diff --git a/boot/uboot/Config.in b/boot/uboot/Config.in index 2d2c3f9d415..1eabd10407a 100644 --- a/boot/uboot/Config.in +++ b/boot/uboot/Config.in @@ -41,7 +41,7 @@ choice Select the specific U-Boot version you want to use config BR2_TARGET_UBOOT_LATEST_VERSION - bool "2026.04" + bool "2026.07" config BR2_TARGET_UBOOT_CUSTOM_VERSION bool "Custom version" @@ -85,7 +85,7 @@ endif config BR2_TARGET_UBOOT_VERSION string - default "2026.04" if BR2_TARGET_UBOOT_LATEST_VERSION + default "2026.07" if BR2_TARGET_UBOOT_LATEST_VERSION default BR2_TARGET_UBOOT_CUSTOM_VERSION_VALUE \ if BR2_TARGET_UBOOT_CUSTOM_VERSION default "custom" if BR2_TARGET_UBOOT_CUSTOM_TARBALL @@ -368,7 +368,7 @@ config BR2_TARGET_UBOOT_USE_BINMAN help Use binman tool for generation and signing of boot images. - https://docs.u-boot.org/en/v2026.04/develop/package/binman.html + https://docs.u-boot.org/en/v2026.07/develop/package/binman.html menu "U-Boot binary format" diff --git a/boot/uboot/uboot.hash b/boot/uboot/uboot.hash index 69164982560..e992835582d 100644 --- a/boot/uboot/uboot.hash +++ b/boot/uboot/uboot.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 ac7c04b8b7004923b00a4e5d6699c5df4d21233bac9fda690d8cfbc209fff2fd u-boot-2026.04.tar.bz2 +sha256 78e8bfc382fe388f9b55aa1daf8c563522a037779b5d4c349d1415e381f1243e u-boot-2026.07.tar.bz2 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 Licenses/gpl-2.0.txt diff --git a/package/babeld/0001-Fix-uclibc-build-issue.patch b/package/babeld/0001-Fix-uclibc-build-issue.patch deleted file mode 100644 index fb2f69e98bb..00000000000 --- a/package/babeld/0001-Fix-uclibc-build-issue.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f8e5fbb33690b516b8516590def5136e6619de4c Mon Sep 17 00:00:00 2001 -From: Dario Binacchi -Date: Tue, 17 Sep 2024 21:48:01 +0200 -Subject: [PATCH] Fix uclibc build issue - -This patch fixes the following compilation error raised by the bump to -version 1.13.1 in Buildroot [1] using uclibc as the C library for the -cross-compilation toolchain: - -net.c: In function 'babel_send': -net.c:199:27: error: 'IPV6_DONTFRAG' undeclared (first use in this function) - 199 | cmsg->cmsg_type = IPV6_DONTFRAG;; - -[1] https://patchwork.ozlabs.org/project/buildroot/patch/20240917201030.11583-1-dario.binacchi@amarulasolutions.com/ -Signed-off-by: Dario Binacchi -Upstream: https://github.com/jech/babeld/pull/121 ---- - net.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/net.c b/net.c -index 7a7b57844e6c..30de3dafe1d9 100644 ---- a/net.c -+++ b/net.c -@@ -37,6 +37,10 @@ THE SOFTWARE. - #include - #include - -+#if defined(__UCLIBC__) -+#include -+#endif -+ - #include "babeld.h" - #include "util.h" - #include "net.h" --- -2.43.0 - diff --git a/package/babeld/babeld.hash b/package/babeld/babeld.hash index ab2ffc6ef81..d24649dcd22 100644 --- a/package/babeld/babeld.hash +++ b/package/babeld/babeld.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 15f24d26da0ccfc073abcdef0309f281e4684f2aa71126f826572c4c845e8dd9 babeld-1.13.1.tar.gz +sha256 c4ed13c04880ccc3a85a99645dcb64134beac8ab0607fe32a4d07e1057ad73b7 babeld-1.14.tar.gz sha256 b415c41292cedef6c97b243609e50552887c29343566c639f23282d31efd2afd LICENCE diff --git a/package/babeld/babeld.mk b/package/babeld/babeld.mk index e9d20111f93..e20cadf9c03 100644 --- a/package/babeld/babeld.mk +++ b/package/babeld/babeld.mk @@ -4,7 +4,7 @@ # ################################################################################ -BABELD_VERSION = 1.13.1 +BABELD_VERSION = 1.14 BABELD_SITE = https://www.irif.fr/~jch/software/files BABELD_LICENSE = MIT BABELD_LICENSE_FILES = LICENCE diff --git a/package/dracut/0001-fix-functions-prevent-find_binary-from-dropping-last.patch b/package/dracut/0001-fix-functions-prevent-find_binary-from-dropping-last.patch deleted file mode 100644 index ad312d0b855..00000000000 --- a/package/dracut/0001-fix-functions-prevent-find_binary-from-dropping-last.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 94c4274e32467235fb580a27ea182169f253ca5f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C3=A9o=20Pourrier?= -Date: Tue, 28 Apr 2026 17:23:23 +0200 -Subject: [PATCH] fix(functions): prevent find_binary from dropping last PATH - element -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When `read` encounters EOF before the delimiter, it returns a non-zero -exit status, causing the while loop to terminate immediately. As a result, -if the PATH string doesn't end with a colon, the very last directory in -PATH is ignored by find_binary(). - -This caused regressions on split-usr architectures where critical -binaries reside exclusively in /bin, and /bin happens to be -appended at the very end of the PATH by dracut.sh. - -Appending a virtual colon to the Here-String ensures the loop processes -all directories correctly. - -Fixes dracut-ng issue #1467 : https://github.com/dracut-ng/dracut-ng/issues/1467 - -Upstream: https://github.com/dracut-ng/dracut-ng/pull/2416 -Signed-off-by: Matéo Pourrier ---- - dracut-functions.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dracut-functions.sh b/dracut-functions.sh -index f430a28e..5046f45e 100755 ---- a/dracut-functions.sh -+++ b/dracut-functions.sh -@@ -94,7 +94,7 @@ find_binary() { - printf "%s\n" "${_path}" - return 0 - fi -- done <<< "$PATH" -+ done <<< "${PATH}:" - - [[ -n ${dracutsysrootdir-} ]] && return 1 - type -P "${1##*/}" --- -2.34.1 - diff --git a/package/dracut/dracut.hash b/package/dracut/dracut.hash index 3288ed6ad4b..1b5b3dce55c 100644 --- a/package/dracut/dracut.hash +++ b/package/dracut/dracut.