36 files changed, 799 insertions, 168 deletions
diff --git a/meta-oe/recipes-graphics/feh/feh_3.11.3.bb b/meta-oe/recipes-graphics/feh/feh_3.12.1.bb
index c79ad488ba..2ac504a551 100644
--- a/meta-oe/recipes-graphics/feh/feh_3.11.3.bb
+++ b/meta-oe/recipes-graphics/feh/feh_3.12.1.bb
@@ -9,7 +9,7 @@ DEPENDS = "\
 "
 SRC_URI = "https://feh.finalrewind.org/feh-${PV}.tar.bz2"
-SRC_URI[sha256sum] = "f2cca3592a433922c0db7a9365fd63e5402c121d932a9327e279c71be6501063"
+SRC_URI[sha256sum] = "6772f48e7956a16736e4c165a8367f357efc413b895f5b04133366e01438f95d"
 inherit mime-xdg features_check
 # depends on virtual/libx11
diff --git a/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver/cmake.patch b/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver/cmake.patch
new file mode 100644
index 0000000000..03673ce323
--- /dev/null
+++ b/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver/cmake.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Sommer?= <joerg@jo-so.de>
+Date: Tue, 21 Apr 2026 20:20:42 +0200
+Subject: [PATCH] CMakeLists: Raise minimum version to 3.10
+CMake 4 requires at least 3.5, but suggests 3.10.
+Signed-off-by: Jörg Sommer <joerg@jo-so.de>
+Upstream-Status: Submitted [https://github.com/ponty/framebuffer-vncserver/pull/30]
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c8b8f90..d342734 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ PROJECT(framebuffer-vncserver)
+-CMAKE_MINIMUM_REQUIRED(VERSION 2.6)
+CMAKE_MINIMUM_REQUIRED(VERSION 3.10)
+ 
+ 
+ FILE(GLOB SOURCES src/*.c)
diff --git a/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver_git.bb b/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver_git.bb
new file mode 100644
index 0000000000..d7ce066cb2
--- /dev/null
+++ b/meta-oe/recipes-graphics/framebuffer-vncserver/framebuffer-vncserver_git.bb
@@ -0,0 +1,28 @@
+SUMMARY = "VNC server for Linux framebuffer devices"
+DESCRIPTION = "\
+    The goal is to access remote embedded Linux systems without X. Implemented \
+    features: remote display, touchscreen, keyboard, rotation. Not implemented: \
+    file transfer, ... \
+"
+HOMEPAGE = "https://github.com/ponty/framebuffer-vncserver"
+BUGTRACKER = "https://github.com/ponty/framebuffer-vncserver/issues"
+SECTION = "graphics"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
+DEPENDS = "libvncserver"
+SRC_URI = "\
+    git://github.com/ponty/framebuffer-vncserver.git;protocol=https;branch=master \
+    file://cmake.patch \
+"
+SRCREV = "1963e57bebfde420baeecbb2c6848a2382488413"
+inherit cmake systemd
+do_install:append() {
+    install -m 644 -D -t ${D}${systemd_system_unitdir} ${S}/fbvnc.service
+}
+SYSTEMD_SERVICE:${PN} = "fbvnc.service"
diff --git a/meta-oe/recipes-graphics/fvwm/fvwm_2.7.0.bb b/meta-oe/recipes-graphics/fvwm/fvwm_2.7.0.bb
index e8ad2aad0f..959463e962 100644
--- a/meta-oe/recipes-graphics/fvwm/fvwm_2.7.0.bb
+++ b/meta-oe/recipes-graphics/fvwm/fvwm_2.7.0.bb
@@ -119,6 +119,9 @@ FILES:${PN}-doc = " \
    ${mandir} \
    ${datadir}/fvwm \
 "
+RDEPENDS:${PN} = " \
+    xuser-account \
+"
 RDEPENDS:${PN}-extra += "\
    perl \
    python3-core \
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-Match-prototypes-of-callbacks-with-libgphoto.patch b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-Match-prototypes-of-callbacks-with-libgphoto.patch
deleted file mode 100644
index e0c3de469a..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-Match-prototypes-of-callbacks-with-libgphoto.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 366930ccc1a261c3eb883da2bf3c655162ccd75f Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 1 Mar 2023 22:58:37 -0800
-Subject: [PATCH] Match prototypes of callbacks with libgphoto
-In https://github.com/gphoto/gphoto2/pull/535/commits/ccc4c1f092bd21ebc713f4d7b9be85be49f92f1e
-we tried to fix by using pthread_t but it also needs to make changes in
-libgphoto and these changes can be invasive, therefore lets revert to
-older types and to fix musl problem fix it via type casts
-Upstream-Status: Backport [https://github.com/gphoto/gphoto2/pull/569]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- gphoto2/main.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/gphoto2/main.c b/gphoto2/main.c
-index 0dac947..cd3c990 100644
--- a/gphoto2/main.c
-+++ b/gphoto2/main.c
-@@ -1198,7 +1198,7 @@ thread_func (void *data)
-        pthread_cleanup_pop (1);
- }
- 
-static pthread_t
-+static unsigned int
- start_timeout_func (Camera *camera, unsigned int timeout,
-                    CameraTimeoutFunc func, void __unused__ *data)
- {
-@@ -1215,14 +1215,14 @@ start_timeout_func (Camera *camera, unsigned int timeout,
- 
-        pthread_create (&tid, NULL, thread_func, td);
- 
-       return (tid);
-+       return (unsigned int)tid;
- }
- 
- static void
-stop_timeout_func (Camera __unused__ *camera, pthread_t id,
-+stop_timeout_func (Camera __unused__ *camera, unsigned int id,
-                   void __unused__ *data)
- {
-       pthread_t tid = id;
-+       pthread_t tid = (pthread_t)id;
- 
-        pthread_cancel (tid);
-        pthread_join (tid, NULL);
-- 
-2.39.2
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure-Filter-out-buildpaths-from-CC.patch b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure-Filter-out-buildpaths-from-CC.patch
index 3d54d58e18..bd916e339a 100644
--- a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure-Filter-out-buildpaths-from-CC.patch
+++ b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure-Filter-out-buildpaths-from-CC.patch
@@ -14,13 +14,13 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 --- a/configure.ac
 +++ b/configure.ac
 @@ -26,7 +26,9 @@ AC_PROG_INSTALL
- AC_SYS_LARGEFILE
+ ])
 
- GP_CONFIG_MSG([Compiler],[${CC}])
+ GP_CONFIG_MSG([Compiler], [${CC}])
-AC_DEFINE_UNQUOTED([HAVE_CC],"$CC",[The C compiler we're using])
+-AC_DEFINE_UNQUOTED([HAVE_CC], ["$CC"], [The C compiler we are using])
 +CC_NO_SYSROOT=`echo $CC | sed -e \
 +       's|--sysroot=.*\b||g'`
-+AC_DEFINE_UNQUOTED([HAVE_CC], ["$CC_NO_SYSROOT"], [The C compiler we're using])
+AC_DEFINE_UNQUOTED([HAVE_CC], ["$CC_NO_SYSROOT"], [The C compiler we are using])
 
 dnl AC_STRUCT_TIMEZONE
 
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure.ac-remove-AM_PO_SUBDIRS.patch b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure.ac-remove-AM_PO_SUBDIRS.patch
index 14976ffb72..358dbbb51a 100644
--- a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure.ac-remove-AM_PO_SUBDIRS.patch
+++ b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-configure.ac-remove-AM_PO_SUBDIRS.patch
@@ -14,10 +14,10 @@ Upstream-Status: Pending
 --- a/configure.ac
 +++ b/configure.ac
 @@ -46,7 +46,6 @@ dnl i18n support
- dnl ---------------------------------------------------------------------------
+ GP_GETTEXT_SETUP([GETTEXT_PACKAGE_GPHOTO2],
- GP_GETTEXT_HACK([],[Lutz Müller and others],[${MAIL_GPHOTO_TRANSLATION}])
+                  [gphoto2],
- ALL_LINGUAS="az cs da de en_GB es eu fi fr hu id is it ja nl pa pl pt_BR ro ru rw sk sr sv uk vi zh_CN zh_TW"
+                  [po])
 -AM_PO_SUBDIRS()
- AM_GNU_GETTEXT_VERSION([0.14.1])
+ AM_GNU_GETTEXT_VERSION([0.19.1])
 AM_GNU_GETTEXT([external])
 AM_ICONV()
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-Use-pthread_t-abstract-type-for-thead-IDs.patch b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-Use-pthread_t-abstract-type-for-thead-IDs.patch
deleted file mode 100644
index a27c02cefc..0000000000
--- a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-Use-pthread_t-abstract-type-for-thead-IDs.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 23c67e93e51f700d0aeecfc08277e39f51201fc3 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Fri, 2 Sep 2022 12:59:46 -0700
-Subject: [PATCH] gphoto2: Use pthread_t abstract type for thead IDs
-This is not a plain old datatype in every libc, e.g. with musl this
-would fail in type conversion
-Upstream-Status: Submitted [https://github.com/gphoto/gphoto2/pull/535]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- gphoto2/main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/gphoto2/main.c b/gphoto2/main.c
-index 2bf5964..9a6b05d 100644
--- a/gphoto2/main.c
-+++ b/gphoto2/main.c
-@@ -1198,7 +1198,7 @@ thread_func (void *data)
-        pthread_cleanup_pop (1);
- }
- 
-static unsigned int
-+static pthread_t
- start_timeout_func (Camera *camera, unsigned int timeout,
-                    CameraTimeoutFunc func, void __unused__ *data)
- {
-@@ -1219,7 +1219,7 @@ start_timeout_func (Camera *camera, unsigned int timeout,
- }
- 
- static void
-stop_timeout_func (Camera __unused__ *camera, unsigned int id,
-+stop_timeout_func (Camera __unused__ *camera, pthread_t id,
-                   void __unused__ *data)
- {
-        pthread_t tid = id;
-- 
-2.37.3
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-fix-const-qualifier-violations.patch b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-fix-const-qualifier-violations.patch
new file mode 100644
index 0000000000..a8f85d034c
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/gphoto2/0001-gphoto2-fix-const-qualifier-violations.patch
@@ -0,0 +1,73 @@
+From 55edc241e9b61b14153c61fd0baaefac927ad89f Mon Sep 17 00:00:00 2001
+From: Khem Raj <khem.raj@oss.qualcomm.com>
+Date: Tue, 21 Apr 2026 17:39:43 -0700
+Subject: [PATCH] gphoto2: fix const qualifier violations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+No logic is changed. The patch is a pure
+type-correctness fix that makes the variable
+declarations match the actual semantics —
+const char * for pointers into string literals
+or function parameters that must not be mutated,
+and char * only for owned heap memory. This
+satisfies Clang's strict qualifier checking without
+needing any casts or warning suppressions.
