I don't really see the relation between these and the gimp patches... For mozjs you could take a look at this[1] patch - I believe it solves the same problem. For libjxl, Khem has committed a line some time ago[2] that touches CFLAGS. Try to do the same, but for CXXFLAGS.
[1]: https://github.com/OSSystems/meta-browser/blob/master/meta-firefox/recipes-browser/firefox/firefox/0001-add-musl-support.patch
[2]: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-multimedia/libjxl/libjxl_0.11.1.bb#n47

On 1/6/26 05:42, Ankur Tyagi wrote:
> Hi Gyorgy,
>
> This is causing following build failures on qemuarm with musl and clang
>
> mozjs:
> |
> /usr/src/debug/mozjs-128/128.5.2/mozglue/misc/StackWalk.cpp:810:(.text._ZL15unwind_callbackP15_Unwind_ContextPv+0x4):
> undefined reference to `_Unwind_GetIP'
> | arm-poky-linux-musleabi-clang++: error: linker command failed with
> exit code 1 (use -v to see invocation)
>
> libjxl:
> FAILED: [code=1] lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o
> /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native/usr/bin/arm-poky-linux-musleabi/arm-poky-linux-musleabi-clang++
> --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
> -DFJXL_ENABLE_AVX512=0 -DJXL_INTERNAL_LIBRARY_BUILD
> -D__DATE__=\"redacted\" -D__TIMESTAMP__=\"redacted\"
> -D__TIME__=\"redacted\"
> -I/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1
> -isystem
> /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build/lib/include
> -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a15
> --dyld-prefix=/usr -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2
> -Wformat -Wformat-security -Werror=format-security -D_TIME_BITS=64
> -D_FILE_OFFSET_BITS=64
> --sysroot=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot
> -O2 -g
>
-ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=/usr/src/debug/libjxl/0.11.1 > > -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/build=/usr/src/debug/libjxl/0.11.1 > > -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot= > > -ffile-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/recipe-sysroot-native= > -pipe -fvisibility-inlines-hidden -fno-rtti -DNDEBUG -std=c++17 -fPIC > -fvisibility=hidden -fvisibility-inlines-hidden > -fmacro-prefix-map=/yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1=. > "-DHWY_DISABLED_TARGETS=(HWY_SSSE3|HWY_AVX3|HWY_AVX3_SPR|HWY_AVX3_ZEN4)" > -funwind-tables -Xclang -mrelax-all -fno-omit-frame-pointer > -Wno-builtin-macro-redefined -Wall -fmerge-all-constants > -fno-builtin-fwrite -fno-builtin-fread -Wextra -Wc++11-compat > -Warray-bounds -Wformat-security -Wimplicit-fallthrough -Wno-register > -Wno-unused-function -Wno-unused-parameter -Wnon-virtual-dtor > -Woverloaded-virtual -Wvla -Wdeprecated-increment-bool > -Wfloat-overflow-conversion -Wfloat-zero-conversion > -Wfor-loop-analysis -Wgnu-redeclared-enum -Winfinite-recursion > -Wliteral-conversion -Wno-c++98-compat > -Wno-unused-command-line-argument -Wprivate-header -Wself-assign > -Wstring-conversion -Wtautological-overlap-compare > -Wthread-safety-analysis -Wundefined-func-template -Wunreachable-code > -Wunused-comparison -fsized-deallocation -fno-exceptions -fmath-errno > -fnew-alignment=8 -fno-cxx-exceptions -fno-slp-vectorize > -fno-vectorize -disable-free -disable-llvm-verifier > -DJPEGXL_ENABLE_SKCMS=1 -DJPEGXL_ENABLE_TRANSCODE_JPEG=1 > -DJPEGXL_ENABLE_BOXES=1 -MD -MT > 
lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -MF > lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o.d -o > lib/CMakeFiles/jxl_dec-obj.dir/jxl/convolve_separable5.cc.o -c > /yocto/bitbake-builds/poky-whinlatter/build/tmp/work/cortexa15t2hf-neon-poky-linux-musleabi/libjxl/0.11.1/sources/libjxl-0.11.1/lib/jxl/convolve_separable5.cc > error: out of range pc-relative fixup value > 1 error generated. > ninja: build stopped: subcommand failed. > > It builds on qemux86 with musl and clang though. > > Having said that, I don't think the problem is due to your patch as > gimp fails to build on qemuarm with musl and clang even without your > patches. > > So this needs to be investigated separately. > > cheers > Ankur > > On Mon, Jan 5, 2026 at 11:02 PM Gyorgy Sarvari via > lists.openembedded.org <[email protected]> > wrote: >> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-14422 >> >> Pick the patch referenced by the NVD report. >> >> Signed-off-by: Gyorgy Sarvari <[email protected]> >> Signed-off-by: Khem Raj <[email protected]> >> (cherry picked from commit a0b41204afe57f9b2b3f2e8ff496be72d04e0eb7) >> Signed-off-by: Gyorgy Sarvari <[email protected]> >> --- >> .../gimp/gimp/CVE-2025-14422.patch | 66 +++++++++++++++++++ >> meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb | 12 ++-- >> 2 files changed, 73 insertions(+), 5 deletions(-) >> create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch >> >> diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch >> b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch >> new file mode 100644 >> index 0000000000..420e013916 >> --- /dev/null >> +++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-14422.patch 
>> @@ -0,0 +1,66 @@ >> +From 0a941cab81396d65a8ab547847f8c542039e214f Mon Sep 17 00:00:00 2001 >> +From: Gyorgy Sarvari <[email protected]> >> +Date: Sun, 23 Nov 2025 16:43:51 +0000 >> +Subject: [PATCH] plug-ins: Fix ZDI-CAN-28273 >> + >> +From: Alx Sa <[email protected]> >> + >> +Resolves #15286 >> +Adds a check to the memory allocation >> +in pnm_load_raw () with g_size_checked_mul () >> +to see if the size would go out of bounds. >> +If so, we don't try to allocate and load the >> +image. >> + >> +CVE: CVE-2025-14422 >> +Upstream-Status: Backport >> [https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb] >> +Signed-off-by: Gyorgy Sarvari <[email protected]> >> +--- >> + plug-ins/common/file-pnm.c | 13 +++++++++++-- >> + 1 file changed, 11 insertions(+), 2 deletions(-) >> + >> +diff --git a/plug-ins/common/file-pnm.c b/plug-ins/common/file-pnm.c >> +index 32a33a4..9d349e9 100644 >> +--- a/plug-ins/common/file-pnm.c >> ++++ b/plug-ins/common/file-pnm.c >> +@@ -674,7 +674,7 @@ load_image (GFile *file, >> + GError **error) >> + { >> + GInputStream *input; >> +- GeglBuffer *buffer; >> ++ GeglBuffer *buffer = NULL; >> + GimpImage * volatile image = NULL; >> + GimpLayer *layer; >> + char buf[BUFLEN + 4]; /* buffer for random things like >> scanning */ >> +@@ -708,6 +708,9 @@ load_image (GFile *file, >> + g_object_unref (input); >> + g_free (pnminfo); >> + >> ++ if (buffer) >> ++ g_object_unref (buffer); >> ++ >> + if (image) >> + gimp_image_delete (image); >> + >> +@@ -1060,6 +1063,7 @@ pnm_load_raw (PNMScanner *scan, >> + const Babl *format = NULL; >> + gint bpc; >> + guchar *data, *d; >> ++ gsize data_size; >> + gushort *s; >> + gint x, y, i; >> + gint start, end, scanlines; >> +@@ -1070,7 +1074,12 @@ pnm_load_raw (PNMScanner *scan, >> + bpc = 1; >> + >> + /* No overflow as long as gimp_tile_height() < 1365 = 2^(31 - 18) / 6 */ >> +- data = g_new (guchar, gimp_tile_height () * info->xres * info->np * bpc); >> ++ if (! 
g_size_checked_mul (&data_size, gimp_tile_height (), info->xres) || >> ++ ! g_size_checked_mul (&data_size, data_size, info->np) || >> ++ ! g_size_checked_mul (&data_size, data_size, bpc)) >> ++ CHECK_FOR_ERROR (FALSE, info->jmpbuf, _("Unsupported maximum value.")); >> ++ >> ++ data = g_new (guchar, data_size); >> + >> + input = pnmscanner_input (scan); >> + >> diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb >> b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb >> index 9f38cdcd03..f529930dff 100644 >> --- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb >> +++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.6.bb >> @@ -56,11 +56,13 @@ GIDOCGEN_MESON_OPTION = "gi-docgen" >> GIDOCGEN_MESON_ENABLE_FLAG = "enabled" >> GIDOCGEN_MESON_DISABLE_FLAG = "disabled" >> >> -SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz" >> -SRC_URI += "file://0001-gimp-cross-compile-fix-for-bz2.patch" >> -SRC_URI += "file://0002-meson.build-reproducibility-fix.patch" >> -SRC_URI += "file://0001-meson.build-dont-check-for-lgi.patch" >> -SRC_URI += "file://0001-meson.build-require-iso-codes-native.patch" >> +SRC_URI = "https://download.gimp.org/gimp/v3.0/${BP}.tar.xz \ >> + file://0001-gimp-cross-compile-fix-for-bz2.patch \ >> + file://0002-meson.build-reproducibility-fix.patch \ >> + file://0001-meson.build-dont-check-for-lgi.patch \ >> + file://0001-meson.build-require-iso-codes-native.patch \ >> + file://CVE-2025-14422.patch \ >> + " >> SRC_URI[sha256sum] = >> "246c225383c72ef9f0dc7703b7d707084bbf177bd2900e94ce466a62862e296b" >> >> PACKAGECONFIG[aa] = "-Daa=enabled,-Daa=disabled,aalib" >> >> >>
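Review bot: In load_image, "buffer" is declared as a plain local ("GeglBuffer *buffer = NULL;") while "image" on the next line is "GimpImage * volatile", yet the added "if (buffer) g_object_unref (buffer);" reads it in the same cleanup block as "if (image)". If that block is where the longjmp through the jmpbuf lands, a non-volatile local assigned after setjmp has an indeterminate value there, so the NULL test may not reflect the real state. Declaring it "GeglBuffer * volatile buffer = NULL;" would match how image is handled.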
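Review bot: In the pnm_load_raw hunk, the overflow branch calls CHECK_FOR_ERROR with the constant FALSE as its first argument. The macro definition is not part of this diff; if it only jumps when that argument is true, this call never fires and execution continues to "g_new (guchar, data_size)" with whatever the failed multiplication left in data_size. Please confirm against the macro and, if that is the case, pass TRUE or the negated result of the checks. Two smaller points in the same hunk: the retained comment "No overflow as long as gimp_tile_height() < 1365 ..." no longer describes the code now that the product is checked, and the message "Unsupported maximum value." does not tell the user that the image dimensions were the problem.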
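Review bot: The gimp_3.0.6.bb hunk rewrites the four existing "SRC_URI +=" lines into one continued assignment in the same commit that adds "file://CVE-2025-14422.patch". For a CVE backport, a single added "SRC_URI += "file://CVE-2025-14422.patch"" line would keep the recipe diff limited to the security change and reduce the chance of conflicts when the fix is cherry-picked to other branches; the reformatting can go in a separate commit.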
