From patchwork Wed Mar 5 22:11:00 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58397
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/16] openssh: Fix CVE-2025-26466
Date: Wed, 5 Mar 2025 14:11:00 -0800
Message-ID: <7360f3998939e202f9611644a8bed0c3fe0c782a.1741206348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212351

From: Vijay Anusuri

sshd(8) in OpenSSH versions 9.5p1 to 9.9p1 (inclusive) is vulnerable to
a memory/CPU denial-of-service related to the handling of SSH2_MSG_PING
packets. This condition may be mitigated using the existing
PerSourcePenalties feature.

Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2]

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../openssh/openssh/CVE-2025-26466.patch | 38 +++++++++++++++++++
 .../openssh/openssh_9.6p1.bb             |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch
new file mode 100644
index 0000000000..27b2fa7143
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch
@@ -0,0 +1,38 @@ +From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 18 Feb 2025 08:02:12 +0000 +Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX + +Reported by the Qualys Security Advisory team. ok markus@ + +OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2] +CVE: CVE-2025-26466 +Signed-off-by: Vijay Anusuri +--- + packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/packet.c b/packet.c +index beb214f..aeab98c 100644 +--- a/packet.c ++++ b/packet.c +@@ -1773,6 +1773,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0) + return r; + DBG(debug("Received SSH2_MSG_PING len %zu", len)); ++ if (!ssh->state->after_authentication) { ++ DBG(debug("Won't reply to PING in preauth")); ++ break; ++ } ++ if (ssh_packet_is_rekeying(ssh)) { ++ DBG(debug("Won't reply to PING during KEX")); ++ break; ++ } + if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 || + (r = sshpkt_put_string(ssh, d, len)) != 0 || + (r = sshpkt_send(ssh)) != 0) +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index a8ba67e360..ea5face097 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
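Review bot: the two early `break`s in the SSH2_MSG_PING case are the right shape: `sshpkt_get_string_direct` has already consumed the PING payload before the new `after_authentication` and `ssh_packet_is_rekeying` checks run, so skipping only the `sshpkt_start(ssh, SSH2_MSG_PONG)` reply leaves the packet stream in sync and the connection alive rather than aborting it. One thing worth recording in the OE commit message for this branch: the `PerSourcePenalties` mitigation quoted from the upstream advisory does not exist in OpenSSH 9.6p1 (it was introduced in 9.8), so on scarthgap this packet.c gate is the only protection against the preauth/KEX PING handling the CVE describes, and there is no configuration-only workaround to fall back on if the patch is dropped.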
@@ -29,6 +29,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2024-6387.patch \ file://CVE-2024-39894.patch \ file://0001-Fix-missing-header-for-systemd-notification.patch \ + file://CVE-2025-26466.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
From patchwork Wed Mar 5 22:11:01 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58396
X-Patchwork-Delegate: steve@sakoman.com

From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/16] curl: ignore CVE-2025-0725
Date: Wed, 5 Mar 2025 14:11:01 -0800
Message-ID: <8c3b4a604b40260e7ca9575715dd8017e17d35c0.1741206348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212352

From: Poonam Jadhav

CVE-2025-0725 can only trigger for curl when using a runtime zlib
version 1.2.0.3 or older, and scarthgap supports zlib version 1.3.1;
hence ignore the CVE for scarthgap.

https://curl.se/docs/CVE-2025-0725.html

Signed-off-by: Poonam Jadhav
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/curl/curl_8.7.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 439fcb7881..ddd591dd96 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -27,6 +27,8 @@ SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c65 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack" +CVE_STATUS[CVE-2025-0725] = "not-applicable-config: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older" + inherit autotools pkgconfig binconfig multilib_header ptest # Entropy source for random PACKAGECONFIG option
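Review bot: the reason string in the new `CVE_STATUS[CVE-2025-0725]` line restates the vulnerable configuration from the curl advisory but never says why scarthgap is exempt, and that string is what `cve-check` output and the generated VEX/SBOM data will show to downstream readers who do not have this commit message. State the actual condition in the status text, for example `not-applicable-config: only triggers with a runtime zlib 1.2.0.3 or older; scarthgap ships zlib 1.3.1`, so the justification travels with the recipe. The exemption also rests on the zlib this layer provides; a BSP or distro layer that pins an older zlib would need to revisit it, which is another reason to name the version in the string.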
From patchwork Wed Mar 5 22:11:02 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58393
X-Patchwork-Delegate: steve@sakoman.com

From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/16] xwayland: Fix CVE-2024-9632
Date: Wed, 5 Mar 2025 14:11:02 -0800
Message-ID: <634a10db7da46688413d26f3fc9d5510f239b40b.1741206348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212353

From: Vijay Anusuri

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-9632

Upstream patch: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2024-9632.patch | 59 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb           |  4 +-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch
new file mode 100644
index 0000000000..54888f6347
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-9632.patch
@@ -0,0 +1,59 @@ +From ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 10 Oct 2024 10:37:28 +0200 +Subject: [PATCH] xkb: Fix buffer overflow in _XkbSetCompatMap() + +The _XkbSetCompatMap() function attempts to resize the `sym_interpret` +buffer. + +However, It didn't update its size properly. It updated `num_si` only, +without updating `size_si`. + +This may lead to local privilege escalation if the server is run as root +or remote code execution (e.g. x11 over ssh). + +CVE-2024-9632, ZDI-CAN-24756 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Reviewed-by: Peter Hutterer +Tested-by: Peter Hutterer +Reviewed-by: José Expósito +(cherry picked from commit 85b77657) + +Part-of: + +CVE: CVE-2024-9632 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0] + +Signed-off-by: Yogita Urade +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 276dc19..7da00a0 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,13 +2992,13 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + +- if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { +- compat->num_si = req->firstSI + req->nSI; ++ if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { ++ compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +- compat->num_si, ++ compat->size_si, + sizeof(XkbSymInterpretRec)); + if (!compat->sym_interpret) { +- compat->num_si = 0; ++ compat->num_si = compat->size_si = 0; + return BadAlloc; + } + } +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b934a873d1..c88fdb6e9f 100644 
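Review bot: the size bookkeeping fix in `_XkbSetCompatMap()` is correct as far as it goes (`num_si` and `size_si` now move together and the comparison is against the allocated `size_si`, which is the bound later writes into `sym_interpret` actually need), but the pre-existing pattern kept in the same hunk still leaks on failure: `compat->sym_interpret = reallocarray(compat->sym_interpret, ...)` overwrites the only pointer to the old buffer before the NULL check, so the `compat->num_si = compat->size_si = 0; return BadAlloc;` path loses the previous array. Assigning the result to a temporary and only swapping it in on success would close that. It is outside the scope of a minimal CVE backport, so no change requested here, but it is worth a follow-up upstream rather than a local deviation.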
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -9,7 +9,9 @@ HOMEPAGE = "https://fedoraproject.org/wiki/Changes/XwaylandStandalone" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" -SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" +SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ + file://CVE-2024-9632.patch \ +" SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" UPSTREAM_CHECK_REGEX = "xwayland-(?P\d+(\.(?!90\d)\d+)+)\.tar"
From patchwork Wed Mar 5 22:11:03 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58392
X-Patchwork-Delegate: steve@sakoman.com

From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/16] xwayland: Fix CVE-2025-26594
Date: Wed, 5 Mar 2025 14:11:03 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212354

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2025-26594-1.patch | 54 +++++++++++++++++++
 .../xwayland/xwayland/CVE-2025-26594-2.patch | 51 ++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb              |  2 +
 3 files changed, 107 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch
new file mode 100644
index 0000000000..f34a89e6ea
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-1.patch
@@ -0,0 +1,54 @@ +From 01642f263f12becf803b19be4db95a4a83f94acc Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 11:27:05 +0100 +Subject: [PATCH] Cursor: Refuse to free the root cursor + +If a cursor reference count drops to 0, the cursor is freed. + +The root cursor however is referenced with a specific global variable, +and when the root cursor is freed, the global variable may still point +to freed memory. + +Make sure to prevent the rootCursor from being explicitly freed by a +client. + +CVE-2025-26594, ZDI-CAN-25544 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer +) +v3: Return BadCursor instead of BadValue (Michel Danzer +) + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Hutterer +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/dispatch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 4602961..30b95c1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -3107,6 +3107,10 @@ ProcFreeCursor(ClientPtr client) + rc = dixLookupResourceByType((void **) &pCursor, stuff->id, RT_CURSOR, + client, DixDestroyAccess); + if (rc == Success) { ++ if (pCursor == rootCursor) { ++ client->errorValue = stuff->id; ++ return BadCursor; ++ } + FreeResource(stuff->id, RT_NONE); + return Success; + } +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch new file mode 100644 index 0000000000..6ebf540ab9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26594-2.patch 
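Review bot: the `pCursor == rootCursor` check in `ProcFreeCursor` sits after `dixLookupResourceByType(..., DixDestroyAccess)` has succeeded and sets `client->errorValue = stuff->id` before returning `BadCursor`, which matches the existing failure path in the same function, so the request-level behaviour is consistent and nothing else in the hunk needs changing. Be clear in review that this is a guard on the one request that lets any client name an arbitrary cursor XID for destruction, not a fix for the dangling global: the commit message's v2/v3 notes show it was chosen as the explicit refusal, and keeping `rootCursor` valid depends on the companion `CVE-2025-26594-2.patch` giving `dix_main` its own reference. The two patch files therefore have to stay together in `SRC_URI`, as this series does; a later cleanup that drops one of them reopens the use-after-free.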
@@ -0,0 +1,51 @@ +From b0a09ba6020147961acc62d9c73d807b4cccd9f7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 4 Dec 2024 15:49:43 +1000 +Subject: [PATCH] dix: keep a ref to the rootCursor + +CreateCursor returns a cursor with refcount 1 - that refcount is used by +the resource system, any caller needs to call RefCursor to get their own +reference. That happens correctly for normal cursors but for our +rootCursor we keep a variable to the cursor despite not having a ref for +ourselves. + +Fix this by reffing/unreffing the rootCursor to ensure our pointer is +valid. + +Related to CVE-2025-26594, ZDI-CAN-25544 + +Reviewed-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6] +CVE: CVE-2025-26594 +Signed-off-by: Vijay Anusuri +--- + dix/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dix/main.c b/dix/main.c +index bfc8add..38e29ce 100644 +--- a/dix/main.c ++++ b/dix/main.c +@@ -231,6 +231,8 @@ dix_main(int argc, char *argv[], char *envp[]) + FatalError("could not open default cursor font"); + } + ++ rootCursor = RefCursor(rootCursor); ++ + #ifdef PANORAMIX + /* + * Consolidate window and colourmap information for each screen +@@ -271,6 +273,8 @@ dix_main(int argc, char *argv[], char *envp[]) + + Dispatch(); + ++ UnrefCursor(rootCursor); ++ + UndisplayDevices(); + DisableAllDevices(); + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index c88fdb6e9f..3af0bb9012 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
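Review bot: the `UnrefCursor(rootCursor);` added after `Dispatch()` returns balances the `rootCursor = RefCursor(rootCursor);` taken at startup, but it leaves the global pointing at a cursor this code no longer holds a reference to. Nothing in the visible context between the unref and `UndisplayDevices(); DisableAllDevices();` dereferences it, so the hunk is safe as written; setting `rootCursor = NULL` immediately after the unref would make any stale use in the regeneration path fail loudly instead of silently reading memory that the resource system is free to release, which is exactly the bug class CVE-2025-26594 is about. Also worth checking on the scarthgap xwayland 23.2.5 tree that the startup hunk lands after the cursor-font `FatalError` check shown as context, so a failed `CreateRootCursor` never reaches `RefCursor` with a NULL pointer.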
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ + file://CVE-2025-26594-1.patch \ + file://CVE-2025-26594-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Wed Mar 5 22:11:04 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 58395
X-Patchwork-Delegate: steve@sakoman.com

From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/16] xwayland: Fix CVE-2025-26595
Date: Wed, 5 Mar 2025 14:11:04 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212355

From: Vijay Anusuri

Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2025-26595.patch | 65 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb            |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
new file mode 100644
index 0000000000..a7478d9e2a
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26595.patch
@@ -0,0 +1,65 @@ +From 11fcda8753e994e15eb915d28cf487660ec8e722 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 27 Nov 2024 14:41:45 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbVModMaskText() + +The code in XkbVModMaskText() allocates a fixed sized buffer on the +stack and copies the virtual mod name. + +There's actually two issues in the code that can lead to a buffer +overflow. + +First, the bound check mixes pointers and integers using misplaced +parenthesis, defeating the bound check. + +But even though, if the check fails, the data is still copied, so the +stack overflow will occur regardless. + +Change the logic to skip the copy entirely if the bound check fails. + +CVE-2025-26595, ZDI-CAN-25545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87] +CVE: CVE-2025-26595 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbtext.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c +index 0184664207..93262528bb 100644 +--- a/xkb/xkbtext.c ++++ b/xkb/xkbtext.c +@@ -173,14 +173,14 @@ XkbVModMaskText(XkbDescPtr xkb, + len = strlen(tmp) + 1 + (str == buf ? 0 : 1); + if (format == XkbCFile) + len += 4; +- if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) { +- if (str != buf) { +- if (format == XkbCFile) +- *str++ = '|'; +- else +- *str++ = '+'; +- len--; +- } ++ if ((str - buf) + len > VMOD_BUFFER_SIZE) ++ continue; /* Skip */ ++ if (str != buf) { ++ if (format == XkbCFile) ++ *str++ = '|'; ++ else ++ *str++ = '+'; ++ len--; + } + if (format == XkbCFile) + sprintf(str, "%sMask", tmp); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 3af0bb9012..2215d2fe4d 100644 
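Review bot: The new bound check in the xkb/xkbtext.c hunk silently drops any virtual modifier name that does not fit: `continue; /* Skip */` leaves the output string well-formed but incomplete, and the caller has no way to tell that a name was omitted. The arithmetic itself looks right: `len` already counts the separator, the terminating NUL and the four bytes of "Mask" for XkbCFile, so `(str - buf) + len > VMOD_BUFFER_SIZE` rejects exactly the writes that the `sprintf(str, "%sMask", tmp)` shown below it would not fit. Suggest a short comment saying the truncation is deliberate (as the commit message explains), or a debug log when a name is skipped, so that the next person editing this loop does not turn the skip back into a copy.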
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -13,6 +13,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2024-9632.patch \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ + file://CVE-2025-26595.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58394 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 905ECC28B23 for ; Wed, 5 Mar 2025 22:11:36 +0000 (UTC) Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) by mx.groups.io with SMTP id smtpd.web11.6415.1741212695173211883 for ; Wed, 05 Mar 2025 14:11:35 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ohnMXl+y; spf=softfail (domain: sakoman.com, ip: 209.85.216.54, mailfrom: steve@sakoman.com) Received: by mail-pj1-f54.google.com with SMTP id 98e67ed59e1d1-2fee05829edso71748a91.3 for ; Wed, 05 Mar 2025 14:11:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1741212694; x=1741817494; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Xf0W5IHJ3WSNIBbXtvG9qNceS3UeBXYlrnO3YTQSpZA=; b=ohnMXl+yxddAl14wkC6HXRn/3u/+jIUlbaD34HmblhNuzN034DZL5AWsYDiUHYH6Wc bIL5EYkvnlYxur6VJRxie0FY9aG3wwq94MZFntn/iJre2MOGkEp/K9PQMczmATwn8K6q vApkhyKUAGb3gO4XFFEIbAK7YChqemJ2ISmqjUlp4fNFgP9UqKE+F7gaDjQ586OLUVlK 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/16] xwayland: Fix CVE-2025-26596 Date: Wed, 5 Mar 2025 14:11:05 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212356 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26596.patch | 49 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch new file mode 100644 index 0000000000..f9df8d75ea --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26596.patch 
@@ -0,0 +1,49 @@ +From 80d69f01423fc065c950e1ff4e8ddf9f675df773 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 11:49:34 +0100 +Subject: [PATCH] xkb: Fix computation of XkbSizeKeySyms + +The computation of the length in XkbSizeKeySyms() differs from what is +actually written in XkbWriteKeySyms(), leading to a heap overflow. + +Fix the calculation in XkbSizeKeySyms() to match what kbWriteKeySyms() +does. + +CVE-2025-26596, ZDI-CAN-25543 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01] +CVE: CVE-2025-26596 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 85659382da..744dba63d7 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -1095,10 +1095,10 @@ XkbSizeKeySyms(XkbDescPtr xkb, xkbGetMapReply * rep) + len = rep->nKeySyms * SIZEOF(xkbSymMapWireDesc); + symMap = &xkb->map->key_sym_map[rep->firstKeySym]; + for (i = nSyms = 0; i < rep->nKeySyms; i++, symMap++) { +- if (symMap->offset != 0) { +- nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; +- nSyms += nSymsThisKey; +- } ++ nSymsThisKey = XkbNumGroups(symMap->group_info) * symMap->width; ++ if (nSymsThisKey == 0) ++ continue; ++ nSyms += nSymsThisKey; + } + len += nSyms * 4; + rep->totalSyms = nSyms; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 2215d2fe4d..63803a7a44 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
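Review bot: The xkb/xkb.c hunk makes the size computation depend only on `XkbNumGroups(symMap->group_info) * symMap->width` and no longer on `symMap->offset`, but the function it must agree with, XkbWriteKeySyms(), is not part of the diff, so a reviewer cannot confirm from these lines alone that the two now use the same formula. Suggest quoting the corresponding XkbWriteKeySyms() loop in the commit message (which also misspells it as "kbWriteKeySyms()"), or adding a check at the write side that the bytes emitted equal `rep->totalSyms * 4`, so the two cannot drift apart again without being noticed.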
@@ -14,6 +14,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-1.patch \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ + file://CVE-2025-26596.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58400 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96602C28B22 for ; Wed, 5 Mar 2025 22:11:46 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web11.6416.1741212696657803010 for ; Wed, 05 Mar 2025 14:11:36 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=aBqMYeoZ; spf=softfail (domain: sakoman.com, ip: 209.85.214.181, mailfrom: steve@sakoman.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-224019ad9edso21561195ad.1 for ; Wed, 05 Mar 2025 14:11:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1741212696; x=1741817496; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jIKHo1sQoxAz+9Uu7TU29bnW0F57Zpf+hPjdtDmPvtY=; b=aBqMYeoZ8GD8llfHXTtLFO/Sc2lVBruA1TUJSZ4lGZY1DtOqfdG0cdL21c7BmmjyUv djrmiTRmXXczecB5qc76QbLIRnw0WIMTQ+JoXWSpnpP8gJJd5x+nnKWoEYB7hL0Nvt99 uMI1o/q3HJzYdI+Ep/wo+Ny9KLmpovLLGUXDzpk9kgMa5WcfNEoEgcZzHnz2+TuSXsB4 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/16] xwayland: Fix CVE-2025-26597 Date: Wed, 5 Mar 2025 14:11:06 -0800 Message-ID: <6e19f26f4f152316badf3668b74cfc50d8d12528.1741206348.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212357 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26597.patch | 46 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch new file mode 100644 index 0000000000..b0735d0b46 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26597.patch 
@@ -0,0 +1,46 @@ +From 0e4ed94952b255c04fe910f6a1d9c852878dcd64 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Thu, 28 Nov 2024 14:09:04 +0100 +Subject: [PATCH] xkb: Fix buffer overflow in XkbChangeTypesOfKey() + +If XkbChangeTypesOfKey() is called with nGroups == 0, it will resize the +key syms to 0 but leave the key actions unchanged. + +If later, the same function is called with a non-zero value for nGroups, +this will cause a buffer overflow because the key actions are of the wrong +size. + +To avoid the issue, make sure to resize both the key syms and key actions +when nGroups is 0. + +CVE-2025-26597, ZDI-CAN-25683 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949] +CVE: CVE-2025-26597 +Signed-off-by: Vijay Anusuri +--- + xkb/XKBMisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xkb/XKBMisc.c b/xkb/XKBMisc.c +index abbfed90eb..fd180fad2c 100644 +--- a/xkb/XKBMisc.c ++++ b/xkb/XKBMisc.c +@@ -553,6 +553,7 @@ XkbChangeTypesOfKey(XkbDescPtr xkb, + i = XkbSetNumGroups(i, 0); + xkb->map->key_sym_map[key].group_info = i; + XkbResizeKeySyms(xkb, key, 0); ++ XkbResizeKeyActions(xkb, key, 0); + return Success; + } + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 63803a7a44..7f94c5e2e2 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
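Review bot: The added `XkbResizeKeyActions(xkb, key, 0);` in the xkb/XKBMisc.c hunk discards its return value, as the `XkbResizeKeySyms(xkb, key, 0);` above it already does. That is consistent, but since this early-return block now has to keep the sym and action arrays in step (the whole point of the fix), a one-line comment stating that the needed == 0 path only clears the per-key entry and cannot fail would document why neither call is checked; if either call can fail, the block should not `return Success` afterwards.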
@@ -15,6 +15,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26594-2.patch \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ + file://CVE-2025-26597.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58404 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B67BEC28B27 for ; Wed, 5 Mar 2025 22:11:46 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.6378.1741212698395016699 for ; Wed, 05 Mar 2025 14:11:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=XeIG60O1; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-2234e5347e2so151223815ad.1 for ; Wed, 05 Mar 2025 14:11:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1741212698; x=1741817498; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=J77vBoRYpun6es0dbmbwZ8LAS2r0Zy14pSnmvX6yNhM=; b=XeIG60O1JPI4+2gErVqEavbVzV1iBF3N/UGSYyreL3R2Qcw0E6ZSKfRPjfZSMVbmcw GrLWAewbLL+A4bicRkZfzKAoCinjTDS0YKYVONfyEY8QkShmy1/rfMLK8ofrp0iTpMU0 brSB0gIe6bcNNEPOYYyEWfgpwf1+Xybh5PfsiYMjkyDVnZwzc/vTK7CHHhTzcXiCvrKx 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/16] xwayland: Fix CVE-2025-26598 Date: Wed, 5 Mar 2025 14:11:07 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212358 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26598.patch | 120 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 121 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch new file mode 100644 index 0000000000..210a76262a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26598.patch 
@@ -0,0 +1,120 @@ +From bba9df1a9d57234c76c0b93f88dacb143d01bca2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 11:25:11 +0100 +Subject: [PATCH] Xi: Fix barrier device search + +The function GetBarrierDevice() would search for the pointer device +based on its device id and return the matching value, or supposedly NULL +if no match was found. + +Unfortunately, as written, it would return the last element of the list +if no matching device id was found which can lead to out of bounds +memory access. + +Fix the search function to return NULL if not matching device is found, +and adjust the callers to handle the case where the device cannot be +found. + +CVE-2025-26598, ZDI-CAN-25740 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a] +CVE: CVE-2025-26598 +Signed-off-by: Vijay Anusuri +--- + Xi/xibarriers.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index 700b2b8c53..6761bcb49a 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -132,14 +132,15 @@ static void FreePointerBarrierClient(struct PointerBarrierClient *c) + + static struct PointerBarrierDevice *GetBarrierDevice(struct PointerBarrierClient *c, int deviceid) + { +- struct PointerBarrierDevice *pbd = NULL; ++ struct PointerBarrierDevice *p, *pbd = NULL; + +- xorg_list_for_each_entry(pbd, &c->per_device, entry) { +- if (pbd->deviceid == deviceid) ++ xorg_list_for_each_entry(p, &c->per_device, entry) { ++ if (p->deviceid == deviceid) { ++ pbd = p; + break; ++ } + } + +- BUG_WARN(!pbd); + return pbd; + } + +@@ -340,6 +341,9 @@ barrier_find_nearest(BarrierScreenPtr cs, DeviceIntPtr dev, + double distance; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if 
(pbd->seen) + continue; + +@@ -448,6 +452,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + nearest = &c->barrier; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + new_sequence = !pbd->hit; + + pbd->seen = TRUE; +@@ -488,6 +495,9 @@ input_constrain_cursor(DeviceIntPtr dev, ScreenPtr screen, + int flags = 0; + + pbd = GetBarrierDevice(c, master->id); ++ if (!pbd) ++ continue; ++ + pbd->seen = FALSE; + if (!pbd->hit) + continue; +@@ -682,6 +692,9 @@ BarrierFreeBarrier(void *data, XID id) + continue; + + pbd = GetBarrierDevice(c, dev->id); ++ if (!pbd) ++ continue; ++ + if (!pbd->hit) + continue; + +@@ -741,6 +754,8 @@ static void remove_master_func(void *res, XID id, void *devid) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, *deviceid); ++ if (!pbd) ++ return; + + if (pbd->hit) { + BarrierEvent ev = { +@@ -905,6 +920,10 @@ ProcXIBarrierReleasePointer(ClientPtr client) + barrier = container_of(b, struct PointerBarrierClient, barrier); + + pbd = GetBarrierDevice(barrier, dev->id); ++ if (!pbd) { ++ client->errorValue = dev->id; ++ return BadDevice; ++ } + + if (pbd->barrier_event_id == event_id) + pbd->release_event_id = event_id; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 7f94c5e2e2..b46a02e5c3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
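Review bot: Dropping `BUG_WARN(!pbd);` in the GetBarrierDevice() hunk turns "no per-device entry" from a reported bug into an expected result, so the fix is only complete if every caller checks for NULL. The diff adds checks at the six call sites shown in Xi/xibarriers.c (barrier_find_nearest, input_constrain_cursor twice, BarrierFreeBarrier, remove_master_func, ProcXIBarrierReleasePointer), which matches the 23 insertions in the diffstat; please state in the commit message that these are all the callers, since any unchecked call left elsewhere would now dereference NULL instead of the out-of-bounds access the commit message describes. The per-site handling also differs: most sites `continue`, remove_master_func does a bare `return;`, and only ProcXIBarrierReleasePointer reports `BadDevice` with `client->errorValue = dev->id`. That split is reasonable because only the last one answers a client request, but a short comment at the `return;` in remove_master_func would make clear that skipping the barrier event for an unknown device is intentional.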
@@ -16,6 +16,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26595.patch \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ + file://CVE-2025-26598.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58399 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93D30C19F32 for ; Wed, 5 Mar 2025 22:11:46 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web10.6380.1741212699761053660 for ; Wed, 05 Mar 2025 14:11:39 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=TYrvTb5n; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-2235908a30aso137273995ad.3 for ; Wed, 05 Mar 2025 14:11:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1741212699; x=1741817499; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JL0ThBNQyg7ZetjvvAQV2NNy3Xq/PCHq0AK6zbQPHRY=; b=TYrvTb5nNNUYM4KWJQTgHEENxzUS4mYaPVnQfhPctqZYQIQz7y/PpCbjB3hP/YCX+Y I7iC1AJ2ZgWAIWJYYUkqFTwsYdCzT7d+J3VJKRq9xbtYSkdEZR9YsKxA8mglIiJnhHrj rsn4RGGdmM5/Wx3M52A8YJFl0cfb9gHTi+DavlyXZKfS8ps9FGR/sjLzvPRMssAwHIKm 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/16] xwayland: Fix CVE-2025-26599 Date: Wed, 5 Mar 2025 14:11:08 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212359 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26599-1.patch | 66 +++++++++ .../xwayland/xwayland/CVE-2025-26599-2.patch | 129 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch new file mode 100644 index 0000000000..60b68a0d9a --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-1.patch 
@@ -0,0 +1,66 @@ +From c1ff84bef2569b4ba4be59323cf575d1798ba9be Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 17 Dec 2024 15:19:45 +0100 +Subject: [PATCH] composite: Handle failure to redirect in compRedirectWindow() + +The function compCheckRedirect() may fail if it cannot allocate the +backing pixmap. + +In that case, compRedirectWindow() will return a BadAlloc error. + +However that failure code path will shortcut the validation of the +window tree marked just before, which leaves the validate data partly +initialized. + +That causes a use of uninitialized pointer later. + +The fix is to not shortcut the call to compHandleMarkedWindows() even in +the case of compCheckRedirect() returning an error. + +CVE-2025-26599, ZDI-CAN-25851 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index eaabf0d..0bbbc55 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -140,6 +140,7 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + CompScreenPtr cs = GetCompScreen(pWin->drawable.pScreen); + WindowPtr pLayerWin; + Bool anyMarked = FALSE; ++ int status = Success; + + if (pWin == cs->pOverlayWin) { + return Success; +@@ -218,13 +219,13 @@ compRedirectWindow(ClientPtr pClient, WindowPtr pWin, int update) + + if (!compCheckRedirect(pWin)) { + FreeResource(ccw->id, RT_NONE); +- return BadAlloc; ++ status = BadAlloc; + } + + if (anyMarked) + compHandleMarkedWindows(pWin, pLayerWin); + +- return Success; ++ return status; + } + + void +-- +2.25.1 + 
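Review bot: With `status = BadAlloc;` replacing the early return in the composite/compalloc.c hunk, execution after `FreeResource(ccw->id, RT_NONE);` now reaches `compHandleMarkedWindows(pWin, pLayerWin);` and the final `return status;`. In the visible lines nothing touches `ccw` after it is freed, which is what makes the fall-through safe, but the code between the two hunks is not shown; please confirm that no other use of `ccw` sits on that path and that `pLayerWin` is always assigned whenever `anyMarked` is TRUE, since compHandleMarkedWindows() is now reached on the failure path too. A comment above `status = BadAlloc;` explaining that the marked windows must still be validated even when the redirect fails would stop a future cleanup from restoring the early return.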
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch new file mode 100644 index 0000000000..252b033261 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26599-2.patch 
@@ -0,0 +1,129 @@ +From b07192a8bedb90b039dc0f70ae69daf047ff9598 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 13 Jan 2025 16:09:43 +0100 +Subject: [PATCH] composite: initialize border clip even when pixmap alloc + fails + +If it fails to allocate the pixmap, the function compAllocPixmap() would +return early and leave the borderClip region uninitialized, which may +lead to the use of uninitialized value as reported by valgrind: + + Conditional jump or move depends on uninitialised value(s) + at 0x4F9B33: compClipNotify (compwindow.c:317) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEDBC: pixman_region_translate (pixman-region.c:2233) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + 
by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + + Conditional jump or move depends on uninitialised value(s) + at 0x48EEE33: UnknownInlinedFun (pixman-region.c:2241) + by 0x48EEE33: pixman_region_translate (pixman-region.c:2225) + by 0x4F9255: RegionTranslate (regionstr.h:312) + by 0x4F9B7E: compClipNotify (compwindow.c:319) + by 0x484FC9: miComputeClips (mivaltree.c:476) + by 0x48559A: miValidateTree (mivaltree.c:679) + by 0x4F0685: MapWindow (window.c:2693) + by 0x4A344A: ProcMapWindow (dispatch.c:922) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + Uninitialised value was created by a heap allocation + at 0x4841866: malloc (vg_replace_malloc.c:446) + by 0x4F47BC: compRedirectWindow (compalloc.c:171) + by 0x4FA8AD: compCreateWindow (compwindow.c:592) + by 0x4EBB89: CreateWindow (window.c:925) + by 0x4A2E6E: ProcCreateWindow (dispatch.c:768) + by 0x4A25B5: Dispatch (dispatch.c:560) + by 0x4B082A: dix_main (main.c:282) + by 0x429233: main (stubmain.c:34) + +Fix compAllocPixmap() to initialize the border clip even if the creation +of the backing pixmap has failed, to avoid depending later on +uninitialized border clip values. 
+ +Related to CVE-2025-26599, ZDI-CAN-25851 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8] +CVE: CVE-2025-26599 +Signed-off-by: Vijay Anusuri +--- + composite/compalloc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/composite/compalloc.c b/composite/compalloc.c +index 7cf7351e00..4a1243170d 100644 +--- a/composite/compalloc.c ++++ b/composite/compalloc.c +@@ -605,9 +605,12 @@ compAllocPixmap(WindowPtr pWin) + int h = pWin->drawable.height + (bw << 1); + PixmapPtr pPixmap = compNewPixmap(pWin, x, y, w, h); + CompWindowPtr cw = GetCompWindow(pWin); ++ Bool status; + +- if (!pPixmap) +- return FALSE; ++ if (!pPixmap) { ++ status = FALSE; ++ goto out; ++ } + if (cw->update == CompositeRedirectAutomatic) + pWin->redirectDraw = RedirectDrawAutomatic; + else +@@ -621,14 +624,16 @@ compAllocPixmap(WindowPtr pWin) + DamageRegister(&pWin->drawable, cw->damage); + cw->damageRegistered = TRUE; + } ++ status = TRUE; + ++out: + /* Make sure our borderClip is up to date */ + RegionUninit(&cw->borderClip); + RegionCopy(&cw->borderClip, &pWin->borderClip); + cw->borderClipX = pWin->drawable.x; + cw->borderClipY = pWin->drawable.y; + +- return TRUE; ++ return status; + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b46a02e5c3..cafddc62b5 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
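Review bot: `status` is declared without an initializer and the function relies on every path assigning it before `goto out`; declare it as `Bool status = FALSE;` so a future early exit added above the label cannot return an indeterminate value. On the allocation-failure path the function now still runs `RegionUninit(&cw->borderClip)` and `RegionCopy(&cw->borderClip, &pWin->borderClip)` while `pWin->redirectDraw` and the damage registration are skipped; that is what the commit message asks for, but a one-line comment at the `out:` label saying the copy is deliberate even when `pPixmap` is NULL would stop someone from turning the label back into an early return.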
@@ -17,6 +17,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26596.patch \ file://CVE-2025-26597.patch \ file://CVE-2025-26598.patch \ + file://CVE-2025-26599-1.patch \ + file://CVE-2025-26599-2.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:09 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58398 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/16] xwayland: Fix CVE-2025-26600 Date: Wed, 5 Mar 2025 14:11:09 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212360 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26600.patch | 68 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch new file mode 100644 index 0000000000..43b47b3ca3 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26600.patch 
@@ -0,0 +1,68 @@ +From 6e0f332ba4c8b8c9a9945dc9d7989bfe06f80e14 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 16 Dec 2024 16:18:04 +0100 +Subject: [PATCH] dix: Dequeue pending events on frozen device on removal + +When a device is removed while still frozen, the events queued for that +device remain while the device itself is freed. + +As a result, replaying the events will cause a use after free. + +To avoid the issue, make sure to dequeue and free any pending events on +a frozen device when removed. + +CVE-2025-26600, ZDI-CAN-25871 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b] +CVE: CVE-2025-26600 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 1516147..459f1ed 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -962,6 +962,23 @@ FreeAllDeviceClasses(ClassesPtr classes) + + } + ++static void ++FreePendingFrozenDeviceEvents(DeviceIntPtr dev) ++{ ++ QdEventPtr qe, tmp; ++ ++ if (!dev->deviceGrab.sync.frozen) ++ return; ++ ++ /* Dequeue any frozen pending events */ ++ xorg_list_for_each_entry_safe(qe, tmp, &syncEvents.pending, next) { ++ if (qe->device == dev) { ++ xorg_list_del(&qe->next); ++ free(qe); ++ } ++ } ++} ++ + /** + * Close down a device and free all resources. + * Once closed down, the driver will probably not expect you that you'll ever +@@ -1026,6 +1043,7 @@ CloseDevice(DeviceIntPtr dev) + free(dev->last.touches[j].valuators); + free(dev->last.touches); + dev->config_info = NULL; ++ FreePendingFrozenDeviceEvents(dev); + dixFreePrivates(dev->devPrivates, PRIVATE_DEVICE); + free(dev); + } +-- +2.25.1 + 
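Review bot: FreePendingFrozenDeviceEvents() returns early when `dev->deviceGrab.sync.frozen` is clear, so entries on `syncEvents.pending` with `qe->device == dev` are only purged for a frozen device, yet once `free(dev)` runs a few lines later any remaining entry for this device is a dangling pointer whatever the frozen state was. Unless it is an invariant that a non-frozen device never has events left in `syncEvents.pending`, consider dropping the guard and walking the list unconditionally (the loop is already a no-op when nothing matches); if the invariant does hold, state it in a comment next to the early return so the next reader does not have to rediscover it.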
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index cafddc62b5..ac0408ea67 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26598.patch \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ + file://CVE-2025-26600.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:10 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58403 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/16] xwayland: Fix CVE-2025-26601 Date: Wed, 5 Mar 2025 14:11:10 -0800 Message-ID: <165032003e3f7fb5fde7322c5ad64c26f286228a.1741206348.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212361 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-26601-1.patch | 71 ++++++++++ .../xwayland/xwayland/CVE-2025-26601-2.patch | 85 +++++++++++ .../xwayland/xwayland/CVE-2025-26601-3.patch | 52 +++++++ .../xwayland/xwayland/CVE-2025-26601-4.patch | 132 ++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 4 + 5 files changed, 344 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch new file mode 100644 index 0000000000..df5416a452 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-1.patch 
@@ -0,0 +1,71 @@ +From 16a1242d0ffc7f45ed3c595ee7564b5c04287e0b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:52:01 +0100 +Subject: [PATCH] sync: Do not let sync objects uninitialized + +When changing an alarm, the change mask values are evaluated one after +the other, changing the trigger values as requested and eventually, +SyncInitTrigger() is called. + +SyncInitTrigger() will evaluate the XSyncCACounter first and may free +the existing sync object. + +Other changes are then evaluated and may trigger an error and an early +return, not adding the new sync object. + +This can be used to cause a use after free when the alarm eventually +triggers. + +To avoid the issue, delete the existing sync object as late as possible +only once we are sure that no further error will cause an early exit. + +CVE-2025-26601, ZDI-CAN-25870 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index ee0010e657..585cfa6f68 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -360,11 +360,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + client->errorValue = syncObject; + return rc; + } +- if (pSync != pTrigger->pSync) { /* new counter for trigger */ +- SyncDeleteTriggerFromSyncObject(pTrigger); +- pTrigger->pSync = pSync; +- newSyncObject = TRUE; +- } + } + + /* if system counter, ask it what the current value is */ +@@ -432,6 +427,14 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & XSyncCACounter) { ++ if (pSync != pTrigger->pSync) { /* new counter for trigger */ ++ 
SyncDeleteTriggerFromSyncObject(pTrigger); ++ pTrigger->pSync = pSync; ++ newSyncObject = TRUE; ++ } ++ } ++ + /* we wait until we're sure there are no errors before registering + * a new counter on a trigger + */ +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch new file mode 100644 index 0000000000..22e751c017 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-2.patch 
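Review bot: after this move, `pTrigger->pSync` keeps pointing at the old sync object while the intervening checks run and `pSync` holds the candidate one, so every check between the removed block and the new `if (changes & XSyncCACounter)` block must deliberately use `pSync`/`pCounter` (the new object) rather than `pTrigger->pSync` (the old one); please confirm no path in that window still assumes the two are already equal. A one-line comment at the new block saying the swap is deferred so that none of the `return rc` / `return BadMatch` exits above can leave the trigger removed from its old sync object but not added to the new one would document why the order matters and keep a later refactor from hoisting it back up.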
@@ -0,0 +1,85 @@ +From f52cea2f93a0c891494eb3334894442a92368030 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 16:54:30 +0100 +Subject: [PATCH] sync: Check values before applying changes + +In SyncInitTrigger(), we would set the CheckTrigger function before +validating the counter value. + +As a result, if the counter value overflowed, we would leave the +function SyncInitTrigger() with the CheckTrigger applied but without +updating the trigger object. + +To avoid that issue, move the portion of code checking for the trigger +check value before updating the CheckTrigger function. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 585cfa6f68..10302160fb 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -381,6 +381,24 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + ++ if (changes & (XSyncCAValueType | XSyncCAValue)) { ++ if (pTrigger->value_type == XSyncAbsolute) ++ pTrigger->test_value = pTrigger->wait_value; ++ else { /* relative */ ++ Bool overflow; ++ ++ if (pCounter == NULL) ++ return BadMatch; ++ ++ overflow = checked_int64_add(&pTrigger->test_value, ++ pCounter->value, pTrigger->wait_value); ++ if (overflow) { ++ client->errorValue = pTrigger->wait_value >> 32; ++ return BadValue; ++ } ++ } ++ } ++ + if (changes & XSyncCATestType) { + + if (pSync && SYNC_FENCE == pSync->type) { +@@ -409,24 +427,6 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + } + } + +- if (changes & (XSyncCAValueType | XSyncCAValue)) { +- if (pTrigger->value_type == XSyncAbsolute) +- pTrigger->test_value = pTrigger->wait_value; +- 
else { /* relative */ +- Bool overflow; +- +- if (pCounter == NULL) +- return BadMatch; +- +- overflow = checked_int64_add(&pTrigger->test_value, +- pCounter->value, pTrigger->wait_value); +- if (overflow) { +- client->errorValue = pTrigger->wait_value >> 32; +- return BadValue; +- } +- } +- } +- + if (changes & XSyncCACounter) { + if (pSync != pTrigger->pSync) { /* new counter for trigger */ + SyncDeleteTriggerFromSyncObject(pTrigger); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch new file mode 100644 index 0000000000..8d714f0302 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-3.patch 
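Review bot: the moved block stores `pTrigger->test_value` before the `XSyncCATestType` branch runs, and that branch can still reject the request, so a failed change leaves `test_value` updated while `CheckTrigger` is not; that is the same partial-update pattern this series is removing, just on a less dangerous field. Computing the result into a local `int64_t` here and assigning `pTrigger->test_value` after the test-type checks (or together with the counter swap at the end) would close that gap at no cost. Separately, `client->errorValue = pTrigger->wait_value >> 32;` reports only the high word of the 64-bit value; pre-existing, but worth a comment now that the block has moved.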
@@ -0,0 +1,52 @@ +From 8cbc90c8817306af75a60f494ec9dbb1061e50db Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:06:07 +0100 +Subject: [PATCH] sync: Do not fail SyncAddTriggerToSyncObject() + +We do not want to return a failure at the very last step in +SyncInitTrigger() after having all changes applied. + +SyncAddTriggerToSyncObject() must not fail on memory allocation, if the +allocation of the SyncTriggerList fails, trigger a FatalError() instead. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 10302160fb..65f2d43780 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -201,8 +201,8 @@ SyncAddTriggerToSyncObject(SyncTrigger * pTrigger) + return Success; + } + +- if (!(pCur = malloc(sizeof(SyncTriggerList)))) +- return BadAlloc; ++ /* Failure is not an option, it's succeed or burst! */ ++ pCur = XNFalloc(sizeof(SyncTriggerList)); + + pCur->pTrigger = pTrigger; + pCur->next = pTrigger->pSync->pTriglist; +@@ -439,8 +439,7 @@ SyncInitTrigger(ClientPtr client, SyncTrigger * pTrigger, XID syncObject, + * a new counter on a trigger + */ + if (newSyncObject) { +- if ((rc = SyncAddTriggerToSyncObject(pTrigger)) != Success) +- return rc; ++ SyncAddTriggerToSyncObject(pTrigger); + } + else if (pCounter && IsSystemCounter(pCounter)) { + SyncComputeBracketValues(pCounter); +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch new file mode 100644 index 0000000000..e2261192fa --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-26601-4.patch 
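Review bot: SyncAddTriggerToSyncObject() still returns `int` and still has an early `return Success;`, while its caller in the second hunk now discards the return value; changing the return type to `void` would make the compiler flag any error path someone adds to it later instead of silently dropping it again. Aborting with XNFalloc() is defensible at this point because SyncInitTrigger() has already applied every state change and cannot roll them back, and the comment would be more useful saying exactly that than "succeed or burst".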
@@ -0,0 +1,132 @@ +From c285798984c6bb99e454a33772cde23d394d3dcd Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 20 Jan 2025 17:10:31 +0100 +Subject: [PATCH] sync: Apply changes last in SyncChangeAlarmAttributes() + +SyncChangeAlarmAttributes() would apply the various changes while +checking for errors. + +If one of the changes triggers an error, the changes for the trigger, +counter or delta value would remain, possibly leading to inconsistent +changes. + +Postpone the actual changes until we're sure nothing else can go wrong. + +Related to CVE-2025-26601, ZDI-CAN-25870 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989] +CVE: CVE-2025-26601 +Signed-off-by: Vijay Anusuri +--- + Xext/sync.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +diff --git a/Xext/sync.c b/Xext/sync.c +index 65f2d43780..cab73be927 100644 +--- a/Xext/sync.c ++++ b/Xext/sync.c +@@ -830,8 +830,14 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + int status; + XSyncCounter counter; + Mask origmask = mask; ++ SyncTrigger trigger; ++ Bool select_events_changed = FALSE; ++ Bool select_events_value = FALSE; ++ int64_t delta; + +- counter = pAlarm->trigger.pSync ? pAlarm->trigger.pSync->id : None; ++ trigger = pAlarm->trigger; ++ delta = pAlarm->delta; ++ counter = trigger.pSync ? 
trigger.pSync->id : None; + + while (mask) { + int index2 = lowbit(mask); +@@ -847,24 +853,24 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + case XSyncCAValueType: + mask &= ~XSyncCAValueType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.value_type = *values++; ++ trigger.value_type = *values++; + break; + + case XSyncCAValue: + mask &= ~XSyncCAValue; +- pAlarm->trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; ++ trigger.wait_value = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + + case XSyncCATestType: + mask &= ~XSyncCATestType; + /* sanity check in SyncInitTrigger */ +- pAlarm->trigger.test_type = *values++; ++ trigger.test_type = *values++; + break; + + case XSyncCADelta: + mask &= ~XSyncCADelta; +- pAlarm->delta = ((int64_t)values[0] << 32) | values[1]; ++ delta = ((int64_t)values[0] << 32) | values[1]; + values += 2; + break; + +@@ -874,10 +880,8 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + client->errorValue = *values; + return BadValue; + } +- status = SyncEventSelectForAlarm(pAlarm, client, +- (Bool) (*values++)); +- if (status != Success) +- return status; ++ select_events_value = (Bool) (*values++); ++ select_events_changed = TRUE; + break; + + default: +@@ -886,25 +890,33 @@ SyncChangeAlarmAttributes(ClientPtr client, SyncAlarm * pAlarm, Mask mask, + } + } + ++ if (select_events_changed) { ++ status = SyncEventSelectForAlarm(pAlarm, client, select_events_value); ++ if (status != Success) ++ return status; ++ } ++ + /* "If the test-type is PositiveComparison or PositiveTransition + * and delta is less than zero, or if the test-type is + * NegativeComparison or NegativeTransition and delta is + * greater than zero, a Match error is generated." 
+ */ + if (origmask & (XSyncCADelta | XSyncCATestType)) { +- if ((((pAlarm->trigger.test_type == XSyncPositiveComparison) || +- (pAlarm->trigger.test_type == XSyncPositiveTransition)) +- && pAlarm->delta < 0) ++ if ((((trigger.test_type == XSyncPositiveComparison) || ++ (trigger.test_type == XSyncPositiveTransition)) ++ && delta < 0) + || +- (((pAlarm->trigger.test_type == XSyncNegativeComparison) || +- (pAlarm->trigger.test_type == XSyncNegativeTransition)) +- && pAlarm->delta > 0) ++ (((trigger.test_type == XSyncNegativeComparison) || ++ (trigger.test_type == XSyncNegativeTransition)) ++ && delta > 0) + ) { + return BadMatch; + } + } + + /* postpone this until now, when we're sure nothing else can go wrong */ ++ pAlarm->delta = delta; ++ pAlarm->trigger = trigger; + if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, RTCounter, + origmask & XSyncCAAllTrigger)) != Success) + return status; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index ac0408ea67..0265366393 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
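Review bot: two of the deferred changes still land before the request is known to succeed. First, the new `if (select_events_changed)` block calls SyncEventSelectForAlarm() right after the loop, ahead of the delta/test-type check that can `return BadMatch`, so a rejected request still changes the alarm's event selection; move that call after the BadMatch check (or after SyncInitTrigger()). Second, `pAlarm->delta = delta; pAlarm->trigger = trigger;` are committed immediately before SyncInitTrigger(), which can still fail (the value checks moved by the previous patch return BadMatch/BadValue), so on that failure the alarm keeps the new `value_type`, `wait_value`, `test_type` and `delta` while the counter swap has not happened. If SyncInitTrigger() has to operate on the live `&pAlarm->trigger` because that address is what gets linked into the sync object's trigger list, say so in the "postpone this until now" comment, which otherwise reads as if nothing can fail after this point.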
@@ -20,6 +20,10 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26599-1.patch \ file://CVE-2025-26599-2.patch \ file://CVE-2025-26600.patch \ + file://CVE-2025-26601-1.patch \ + file://CVE-2025-26601-2.patch \ + file://CVE-2025-26601-3.patch \ + file://CVE-2025-26601-4.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Wed Mar 5 22:11:11 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 58401 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/16] ffmpeg: fix CVE-2025-25473 Date: Wed, 5 Mar 2025 14:11:11 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 05 Mar 2025 22:11:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212362 From: Archana Polampalli FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2025-25473.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch new file mode 100644 index 0000000000..ea619025d1 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25473.patch 
@@ -0,0 +1,36 @@ +From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Fri, 17 Jan 2025 00:05:31 -0300 +Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue + when closing a muxer + +packet_buffer is used in mux.c, and if a muxing process fails at a point where +packets remained in said queue, they will leak. + +Fixes ticket #11419 + +Signed-off-by: James Almer + +CVE: CVE-2025-25473 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c08d300481b8ebb846cd43a473988fdbc6793d1b] + +Signed-off-by: Archana Polampalli +--- + libavformat/avformat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libavformat/avformat.c b/libavformat/avformat.c +index 5b8bb78..73f31cd 100644 +--- a/libavformat/avformat.c ++++ b/libavformat/avformat.c +@@ -138,6 +138,7 @@ void avformat_free_context(AVFormatContext *s) + av_dict_free(&si->id3v2_meta); + av_packet_free(&si->pkt); + av_packet_free(&si->parse_pkt); ++ avpriv_packet_list_free(&si->packet_buffer); + av_freep(&s->streams); + ff_flush_packet_queue(s); + av_freep(&s->url); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 91ee6c6b0d..cb6a50401b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
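Review bot: the cover text and the backported commit describe different bugs, and that should be resolved before the CVE tag goes in. The description above says "NULL pointer dereference via the component libavformat/mov.c", but the hunk touches libavformat/avformat.c, and the upstream subject and body say it fixes packets leaking out of FFFormatContext's packet_buffer when a muxing process fails (ticket #11419). Confirm that c08d300481b8 is the commit the CVE record actually points to; if it is, the recipe-side description should say this is a memory leak on the muxer error path rather than a NULL dereference, so the CVE tracker records what was fixed. On the hunk itself: avpriv_packet_list_free(&si->packet_buffer) is inserted two lines before the existing ff_flush_packet_queue(s) call. Check what ff_flush_packet_queue() frees in the 6.1.1 tree: if that helper already releases si->packet_buffer there, this line is redundant (verify the list head is reset by the first free so the second call is a no-op); if it only drains the demuxer-side queues, this line is exactly the muxer-side cleanup that was missing and the backport is complete.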
@@ -47,6 +47,7 @@ SRC_URI = " \ file://CVE-2024-36618.patch \ file://CVE-2024-36619.patch \ file://CVE-2024-35369.patch \ + file://CVE-2025-25473.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
From patchwork Wed Mar 5 22:11:12 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 13/16] ffmpeg: fix CVE-2025-25471
Date: Wed, 5 Mar 2025 14:11:12 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212363

From: Archana Polampalli

FFmpeg git master before commit fd1772 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-25471.patch | 39 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25471.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25471.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25471.patch
new file mode 100644
index 0000000000..6af01b298f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-25471.patch
@@ -0,0 +1,39 @@ +From 1446e37d3d032e1452844778b3e6ba2c20f0c322 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Mon, 30 Dec 2024 00:25:41 -0300 +Subject: [PATCH] avfilter/buffersrc: check for valid sample rate + +A sample rate <= 0 is invalid. + +Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. +Fixes ticket #11385. + +Signed-off-by: James Almer + +CVE: CVE-2025-25471 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1446e37d3d032e1452844778b3e6ba2c20f0c322] + +Signed-off-by: Archana Polampalli +--- + libavfilter/buffersrc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c +index 453fc0f..f49aa91 100644 +--- a/libavfilter/buffersrc.c ++++ b/libavfilter/buffersrc.c +@@ -401,6 +401,11 @@ FF_ENABLE_DEPRECATION_WARNINGS + av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf)); + } + ++ if (s->sample_rate <= 0) { ++ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); ++ return AVERROR(EINVAL); ++ } ++ + if (!s->time_base.num) + s->time_base = (AVRational){1, s->sample_rate}; + +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index cb6a50401b..6af43bcf37 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
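Review bot: two things do not line up between the cover text and this hunk. First, the recipe description says the flaw is a NULL pointer dereference in libavformat/mov.c fixed before commit fd1772, but the change being backported is 1446e37d3d03 in libavfilter/buffersrc.c, which rejects sample_rate <= 0 to stop an assert in ffmpeg_enc.c (ticket #11385); confirm that the CVE record really points at this commit before the CVE tag is attached, and if so correct the description so the tracker stops reporting a mov.c issue against this recipe. Second, on the code: the placement is right, because the new check runs before "if (!s->time_base.num) s->time_base = (AVRational){1, s->sample_rate};", the line that would otherwise manufacture a {1, 0} time base from an unset rate, and AVERROR(EINVAL) is the appropriate error for a caller-supplied invalid parameter. Nothing further is needed in the hunk.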
@@ -48,6 +48,7 @@ SRC_URI = " \ file://CVE-2024-36619.patch \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ + file://CVE-2025-25471.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
From patchwork Wed Mar 5 22:11:13 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 14/16] ffmpeg: fix CVE-2025-22921
Date: Wed, 5 Mar 2025 14:11:13 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212364

From: Archana Polampalli

FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-22921.patch | 34 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
new file mode 100644
index 0000000000..20fac68d01
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch
@@ -0,0 +1,34 @@ +From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Wed, 1 Jan 2025 23:58:39 -0300 +Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it + +Fixes NULL pointer dereferences. +Fixes ticket #11393. + +Reviewed-by: Michael Niedermayer +Signed-off-by: James Almer + +CVE: CVE-2025-22921 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7f9c7f9849a2155224711f0ff57ecdac6e4bfb57] + +Signed-off-by: Archana Polampalli +--- + libavcodec/jpeg2000dec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c +index 691cfbd..b56902c 100644 +--- a/libavcodec/jpeg2000dec.c ++++ b/libavcodec/jpeg2000dec.c +@@ -1223,6 +1223,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, + } + } + av_freep(&cblk->lengthinc); ++ cblk->nb_lengthinc = 0; + } + } + // Save state of stream +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 6af43bcf37..bd1259d392 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
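Review bot: the one-line reset is the correct shape for this bug: after av_freep(&cblk->lengthinc) the pointer is NULL, but without this line cblk->nb_lengthinc still advertised the old element count, so any later code that trusts the count would walk a NULL array, which is the NULL pointer dereference the upstream message (ticket #11393) describes. Two checks for the 6.1.1 backport: grep libavcodec/jpeg2000dec.c for other av_freep(&cblk->lengthinc) sites, since a second free that does not zero nb_lengthinc leaves the same hazard in place, and confirm that every place which allocates lengthinc also sets nb_lengthinc in step with it, because after this change the count is the only gate on using the array. The recipe description ("segmentation violation via /libavcodec/jpeg2000dec.c") matches the file touched here, so the CVE tag is consistent with the fix.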
@@ -49,6 +49,7 @@ SRC_URI = " \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ file://CVE-2025-25471.patch \ + file://CVE-2025-22921.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
From patchwork Wed Mar 5 22:11:14 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 15/16] ffmpeg: fix CVE-2025-0518
Date: Wed, 5 Mar 2025 14:11:14 -0800
Message-ID: <75ad6e004de95ff6208820ccf2c0af01d9363749.1741206348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212365

From: Archana Polampalli

Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C

This issue affects FFmpeg: 7.1.

Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a

This issue was discovered by: Simcha Kosma

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-0518.patch | 34 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
new file mode 100644
index 0000000000..d3e02bebe6
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
@@ -0,0 +1,34 @@ +From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Mon, 6 Jan 2025 22:01:39 +0100 +Subject: [PATCH] avfilter/af_pan: Fix sscanf() use + +Fixes: Memory Data Leak + +Found-by: Simcha Kosman +Signed-off-by: Michael Niedermayer + +CVE: CVE-2025-0518 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a] + +Signed-off-by: Archana Polampalli +--- + libavfilter/af_pan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c +index cfed9f1..ffcd214 100644 +--- a/libavfilter/af_pan.c ++++ b/libavfilter/af_pan.c +@@ -165,7 +165,7 @@ static av_cold int init(AVFilterContext *ctx) + sign = 1; + while (1) { + gain = 1; +- if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) ++ if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) + arg += len; + if (parse_channel_name(&arg, &in_ch_id, &named)){ + av_log(ctx, AV_LOG_ERROR, +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index bd1259d392..06ca65a480 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
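Review bot: the original condition "if (sscanf(arg, "%lf%n *%n", &gain, &len, &len))" treats any non-zero return as success, and sscanf() returns EOF (-1) when the input runs out before the first conversion, so on an empty or whitespace-only argument the branch executed "arg += len" with len never assigned (the %n directives only store an offset once matching reaches them); that uninitialised advance is the out-of-bounds read the CVE text above refers to. Changing the test to ">= 1" is the right fix: %n does not count toward the return value, so 1 means the %lf conversion succeeded and the first %n has stored a valid offset, while both the EOF case and the 0 case (matching failure, e.g. a bare channel name) now fall through to parse_channel_name() without touching len. When the optional " *" part does not match, only the first %n has run, so len stops just after the number, which is what the loop wants. Worth checking in the 6.1.1 tree whether len is initialised at its declaration; an "int len = 0;" would cost nothing and makes the pre-patch failure mode harder to reintroduce by a later edit to this condition.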
@@ -50,6 +50,7 @@ SRC_URI = " \ file://CVE-2025-25473.patch \ file://CVE-2025-25471.patch \ file://CVE-2025-22921.patch \ + file://CVE-2025-0518.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
From patchwork Wed Mar 5 22:11:15 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 16/16] systemd: add libpcre2 as RRECOMMENDS if pcre2 is enabled
Date: Wed, 5 Mar 2025 14:11:15 -0800
Message-ID: <5bf46aececa6c9175e7a98beca0e3848200f80cb.1741206348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/212366

From: Alexis Cellier

The libpcre2 is now dlopen'ed, so it is not automatically added to the RDEPENDS anymore. Add it to the RRECOMMENDS list (and not RDEPENDS as systemd tags the library as "suggested").

This issue is not on master, the systemd v257 recipe uses a tool that systemd provides to get this kind of dependencies. But this cannot be backported to scarthgap as systemd v255 does not have this tool yet.

Cc: Yoann Congal
Signed-off-by: Alexis Cellier
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/systemd/systemd_255.17.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/systemd/systemd_255.17.bb b/meta/recipes-core/systemd/systemd_255.17.bb
index 8f5170929f..f85ad61080 100644
--- a/meta/recipes-core/systemd/systemd_255.17.bb
+++ b/meta/recipes-core/systemd/systemd_255.17.bb
@@ -188,7 +188,7 @@ PACKAGECONFIG[oomd] = "-Doomd=true,-Doomd=false" PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl" PACKAGECONFIG[p11kit] = "-Dp11kit=true,-Dp11kit=false,p11-kit" PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}" -PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2" +PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2,,libpcre2" PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false" # If polkit is disabled and networkd+hostnamed are in use, enabling this option and # using dbus-broker will allow networkd to be authorized to change the
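Review bot: the field placement is correct: PACKAGECONFIG's comma-separated fields are the enable flag, the disable flag, DEPENDS, RDEPENDS and RRECOMMENDS, so "libpcre2,,libpcre2" keeps libpcre2 as a build-time dependency, leaves RDEPENDS empty and adds it to RRECOMMENDS, which is exactly what the commit message asks for. The point worth documenting next to the line (a recipe comment would do) is the failure mode this creates: because systemd dlopen()s libpcre2, nothing at package or install time will notice if it is absent, so an image that suppresses recommendations (NO_RECOMMENDATIONS = "1", or libpcre2 listed in BAD_RECOMMENDATIONS) silently loses the pcre2-backed functionality instead of failing to build, and integrators who rely on it need to add libpcre2 to the image explicitly. A short comment stating why this is a recommendation and not an RDEPENDS would also help the next person who touches the line, since that reasoning currently lives only in this commit message and the master recipe derives the dependency from systemd's own tool instead.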