
[meta-security,scarthgap] suricata: Fix CVE-2026-22262

Message ID 20260309115038.329072-1-hprajapati@mvista.com

Commit Message

Hitendra Prajapati March 9, 2026, 11:50 a.m. UTC
Pick the patches referenced in the NVD report [1]

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-22262

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../suricata/files/CVE-2026-22262-01.patch    | 42 ++++++++++++
 .../suricata/files/CVE-2026-22262-02.patch    | 66 +++++++++++++++++++
 recipes-ids/suricata/suricata_7.0.13.bb       |  2 +
 3 files changed, 110 insertions(+)
 create mode 100644 recipes-ids/suricata/files/CVE-2026-22262-01.patch
 create mode 100644 recipes-ids/suricata/files/CVE-2026-22262-02.patch


diff --git a/recipes-ids/suricata/files/CVE-2026-22262-01.patch b/recipes-ids/suricata/files/CVE-2026-22262-01.patch
new file mode 100644
index 0000000..de54c28
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2026-22262-01.patch
@@ -0,0 +1,42 @@ 
+From 32609e6896f9079c175665a94005417cec7637eb Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Mon, 17 Nov 2025 13:27:54 +0100
+Subject: [PATCH] datasets: explicitly errors on too long string
+
+Also avoids stack allocation
+
+Ticket: 8110
+(cherry picked from commit 0eff24213763c2aa2bb0957901d5dc1e18414dbf)
+
+CVE: CVE-2026-22262
+Upstream-Status: Backport [https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/datasets-string.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/datasets-string.c b/src/datasets-string.c
+index 0a8f499..524a60a 100644
+--- a/src/datasets-string.c
++++ b/src/datasets-string.c
+@@ -49,12 +49,13 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
+     const StringType *str = s;
+ 
+     unsigned long len = Base64EncodeBufferSize(str->len);
+-    uint8_t encoded_data[len];
+-    if (Base64Encode((unsigned char *)str->ptr, str->len,
+-        encoded_data, &len) != SC_BASE64_OK)
++    if (len + 2 > out_size) {
++        // linefeed and final zero
++        return 0;
++    }
++    if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
+         return 0;
+ 
+-    strlcpy(out, (const char *)encoded_data, out_size);
+     strlcat(out, "\n", out_size);
+     return strlen(out);
+ }
+-- 
+2.50.1
+
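Review bot: The new bound check `if (len + 2 > out_size)` returns 0, and the existing caller in THashWalk treats 0 as "nothing to write" (`if (size > 0)`), so a dataset string whose base64 form does not fit the caller's 1024-byte stack buffer is silently omitted from the dump instead of being reported; the second patch in this series changes that return to `len + 2` for exactly this reason, so the two must be applied together (the recipe does add both). The rewritten body also depends on Base64Encode NUL-terminating `out` before `strlcat(out, "\n", out_size)` runs — if it does not, strlcat would scan past the encoded bytes — so I would confirm that and record it with `/* Base64Encode NUL-terminates out; strlcat appends the newline in place */`. If Base64EncodeBufferSize already counts the terminator, the `+ 2` is conservative by one byte, which is harmless. The signature of StringAsBase64 appears only in the hunk header, so the rest of the function is not visible here.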
diff --git a/recipes-ids/suricata/files/CVE-2026-22262-02.patch b/recipes-ids/suricata/files/CVE-2026-22262-02.patch
new file mode 100644
index 0000000..93e6546
--- /dev/null
+++ b/recipes-ids/suricata/files/CVE-2026-22262-02.patch
@@ -0,0 +1,66 @@ 
+From 27a2180bceaa3477419c78c54fce364398d011f1 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Tue, 25 Nov 2025 14:43:18 +0100
+Subject: [PATCH] datasets: allocates on the heap if string base64 is long
+
+Ticket: 8110
+(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)
+
+CVE: CVE-2026-22262
+Upstream-Status: Backport [https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/datasets-string.c |  4 ++--
+ src/util-thash.c      | 21 ++++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/datasets-string.c b/src/datasets-string.c
+index 524a60a..53a179a 100644
+--- a/src/datasets-string.c
++++ b/src/datasets-string.c
+@@ -50,8 +50,8 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
+ 
+     unsigned long len = Base64EncodeBufferSize(str->len);
+     if (len + 2 > out_size) {
+-        // linefeed and final zero
+-        return 0;
++        // linefeed and final zero : signal we need more space
++        return len + 2;
+     }
+     if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
+         return 0;
+diff --git a/src/util-thash.c b/src/util-thash.c
+index 5486379..c6df02c 100644
+--- a/src/util-thash.c
++++ b/src/util-thash.c
+@@ -390,7 +390,26 @@ int THashWalk(THashTableContext *ctx, THashFormatFunc FormatterFunc, THashOutput
+             char output_string[1024] = "";
+             int size = FormatterFunc(h->data, output_string, sizeof(output_string));
+             if (size > 0) {
+-                if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
++                if (size > 1024) {
++                    // we did not provide enough space on the stack, let's allocate on the heap
++                    char *out_alloc = SCCalloc(1, size);
++                    if (out_alloc == NULL) {
++                        err = true;
++                        break;
++                    }
++                    size = FormatterFunc(h->data, out_alloc, size);
++                    if (size == 0) {
++                        err = true;
++                        SCFree(out_alloc);
++                        break;
++                    }
++                    if (OutputterFunc(output_ctx, (const uint8_t *)out_alloc, size) < 0) {
++                        err = true;
++                        SCFree(out_alloc);
++                        break;
++                    }
++                    SCFree(out_alloc);
++                } else if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
+                     err = true;
+                     break;
+                 }
+-- 
+2.50.1
+
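Review bot: The `Upstream-Status:` line of this second patch points at commit 32609e6896f9079c175665a94005417cec7637eb, which is the first patch's upstream commit; the `From` line and the cherry-pick note identify this one as 27a2180bceaa3477419c78c54fce364398d011f1, so it should read `Upstream-Status: Backport [https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1]`. In the util-thash.c hunk the literal in `if (size > 1024)` duplicates the size of `output_string` declared two lines above; `if (size > (int)sizeof(output_string))` keeps the two in step if the buffer is ever resized. The formatter's return value now carries two meanings — bytes written when it is below the buffer size, bytes required when it exceeds it — and that contract belongs on the THashFormatFunc typedef and in the heap-branch comment rather than being implied by the comparison; the second FormatterFunc call in that branch is also expected never to report a larger size again, which a short comment should state. THashWalk continues outside the hunk.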
diff --git a/recipes-ids/suricata/suricata_7.0.13.bb b/recipes-ids/suricata/suricata_7.0.13.bb
index 75e523e..728c7f1 100644
--- a/recipes-ids/suricata/suricata_7.0.13.bb
+++ b/recipes-ids/suricata/suricata_7.0.13.bb
@@ -16,6 +16,8 @@  SRC_URI += " \
     file://suricata.service \
     file://run-ptest \
     file://0001-Skip-pkg-Makefile-from-using-its-own-rust-steps.patch \
+    file://CVE-2026-22262-01.patch \
+    file://CVE-2026-22262-02.patch \
     "
 
 inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates