build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: c4194cadb1180da37514c55cd97827eb0269c8e2)

Signed-off-by: Paul Barker <paul@pbarker.dev>

documentation/overview-manual/concepts.rst

@@ -454,7 +454,7 @@ typically find in the distribution layer:
    (``conf/distro/distro.conf``), and any distribution-wide include
    files.
 
--  *recipes-*:* Recipes and append files that affect common
+-  *recipes-\*:* Recipes and append files that affect common
    functionality across the distribution. This area could include
    recipes and append files to add distribution-specific configuration,
    initialization scripts, custom image recipes, and so forth. Examples

documentation/ref-manual/system-requirements.rst

@@ -84,6 +84,7 @@ organizations publishing them no longer make updates publicly available:
 
 -  Fedora 39
 -  Fedora 40
+-  Fedora 41
 
 Note that the Yocto Project doesn't have access to private updates
 that some of these versions may have. Therefore, our testing has

meta/lib/oe/lsb.py

@@ -14,7 +14,7 @@ def get_os_release():
                     key, val = line.rstrip().split('=', 1)
                 except ValueError:
                     continue
-                data[key.strip()] = val.strip('"')
+                data[key.strip()] = val.strip('"\'')
     return data
 
 def release_dict_osr():

meta/recipes-connectivity/inetutils/inetutils/CVE-2026-28372.patch

@@ -0,0 +1,86 @@
+From 4db2f19f4caac03c7f4da6363c140bd70df31386 Mon Sep 17 00:00:00 2001
+From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Date: Sun, 15 Feb 2026 15:38:50 +0100
+Subject: [PATCH] telnetd: don't allow systemd service credentials
+
+The login(1) implementation of util-linux added support for
+systemd service credentials in release 2.40.  This allows to
+bypass authentication by specifying a directory name in the
+environment variable CREDENTIALS_DIRECTORY.  If this directory
+contains a file named 'login.noauth' with the content of 'yes',
+login(1) skips authentication.
+
+GNU Inetutils telnetd supports to set arbitrary environment
+variables using the 'Environment' and 'New Environment'
+Telnet options.  This allows specifying a directory containing
+'login.noauth'.  A local user can create such a directory
+and file, and, e.g., specify the user name 'root' to escalate
+privileges.
+
+This problem was reported by Ron Ben Yizhak in
+<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
+
+This commit clears CREDENTIALS_DIRECTORY from the environment
+before executing login(1) to implement a simple fix that can
+be backported easily.
+
+* NEWS.md: Mention fix.
+* THANKS: Mention Ron Ben Yizhak.
+* telnetd/pty.c: Clear CREDENTIALS_DIRECTORY from the environment
+before executing 'login'.
+
+CVE: CVE-2026-28372
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=4db2f19f4caac03c7f4da6363c140bd70df31386]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS          | 5 +++++
+ THANKS        | 1 +
+ telnetd/pty.c | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 877ca53b..f5172a71 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,10 @@
+ GNU inetutils NEWS -- history of user-visible changes.
+ 
++** Prevent privilege escalation via telnetd abusing systemd service
++credentials support added to the login(1) implementation of util-linux
++in release 2.40.  Reported by Ron Ben Yizhak in
++<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
++
+ * Noteworthy changes in release 2.2 (2021-09-01) [stable]
+ 
+ ** ftp
+diff --git a/THANKS b/THANKS
+index 8d1d3dbb..ef5f6063 100644
+--- a/THANKS
++++ b/THANKS
+@@ -9,6 +9,7 @@ In particular:
+   NIIBE Yutaka		 (Security fixes & making talk finally work)
+   Nathan Neulinger       (tftpd)
+   Thomas Bushnell        (sockaddr sin_len field)
++  Ron Ben Yizhak         (reported privilege escalation via telnetd)
+ 
+ Please see version control logs and ChangeLog.? for full credits.
+ 
+diff --git a/telnetd/pty.c b/telnetd/pty.c
+index c727e7be..f3518049 100644
+--- a/telnetd/pty.c
++++ b/telnetd/pty.c
+@@ -132,6 +132,14 @@ start_login (char *host, int autologin, char *name)
+   if (!cmd)
+     fatal (net, "can't expand login command line");
+   argcv_get (cmd, "", &argc, &argv);
++
++  /* util-linux's "login" introduced an authentication bypass method
++   * via environment variable "CREDENTIALS_DIRECTORY" in version 2.40.
++   * Clear it from the environment before executing "login" to prevent
++   * abuse via Telnet.
++   */
++  unsetenv ("CREDENTIALS_DIRECTORY");
++
+   execv (argv[0], argv);
+   syslog (LOG_ERR, "%s: %m\n", cmd);
+   fatalperror (net, cmd);

