520f64ef3c
ImageMagick: Fix CVE-2025-53014
...
Backport the fix for CVE-2025-53014
Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03 ]
Add below patch to fix CVE-2025-53014
0001-ImageMagick-Fix-CVE-2025-53014.patch
Signed-off-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-12 22:06:46 +01:00
cac725f7d2
gflags: switch Git branch from master to main
...
Update SRC_URI to use the 'main' branch instead of 'master' since
the upstream GitHub repository has renamed its default branch.
Signed-off-by: Viswanath Kraleti <viswanath.kraleti@oss.qualcomm.com >
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-12 19:22:39 +01:00
d95d7c8e7b
xrdp: add ptest support
...
It takes under 10 seconds to run the suite.
Executed succesfully on x86-64, with musl and glibc.
The recipe requires pam DISTRO_FEATURE to be present.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 54ca51b6c6skandigraun@gmail.com >
2025-12-06 19:34:17 +01:00
dcc7681d01
xrdp: patch CVE-2022-23493
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:13 +01:00
fc2c0460ab
xrdp: patch CVE-2022-23484
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:11 +01:00
e89a73a759
xrdp: patch CVE-2022-23483
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:10 +01:00
e0e34a0615
xrdp: patch CVE-2022-23481
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:09 +01:00
07291c5d65
xrdp: patch CVE-2022-23480
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:09 +01:00
d2a493539f
xrdp: patch CVE-2022-23479
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:08 +01:00
444c8f69d2
xrdp: patch CVE-2022-23478
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:07 +01:00
74b0b81579
xrdp: patch CVE-2022-23477
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:06 +01:00
5709e8f6ec
xrdp: patch CVE-2022-23468
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Pick the patch that mentions this vulnerability explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:05 +01:00
f218f0373f
xrdp: upgrade 0.9.18 -> 0.9.18.1
...
Contains fix for CVE-2022-23613
Changelog: https://github.com/neutrinolabs/xrdp/releases/tag/v0.9.18.1
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-06 17:33:04 +01:00
edb07bc11e
scsirastools: Fix build with usrmerge
...
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 4448cd9ee7skandigraun@gmail.com >
2025-12-02 13:54:27 +01:00
4a70d6f944
gradm: fix installation with usrmerge enabled
...
In case usrmerge DISTRO_FEATURE is enabled, the recipe installs its
binaries into /sbin folder, which however supposed to be a symlink
to /usr/sbin folder, thus ultimately failing the installation.
To avoid this problem, backport a patch from master branch that allows
specifying the installation location.
This is a partial backport of 682657248cskandigraun@gmail.com >
2025-12-02 13:54:16 +01:00
6416254c0b
fontforge: patch CVE-2024-25081 and CVE-2024-25082
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-25081
https://nvd.nist.gov/vuln/detail/CVE-2024-25082
The same patch fixes both vulnerabilities.
Take the patch from the pull request that is referenced by the
nv report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:08 +01:00
2491ea2ffb
fontforge: patch CVE-2020-5395, CVE-2020-25690 and CVE-2020-5496
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395
https://nvd.nist.gov/vuln/detail/CVE-2020-25690
https://nvd.nist.gov/vuln/detail/CVE-2020-5496
The same patch fixes all three.
The patch for CVE-2020-25690 is mentioned in the RedHat bug, which is
referenced in the nvd report.
The patch for CVE-2020-5395 is mentioned in the Github issue that
is referenced in the nvd report.
The patch for CVE-2020-5496 is mentioned in the comments of the issue
that is linked in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:07 +01:00
48d2305f48
fontforge: ignore CVE-2019-15785
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15785
The vulnerability is not present in the currently used version, so
ignore it.
Current version: 20190801
First vulnerable version: 20190813
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 20:48:06 +01:00
67bb8e4b16
yasm: patch CVE-2021-33456
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 1e2731fce0
2025-11-30 20:48:05 +01:00
68a44fe280
yasm: patch CVE-2021-33464
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 66a0b01b52
2025-11-30 20:48:04 +01:00
5fb0376aed
yasm: patch CVE-2023-29579
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579
The patch was taken from Debian:
https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit cc30757a7f
2025-11-30 20:48:03 +01:00
b6eb044866
yasm: add alternative CVE_PRODUCT
...