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 0d357853f8cf2371d89a8ebcbbb1fd2c1c85a79d8866925fd7385eaeb20a27dc dracut-110.tar.gz +sha256 ca949190692e91611ef16ea3642c0f764f63948860f3f742524310728c991493 dracut-111.tar.gz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/dracut/dracut.mk b/package/dracut/dracut.mk index b40f618fe81..3a1c1567e85 100644 --- a/package/dracut/dracut.mk +++ b/package/dracut/dracut.mk @@ -4,7 +4,7 @@ # ################################################################################ -DRACUT_VERSION = 110 +DRACUT_VERSION = 111 DRACUT_SITE = $(call github,dracut-ng,dracut-ng,$(DRACUT_VERSION)) DRACUT_LICENSE = GPL-2.0 DRACUT_LICENSE_FILES = COPYING diff --git a/package/fmt/0001-fix-fallback-uint128-bitwise-not.patch b/package/fmt/0001-fix-fallback-uint128-bitwise-not.patch new file mode 100644 index 00000000000..123c43ab2ce --- /dev/null +++ b/package/fmt/0001-fix-fallback-uint128-bitwise-not.patch @@ -0,0 +1,42 @@ +From 588b3a0f8f6a8bcf2a959cae882d5b2703e86737 Mon Sep 17 00:00:00 2001 +From: Vinay Kumar +Date: Thu, 18 Jun 2026 12:22:12 +0530 +Subject: [PATCH] Fix fallback uint128 bitwise not (#4813) + +Upstream: https://github.com/fmtlib/fmt/commit/588b3a0f8f6a8bcf2a959cae882d5b2703e86737 +Signed-off-by: Michael Nosthoff +--- + include/fmt/format.h | 3 +++ + test/format-test.cc | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/include/fmt/format.h b/include/fmt/format.h +index 5044befdd863..570627922c62 100644 +--- a/include/fmt/format.h ++++ b/include/fmt/format.h +@@ -326,6 +326,9 @@ class uint128 { + -> uint128 { + return {lhs.hi_ & rhs.hi_, lhs.lo_ & rhs.lo_}; + } ++ friend constexpr auto operator~(const uint128& n) -> uint128 { ++ return {~n.hi_, ~n.lo_}; ++ } + friend FMT_CONSTEXPR auto operator+(const uint128& lhs, const uint128& rhs) + -> uint128 { + auto result = uint128(lhs); +diff --git a/test/format-test.cc b/test/format-test.cc +index 9a2258d5921f..8c2670a19fc3 100644 +--- a/test/format-test.cc ++++ b/test/format-test.cc +@@ -82,6 +82,11 @@ TEST(uint128_test, minus) { + EXPECT_EQ(n - 2, 40); + } + ++TEST(uint128_test, bitwise_not) { ++ auto n = ~uint128(0x123456789abcdef0, 0x0fedcba987654321); ++ EXPECT_EQ(n, uint128(0xedcba9876543210f, 0xf0123456789abcde)); ++} ++ + TEST(uint128_test, plus_assign) { + auto n = uint128(32); + n += uint128(10); diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk index 6411a7d6211..ae1caaa221d 100644 --- a/package/gnutls/gnutls.mk +++ b/package/gnutls/gnutls.mk @@ -43,7 +43,8 @@ GNUTLS_CONF_ENV = gl_cv_socket_ipv6=yes \ gl_cv_func_gettimeofday_clobber=no GNUTLS_INSTALL_STAGING = YES -HOST_GNUTLS_DEPENDENCIES = host-pkgconf host-libtasn1 host-libunistring host-nettle +HOST_GNUTLS_DEPENDENCIES = host-pkgconf host-libtasn1 host-libunistring \ + host-nettle host-p11-kit HOST_GNUTLS_CONF_OPTS = \ --disable-doc \ --disable-libdane \ @@ -64,7 +65,7 @@ HOST_GNUTLS_CONF_OPTS = \ --disable-openssl-compatibility \ --without-brotli \ --without-idn \ - --without-p11-kit \ + --with-p11-kit \ --without-zlib \ --without-zstd diff --git a/package/intel-mediadriver/intel-mediadriver.hash b/package/intel-mediadriver/intel-mediadriver.hash index 6fbe8689ea1..99764cef985 100644 --- a/package/intel-mediadriver/intel-mediadriver.hash +++ b/package/intel-mediadriver/intel-mediadriver.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 2e10b1565f45fd2052c9704639bb6144fc56b21979039f3b44151dfe5b281e18 intel-media-26.2.3.tar.gz +sha256 a23185fca05c8fa8bdec09ea9ee8a20361163c87035ec978de4e2bb048a55534 intel-media-26.2.4.tar.gz sha256 74979d5aaee78b8da82e3aafd415a216b6131dfff6d95d6930927c8a4e3bded3 LICENSE.md diff --git a/package/intel-mediadriver/intel-mediadriver.mk b/package/intel-mediadriver/intel-mediadriver.mk index a197c2a6dee..6c77ef83a74 100644 --- a/package/intel-mediadriver/intel-mediadriver.mk +++ b/package/intel-mediadriver/intel-mediadriver.mk @@ -6,7 +6,7 @@ # based on https://software.intel.com/en-us/articles/build-and-debug-open-source-media-stack -INTEL_MEDIADRIVER_VERSION = 26.2.3 +INTEL_MEDIADRIVER_VERSION = 26.2.4 INTEL_MEDIADRIVER_SITE = https://github.com/intel/media-driver/archive INTEL_MEDIADRIVER_SOURCE= intel-media-$(INTEL_MEDIADRIVER_VERSION).tar.gz INTEL_MEDIADRIVER_LICENSE = MIT, BSD-3-Clause diff --git a/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.hash b/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.hash index 325ceff9ffd..ab25475be03 100644 --- a/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.hash +++ b/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 7cb0ce0c3b22e7f370053db5c363244feb8900fbd63da84f1e13f82776f8fddb intel-vpl-gpu-rt-26.2.3.tar.gz +sha256 c103d936d708a3910ef8572e9403aabf423197cfce6c8a6fcf870072b6564ada intel-vpl-gpu-rt-26.2.4.tar.gz sha256 c31c3cc5fd66d1250dbca1c3d9011a9f874537442ac71c8de80f2f0fed13f297 LICENSE diff --git a/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.mk b/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.mk index b2bef9c6dd1..3cdcb40d9a8 100644 --- a/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.mk +++ b/package/intel-vpl-gpu-rt/intel-vpl-gpu-rt.mk @@ -4,7 +4,7 @@ # ################################################################################ -INTEL_VPL_GPU_RT_VERSION = 26.2.3 +INTEL_VPL_GPU_RT_VERSION = 26.2.4 INTEL_VPL_GPU_RT_SITE = $(call github,intel,vpl-gpu-rt,intel-onevpl-$(INTEL_VPL_GPU_RT_VERSION)) INTEL_VPL_GPU_RT_LICENSE = MIT INTEL_VPL_GPU_RT_LICENSE_FILES = LICENSE diff --git a/package/jansson/jansson.hash b/package/jansson/jansson.hash index 747f9e4420b..af376253d46 100644 --- a/package/jansson/jansson.hash +++ b/package/jansson/jansson.hash @@ -1,3 +1,3 @@ -# From https://github.com/akheron/jansson/releases/tag/v2.15.0 -sha256 a7eac7765000373165f9373eb748be039c10b2efc00be9af3467ec92357d8954 jansson-2.15.0.tar.bz2 +# From https://github.com/akheron/jansson/releases/tag/v2.15.1 +sha256 f9aa4b3ec8496fee69db94f06f3d76fd4a26b012ee9bf1e917078c2cd2841881 jansson-2.15.1.tar.bz2 sha256 150d90904cd8de73609bb177b42edd3867b07b4b7b786dbba319f30de39fcda2 LICENSE diff --git a/package/jansson/jansson.mk b/package/jansson/jansson.mk index e60bb1aab69..29d43c9a0c7 100644 --- a/package/jansson/jansson.mk +++ b/package/jansson/jansson.mk @@ -4,7 +4,7 @@ # ################################################################################ -JANSSON_VERSION = 2.15.0 +JANSSON_VERSION = 2.15.1 JANSSON_SOURCE = jansson-$(JANSSON_VERSION).tar.bz2 JANSSON_SITE = \ https://github.com/akheron/jansson/releases/download/v$(JANSSON_VERSION) diff --git a/package/jpeg-turbo/jpeg-turbo.hash b/package/jpeg-turbo/jpeg-turbo.hash index 