meta/recipes-connectivity/inetutils/inetutils_2.2.bb

@@ -26,6 +26,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
            file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
            file://CVE-2026-24061-01.patch \
            file://CVE-2026-24061-02.patch \
+           file://CVE-2026-28372.patch \
 "
 
 inherit autotools gettext update-alternatives texinfo

meta/recipes-core/busybox/busybox/CVE-2025-60876.patch

@@ -0,0 +1,38 @@
+From 32c0f6f240fcb041ae7df44a9bbf958d627a8212 Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Fri, 21 Nov 2025 11:21:18 +0200
+Subject: [PATCH] wget: don't allow control characters or spaces in the URL
+
+Fixes CVE-2025-60876 malicious URL can be used to inject
+HTTP headers in the request.
+
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+Reviewed-by: Emmanuel Deloget <logout@free.fr>
+
+CVE: CVE-2025-60876
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-November/091840.html]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ networking/wget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index 9ec0e67..7602563 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
+ {
+ 	char *url, *p, *sp;
+ 
++	/* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
++	/* otherwise a malicious URL can be used to inject HTTP headers in the request */
++	const unsigned char *u = (void *) src_url;
++	while (*u) {
++		if (*u <= ' ')
++			bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
++		u++;
++	}
++
+ 	free(h->allocated);
+ 	h->allocated = url = xstrdup(src_url);
+ 

meta/recipes-core/busybox/busybox_1.35.0.bb

@@ -61,6 +61,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2023-39810.patch \
            file://CVE-2025-46394-01.patch \
            file://CVE-2025-46394-02.patch \
+           file://CVE-2025-60876.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "974e67818b583f5638c389e7bce662633e09a1bf"
+SRCREV ?= "1aee6e9648661c1e6159127c2b6e4690576020f7"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \

meta/recipes-devtools/createrepo-c/createrepo-c/0001-Use-proper-cast-for-PyMethodDef.ml_meth.patch

@@ -0,0 +1,41 @@
+From d2dd32bcdcc717a0da48d5e983c4396ccc79fc9c Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Sun, 15 Mar 2026 23:25:16 +0100
+Subject: [PATCH] Use proper cast for PyMethodDef.ml_meth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PyMethodDef.ml_meth is of PyCFunction type. Using a
+PyCFunctionWithKeywords cast for its initializer trigger build failure
+with GCC >=14 [0]:
+| FAILED: src/python/CMakeFiles/_createrepo_c.dir/createrepo_cmodule.c.o
+| build/tmp-glibc/hosttools/gcc [...] python/createrepo_cmodule.c
+| python/createrepo_cmodule.c:82:41: error: initialization of ‘PyObject * (*)(PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *)’} from incompatible pointer type ‘PyObject * (*)(PyObject *, PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _object *, struct _object *, struct _object *)’} [-Wincompatible-pointer-types]
+|    82 |     {"xml_parse_main_metadata_together",(PyCFunctionWithKeywords)py_xml_parse_main_metadata_together,
+|       |                                         ^
+| src/python/createrepo_cmodule.c:82:41: note: (near initialization for ‘createrepo_c_methods[15].ml_meth’)
+
+Fix this by using the proper (PyCFunction) cast.
+
+[0]: https://gcc.gnu.org/gcc-14/porting_to.html#incompatible-pointer-types
+
+Upstream-Status: Inappropriate [Upstream removed the patched code in 7092ab2 (Remove python bindings for xml_parse_main_metadata_together, 2022-03-17)]
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ src/python/createrepo_cmodule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/python/createrepo_cmodule.c b/src/python/createrepo_cmodule.c
+index c0b9200..94a206d 100644
+--- a/src/python/createrepo_cmodule.c
++++ b/src/python/createrepo_cmodule.c
+@@ -79,7 +79,7 @@ static struct PyMethodDef createrepo_c_methods[] = {
+         METH_VARARGS, xml_parse_repomd__doc__},
+     {"xml_parse_updateinfo",    (PyCFunction)py_xml_parse_updateinfo,
+         METH_VARARGS, xml_parse_updateinfo__doc__},
+-    {"xml_parse_main_metadata_together",(PyCFunctionWithKeywords)py_xml_parse_main_metadata_together,
++    {"xml_parse_main_metadata_together",(PyCFunction)py_xml_parse_main_metadata_together,
+         METH_VARARGS | METH_KEYWORDS, xml_parse_main_metadata_together__doc__},
+     {"checksum_name_str",       (PyCFunction)py_checksum_name_str,
+         METH_VARARGS, checksum_name_str__doc__},