+Fixes errors seen on clang with
+  -Werror,-Wincompatible-pointer-types-discards-qualifiers
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
+---
+ gphoto2/main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/gphoto2/main.c b/gphoto2/main.c
+index 5a3c5c1..086f9df 100644
+--- a/gphoto2/main.c
+++ b/gphoto2/main.c
+@@ -146,7 +146,8 @@ static int
+ get_path_for_file (const char *folder, const char *name, CameraFileType type, CameraFile *file, char **path)
+ {
+        unsigned int i, l;
+-       char *s = NULL, b[1024];
+       const char *s = NULL;
+       char *p = NULL; char b[1024];
+        time_t t = 0;
+        struct tm *tm;
+        int hour12;
+@@ -339,18 +340,18 @@ get_path_for_file (const char *folder, const char *name, CameraFileType type, Ca
+                        b[1] = '\0';
+                }
+ 
+-               s = *path ? realloc (*path, strlen (*path) + strlen (b) + 1) :
+               p = *path ? realloc (*path, strlen (*path) + strlen (b) + 1) :
+                            malloc (strlen (b) + 1);
+-               if (!s) {
+               if (!p) {
+                        free (*path);
+                        *path = NULL;
+                        return (GP_ERROR_NO_MEMORY);
+                }
+                if (*path) {
+-                       *path = s;
+                       *path = p;
+                        strcat (*path, b);
+                } else {
+-                       *path = s;
+                       *path = p;
+                        strcpy (*path, b);
+                }
+        }
+@@ -696,7 +697,8 @@ dissolve_filename (
+        const char *folder, const char *filename,
+        char **newfolder, char **newfilename
+ ) {
+-       char *nfolder, *s;
+       char *nfolder;
+       const char *s;
+ 
+        s = strrchr (filename, '/');
+        if (!s) {
diff --git a/meta-oe/recipes-graphics/gphoto2/gphoto2_2.5.28.bb b/meta-oe/recipes-graphics/gphoto2/gphoto2_2.5.32.bb
index 40409ed388..dbd2b0e748 100644
--- a/meta-oe/recipes-graphics/gphoto2/gphoto2_2.5.28.bb
+++ b/meta-oe/recipes-graphics/gphoto2/gphoto2_2.5.32.bb
@@ -8,11 +8,10 @@ RDEPENDS:gphoto2 = "libgphoto2"
 SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.bz2;name=gphoto2 \
           file://0001-configure.ac-remove-AM_PO_SUBDIRS.patch \
-           file://0001-gphoto2-Use-pthread_t-abstract-type-for-thead-IDs.patch \
-           file://0001-Match-prototypes-of-callbacks-with-libgphoto.patch \
           file://0001-configure-Filter-out-buildpaths-from-CC.patch \
+           file://0001-gphoto2-fix-const-qualifier-violations.patch \
 "
-SRC_URI[gphoto2.sha256sum] = "2a648dcdf12da19e208255df4ebed3e7d2a02f905be4165f2443c984cf887375"
+SRC_URI[gphoto2.sha256sum] = "4e379a0f12f72b49ee5ee2283ffd806b5d12d099939d75197a3f4bbc7f27a1a1"
 inherit autotools pkgconfig gettext
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch
new file mode 100644
index 0000000000..9ded174095
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/0001-libgphoto2-fix-const-correctness-for-c23-builds.patch
@@ -0,0 +1,84 @@
+From bfa786a260bfd4660e8186ebad8778718e85e8cd Mon Sep 17 00:00:00 2001
+From: Khem Raj <khem.raj@oss.qualcomm.com>
+Date: Sat, 4 Apr 2026 14:56:01 -0700
+Subject: [PATCH] libgphoto2: fix const-correctness for c23 builds
+C23 treats the return values of strrchr() and strchr() as const char *
+when the input string is const-qualified. Update local variables to use
+const char * where appropriate to avoid discarded-qualifier warnings and
+build failures with -std=gnu23.
+No functional change intended.
+Upstream-Status: Submitted [https://github.com/gphoto/libgphoto2/pull/1235]
+Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
+---
+ camlibs/directory/directory.c         | 2 +-
+ libgphoto2/gphoto2-file.c             | 6 +++---
+ libgphoto2/gphoto2-filesys.c          | 2 +-
+ packaging/generic/print-camera-list.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/camlibs/directory/directory.c b/camlibs/directory/directory.c
+index 790405d54..cc63c6684 100644
+--- a/camlibs/directory/directory.c
+++ b/camlibs/directory/directory.c
+@@ -125,7 +125,7 @@ static const char *
+ get_mime_type (const char *filename)
+ {
+ 
+-       char *dot;
+       const char *dot;
+        int x=0;
+ 
+        dot = strrchr(filename, '.');
+diff --git a/libgphoto2/gphoto2-file.c b/libgphoto2/gphoto2-file.c
+index 04d4d5e3e..1a9dbc193 100644
+--- a/libgphoto2/gphoto2-file.c
+++ b/libgphoto2/gphoto2-file.c
+@@ -610,7 +610,7 @@ int
+ gp_file_open (CameraFile *file, const char *filename)
+ {
+        FILE *fp;
+-       char *name, *dot;
+       const char *name, *dot;
+        long size, size_read;
+        int  i;
+        struct stat s;
+@@ -906,8 +906,8 @@ gp_file_get_name (CameraFile *file, const char **name)
+ int
+ gp_file_get_name_by_type (CameraFile *file, const char *basename, CameraFileType type, char **newname)
+ {
+-       char *prefix = NULL, *s, *new, *slash = NULL;
+-       const char *suffix = NULL;
+       char *prefix = NULL, *new;
+       const char *suffix = NULL, *s, *slash = NULL;
+        int i;
+ 
+        C_PARAMS (file && basename && newname);
+diff --git a/libgphoto2/gphoto2-filesys.c b/libgphoto2/gphoto2-filesys.c
+index 45f957292..07decff24 100644
+--- a/libgphoto2/gphoto2-filesys.c
+++ b/libgphoto2/gphoto2-filesys.c
+@@ -521,7 +521,7 @@ append_to_folder (CameraFilesystemFolder *folder,
+        CameraFilesystemFolder **newfolder
+ ) {
+        CameraFilesystemFolder  *f;
+-       char    *s;
+       const char      *s;
+ 
+        GP_LOG_D ("Append to folder %p/%s - %s", folder, folder->name, foldername);
+        /* Handle multiple slashes, and slashes at the end */
+diff --git a/packaging/generic/print-camera-list.c b/packaging/generic/print-camera-list.c
+index 1707b4e87..44530b4ae 100644
+--- a/packaging/generic/print-camera-list.c
+++ b/packaging/generic/print-camera-list.c
+@@ -1138,7 +1138,7 @@ escape_html(const char *str) {
+        newstr = malloc(strlen(str)+1+inc);
+        s = str; ns = newstr;
+        do {
+-               char *x;
+               const char *x;
+                x = strchr(s,'&');
+                if (x) {
+                        memcpy (ns, s, x-s);
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
new file mode 100644
index 0000000000..77c307e88d
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
@@ -0,0 +1,150 @@
+From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:18:42 +0200
+Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length
+ Parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept
+const unsigned char** data but no length/size parameter. They perform
+unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat,
+up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events()
+have xsize available but never pass it.
