[meta-oe,scarthgap,1/1] yasm: fix CVE-2024-22653

Message ID	20251015115942.2061723-1-praveen.kumar@windriver.com
State	New
Headers	show Return-Path: <praveen.kumar@windriver.com> ip: 205.220.166.238, mailfrom: prvs=23839a5c94=praveen.kumar@windriver.com) From: <praveen.kumar@windriver.com> To: <openembedded-devel@lists.openembedded.org> Subject: [oe][meta-oe][scarthgap][PATCH 1/1] yasm: fix CVE-2024-22653 Date: Wed, 15 Oct 2025 17:29:42 +0530 Message-ID: <20251015115942.2061723-1-praveen.kumar@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[meta-oe,scarthgap,1/1] yasm: fix CVE-2024-22653 \| expand [meta-oe,scarthgap,1/1] yasm: fix CVE-2024-22653

Message ID

20251015115942.2061723-1-praveen.kumar@windriver.com

State

New

Headers

From: <praveen.kumar@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [oe][meta-oe][scarthgap][PATCH 1/1] yasm: fix CVE-2024-22653
Date: Wed, 15 Oct 2025 17:29:42 +0530
Message-ID: <20251015115942.2061723-1-praveen.kumar@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[meta-oe,scarthgap,1/1] yasm: fix CVE-2024-22653 | expand

Commit Message

pkumar7 Oct. 15, 2025, 11:59 a.m. UTC

From: Praveen Kumar <praveen.kumar@windriver.com>

yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653

Upstream-patch:
https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 .../yasm/yasm/CVE-2024-22653.patch            | 32 +++++++++++++++++++
 meta-oe/recipes-devtools/yasm/yasm_git.bb     |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2024-22653.patch

diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2024-22653.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2024-22653.patch
new file mode 100644
index 0000000000..dbbd4b94ef
--- /dev/null
+++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2024-22653.patch
@@ -0,0 +1,32 @@ 
+From 121ab150b3577b666c79a79f4a511798d7ad2432 Mon Sep 17 00:00:00 2001
+From: haruki3hhh <135201297+haruki3hhh@users.noreply.github.com>
+Date: Mon, 24 Jun 2024 18:08:27 -0500
+Subject: [PATCH] Fix null pointer dereference in yasm_section_bcs_append
+ (#263)
+
+CVE: CVE-2024-22653
+
+Upstream-Status: Backport [https://github.com/yasm/yasm/commit/121ab150b3577b666c79a79f4a511798d7ad2432]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ libyasm/section.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libyasm/section.c b/libyasm/section.c
+index ba582bfa..1c1ba710 100644
+--- a/libyasm/section.c
++++ b/libyasm/section.c
+@@ -611,6 +611,10 @@ yasm_bytecode *
+ yasm_section_bcs_append(yasm_section *sect, yasm_bytecode *bc)
+ {
+     if (bc) {
++        if (!sect) {
++            yasm_error_set(YASM_ERROR_VALUE, "Attempt to append bytecode to a NULL section or with a NULL bytecode");
++            return NULL;
++        }
+         if (bc->callback) {
+             bc->section = sect;     /* record parent section */
+             STAILQ_INSERT_TAIL(&sect->bcs, bc, link);
+--
+2.40.0
diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb
index 216b777667..99717d3a32 100644
--- a/meta-oe/recipes-devtools/yasm/yasm_git.bb
+++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb
@@ -16,6 +16,7 @@  SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \
            file://CVE-2023-37732.patch \
            file://0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch \
            file://0002-yasm-Use-BUILD_DATE-for-reproducibility.patch \
+           file://CVE-2024-22653.patch \
 "
 
 S = "${WORKDIR}/git"

[meta-oe,scarthgap,1/1] yasm: fix CVE-2024-22653

Commit Message

Patch