meta/recipes-devtools/createrepo-c/createrepo-c_0.19.0.bb

@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 SRC_URI = "git://github.com/rpm-software-management/createrepo_c;branch=master;protocol=https \
            file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
+           file://0001-Use-proper-cast-for-PyMethodDef.ml_meth.patch \
            "
 
 SRCREV = "a531ee881a8f1d9273b4383fb9fa604c56fff138"

meta/recipes-devtools/libcomps/libcomps/0001-Fix-build-use-correct-variable-for-category-and-env.patch

@@ -0,0 +1,48 @@
+From adcf4aaca08ea712af4b4e886931fd8ed59c7bf7 Mon Sep 17 00:00:00 2001
+From: Aleš Matěj <amatej@redhat.com>
+Date: Tue, 2 Jan 2024 08:32:55 +0100
+Subject: [PATCH] Fix build: use correct variable for category and env
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+- error: assignment to ‘COMPS_DocGroup *’ from incompatible pointer type ‘COMPS_DocCategory *’
+- error: assignment to ‘COMPS_DocGroup *’ from incompatible pointer type ‘COMPS_DocEnv *’
+
+For: https://fedoraproject.org/wiki/Changes/PortingToModernC
+(https://fedoraproject.org/wiki/Toolchain/PortingToModernC)
+(https://gitlab.com/fweimer-rh/fedora-modernc-logs/-/blob/main/logs/l/libcomps.log)
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/libcomps/commit/a71bce7e62990550a57688e51b14eb82d6de196b]
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ libcomps/tests/check_parse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libcomps/tests/check_parse.c b/libcomps/tests/check_parse.c
+index e5935e1..689cb98 100644
+--- a/libcomps/tests/check_parse.c
++++ b/libcomps/tests/check_parse.c
+@@ -585,8 +585,8 @@ START_TEST(test_arch)
+     list = comps_doc_categories(doc2);
+     ck_assert(list->len == 2);
+     for (it = list->first, x=0; it != NULL; it = it->next, x++) {
+-        g = (COMPS_DocCategory*)it->comps_obj;
+-        str = (COMPS_Str*)comps_doccategory_get_id(g);
++        c = (COMPS_DocCategory*)it->comps_obj;
++        str = (COMPS_Str*)comps_doccategory_get_id(c);
+         ck_assert_msg(strcmp(str->val, cats[0][x]) == 0, "%s != %s",
+                       str->val, cats[0][x]);
+         COMPS_OBJECT_DESTROY(str);
+@@ -605,8 +605,8 @@ START_TEST(test_arch)
+     list = comps_doc_environments(doc2);
+     ck_assert(list->len == 2);
+     for (it = list->first, x=0; it != NULL; it = it->next, x++) {
+-        g = (COMPS_DocEnv*)it->comps_obj;
+-        str = (COMPS_Str*)comps_docenv_get_id(g);
++        e = (COMPS_DocEnv*)it->comps_obj;
++        str = (COMPS_Str*)comps_docenv_get_id(e);
+         ck_assert_msg(strcmp(str->val, envs[0][x]) == 0, "%s != %s",
+                       str->val, envs[0][x]);
+         COMPS_OBJECT_DESTROY(str);

meta/recipes-devtools/libcomps/libcomps_0.1.18.bb

@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 SRC_URI = "git://github.com/rpm-software-management/libcomps.git;branch=master;protocol=https \
            file://0002-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
+           file://0001-Fix-build-use-correct-variable-for-category-and-env.patch \
            "
 