382f780f23e..40314214f97 100644 --- a/package/jpeg-turbo/jpeg-turbo.hash +++ b/package/jpeg-turbo/jpeg-turbo.hash @@ -1,5 +1,5 @@ -# From https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/3.1.4.1 -sha256 ecae8008e2cc9ade2f2c1bb9d5e6d4fb73e7c433866a056bd82980741571a022 libjpeg-turbo-3.1.4.1.tar.gz +# From https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/3.2.0 +sha256 6f30092cef9fb839779646608f4ee14ae3cbac989c47fa05e841b0841f09878e libjpeg-turbo-3.2.0.tar.gz # Locally computed -sha256 e10114e6e40f3d0311c401ca25245ac5ef459a43c20f976fd63f03e816f5741f LICENSE.md +sha256 ba6bceebcba0fdd35488477c2cca8c4632ce82c74dbfbc87d886ce6fc4433579 LICENSE.md sha256 75815e3bf6484201a3c3d17a1bbf10f2e8e3237f84df10a2357ea896db2a81d6 README.ijg diff --git a/package/jpeg-turbo/jpeg-turbo.mk b/package/jpeg-turbo/jpeg-turbo.mk index b00a71a2317..9a101107666 100644 --- a/package/jpeg-turbo/jpeg-turbo.mk +++ b/package/jpeg-turbo/jpeg-turbo.mk @@ -4,7 +4,7 @@ # ################################################################################ -JPEG_TURBO_VERSION = 3.1.4.1 +JPEG_TURBO_VERSION = 3.2.0 JPEG_TURBO_SOURCE = libjpeg-turbo-$(JPEG_TURBO_VERSION).tar.gz JPEG_TURBO_SITE = https://github.com/libjpeg-turbo/libjpeg-turbo/releases/download/$(JPEG_TURBO_VERSION) JPEG_TURBO_LICENSE = IJG (libjpeg), BSD-3-Clause (TurboJPEG), Zlib (SIMD) diff --git a/package/libcamera/libcamera.mk b/package/libcamera/libcamera.mk index 945207888ba..256909ebc80 100644 --- a/package/libcamera/libcamera.mk +++ b/package/libcamera/libcamera.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCAMERA_SITE = https://git.linuxtv.org/libcamera.git +LIBCAMERA_SITE = https://gitlab.freedesktop.org/camera/libcamera.git LIBCAMERA_VERSION = v0.7.1 LIBCAMERA_SITE_METHOD = git LIBCAMERA_DEPENDENCIES = \ diff --git a/package/libva-utils/libva-utils.hash b/package/libva-utils/libva-utils.hash index 68886478657..d7b1a0789b6 100644 --- a/package/libva-utils/libva-utils.hash +++ b/package/libva-utils/libva-utils.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 fa7ff29847b55010fbbb775b35382f97f29b7b97abe9a2f6fb3e22b36db5440a libva-utils-2.23.0.tar.gz +sha256 bf959a1ced3cde8176a7ff50ad358ee98e93301ac068581a8b2617c5b83afcb3 libva-utils-2.24.0.tar.gz sha256 c6220c9f87832c27abcb8a32eafdd2823e13ce146b3ea63d5deae2a76798ef50 COPYING diff --git a/package/libva-utils/libva-utils.mk b/package/libva-utils/libva-utils.mk index 3fdb6bcf704..38dd14610c4 100644 --- a/package/libva-utils/libva-utils.mk +++ b/package/libva-utils/libva-utils.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBVA_UTILS_VERSION = 2.23.0 +LIBVA_UTILS_VERSION = 2.24.0 LIBVA_UTILS_SITE = $(call github,intel,libva-utils,$(LIBVA_UTILS_VERSION)) LIBVA_UTILS_LICENSE = MIT LIBVA_UTILS_LICENSE_FILES = COPYING diff --git a/package/libva/libva.hash b/package/libva/libva.hash index 2d7e8b7ee8d..918230e1c06 100644 --- a/package/libva/libva.hash +++ b/package/libva/libva.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 b10aceb30e93ddf13b2030eb70079574ba437be9b3b76065caf28a72c07e23e7 libva-2.23.0.tar.gz +sha256 0b4a3649ee8d683b9cce2ef094df4fb039d276c0cef7e49337c43d3b297b9f42 libva-2.24.1.tar.gz sha256 c86a782ee845b52472dae9b9d79fb915d333628ac0efe49cdce63644814931de COPYING diff --git a/package/libva/libva.mk b/package/libva/libva.mk index f41a0c00ffc..9f044293d86 100644 --- a/package/libva/libva.mk +++ b/package/libva/libva.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBVA_VERSION = 2.23.0 +LIBVA_VERSION = 2.24.1 LIBVA_SITE = $(call github,intel,libva,$(LIBVA_VERSION)) LIBVA_LICENSE = MIT LIBVA_LICENSE_FILES = COPYING diff --git a/package/libvpl/libvpl.hash b/package/libvpl/libvpl.hash index 08b2de31fcb..684de90837d 100644 --- a/package/libvpl/libvpl.hash +++ b/package/libvpl/libvpl.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 d60931937426130ddad9f1975c010543f0da99e67edb1c6070656b7947f633b6 libvpl-2.16.0.tar.gz +sha256 4de3e2faf1e8307fb282e4a43f443191810f6a6b0a484fffa7995ba1c814c6ec libvpl-2.17.0.tar.gz sha256 bf1cfac2e2792b6e1e995ce103d70796aecaf2ec7e4c5fe5474f7acec7b4a677 LICENSE diff --git a/package/libvpl/libvpl.mk b/package/libvpl/libvpl.mk index 4e3c4807cda..e5ab9ac8ee1 100644 --- a/package/libvpl/libvpl.mk +++ b/package/libvpl/libvpl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBVPL_VERSION = 2.16.0 +LIBVPL_VERSION = 2.17.0 LIBVPL_SITE = $(call github,intel,libvpl,v$(LIBVPL_VERSION)) LIBVPL_LICENSE = MIT LIBVPL_LICENSE_FILES = LICENSE diff --git a/package/odhcp6c/0001-odhcp6c-const-cast-for-c23-compatibility.patch b/package/odhcp6c/0001-odhcp6c-const-cast-for-c23-compatibility.patch deleted file mode 100644 index cdb26a74342..00000000000 --- a/package/odhcp6c/0001-odhcp6c-const-cast-for-c23-compatibility.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 3b69378125aba61b3391bf5fe607983ce75b839c Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Wed, 8 Apr 2026 14:14:56 -0700 -Subject: [PATCH] odhcp6c: const cast for c23 compatibility - -strpbrk is now a macro that returns const based on the parameter. Cast -it away when we don't want const. - -Signed-off-by: Rosen Penev - -Upstream: https://github.com/openwrt/odhcp6c/pull/156 - -Signed-off-by: Bernd Kuhls ---- - src/config.