diff mbox series

[meta-oe,walnascar,1/2] spdlog: patch CVE-2025-6140

Message ID 20250712125820.3282479-1-peter.marko@siemens.com
State New
Headers show
Series [meta-oe,walnascar,1/2] spdlog: patch CVE-2025-6140 | expand

Commit Message

Peter Marko July 12, 2025, 12:58 p.m. UTC 
From: Peter Marko <peter.marko@siemens.com>

Pick commit [1] mentioned in [2] as listed in [3].

[1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094
[2] https://github.com/gabime/spdlog/issues/3360
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../spdlog/spdlog/CVE-2025-6140.patch         | 46 +++++++++++++++++++
 .../recipes-support/spdlog/spdlog_1.15.0.bb   |  4 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
new file mode 100644
index 0000000000..af135adee2
--- /dev/null
+++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
@@ -0,0 +1,46 @@ 
+From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001
+From: Gabi Melman <gmelman1@gmail.com>
+Date: Mon, 17 Mar 2025 15:46:31 +0200
+Subject: [PATCH] Fixed issue #3360 (#3361)
+
+CVE: CVE-2025-6140
+Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/spdlog/pattern_formatter-inl.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h
+index b53d8051..fd408ed5 100644
+--- a/include/spdlog/pattern_formatter-inl.h
++++ b/include/spdlog/pattern_formatter-inl.h
+@@ -70,6 +70,9 @@ public:
+             pad_it(remaining_pad_);
+         } else if (padinfo_.truncate_) {
+             long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
++            if (new_size < 0) {
++                new_size = 0;
++            }
+             dest_.resize(static_cast<size_t>(new_size));
+         }
+     }
+@@ -264,7 +267,7 @@ public:
+         : flag_formatter(padinfo) {}
+ 
+     void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override {
+-        const size_t field_size = 10;
++        const size_t field_size = 8;
+         ScopedPadder p(field_size, padinfo_, dest);
+ 
+         fmt_helper::pad2(tm_time.tm_mon + 1, dest);
+@@ -926,9 +929,8 @@ private:
+     memory_buf_t cached_datetime_;
+ 
+ #ifndef SPDLOG_NO_TLS
+-    mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info{}};
++    mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info {}};
+ #endif
+-
+ };
+ 
+ }  // namespace details
diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb
index 963de54f73..dbe0e4c2aa 100644
--- a/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb
+++ b/meta-oe/recipes-support/spdlog/spdlog_1.15.0.bb
@@ -5,7 +5,9 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=9573510928429ad0cbe5ba4de77546e9"
 
 PV .= "+git"
 SRCREV = "96a8f6250cbf4e8c76387c614f666710a2fa9bad"
-SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x"
+SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x \
+    file://CVE-2025-6140.patch \
+"
 
 DEPENDS += "fmt"