 SRCREV = "dee4ae37f7818709802de28c4d16fa823bd83ae2"

meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch

@@ -0,0 +1,37 @@
+From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124]
+CVE: CVE-2026-1703
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ news/+1ee322a1.bugfix.rst            | 1 +
+ src/pip/_internal/utils/unpacking.py | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
+new file mode 100644
+index 0000000..edb1b32
+--- /dev/null
++++ b/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
++Use a path-segment prefix comparison, not char-by-char.
+diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
+index 5f63f97..3cebbf7 100644
+--- a/src/pip/_internal/utils/unpacking.py
++++ b/src/pip/_internal/utils/unpacking.py
+@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+-- 
+2.25.1
+

meta/recipes-devtools/python/python3-pip_22.0.3.bb

@@ -38,6 +38,7 @@ SRC_URI += "file://0001-change-shebang-to-python3.patch \
             file://no_shebang_mangling.patch \
             file://reproducible.patch \
             file://CVE-2023-5752.patch \
+            file://CVE-2026-1703.patch \
            "
 
 SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"

meta/recipes-extended/pam/libpam/CVE-2024-10963.patch

@@ -0,0 +1,229 @@
+From f9ccee5c4c6cb0d4197b08ebeb36c1dceffe82e8 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Thu, 14 Nov 2024 10:27:28 +0100
+Subject: [PATCH] pam_access: rework resolving of tokens as hostname
+
+* modules/pam_access/pam_access.c: separate resolving of IP addresses
+  from hostnames. Don't resolve TTYs or display variables as hostname
+  (#834).
+  Add "nodns" option to disallow resolving of tokens as hostname.
+* modules/pam_access/pam_access.8.xml: document nodns option
+* modules/pam_access/access.conf.5.xml: document that hostnames should
+  be written as FQHN.
+
+CVE: CVE-2024-10963
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ modules/pam_access/access.conf.5.xml |  4 ++
+ modules/pam_access/pam_access.8.xml  | 46 ++++++++++++------
+ modules/pam_access/pam_access.c      | 72 +++++++++++++++++++++++++++-
+ 3 files changed, 105 insertions(+), 17 deletions(-)
+
+diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
+index 8fdbc31..dc505a6 100644
+--- a/modules/pam_access/access.conf.5.xml
++++ b/modules/pam_access/access.conf.5.xml
+@@ -226,6 +226,10 @@
+       item and the line will be most probably ignored. For this reason, it is not
+       recommended to put spaces around the ':' characters.
+     </para>
++    <para>
++      Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
++      confusion with device names or PAM service names.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id="access.conf-see_also">
+diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
+index 9a6556c..eab9d9f 100644
+--- a/modules/pam_access/pam_access.8.xml
++++ b/modules/pam_access/pam_access.8.xml
+@@ -25,11 +25,14 @@
+       <arg choice="opt">
+         debug
+       </arg>
++      <arg choice="opt" rep="norepeat">
++        noaudit
++      </arg>
+       <arg choice="opt">
+         nodefgroup
+       </arg>
+       <arg choice="opt">
+-        noaudit
++        nodns
+       </arg>
+       <arg choice="opt">
+         accessfile=<replaceable>file</replaceable>
+@@ -112,6 +115,33 @@
+         </listitem>
+       </varlistentry>
+ 
++      <varlistentry>
++        <term>
++          nodefgroup
++        </term>
++        <listitem>
++          <para>
++            User tokens which are not enclosed in parentheses will not be
++	    matched against the group database. The backwards compatible default is
++            to try the group database match even for tokens not enclosed
++            in parentheses.
++          </para>
++        </listitem>
++      </varlistentry>
++
++      <varlistentry>
++        <term>
++          nodns
++        </term>
++        <listitem>
++          <para>
++	    Do not try to resolve tokens as hostnames, only IPv4 and IPv6
++	    addresses will be resolved. Which means to allow login from a
++	    remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
++          </para>
++        </listitem>
++      </varlistentry>
++
+       <varlistentry>
+         <term>
+           <option>fieldsep=<replaceable>separators</replaceable></option>
+@@ -153,20 +183,6 @@
+         </listitem>
+       </varlistentry>
+ 
+-      <varlistentry>
+-        <term>
+-          <option>nodefgroup</option>
+-        </term>
+-        <listitem>
+-          <para>
+-            User tokens which are not enclosed in parentheses will not be
