnXY57Z+sl6YdmLV+gxj2r8Qib7g4ZIk
+-lIlWR1OJNfw7kU4eryib4fc6nOh6O4AWZyYqAK6tqNQSS/eVG0LQTLTTEldHyVJL
+-dvBe+MsUQOj4nTndZW+QvFzbcm2D8lY5n2nBSxU5ypVoKZ1EqQzytFcLZpTN7d89
+-EPj0qDyrV4NZlWAwL1AygCwnlwhMQjXEalVF1ylXwU3QzyZ/6MgvF6d3SSUlh+sq
+-XefuyigXw484cQQgbzopv6niMOmGP3of+yV4JQqUSb3IDmmT68XjGd2Dkxl4iPki
+-6ZwXf3CCi+c+i/zVEcufgZ3SLf8D99kUGE7v7fZ6AQKBgQD1ZX3RAla9hIhxCf+O
+-3D+I1j2LMrdjAh0ZKKqwMR4JnHX3mjQI6LwqIctPWTU8wYFECSh9klEclSdCa64s
+-uI/GNpcqPXejd0cAAdqHEEeG5sHMDt0oFSurL4lyud0GtZvwlzLuwEweuDtvT9cJ
+-Wfvl86uyO36IW8JdvUprYDctrQKBgQDycZ697qutBieZlGkHpnYWUAeImVA878sJ
+-w44NuXHvMxBPz+lbJGAg8Cn8fcxNAPqHIraK+kx3po8cZGQywKHUWsxi23ozHoxo
+-+bGqeQb9U661TnfdDspIXia+xilZt3mm5BPzOUuRqlh4Y9SOBpSWRmEhyw76w4ZP
+-OPxjWYAgwQKBgA/FehSYxeJgRjSdo+MWnK66tjHgDJE8bYpUZsP0JC4R9DL5oiaA
+-brd2fI6Y+SbyeNBallObt8LSgzdtnEAbjIH8uDJqyOmknNePRvAvR6mP4xyuR+Bv
+-m+Lgp0DMWTw5J9CKpydZDItc49T/mJ5tPhdFVd+am0NAQnmr1MCZ6nHxAoGABS3Y
+-LkaC9FdFUUqSU8+Chkd/YbOkuyiENdkvl6t2e52jo5DVc1T7mLiIrRQi4SI8N9bN
+-/3oJWCT+uaSLX2ouCtNFunblzWHBrhxnZzTeqVq4SLc8aESAnbslKL4i8/+vYZlN
+-s8xtiNcSvL+lMsOBORSXzpj/4Ot8WwTkn1qyGgECgYBKNTypzAHeLE6yVadFp3nQ
+-Ckq9yzvP/ib05rvgbvrne00YeOxqJ9gtTrzgh7koqJyX1L4NwdkEza4ilDWpucn0
+-xiUZS4SoaJq6ZvcBYS62Yr1t8n09iG47YL8ibgtmH3L+svaotvpVxVK+d7BLevA/
+-ZboOWVe3icTy64BT3OQhmg==
++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFyXr1E4l3GM34
++wlmdsWtjHJCigAMKwnpUOS4zI1AiLH8eTXk2T+4XIFfUx775oSkaZjdEhjh9S8Qu
++pP+yu8AexNfBVVK20xxjylwAWZdKqjfHgy5RMb+MJfdV+2PSvcQzkzwiZjWvMD+O
++pNMsmDTSsP4Oa4MAFypC+hfD9FXzDXJNGLkE+gcMUP8BZO39iAy+TWXZir/EjxVs
++xQimMGgZfFaxJ69DmLazWaT3/JnO7RiynW1OXMOo49rjKwWMGK11eLB/GPG2/mde
++o4I/muF4o7SxYuTR960ynU5XklIkwAnDpzZkySVTZYyoASlGN0T+8d8i42D7IZpF
++GojTs1lFAgMBAAECggEAIYthUi1lFBDd5gG4Rzlu+BlBIn5JhcqkCqLEBiJIFfOr
++/4yuMRrvS3bNzqWt6xJ9MSAC4ZlN/VobRLnxL/QNymoiGYUKCT3Ww8nvPpPzR9OE
++sE68TUL9tJw/zZJcRMKwgvrGqSLimfq53MxxkE+kLdOc0v9C8YH8Re26mB5ZcWYa
++7YFyZQpKsQYnsmu/05cMbpOQrQWhtmIqRoyn8mG/par2s3NzjtpSE9NINyz26uFc
++k/3ovFJQIHkUmTS7KHD3BgY5vuCqP98HramYnOysJ0WoYgvSDNCWw3037s5CCwJT
++gCKuM+Ow6liFrj83RrdKBpm5QUGjfNpYP31o+QNP4QKBgQDSrUQ2XdgtAnibAV7u
++7kbxOxro0EhIKso0Y/6LbDQgcXgxLqltkmeqZgG8nC3Z793lhlSasz2snhzzooV5
++5fTy1y8ikXqjhG0nNkInFyOhsI0auE28CFoDowaQd+5cmCatpN4Grqo5PNRXxm1w
++HktfPEgoP11NNCFHvvN5fEKbbQKBgQDwVlOaV20IvW3IPq7cXZyiyabouFF9eTRo
++VJka1Uv+JtyvL2P0NKkjYHOdN8gRblWqxQtJoTNk020rVA4UP1heiXALy50gvj/p
++hMcybPTLYSPOhAGx838KIcvGR5oskP1aUCmFbFQzGELxhJ9diVVjxUtbG2DuwPKd
++tD9TLxT2OQKBgQCcdlHSjp+dzdgERmBa0ludjGfPv9/uuNizUBAbO6D690psPFtY
++JQMYaemgSd1DngEOFVWADt4e9M5Lose+YCoqr+UxpxmNlyv5kzJOFcFAs/4XeglB
++PHKdgNW/NVKxMc6H54l9LPr+x05sYdGlEtqnP/3W5jhEvhJ5Vjc8YiyVgQKBgQCl
++zwjyrGo+42GACy7cPYE5FeIfIDqoVByB9guC5bD98JXEDu/opQQjsgFRcBCJZhOY
++M0UsURiB8ROaFu13rpQq9KrmmF0ZH+g8FSzQbzcbsTLg4VXCDXmR5esOKowFPypr
++Sm667BfTAGP++D5ya7MLmCv6+RKQ5XD8uEQQAaV2kQKBgAD8qeJuWIXZT0VKkQrn
++nIhgtzGERF/6sZdQGW2LxTbUDWG74AfFkkEbeBfwEkCZXY/xmnYqYABhvlSex8jU
++supU6Eea21esIxIub2zv/Np0ojUb6rlqTPS4Ox1E27D787EJ3VOXpriSD10vyNnZ
++jel6uj2FOP9g54s+GzlSVg/T
+ -----END RSA TESTING KEY-----`))
+
+ func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
+--
+2.40.0

meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch

@@ -0,0 +1,40 @@
+From 999d4e74d34afa233ad8ad0c70b989d77a21957f Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 23 Aug 2023 20:00:07 +0200
+Subject: [PATCH] gh-107811: tarfile: treat overflow in UID/GID as failure to
+ set it (#108369)
+
+Upstream-Status: Backport [https://github.com/python/cpython/pull/108369]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Lib/tarfile.py                                                 | 3 ++-
+ .../Library/2023-08-23-17-34-39.gh-issue-107811.3Fng72.rst     | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2023-08-23-17-34-39.gh-issue-107811.3Fng72.rst
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3bbbcaa..473167d 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2557,7 +2557,8 @@ class TarFile(object):
+                     os.lchown(targetpath, u, g)
+                 else:
+                     os.chown(targetpath, u, g)
+-            except OSError as e:
++            except (OSError, OverflowError) as e:
++                # OverflowError can be raised if an ID doesn't fit in `id_t`
+                 raise ExtractError("could not change owner") from e
+ 
+     def chmod(self, tarinfo, targetpath):
+diff --git a/Misc/NEWS.d/next/Library/2023-08-23-17-34-39.gh-issue-107811.3Fng72.rst b/Misc/NEWS.d/next/Library/2023-08-23-17-34-39.gh-issue-107811.3Fng72.rst
+new file mode 100644
+index 0000000..ffca413
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2023-08-23-17-34-39.gh-issue-107811.3Fng72.rst
+@@ -0,0 +1,3 @@
++:mod:`tarfile`: extraction of members with overly large UID or GID (e.g. on
++an OS with 32-bit :c:type:`!id_t`) now fails in the same way as failing to
++set the ID.
+-- 
+2.45.0
+

meta/recipes-devtools/python/python3_3.10.16.bb

@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
            file://0001-test_storlines-skip-due-to-load-variability.patch \
+           file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
            "
 
 SRC_URI:append:class-native = " \

meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch

@@ -1,4 +1,4 @@
-From 785c0072c80c2f6e0839478453cf65fdeac15da0 Mon Sep 17 00:00:00 2001
+From 651425fced0691d9063fe417388ba6ca1c38c40b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 29 Aug 2022 19:53:28 -0700
 Subject: [PATCH] Add missing prototypes to function declarations
@@ -15,6 +15,7 @@ Fixes errors like
 
 Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032858.html]
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
 ---
  checksum.c       | 2 +-
  exclude.c        | 2 +-
@@ -29,23 +30,23 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  10 files changed, 12 insertions(+), 13 deletions(-)
 
 diff --git a/checksum.c b/checksum.c
-index fb8c0a0..174c28c 100644
+index 60de365..67a9e16 100644
 --- a/checksum.c
 +++ b/checksum.c
-@@ -629,7 +629,7 @@ int sum_end(char *sum)
- 	return csum_len_for_type(cursum_type, 0);
+@@ -778,7 +778,7 @@ static void verify_digest(struct name_num_item *nni, BOOL check_auth_list)
  }
+ #endif
  
 -void init_checksum_choices()
 +void init_checksum_choices(void)
  {
- #ifdef SUPPORT_XXH3
- 	char buf[32816];
+ #if defined SUPPORT_XXH3 || defined USE_OPENSSL
+ 	struct name_num_item *nni;
 diff --git a/exclude.c b/exclude.c
-index adc82e2..79f5a82 100644
+index ffe55b1..a85ea76 100644
 --- a/exclude.c
 +++ b/exclude.c
-@@ -358,7 +358,7 @@ void implied_include_partial_string(const char *s_start, const char *s_end)
+@@ -363,7 +363,7 @@ void implied_include_partial_string(const char *s_start, const char *s_end)
  	memcpy(partial_string_buf, s_start, partial_string_len);
  }
  
@@ -53,9 +54,9 @@ index adc82e2..79f5a82 100644
 +void free_implied_include_partial_string(void)
  {
  	if (partial_string_buf) {
- 		free(partial_string_buf);
+ 		if (partial_string_len)
 diff --git a/hlink.c b/hlink.c
-index 66810a3..6511dfb 100644
+index 20291f2..5c26a6b 100644
 --- a/hlink.c
 +++ b/hlink.c
 @@ -117,8 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count)
@@ -82,7 +83,7 @@ index a1a7245..4eae062 100644
  
  	/* statistical data */
 diff --git a/log.c b/log.c
-index 44344e2..991e359 100644
+index e4ba1cc..8482b71 100644
 --- a/log.c
 +++ b/log.c
 @@ -131,7 +131,7 @@ static void logit(int priority, const char *buf)
@@ -95,7 +96,7 @@ index 44344e2..991e359 100644
  	int options = LOG_PID;
  
 diff --git a/main.c b/main.c
-index 9ebfbea..affa244 100644
+index d2a7b9b..c50af45 100644
 --- a/main.c
 +++ b/main.c
 @@ -244,7 +244,7 @@ void read_del_stats(int f)
@@ -168,6 +169,3 @@ index bbba7b2..61f8dc9 100644
  {
      uLong flags;
  
