Message ID | 20250712125054.3281625-1-peter.marko@siemens.com |
---|---|
State | New |
Series | [meta-oe,walnascar,1/2] spdlog: patch CVE-2025-6140 |
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information:

---

Testing patch /home/patchtest/share/mboxes/meta-oe-walnascar-1-2-spdlog-patch-CVE-2025-6140.patch

FAIL: test target mailing list: Series sent to the wrong mailing list or some patches from the series correspond to different mailing lists (test_mbox.TestMbox.test_target_mailing_list)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest.

Thank you!
diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch new file mode 100644 index 0000000000..af135adee2 --- /dev/null +++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch @@ -0,0 +1,46 @@ +From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001 +From: Gabi Melman <gmelman1@gmail.com> +Date: Mon, 17 Mar 2025 15:46:31 +0200 +Subject: [PATCH] Fixed issue #3360 (#3361) + +CVE: CVE-2025-6140 +Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + include/spdlog/pattern_formatter-inl.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h +index b53d8051..fd408ed5 100644 +--- a/include/spdlog/pattern_formatter-inl.h ++++ b/include/spdlog/pattern_formatter-inl.h +@@ -70,6 +70,9 @@ public: + pad_it(remaining_pad_); + } else if (padinfo_.truncate_) { + long new_size = static_cast<long>(dest_.size()) + remaining_pad_; ++ if (new_size < 0) { ++ new_size = 0; ++ } + dest_.resize(static_cast<size_t>(new_size)); + } + } +@@ -264,7 +267,7 @@ public: + : flag_formatter(padinfo) {} + + void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override { +- const size_t field_size = 10; ++ const size_t field_size = 8; + ScopedPadder p(field_size, padinfo_, dest); + + fmt_helper::pad2(tm_time.tm_mon + 1, dest); +@@ -926,9 +929,8 @@ private: + memory_buf_t cached_datetime_; + + #ifndef SPDLOG_NO_TLS +- mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info{}}; ++ mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info {}}; + #endif +- + }; + + } // namespace details diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb index 963de54f73..dbe0e4c2aa 100644 
--- a/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb +++ b/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb @@ -5,7 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=9573510928429ad0cbe5ba4de77546e9" PV .= "+git" SRCREV = "96a8f6250cbf4e8c76387c614f666710a2fa9bad" -SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x" +SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x \ + file://CVE-2025-6140.patch \ +" DEPENDS += "fmt"
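Review bot: The `if (new_size < 0)` clamp in the `@@ -70,6 +70,9 @@` hunk of `pattern_formatter-inl.h` arrives with no test and no description of the case it guards. The embedded subject is only "Fixed issue #3360 (#3361)" and the diffstat lists the header file alone. The guard itself is sound: in the `padinfo_.truncate_` branch `new_size` is `dest_.size()` plus `remaining_pad_`, and a negative result would otherwise reach `dest_.resize(static_cast<size_t>(new_size))` as a very large unsigned size. Please add one sentence to the patch header stating that a truncating pad can drive `new_size` below zero, so that whoever refreshes this backport knows what the three added lines protect.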
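Review bot: The `field_size` change from 10 to 8 in the `@@ -264,7 +267,7 @@` hunk is unexplained, and its relation to CVE-2025-6140 cannot be read from the hunk or from the patch header. The constant is handed straight to `ScopedPadder p(field_size, padinfo_, dest);`, so a value that does not match the number of characters the formatter writes skews how much is padded or truncated. A short comment next to `const size_t field_size = 8;` naming the output layout it corresponds to would make the number checkable in review; short of changing the upstream hunk, a line in the patch header would do.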
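Review bot: The `@@ -926,9 +929,8 @@` hunk is whitespace only (`padding_info{}` becomes `padding_info {}` and the blank line before `};` is dropped) and contributes nothing to the fix. Keeping it is defensible because `Upstream-Status: Backport` points at a single upstream commit and the patch then matches it exactly, but it widens the surface for conflicts with later backports touching the end of `pattern_formatter-inl.h`. If the patch is ever refreshed rather than taken verbatim, this hunk is the one to drop.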