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 93f85e4fd2
2025-11-30 20:48:01 +01:00
a12478e722
libraw: patch CVE-2025-43964
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43964
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
0e30e2ab37
libraw: patch CVE-2025-43963
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43963
Pick the patch that is referenced in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
cb0fcd1ae4
libraw: patch CVE-2025-43961 and CVE-2025-43962
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961
https://nvd.nist.gov/vuln/detail/CVE-2025-43962
Pick the patch that is mentioned by the nvd reports - the
same patch fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
309e9688d5
libraw: patch CVE-2023-1729
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1729
Pick the patch that is mentioned to solve the issue in the issue
linked from the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
730f4c000c
libraw: ignore CVE-2020-35535
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35535
The fix is already included in the used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
298f329594
libraw: ignore CVE-2020-35534
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35534
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
ce9b6df403
libraw: ignore CVE-2020-35533
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35533
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
73891ac756
libraw: ignore CVE-2020-35532
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35532
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
34f34b93d9
libraw: ignore CVE-2020-35531
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35531
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
27f77ae006
libraw: ignore CVE-2020-35530
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-35530
The fix is already included in the currently used revision.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
8f89a8c732
tigervnc: ignore CVE-2014-8241
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2014-8241
The vulnerability is about a potential null-pointer dereference, because
of a malloc result is not verified[1].
The vulnerable code has been refactored since completely[2], and the code isn't
present anymore in the codebase.
[1]: https://github.com/TigerVNC/tigervnc/issues/993#issuecomment-612874972 - attachment
[2]: https://github.com/TigerVNC/tigervnc/commit/b8a24f055f1a29886d8b18bb3f0902144dc5bd14
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:58 +01:00
7965aa0704
links: set CVE_PRODUCT
...
There are some unrelated software called "links", which cases
false-positive CVEs to be reported by the CVE checker.
Set the vendor/product pairs that were historically used with
CVEs for this software.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 62a5309732
2025-11-30 15:13:57 +01:00
afb1296723
jasper: patch CVE-2025-8837
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8837
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
42058c8120
jasper: patch CVE-2025-8836
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8836
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
95ecb0c563
jasper: patch CVE-2025-8835
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8835
Pick the patch that is referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
163eb9faca
jasper: patch CVE-2023-51257
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-51257
Pick the patch that's marked to solve the issue linked in the
nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
89e6b49f2d
redis-7: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
a5217f562a
redis: upgrade 7.0.13 -> 7.0.15
...
Contains fixes for CVE-2023-41056 and CVE-2023-45145.
Dropped the backported patches that are included.
Release notes: https://github.com/redis/redis/blob/7.0.15/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
d86503aa21
redis: upgrade 6.2.12 -> 6.2.21
...
This upgrade contains a list of vunerability fixes: CVE-2025-49844,
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-32023,
CVE-2025-48367, CVE-2025-21605, CVE-2024-46981, CVE-2024-31449,
CVE-2024-31228, CVE-2023-45145, CVE-2022-24834
Dropped the CVE patches that are included above.
Release notes: https://github.com/redis/redis/blob/6.2.21/00-RELEASENOTES
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
caea02d115
redis: ignore CVE-2022-3734 and CVE-2022-0543
...
CVE-2022-3734 only affects Windows.
CVE-2022-0543 affects only packages that were packaged for Debian and
Debian-derivative distros.
Neither of these issues is present in upstream Redis.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
Signed-off-by: Khem Raj <raj.khem@gmail.com >
(cherry picked from commit 8f1269507askandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
8602562caa
exiv2: patch CVE-2021-34335
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34335
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
41e6c428c8
exiv2: patch CVE-2021-34334
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34334
Pick the patches from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
0f89f58111
exiv2: patch CVE-2021-32815
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32815
Pick the patch from the PR mentioned in he nvd report.
This patch is a combination of 3 commits, which are so
small, that it is still very readable in this form also.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
19fb28a912
exiv2: patch CVE-2021-32617
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32617
Pick the patch from the PR that's mentioned by the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
3a8bb65960
exiv2: add missing CVE tag to patch
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29458
https://nvd.nist.gov/vuln/detail/CVE-2021-31292
The patch is already present, but it was missing the CVE tag, which
is added in this change.
The same patch fixes both CVEs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
aa979d9766
exiv2: patch CVE-2021-29623
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29623
Pick the patch from the PR mentioned in teh nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
b91b961b3f
libtorrent: ignore CVE-2016-5301
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-5301
This vulnerability is for another libtorrent (https://github.com/arvidn/libtorrent )
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
de561a26c0
poco: patch CVE-2023-52389
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-52389
Pick the patch from the PR mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-11-30 15:13:57 +01:00
Divyanshu Rathore
Viswanath Kraleti
Gyorgy Sarvari
Khem Raj