--- 
-2.37.2
-

meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch

@@ -1,68 +0,0 @@
-From e64a58387db46239902b610871a0eb81626e99ff Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Thu, 18 Aug 2022 07:46:28 -0700
-Subject: [PATCH] Turn on -pedantic-errors at the end of 'configure'
-
-Problem reported by Khem Raj in:
-https://lists.gnu.org/r/autoconf-patches/2022-08/msg00009.html
-Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032862.html]
----
- configure.ac | 35 ++++++++++++++++++++---------------
- 1 file changed, 20 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d185b2d3..7e9514f7 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then
-     with_included_popt=yes
- fi
- 
--if test x"$GCC" = x"yes"; then
--    if test x"$with_included_popt" != x"yes"; then
--	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
--	CFLAGS="$CFLAGS -pedantic-errors"
--    else
--	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
--	# turn off pedantic warnings (which will not lose the error for array-init overflow).
--	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
--	# -Wpedantic and use that as a flag.
--	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
--	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
--	esac
--    fi
--fi
--
- AC_MSG_CHECKING([whether to use included libpopt])
- if test x"$with_included_popt" = x"yes"; then
-     AC_MSG_RESULT($srcdir/popt)
-@@ -1444,6 +1429,26 @@ case "$CC" in
-     ;;
- esac
- 
-+# Enable -pedantic-errors last, so that it doesn't mess up other
-+# 'configure' tests.  For example, Autoconf uses empty function
-+# prototypes like 'int main () {}' which Clang 15's -pedantic-errors
-+# would reject.  Generally it's not a good idea to try to run
-+# 'configure' itself with strict compiler checking.
-+if test x"$GCC" = x"yes"; then
-+    if test x"$with_included_popt" != x"yes"; then
-+	# Turn pedantic warnings into errors to ensure an array-init overflow is an error.
-+	CFLAGS="$CFLAGS -pedantic-errors"
-+    else
-+	# Our internal popt code cannot be compiled with pedantic warnings as errors, so try to
-+	# turn off pedantic warnings (which will not lose the error for array-init overflow).
-+	# Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists
-+	# -Wpedantic and use that as a flag.
-+	case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in
-+	    *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;;
-+	esac
-+    fi
-+fi
-+
- AC_CONFIG_FILES([Makefile lib/dummy zlib/dummy popt/dummy shconfig])
- AC_OUTPUT
- 
--- 
-2.37.1
-

meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch

@@ -0,0 +1,156 @@
+From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Tue, 29 Oct 2024 22:55:29 -0700
+Subject: [PATCH] Some checksum buffer fixes.
+
+- Put sum2_array into sum_struct to hold an array of sum2 checksums
+  that are each xfer_sum_len bytes.
+- Remove sum2 buf from sum_buf.
+- Add macro sum2_at() to access each sum2 array element.
+- Throw an error if a sums header has an s2length larger than
+  xfer_sum_len.
+
+CVE: CVE-2024-12084
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=0902b52f6687b1f7952422080d50b93108742e53]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ io.c     | 3 ++-
+ match.c  | 8 ++++----
+ rsync.c  | 5 ++++-
+ rsync.h  | 4 +++-
+ sender.c | 4 +++-
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/io.c b/io.c
+index a99ac0ec..bb60eeca 100644
+--- a/io.c
++++ b/io.c
+@@ -55,6 +55,7 @@ extern int read_batch;
+ extern int compat_flags;
+ extern int protect_args;
+ extern int checksum_seed;
++extern int xfer_sum_len;
+ extern int daemon_connection;
+ extern int protocol_version;
+ extern int remove_source_files;
+@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum)
+		exit_cleanup(RERR_PROTOCOL);
+	}
+	sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f);
+-	if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) {
++	if (sum->s2length < 0 || sum->s2length > xfer_sum_len) {
+		rprintf(FERROR, "Invalid checksum length %d [%s]\n",
+			sum->s2length, who_am_i());
+		exit_cleanup(RERR_PROTOCOL);
+diff --git a/match.c b/match.c
+index cdb30a15..36e78ed2 100644
+--- a/match.c
++++ b/match.c
+@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s,
+				done_csum2 = 1;
+			}
+
+-			if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {
++			if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) {
+				false_alarms++;
+				continue;
+			}
+@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s,
+					if (i != aligned_i) {
+						if (sum != s->sums[aligned_i].sum1
+						 || l != s->sums[aligned_i].len
+-						 || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)
++						 || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0)
+							goto check_want_i;
+						i = aligned_i;
+					}
+@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s,
+						if (sum != s->sums[i].sum1)
+							goto check_want_i;
+						get_checksum2((char *)map, l, sum2);
+-						if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)
++						if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0)
+							goto check_want_i;
+						/* OK, we have a re-alignment match.  Bump the offset
+						 * forward to the new match point. */
+@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s,
+			 && (!updating_basis_file || s->sums[want_i].offset >= offset
+			  || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)
+			 && sum == s->sums[want_i].sum1
+-			 && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {
++			 && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) {
+				/* we've found an adjacent match - the RLL coder
+				 * will be happy */
+				i = want_i;
+diff --git a/rsync.c b/rsync.c
+index cd288f57..b130aba5 100644
+--- a/rsync.c
++++ b/rsync.c
+@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha
+   */
+ void free_sums(struct sum_struct *s)
+ {
+-	if (s->sums) free(s->sums);
++	if (s->sums) {
++		free(s->sums);
++		free(s->sum2_array);
++	}
+	free(s);
+ }
+
+diff --git a/rsync.h b/rsync.h
+index d3709fe0..8ddbe702 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -958,12 +958,12 @@ struct sum_buf {
+	uint32 sum1;	        /**< simple checksum */
+	int32 chain;		/**< next hash-table collision */
+	short flags;		/**< flag bits */
+-	char sum2[SUM_LENGTH];	/**< checksum  */
+ };
+
+ struct sum_struct {
+	OFF_T flength;		/**< total file length */
+	struct sum_buf *sums;	/**< points to info for each chunk */
++	char *sum2_array;	/**< checksums of length xfer_sum_len */
+	int32 count;		/**< how many chunks */
+	int32 blength;		/**< block_length */
+	int32 remainder;	/**< flength % block_length */
+@@ -982,6 +982,8 @@ struct map_struct {
+	int status;		/* first errno from read errors		*/
+ };
+
++#define sum2_at(s, i)	((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
++
+ #define NAME_IS_FILE		(0)    /* filter name as a file */
+ #define NAME_IS_DIR		(1<<0) /* filter name as a dir */
+ #define NAME_IS_XATTR		(1<<2) /* filter name as an xattr */
+diff --git a/sender.c b/sender.c
+index 3d4f052e..ab205341 100644
+--- a/sender.c
++++ b/sender.c
+@@ -31,6 +31,7 @@ extern int log_before_transfer;
+ extern int stdout_format_has_i;
+ extern int logfile_format_has_i;
+ extern int want_xattr_optim;
++extern int xfer_sum_len;
+ extern int csum_length;
+ extern int append_mode;
+ extern int copy_links;
+@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f)
+		return(s);
+
+	s->sums = new_array(struct sum_buf, s->count);
++	s->sum2_array = new_array(char, s->count * xfer_sum_len);
+
+	for (i = 0; i < s->count; i++) {
+		s->sums[i].sum1 = read_int(f);
+-		read_buf(f, s->sums[i].sum2, s->s2length);
++		read_buf(f, sum2_at(s, i), s->s2length);
+
+		s->sums[i].offset = offset;
+		s->sums[i].flags = 0;
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch

@@ -0,0 +1,43 @@
+From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Tue, 5 Nov 2024 11:01:03 -0800
+Subject: [PATCH] Another cast when multiplying integers.
+
+CVE: CVE-2024-12084
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ rsync.h  | 2 +-
+ sender.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rsync.h b/rsync.h
+index 8ddbe702..0f9e277f 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -982,7 +982,7 @@ struct map_struct {
+	int status;		/* first errno from read errors		*/
+ };
+
+-#define sum2_at(s, i)	((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
++#define sum2_at(s, i)	((s)->sum2_array + ((size_t)(i) * xfer_sum_len))
+
+ #define NAME_IS_FILE		(0)    /* filter name as a file */
+ #define NAME_IS_DIR		(1<<0) /* filter name as a dir */
+diff --git a/sender.c b/sender.c
+index ab205341..2bbff2fa 100644
+--- a/sender.c
++++ b/sender.c
+@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f)
+		return(s);
+
+	s->sums = new_array(struct sum_buf, s->count);
+-	s->sum2_array = new_array(char, s->count * xfer_sum_len);
++	s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len);
+
+	for (i = 0; i < s->count; i++) {
+		s->sums[i].sum1 = read_int(f);
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12085.patch

@@ -0,0 +1,32 @@
+From 589b0691e59f761ccb05ddb8e1124991440db2c7 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Thu, 14 Nov 2024 09:57:08 +1100
+Subject: [PATCH] prevent information leak off the stack
+
+prevent leak of uninitialised stack data in hash_search
+
+CVE: CVE-2024-12085
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=589b0691e59f761ccb05ddb8e1124991440db2c7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ match.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/match.c b/match.c
+index 36e78ed2..dfd6af2c 100644
+--- a/match.c
++++ b/match.c
+@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s,
+	int more;
+	schar *map;
+
++	// prevent possible memory leaks
++	memset(sum2, 0, sizeof sum2);
++
+	/* want_i is used to encourage adjacent matches, allowing the RLL
+	 * coding of the output to work more efficiently. */
+	want_i = 0;
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch

@@ -0,0 +1,42 @@
+From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 11:08:03 +1100
+Subject: [PATCH] refuse fuzzy options when fuzzy not selected
+
+this prevents a malicious server providing a file to compare to when
+the user has not given the fuzzy option
+
+CVE: CVE-2024-12086
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/receiver.c b/receiver.c
+index 6b4b369e..2d7f6033 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern filter_rule_list daemon_filter_list;
+ extern OFF_T preallocated_len;
++extern int fuzzy_basis;
+
+ extern struct name_num_item *xfer_sum_nni;
+ extern int xfer_sum_len;
+@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
+				fnamecmp = get_backup_name(fname);
+				break;
+			case FNAMECMP_FUZZY:
++				if (fuzzy_basis == 0) {
++					rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
++					exit_cleanup(RERR_PROTOCOL);
++				}
+				if (file->dirname) {
+					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+					fnamecmp = fnamecmpbuf;
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch

@@ -0,0 +1,108 @@
+From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 12:26:10 +1100
+Subject: [PATCH] added secure_relative_open()
+
+this is an open that enforces no symlink following for all path
+components in a relative path
+
+CVE: CVE-2024-12086
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+
+diff --git a/syscall.c b/syscall.c
+index b4b0f1f1..cffc814b 100644
+--- a/syscall.c
++++ b/syscall.c
+@@ -33,6 +33,8 @@
+ #include <sys/syscall.h>
+ #endif
+
++#include "ifuncs.h"
++
+ extern int dry_run;
+ extern int am_root;
+ extern int am_sender;
+@@ -707,3 +709,75 @@ int do_open_nofollow(const char *pathname, int flags)
+
+	return fd;
+ }
++
++/*
++  open a file relative to a base directory. The basedir can be NULL,
++  in which case the current working directory is used. The relpath
++  must be a relative path, and the relpath must not contain any
++  elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
++  applies to all path components, not just the last component)
++*/
++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
++{
++	if (!relpath || relpath[0] == '/') {
++		// must be a relative path
++		errno = EINVAL;
++		return -1;
++	}
++
++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
++	// really old system, all we can do is live with the risks
++	if (!basedir) {
++		return open(relpath, flags, mode);
++	}
++	char fullpath[MAXPATHLEN];
++	pathjoin(fullpath, sizeof fullpath, basedir, relpath);
++	return open(fullpath, flags, mode);
++#else
++	int dirfd = AT_FDCWD;
++	if (basedir != NULL) {
++		dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
++		if (dirfd == -1) {
++			return -1;
++		}
++	}
++	int retfd = -1;
++
++	char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
++	if (!path_copy) {
++		return -1;
++	}
++
++	for (const char *part = strtok(path_copy, "/");
++	     part != NULL;
++	     part = strtok(NULL, "/"))
++	{
++		int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
++		if (next_fd == -1 && errno == ENOTDIR) {
++			if (strtok(NULL, "/") != NULL) {
++				// this is not the last component of the path
++				errno = ELOOP;
++				goto cleanup;
++			}
++			// this could be the last component of the path, try as a file
++			retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
++			goto cleanup;
++		}
++		if (next_fd == -1) {
++			goto cleanup;
++		}
++		if (dirfd != AT_FDCWD) close(dirfd);
++		dirfd = next_fd;
++	}
++
++	// the path must be a directory
++	errno = EINVAL;
++
++cleanup:
++	free(path_copy);
++	if (dirfd != AT_FDCWD) {
++		close(dirfd);
++	}
++	return retfd;
++#endif // O_NOFOLLOW, O_DIRECTORY
++}
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch

@@ -0,0 +1,108 @@
+From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 12:28:13 +1100
+Subject: [PATCH] receiver: use secure_relative_open() for basis file
+
+this prevents attacks where the basis file is manipulated by a
+malicious sender to gain information about files outside the
+destination tree
+
+CVE: CVE-2024-12086
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/receiver.c b/receiver.c
+index 2d7f6033..8031b8f4 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
+	progress_init();
+
+	while (1) {
++		const char *basedir = NULL;
++
+		cleanup_disable();
+
+		/* This call also sets cur_flist. */
+@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
+					exit_cleanup(RERR_PROTOCOL);
+				}
+				if (file->dirname) {
+-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+-					fnamecmp = fnamecmpbuf;
+-				} else
+-					fnamecmp = xname;
++					basedir = file->dirname;
++				}
++				fnamecmp = xname;
+				break;
+			default:
+				if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
+					fnamecmp_type -= FNAMECMP_FUZZY + 1;
+					if (file->dirname) {
+-						stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-							   basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
+-					} else
+-						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
++						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
++						basedir = fnamecmpbuf;
++					} else {
++						basedir = basis_dir[fnamecmp_type];
++					}
++					fnamecmp = xname;
+				} else if (fnamecmp_type >= basis_dir_cnt) {
+					rprintf(FERROR,
+						"invalid basis_dir index: %d.\n",
+						fnamecmp_type);
+					exit_cleanup(RERR_PROTOCOL);
+-				} else
+-					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
+-				fnamecmp = fnamecmpbuf;
++				} else {
++					basedir = basis_dir[fnamecmp_type];
++					fnamecmp = fname;
++				}
+				break;
+			}
+			if (!fnamecmp || (daemon_filter_list.head
+@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+		}
+
+		/* open the file */
+-		fd1 = do_open(fnamecmp, O_RDONLY, 0);
++		fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+
+		if (fd1 == -1 && protocol_version < 29) {
+			if (fnamecmp != fname) {
+@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
+
+			if (fd1 == -1 && basis_dir[0]) {
+				/* pre-29 allowed only one alternate basis */
+-				pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-					 basis_dir[0], fname);
+-				fnamecmp = fnamecmpbuf;
++				basedir = basis_dir[0];
++				fnamecmp = fname;
+				fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
+-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
++				fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+			}
+		}
+
++		if (basedir) {
++			// for the following code we need the full
++			// path name as a single string
++			pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
++			fnamecmp = fnamecmpbuf;
++		}
++
+		one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
+		updating_basis_or_equiv = one_inplace
+		    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch

@@ -0,0 +1,41 @@
+From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Tue, 26 Nov 2024 09:16:31 +1100
+Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open
+
+CVE: CVE-2024-12086
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ syscall.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/syscall.c b/syscall.c
+index cffc814b..081357bb 100644
+--- a/syscall.c
++++ b/syscall.c
+@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
+   must be a relative path, and the relpath must not contain any
+   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
+   applies to all path components, not just the last component)
++
++  The relpath must also not contain any ../ elements in the path
+ */
+ int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+ {
+@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
+		errno = EINVAL;
+		return -1;
+	}
++	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
++		// no ../ elements allowed in the relpath
++		errno = EINVAL;
++		return -1;
++	}
+
+ #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
+	// really old system, all we can do is live with the risks
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch

@@ -0,0 +1,49 @@
+From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Thu, 14 Nov 2024 15:46:50 -0800
+Subject: [PATCH] Refuse a duplicate dirlist.
+
+CVE: CVE-2024-12087
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=688f5c379a433038bde36897a156d589be373a98]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ flist.c | 9 +++++++++
+ rsync.h | 1 +
+ 2 files changed, 10 insertions(+)
+
+diff --git a/flist.c b/flist.c
+index 464d556e..847b1054 100644
+--- a/flist.c
++++ b/flist.c
+@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
+		init_hard_links();
+ #endif
+
++	if (inc_recurse && dir_ndx >= 0) {
++		struct file_struct *file = dir_flist->files[dir_ndx];
++		if (file->flags & FLAG_GOT_DIR_FLIST) {
++			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
++			exit_cleanup(RERR_PROTOCOL);
++		}
++		file->flags |= FLAG_GOT_DIR_FLIST;
++	}
++
+	flist = flist_new(0, "recv_file_list");
+	flist_expand(flist, FLIST_START_LARGE);
+
+diff --git a/rsync.h b/rsync.h
+index 0f9e277f..b9a7101a 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,6 +84,7 @@
+ #define FLAG_DUPLICATE (1<<4)	/* sender */
+ #define FLAG_MISSING_DIR (1<<4)	/* generator */
+ #define FLAG_HLINKED (1<<5)	/* receiver/generator (checked on all types) */
++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6)	/* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6)	/* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7)	/* receiver/generator */
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch

@@ -0,0 +1,31 @@
+From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Tue, 26 Nov 2024 16:12:45 +1100
+Subject: [PATCH] range check dir_ndx before use
+
+CVE: CVE-2024-12087
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ flist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/flist.c b/flist.c
+index 847b1054..087f9da6 100644
+--- a/flist.c
++++ b/flist.c
+@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx)
+ #endif
+
+	if (inc_recurse && dir_ndx >= 0) {
++		if (dir_ndx >= dir_flist->used) {
++			rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
++			exit_cleanup(RERR_PROTOCOL);
++		}
+		struct file_struct *file = dir_flist->files[dir_ndx];
+		if (file->flags & FLAG_GOT_DIR_FLIST) {
+			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch

@@ -0,0 +1,40 @@
+From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 15 Jan 2025 15:10:24 +0100
+Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+
+fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
+
+Fixes: https://github.com/RsyncProject/rsync/issues/702
+Fixes: https://github.com/RsyncProject/rsync/issues/697
+CVE: CVE-2024-12087
+
+Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/996af4a79f9afe4d7158ecdd87c78cee382c6b39]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync.h b/rsync.h
+index 9be1297b..479ac484 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,7 +84,6 @@
+ #define FLAG_DUPLICATE (1<<4)	/* sender */
+ #define FLAG_MISSING_DIR (1<<4)	/* generator */
+ #define FLAG_HLINKED (1<<5)	/* receiver/generator (checked on all types) */
+-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6)	/* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6)	/* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7)	/* receiver/generator */
+@@ -93,6 +92,7 @@
+ #define FLAG_SKIP_GROUP (1<<10)	/* receiver/generator */
+ #define FLAG_TIME_FAILED (1<<11)/* generator */
+ #define FLAG_MOD_NSEC (1<<12)	/* sender/receiver/generator */
++#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
+
+ /* These flags are passed to functions but not stored. */
+
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12088.patch

@@ -0,0 +1,141 @@
+From 407c71c7ce562137230e8ba19149c81ccc47c387 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 15:15:53 +1100
+Subject: [PATCH] make --safe-links stricter
+
+when --safe-links is used also reject links where a '../' component is
+included in the destination as other than the leading part of the
+filename
+
+CVE: CVE-2024-12088
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=407c71c7ce562137230e8ba19149c81ccc47c387]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ testsuite/safe-links.test    | 55 ++++++++++++++++++++++++++++++++++++
+ testsuite/unsafe-byname.test |  2 +-
+ util1.c                      | 26 ++++++++++++++++-
+ 3 files changed, 81 insertions(+), 2 deletions(-)
+ create mode 100644 testsuite/safe-links.test
+
+diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test
+new file mode 100644
+index 00000000..6e95a4b9
+--- /dev/null
++++ b/testsuite/safe-links.test
+@@ -0,0 +1,55 @@
++#!/bin/sh
++
++. "$suitedir/rsync.fns"
++
++test_symlink() {
++	is_a_link "$1" || test_fail "File $1 is not a symlink"
++}
++
++test_regular() {
++	if [ ! -f "$1" ]; then
++		test_fail "File $1 is not regular file or not exists"
++	fi
++}
++
++test_notexist() {
++        if [ -e "$1" ]; then
++                test_fail "File $1 exists"
++	fi
++        if [ -h "$1" ]; then
++                test_fail "File $1 exists as a symlink"
++	fi
++}
++
++cd "$tmpdir"
++
++mkdir from
++
++mkdir "from/safe"
++mkdir "from/unsafe"
++
++mkdir "from/safe/files"
++mkdir "from/safe/links"
++
++touch "from/safe/files/file1"
++touch "from/safe/files/file2"
++touch "from/unsafe/unsafefile"
++
++ln -s ../files/file1 "from/safe/links/"
++ln -s ../files/file2 "from/safe/links/"
++ln -s ../../unsafe/unsafefile "from/safe/links/"
++ln -s a/a/a/../../../unsafe2 "from/safe/links/"
++
++#echo "LISTING FROM"
++#ls -lR from
++
++echo "rsync with relative path and just -a"
++$RSYNC -avv --safe-links from/safe/ to
++
++#echo "LISTING TO"
++#ls -lR to
++
++test_symlink to/links/file1
++test_symlink to/links/file2
++test_notexist to/links/unsafefile
++test_notexist to/links/unsafe2
+diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test
+index 75e72014..d2e318ef 100644
+--- a/testsuite/unsafe-byname.test
++++ b/testsuite/unsafe-byname.test
+@@ -40,7 +40,7 @@ test_unsafe ..//../dest 		from/dir			unsafe
+ test_unsafe ..				from/file			safe
+ test_unsafe ../..			from/file			unsafe
+ test_unsafe ..//..			from//file			unsafe
+-test_unsafe dir/..			from				safe
++test_unsafe dir/..			from				unsafe
+ test_unsafe dir/../..			from				unsafe
+ test_unsafe dir/..//..			from				unsafe
+
+diff --git a/util1.c b/util1.c
+index da50ff1e..f260d398 100644
+--- a/util1.c
++++ b/util1.c
+@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create)
+  *
+  * "src" is the top source directory currently applicable at the level
+  * of the referenced symlink.  This is usually the symlink's full path
+- * (including its name), as referenced from the root of the transfer. */
++ * (including its name), as referenced from the root of the transfer.
++ *
++ * NOTE: this also rejects dest names with a .. component in other
++ * than the first component of the name ie. it rejects names such as
++ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or
++ * 'b' could later be replaced with symlinks such as a link to '.'
++ * resulting in the link being transferred now becoming unsafe
++ */
+ int unsafe_symlink(const char *dest, const char *src)
+ {
+	const char *name, *slash;
+@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src)
+	if (!dest || !*dest || *dest == '/')
+		return 1;
+
++	// reject destinations with /../ in the name other than at the start of the name
++	const char *dest2 = dest;
++	while (strncmp(dest2, "../", 3) == 0) {
++	    dest2 += 3;
++	    while (*dest2 == '/') {
++		// allow for ..//..///../foo
++		dest2++;
++	    }
++	}
++	if (strstr(dest2, "/../"))
++	    return 1;
++
++	// reject if the destination ends in /..
++	const size_t dlen = strlen(dest);
++	if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0)
++	    return 1;
++
+	/* find out what our safety margin is */
+	for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
+		/* ".." segment starts the count over.  "." segment is ignored. */
+--
+2.40.0

meta/recipes-devtools/rsync/files/CVE-2024-12747.patch

@@ -0,0 +1,192 @@
+From 0590b09d9a34ae72741b91ec0708a820650198b0 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Wed, 18 Dec 2024 08:59:42 +1100
+Subject: [PATCH] fixed symlink race condition in sender
+
+when we open a file that we don't expect to be a symlink use
+O_NOFOLLOW to prevent a race condition where an attacker could change
+a file between being a normal file and a symlink
+
+CVE: CVE-2024-12747
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=0590b09d9a34ae72741b91ec0708a820650198b0]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ checksum.c  |  2 +-
+ flist.c     |  2 +-
+ generator.c |  4 ++--
+ receiver.c  |  2 +-
+ sender.c    |  2 +-
+ syscall.c   | 20 ++++++++++++++++++++
+ t_unsafe.c  |  3 +++
+ tls.c       |  3 +++
+ trimslash.c |  2 ++
+ util1.c     |  2 +-
+ 10 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/checksum.c b/checksum.c
+index cb21882c..66e80896 100644
+--- a/checksum.c
++++ b/checksum.c
+@@ -406,7 +406,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
+	int32 remainder;
+	int fd;
+
+-	fd = do_open(fname, O_RDONLY, 0);
++	fd = do_open_checklinks(fname);
+	if (fd == -1) {
+		memset(sum, 0, file_sum_len);
+		return;
+diff --git a/flist.c b/flist.c
+index 087f9da6..17832533 100644
+--- a/flist.c
++++ b/flist.c
+@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist,
+
+	if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) {
+		if (st.st_size == 0) {
+-			int fd = do_open(fname, O_RDONLY, 0);
++			int fd = do_open_checklinks(fname);
+			if (fd >= 0) {
+				st.st_size = get_device_size(fd, fname);
+				close(fd);
+diff --git a/generator.c b/generator.c
+index 110db28f..3f13bb95 100644
+--- a/generator.c
++++ b/generator.c
+@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
+
+	if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) {
+		/* This early open into fd skips the regular open below. */
+-		if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0)
++		if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0)
+			real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp);
+	}
+
+@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
+	}
+
+	/* open the file */
+-	if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) {
++	if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) {
+		rsyserr(FERROR, errno, "failed to open %s, continuing",
+			full_fname(fnamecmp));
+	  pretend_missing:
+diff --git a/receiver.c b/receiver.c
+index 8031b8f4..edfbb210 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+			if (fnamecmp != fname) {
+				fnamecmp = fname;
+				fnamecmp_type = FNAMECMP_FNAME;
+-				fd1 = do_open(fnamecmp, O_RDONLY, 0);
++				fd1 = do_open_nofollow(fnamecmp, O_RDONLY);
+			}
+
+			if (fd1 == -1 && basis_dir[0]) {
+diff --git a/sender.c b/sender.c
+index 2bbff2fa..a4d46c39 100644
+--- a/sender.c
++++ b/sender.c
+@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out)
+			exit_cleanup(RERR_PROTOCOL);
+		}
+
+-		fd = do_open(fname, O_RDONLY, 0);
++		fd = do_open_checklinks(fname);
+		if (fd == -1) {
+			if (errno == ENOENT) {
+				enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING;
+diff --git a/syscall.c b/syscall.c
+index 081357bb..8cea2900 100644
+--- a/syscall.c
++++ b/syscall.c
+@@ -45,6 +45,8 @@ extern int preallocate_files;
+ extern int preserve_perms;
+ extern int preserve_executability;
+ extern int open_noatime;
++extern int copy_links;
++extern int copy_unsafe_links;
+
+ #ifndef S_BLKSIZE
+ # if defined hpux || defined __hpux__ || defined __hpux
+@@ -788,3 +790,21 @@ cleanup:
+	return retfd;
+ #endif // O_NOFOLLOW, O_DIRECTORY
+ }
++
++/*
++  varient of do_open/do_open_nofollow which does do_open() if the
++  copy_links or copy_unsafe_links options are set and does
++  do_open_nofollow() otherwise
++
++  This is used to prevent a race condition where an attacker could be
++  switching a file between being a symlink and being a normal file
++
++  The open is always done with O_RDONLY flags
++ */
++int do_open_checklinks(const char *pathname)
++{
++	if (copy_links || copy_unsafe_links) {
++		return do_open(pathname, O_RDONLY, 0);
++	}
++	return do_open_nofollow(pathname, O_RDONLY);
++}
+diff --git a/t_unsafe.c b/t_unsafe.c
+index 010cac50..e10619a2 100644
+--- a/t_unsafe.c
++++ b/t_unsafe.c
+@@ -28,6 +28,9 @@ int am_root = 0;
+ int am_sender = 1;
+ int read_only = 0;
+ int list_only = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
++
+ short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
+
+ int
+diff --git a/tls.c b/tls.c
+index e6b0708a..858f8f10 100644
+--- a/tls.c
++++ b/tls.c
+@@ -49,6 +49,9 @@ int list_only = 0;
+ int link_times = 0;
+ int link_owner = 0;
+ int nsec_times = 0;
++int safe_symlinks = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
+
+ #ifdef SUPPORT_XATTRS
+
+diff --git a/trimslash.c b/trimslash.c
+index 1ec928ca..f2774cd7 100644
+--- a/trimslash.c
++++ b/trimslash.c
+@@ -26,6 +26,8 @@ int am_root = 0;
+ int am_sender = 1;
+ int read_only = 1;
+ int list_only = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
+
+ int
+ main(int argc, char **argv)
+diff --git a/util1.c b/util1.c
+index f260d398..d84bc414 100644
+--- a/util1.c
++++ b/util1.c
+@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode)
+	int len;   /* Number of bytes read into `buf'. */
+	OFF_T prealloc_len = 0, offset = 0;
+
+-	if ((ifd = do_open(source, O_RDONLY, 0)) < 0) {
++	if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) {
+		int save_errno = errno;
+		rsyserr(FERROR_XFER, errno, "open %s", full_fname(source));
+		errno = save_errno;
+--
+2.40.0

meta/recipes-devtools/rsync/rsync_3.2.7.bb

@@ -15,10 +15,21 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            file://makefile-no-rebuild.patch \
            file://determism.patch \
            file://0001-Add-missing-prototypes-to-function-declarations.patch \
-           file://0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch \
+           file://CVE-2024-12084-0001.patch \
+           file://CVE-2024-12084-0002.patch \
+           file://CVE-2024-12085.patch \
+           file://CVE-2024-12086-0001.patch \
+           file://CVE-2024-12086-0002.patch \
+           file://CVE-2024-12086-0003.patch \
+           file://CVE-2024-12086-0004.patch \
+           file://CVE-2024-12087-0001.patch \
+           file://CVE-2024-12087-0002.patch \
+           file://CVE-2024-12087-0003.patch \
+           file://CVE-2024-12088.patch \
+           file://CVE-2024-12747.patch \
            "
 
