
[meta-multimedia,2/7] libde265: patch CVE-2025-61147

Message ID 20260317172346.2862459-2-skandigraun@gmail.com

Commit Message

Gyorgy Sarvari March 17, 2026, 5:23 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../libde265/libde265/CVE-2025-61147.patch    | 103 ++++++++++++++++++
 .../libde265/libde265_1.0.16.bb               |   4 +-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch

Comments

Ankur Tyagi March 18, 2026, 12:44 a.m. UTC | #1
On Wed, Mar 18, 2026 at 6:23 AM Gyorgy Sarvari via
lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
wrote:
>
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61147
>
> Backport the patch that is referenced by the NVD advisory.
>
A new version, 1.0.17, is available which includes a fix for this CVE.
We can drop this patch and upgrade the recipe instead [1]

[1] https://lists.openembedded.org/g/openembedded-devel/message/125336

cheers
Ankur

> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
>  .../libde265/libde265/CVE-2025-61147.patch    | 103 ++++++++++++++++++
>  .../libde265/libde265_1.0.16.bb               |   4 +-
>  2 files changed, 106 insertions(+), 1 deletion(-)
>  create mode 100644 meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
>
> diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
> new file mode 100644
> index 0000000000..56d48f2a7d
> --- /dev/null
> +++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
> @@ -0,0 +1,103 @@
> +From d73508b7578964f2115ddf051b8fe9b4445978d4 Mon Sep 17 00:00:00 2001
> +From: Dirk Farin <dirk.farin@gmail.com>
> +Date: Tue, 9 Sep 2025 15:14:05 +0200
> +Subject: [PATCH] check for valid integer command line parameters (#484)
> +
> +CVE: CVE-2025-61147
> +Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + CMakeLists.txt   |  2 +-
> + dec265/dec265.cc | 44 +++++++++++++++++++++++++++++++++++++++++---
> + 2 files changed, 42 insertions(+), 4 deletions(-)
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index 4da99216..997945a9 100644
> +--- a/CMakeLists.txt
> ++++ b/CMakeLists.txt
> +@@ -5,7 +5,7 @@ project (libde265
> +     VERSION 1.0.16
> + )
> +
> +-set(CMAKE_CXX_STANDARD 11)
> ++set(CMAKE_CXX_STANDARD 17)
> + set(CMAKE_CXX_STANDARD_REQUIRED ON)
> + set(CMAKE_CXX_EXTENSIONS OFF)
> + set(CMAKE_POSITION_INDEPENDENT_CODE ON)
> +diff --git a/dec265/dec265.cc b/dec265/dec265.cc
> +index 79f67cd3..ecf5d131 100644
> +--- a/dec265/dec265.cc
> ++++ b/dec265/dec265.cc
> +@@ -27,6 +27,10 @@
> + #define DO_MEMORY_LOGGING 0
> +
> + #include "de265.h"
> ++#include <stdexcept>
> ++#include <iostream>
> ++#include <optional>
> ++
> + #ifdef HAVE_CONFIG_H
> + #include "config.h"
> + #endif
> +@@ -563,6 +567,40 @@ void (*volatile __malloc_initialize_hook)(void) = init_my_hooks;
> + #endif
> +
> +
> ++int parse_param(const char* arg, std::optional<int> lower_bound, std::optional<int> upper_bound, const char* arg_name)
> ++{
> ++  int value;
> ++
> ++  try {
> ++    size_t len;
> ++    value = std::stoi(optarg, &len);
> ++    if (arg[len] != 0) {
> ++      std::cerr << "invalid argument to " << arg_name << "\n";
> ++      exit(5);
> ++    }
> ++  } catch (std::invalid_argument const& ex) {
> ++    std::cerr << "invalid argument to " << arg_name << "\n";
> ++    exit(5);
> ++  }
> ++  catch (std::out_of_range const& ex) {
> ++    std::cerr << "argument to -T is out of range\n";
> ++    exit(5);
> ++  }
> ++
> ++  if (lower_bound && value < *lower_bound) {
> ++    std::cerr << "argument to " << arg_name << " may not be smaller than " << *lower_bound << "\n";
> ++    exit(5);
> ++  }
> ++
> ++  if (upper_bound && value > *upper_bound) {
> ++    std::cerr << "argument to " << arg_name << " may not be larger than " << *upper_bound << "\n";
> ++    exit(5);
> ++  }
> ++
> ++  return value;
> ++}
> ++
> ++
> + int main(int argc, char** argv)
> + {
> +   while (1) {
> +@@ -578,9 +616,9 @@ int main(int argc, char** argv)
> +
> +     switch (c) {
> +     case 'q': quiet++; break;
> +-    case 't': nThreads=atoi(optarg); break;
> ++    case 't': nThreads=parse_param(optarg, 0, std::nullopt, "-t"); break;
> +     case 'c': check_hash=true; break;
> +-    case 'f': max_frames=atoi(optarg); break;
> ++    case 'f': max_frames=parse_param(optarg, 1, std::nullopt, "-f"); break;
> +     case 'o': write_yuv=true; output_filename=optarg; break;
> +     case 'h': show_help=true; break;
> +     case 'd': dump_headers=true; break;
> +@@ -592,7 +630,7 @@ int main(int argc, char** argv)
> +     case 'm': measure_quality=true; reference_filename=optarg; break;
> +     case 's': show_ssim_map=true; break;
> +     case 'e': show_psnr_map=true; break;
> +-    case 'T': highestTID=atoi(optarg); break;
> ++    case 'T': highestTID = parse_param(optarg, 0, std::nullopt, "-T"); break;
> +     case 'v': verbosity++; break;
> +     }
> +   }
> diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
> index 40910633e8..701f0e5f69 100644
> --- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
> +++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
> @@ -8,7 +8,9 @@ LICENSE = "LGPL-3.0-only & MIT"
>  LICENSE_FLAGS = "commercial"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"
>
> -SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV}"
> +SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV} \
> +           file://CVE-2025-61147.patch \
> +           "
>  SRCREV = "7ba65889d3d6d8a0d99b5360b028243ba843be3a"
>
>
>
>

Patch

diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
new file mode 100644
index 0000000000..56d48f2a7d
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
@@ -0,0 +1,103 @@ 
+From d73508b7578964f2115ddf051b8fe9b4445978d4 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 9 Sep 2025 15:14:05 +0200
+Subject: [PATCH] check for valid integer command line parameters (#484)
+
+CVE: CVE-2025-61147
+Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ CMakeLists.txt   |  2 +-
+ dec265/dec265.cc | 44 +++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 4da99216..997945a9 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -5,7 +5,7 @@ project (libde265
+     VERSION 1.0.16
+ )
+ 
+-set(CMAKE_CXX_STANDARD 11)
++set(CMAKE_CXX_STANDARD 17)
+ set(CMAKE_CXX_STANDARD_REQUIRED ON)
+ set(CMAKE_CXX_EXTENSIONS OFF)
+ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+diff --git a/dec265/dec265.cc b/dec265/dec265.cc
+index 79f67cd3..ecf5d131 100644
+--- a/dec265/dec265.cc
++++ b/dec265/dec265.cc
+@@ -27,6 +27,10 @@
+ #define DO_MEMORY_LOGGING 0
+ 
+ #include "de265.h"
++#include <stdexcept>
++#include <iostream>
++#include <optional>
++
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+ #endif
+@@ -563,6 +567,40 @@ void (*volatile __malloc_initialize_hook)(void) = init_my_hooks;
+ #endif
+ 
+ 
++int parse_param(const char* arg, std::optional<int> lower_bound, std::optional<int> upper_bound, const char* arg_name)
++{
++  int value;
++
++  try {
++    size_t len;
++    value = std::stoi(optarg, &len);
++    if (arg[len] != 0) {
++      std::cerr << "invalid argument to " << arg_name << "\n";
++      exit(5);
++    }
++  } catch (std::invalid_argument const& ex) {
++    std::cerr << "invalid argument to " << arg_name << "\n";
++    exit(5);
++  }
++  catch (std::out_of_range const& ex) {
++    std::cerr << "argument to -T is out of range\n";
++    exit(5);
++  }
++
++  if (lower_bound && value < *lower_bound) {
++    std::cerr << "argument to " << arg_name << " may not be smaller than " << *lower_bound << "\n";
++    exit(5);
++  }
++
++  if (upper_bound && value > *upper_bound) {
++    std::cerr << "argument to " << arg_name << " may not be larger than " << *upper_bound << "\n";
++    exit(5);
++  }
++
++  return value;
++}
++
++
+ int main(int argc, char** argv)
+ {
+   while (1) {
+@@ -578,9 +616,9 @@ int main(int argc, char** argv)
+ 
+     switch (c) {
+     case 'q': quiet++; break;
+-    case 't': nThreads=atoi(optarg); break;
++    case 't': nThreads=parse_param(optarg, 0, std::nullopt, "-t"); break;
+     case 'c': check_hash=true; break;
+-    case 'f': max_frames=atoi(optarg); break;
++    case 'f': max_frames=parse_param(optarg, 1, std::nullopt, "-f"); break;
+     case 'o': write_yuv=true; output_filename=optarg; break;
+     case 'h': show_help=true; break;
+     case 'd': dump_headers=true; break;
+@@ -592,7 +630,7 @@ int main(int argc, char** argv)
+     case 'm': measure_quality=true; reference_filename=optarg; break;
+     case 's': show_ssim_map=true; break;
+     case 'e': show_psnr_map=true; break;
+-    case 'T': highestTID=atoi(optarg); break;
++    case 'T': highestTID = parse_param(optarg, 0, std::nullopt, "-T"); break;
+     case 'v': verbosity++; break;
+     }
+   }
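Review bot: `parse_param` parses the getopt global `optarg` rather than its own `arg` parameter (`value = std::stoi(optarg, &len);`) and then indexes `arg[len]`, so the trailing-character check only lines up because every call site in this patch passes `optarg`; any caller passing a different string would read past the end of `arg`. The second catch block also hardcodes the option name (`std::cerr << "argument to -T is out of range\n";`), so an out-of-range `-t` or `-f` value is reported against the wrong flag. Both defects come from the upstream commit being backported, so either carry them unchanged and say so in the patch header, or change the two lines to `value = std::stoi(arg, &len);` and `std::cerr << "argument to " << arg_name << " is out of range\n";` and mark the patch as deviating from upstream. The patch additionally bumps CMAKE_CXX_STANDARD from 11 to 17 for `<optional>`; that only takes effect if the recipe builds through CMake, which is not visible from this hunk and is worth confirming against the .bb.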
diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
index 40910633e8..701f0e5f69 100644
--- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
@@ -8,7 +8,9 @@  LICENSE = "LGPL-3.0-only & MIT"
 LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"
 
-SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV}"
+SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV} \
+           file://CVE-2025-61147.patch \
+           "
 SRCREV = "7ba65889d3d6d8a0d99b5360b028243ba843be3a"