+-	    matched against the group database. The backwards compatible default is
+-            to try the group database match even for tokens not enclosed
+-            in parentheses.
+-          </para>
+-        </listitem>
+-      </varlistentry>
+-
+     </variablelist>
+   </refsect1>
+ 
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index bca424f..00a0a77 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -92,6 +92,7 @@ struct login_info {
+     int debug;				/* Print debugging messages. */
+     int only_new_group_syntax;		/* Only allow group entries of the form "(xyz)" */
+     int noaudit;			/* Do not audit denials */
++    int nodns;                          /* Do not try to resolve tokens as hostnames */
+     const char *fs;			/* field separator */
+     const char *sep;			/* list-element separator */
+     int from_remote_host;               /* If PAM_RHOST was used for from */
+@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
+ 	    loginfo->only_new_group_syntax = YES;
+ 	} else if (strcmp (argv[i], "noaudit") == 0) {
+ 	    loginfo->noaudit = YES;
++	} else if (strcmp (argv[i], "nodns") == 0) {
++	    loginfo->nodns = YES;
+ 	} else {
+ 	    pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
+ 	}
+@@ -637,7 +640,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+       if ((str_len = strlen(string)) > tok_len
+ 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
+ 	return YES;
+-    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
++    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers/subnet (end with ".") */
+       struct addrinfo hint;
+ 
+       memset (&hint, '\0', sizeof (hint));
+@@ -712,6 +715,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ }
+ 
+ 
++static int
++is_device (pam_handle_t *pamh, const char *tok)
++{
++  struct stat st;
++  const char *dev = "/dev/";
++  char *devname;
++
++  devname = malloc (strlen(dev) + strlen (tok) + 1);
++  if (devname == NULL) {
++      pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
++      /*
++       * We should return an error and abort, but pam_access has no good
++       * error handling.
++       */
++      return NO;
++  }
++
++  char *cp = stpcpy (devname, dev);
++  strcpy (cp, tok);
++
++  if (lstat(devname, &st) != 0)
++    {
++      free (devname);
++      return NO;
++    }
++  free (devname);
++
++  if (S_ISCHR(st.st_mode))
++    return YES;
++
++  return NO;
++}
++
+ /* network_netmask_match - match a string against one token
+  * where string is a hostname or ip (v4,v6) address and tok
+  * represents either a hostname, a single ip (v4,v6) address
+@@ -773,10 +809,42 @@ network_netmask_match (pam_handle_t *pamh,
+ 	    return NO;
+ 	  }
+       }
++    else if (isipaddr(tok, NULL, NULL) == YES)
++      {
++	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++	  {
++	    if (item->debug)
++	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
++
++	    return NO;
++	  }
++	netmask_ptr = NULL;
++      }
++    else if (item->nodns)
++      {
++	/* Only hostnames are left, which we would need to resolve via DNS */
++	return NO;
++      }
+     else
+       {
++	/* Bail out on X11 Display entries and ttys. */
++	if (tok[0] == ':')
++	  {
++	    if (item->debug)
++	      pam_syslog (pamh, LOG_DEBUG,
++			  "network_netmask_match: tok=%s is X11 display", tok);
++	    return NO;
++	  }
++	if (is_device (pamh, tok))
++	  {
++	    if (item->debug)
++	      pam_syslog (pamh, LOG_DEBUG,
++			  "network_netmask_match: tok=%s is a TTY", tok);
++	    return NO;
++	  }
++
+         /*
+-	 * It is either an IP address or a hostname.
++	 * It is most likely a hostname.
+ 	 * Let getaddrinfo sort everything out
+ 	 */
+ 	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+-- 
+2.50.1
+

meta/recipes-extended/pam/libpam/CVE-2025-6020-01.patch

@@ -1528,7 +1528,7 @@ diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_n
 index b51f284..abd570d 100644
 --- a/modules/pam_namespace/pam_namespace.h
 +++ b/modules/pam_namespace/pam_namespace.h
-@@ -44,21 +44,16 @@
+@@ -44,21 +44,17 @@
  #include <stdlib.h>
  #include <errno.h>
  #include <syslog.h>
@@ -1542,7 +1542,7 @@ index b51f284..abd570d 100644
 -#include <sys/resource.h>
  #include <sys/mount.h>
  #include <sys/wait.h>
--#include <libgen.h>
+ #include <libgen.h>
  #include <fcntl.h>
  #include <sched.h>
  #include <glob.h>

meta/recipes-extended/pam/libpam_1.5.2.bb

@@ -34,6 +34,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
            file://CVE-2025-6020-01.patch \
            file://CVE-2025-6020-02.patch \
            file://CVE-2025-6020-03.patch \
+           file://CVE-2024-10963.patch \
            "
 
 SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"

meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch

@@ -0,0 +1,36 @@
+From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001
+From: lumi <lumi@suwi.moe>
+Date: Sat, 7 Jun 2025 22:27:06 +0200
+Subject: [PATCH] lzw: Fix reporting of bytes written in decoder
+
+When the LZW decoder encounters an invalid code, it stops
+processing the image and returns the whole buffer size.
+It should return the amount of bytes written, instead.
+
+Fixes #257
+
+CVE: CVE-2025-6199
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32]
+
+Signed-off-by: Shaik Moin <moins@kpit.com>
+---
+ gdk-pixbuf/lzw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 15293560b..4f3dd8beb 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self,
+                                 /* Invalid code received - just stop here */
+                                 if (self->code >= self->code_table_size) {
+                                         self->last_code = self->eoi_code;
+-                                        return output_length;
++                                        return n_written;
+                                 }
+ 
+                                 /* Convert codeword into indexes */
+-- 
+2.34.1
+

meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb

@@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
            file://fatal-loader.patch \
            file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
            file://CVE-2025-7345.patch \
+           file://CVE-2025-6199.patch \
            "
 
 SRC_URI[sha256sum] = "ee9b6c75d13ba096907a2e3c6b27b61bcd17f5c7ebeab5a5b439d2f2e39fe44b"

meta/recipes-gnome/gtk+/gtk+3/0001-Use-the-right-type-when-calling-GtkWidget-methods.patch

@@ -0,0 +1,28 @@
+From a3e82f20a1a1e7d8ffbc960a8bb4aa65b0d151ee Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Tue, 6 Dec 2022 21:49:22 +0000
+Subject: [PATCH] Use the right type when calling GtkWidget methods
+
+From: Emmanuele Bassi <ebassi@gnome.org>
+
+Let's avoid complaints from the compiler.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gtk/-/commit/a3e82f20a1a1e7d8ffbc960a8bb4aa65b0d151ee]
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ gtk/gtklabel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gtk/gtklabel.c b/gtk/gtklabel.c
+index 7933ab2af73..40a569004b6 100644
+--- a/gtk/gtklabel.c
++++ b/gtk/gtklabel.c
+@@ -4232,7 +4232,7 @@ gtk_label_style_updated (GtkWidget *widget)
+   if (change == NULL || gtk_css_style_change_affects (change, GTK_CSS_AFFECTS_FONT))
+     {
+       gtk_label_clear_layout (GTK_LABEL (widget));
+-      gtk_widget_queue_resize (label);
++      gtk_widget_queue_resize (widget);
+     }
+ 
+   if (change == NULL || gtk_css_style_change_affects (change, GTK_CSS_AFFECTS_TEXT_ATTRS) ||

