
[meta-security] suricata: fix CVE-2025-64332 && CVE-2025-64344

Message ID 20260112051833.59731-1-hprajapati@mvista.com
State New
Series [meta-security] suricata: fix CVE-2025-64332 && CVE-2025-64344

Commit Message

Hitendra Prajapati Jan. 12, 2026, 5:18 a.m. UTC
Backport fixes for:

* CVE-2025-64332 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117
* CVE-2025-64344 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/d364b04a595facd5980c44f4f9ea39319999bf66

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../suricata/files/CVE-2025-64332.patch       | 44 ++++++++++++++++
 .../suricata/files/CVE-2025-64344.patch       | 50 +++++++++++++++++++
 recipes-ids/suricata/suricata_7.0.12.bb       |  2 +
 3 files changed, 96 insertions(+)
 create mode 100644 recipes-ids/suricata/files/CVE-2025-64332.patch
 create mode 100644 recipes-ids/suricata/files/CVE-2025-64344.patch

Comments

Clayton Casciato Jan. 12, 2026, 1:51 p.m. UTC | #1
> Backport fixes for:
>
> * CVE-2025-64332 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117
> * CVE-2025-64344 - Upstream-Status: Backport from https://github.com/OISF/suricata/commit/d364b04a595facd5980c44f4f9ea39319999bf66
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Hi, Hitendra

These are not an issue as of 1a0643fa366f ("suricata: update to 7.0.13")
https://git.yoctoproject.org/meta-security/commit/?id=1a0643fa366f31d439b4300bea5e3a87088e59a2

Please note Scott's previous direction:
"Going forward, I would prefer suricata and libhtp upgrades over
accruing a large set of CVE patches [...]"
https://lists.yoctoproject.org/g/yocto-patches/message/2658

Clayton Casciato

Patch

diff --git a/recipes-ids/suricata/files/CVE-2025-64332.patch b/recipes-ids/suricata/files/CVE-2025-64332.patch
new file mode 100644
index 0000000..9beb3f0
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2025-64332.patch
@@ -0,0 +1,44 @@ 
+From ad446c9006a77490af51c468aae0ce934f4d2117 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 30 Oct 2025 11:27:22 +0100
+Subject: [PATCH] util/swf: move allocation from stack to heap
+
+As it can overflow the stack
+
+Ticket: 8055
+(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)
+
+CVE: CVE-2025-64332
+Upstream-Status: Backport [https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/util-file-decompression.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util-file-decompression.c b/src/util-file-decompression.c
+index dfafdc8..bf65b0b 100644
+--- a/src/util-file-decompression.c
++++ b/src/util-file-decompression.c
+@@ -169,7 +169,10 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
+          * | LZMA properties | Uncompressed length | Compressed data |
+          */
+         compressed_data_len += 13;
+-        uint8_t compressed_data[compressed_data_len];
++        uint8_t *compressed_data = SCCalloc(1, compressed_data_len);
++        if (compressed_data == NULL) {
++            goto error;
++        }
+         /* put lzma properties */
+         memcpy(compressed_data, buffer + 12, 5);
+         /* put lzma end marker */
+@@ -183,6 +186,7 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
+         r = FileSwfLzmaDecompression(det_ctx,
+                                      compressed_data, compressed_data_len,
+                                      out_buffer->buf + 8, out_buffer->len - 8);
++        SCFree(compressed_data);
+         if (r == 0)
+             goto error;
+     } else {
+-- 
+2.50.1
+
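Review bot: the `SCFree(compressed_data)` added in the second inner hunk (`@@ -183,6 +186,7 @@`) is the only release of the new heap buffer, and the `error:` label is not touched by this patch, so the lines of util-file-decompression.c between the two inner hunks (original 176-182, not in the diff) need checking for any `goto error` that would now leak the allocation where the old VLA was simply discarded; if there is none, a sentence in the recipe patch header saying so would save the next reviewer the same check. The early `goto error` on `SCCalloc` failure is fine since nothing has been allocated at that point.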
diff --git a/recipes-ids/suricata/files/CVE-2025-64344.patch b/recipes-ids/suricata/files/CVE-2025-64344.patch
new file mode 100644
index 0000000..0a0bc27
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2025-64344.patch
@@ -0,0 +1,50 @@ 
+From d364b04a595facd5980c44f4f9ea39319999bf66 Mon Sep 17 00:00:00 2001
+From: Victor Julien <vjulien@oisf.net>
+Date: Fri, 31 Oct 2025 09:38:55 +0100
+Subject: [PATCH] lua: remove luajit pushlstring workaround
+
+81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
+added a workaround for valgrind warnings in pushing a string buffer
+into the lua state. This is no longer needed as tested with both
+address sanitizer and valgrind.
+
+(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a)
+
+CVE: CVE-2025-64344
+Upstream-Status: Backport [https://github.com/OISF/suricata/commit/d364b04a595facd5980c44f4f9ea39319999bf66]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/util-lua.c | 17 +----------------
+ 1 file changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/src/util-lua.c b/src/util-lua.c
+index 9e65c30..3dd1d31 100644
+--- a/src/util-lua.c
++++ b/src/util-lua.c
+@@ -328,22 +328,7 @@ void LuaPrintStack(lua_State *state) {
+ 
+ int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
+ {
+-    if (input_len % 4 != 0) {
+-        /* we're using a buffer sized at a multiple of 4 as lua_pushlstring generates
+-         * invalid read errors in valgrind otherwise. Adding in a nul to be sure.
+-         *
+-         * Buffer size = len + 1 (for nul) + whatever makes it a multiple of 4 */
+-        size_t buflen = input_len + 1 + ((input_len + 1) % 4);
+-        uint8_t buf[buflen];
+-        memset(buf, 0x00, buflen);
+-        memcpy(buf, input, input_len);
+-        buf[input_len] = '\0';
+-
+-        /* return value through luastate, as a luastring */
+-        lua_pushlstring(luastate, (char *)buf, input_len);
+-    } else {
+-        lua_pushlstring(luastate, (char *)input, input_len);
+-    }
++    lua_pushlstring(luastate, (char *)input, input_len);
+     return 1;
+ }
+ 
+-- 
+2.50.1
+
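Review bot: the commit text carried in this hunk describes the change only as dropping a valgrind workaround, but the removed branch is a VLA `uint8_t buf[buflen]` with `buflen` derived from the caller-supplied `input_len`, i.e. an unbounded stack allocation on the Lua path; since the file is shipped as a CVE fix (`CVE: CVE-2025-64344`), the recipe-level header should state that this is what the removal addresses rather than leaving it to be inferred. Incidentally the removed arithmetic `input_len + 1 + ((input_len + 1) % 4)` adds the remainder instead of the shortfall, so the buffer was not actually a multiple of 4 as its comment claimed; moot once the branch is gone, but worth noting for anyone tempted to reintroduce it.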
diff --git a/recipes-ids/suricata/suricata_7.0.12.bb b/recipes-ids/suricata/suricata_7.0.12.bb
index ff022e0..a87bd58 100644
--- a/recipes-ids/suricata/suricata_7.0.12.bb
+++ b/recipes-ids/suricata/suricata_7.0.12.bb
@@ -16,6 +16,8 @@  SRC_URI += " \
     file://suricata.service \
     file://run-ptest \
     file://0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch \
+    file://CVE-2025-64332.patch \
+    file://CVE-2025-64344.patch \
     "
 
 inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
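Review bot: this hunk targets `recipes-ids/suricata/suricata_7.0.12.bb`, but as the reply in the thread points out, the layer already moved to 7.0.13 in 1a0643fa366f ("suricata: update to 7.0.13"), a release that contains both upstream commits; against current master the recipe file no longer exists, so the patch will not apply, and the two `file://CVE-*.patch` entries would be dead weight. Given the maintainer's stated preference for version upgrades over accumulating CVE patches, the series should be dropped or rebased as a backport to a branch that still ships 7.0.12.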