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/config.c b/src/config.c -index 54e2d35..c1a3a99 100644 ---- a/src/config.c -+++ b/src/config.c -@@ -338,7 +338,7 @@ static int config_parse_opt_u8(const char *src, uint8_t **dst) - static int config_parse_opt_string(const char *src, uint8_t **dst, const bool array) - { - int o_len = 0; -- char *sep = strpbrk(src, ARRAY_SEP); -+ char *sep = strpbrk((char*)src, ARRAY_SEP); - - if (sep && !array) - return -1; -@@ -362,7 +362,7 @@ static int config_parse_opt_string(const char *src, uint8_t **dst, const bool ar - src = sep; - - if (sep) -- sep = strpbrk(src, ARRAY_SEP); -+ sep = strpbrk((char*)src, ARRAY_SEP); - } while (src); - - return o_len; -@@ -371,7 +371,7 @@ static int config_parse_opt_string(const char *src, uint8_t **dst, const bool ar - static int config_parse_opt_dns_string(const char *src, uint8_t **dst, const bool array) - { - int o_len = 0; -- char *sep = strpbrk(src, ARRAY_SEP); -+ char *sep = strpbrk((char*)src, ARRAY_SEP); - - if (sep && !array) - return -1; -@@ -399,7 +399,7 @@ static int config_parse_opt_dns_string(const char *src, uint8_t **dst, const boo - src = sep; - - if (sep) -- sep = strpbrk(src, ARRAY_SEP); -+ sep = strpbrk((char*)src, ARRAY_SEP); - } while (src); - - return o_len; -@@ -408,7 +408,7 @@ static int config_parse_opt_dns_string(const char *src, uint8_t **dst, const boo - static int config_parse_opt_ip6(const char *src, uint8_t **dst, const bool array) - { - int o_len = 0; -- char *sep = strpbrk(src, ARRAY_SEP); -+ char *sep = strpbrk((char*)src, ARRAY_SEP); - - if (sep && !array) - return -1; -@@ -433,7 +433,7 @@ static int config_parse_opt_ip6(const char *src, uint8_t **dst, const bool array - src = sep; - - if (sep) -- sep = strpbrk(src, ARRAY_SEP); -+ sep = strpbrk((char*)src, ARRAY_SEP); - } while (src); - - return o_len; -@@ -442,7 +442,7 @@ static int config_parse_opt_ip6(const char *src, uint8_t **dst, const bool array - static int config_parse_opt_user_class(const char *src, uint8_t **dst, const bool array) - { - int o_len = 0; -- char *sep = strpbrk(src, ARRAY_SEP); -+ char *sep = strpbrk((char*)src, ARRAY_SEP); - - if (sep && !array) - return -1; -@@ -471,7 +471,7 @@ static int config_parse_opt_user_class(const char *src, uint8_t **dst, const boo - src = sep; - - if (sep) -- sep = strpbrk(src, ARRAY_SEP); -+ sep = strpbrk((char*)src, ARRAY_SEP); - } while (src); - - return o_len; -@@ -555,7 +555,7 @@ int config_parse_opt(const char *opt) - struct odhcp6c_opt *dopt = NULL; - int ret = -1; - -- data = strpbrk(opt, ":"); -+ data = strpbrk((char*)opt, ":"); - if (!data) - return -1; - diff --git a/package/odhcp6c/0002-dhcpv6-use-stable-IAID-for-IA_NA.patch b/package/odhcp6c/0002-dhcpv6-use-stable-IAID-for-IA_NA.patch deleted file mode 100644 index fc70205cccb..00000000000 --- a/package/odhcp6c/0002-dhcpv6-use-stable-IAID-for-IA_NA.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 9a4d6fe802d21e4fc1b84f7d55b5c3c23e71d6ba Mon Sep 17 00:00:00 2001 -From: Paul Donald -Date: Thu, 18 Dec 2025 15:10:24 +0100 -Subject: [PATCH] dhcpv6: use stable IAID for IA_NA -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -https://www.rfc-editor.org/rfc/rfc8415.html#section-12 - - ........ The IAID is chosen by the client. For any given use of an - IA by the client, the IAID for that IA MUST be consistent across - restarts of the DHCP client. The client may maintain consistency by - either storing the IAID in non-volatile storage or using an algorithm - that will consistently produce the same IAID as long as the - configuration of the client has not changed. - -Signed-off-by: Paul Donald -Link: https://github.com/openwrt/odhcp6c/pull/140 -Signed-off-by: Álvaro Fernández Rojas - -Upstream: https://github.com/openwrt/odhcp6c/commit/9a4d6fe802d21e4fc1b84f7d55b5c3c23e71d6ba - -Signed-off-by: Bernd Kuhls ---- - src/dhcpv6.c | 15 +++++++++++++-- - src/odhcp6c.h | 1 + - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/src/dhcpv6.c b/src/dhcpv6.c -index d8bb8be..97860b1 100644 ---- a/src/dhcpv6.c -+++ b/src/dhcpv6.c -@@ -262,6 +262,9 @@ static struct dhcpv6_stats dhcpv6_stats = {0}; - // config - static struct config_dhcp* config_dhcp = NULL; - -+// store unique ifname hash to use as IA->IAID -+static uint32_t ifname_hash_iaid = 0; -+ - static uint32_t ntohl_unaligned(const uint8_t *data) - { - uint32_t buf; -@@ -542,6 +545,12 @@ void dhcpv6_reset_stats(void) - memset(&dhcpv6_stats, 0, sizeof(dhcpv6_stats)); - } - -+uint32_t hash_ifname(const char *s) { -+ uint32_t h = 0; -+ while (*s) h = h * 31 + *s++; -+ return h; -+} -+ - int init_dhcpv6(const char *ifname) - { - config_dhcp = config_dhcp_get(); -@@ -566,6 +575,8 @@ int init_dhcpv6(const char *ifname) - if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0) - goto failure; - -+ ifname_hash_iaid = hash_ifname(ifname); -+ - ifindex = ifr.ifr_ifindex; - - // Set the socket to non-blocking mode -@@ -838,7 +849,7 @@ static void dhcpv6_send(enum dhcpv6_msg req_msg_type, uint8_t trid[3], uint32_t - struct dhcpv6_ia_hdr hdr_ia_na = { - .type = htons(DHCPV6_OPT_IA_NA), - .len = htons(sizeof(hdr_ia_na) - DHCPV6_OPT_HDR_SIZE), -- .iaid = htonl(ifindex), -+ .iaid = htonl(ifname_hash_iaid), - .t1 = 0, - .t2 = 0, - }; -@@ -1392,7 +1403,7 @@ static int dhcpv6_handle_reply(enum dhcpv6_msg orig, _o_unused const int rc, - continue; - - // Test ID -- if (ia_hdr->iaid != htonl(ifindex) && otype == DHCPV6_OPT_IA_NA) -+ if (ia_hdr->iaid != htonl(ifname_hash_iaid) && otype == DHCPV6_OPT_IA_NA) - continue; - - uint16_t code = DHCPV6_Success; -diff --git a/src/odhcp6c.h b/src/odhcp6c.h -index aa73bbc..c57f885 100644 ---- a/src/odhcp6c.h -+++ b/src/odhcp6c.h -@@ -540,6 +540,7 @@ struct odhcp6c_opt { - const char *str; - }; - -+uint32_t hash_ifname(const char *s); - int init_dhcpv6(const char *ifname); - int dhcpv6_get_ia_mode(void); - int dhcpv6_promote_server_cand(void); diff --git a/package/odhcp6c/odhcp6c.hash b/package/odhcp6c/odhcp6c.hash index 86c9c659c4b..1e0b829b7ad 100644 --- a/package/odhcp6c/odhcp6c.hash +++ b/package/odhcp6c/odhcp6c.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 e9cfddfcc12c4ca0bf8d8211bb72c7018c0e0f8da6903d680da122b4ce551c56 odhcp6c-f19dd37fb467c9cf10cad57aefa0d048312d7dfd-git4.tar.gz +sha256 d2f48c57adbe2c2304ca7a8900429797e46267c6f2e376ac0166fceb85095847 odhcp6c-10a52220aec9d45803518d8cc4d63e552484ed61-git4.tar.gz sha256 e6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4 COPYING diff --git a/package/odhcp6c/odhcp6c.mk b/package/odhcp6c/odhcp6c.mk index 92688b72376..b935596312e 100644 --- a/package/odhcp6c/odhcp6c.mk +++ b/package/odhcp6c/odhcp6c.mk @@ -4,7 +4,7 @@ # ################################################################################ -ODHCP6C_VERSION = f19dd37fb467c9cf10cad57aefa0d048312d7dfd +ODHCP6C_VERSION = 10a52220aec9d45803518d8cc4d63e552484ed61 ODHCP6C_SITE = https://git.openwrt.org/project/odhcp6c.git ODHCP6C_SITE_METHOD = git ODHCP6C_LICENSE = GPL-2.0 diff --git a/package/p11-kit/p11-kit.mk b/package/p11-kit/p11-kit.mk index 68b18941839..4f4b76d543a 100644 --- a/package/p11-kit/p11-kit.mk +++ b/package/p11-kit/p11-kit.mk @@ -44,4 +44,13 @@ P11_KIT_CONF_OPTS += \ --without-libtasn1 endif +HOST_P11_KIT_DEPENDENCIES = host-pkgconf + +HOST_P11_KIT_CONF_OPTS = \ + --without-libffi \ + --without-trust-paths \ + --disable-trust-module \ + --without-libtasn1 + $(eval $(autotools-package)) +$(eval $(host-autotools-package)) diff --git a/package/pahole/pahole.hash b/package/pahole/pahole.hash index efa12184687..f70ab020d73 100644 --- a/package/pahole/pahole.hash +++ b/package/pahole/pahole.