meta/recipes-gnome/gtk+/gtk+3/0002-tests-Add-GdkEvent-casts-in-testinput.patch

@@ -0,0 +1,48 @@
+From 76bc2a57136fd6cf0374fa3f86a7ba646b779803 Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Fri, 19 Jan 2024 10:41:33 +0000
+Subject: [PATCH] tests: Add GdkEvent casts in testinput
+
+From: David King <amigadave@amigadave.com>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gtk/-/commit/76bc2a57136fd6cf0374fa3f86a7ba646b779803]
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ tests/testinput.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tests/testinput.c b/tests/testinput.c
+index b68552a4280..3d4d7f6f875 100644
+--- a/tests/testinput.c
++++ b/tests/testinput.c
+@@ -194,7 +194,7 @@ button_press_event (GtkWidget *widget, GdkEventButton *event)
+ 
+       print_axes (event->device, event->axes);
+       gdk_event_get_axis ((GdkEvent *)event, GDK_AXIS_PRESSURE, &pressure);
+-      draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device (event)),
++      draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device ((GdkEvent *)event)),
+                   event->x, event->y, pressure);
+ 
+       motion_time = event->time;
+@@ -239,10 +239,10 @@ motion_notify_event (GtkWidget *widget, GdkEventMotion *event)
+ 	      gdk_device_get_axis (event->device, events[i]->axes, GDK_AXIS_X, &x);
+ 	      gdk_device_get_axis (event->device, events[i]->axes, GDK_AXIS_Y, &y);
+ 	      gdk_device_get_axis (event->device, events[i]->axes, GDK_AXIS_PRESSURE, &pressure);
+-	      draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device (event)),
++	      draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device ((GdkEvent *)event)),
+                           x, y, pressure);
+ 
+-	      print_axes (gdk_event_get_source_device (event), events[i]->axes);
++	      print_axes (gdk_event_get_source_device ((GdkEvent *)event), events[i]->axes);
+ 	    }
+ 	  gdk_device_free_history (events, n_events);
+ 	}
+@@ -252,7 +252,7 @@ motion_notify_event (GtkWidget *widget, GdkEventMotion *event)
+ 
+ 	  gdk_event_get_axis ((GdkEvent *)event, GDK_AXIS_PRESSURE, &pressure);
+ 
+-	  draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device (event)),
++	  draw_brush (widget, gdk_device_get_source (gdk_event_get_source_device ((GdkEvent *)event)),
+                       event->x, event->y, pressure);
+ 	}
+       motion_time = event->time;

meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb

@@ -7,6 +7,8 @@ SRC_URI = "${GNOME_MIRROR}/gtk+/${MAJ_VER}/gtk+-${PV}.tar.xz \
            file://0003-Add-disable-opengl-configure-option.patch \
            file://link_fribidi.patch \
            file://CVE-2024-6655.patch \
+           file://0001-Use-the-right-type-when-calling-GtkWidget-methods.patch \
+           file://0002-tests-Add-GdkEvent-casts-in-testinput.patch \
            "
 SRC_URI[sha256sum] = "dbc69f90ddc821b8d1441f00374dc1da4323a2eafa9078e61edbe5eeefa852ec"
 

meta/recipes-multimedia/alsa/alsa-lib/CVE-2026-25068.patch

@@ -0,0 +1,34 @@
+From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+Malicious binary topology file may cause heap corruption.
+
+CVE: CVE-2026-25068
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+
+Upstream-Status: Backport [https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/topology/ctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/topology/ctl.c b/src/topology/ctl.c
+index a0c24518..322c461c 100644
+--- a/src/topology/ctl.c
++++ b/src/topology/ctl.c
+@@ -1246,6 +1246,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg,
+ 	if (mc->num_channels > 0) {
+ 		map = tplg_calloc(heap, sizeof(*map));
+ 		map->num_channels = mc->num_channels;
++		if (map->num_channels > SND_TPLG_MAX_CHAN ||
++		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++			SNDERR("mixer: unexpected channel count %d", map->num_channels);
++			return -EINVAL;
++		}
+ 		for (i = 0; i < map->num_channels; i++) {
+ 			map->channel[i].reg = mc->channel[i].reg;
+ 			map->channel[i].shift = mc->channel[i].shift;

meta/recipes-multimedia/alsa/alsa-lib_1.2.6.1.bb

@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7 \
                     "
 
 SRC_URI = "https://www.alsa-project.org/files/pub/lib/${BP}.tar.bz2"
+SRC_URI += "file://CVE-2026-25068.patch"
 SRC_URI[sha256sum] = "ad582993d52cdb5fb159a0beab60a6ac57eab0cc1bdf85dc4db6d6197f02333f"
 
 inherit autotools pkgconfig

meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-10256.patch

@@ -0,0 +1,31 @@
+From a25462482c02c004d685a8fcf2fa63955aaa0931 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Wed, 6 Aug 2025 16:39:47 +0000
+Subject: [PATCH] libavfilter/af_firequalizer: Add check for av_malloc_array()
+
+Add check for the return value of av_malloc_array() to avoid potential NULL pointer dereference.
+
+Fixes: d3be186ed1 ("avfilter/firequalizer: add dumpfile and dumpscale option")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2025-10256
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libavfilter/af_firequalizer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libavfilter/af_firequalizer.c b/libavfilter/af_firequalizer.c
+index 38663200eb..f14983b431 100644
+--- a/libavfilter/af_firequalizer.c
++++ b/libavfilter/af_firequalizer.c
+@@ -793,6 +793,8 @@ static int config_input(AVFilterLink *inlink)
+     if (s->dumpfile) {
+         s->analysis_rdft = av_rdft_init(rdft_bits, DFT_R2C);
+         s->dump_buf = av_malloc_array(s->analysis_rdft_len, sizeof(*s->dump_buf));
++        if (!s->dump_buf)
++            return AVERROR(ENOMEM);
+     }
+ 
+     s->analysis_buf = av_malloc_array(s->analysis_rdft_len, sizeof(*s->analysis_buf));

meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb

@@ -53,6 +53,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
            file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
            file://CVE-2025-1594.patch \
+           file://CVE-2025-10256.patch \
           "
 