-SRC_URI[sha256sum] = "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba"
+SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
 # -16548 required for v3.1.3pre1. Already in v3.1.3.
 CVE_CHECK_IGNORE += " CVE-2017-16548 "

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch

@@ -0,0 +1,391 @@
+From 810d2285235d5501a0a124f300832e6e9515da3c Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 17 Jan 2024 15:32:57 +0900
+Subject: [PATCH] Use string scanner with baseparser (#105)
+
+Using StringScanner reduces the string copying process and speeds up the
+process.
+
+And I removed unnecessary methods.
+
+https://github.com/ruby/rexml/actions/runs/7549990000/job/20554906140?pr=105
+
+```
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-linux]
+Calculating -------------------------------------
+                     rexml 3.2.6      master  3.2.6(YJIT)  master(YJIT)
+                 dom       4.868       5.077        8.137         8.303 i/s -     100.000 times in 20.540529s 19.696590s 12.288900s 12.043666s
+                 sax      13.597      13.953       19.206        20.948 i/s -     100.000 times in 7.354343s 7.167142s 5.206745s 4.773765s
+                pull      15.641      16.918       22.266        25.378 i/s -     100.000 times in 6.393424s 5.910955s 4.491201s 3.940471s
+              stream      14.339      15.844       19.810        22.206 i/s -     100.000 times in 6.973856s 6.311350s 5.047957s 4.503244s
+
+Comparison:
+                              dom
+        master(YJIT):         8.3 i/s
+         3.2.6(YJIT):         8.1 i/s - 1.02x  slower
+              master:         5.1 i/s - 1.64x  slower
+         rexml 3.2.6:         4.9 i/s - 1.71x  slower
+
+                              sax
+        master(YJIT):        20.9 i/s
+         3.2.6(YJIT):        19.2 i/s - 1.09x  slower
+              master:        14.0 i/s - 1.50x  slower
+         rexml 3.2.6:        13.6 i/s - 1.54x  slower
+
+                             pull
+        master(YJIT):        25.4 i/s
+         3.2.6(YJIT):        22.3 i/s - 1.14x  slower
+              master:        16.9 i/s - 1.50x  slower
+         rexml 3.2.6:        15.6 i/s - 1.62x  slower
+
+                           stream
+        master(YJIT):        22.2 i/s
+         3.2.6(YJIT):        19.8 i/s - 1.12x  slower
+              master:        15.8 i/s - 1.40x  slower
+         rexml 3.2.6:        14.3 i/s - 1.55x  slower
+```
+
+- YJIT=ON : 1.02x - 1.14x faster
+- YJIT=OFF : 1.02x - 1.10x faster
+
+---------
+
+Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb           |  21 ++-
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb  | 149 ++++++------------
+ 2 files changed, 56 insertions(+), 114 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 305b120..65bad26 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -96,7 +96,7 @@ module REXML
+       ENTITYDEF = "(?:#{ENTITYVALUE}|(?:#{EXTERNALID}(#{NDATADECL})?))"
+       PEDECL = "<!ENTITY\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+       GEDECL = "<!ENTITY\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
+-      ENTITYDECL = /\s*(?:#{GEDECL})|(?:#{PEDECL})/um
++      ENTITYDECL = /\s*(?:#{GEDECL})|\s*(?:#{PEDECL})/um
+
+       NOTATIONDECL_START = /\A\s*<!NOTATION/um
+       EXTERNAL_ID_PUBLIC = /\A\s*PUBLIC\s+#{PUBIDLITERAL}\s+#{SYSTEMLITERAL}\s*/um
+@@ -259,7 +259,7 @@ module REXML
+           else
+             @document_status = :after_doctype
+             if @source.encoding == "UTF-8"
+-              @source.buffer.force_encoding(::Encoding::UTF_8)
++              @source.buffer_encoding = ::Encoding::UTF_8
+             end
+           end
+         end
+@@ -274,8 +274,7 @@ module REXML
+             return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ]
+
+           when ENTITY_START
+-            match = @source.match( ENTITYDECL, true ).to_a.compact
+-            match[0] = :entitydecl
++            match = [:entitydecl, *@source.match( ENTITYDECL, true ).captures.compact]
+             ref = false
+             if match[1] == '%'
+               ref = true
+@@ -392,6 +391,7 @@ module REXML
+               unless md
+                 raise REXML::ParseException.new("malformed XML: missing tag start", @source)
+               end
++              tag = md[1]
+               @document_status = :in_element
+               prefixes = Set.new
+               prefixes << md[2] if md[2]
+@@ -405,23 +405,20 @@ module REXML
+               end
+
+               if closed
+-                @closed = md[1]
++                @closed = tag
+                 @nsstack.shift
+               else
+-                @tags.push( md[1] )
++                @tags.push( tag )
+               end
+-              return [ :start_element, md[1], attributes ]
++              return [ :start_element, tag, attributes ]
+             end
+           else
+             md = @source.match( TEXT_PATTERN, true )
++            text = md[1]
+             if md[0].length == 0
+               @source.match( /(\s+)/, true )
+             end
+-            #STDERR.puts "GOT #{md[1].inspect}" unless md[0].length == 0
+-            #return [ :text, "" ] if md[0].length == 0
+-            # unnormalized = Text::unnormalize( md[1], self )
+-            # return PullEvent.new( :text, md[1], unnormalized )
+-            return [ :text, md[1] ]
++            return [ :text, text ]
+           end
+         rescue REXML::UndefinedNamespaceException
+           raise
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 90b370b..71b08f9 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -30,8 +30,6 @@ module REXML
+   # objects and provides consumption of text
+   class Source
+     include Encoding
+-    # The current buffer (what we're going to read next)
+-    attr_reader :buffer
+     # The line number of the last consumed text
+     attr_reader :line
+     attr_reader :encoding
+@@ -41,7 +39,8 @@ module REXML
+     # @param encoding if non-null, sets the encoding of the source to this
+     # value, overriding all encoding detection
+     def initialize(arg, encoding=nil)
+-      @orig = @buffer = arg
++      @orig = arg
++      @scanner = StringScanner.new(@orig)
+       if encoding
+         self.encoding = encoding
+       else
+@@ -50,6 +49,14 @@ module REXML
+       @line = 0
+     end
+
++    # The current buffer (what we're going to read next)
++    def buffer
++      @scanner.rest
++    end
++
++    def buffer_encoding=(encoding)
++      @scanner.string.force_encoding(encoding)
++    end
+
+     # Inherited from Encoding
+     # Overridden to support optimized en/decoding
+@@ -58,98 +65,57 @@ module REXML
+       encoding_updated
+     end
+
+-    # Scans the source for a given pattern.  Note, that this is not your
+-    # usual scan() method.  For one thing, the pattern argument has some
+-    # requirements; for another, the source can be consumed.  You can easily
+-    # confuse this method.  Originally, the patterns were easier
+-    # to construct and this method more robust, because this method
+-    # generated search regexps on the fly; however, this was
+-    # computationally expensive and slowed down the entire REXML package
+-    # considerably, since this is by far the most commonly called method.
+-    # @param pattern must be a Regexp, and must be in the form of
+-    # /^\s*(#{your pattern, with no groups})(.*)/.  The first group
+-    # will be returned; the second group is used if the consume flag is
+-    # set.
+-    # @param consume if true, the pattern returned will be consumed, leaving
+-    # everything after it in the Source.
+-    # @return the pattern, if found, or nil if the Source is empty or the
+-    # pattern is not found.
+-    def scan(pattern, cons=false)
+-      return nil if @buffer.nil?
+-      rv = @buffer.scan(pattern)
+-      @buffer = $' if cons and rv.size>0
+-      rv
+-    end
+-
+     def read
+     end
+
+-    def consume( pattern )
+-      @buffer = $' if pattern.match( @buffer )
+-    end
+-
+-    def match_to( char, pattern )
+-      return pattern.match(@buffer)
+-    end
+-
+-    def match_to_consume( char, pattern )
+-      md = pattern.match(@buffer)
+-      @buffer = $'
+-      return md
+-    end
+-
+     def match(pattern, cons=false)
+-      md = pattern.match(@buffer)
+-      @buffer = $' if cons and md
+-      return md
++      if cons
++        @scanner.scan(pattern).nil? ? nil : @scanner
++      else
++        @scanner.check(pattern).nil? ? nil : @scanner
++      end
+     end
+
+     # @return true if the Source is exhausted
+     def empty?
+-      @buffer == ""
+-    end
+-
+-    def position
+-      @orig.index( @buffer )
++      @scanner.eos?
+     end
+
+     # @return the current line in the source
+     def current_line
+       lines = @orig.split
+-      res = lines.grep @buffer[0..30]
++      res = lines.grep @scanner.rest[0..30]
+       res = res[-1] if res.kind_of? Array
+       lines.index( res ) if res
+     end
+
+     private
++
+     def detect_encoding
+-      buffer_encoding = @buffer.encoding
++      scanner_encoding = @scanner.rest.encoding
+       detected_encoding = "UTF-8"
+       begin
+-        @buffer.force_encoding("ASCII-8BIT")
+-        if @buffer[0, 2] == "\xfe\xff"
+-          @buffer[0, 2] = ""
++        @scanner.string.force_encoding("ASCII-8BIT")
++        if @scanner.scan(/\xfe\xff/n)
+           detected_encoding = "UTF-16BE"
+-        elsif @buffer[0, 2] == "\xff\xfe"
+-          @buffer[0, 2] = ""
++        elsif @scanner.scan(/\xff\xfe/n)
+           detected_encoding = "UTF-16LE"
+-        elsif @buffer[0, 3] == "\xef\xbb\xbf"
+-          @buffer[0, 3] = ""
++        elsif @scanner.scan(/\xef\xbb\xbf/n)
+           detected_encoding = "UTF-8"
+         end
+       ensure
+-        @buffer.force_encoding(buffer_encoding)
++        @scanner.string.force_encoding(scanner_encoding)
+       end
+       self.encoding = detected_encoding
+     end
+
+     def encoding_updated
+       if @encoding != 'UTF-8'
+-        @buffer = decode(@buffer)
++        @scanner.string = decode(@scanner.rest)
+         @to_utf = true
+       else
+         @to_utf = false
+-        @buffer.force_encoding ::Encoding::UTF_8
++        @scanner.string.force_encoding(::Encoding::UTF_8)
+       end
+     end
+   end
+@@ -172,7 +138,7 @@ module REXML
+       end
+
+       if !@to_utf and
+-          @buffer.respond_to?(:force_encoding) and
++          @orig.respond_to?(:force_encoding) and
+           @source.respond_to?(:external_encoding) and
+           @source.external_encoding != ::Encoding::UTF_8
+         @force_utf8 = true
+@@ -181,65 +147,44 @@ module REXML
+       end
+     end
+
+-    def scan(pattern, cons=false)
+-      rv = super
+-      # You'll notice that this next section is very similar to the same
+-      # section in match(), but just a liiittle different.  This is
+-      # because it is a touch faster to do it this way with scan()
+-      # than the way match() does it; enough faster to warrant duplicating
+-      # some code
+-      if rv.size == 0
+-        until @buffer =~ pattern or @source.nil?
+-          begin
+-            @buffer << readline
+-          rescue Iconv::IllegalSequence
+-            raise
+-          rescue
+-            @source = nil
+-          end
+-        end
+-        rv = super
+-      end
+-      rv.taint if RUBY_VERSION < '2.7'
+-      rv
+-    end
+-
+     def read
+       begin
+-        @buffer << readline
++        # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM,
++        # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs.
++        # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed
++        # and avoids this problem.
++        @scanner.string = @scanner.rest + readline
+       rescue Exception, NameError
+         @source = nil
+       end
+     end
+
+-    def consume( pattern )
+-      match( pattern, true )
+-    end
+-
+     def match( pattern, cons=false )
+-      rv = pattern.match(@buffer)
+-      @buffer = $' if cons and rv
+-      while !rv and @source
++      if cons
++        md = @scanner.scan(pattern)
++      else
++        md = @scanner.check(pattern)
++      end
++      while md.nil? and @source
+         begin
+-          @buffer << readline
+-          rv = pattern.match(@buffer)
+-          @buffer = $' if cons and rv
++          @scanner << readline
++          if cons
++            md = @scanner.scan(pattern)
++          else
++            md = @scanner.check(pattern)
++          end
+         rescue
+           @source = nil
+         end
+       end
+-      rv.taint if RUBY_VERSION < '2.7'
+-      rv
++
++      md.nil? ? nil : @scanner
+     end
+
+     def empty?
+       super and ( @source.nil? || @source.eof? )
+     end
+
+-    def position
+-      @er_source.pos rescue 0
+-    end
+-
+     # @return the current line in the source
+     def current_line
+       begin
+@@ -290,7 +235,7 @@ module REXML
+         @source.set_encoding(@encoding, @encoding)
+       end
+       @line_break = encode(">")
+-      @pending_buffer, @buffer = @buffer, ""
++      @pending_buffer, @scanner.string = @scanner.rest, ""
+       @pending_buffer.force_encoding(@encoding)
+       super
+     end
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch

@@ -0,0 +1,104 @@
+From 83ca5c4b0f76cf7b307dd1be1dc934e1e8199863 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Sun, 21 Jan 2024 06:11:42 +0900
+Subject: [PATCH] Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106)
+
+Reduce calls to `Source#buffer`(`StringScanner#rest`)
+
+## Why
+`Source#buffer` calling `StringScanner#rest`.
+`StringScanner#rest` is slow.
+Reduce calls to `Source#buffer`.
+
+## Benchmark
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     10.639      10.985        16.213       16.221 i/s -     100.000 times in 9.399033s 9.103461s 6.167962s 6.164794s
+                 sax     28.357      29.440        42.900       44.375 i/s -     100.000 times in 3.526479s 3.396688s 2.331024s 2.253511s
+                pull     32.852      34.210        48.976       51.273 i/s -     100.000 times in 3.043965s 2.923140s 2.041816s 1.950344s
+              stream     30.821      31.908        43.953       44.697 i/s -     100.000 times in 3.244539s 3.134020s 2.275172s 2.237310s
+
+Comparison:
+                              dom
+         after(YJIT):        16.2 i/s
+        before(YJIT):        16.2 i/s - 1.00x  slower
+               after:        11.0 i/s - 1.48x  slower
+              before:        10.6 i/s - 1.52x  slower
+
+                              sax
+         after(YJIT):        44.4 i/s
+        before(YJIT):        42.9 i/s - 1.03x  slower
+               after:        29.4 i/s - 1.51x  slower
+              before:        28.4 i/s - 1.56x  slower
+
+                             pull
+         after(YJIT):        51.3 i/s
+        before(YJIT):        49.0 i/s - 1.05x  slower
+               after:        34.2 i/s - 1.50x  slower
+              before:        32.9 i/s - 1.56x  slower
+
+                           stream
+         after(YJIT):        44.7 i/s
+        before(YJIT):        44.0 i/s - 1.02x  slower
+               after:        31.9 i/s - 1.40x  slower
+              before:        30.8 i/s - 1.45x  slower
+
+```
+
+- YJIT=ON : 1.00x - 1.05x faster
+- YJIT=OFF : 1.03x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb    | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 65bad26..7126a12 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -348,9 +348,13 @@ module REXML
+           @source.match(/\A\s*/um, true)
+         end
+         begin
+-          @source.read if @source.buffer.size<2
+-          if @source.buffer[0] == ?<
+-            if @source.buffer[1] == ?/
++          next_data = @source.buffer
++          if next_data.size < 2
++            @source.read
++            next_data = @source.buffer
++          end
++          if next_data[0] == ?<
++            if next_data[1] == ?/
+               @nsstack.shift
+               last_tag = @tags.pop
+               md = @source.match( CLOSE_MATCH, true )
+@@ -364,7 +368,7 @@ module REXML
+                 raise REXML::ParseException.new(message, @source)
+               end
+               return [ :end_element, last_tag ]
+-            elsif @source.buffer[1] == ?!
++            elsif next_data[1] == ?!
+               md = @source.match(/\A(\s*[^>]*>)/um)
+               #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+               raise REXML::ParseException.new("Malformed node", @source) unless md
+@@ -383,7 +387,7 @@ module REXML
+               end
+               raise REXML::ParseException.new( "Declarations can only occur "+
+                 "in the doctype declaration.", @source)
+-            elsif @source.buffer[1] == ??
++            elsif next_data[1] == ??
+               return process_instruction
+             else
+               # Get the next tag
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch

@@ -0,0 +1,85 @@
+From 51217dbcc64ecc34aa70f126b103bedf07e153fc Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 31 Jan 2024 16:35:55 +0900
+Subject: [PATCH] Reduce calls to StringScanner.new() (#108)
+
+## Why
+
+`StringScanner.new()` instances can be reused within parse_attributes,
+reducing initialization costs.
+
+## Benchmark
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     11.018      11.207        17.059       16.660 i/s -     100.000 times in 9.075992s 8.923280s 5.861969s 6.002555s
+                 sax     29.843      30.821        45.518       47.505 i/s -     100.000 times in 3.350909s 3.244524s 2.196940s 2.105037s
+                pull     34.480      35.937        52.816       57.098 i/s -     100.000 times in 2.900205s 2.782632s 1.893370s 1.751378s
+              stream     32.430      33.516        46.247       48.412 i/s -     100.000 times in 3.083536s 2.983607s 2.162288s 2.065584s
+
+Comparison:
+                              dom
+        before(YJIT):        17.1 i/s
+         after(YJIT):        16.7 i/s - 1.02x  slower
+               after:        11.2 i/s - 1.52x  slower
+              before:        11.0 i/s - 1.55x  slower
+
+                              sax
+         after(YJIT):        47.5 i/s
+        before(YJIT):        45.5 i/s - 1.04x  slower
+               after:        30.8 i/s - 1.54x  slower
+              before:        29.8 i/s - 1.59x  slower
+
+                             pull
+         after(YJIT):        57.1 i/s
+        before(YJIT):        52.8 i/s - 1.08x  slower
+               after:        35.9 i/s - 1.59x  slower
+              before:        34.5 i/s - 1.66x  slower
+
+                           stream
+         after(YJIT):        48.4 i/s
+        before(YJIT):        46.2 i/s - 1.05x  slower
+               after:        33.5 i/s - 1.44x  slower
+              before:        32.4 i/s - 1.49x  slower
+
+```
+
+- YJIT=ON : 1.02x - 1.08x faster
+- YJIT=OFF : 1.01x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 7126a12..b66b0ed 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -115,6 +115,7 @@ module REXML
+       def initialize( source )
+         self.stream = source
+         @listeners = []
++        @attributes_scanner = StringScanner.new('')
+       end
+
+       def add_listener( listener )
+@@ -601,7 +602,8 @@ module REXML
+         return attributes, closed if raw_attributes.nil?
+         return attributes, closed if raw_attributes.empty?
+
+-        scanner = StringScanner.new(raw_attributes)
++        @attributes_scanner.string = raw_attributes
++        scanner = @attributes_scanner
+         until scanner.eos?
+           if scanner.scan(/\s+/)
+             break if scanner.eos?
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch

@@ -0,0 +1,71 @@
+From 7e4049f6a68c99c4efec2df117057ee080680c9f Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 31 Jan 2024 17:17:51 +0900
+Subject: [PATCH] Change loop in parse_attributes to `while true`. (#109)
+
+loop is slower than `while true`.
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     11.186      11.304        17.395       17.450 i/s -     100.000 times in 8.940144s 8.846590s 5.748718s 5.730793s
+                 sax     30.811      31.629        47.352       48.040 i/s -     100.000 times in 3.245601s 3.161619s 2.111854s 2.081594s
+                pull     35.793      36.621        56.924       57.313 i/s -     100.000 times in 2.793829s 2.730693s 1.756732s 1.744812s
+              stream     33.157      34.757        46.792       50.536 i/s -     100.000 times in 3.015940s 2.877088s 2.137106s 1.978787s
+
+Comparison:
+                              dom
+         after(YJIT):        17.4 i/s
+        before(YJIT):        17.4 i/s - 1.00x  slower
+               after:        11.3 i/s - 1.54x  slower
+              before:        11.2 i/s - 1.56x  slower
+
+                              sax
+         after(YJIT):        48.0 i/s
+        before(YJIT):        47.4 i/s - 1.01x  slower
+               after:        31.6 i/s - 1.52x  slower
+              before:        30.8 i/s - 1.56x  slower
+
+                             pull
+         after(YJIT):        57.3 i/s
+        before(YJIT):        56.9 i/s - 1.01x  slower
+               after:        36.6 i/s - 1.57x  slower
+              before:        35.8 i/s - 1.60x  slower
+
+                           stream
+         after(YJIT):        50.5 i/s
+        before(YJIT):        46.8 i/s - 1.08x  slower
+               after:        34.8 i/s - 1.45x  slower
+              before:        33.2 i/s - 1.52x  slower
+
+```
+
+- YJIT=ON : 1.00x - 1.08x faster
+- YJIT=OFF : 1.01x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index b66b0ed..3fe5c29 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -610,7 +610,7 @@ module REXML
+           end
+
+           pos = scanner.pos
+-          loop do
++          while true
+             break if scanner.scan(ATTRIBUTE_PATTERN)
+             unless scanner.scan(QNAME)
+               message = "Invalid attribute name: <#{scanner.rest}>"
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch

@@ -0,0 +1,51 @@
+From fc6cad570b849692a28f26a963ceb58edc282bbc Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Fri, 16 Feb 2024 04:51:16 +0900
+Subject: [PATCH] Remove unnecessary checks in baseparser (#112)
+
+https://github.com/ruby/rexml/blob/444c9ce7449d3c5a75ae50087555ec73ae1963a8/lib/rexml/parsers/baseparser.rb#L352-L425
+```
+          next_data = @source.buffer
+          if next_data.size < 2
+            @source.read
+            next_data = @source.buffer
+          end
+          if next_data[0] == ?<
+              :
+            (omit)
+              :
+          else # next_data is a string of one or more characters other than '<'.
+            md = @source.match( TEXT_PATTERN, true ) # TEXT_PATTERN = /\A([^<]*)/um
+            text = md[1]
+            if md[0].length == 0 # md[0].length is greater than or equal to 1.
+              @source.match( /(\s+)/, true )
+            end
+```
+This is an unnecessary check because md[0].length is greater than or
+equal to 1.
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 3fe5c29..595669c 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -420,9 +420,6 @@ module REXML
+           else
+             md = @source.match( TEXT_PATTERN, true )
+             text = md[1]
+-            if md[0].length == 0
+-              @source.match( /(\s+)/, true )
+-            end
+             return [ :text, text ]
+           end
+         rescue REXML::UndefinedNamespaceException
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch

@@ -0,0 +1,79 @@
+From 77128555476cb0db798e2912fb3a07d6411dc320 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Sun, 21 Jan 2024 20:02:00 +0900
+Subject: [PATCH] Use `@scanner << readline` instead of `@scanner.string =
+ @scanner.rest + readline` (#107)
+
+JRuby's `StringScanner#<<` and `StringScanner#scan` OutOfMemoryError has
+been resolved in strscan gem 3.0.9.
+
+https://github.com/ruby/strscan/issues/83
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     10.958      11.044        16.615       16.783 i/s -     100.000 times in 9.126104s 9.055023s 6.018799s 5.958437s
+                 sax     29.624      29.609        44.390       45.370 i/s -     100.000 times in 3.375641s 3.377372s 2.252774s 2.204080s
+                pull     33.868      34.695        51.173       53.492 i/s -     100.000 times in 2.952679s 2.882229s 1.954138s 1.869422s
+              stream     31.719      32.351        43.604       45.403 i/s -     100.000 times in 3.152713s 3.091052s 2.293356s 2.202514s
+
+Comparison:
+                              dom
+         after(YJIT):        16.8 i/s
+        before(YJIT):        16.6 i/s - 1.01x  slower
+               after:        11.0 i/s - 1.52x  slower
+              before:        11.0 i/s - 1.53x  slower
+
+                              sax
+         after(YJIT):        45.4 i/s
+        before(YJIT):        44.4 i/s - 1.02x  slower
+              before:        29.6 i/s - 1.53x  slower
+               after:        29.6 i/s - 1.53x  slower
+
+                             pull
+         after(YJIT):        53.5 i/s
+        before(YJIT):        51.2 i/s - 1.05x  slower
+               after:        34.7 i/s - 1.54x  slower
+              before:        33.9 i/s - 1.58x  slower
+
+                           stream
+         after(YJIT):        45.4 i/s
+        before(YJIT):        43.6 i/s - 1.04x  slower
+               after:        32.4 i/s - 1.40x  slower
+              before:        31.7 i/s - 1.43x  slower
+
+```
+
+- YJIT=ON : 1.01x - 1.05x faster
+- YJIT=OFF : 1.00x - 1.02x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 71b08f9..db78a12 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -149,11 +149,7 @@ module REXML
+
+     def read
+       begin
+-        # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM,
+-        # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs.
+-        # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed
+-        # and avoids this problem.
+-        @scanner.string = @scanner.rest + readline
++        @scanner << readline
+       rescue Exception, NameError
+         @source = nil
+       end
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch

@@ -0,0 +1,561 @@
+From 370666e314816b57ecd5878e757224c3b6bc93f5 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Tue, 27 Feb 2024 09:48:35 +0900
+Subject: [PATCH] Use more StringScanner based API to parse XML (#114)
+
+## Why?
+
+Improve maintainability by optimizing the process so that the parsing
+process proceeds using StringScanner#scan.
+
+## Changed
+- Change `REXML::Parsers::BaseParser` from `frozen_string_literal:
+false` to `frozen_string_literal: true`.
+- Added `Source#string=` method for error message output.
+- Added TestParseDocumentTypeDeclaration#test_no_name test case.
+- Of the `intSubset` of DOCTYPE, "<!" added consideration for processing
+`Comments` that begin with "<!".
+
+## [Benchmark]
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     11.240      10.569        17.173       18.219 i/s -     100.000 times in 8.896882s 9.461267s 5.823007s 5.488884s
+                 sax     31.812      30.716        48.383       52.532 i/s -     100.000 times in 3.143500s 3.255655s 2.066861s 1.903600s
+                pull     36.855      36.354        56.718       61.443 i/s -     100.000 times in 2.713300s 2.750693s 1.763099s 1.627523s
+              stream     34.176      34.758        49.801       54.622 i/s -     100.000 times in 2.925991s 2.877065s 2.008003s 1.830779s
+
+Comparison:
+                              dom
+         after(YJIT):        18.2 i/s
+        before(YJIT):        17.2 i/s - 1.06x  slower
+              before:        11.2 i/s - 1.62x  slower
+               after:        10.6 i/s - 1.72x  slower
+
+                              sax
+         after(YJIT):        52.5 i/s
+        before(YJIT):        48.4 i/s - 1.09x  slower
+              before:        31.8 i/s - 1.65x  slower
+               after:        30.7 i/s - 1.71x  slower
+
+                             pull
+         after(YJIT):        61.4 i/s
+        before(YJIT):        56.7 i/s - 1.08x  slower
+              before:        36.9 i/s - 1.67x  slower
+               after:        36.4 i/s - 1.69x  slower
+
+                           stream
+         after(YJIT):        54.6 i/s
+        before(YJIT):        49.8 i/s - 1.10x  slower
+               after:        34.8 i/s - 1.57x  slower
+              before:        34.2 i/s - 1.60x  slower
+
+```
+
+- YJIT=ON : 1.06x - 1.10x faster
+- YJIT=OFF : 0.94x - 1.01x faster
+
+---------
+
+Co-authored-by: Sutou Kouhei <kou@clear-code.com>
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb           | 325 +++++++++---------
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb  |  31 +-
+ 2 files changed, 188 insertions(+), 168 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 595669c..bc59bcd 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -1,4 +1,4 @@
+-# frozen_string_literal: false
++# frozen_string_literal: true
+ require_relative '../parseexception'
+ require_relative '../undefinednamespaceexception'
+ require_relative '../source'
+@@ -112,6 +112,19 @@ module REXML
+         "apos" => [/&apos;/, "&apos;", "'", /'/]
+       }
+
++      module Private
++        INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
++        TAG_PATTERN = /((?>#{QNAME_STR}))/um
++        CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
++        ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
++        NAME_PATTERN = /\s*#{NAME}/um
++        GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
++        PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
++        ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
++      end
++      private_constant :Private
++      include Private
++
+       def initialize( source )
+         self.stream = source
+         @listeners = []
+@@ -198,183 +211,172 @@ module REXML
+         #STDERR.puts @source.encoding
+         #STDERR.puts "BUFFER = #{@source.buffer.inspect}"
+         if @document_status == nil
+-          word = @source.match( /\A((?:\s+)|(?:<[^>]*>))/um )
+-          word = word[1] unless word.nil?
+-          #STDERR.puts "WORD = #{word.inspect}"
+-          case word
+-          when COMMENT_START
+-            return [ :comment, @source.match( COMMENT_PATTERN, true )[1] ]
+-          when XMLDECL_START
+-            #STDERR.puts "XMLDECL"
+-            results = @source.match( XMLDECL_PATTERN, true )[1]
+-            version = VERSION.match( results )
+-            version = version[1] unless version.nil?
+-            encoding = ENCODING.match(results)
+-            encoding = encoding[1] unless encoding.nil?
+-            if need_source_encoding_update?(encoding)
+-              @source.encoding = encoding
+-            end
+-            if encoding.nil? and /\AUTF-16(?:BE|LE)\z/i =~ @source.encoding
+-              encoding = "UTF-16"
+-            end
+-            standalone = STANDALONE.match(results)
+-            standalone = standalone[1] unless standalone.nil?
+-            return [ :xmldecl, version, encoding, standalone ]
+-          when INSTRUCTION_START
++          if @source.match("<?", true)
+             return process_instruction
+-          when DOCTYPE_START
+-            base_error_message = "Malformed DOCTYPE"
+-            @source.match(DOCTYPE_START, true)
+-            @nsstack.unshift(curr_ns=Set.new)
+-            name = parse_name(base_error_message)
+-            if @source.match(/\A\s*\[/um, true)
+-              id = [nil, nil, nil]
+-              @document_status = :in_doctype
+-            elsif @source.match(/\A\s*>/um, true)
+-              id = [nil, nil, nil]
+-              @document_status = :after_doctype
+-            else
+-              id = parse_id(base_error_message,
+-                            accept_external_id: true,
+-                            accept_public_id: false)
+-              if id[0] == "SYSTEM"
+-                # For backward compatibility
+-                id[1], id[2] = id[2], nil
++          elsif @source.match("<!", true)
++            if @source.match("--", true)
++              return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
++            elsif @source.match("DOCTYPE", true)
++              base_error_message = "Malformed DOCTYPE"
++              unless @source.match(/\s+/um, true)
++                if @source.match(">")
++                  message = "#{base_error_message}: name is missing"
++                else
++                  message = "#{base_error_message}: invalid name"
++                end
++                @source.string = "<!DOCTYPE" + @source.buffer
++                raise REXML::ParseException.new(message, @source)
+               end
+-              if @source.match(/\A\s*\[/um, true)
++              @nsstack.unshift(curr_ns=Set.new)
++              name = parse_name(base_error_message)
++              if @source.match(/\s*\[/um, true)
++                id = [nil, nil, nil]
+                 @document_status = :in_doctype
+-              elsif @source.match(/\A\s*>/um, true)
++              elsif @source.match(/\s*>/um, true)
++                id = [nil, nil, nil]
+                 @document_status = :after_doctype
+               else
+-                message = "#{base_error_message}: garbage after external ID"
+-                raise REXML::ParseException.new(message, @source)
++                id = parse_id(base_error_message,
++                              accept_external_id: true,
++                              accept_public_id: false)
++                if id[0] == "SYSTEM"
++                  # For backward compatibility
++                  id[1], id[2] = id[2], nil
++                end
++                if @source.match(/\s*\[/um, true)
++                  @document_status = :in_doctype
++                elsif @source.match(/\s*>/um, true)
++                  @document_status = :after_doctype
++                else
++                  message = "#{base_error_message}: garbage after external ID"
++                  raise REXML::ParseException.new(message, @source)
++                end
+               end
+-            end
+-            args = [:start_doctype, name, *id]
+-            if @document_status == :after_doctype
+-              @source.match(/\A\s*/um, true)
+-              @stack << [ :end_doctype ]
+-            end
+-            return args
+-          when /\A\s+/
+-          else
+-            @document_status = :after_doctype
+-            if @source.encoding == "UTF-8"
+-              @source.buffer_encoding = ::Encoding::UTF_8
++              args = [:start_doctype, name, *id]
++              if @document_status == :after_doctype
++                @source.match(/\s*/um, true)
++                @stack << [ :end_doctype ]
++              end
++              return args
++            else
++              message = "Invalid XML"
++              raise REXML::ParseException.new(message, @source)
+             end
+           end
+         end
+         if @document_status == :in_doctype
+-          md = @source.match(/\A\s*(.*?>)/um)
+-          case md[1]
+-          when SYSTEMENTITY
+-            match = @source.match( SYSTEMENTITY, true )[1]
+-            return [ :externalentity, match ]
+-
+-          when ELEMENTDECL_START
+-            return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ]
+-
+-          when ENTITY_START
+-            match = [:entitydecl, *@source.match( ENTITYDECL, true ).captures.compact]
+-            ref = false
+-            if match[1] == '%'
+-              ref = true
+-              match.delete_at 1
+-            end
+-            # Now we have to sort out what kind of entity reference this is
+-            if match[2] == 'SYSTEM'
+-              # External reference
+-              match[3] = match[3][1..-2] # PUBID
+-              match.delete_at(4) if match.size > 4 # Chop out NDATA decl
+-              # match is [ :entity, name, SYSTEM, pubid(, ndata)? ]
+-            elsif match[2] == 'PUBLIC'
+-              # External reference
+-              match[3] = match[3][1..-2] # PUBID
+-              match[4] = match[4][1..-2] # HREF
+-              match.delete_at(5) if match.size > 5 # Chop out NDATA decl
+-              # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ]
+-            else
+-              match[2] = match[2][1..-2]
+-              match.pop if match.size == 4
+-              # match is [ :entity, name, value ]
+-            end
+-            match << '%' if ref
+-            return match
+-          when ATTLISTDECL_START
+-            md = @source.match( ATTLISTDECL_PATTERN, true )
+-            raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil?
+-            element = md[1]
+-            contents = md[0]
+-
+-            pairs = {}
+-            values = md[0].scan( ATTDEF_RE )
+-            values.each do |attdef|
+-              unless attdef[3] == "#IMPLIED"
+-                attdef.compact!
+-                val = attdef[3]
+-                val = attdef[4] if val == "#FIXED "
+-                pairs[attdef[0]] = val
+-                if attdef[0] =~ /^xmlns:(.*)/
+-                  @nsstack[0] << $1
+-                end
++          @source.match(/\s*/um, true) # skip spaces
++          if @source.match("<!", true)
++            if @source.match("ELEMENT", true)
++              md = @source.match(/(.*?)>/um, true)
++              raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil?
++              return [ :elementdecl, "<!ELEMENT" + md[1] ]
++            elsif @source.match("ENTITY", true)
++              match = [:entitydecl, *@source.match(ENTITYDECL_PATTERN, true).captures.compact]
++              ref = false
++              if match[1] == '%'
++                ref = true
++                match.delete_at 1
+               end
+-            end
+-            return [ :attlistdecl, element, pairs, contents ]
+-          when NOTATIONDECL_START
+-            base_error_message = "Malformed notation declaration"
+-            unless @source.match(/\A\s*<!NOTATION\s+/um, true)
+-              if @source.match(/\A\s*<!NOTATION\s*>/um)
+-                message = "#{base_error_message}: name is missing"
++              # Now we have to sort out what kind of entity reference this is
++              if match[2] == 'SYSTEM'
++                # External reference
++                match[3] = match[3][1..-2] # PUBID
++                match.delete_at(4) if match.size > 4 # Chop out NDATA decl
++                # match is [ :entity, name, SYSTEM, pubid(, ndata)? ]
++              elsif match[2] == 'PUBLIC'
++                # External reference
++                match[3] = match[3][1..-2] # PUBID
++                match[4] = match[4][1..-2] # HREF
++                match.delete_at(5) if match.size > 5 # Chop out NDATA decl
++                # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ]
+               else
+-                message = "#{base_error_message}: invalid declaration name"
++                match[2] = match[2][1..-2]
++                match.pop if match.size == 4
++                # match is [ :entity, name, value ]
+               end
+-              raise REXML::ParseException.new(message, @source)
+-            end
+-            name = parse_name(base_error_message)
+-            id = parse_id(base_error_message,
+-                          accept_external_id: true,
+-                          accept_public_id: true)
+-            unless @source.match(/\A\s*>/um, true)
+-              message = "#{base_error_message}: garbage before end >"
+-              raise REXML::ParseException.new(message, @source)
++              match << '%' if ref
++              return match
++            elsif @source.match("ATTLIST", true)
++              md = @source.match(ATTLISTDECL_END, true)
++              raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil?
++              element = md[1]
++              contents = md[0]
++
++              pairs = {}
++              values = md[0].scan( ATTDEF_RE )
++              values.each do |attdef|
++                unless attdef[3] == "#IMPLIED"
++                  attdef.compact!
++                  val = attdef[3]
++                  val = attdef[4] if val == "#FIXED "
++                  pairs[attdef[0]] = val
++                  if attdef[0] =~ /^xmlns:(.*)/
++                    @nsstack[0] << $1
++                  end
++                end
++              end
++              return [ :attlistdecl, element, pairs, contents ]
++            elsif @source.match("NOTATION", true)
++              base_error_message = "Malformed notation declaration"
++              unless @source.match(/\s+/um, true)
++                if @source.match(">")
++                  message = "#{base_error_message}: name is missing"
++                else
++                  message = "#{base_error_message}: invalid name"
++                end
++                @source.string = " <!NOTATION" + @source.buffer
++                raise REXML::ParseException.new(message, @source)
++              end
++              name = parse_name(base_error_message)
++              id = parse_id(base_error_message,
++                            accept_external_id: true,
++                            accept_public_id: true)
++              unless @source.match(/\s*>/um, true)
++                message = "#{base_error_message}: garbage before end >"
++                raise REXML::ParseException.new(message, @source)
++              end
++              return [:notationdecl, name, *id]
++            elsif md = @source.match(/--(.*?)-->/um, true)
++              case md[1]
++              when /--/, /-\z/
++                raise REXML::ParseException.new("Malformed comment", @source)
++              end
++              return [ :comment, md[1] ] if md
+             end
+-            return [:notationdecl, name, *id]
+-          when DOCTYPE_END
++          elsif match = @source.match(/(%.*?;)\s*/um, true)
++            return [ :externalentity, match[1] ]
++          elsif @source.match(/\]\s*>/um, true)
+             @document_status = :after_doctype
+-            @source.match( DOCTYPE_END, true )
+             return [ :end_doctype ]
+           end
+         end
+         if @document_status == :after_doctype
+-          @source.match(/\A\s*/um, true)
++          @source.match(/\s*/um, true)
+         end
+         begin
+-          next_data = @source.buffer
+-          if next_data.size < 2
+-            @source.read
+-            next_data = @source.buffer
+-          end
+-          if next_data[0] == ?<
+-            if next_data[1] == ?/
++          if @source.match("<", true)
++            if @source.match("/", true)
+               @nsstack.shift
+               last_tag = @tags.pop
+-              md = @source.match( CLOSE_MATCH, true )
++              md = @source.match(CLOSE_PATTERN, true)
+               if md and !last_tag
+                 message = "Unexpected top-level end tag (got '#{md[1]}')"
+                 raise REXML::ParseException.new(message, @source)
+               end
+               if md.nil? or last_tag != md[1]
+                 message = "Missing end tag for '#{last_tag}'"
+-                message << " (got '#{md[1]}')" if md
++                message += " (got '#{md[1]}')" if md
++                @source.string = "</" + @source.buffer if md.nil?
+                 raise REXML::ParseException.new(message, @source)
+               end
+               return [ :end_element, last_tag ]
+-            elsif next_data[1] == ?!
+-              md = @source.match(/\A(\s*[^>]*>)/um)
++            elsif @source.match("!", true)
++              md = @source.match(/([^>]*>)/um)
+               #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+               raise REXML::ParseException.new("Malformed node", @source) unless md
+-              if md[0][2] == ?-
+-                md = @source.match( COMMENT_PATTERN, true )
++              if md[0][0] == ?-
++                md = @source.match(/--(.*?)-->/um, true)
+
+                 case md[1]
+                 when /--/, /-\z/
+@@ -383,17 +385,18 @@ module REXML
+
+                 return [ :comment, md[1] ] if md
+               else
+-                md = @source.match( CDATA_PATTERN, true )
++                md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true)
+                 return [ :cdata, md[1] ] if md
+               end
+               raise REXML::ParseException.new( "Declarations can only occur "+
+                 "in the doctype declaration.", @source)
+-            elsif next_data[1] == ??
++            elsif @source.match("?", true)
+               return process_instruction
+             else
+               # Get the next tag
+-              md = @source.match(TAG_MATCH, true)
++              md = @source.match(TAG_PATTERN, true)
+               unless md
++                @source.string = "<" + @source.buffer
+                 raise REXML::ParseException.new("malformed XML: missing tag start", @source)
+               end
+               tag = md[1]
+@@ -418,7 +421,7 @@ module REXML
+               return [ :start_element, tag, attributes ]
+             end
+           else
+-            md = @source.match( TEXT_PATTERN, true )
++            md = @source.match(/([^<]*)/um, true)
+             text = md[1]
+             return [ :text, text ]
+           end
+@@ -462,8 +465,7 @@ module REXML
+
+       # Unescapes all possible entities
+       def unnormalize( string, entities=nil, filter=nil )
+-        rv = string.clone
+-        rv.gsub!( /\r\n?/, "\n" )
++        rv = string.gsub( /\r\n?/, "\n" )
+         matches = rv.scan( REFERENCE_RE )
+         return rv if matches.size == 0
+         rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+@@ -498,9 +500,9 @@ module REXML
+       end
+
+       def parse_name(base_error_message)
+-        md = @source.match(/\A\s*#{NAME}/um, true)
++        md = @source.match(NAME_PATTERN, true)
+         unless md
+-          if @source.match(/\A\s*\S/um)
++          if @source.match(/\s*\S/um)
+             message = "#{base_error_message}: invalid name"
+           else
+             message = "#{base_error_message}: name is missing"
+@@ -577,11 +579,28 @@ module REXML
+       end
+
+       def process_instruction
+-        match_data = @source.match(INSTRUCTION_PATTERN, true)
++        match_data = @source.match(INSTRUCTION_END, true)
+         unless match_data
+           message = "Invalid processing instruction node"
++          @source.string = "<?" + @source.buffer
+           raise REXML::ParseException.new(message, @source)
+         end
++        if @document_status.nil? and match_data[1] == "xml"
++          content = match_data[2]
++          version = VERSION.match(content)
++          version = version[1] unless version.nil?
++          encoding = ENCODING.match(content)
++          encoding = encoding[1] unless encoding.nil?
++          if need_source_encoding_update?(encoding)
++            @source.encoding = encoding
++          end
++          if encoding.nil? and /\AUTF-16(?:BE|LE)\z/i =~ @source.encoding
++            encoding = "UTF-16"
++          end
++          standalone = STANDALONE.match(content)
++          standalone = standalone[1] unless standalone.nil?
++          return [ :xmldecl, version, encoding, standalone ]
++        end
+         [:processing_instruction, match_data[1], match_data[2]]
+       end
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index db78a12..4111d1d 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -76,6 +76,10 @@ module REXML
+       end
+     end
+
++    def string=(string)
++      @scanner.string = string
++    end
++
+     # @return true if the Source is exhausted
+     def empty?
+       @scanner.eos?
+@@ -150,28 +154,25 @@ module REXML
+     def read
+       begin
+         @scanner << readline
++        true
+       rescue Exception, NameError
+         @source = nil
++        false
+       end
+     end
+
+     def match( pattern, cons=false )
+-      if cons
+-        md = @scanner.scan(pattern)
+-      else
+-        md = @scanner.check(pattern)
+-      end
+-      while md.nil? and @source
+-        begin
+-          @scanner << readline
+-          if cons
+-            md = @scanner.scan(pattern)
+-          else
+-            md = @scanner.check(pattern)
+-          end
+-        rescue
+-          @source = nil
++      read if @scanner.eos? && @source
++      while true
++        if cons
++          md = @scanner.scan(pattern)
++        else
++          md = @scanner.check(pattern)
+         end
++        break if md
++        return nil if pattern.is_a?(String) && pattern.bytesize <= @scanner.rest_size
++        return nil if @source.nil?
++        return nil unless read
+       end
+
+       md.nil? ? nil : @scanner
+--
+2.40.0