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 9a319c214b38554be8430a672043d85735564e8e1e78db5a41cba7a03d038056 pahole-1.28.tar.gz +sha256 a0b9d79bdb8d3028a87afd402a61d0ff5b05c982b15f6bab1be08ca1662cd0e9 pahole-1.31.tar.gz sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING diff --git a/package/pahole/pahole.mk b/package/pahole/pahole.mk index 150373fd7e1..cf5bd584efb 100644 --- a/package/pahole/pahole.mk +++ b/package/pahole/pahole.mk @@ -4,7 +4,7 @@ # ################################################################################ -PAHOLE_VERSION = 1.28 +PAHOLE_VERSION = 1.31 PAHOLE_SITE = https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot HOST_PAHOLE_DEPENDENCIES = \ host-elfutils \ diff --git a/package/python3/0012-3.14-gh-143927-Normalize-all-line-endings-CR-CRLF-an.patch b/package/python3/0012-3.14-gh-143927-Normalize-all-line-endings-CR-CRLF-an.patch new file mode 100644 index 00000000000..8c9b35a8d2e --- /dev/null +++ b/package/python3/0012-3.14-gh-143927-Normalize-all-line-endings-CR-CRLF-an.patch @@ -0,0 +1,71 @@ +From 71f2e02a52d47417a6fd69f456346cd8aa7aca98 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 24 Jun 2026 11:46:33 +0200 +Subject: [PATCH] [3.14] gh-143927: Normalize all line endings (CR, CRLF, and + LF) in configparser (GH-143929) (GH-152003) + +gh-143927: Normalize all line endings (CR, CRLF, and LF) in configparser (GH-143929) +(cherry picked from commit 5858e42c539dac8394636a6e9b30472b8994851f) + +Co-authored-by: Seth Larson + +Upstream: https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98 +CVE: CVE-2026-0864 + +Signed-off-by: Bernd Kuhls +--- + Lib/configparser.py | 4 +++- + Lib/test/test_configparser.py | 11 +++++++++++ + .../2026-01-16-11-58-19.gh-issue-143927.aviFeG.rst | 2 ++ + 3 files changed, 16 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-58-19.gh-issue-143927.aviFeG.rst + +diff --git a/Lib/configparser.py b/Lib/configparser.py +index a53ac872764..3c452afe8ad 100644 +--- a/Lib/configparser.py ++++ b/Lib/configparser.py +@@ -992,7 +992,9 @@ def _write_section(self, fp, section_name, section_items, delimiter, unnamed=Fal + value = self._interpolation.before_write(self, section_name, key, + value) + if value is not None or not self._allow_no_value: +- value = delimiter + str(value).replace('\n', '\n\t') ++ # Convert all possible line-endings into '\n\t' ++ value = (delimiter + str(value).replace('\r\n', '\n') ++ .replace('\r', '\n').replace('\n', '\n\t')) + else: + value = "" + fp.write("{}{}\n".format(key, value)) +diff --git a/Lib/test/test_configparser.py b/Lib/test/test_configparser.py +index 8d8dd2a2bf2..4783943f71a 100644 +--- a/Lib/test/test_configparser.py ++++ b/Lib/test/test_configparser.py +@@ -526,6 +526,17 @@ def test_default_case_sensitivity(self): + cf.get(self.default_section, "Foo"), "Bar", + "could not locate option, expecting case-insensitive defaults") + ++ def test_crlf_normalization(self): ++ cf = self.newconfig({"key1": "a\nb","key2": "a\rb", "key3": "a\r\nb", "key4": "a\r\nb"}) ++ buf = io.StringIO() ++ cf.write(buf) ++ cf_str = buf.getvalue() ++ self.assertNotIn("\r", cf_str) ++ self.assertNotIn("\r\n", cf_str) ++ self.assertEqual(cf_str.count("\n"), 10) ++ self.assertEqual(cf_str.count("\n\t"), 4) ++ self.assertTrue(cf_str.endswith("\n\n")) ++ + def test_parse_errors(self): + cf = self.newconfig() + self.parse_error(cf, configparser.ParsingError, +diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-58-19.gh-issue-143927.aviFeG.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-58-19.gh-issue-143927.aviFeG.rst +new file mode 100644 +index 00000000000..ca554997e5c +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-58-19.gh-issue-143927.aviFeG.rst +@@ -0,0 +1,2 @@ ++Normalize all line endings (CR, CRLF, and LF) to LF+TAB when writing ++multi-line configparser values. +-- +2.47.3 + diff --git a/package/python3/0013-3.14-gh-151981-Make-tarfile._Stream.seek-break-at-EO.patch b/package/python3/0013-3.14-gh-151981-Make-tarfile._Stream.seek-break-at-EO.patch new file mode 100644 index 00000000000..7db9439639d --- /dev/null +++ b/package/python3/0013-3.14-gh-151981-Make-tarfile._Stream.seek-break-at-EO.patch @@ -0,0 +1,76 @@ +From e86666c9dd256d52d0fbef6feb1ea4a51768fdec Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 23 Jun 2026 15:46:18 +0200 +Subject: [PATCH] [3.14] gh-151981: Make tarfile._Stream.seek break at EOF + (GH-151982) (#151992) + +(cherry picked from commit f50bf13566189c8d0ce5a814f33eff3d89951896) + +Co-authored-by: Petr Viktorin +Co-authored-by: Stan Ulbrych + +Upstream: https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec +CVE: CVE-2026-11972 + +Signed-off-by: Bernd Kuhls +--- + Lib/tarfile.py | 4 +++- + Lib/test/test_tarfile.py | 16 ++++++++++++++++ + ...026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst | 2 ++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index e6734db24f6..39b1cd6514c 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -524,7 +524,9 @@ def seek(self, pos=0): + if pos - self.pos >= 0: + blocks, remainder = divmod(pos - self.pos, self.bufsize) + for i in range(blocks): +- self.read(self.bufsize) ++ data = self.read(self.bufsize) ++ if not data: ++ break + self.read(remainder) + else: + raise StreamError("seeking backwards is not allowed") +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index d974c7d46ec..8503024a690 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4762,6 +4762,22 @@ def valueerror_filter(tarinfo, path): + with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter): + self.expect_exception(TypeError) # errorlevel is not int + ++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT]) ++ def test_getmembers_big_size(self, format): ++ # gh-151981: A loop in seek() for streaming files tried to read the ++ # declared number of blocks even at EOF ++ tinfo = tarfile.TarInfo("huge-file") ++ tinfo.size = 1 << 64 ++ bio = io.BytesIO() ++ # Write header without data ++ bio.write(tinfo.tobuf(format)) ++ ++ # Reset & try to get contents ++ bio.seek(0) ++ with tarfile.open(fileobj=bio, mode="r|") as tar: ++ with self.assertRaises(tarfile.ReadError): ++ tar.getmembers() ++ + + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") +diff --git a/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst b/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst +new file mode 100644 +index 00000000000..2123ab8e081 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-06-23-13-28-16.gh-issue-151981.xBHEcU.rst +@@ -0,0 +1,2 @@ ++In :mod:`tarfile`, seeking a stream now stops when end of the stream is ++reached. +-- +2.47.3 + diff --git a/package/python3/0014-3.14-gh-151987-Pass-filter_function-to-TarFile._extr.patch b/package/python3/0014-3.14-gh-151987-Pass-filter_function-to-TarFile._extr.patch new file mode 100644 index 00000000000..3b38594c758 --- /dev/null +++ b/package/python3/0014-3.14-gh-151987-Pass-filter_function-to-TarFile._extr.patch @@ -0,0 +1,151 @@ +From 5e0ef3f1afe892e4f64eb83368db57ac4c40cba0 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 29 Jun 2026 21:11:22 +0200 +Subject: [PATCH] [3.14] gh-151987: Pass filter_function to + `TarFile._extract_one()` during `.extract()` (GH-151988) (#152609) + +(cherry picked from commit 7ccdbaba2c54250a70d7f25632152df7655a5e0a) + +Co-authored-by: Petr Viktorin +Co-authored-by: Seth Michael Larson + +Upstream: https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0 +CVE: CVE-2026-4360 + +Signed-off-by: Bernd Kuhls +--- + Lib/tarfile.py | 3 +- + Lib/test/test_tarfile.py | 92 +++++++++++++++++++ + ...-06-23-14-19-30.gh-issue-151987.8mNIMf.rst | 2 + + 3 files changed, 96 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-06-23-14-19-30.gh-issue-151987.8mNIMf.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index cb09e307c46..d3c48999700 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -2538,7 +2538,8 @@ def extract(self, member, path="", set_attrs=True, *, numeric_owner=False, + tarinfo, unfiltered = self._get_extract_tarinfo( + member, filter_function, path) + if tarinfo is not None: +- self._extract_one(tarinfo, path, set_attrs, numeric_owner) ++ self._extract_one(tarinfo, path, set_attrs, numeric_owner, ++ filter_function=filter_function) + + def _get_extract_tarinfo(self, member, filter_function, path): + """Get (filtered, unfiltered) TarInfos from *member* +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 804c3e6d809..f3b61d9fbad 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4470,6 +4470,98 @@ def test_chmod_outside_dir(self): + st_mode = cc.outerdir.stat().st_mode + self.assertNotEqual(st_mode & 0o777, 0o777) + ++ @symlink_test ++ @unittest.skipUnless(hasattr(os, 'chown'), "missing os.chown") ++ @unittest.skipUnless(hasattr(os, 'lchown'), "missing os.lchown") ++ @unittest.skipUnless(hasattr(os, 'geteuid'), "missing os.geteuid") ++ @support.subTests('link_type', (tarfile.SYMTYPE, tarfile.LNKTYPE)) ++ def test_chown_links_on_extract(self, link_type): ++ with ArchiveMaker() as arc: ++ arc.add("test.txt", ++ uid=1337, gid=1337, uname="", gname="", mode='-rwxr-xr-x') ++ arc.add("link", ++ type=link_type, ++ linkname='test.txt', ++ uid=1337, gid=1337, uname="", gname="", mode='-rwxr-xr-x') ++ ++ with ( ++ os_helper.temp_dir() as tmpdir, ++ arc.open() as tar, ++ unittest.mock.patch("os.chown") as mock_chown, ++ unittest.mock.patch("os.lchown") as mock_lchown, ++ unittest.mock.patch("os.geteuid") as mock_geteuid, ++ ): ++ # Set UID to 0 so chown() is attempted. ++ mock_geteuid.return_value = 0 ++ tar.extract("link", path=tmpdir, filter='data') ++ extract_path = os.path.join(tmpdir, "link") ++ ++ if link_type == tarfile.SYMTYPE: ++ mock_chown.assert_not_called() ++ mock_lchown.assert_called_once_with(extract_path, -1, -1) ++ else: ++ mock_chown.assert_has_calls([ ++ unittest.mock.call(extract_path, -1, -1), ++ unittest.mock.call(extract_path, -1, -1) ++ ]) ++ mock_lchown.assert_not_called() ++ ++ @symlink_test ++ @unittest.skipUnless(hasattr(os, 'chown'), "missing os.chown") ++ @unittest.skipUnless(hasattr(os, 'lchown'), "missing os.lchown") ++ @unittest.skipUnless(hasattr(os, 'geteuid'), "missing os.geteuid") ++ @support.subTests('link_type', (tarfile.SYMTYPE, tarfile.LNKTYPE)) ++ def test_chown_links_on_extractall(self, link_type): ++ with ArchiveMaker() as arc: ++ arc.add("test.txt", ++ uid=1337, gid=1337, uname="", gname="", mode='-rwxr-xr-x') ++ arc.add("link", ++ type=link_type, ++ linkname='test.txt', ++ uid=1337, gid=1337, uname="", gname="", mode='-rwxr-xr-x') ++ ++ with ( ++ os_helper.temp_dir() as tmpdir, ++ arc.open() as tar, ++ unittest.mock.patch("os.chown") as mock_chown, ++ unittest.mock.patch("os.lchown") as mock_lchown, ++ unittest.mock.patch("os.geteuid") as mock_geteuid, ++ ): ++ # Set UID to 0 so chown() is attempted. ++ mock_geteuid.return_value = 0 ++ tar.extractall(path=tmpdir, filter='data') ++ extract_link_path = os.path.join(tmpdir, "link") ++ extract_file_path = os.path.join(tmpdir, "test.txt") ++ ++ if link_type == tarfile.SYMTYPE: ++ mock_chown.assert_called_once_with(extract_file_path, -1, -1) ++ mock_lchown.assert_called_once_with(extract_link_path, -1, -1) ++ else: ++ mock_chown.assert_has_calls([ ++ unittest.mock.call(extract_file_path, -1, -1), ++ unittest.mock.call(extract_link_path, -1, -1) ++ ]) ++ mock_lchown.assert_not_called() ++ ++ def test_extract_filters_target(self): ++ # Test that when extract() falls back to extracting (rather than ++ # linking) a hardlink target, it filters the target. ++ with ArchiveMaker() as arc: ++ arc.add("target") ++ arc.add("link", hardlink_to="target") ++ def testing_filter(member, path): ++ if member.name == 'target': ++ # target: set read-only ++ return member.replace(mode=stat.S_IRUSR) ++ # link: don't overwrite the mode ++ return member.replace(mode=None) ++ tempdir = pathlib.Path(TEMPDIR) / 'extract' ++ with os_helper.temp_dir(tempdir), arc.open() as tar: ++ tar.extract("link", path=tempdir, filter=testing_filter) ++ path = tempdir / 'link' ++ if os_helper.can_chmod(): ++ self.assertFalse(path.stat().st_mode & stat.S_IWUSR) ++ + def test_link_fallback_normalizes(self): + # Make sure hardlink fallbacks work for non-normalized paths for all + # filters +diff --git a/Misc/NEWS.d/next/Security/2026-06-23-14-19-30.gh-issue-151987.8mNIMf.rst b/Misc/NEWS.d/next/Security/2026-06-23-14-19-30.gh-issue-151987.8mNIMf.rst +new file mode 100644 +index 00000000000..9eea7b32c4d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-06-23-14-19-30.gh-issue-151987.8mNIMf.rst +@@ -0,0 +1,2 @@ ++The :meth:`tarfile.TarFile.extract` method now applies the given filter when ++it extracts a link target from the archive as a fallback. +-- +2.47.3 + diff --git a/package/python3/0015-3.14-gh-153030-Fix-quadratic-complexity-in-increment.patch b/package/python3/0015-3.14-gh-153030-Fix-quadratic-complexity-in-increment.patch new file mode 100644 index 00000000000..e9c3f40cc0a --- /dev/null +++ b/package/python3/0015-3.14-gh-153030-Fix-quadratic-complexity-in-increment.patch @@ -0,0 +1,123 @@ +From 07efb08123ba9367a7107325adb9d5626dca1ca9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sat, 4 Jul 2026 20:08:05 +0200 +Subject: [PATCH] [3.14] gh-153030: Fix quadratic complexity in incremental + parsing in HTMLParser (GH-153031) (GH-153039) + +When an unterminated construct (e.g. a tag or comment) spanned many +feed() calls, rescanning the growing buffer and concatenating new data +onto it were both quadratic. New data is now accumulated in a list and +only joined and parsed once enough has piled up. +(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606) + +Co-authored-by: Serhiy Storchaka +Co-authored-by: Claude Opus 4.8 + +Upstream: https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9 +CVE: CVE-2026-15308 + +Signed-off-by: Bernd Kuhls +--- + Lib/html/parser.py | 32 +++++++++++++++++-- + Lib/test/test_htmlparser.py | 20 ++++++++++++ + ...-07-04-17-00-00.gh-issue-153030.RovkP6.rst | 3 ++ + 3 files changed, 53 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst + +diff --git a/Lib/html/parser.py b/Lib/html/parser.py +index 38ddf9ef442..fbe0d3665e0 100644 +--- a/Lib/html/parser.py ++++ b/Lib/html/parser.py +@@ -157,6 +157,9 @@ def reset(self): + self.cdata_elem = None + self._support_cdata = True + self._escapable = True ++ self._pending = [] ++ self._pending_len = 0 ++ self._parse_threshold = 1 + super().reset() + + def feed(self, data): +@@ -165,11 +168,36 @@ def feed(self, data): + Call this as often as you want, with as little or as much text + as you want (may include '\n'). + """ +- self.rawdata = self.rawdata + data +- self.goahead(0) ++ # Accumulate new data in a list and only join and parse it once ++ # enough has piled up. Rescanning an unparsed buffer (e.g. an ++ # unterminated tag) and concatenating onto it on every call would ++ # both be quadratic in the input size. ++ self._pending_len += len(data) ++ if self._pending_len < self._parse_threshold: ++ self._pending.append(data) ++ else: ++ if not self._pending: ++ self.rawdata += data ++ else: ++ self._pending.append(data) ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 ++ n = len(self.rawdata) ++ self.goahead(0) ++ if len(self.rawdata) < n: ++ # Some data was parsed; resume on the next call. ++ self._parse_threshold = 1 ++ else: ++ # Nothing was parsed; wait until the buffer doubles. ++ self._parse_threshold = len(self.rawdata) + + def close(self): + """Handle any buffered data.""" ++ if self._pending: ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 + self.goahead(1) + + __starttag_text = None +diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py +index 6b7624f1150..3fdaed4ff46 100644 +--- a/Lib/test/test_htmlparser.py ++++ b/Lib/test/test_htmlparser.py +@@ -1041,6 +1041,26 @@ def check(source): + check("") # comment ++ check("") # processing instruction ++ check("") # doctype ++ check("") # CDATA section ++ check("") # start tag ++ check("") # RAWTEXT element ++ + + class AttributesTestCase(TestCaseBase): + +diff --git a/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst +new file mode 100644 +index 00000000000..d1d60593f4b +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst +@@ -0,0 +1,3 @@ ++Fixed quadratic complexity in incremental parsing of long unterminated ++constructs (such as tags or comments) in :class:`html.parser.HTMLParser`, ++which could be exploited for a denial of service. +-- +2.47.3 + diff --git a/package/python3/python3.mk b/package/python3/python3.mk index fabbdac3844..9a47a1f3065 100644 --- a/package/python3/python3.mk +++ b/package/python3/python3.mk @@ -16,6 +16,18 @@ PYTHON3_CPE_ID_PRODUCT = python # 0011-3.14-gh-151558-Fix-symlink-escape-via-tarfile-hardli.patch PYTHON3_IGNORE_CVES += CVE-2026-11940 +# 0012-3.14-gh-143927-Normalize-all-line-endings-CR-CRLF-an.patch +PYTHON3_IGNORE_CVES += CVE-2026-0864 + +# 0013-3.14-gh-151981-Make-tarfile._Stream.seek-break-at-EO.patch +PYTHON3_IGNORE_CVES += CVE-2026-11972 + +# 0014-3.14-gh-151987-Pass-filter_function-to-TarFile._extr.patch +PYTHON3_IGNORE_CVES += CVE-2026-4360 + +# 0015-3.14-gh-153030-Fix-quadratic-complexity-in-increment.patch +PYTHON3_IGNORE_CVES += CVE-2026-15308 + # This host Python is installed in $(HOST_DIR), as it is needed when # cross-compiling third-party Python modules. diff --git a/package/samba4/Config.in b/package/samba4/Config.in index e1d3dd9bf7f..59f040e96ab 100644 --- a/package/samba4/Config.in +++ b/package/samba4/Config.in @@ -4,6 +4,10 @@ comment "samba4 needs a uClibc or glibc toolchain w/ wchar, dynamic library, NPT || BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS_NPTL