+ CVE-2026-40333
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40333
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 9 deletions(-)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 09421b7..09dcc24 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned
+ 
+ 
+ static inline uint16_t
+-ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
+ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size )
+ {
+        /*
+          EOS ImageFormat entries look are a sequence of u32 values:
+@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
+ 
+        const uint8_t* d = *data;
+        uint32_t offset = 0;
+-       uint32_t n = dtoh32o (d, offset);
+       uint32_t n;
+        uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0;
+ 
+       if (*size < sizeof(uint32_t)) {
+               ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size);
+               return 0;
+       }
+       n = dtoh32o (d, offset);
+       *size -= sizeof(uint32_t);
+
+        if (n != 1 && n !=2) {
+                ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n);
+                return 0;
+        }
+-
+       if (*size < sizeof(uint32_t)) {
+               ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size);
+               return 0;
+       }
+        l = dtoh32o (d, offset);
+       *size -= sizeof(uint32_t);
+
+        if (l != 0x10) {
+                ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
+                return 0;
+        }
+ 
+       if (*size < 3*sizeof(uint32_t)) {
+               ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size);
+               return 0;
+       }
+        t1 = dtoh32o (d, offset);
+        s1 = dtoh32o (d, offset);
+        c1 = dtoh32o (d, offset);
+       *size -= 3*sizeof(uint32_t);
+ 
+        if (n == 2) {
+               if (*size < sizeof(uint32_t)) {
+                       ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size);
+                       return 0;
+               }
+                l = dtoh32o (d, offset);
+               *size -= sizeof(uint32_t);
+
+                if (l != 0x10) {
+                        ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
+                        return 0;
+                }
+               if (*size < 3*sizeof(uint32_t)) {
+                       ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size);
+                       return 0;
+               }
+                t2 = dtoh32o (d, offset);
+                s2 = dtoh32o (d, offset);
+                c2 = dtoh32o (d, offset);
+@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3
+ 
+ 
+ static inline char*
+-ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data )
+ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size )
+ {
+-       uint32_t s = dtoh32a( *data );
+-       uint32_t n = s/4, i;
+       uint32_t s, n, i;
+        char    *str, *p;
+ 
+       if (*size < sizeof(uint32_t))
+               return strdup("bad length");
+
+       s = dtoh32a( *data );
+       n = s/4;
+
+       if (*size < 4+s)
+               return strdup("bad length");
+
+        if (s > 1024) {
+                ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
+                return strdup("bad length");
+@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+                        case PTP_DPC_CANON_EOS_ImageFormatExtHD:
+                                /* special handling of ImageFormat properties */
+                                for (j=0;j<dpd_count;j++) {
+-                                       dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
+                                       dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
+                                        ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16);
+                                }
+                                break;
+@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+                        case PTP_DPC_CANON_EOS_ImageFormatSD:
+                        case PTP_DPC_CANON_EOS_ImageFormatExtHD:
+                                dpd->DataType = PTP_DTC_UINT16;
+-                               dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
+                               dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
+                                dpd->CurrentValue.u16 = dpd->DefaultValue.u16;
+                                ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16);
+                                break;
+@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
+                                dpd->DataType = PTP_DTC_STR;
+                                free (dpd->DefaultValue.str);
+                                free (dpd->CurrentValue.str);
+-                               dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
+                               dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize );
+                                dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str );
+                                ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str);
+                                break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch
new file mode 100644
index 0000000000..883582dff0
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40334.patch
@@ -0,0 +1,37 @@
+From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:15:54 +0200
+Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte
+buffer without explicit null termination. The EOS variant at line
+1451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1]
+= 0; confirming this was recognized as necessary but not applied to the
+original Canon path.
+ CVE-2026-40334
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40334
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 09dcc24..982b4f4 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde
+        fe->ObjectSize       = dtoh32a(data + PTP_cfe_ObjectSize);
+        fe->Time     = (time_t)dtoh32a(data + PTP_cfe_Time);
+        strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen);
+       fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0';
+ }
+ 
+ /*
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
new file mode 100644
index 0000000000..dfe832e6c8
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40335.patch
@@ -0,0 +1,43 @@
+From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:07:38 +0200
+Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?=
+ =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM
+In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic.
+CVE-2026-40335
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40335
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 982b4f4..7fc120d 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -614,10 +614,14 @@ ptp_unpack_DPV (
+        case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break;
+ 
+        case PTP_DTC_UINT128:
+               if (total - *offset < 16)
+                       return 0;
+                *offset += 16;
+                /*fprintf(stderr,"unhandled unpack of uint128n");*/
+                break;
+        case PTP_DTC_INT128:
+               if (total - *offset < 16)
+                       return 0;
+                *offset += 16;
+                /*fprintf(stderr,"unhandled unpack of int128n");*/
+                break;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch
new file mode 100644
index 0000000000..1a809b4f25
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40336.patch
@@ -0,0 +1,44 @@
+From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:13:51 +0200
+Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW
+File: ptp-pack.c:884-885
+When processing a secondary enumeration list (2024+ Sony cameras), line
+884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc()
+without freeing the previous allocation from line 857. The original
+array and any string values it contains are leaked.
+CVE-2026-40336
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40336
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 7fc120d..fc51d77 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
+                /* check if we have a secondary list of items, this is for newer Sonys (2024) */
+                if (val < 0x200) {      /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */
+                        if (dpd->FormFlag == PTP_DPFF_Enumeration) {
+                               /* free old enum variables */
+                               for (i=0;i<dpd->FORM.Enum.NumberOfValues;i++)
+                                       ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i);
+                               free (dpd->FORM.Enum.SupportedValue);
+
+                                N = dtoh16o(data, *poffset);
+                                dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
+                                if (!dpd->FORM.Enum.SupportedValue)
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch
new file mode 100644
index 0000000000..9f233f2ec9
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40338.patch
@@ -0,0 +1,34 @@
+From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 11 Apr 2026 10:47:52 +0200
+Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?=
+ =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check.
+CVE-2026-40338
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40338
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index fc51d77..f90d2a5 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
+                break;
+        case PTP_DPFF_Enumeration: {
+ #define N      dpd->FORM.Enum.NumberOfValues
+               if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory;
+                N = dtoh16o(data, *poffset);
+                dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
+                if (!dpd->FORM.Enum.SupportedValue)
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch
new file mode 100644
index 0000000000..b00ac72772
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40339.patch
@@ -0,0 +1,41 @@
+From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 11 Apr 2026 10:50:47 +0200
+Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?=
+ =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset)
+without a prior bounds check. The standard ptp_unpack_DPD() at line
+686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before
+this same read, but the Sony variant omits this check.
+CVE-2026-40339
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40339
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index f90d2a5..28648a5 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
+           code or the Data Type is a string (with two empty strings as
+           values). In both cases Form Flag should be set to 0x00 and FORM is
+           not present. */
+-
+        if (*poffset==PTP_dpd_Sony_DefaultValue)
+                return 1;
+       if (*poffset + sizeof(uint8_t) > dpdlen)
+               return 1;
+ 
+        dpd->FormFlag = dtoh8o(data, *poffset);
+        ptp_debug (params, "formflag 0x%04x", dpd->FormFlag);
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch
new file mode 100644
index 0000000000..a0852692b0
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40340.patch
@@ -0,0 +1,40 @@
+From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 16:01:48 +0200
+Subject: [PATCH] Fixed ObjectInfo Parser OOB Read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses:
+    Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB)
+    Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB)
+    Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB)
+The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary.
+ CVE-2026-40340
+Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
+CVE: CVE-2026-40340
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 28648a5..9eba06f 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi,
+ {
+        char *capture_date;
+ 
+-       if (!data || len < PTP_oi_SequenceNumber)
+       if (!data || len < PTP_oi_filenamelen + 5)
+                return;
+ 
+        oi->Filename = oi->Keywords = NULL;
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch
new file mode 100644
index 0000000000..b71792c185
--- /dev/null
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40341.patch
@@ -0,0 +1,69 @@
+From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Wed, 8 Apr 2026 15:28:52 +0200
+Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx
+Do not read out values before checking there is sufficient size
+CVE-2026-40341
+CVE: CVE-2026-40341
+Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++---------
+ 1 file changed, 25 insertions(+), 9 deletions(-)
+diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
+index 9eba06f..11428ab 100644
+--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
+@@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value
+ static inline char*
+ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize)
+ {
+-       uint32_t size                   = dtoh32a( *data );
+-       uint32_t halfsize               = dtoh16a( (*data) + 4);
+-       uint32_t version                = dtoh16a( (*data) + 6);
+-       uint32_t focus_points_in_struct = dtoh16a( (*data) + 8);
+-       uint32_t focus_points_in_use    = dtoh16a( (*data) + 10);
+-       uint32_t sizeX                  = dtoh16a( (*data) + 12);
+-       uint32_t sizeY                  = dtoh16a( (*data) + 14);
+-       uint32_t size2X                 = dtoh16a( (*data) + 16);
+-       uint32_t size2Y                 = dtoh16a( (*data) + 18);
+       uint32_t size;
+       uint32_t halfsize;
+       uint32_t version;
+       uint32_t focus_points_in_struct;
+       uint32_t focus_points_in_use;
+       uint32_t sizeX;
+       uint32_t sizeY;
+       uint32_t size2X;
+       uint32_t size2Y;
+        uint32_t i;
+        uint32_t maxlen;
+        char    *str, *p;
+ 
+       if (datasize<4) {
+               ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize);
+               return strdup("bad size 0");
+       }
+
+       size                    = dtoh32a( *data );
+        if ((size > datasize) || (size < 20)) {
+                ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize);
+                return strdup("bad size 1");
+        }
+
+       halfsize                = dtoh16a( (*data) + 4);
+       version                 = dtoh16a( (*data) + 6);
+       focus_points_in_struct  = dtoh16a( (*data) + 8);
+       focus_points_in_use     = dtoh16a( (*data) + 10);
+       sizeX                   = dtoh16a( (*data) + 12);
+       sizeY                   = dtoh16a( (*data) + 14);
+       size2X                  = dtoh16a( (*data) + 16);
+       size2Y                  = dtoh16a( (*data) + 18);
+
+        /* If data is zero-filled, then it is just a placeholder, so nothing
+           useful, but also not an error */
+        if (!focus_points_in_struct || !focus_points_in_use) {
diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
index 6b5e6c21b9..04c4786f84 100644
--- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
@@ -12,7 +12,16 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2"
 SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
           file://40-libgphoto2.rules \
           file://0001-configure-Filter-out-buildpaths-from-CC.patch \
-"
+           file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
+           file://CVE-2026-40333.patch \
+           file://CVE-2026-40334.patch \
+           file://CVE-2026-40335.patch \
+           file://CVE-2026-40336.patch \
+           file://CVE-2026-40338.patch \
+           file://CVE-2026-40339.patch \
+           file://CVE-2026-40340.patch \
+           file://CVE-2026-40341.patch \