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch

@@ -0,0 +1,107 @@
+From a579730f25ec7443796495541ec57c071b91805d Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Tue, 25 Jun 2024 09:07:11 +0900
+Subject: [PATCH] Optimize BaseParser#unnormalize method (#158)
+
+## Benchmark
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.3/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.3 (2024-06-12 revision f1c7b6f435) [arm64-darwin22]
+Calculating -------------------------------------
+                         before       after  before(YJIT)  after(YJIT)
+                 dom     17.704      18.106        34.215       33.806 i/s -     100.000 times in 5.648398s 5.523110s 2.922698s 2.958036s
+                 sax     25.664      25.302        48.429       48.602 i/s -     100.000 times in 3.896488s 3.952289s 2.064859s 2.057537s
+                pull     28.966      29.215        61.710       62.068 i/s -     100.000 times in 3.452275s 3.422901s 1.620480s 1.611129s
+              stream     28.291      28.426        53.860       55.548 i/s -     100.000 times in 3.534716s 3.517884s 1.856667s 1.800247s
+
+Comparison:
+                              dom
+        before(YJIT):        34.2 i/s
+         after(YJIT):        33.8 i/s - 1.01x  slower
+               after:        18.1 i/s - 1.89x  slower
+              before:        17.7 i/s - 1.93x  slower
+
+                              sax
+         after(YJIT):        48.6 i/s
+        before(YJIT):        48.4 i/s - 1.00x  slower
+              before:        25.7 i/s - 1.89x  slower
+               after:        25.3 i/s - 1.92x  slower
+
+                             pull
+         after(YJIT):        62.1 i/s
+        before(YJIT):        61.7 i/s - 1.01x  slower
+               after:        29.2 i/s - 2.12x  slower
+              before:        29.0 i/s - 2.14x  slower
+
+                           stream
+         after(YJIT):        55.5 i/s
+        before(YJIT):        53.9 i/s - 1.03x  slower
+               after:        28.4 i/s - 1.95x  slower
+              before:        28.3 i/s - 1.96x  slower
+
+```
+
+- YJIT=ON : 1.00x - 1.03x faster
+- YJIT=OFF : 0.98x - 1.02x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb   | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index bc59bcd..9983d51 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -121,6 +121,13 @@ module REXML
+         GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
+         PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+         ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
++        CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
++        CHARACTER_REFERENCES = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
++        DEFAULT_ENTITIES_PATTERNS = {}
++        default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
++        default_entities.each do |term|
++          DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/
++        end
+       end
+       private_constant :Private
+       include Private
+@@ -465,10 +472,10 @@ module REXML
+ 
+       # Unescapes all possible entities
+       def unnormalize( string, entities=nil, filter=nil )
+-        rv = string.gsub( /\r\n?/, "\n" )
++        rv = string.gsub( Private::CARRIAGE_RETURN_NEWLINE_PATTERN, "\n" )
+         matches = rv.scan( REFERENCE_RE )
+         return rv if matches.size == 0
+-        rv.gsub!( /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++        rv.gsub!( Private::CHARACTER_REFERENCES ) {
+           m=$1
+           m = "0#{m}" if m[0] == ?x
+           [Integer(m)].pack('U*')
+@@ -479,7 +486,7 @@ module REXML
+             unless filter and filter.include?(entity_reference)
+               entity_value = entity( entity_reference, entities )
+               if entity_value
+-                re = /&#{entity_reference};/
++                re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
+                 rv.gsub!( re, entity_value )
+               else
+                 er = DEFAULT_ENTITIES[entity_reference]
+@@ -487,7 +494,7 @@ module REXML
+               end
+             end
+           end
+-          rv.gsub!( /&amp;/, '&' )
++          rv.gsub!( Private::DEFAULT_ENTITIES_PATTERNS['amp'], '&' )
+         end
+         rv
+       end
+-- 
+2.40.0
+

meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch

@@ -0,0 +1,46 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that &#0x...; is accepted as a character 
+ reference
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb   | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 9983d51..661f0e2 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -122,7 +122,7 @@ module REXML
+         PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+         ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+         CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+-        CHARACTER_REFERENCES = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
++        CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+         DEFAULT_ENTITIES_PATTERNS = {}
+         default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+         default_entities.each do |term|
+@@ -477,8 +477,12 @@ module REXML
+         return rv if matches.size == 0
+         rv.gsub!( Private::CHARACTER_REFERENCES ) {
+           m=$1
+-          m = "0#{m}" if m[0] == ?x
+-          [Integer(m)].pack('U*')
++          if m.start_with?("x")
++            code_point = Integer(m[1..-1], 16)
++          else
++            code_point = Integer(m, 10)
++          end
++          [code_point].pack('U*')
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
+-- 
+2.40.0
+

meta/recipes-devtools/ruby/ruby_3.1.3.bb

@@ -36,6 +36,15 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://CVE-2024-27281.patch \
            file://CVE-2024-27280.patch \
            file://CVE-2024-27282.patch \
+           file://CVE-2024-49761-0001.patch \
+           file://CVE-2024-49761-0002.patch \
+           file://CVE-2024-49761-0003.patch \
+           file://CVE-2024-49761-0004.patch \
+           file://CVE-2024-49761-0005.patch \
+           file://CVE-2024-49761-0006.patch \
+           file://CVE-2024-49761-0007.patch \
+           file://CVE-2024-49761-0008.patch \
+           file://CVE-2024-49761-0009.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
 

