From patchwork Wed Oct 1 13:32:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: auh@yoctoproject.org X-Patchwork-Id: 71418 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6BB3CCD19B for ; Wed, 1 Oct 2025 13:32:23 +0000 (UTC) Received: from a27-45.smtp-out.us-west-2.amazonses.com (a27-45.smtp-out.us-west-2.amazonses.com [54.240.27.45]) by mx.groups.io with SMTP id smtpd.web10.17938.1759325536021863842 for ; Wed, 01 Oct 2025 06:32:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@yoctoproject.org header.s=j46ser6a2yusdzubpv7m7ewqgesde2ie header.b=WBb3cKfK; dkim=pass header.i=@amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=mb8ZIBwv; spf=pass (domain: us-west-2.amazonses.com, ip: 54.240.27.45, mailfrom: 010101999ff93c9f-584b08e0-28fd-4b30-8daa-b0002996e17e-000000@us-west-2.amazonses.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=j46ser6a2yusdzubpv7m7ewqgesde2ie; d=yoctoproject.org; t=1759325535; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date; bh=jFd1ZXBZjsOXQuDeLBn6gJQtqlAzS4ws570qBdEDy8M=; b=WBb3cKfK6H++pnFj3OzAVEgkvgTy+7Ydd0u2iPOLCe84qc6ek2/Upd8GLh0c1vyk NPaUv/AiBGYS9bHIzRqO4LSO2s8ggh3mgTPHlBcEjezQOoUAAfacGiGqeCmZK5bgyBq BiPjjjmyIZol59vSH6bQGlZsMp72JlUuaDqNc/Uw= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1759325535; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date:Feedback-ID; bh=jFd1ZXBZjsOXQuDeLBn6gJQtqlAzS4ws570qBdEDy8M=; b=mb8ZIBwv4UQ9GiGAPknGCGBpDmYjd4kuXAbIqa1KZ8Km0a9DkePbHrjES5aW6C34 Zm8tZ4TUlaRpa/Ku1tnxncOMW5O9UmsPAERbBg7f6txr5WajGFAhvYIugG/dW5DUBhd UQ92NDyiXTe0fuJiSx+3BxPIkra2S+vFRVMEFtiM= MIME-Version: 1.0 From: auh@yoctoproject.org To: Chen Qi Cc: openembedded-core@lists.openembedded.org Subject: [AUH] coreutils: upgrading to 9.8 SUCCEEDED Message-ID: <010101999ff93c9f-584b08e0-28fd-4b30-8daa-b0002996e17e-000000@us-west-2.amazonses.com> Date: Wed, 1 Oct 2025 13:32:15 +0000 Feedback-ID: ::1.us-west-2.9np3MYPs3fEaOBysGKSlUD4KtcmPijcmS9Az2Hwf7iQ=:AmazonSES X-SES-Outgoing: 2025.10.01-54.240.27.45 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 01 Oct 2025 13:32:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224225 Hello, this email is a notification from the Auto Upgrade Helper that the automatic attempt to upgrade the recipe(s) *coreutils* to *9.8* has Succeeded. Next steps: - apply the patch: git am 0001-coreutils-upgrade-9.7-9.8.patch - check the changes to upstream patches and summarize them in the commit message, - compile an image that contains the package - perform some basic sanity tests - amend the patch and sign it off: git commit -s --reset-author --amend - send it to the appropriate mailing list Alternatively, if you believe the recipe should not be upgraded at this time, you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that automatic upgrades would no longer be attempted. Please review the attached files for further information and build/update failures. Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler Regards, The Upgrade Helper -- >8 -- From 5ec6cb64ca05bc07beaca12c140d677c9c937e96 Mon Sep 17 00:00:00 2001 From: Upgrade Helper Date: Wed, 1 Oct 2025 08:02:31 +0000 Subject: [PATCH] coreutils: upgrade 9.7 -> 9.8 --- ...1-sort-fix-buffer-under-read-CWE-127.patch | 112 ------------------ .../remove-usr-local-lib-from-m4.patch | 4 +- .../{coreutils_9.7.bb => coreutils_9.8.bb} | 3 +- 3 files changed, 3 insertions(+), 116 deletions(-) delete mode 100644 meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch rename meta/recipes-core/coreutils/{coreutils_9.7.bb => coreutils_9.8.bb} (98%) diff --git a/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch deleted file mode 100644 index 41be1635b5..0000000000 --- a/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?P=C3=A1draig=20Brady?= -Date: Tue, 20 May 2025 16:03:44 +0100 -Subject: [PATCH] sort: fix buffer under-read (CWE-127) - -* src/sort.c (begfield): Check pointer adjustment -to avoid Out-of-range pointer offset (CWE-823). -(limfield): Likewise. -* tests/sort/sort-field-limit.sh: Add a new test, -which triggers with ASAN or Valgrind. -* tests/local.mk: Reference the new test. -* NEWS: Mention bug fix introduced in v7.2 (2009). -Fixes https://bugs.gnu.org/78507 - -CVE: CVE-2025-5278 - -Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] - -Signed-off-by: Chen Qi ---- - src/sort.c | 12 ++++++++++-- - tests/local.mk | 1 + - tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++ - 3 files changed, 46 insertions(+), 2 deletions(-) - create mode 100755 tests/sort/sort-field-limit.sh - -diff --git a/src/sort.c b/src/sort.c -index b10183b6f..7af1a2512 100644 ---- a/src/sort.c -+++ b/src/sort.c -@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key) - ++ptr; - - /* Advance PTR by SCHAR (if possible), but no further than LIM. */ -- ptr = MIN (lim, ptr + schar); -+ size_t remaining_bytes = lim - ptr; -+ if (schar < remaining_bytes) -+ ptr += schar; -+ else -+ ptr = lim; - - return ptr; - } -@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key) - ++ptr; - - /* Advance PTR by ECHAR (if possible), but no further than LIM. */ -- ptr = MIN (lim, ptr + echar); -+ size_t remaining_bytes = lim - ptr; -+ if (echar < remaining_bytes) -+ ptr += echar; -+ else -+ ptr = lim; - } - - return ptr; -diff --git a/tests/local.mk b/tests/local.mk -index 4da6756ac..642d225fa 100644 ---- a/tests/local.mk -+++ b/tests/local.mk -@@ -388,6 +388,7 @@ all_tests = \ - tests/sort/sort-debug-keys.sh \ - tests/sort/sort-debug-warn.sh \ - tests/sort/sort-discrim.sh \ -+ tests/sort/sort-field-limit.sh \ - tests/sort/sort-files0-from.pl \ - tests/sort/sort-float.sh \ - tests/sort/sort-h-thousands-sep.sh \ -diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh -new file mode 100755 -index 000000000..52d8e1d17 ---- /dev/null -+++ b/tests/sort/sort-field-limit.sh -@@ -0,0 +1,35 @@ -+#!/bin/sh -+# From 7.2-9.7, this would trigger an out of bounds mem read -+ -+# Copyright (C) 2025 Free Software Foundation, Inc. -+ -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+ -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+ -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+ -+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src -+print_ver_ sort -+getlimits_ -+ -+# This issue triggers with valgrind or ASAN -+valgrind --error-exitcode=1 sort --version 2>/dev/null && -+ VALGRIND='valgrind --error-exitcode=1' -+ -+{ printf '%s\n' aa bb; } > in || framework_failure_ -+ -+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1 -+compare in out || fail=1 -+ -+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1 -+compare in out || fail=1 -+ -+Exit $fail --- -2.34.1 - diff --git a/meta/recipes-core/coreutils/coreutils/remove-usr-local-lib-from-m4.patch b/meta/recipes-core/coreutils/coreutils/remove-usr-local-lib-from-m4.patch index 718de0ab78..0829112005 100644 --- a/meta/recipes-core/coreutils/coreutils/remove-usr-local-lib-from-m4.patch +++ b/meta/recipes-core/coreutils/coreutils/remove-usr-local-lib-from-m4.patch @@ -1,4 +1,4 @@ -From f53ffb5b27ab7d4a4c62df00ebd6a1a6936d1709 Mon Sep 17 00:00:00 2001 +From 6552c48cab4f4dfb100d62af030e4135871325d5 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 3 Aug 2011 14:12:30 -0700 Subject: [PATCH] coreutils: Fix build on uclibc @@ -17,7 +17,7 @@ Upstream-Status: Inappropriate [Upstream does care for AIX while we may not] 1 file changed, 12 deletions(-) diff --git a/m4/getloadavg.m4 b/m4/getloadavg.m4 -index 9d0236f..68f7c52 100644 +index 0d80b64..7ed11e5 100644 --- a/m4/getloadavg.m4 +++ b/m4/getloadavg.m4 @@ -46,18 +46,6 @@ if test $ac_cv_func_getloadavg != yes; then diff --git a/meta/recipes-core/coreutils/coreutils_9.7.bb b/meta/recipes-core/coreutils/coreutils_9.8.bb similarity index 98% rename from meta/recipes-core/coreutils/coreutils_9.7.bb rename to meta/recipes-core/coreutils/coreutils_9.8.bb index 201be4144c..795d74582b 100644 --- a/meta/recipes-core/coreutils/coreutils_9.7.bb +++ b/meta/recipes-core/coreutils/coreutils_9.8.bb @@ -15,10 +15,9 @@ inherit autotools gettext texinfo SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ file://remove-usr-local-lib-from-m4.patch \ - file://0001-sort-fix-buffer-under-read-CWE-127.patch \ file://run-ptest \ " -SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf" +SRC_URI[sha256sum] = "e6d4fd2d852c9141a1c2a18a13d146a0cd7e45195f72293a4e4c044ec6ccca15" # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 #