+           "
 SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_14.1.3.bb b/meta-oe/recipes-graphics/graphviz/graphviz_14.1.5.bb
index d885dc43ac..388de9b452 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_14.1.3.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_14.1.5.bb
@@ -1,7 +1,7 @@
 SUMMARY = "Graph Visualization Tools"
 HOMEPAGE = "http://www.graphviz.org"
-LICENSE = "EPL-1.0"
+LICENSE = "EPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=9109f5fc16cf963fb3cdd32781b3ce04"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d9fc0efef5228704e7f5b37f27192723"
 DEPENDS = " \
    bison-native \
@@ -23,7 +23,7 @@ SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-re
 SRC_URI:append:class-nativesdk = "\
           file://graphviz-setup.sh \
 "
-SRC_URI[sha256sum] = "fe76529477c22c0cf833ec5a35b430cf710f4705afc465d86292bf13560be584"
+SRC_URI[sha256sum] = "b017378835f7ca12f1a3f1db5c338d7e7af16b284b7007ad73ccec960c1b45b3"
 UPSTREAM_CHECK_URI = "https://graphviz.org/download/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
@@ -68,7 +68,7 @@ do_install:append:class-nativesdk() {
    install -d ${D}${SDKPATHNATIVE}/post-relocate-setup.d
    install -m 0755 ${UNPACKDIR}/graphviz-setup.sh ${D}${SDKPATHNATIVE}/post-relocate-setup.d
 }
-FILES:${PN}:class-nativesdk += "${SDKPATHNATIVE}"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}"
 # create /usr/lib/graphviz/config6
 graphviz_sstate_postinst() {
diff --git a/meta-oe/recipes-graphics/kmscon/kmscon_9.3.2.bb b/meta-oe/recipes-graphics/kmscon/kmscon_9.3.3.bb
index 2db5162857..46550bb6d1 100644
--- a/meta-oe/recipes-graphics/kmscon/kmscon_9.3.2.bb
+++ b/meta-oe/recipes-graphics/kmscon/kmscon_9.3.3.bb
@@ -17,15 +17,17 @@ DEPENDS = "\
    libtsm \
    libxkbcommon \
    udev \
+    zlib \
 "
 SRC_URI = "git://github.com/kmscon/kmscon;protocol=https;branch=main;tag=v${PV}"
-SRCREV = "9ce1dc0dc639e54e243a21d93e13f502a746f0a8"
+SRCREV = "03e50c7db0489daaa41b5f62946fd6aaeab63a6e"
 inherit meson pkgconfig systemd
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'opengl', d)}"
+PACKAGECONFIG[font_freetype] = "-Dfont_freetype=enabled, -Dfont_freetype=disabled, fontconfig freetype"
 PACKAGECONFIG[font_pango] = "-Dfont_pango=enabled, -Dfont_pango=disabled, pango"
 PACKAGECONFIG[multi_seat] = "-Dmulti_seat=enabled, -Dmulti_seat=disabled, systemd"
 PACKAGECONFIG[opengl] = "-Drenderer_gltex=enabled -Dvideo_drm3d=enabled, -Drenderer_gltex=disabled -Dvideo_drm3d=disabled, libdrm virtual/egl virtual/libgles2 virtual/libgbm"
diff --git a/meta-oe/recipes-graphics/libraqm/libraqm_0.10.5.bb b/meta-oe/recipes-graphics/libraqm/libraqm_0.10.5.bb
new file mode 100644
index 0000000000..8eaaee4492
--- /dev/null
+++ b/meta-oe/recipes-graphics/libraqm/libraqm_0.10.5.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A library for complex text layout"
+DESCRIPTION = "\
+    Raqm is a small library that encapsulates the logic for complex text \
+    layout and provides a convenient API. It currently provides bidirectional \
+    text support (using FriBiDi or SheenBidi), shaping (using HarfBuzz), and \
+    proper script itemization. As a result, Raqm can support most writing \
+    systems covered by Unicode. \
+"
+HOMEPAGE = "https://github.com/HOST-Oman/libraqm"
+BUGTRACKER = "https://github.com/HOST-Oman/libraqm/issues"
+SECTION = "graphics"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=7dc444a99e2824eac906383266fe4fa6"
+SRC_URI = "git://github.com/HOST-Oman/libraqm.git;protocol=https;branch=main;tag=v${PV}"
+SRCREV = "3a6b891a3db0e0db1364aa38088422f68d8d81e6"
+DEPENDS = "freetype fribidi harfbuzz"
+inherit meson pkgconfig
+PACKAGECONFIG ?= ""
+PACKAGECONFIG[sheenbidi] = "-Dsheenbidi=true,-Dsheenbidi=false,sheenbidi"
diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-image_2.8.8.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-image_2.8.10.bb
index c15e986dc3..27ddc35381 100644
--- a/meta-oe/recipes-graphics/libsdl/libsdl2-image_2.8.8.bb
+++ b/meta-oe/recipes-graphics/libsdl/libsdl2-image_2.8.10.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=fbb0010b2f7cf6e8a13bcac1ef4d2455"
 DEPENDS = "tiff zlib libpng jpeg virtual/libsdl2 libwebp"
 SRC_URI = "http://www.libsdl.org/projects/SDL_image/release/SDL2_image-${PV}.tar.gz"
-SRC_URI[sha256sum] = "2213b56fdaff2220d0e38c8e420cbe1a83c87374190cba8c70af2156097ce30a"
+SRC_URI[sha256sum] = "ebc059d01c007a62f4b04f10cf858527c875062532296943174df9a80264fd65"
 S = "${UNPACKDIR}/SDL2_image-${PV}"
diff --git a/meta-oe/recipes-graphics/libsdl3/libsdl3-image_3.4.0.bb b/meta-oe/recipes-graphics/libsdl3/libsdl3-image_3.4.2.bb
index 324332eb84..0f7ce92efd 100644
--- a/meta-oe/recipes-graphics/libsdl3/libsdl3-image_3.4.0.bb
+++ b/meta-oe/recipes-graphics/libsdl3/libsdl3-image_3.4.2.bb
@@ -6,8 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=df8f4d887d3997f6e9cf81bb7f43dbf7"
 DEPENDS = "tiff zlib libpng jpeg libsdl3 libwebp libjxl"
-SRC_URI = "git://github.com/libsdl-org/SDL_image.git;protocol=https;branch=release-3.4.x"
+SRC_URI = "git://github.com/libsdl-org/SDL_image.git;protocol=https;branch=release-3.4.x;tag=release-${PV}"
-SRCREV = "ad58ecfc27a1bd09e510ceff8bbbdb1094806476"
+SRCREV = "96a73a551a857b7c8d0ca3cc553a266eabbab6a7"
 EXTRA_OECMAKE += "-DSDLIMAGE_JXL=ON"