meta/recipes-extended/wget/wget/CVE-2024-10524.patch

@@ -0,0 +1,197 @@
+From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
+From: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Sun, 27 Oct 2024 19:53:14 +0100
+Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs)
+
+* doc/wget.texi: Add documentation for removed support for shorthand URLs.
+* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
+* src/main.c (main): Likewise.
+* src/retr.c (getproxy): Likewise.
+* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
+  add new function is_valid_port.
+* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
+
+Reported-by: Goni Golan <gonig@jfrog.com>
+
+CVE: CVE-2024-10524
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ doc/wget.texi  | 12 ++++-------
+ src/html-url.c |  2 +-
+ src/main.c     |  2 +-
+ src/retr.c     |  2 +-
+ src/url.c      | 57 ++++++++++++++++----------------------------------
+ src/url.h      |  2 +-
+ 6 files changed, 26 insertions(+), 51 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 3c24de2..503a03d 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -314,8 +314,8 @@ for text files.  Here is an example:
+ ftp://host/directory/file;type=a
+ @end example
+ 
+-Two alternative variants of @sc{url} specification are also supported,
+-because of historical (hysterical?) reasons and their widespreaded use.
++The two alternative variants of @sc{url} specifications are no longer
++supported because of security considerations:
+ 
+ @sc{ftp}-only syntax (supported by @code{NcFTP}):
+ @example
+@@ -327,12 +327,8 @@ host:/dir/file
+ host[:port]/dir/file
+ @end example
+ 
+-These two alternative forms are deprecated, and may cease being
+-supported in the future.
+-
+-If you do not understand the difference between these notations, or do
+-not know which one to use, just use the plain ordinary format you use
+-with your favorite browser, like @code{Lynx} or @code{Netscape}.
++These two alternative forms have been deprecated long time ago,
++and support is removed with version 1.22.0.
+ 
+ @c man begin OPTIONS
+ 
+diff --git a/src/html-url.c b/src/html-url.c
+index 896d6fc..3deea9c 100644
+--- a/src/html-url.c
++++ b/src/html-url.c
+@@ -931,7 +931,7 @@ get_urls_file (const char *file)
+           url_text = merged;
+         }
+ 
+-      new_url = rewrite_shorthand_url (url_text);
++      new_url = maybe_prepend_scheme (url_text);
+       if (new_url)
+         {
+           xfree (url_text);
+diff --git a/src/main.c b/src/main.c
+index d1c3c3e..f1d7792 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
+       struct iri *iri = iri_new ();
+       struct url *url_parsed;
+ 
+-      t = rewrite_shorthand_url (argv[optind]);
++      t = maybe_prepend_scheme (argv[optind]);
+       if (!t)
+         t = argv[optind];
+ 
+diff --git a/src/retr.c b/src/retr.c
+index 38c9fcf..a124046 100644
+--- a/src/retr.c
++++ b/src/retr.c
+@@ -1493,7 +1493,7 @@ getproxy (struct url *u)
+ 
+   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
+      getproxy() to return static storage. */
+-  rewritten_url = rewrite_shorthand_url (proxy);
++  rewritten_url = maybe_prepend_scheme (proxy);
+   if (rewritten_url)
+     return rewritten_url;
+ 
+diff --git a/src/url.c b/src/url.c
+index 0acd3f3..6868825 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
+   return true;
+ }
+ 
+-/* Used by main.c: detect URLs written using the "shorthand" URL forms
+-   originally popularized by Netscape and NcFTP.  HTTP shorthands look
+-   like this:
+-
+-   www.foo.com[:port]/dir/file   -> http://www.foo.com[:port]/dir/file
+-   www.foo.com[:port]            -> http://www.foo.com[:port]
+-
+-   FTP shorthands look like this:
+-
+-   foo.bar.com:dir/file          -> ftp://foo.bar.com/dir/file
+-   foo.bar.com:/absdir/file      -> ftp://foo.bar.com//absdir/file
++static bool is_valid_port(const char *p)
++{
++  unsigned port = (unsigned) atoi (p);
++  if (port == 0 || port > 65535)
++    return false;
+ 
+-   If the URL needs not or cannot be rewritten, return NULL.  */
++  int digits = strspn (p, "0123456789");
++  return digits && (p[digits] == '/' || p[digits] == '\0');
++}
+ 
++/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
+ char *
+-rewrite_shorthand_url (const char *url)
++maybe_prepend_scheme (const char *url)
+ {
+-  const char *p;
+-  char *ret;
+-
+   if (url_scheme (url) != SCHEME_INVALID)
+     return NULL;
+ 
+-  /* Look for a ':' or '/'.  The former signifies NcFTP syntax, the
+-     latter Netscape.  */
+-  p = strpbrk (url, ":/");
++  const char *p = strchr (url, ':');
+   if (p == url)
+     return NULL;
+ 
+   /* If we're looking at "://", it means the URL uses a scheme we
+      don't support, which may include "https" when compiled without
+-     SSL support.  Don't bogusly rewrite such URLs.  */
++     SSL support.  Don't bogusly prepend "http://" to such URLs.  */
+   if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
+     return NULL;
+ 
+-  if (p && *p == ':')
+-    {
+-      /* Colon indicates ftp, as in foo.bar.com:path.  Check for
+-         special case of http port number ("localhost:10000").  */
+-      int digits = strspn (p + 1, "0123456789");
+-      if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
+-        goto http;
+-
+-      /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
+-      if ((ret = aprintf ("ftp://%s", url)) != NULL)
+-        ret[6 + (p - url)] = '/';
+-    }
+-  else
+-    {
+-    http:
+-      /* Just prepend "http://" to URL. */
+-      ret = aprintf ("http://%s", url);
+-    }
+-  return ret;
++  if (p && p[0] == ':' && !is_valid_port (p + 1))
++    return NULL;
++
++
++  fprintf(stderr, "Prepended http:// to '%s'\n", url);
++  return aprintf ("http://%s", url);
+ }
+ 
+ static void split_path (const char *, char **, char **);
+diff --git a/src/url.h b/src/url.h
+index fb9da33..5f99b0a 100644
+--- a/src/url.h
++++ b/src/url.h
+@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
+ 
+ int mkalldirs (const char *);
+ 
+-char *rewrite_shorthand_url (const char *);
++char *maybe_prepend_scheme (const char *);
+ bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
+ 
+ bool are_urls_equal (const char *u1, const char *u2);
+-- 
+2.40.0
+

meta/recipes-extended/wget/wget_1.21.4.bb

@@ -1,6 +1,7 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://0002-improve-reproducibility.patch \
            file://CVE-2024-38428.patch \
+           file://CVE-2024-10524.patch \
           "
 
 SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"

meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb

@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e44a864642ca01372ce3bc73985ae5c15039239d"
-SRCREV_meta ?= "d76891c15fa8b0734c3fd9513594ed6e5b9f620d"
+SRCREV_machine ?= "e7c2ec263d8c16095369ddd7523a9514aeff11e8"
+SRCREV_meta ?= "853814dcf5cf386ac47bcc85ef384d2055c8a4e7"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.15.175"
+LINUX_VERSION ?= "5.15.178"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 

meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb

@@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.15.175"
+LINUX_VERSION ?= "5.15.178"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "21359d0259838662bde27fc0164bdc5b0786a01f"
-SRCREV_meta ?= "d76891c15fa8b0734c3fd9513594ed6e5b9f620d"
+SRCREV_machine ?= "ac353b3cfa6ce5383c90fa9f3dc742fac5ee5ea4"
+SRCREV_meta ?= "853814dcf5cf386ac47bcc85ef384d2055c8a4e7"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 

meta/recipes-kernel/linux/linux-yocto_5.15.bb

@@ -14,24 +14,24 @@ KBRANCH:qemux86  ?= "v5.15/standard/base"
 KBRANCH:qemux86-64 ?= "v5.15/standard/base"
 KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64"
 
-SRCREV_machine:qemuarm ?= "71b7c06f25df2a8971d00ca9240fdc657ca12e14"
-SRCREV_machine:qemuarm64 ?= "d8355f2c75c6135afbf2e7af95beeb164c0f90a6"
-SRCREV_machine:qemumips ?= "06d279ec8ff88a1335d5545acb7e89cb779fd5d1"
-SRCREV_machine:qemuppc ?= "54de5d312356aabbccb7e7cbf9d2775792818755"
-SRCREV_machine:qemuriscv64 ?= "b516538c454980b6dea36a7163a3c182b41d45a2"
-SRCREV_machine:qemuriscv32 ?= "b516538c454980b6dea36a7163a3c182b41d45a2"
-SRCREV_machine:qemux86 ?= "b516538c454980b6dea36a7163a3c182b41d45a2"
-SRCREV_machine:qemux86-64 ?= "b516538c454980b6dea36a7163a3c182b41d45a2"
-SRCREV_machine:qemumips64 ?= "67003ffdcc2b524e27729b1734aad8f5ca9fa7b2"
-SRCREV_machine ?= "b516538c454980b6dea36a7163a3c182b41d45a2"
-SRCREV_meta ?= "d76891c15fa8b0734c3fd9513594ed6e5b9f620d"
+SRCREV_machine:qemuarm ?= "31fa49dbe9f3a64362078de6b59da96afcad718f"
+SRCREV_machine:qemuarm64 ?= "e46eb0a3250c9a5ee8ebea25a80298f693ae691c"
+SRCREV_machine:qemumips ?= "539bfe9f18782440707e86df545a47f425208797"
+SRCREV_machine:qemuppc ?= "c26ce5169b6964dcdafb09b4528c47b378f94528"
+SRCREV_machine:qemuriscv64 ?= "9026df72c466542d6a1592bdc12c9c8dfa54dd33"
+SRCREV_machine:qemuriscv32 ?= "9026df72c466542d6a1592bdc12c9c8dfa54dd33"
+SRCREV_machine:qemux86 ?= "9026df72c466542d6a1592bdc12c9c8dfa54dd33"
+SRCREV_machine:qemux86-64 ?= "9026df72c466542d6a1592bdc12c9c8dfa54dd33"
+SRCREV_machine:qemumips64 ?= "d633d7d27475d3615f5a33467c04b0b0cb14517c"
+SRCREV_machine ?= "9026df72c466542d6a1592bdc12c9c8dfa54dd33"
+SRCREV_meta ?= "853814dcf5cf386ac47bcc85ef384d2055c8a4e7"
 
 # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
 # get the <version>/base branch, which is pure upstream -stable, and the same
 # meta SRCREV as the linux-yocto-standard builds. Select your version using the
 # normal PREFERRED_VERSION settings.
 BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "91786f140358b1e56efdb0feccb337ce3a59c031"
+SRCREV_machine:class-devupstream ?= "c16c81c81336c0912eb3542194f16215c0a40037"
 PN:class-devupstream = "linux-yocto-upstream"
 KBRANCH:class-devupstream = "v5.15/base"
 
@@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.15.175"
+LINUX_VERSION ?= "5.15.178"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"

meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb

@@ -72,5 +72,14 @@ CVE_PRODUCT = "gstreamer"
 
 # these CVEs are patched in gstreamer1.0-plugins-bad
 CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444"
+# these CVEs are patched in gstreamer1.0-plugins-base
+CVE_CHECK_IGNORE += "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835"
+# these CVEs are patched in gstreamer1.0-plugins-good
+CVE_CHECK_IGNORE += " \
+    CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \
+    CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \
+    CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \
+    CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \
+"
 
 PTEST_BUILD_HOST_FILES = ""

meta/recipes-support/vte/vte/CVE-2024-37535-0001.patch

@@ -0,0 +1,63 @@
+From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] emulation: Restrict resize request to sane numbers
+
+Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
+
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vteseq.cc | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 2c5b1e128..5b3f398e2 100644
+--- a/src/vteseq.cc
++++ b/src/vteseq.cc
+@@ -213,9 +213,18 @@ Terminal::emit_bell()
+ /* Emit a "resize-window" signal.  (Grid size.) */
+ void
+ Terminal::emit_resize_window(guint columns,
+-                                       guint rows)
+-{
+-        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
++                             guint rows)
++{
++        // Ignore resizes with excessive number of rows or columns,
++        // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
++        if (columns < VTE_MIN_GRID_WIDTH ||
++            columns > 511 ||
++            rows < VTE_MIN_GRID_HEIGHT ||
++            rows > 511)
++                return;
++
++        _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
++                         columns, rows);
+         g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
+ }
+ 
+@@ -4467,8 +4476,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+         else if (param < 24)
+                 return;
+ 
+-        _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+         emit_resize_window(m_column_count, param);
+ }
+ 
+@@ -8990,9 +8997,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+                 seq.collect(1, {&height, &width});
+ 
+                 if (width != -1 && height != -1) {
+-                        _vte_debug_print(VTE_DEBUG_EMULATION,
+-                                         "Resizing window to %d columns, %d rows.\n",
+-                                         width, height);
+                         emit_resize_window(width, height);
+                 }
+                 break;
+-- 
+GitLab

meta/recipes-support/vte/vte/CVE-2024-37535-0002.patch

@@ -0,0 +1,85 @@
+From c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] widget: Add safety limit to widget size requests
+
+https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
+
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 24bdd7184..48cae79c1 100644
+--- a/src/vtegtk.cc
++++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template<typename T>
+ constexpr bool check_enum_value(T value) noexcept;
+ 
++static inline void
++sanitise_widget_size_request(int* minimum,
++                             int* natural) noexcept
++{
++        // Overly large size requests will make gtk happily allocate
++        // a window size over the window system's limits (see
++        // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
++        // leading to aborting the whole process.
++        // The toolkit should be in a better position to know about
++        // these limits and not exceed them (which here is certainly
++        // possible since our minimum sizes are very small), let's
++        // limit the widget's size request to some large value
++        // that hopefully is within the absolute limits of
++        // the window system (assumed here to be int16 range,
++        // and leaving some space for the widgets that contain
++        // the terminal).
++        auto const limit = (1 << 15) - (1 << 12);
++
++        if (*minimum > limit || *natural > limit) {
++                static auto warned = false;
++
++                if (!warned) {
++                        g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
++                                  *minimum, *natural);
++                        warned = true;
++                }
++        }
++
++        *minimum = std::min(*minimum, limit);
++        *natural = std::clamp(*natural, *minimum, limit);
++}
++
+ struct _VteTerminalClassPrivate {
+         GtkStyleProvider *style_provider;
+ };
+@@ -510,6 +542,7 @@ try
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
++        sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -524,6 +557,7 @@ try
+ {
+ 	VteTerminal *terminal = VTE_TERMINAL(widget);
+         WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
++        sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -781,6 +815,7 @@ try
+         WIDGET(terminal)->measure(orientation, for_size,
+                                   minimum, natural,
+                                   minimum_baseline, natural_baseline);
++        sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+-- 
+GitLab

meta/recipes-support/vte/vte_0.66.2.bb

@@ -19,8 +19,13 @@ GIR_MESON_OPTION = 'gir'
 inherit gnomebase gtk-doc features_check upstream-version-is-even gobject-introspection
 
 # vapigen.m4 is required when vala is not present (but the one from vala should be used normally)
-SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
-            file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch"
+SRC_URI += " \
+            file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
+            file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch \
+            file://CVE-2024-37535-0001.patch \
+            file://CVE-2024-37535-0002.patch \
+            "
+
 SRC_URI[archive.sha256sum] = "e89974673a72a0a06edac6d17830b82bb124decf0cb3b52cebc92ec3ff04d976"
 
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"

scripts/install-buildtools

@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
 
 DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
 DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-4.0.22'
-DEFAULT_INSTALLER_VERSION = '4.0.22'
+DEFAULT_RELEASE = 'yocto-4.0.23'
+DEFAULT_INSTALLER_VERSION = '4.0.23'
 DEFAULT_BUILDDATE = '202110XX'
 
 # Python version sanity check