From patchwork Mon Oct 27 21:38:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 73126 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AED3DCCF9EA for ; Mon, 27 Oct 2025 21:38:54 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.3362.1761601124767026662 for ; Mon, 27 Oct 2025 14:38:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=dO2A1rjt; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-20251027213842ab888cf67400020725-grkk_c@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20251027213842ab888cf67400020725 for ; Mon, 27 Oct 2025 22:38:42 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=zMLp1rRnfbdrsk8hYOt3pKi6KyXgWClnEIMF2Ep2tmc=; b=dO2A1rjt08/G0Tl0Kyijj+OGR0hc/wzrngQrtkc8B/lZW4MLdd5h5J1GlntVkf0WWDs0a4 R1G4Xegu3htj+rTizgijutwzV0YnhH7dx9eKjrMCPLC8g2kuvvoRqXjH79VTy6HRkp+viuyz iDyIOnVA7EpzNX5Benij5ZOkQ3NXbHPw4IsZ5LD19JA7s5FwsPKjaCKmUdvQKRzzYE6y2MVH WM8TZavdrRLA7xmvh5BOGoLn6k76XYUcgiz+yyy4yAnSyutVxlaaogRLcXa+Nl98jk88LvrA ef7kF9qeXzsuVnEUsr3VXtgM7nSdqoZCjcf0QrSg4f1cM5usAJRQ0l8A==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH] lz4: patch CVE-2025-62813 Date: Mon, 27 Oct 2025 22:38:40 +0100 Message-Id: <20251027213840.3983437-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 27 Oct 2025 21:38:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225363 Pick commit mentioned in NVD report. Signed-off-by: Peter Marko --- .../lz4/files/CVE-2025-62813.patch | 69 +++++++++++++++++++ meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch new file mode 100644 index 0000000000..cb4d497d7c --- /dev/null +++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch @@ -0,0 +1,69 @@ +From f64efec011c058bd70348576438abac222fe6c82 Mon Sep 17 00:00:00 2001 +From: louislafosse +Date: Mon, 31 Mar 2025 20:48:52 +0200 +Subject: [PATCH] fix(null) : improve error handlings when passing a null + pointer to some functions from lz4frame + +CVE: CVE-2025-62813 +Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82] +Signed-off-by: Peter Marko +--- + lib/lz4frame.c | 15 +++++++++++++-- + tests/frametest.c | 9 ++++++--- + 2 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/lib/lz4frame.c b/lib/lz4frame.c +index 85daca7b..c9e4a3cf 100644 +--- a/lib/lz4frame.c ++++ b/lib/lz4frame.c +@@ -530,9 +530,16 @@ LZ4F_CDict* + LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize) + { + const char* dictStart = (const char*)dictBuffer; +- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ LZ4F_CDict* cdict = NULL; ++ + DEBUGLOG(4, "LZ4F_createCDict_advanced"); +- if (!cdict) return NULL; ++ ++ if (!dictStart) ++ return NULL; ++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ if (!cdict) ++ return NULL; ++ + cdict->cmem = cmem; + if (dictSize > 64 KB) { + dictStart += dictSize - 64 KB; +@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx, + LZ4F_frameInfo_t* frameInfoPtr, + const void* srcBuffer, size_t* srcSizePtr) + { ++ assert(dctx != NULL); ++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null); ++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null); ++ + LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader); + if (dctx->dStage > dstage_storeFrameHeader) { + /* frameInfo already decoded */ +diff --git a/tests/frametest.c b/tests/frametest.c +index de0fe643..90247547 100644 +--- a/tests/frametest.c ++++ b/tests/frametest.c +@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility) + size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */ + size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL); + size_t cSizeNoDict, cSizeWithDict; +- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize); +- if (cdict == NULL) goto _output_error; +- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ LZ4F_CDict* cdict = NULL; + ++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ cdict = LZ4F_createCDict(CNBuffer, dictSize); ++ if (cdict == NULL) ++ goto _output_error; ++ + DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : "); + { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize); + if (cda == NULL) goto _output_error; diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb index a2a178bab5..16bb4d0823 100644 --- a/meta/recipes-support/lz4/lz4_1.9.4.bb +++ b/meta/recipes-support/lz4/lz4_1.9.4.bb @@ -12,7 +12,9 @@ PE = "1" SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964" -SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https" +SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \ + file://CVE-2025-62813.patch \ +" UPSTREAM_CHECK_GITTAGREGEX = "v(?P.*)" S = "${WORKDIR}/git"