diff --git a/meta-oe/recipes-graphics/libsdl3/libsdl3-mixer_3.2.0.bb b/meta-oe/recipes-graphics/libsdl3/libsdl3-mixer_3.2.0.bb
new file mode 100644
index 0000000000..27a02fcc32
--- /dev/null
+++ b/meta-oe/recipes-graphics/libsdl3/libsdl3-mixer_3.2.0.bb
@@ -0,0 +1,28 @@
+SUMMARY = "Provides decoding of many popular audio file formats, mixing, various DSP processing effects and positional audio"
+LICENSE = "Zlib"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=df8f4d887d3997f6e9cf81bb7f43dbf7"
+DEPENDS = "libsdl3"
+SRC_URI = "git://github.com/libsdl-org/SDL_mixer.git;protocol=https;branch=release-3.2.x;tag=release-${PV}"
+SRCREV = "cedfeef30e93db35eee6b25759117da63f8e5a4f"
+inherit cmake pkgconfig
+PACKAGECONFIG ?= "flac wave vorbis"
+PACKAGECONFIG[opus] = "-DSDLMIXER_OPUS=ON -DSDLMIXER_OPUS_SHARED=ON, -DSDLMIXER_OPUS=OFF,opusfile"
+PACKAGECONFIG[vorbis] = "-DSDLMIXER_VORBIS_VORBISFILE=ON -DSDLMIXER_VORBIS_STB=OFF -DSDLMIXER_VORBIS_TREMOR=OFF, -DSDLMIXER_VORBIS_VORBISFILE=OFF -DSDLMIXER_VORBIS_STB=OFF -DSDLMIXER_VORBIS_TREMOR=OFF,libvorbis"
+PACKAGECONFIG[flac] = "-DSDLMIXER_FLAC_LIBFLAC=ON -DSDLMIXER_FLAC_LIBFLAC_SHARED=ON, -DSDLMIXER_FLAC_LIBFLAC=OFF,flac"
+PACKAGECONFIG[xmp] = "-DSDLMIXER_MOD=ON -DSDLMIXER_MOD_XMP=ON -DSDLMIXER_MOD_XMP_SHARED=ON, -DSDLMIXER_MOD=OFF,libxmp,libxmp"
+PACKAGECONFIG[fluidsynth] = "-DSDLMIXER_MIDI=ON -DSDLMIXER_MIDI_FLUIDSYNTH_ENABLED=ON -DSDLMIXER_MIDI_FLUIDSYNTH_SHARED=ON, -DSDLMIXER_MIDI=OFF,fluidsynth,fluidsynth-bin"
+PACKAGECONFIG[wave] = "-DSDLMIXER_WAVE=ON -DSDLMIXER_WAVPACK=ON -DSDLMIXER_WAVPACK_SHARED=ON, -DSDLMIXER_WAVE=OFF,wavpack,wavpack wavpack-bin"
+PACKAGECONFIG[mpg123] = "-DSDLMIXER_MP3 -DSDLMIXER_MP3_MPG123_SHARED=ON -DSDLMIXER_MP3_MPG123=ON, -DSDLMIXER_MP3=OFF,mpg123"
+do_configure:prepend() {
+        touch ${STAGING_BINDIR}/wavpack
+        touch ${STAGING_BINDIR}/wvunpack
+        touch ${STAGING_BINDIR}/wvgain
+        touch ${STAGING_BINDIR}/wvtag
+}
+FILES:${PN} += "${datadir}/licenses"
diff --git a/meta-oe/recipes-graphics/libsdl3/libsdl3_3.4.2.bb b/meta-oe/recipes-graphics/libsdl3/libsdl3_3.4.4.bb
index d6501f855c..0159021280 100644
--- a/meta-oe/recipes-graphics/libsdl3/libsdl3_3.4.2.bb
+++ b/meta-oe/recipes-graphics/libsdl3/libsdl3_3.4.4.bb
@@ -18,7 +18,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL3-${PV}.tar.gz"
 S = "${UNPACKDIR}/SDL3-${PV}"
-SRC_URI[sha256sum] = "ef39a2e3f9a8a78296c40da701967dd1b0d0d6e267e483863ce70f8a03b4050c"
+SRC_URI[sha256sum] = "ee712dbe6a89bb140bbfc2ce72358fb5ee5cc2240abeabd54855012db30b3864"
 inherit cmake lib_package binconfig-disabled pkgconfig upstream-version-is-even
diff --git a/meta-oe/recipes-graphics/libtsm/libtsm_4.4.2.bb b/meta-oe/recipes-graphics/libtsm/libtsm_4.4.3.bb
index 6f060cd0f5..8168360dec 100644
--- a/meta-oe/recipes-graphics/libtsm/libtsm_4.4.2.bb
+++ b/meta-oe/recipes-graphics/libtsm/libtsm_4.4.3.bb
@@ -22,7 +22,7 @@ LIC_FILES_CHKSUM = "\
 DEPENDS = "xkeyboard-config"
 SRC_URI = "git://github.com/kmscon/libtsm;protocol=https;branch=main;tag=v${PV}"
-SRCREV = "b052e48cc776be1cdb940be2dcc1603457c01c96"
+SRCREV = "6cdacfc452bf29d98e297fe3a96e55e94a88ce3e"
 inherit meson pkgconfig
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch
new file mode 100644
index 0000000000..49be9bd0a6
--- /dev/null
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2026-6192.patch
@@ -0,0 +1,35 @@
+From 776b00ff792a3c54b65f3bd92dbe7476a5a54106 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 5 Apr 2026 13:25:27 +0200
+Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential
+ integer overflow leading to insufficient memory allocation
+Fixes #1619
+CVE: CVE-2026-6192
+Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/lib/openjp2/pi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
+index 15ac3314..4abb87af 100644
+--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
+@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image,
+     l_current_pi = l_pi;
+ 
+     /* memory allocation for include*/
+-    l_current_pi->include_size = l_tcp->numlayers * l_step_l;
+-    l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
+-                            sizeof(OPJ_INT16));
+    l_current_pi->include = NULL;
+    if (l_step_l <= UINT_MAX / l_tcp->numlayers) {
+        l_current_pi->include_size = l_tcp->numlayers * l_step_l;
+        l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
+                                sizeof(OPJ_INT16));
+    }
+     if (!l_current_pi->include) {
+         opj_free(l_tmp_data);
+         opj_free(l_tmp_ptr);
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb
index 33dc48b2ea..968b7a0a5c 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.4.bb
@@ -8,6 +8,7 @@ DEPENDS = "libpng tiff lcms zlib"
 SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \
           file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \
           file://CVE-2023-39327.patch \
+           file://CVE-2026-6192.patch \
           "
 SRCREV = "6c4a29b00211eb0430fa0e5e890f1ce5c80f409f"
diff --git a/meta-oe/recipes-graphics/surf/surf/0001-config.ml-make-compatible-with-webkitgtk-2.34.0.patch b/meta-oe/recipes-graphics/surf/surf/0001-config.ml-make-compatible-with-webkitgtk-2.34.0.patch
deleted file mode 100644
index d273d1459f..0000000000