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"

meta/recipes-multimedia/libtheora/libtheora_1.1.1.bb

@@ -17,6 +17,8 @@ SRC_URI[sha256sum] = "b6ae1ee2fa3d42ac489287d3ec34c5885730b1296f0801ae577a35193d
 
 UPSTREAM_CHECK_REGEX = "libtheora-(?P<pver>\d+(\.\d)+)\.(tar\.gz|tgz)"
 
+CVE_PRODUCT = "theora"
+
 inherit autotools pkgconfig
 
 EXTRA_OECONF = "--disable-examples"

meta/recipes-multimedia/libtiff/tiff/CVE-2025-61143.patch

@@ -0,0 +1,44 @@
+From 4d28af5fe61b1760f10981f5072ff1e6fd44f210 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 21:44:49 +0000
+Subject: [PATCH] tiffcrop: avoid nullptr dereference
+
+Fixes #734
+
+CVE: CVE-2025-61143
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/4d28af5fe61b1760f10981f5072ff1e6fd44f210]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c   | 2 +-
+ tools/tiffdither.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ae414efc..1cbb49b6 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2561,7 +2561,7 @@ main(int argc, char* argv[])
+ 
+     if (dump.outfile != NULL)
+       {
+-      dump_info (dump.outfile, dump.format, "", "Completed run for %s", TIFFFileName(out));
++      dump_info (dump.outfile, dump.format, "", "Completed run for %s", out ? TIFFFileName(out) : "(not opened)");
+       fclose (dump.outfile);
+       }
+     }
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 3c64fdc0..405527c7 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -84,6 +84,11 @@ fsdither(TIFF* in, TIFF* out)
+ 	    fprintf(stderr, "Out of memory.\n");
+ 	    goto skip_on_error;
+ 	}
++	if (imagewidth > TIFFScanlineSize(in))
++	{
++	    fprintf(stderr, "Image width exceeds scanline size.\n");
++	    goto skip_on_error;
++	}
+ 
+ 	/*
+ 	 * Get first line

meta/recipes-multimedia/libtiff/tiff/CVE-2025-61144.patch

@@ -0,0 +1,27 @@
+From 88cf9dbb48f6e172629795ecffae35d5052f68aa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 21:46:03 +0000
+Subject: [PATCH] tiffcrop: avoid buffer overflow
+
+Fixes #740
+
+CVE: CVE-2025-61144
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ae414efc..afa1cce5 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -3913,7 +3913,7 @@ combineSeparateSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
+     {
+     if ((dumpfile != NULL) && (level == 2))
+       {
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+         dump_info (dumpfile, format, "combineSeparateSamplesBytes","Input data, Sample %"PRIu16, s);
+         dump_buffer(dumpfile, format, 1, cols, row, srcbuffs[s] + (row * src_rowsize));

meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch

@@ -6,6 +6,7 @@ Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
 
 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
 CVE: CVE-2025-8961
+CVE: CVE-2025-61145
 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
 ---
  tools/tiffcrop.c | 8 +++++++-

meta/recipes-multimedia/libtiff/tiff_4.3.0.bb

@@ -65,6 +65,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2025-9900.patch \
            file://CVE-2025-8961.patch \
            file://CVE-2025-9165.patch \
+           file://CVE-2025-61143.patch \
+           file://CVE-2025-61144.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

scripts/install-buildtools

@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
 
 DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
 DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
-DEFAULT_RELEASE = 'yocto-4.0.32'
-DEFAULT_INSTALLER_VERSION = '4.0.32'
+DEFAULT_RELEASE = 'yocto-4.0.33'
+DEFAULT_INSTALLER_VERSION = '4.0.33'
 DEFAULT_BUILDDATE = '202110XX'
 
 # Python version sanity check