depends on BR2_USE_MMU +comment "samba4 needs a toolchain w/ gcc >= 7" + depends on BR2_m68k + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_7 + config BR2_PACKAGE_SAMBA4 bool "samba4" depends on BR2_USE_MMU # fork() @@ -12,6 +16,7 @@ config BR2_PACKAGE_SAMBA4 depends on !BR2_STATIC_LIBS # cmocka, python, gnutls depends on BR2_TOOLCHAIN_HAS_SYNC_4 depends on !BR2_TOOLCHAIN_USES_MUSL + depends on !BR2_m68k || BR2_TOOLCHAIN_GCC_AT_LEAST_7 # m68k needs gcc >= 7.x select BR2_PACKAGE_CMOCKA select BR2_PACKAGE_E2FSPROGS select BR2_PACKAGE_GNUTLS diff --git a/package/samba4/samba4.hash b/package/samba4/samba4.hash index 83e77f039b3..7c44ed747a5 100644 --- a/package/samba4/samba4.hash +++ b/package/samba4/samba4.hash @@ -1,4 +1,4 @@ # Locally calculated after checking pgp signature -# https://download.samba.org/pub/samba/stable/samba-4.24.3.tar.asc -sha256 4a5e0ed1ea192b798c873d9957c50a5767c10c2767cccb00d56ecc427e94f8e9 samba-4.24.3.tar.gz +# https://download.samba.org/pub/samba/stable/samba-4.24.4.tar.asc +sha256 df2c51ab4361ec626ab9988e5946efcca8465bc7afae834291d5558468265ff8 samba-4.24.4.tar.gz sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING diff --git a/package/samba4/samba4.mk b/package/samba4/samba4.mk index 2d6bc80b9ed..d481f9d417f 100644 --- a/package/samba4/samba4.mk +++ b/package/samba4/samba4.mk @@ -4,7 +4,7 @@ # ################################################################################ -SAMBA4_VERSION = 4.24.3 +SAMBA4_VERSION = 4.24.4 SAMBA4_SITE = https://download.samba.org/pub/samba/stable SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz SAMBA4_INSTALL_STAGING = YES @@ -32,6 +32,11 @@ SAMBA4_CONF_ENV = \ XSLTPROC=false \ WAF_NO_PREFORK=1 +# m68k needs 32-bit offsets in switch tables to build +ifeq ($(BR2_m68k),y) +SAMBA4_CFLAGS += -mlong-jump-table-offsets +endif + SAMBA4_PYTHON = PYTHON="$(HOST_DIR)/bin/python3" ifeq ($(BR2_PACKAGE_PYTHON3),y) SAMBA4_PYTHON += PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/python3-config" diff --git a/package/socat/socat.hash b/package/socat/socat.hash index 3a4eec60c1c..2fc8e408531 100644 --- a/package/socat/socat.hash +++ b/package/socat/socat.hash @@ -1,7 +1,7 @@ # From http://www.dest-unreach.org/socat/download.md5sum -md5 5456f0f0c5d4505b68edcb10e23ef128 socat-1.8.1.1.tar.bz2 +md5 1a5b8ddff793847d80aa100d54b7cf76 socat-1.8.1.3.tar.bz2 # From http://www.dest-unreach.org/socat/download.sha256sum -sha256 5ebc636b7f427053f98806696521653a614c7e06464910353cbf54e2327adc1b socat-1.8.1.1.tar.bz2 +sha256 25bc6476292b2e614220989c77b0b6fca87bb2525d9747b31a6639b1fb602418 socat-1.8.1.3.tar.bz2 # Locally calculated sha256 86e46422f9381b386bd2eb6606f9d6c3ff479f905660d0f318c571292ab304b8 README sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/socat/socat.mk b/package/socat/socat.mk index 3d40540599d..311bdfda3ab 100644 --- a/package/socat/socat.mk +++ b/package/socat/socat.mk @@ -4,7 +4,7 @@ # ################################################################################ -SOCAT_VERSION = 1.8.1.1 +SOCAT_VERSION = 1.8.1.3 SOCAT_SOURCE = socat-$(SOCAT_VERSION).tar.bz2 SOCAT_SITE = http://www.dest-unreach.org/socat/download SOCAT_LICENSE = GPL-2.0 with OpenSSL exception diff --git a/package/stellarium/stellarium.hash b/package/stellarium/stellarium.hash index b3f2a9ec9f5..d0dd53f900b 100644 --- a/package/stellarium/stellarium.hash +++ b/package/stellarium/stellarium.hash @@ -1,8 +1,8 @@ # From https://github.com/Stellarium/stellarium/releases -sha256 578bada2531e39146ccefcf6a0d202867e403b559f54239e8db9f9c003e04443 stellarium-26.1.tar.xz -# From https://github.com/Stellarium/stellarium/blob/v26.1/CMakeLists.txt#L858 +sha256 9a068d00aac82151f2b24c7f278847a2f9416f31f17c0326fc56ee4cc4cb1aed stellarium-26.2.tar.xz +# From https://github.com/Stellarium/stellarium/blob/v26.2/CMakeLists.txt#L857 sha256 55d0111d48fb11883aaee91465e642b8b640775a4d6993c2d0e7a8092758ef21 release-0.5.2.tar.gz -# From https://github.com/Stellarium/stellarium/blob/v26.1/plugins/LensDistortionEstimator/src/CMakeLists.txt#L6 +# From https://github.com/Stellarium/stellarium/blob/v26.2/plugins/LensDistortionEstimator/src/CMakeLists.txt#L6 sha256 6e899e297485e457ec1bf84844de29921aeef674f9d5caf60277df45dca6ff76 v2.9.0.tar.gz # Locally computed sha256 3aeeb5bb98bf7041ab82cffe15efa28ac58ee2bdf162b71301f5c192be631259 COPYING diff --git a/package/stellarium/stellarium.mk b/package/stellarium/stellarium.mk index f36a3a14df7..a3ab725017e 100644 --- a/package/stellarium/stellarium.mk +++ b/package/stellarium/stellarium.mk @@ -4,7 +4,7 @@ # ################################################################################ -STELLARIUM_VERSION = 26.1 +STELLARIUM_VERSION = 26.2 STELLARIUM_SOURCE = stellarium-$(STELLARIUM_VERSION).tar.xz STELLARIUM_SITE = https://github.com/Stellarium/stellarium/releases/download/v$(STELLARIUM_VERSION) STELLARIUM_LICENSE = GPL-2.0+ diff --git a/package/wireshark/wireshark.hash b/package/wireshark/wireshark.hash index 2c15d4f0f44..917ac47471c 100644 --- a/package/wireshark/wireshark.hash +++ b/package/wireshark/wireshark.hash @@ -1,6 +1,6 @@ -# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.16.txt -sha1 1424ea22b4959f94eb85c1fc3c510f281766144e wireshark-4.4.16.tar.xz -sha256 0bda0e34a4c5da72ea9009134d733783d08189c07462198e53a4f533fd1201fd wireshark-4.4.16.tar.xz +# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.4.17.txt +sha1 d46443d5bbca3580f944f3effcdfcc59e24eb7f4 wireshark-4.4.17.tar.xz +sha256 b89a8c60b9282f29be4db91437a6e969e61bc17e8c92ddd980cc38c7304dd772 wireshark-4.4.17.tar.xz # Locally calculated sha256 edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6 COPYING diff --git a/package/wireshark/wireshark.mk b/package/wireshark/wireshark.mk index ab393b8a48b..1fd81515c14 100644 --- a/package/wireshark/wireshark.mk +++ b/package/wireshark/wireshark.mk @@ -4,7 +4,7 @@ # ################################################################################ -WIRESHARK_VERSION = 4.4.16 +WIRESHARK_VERSION = 4.4.17 WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions WIRESHARK_LICENSE = wireshark license