--- a/meta-oe/recipes-graphics/surf/surf/0001-config.ml-make-compatible-with-webkitgtk-2.34.0.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 0cd38e6dbcaff7eef39fd46a60ff8a47e5f488c4 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Sun, 3 Oct 2021 23:08:48 +0200
-Subject: [PATCH] config.ml: make compatible with webkitgtk 2.34.0
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
-Upstream-Status: Pending
- config.mk | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/config.mk
-+++ b/config.mk
-@@ -2,6 +2,7 @@
- VERSION = 2.1
- 
- # Customize below to fit your system
-+PKG_CONFIG ?= pkg-config
- 
- # paths
- PREFIX = /usr/local
-@@ -9,13 +10,13 @@ MANPREFIX = $(PREFIX)/share/man
- LIBPREFIX = $(PREFIX)/lib
- LIBDIR = $(LIBPREFIX)/surf
- 
-X11INC = `pkg-config --cflags x11`
-X11LIB = `pkg-config --libs x11`
-+X11INC = $(shell $(PKG_CONFIG) --cflags x11)
-+X11LIB = $(shell $(PKG_CONFIG) --libs x11)
- 
-GTKINC = `pkg-config --cflags gtk+-3.0 gcr-3 webkit2gtk-4.0`
-GTKLIB = `pkg-config --libs gtk+-3.0 gcr-3 webkit2gtk-4.0`
-WEBEXTINC = `pkg-config --cflags webkit2gtk-4.0 webkit2gtk-web-extension-4.0 gio-2.0`
-WEBEXTLIBS = `pkg-config --libs webkit2gtk-4.0 webkit2gtk-web-extension-4.0 gio-2.0`
-+GTKINC = $(shell $(PKG_CONFIG) --cflags gtk+-3.0 gcr-3 webkit2gtk-4.1)
-+GTKLIB = $(shell $(PKG_CONFIG) --libs gtk+-3.0 gcr-3 webkit2gtk-4.1)
-+WEBEXTINC = $(shell $(PKG_CONFIG) --cflags webkit2gtk-4.1 webkit2gtk-web-extension-4.1 gio-2.0)
-+WEBEXTLIBS = $(shell $(PKG_CONFIG) --libs webkit2gtk-4.1 webkit2gtk-web-extension-4.1 gio-2.0)
- 
- # includes and libs
- INCS = $(X11INC) $(GTKINC)
diff --git a/meta-oe/recipes-graphics/surf/surf_2.1.bb b/meta-oe/recipes-graphics/surf/surf_2.1.bb
index 258c78e509..6da7a0d93e 100644
--- a/meta-oe/recipes-graphics/surf/surf_2.1.bb
+++ b/meta-oe/recipes-graphics/surf/surf_2.1.bb
@@ -9,20 +9,12 @@ DEPENDS = "webkitgtk3 gtk+3 glib-2.0 gcr3"
 REQUIRED_DISTRO_FEATURES = "x11 opengl"
-SRCREV = "665a709b522a6fa18c671f1fc41297603292d0e8"
+SRCREV = "48517e586cdc98bc1af7115674b554cc70c8bc2e"
 SRC_URI = "git://git.suckless.org/surf;branch=surf-webkit2 \
+           file://0001-config.mk-Fix-compiler-and-linker.patch \
           "
-SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'soup3', 'file://0001-config.mk-Fix-compiler-and-linker.patch file://0001-config.ml-make-compatible-with-webkitgtk-2.34.0.patch', '', d)}"
 inherit pkgconfig features_check
-PACKAGECONFIG_SOUP ?= "soup3"
-PACKAGECONFIG ??= "${PACKAGECONFIG_SOUP}"
-PACKAGECONFIG[soup2] = ",,,"
-PACKAGECONFIG[soup3] = ",,,"
 TARGET_CC_ARCH += "${LDFLAGS}"
 do_install () {
diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.16.0.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.16.2.bb
index 6e8e80f283..c9b0cd2404 100644
--- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.16.0.bb
+++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.16.2.bb
@@ -16,9 +16,9 @@ REQUIRED_DISTRO_FEATURES = "x11 pam"
 # out-of-tree builds.
 B = "${S}"
-SRCREV = "dc50022844dfad0a0e195d54b8499fcf242fff0c"
+SRCREV = "b555312d70d7ff017f866649a7e7167af4eb8fca"
-SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.16-branch;protocol=https \
+SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.16-branch;protocol=https;tag=v${PV} \
           file://0001-do-not-build-tests-sub-directory.patch \
           file://0002-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
           file://0003-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
diff --git a/meta-oe/recipes-graphics/xorg-app/setxkbmap_1.3.4.bb b/meta-oe/recipes-graphics/xorg-app/setxkbmap_1.3.5.bb
index 9c522d6ae1..3b0fdf6077 100644
--- a/meta-oe/recipes-graphics/xorg-app/setxkbmap_1.3.4.bb
+++ b/meta-oe/recipes-graphics/xorg-app/setxkbmap_1.3.5.bb
@@ -16,4 +16,4 @@ DEPENDS += "libxkbfile xrandr"
 BBCLASSEXTEND = "native"
 SRC_URI_EXT = "xz"
-SRC_URI[sha256sum] = "be8d8554d40e981d1b93b5ff82497c9ad2259f59f675b38f1b5e84624c07fade"
+SRC_URI[sha256sum] = "360193cecc93f906d8383a8fb5c1f3a7eed35e6ced0e118a64ee56ae13c88cac"
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_407.bb b/meta-oe/recipes-graphics/xorg-app/xterm_408.bb
index 4aecd77f98..0f76bc1209 100644
--- a/meta-oe/recipes-graphics/xorg-app/xterm_407.bb
+++ b/meta-oe/recipes-graphics/xorg-app/xterm_408.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=413ff95100710d7a81
 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
           file://0001-include-missing-pty.h-header-for-openpty.patch \
          "
-SRC_URI[sha256sum] = "2136eba530068a1b7565abbf17823274f5cefb7fe3618355cbc89dc55c8b7b6a"
+SRC_URI[sha256sum] = "27dc9e770885f98fbd0b5b40bcda959dc11ec9ba21f0a33b12aafffcc7f9b813"
 PACKAGECONFIG ?= ""
 PACKAGECONFIG[xft] = "--enable-freetype,--disable-freetype,libxft fontconfig freetype-native"
diff --git a/meta-oe/recipes-graphics/xscreensaver/xscreensaver_6.04.bb b/meta-oe/recipes-graphics/xscreensaver/xscreensaver_6.04.bb
index 8710ec80dc..073b3f0912 100644
--- a/meta-oe/recipes-graphics/xscreensaver/xscreensaver_6.04.bb
+++ b/meta-oe/recipes-graphics/xscreensaver/xscreensaver_6.04.bb
@@ -19,6 +19,7 @@ DEPENDS = "intltool-native libx11 libxext libxt libxft libxi glib-2.0-native bc-
 # These are only needed as part of the stopgap screensaver implementation:
 RDEPENDS:${PN} = " \
    liberation-fonts \
+    xuser-account \
 "
 inherit systemd perlnative pkgconfig gettext autotools-brokensep features_check