From patchwork Mon Mar 24 19:36:48 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 59824
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/6] tiff: mark CVE-2023-30774 as patched
Date: Mon, 24 Mar 2025 12:36:48 -0700
Message-ID: <87893c72efbba029c5f2a9e8e3fff126b2a0cb71.1742844907.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213573

From: Peter Marko

[1] points to issue [2], which was fixed by [3] together with a lot of other issues.
We already have this patch, so mark CVE-2023-30774 in it.
Also split the CVE tag into separate entries.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-30774
[2] https://gitlab.com/libtiff/libtiff/-/issues/463
[3] https://gitlab.com/libtiff/libtiff/-/merge_requests/385

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 ...Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch index 17b37be041..261421b399 100644 --- a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch +++ b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
@@ -23,7 +23,9 @@ This MR will close the following issues: #149, #150, #152, #168 (to be checked) It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. -CVE: CVE-2022-3599 CVE-2022-4645 +CVE: CVE-2022-3599 +CVE: CVE-2022-4645 +CVE: CVE-2023-30774 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246.patch] Signed-off-by: Ross Burton 
Signed-off-by: Pawan Badganchi
From patchwork Mon Mar 24 19:36:49 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 59823
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/6] libxslt: Fix for CVE-2024-55549
Date: Mon, 24 Mar 2025 12:36:49 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213574

From: Vijay Anusuri

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../libxslt/libxslt/CVE-2024-55549.patch | 49 +++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb | 4 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch new file mode 100644 index 0000000000..88a17a4d0c --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
@@ -0,0 +1,49 @@ +From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 5 Dec 2024 12:43:19 +0100 +Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces + +Definitions of excluded namespaces could be deleted in +xsltParseTemplateContent. Store excluded namespace URIs in the +stylesheet's dictionary instead of referencing the namespace definition. + +Thanks to Ivan Fratric for the report! + +Fixes #127. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515] +CVE: CVE-2024-55549 +Signed-off-by: Vijay Anusuri +--- + libxslt/xslt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 69116f2..02c2e3a 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style, + * in case of error + */ + static int +-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) ++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig) + { ++ xmlChar *value; + int i; + ++ /* ++ * orig can come from a namespace definition on a node which ++ * could be deleted later, for example in xsltParseTemplateContent. ++ * Store the string in stylesheet's dict to avoid use after free. ++ */ ++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1); ++ if (value == NULL) ++ return(-1); ++ + if (style->exclPrefixMax == 0) { + style->exclPrefixMax = 4; + style->exclPrefixTab = +-- +2.34.1 + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 2fd777766c..1f0d845421 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb 
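Review bot: the exclPrefixPush hunk makes value a pointer owned by style->dict (xmlDictLookup with length -1), so the entries of style->exclPrefixTab now stay valid for the stylesheet's lifetime, which is the point of the fix; confirm that the matching pop/free path for exclPrefixTab, which is outside the hunk, never frees individual entries, since that would turn the use-after-free into a double free. The diffstat (libxslt/xslt.c, 11 insertions, 1 deletion) suggests only this function changed, consistent with the table having held borrowed pointers before the change.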
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458" SECTION = "libs" DEPENDS = "libxml2" -SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz" +SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \ + file://CVE-2024-55549.patch \ + " SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
From patchwork Mon Mar 24 19:36:50 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 59825
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/6] libxslt: Fix for CVE-2025-24855
Date: Mon, 24 Mar 2025 12:36:50 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213575

From: Vijay Anusuri

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../libxslt/libxslt/CVE-2025-24855.patch | 134 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb | 1 +
 2 files changed, 135 insertions(+)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch new file mode 100644 index 0000000000..b8c2f5b0c8 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
@@ -0,0 +1,134 @@ +From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 17 Dec 2024 15:56:21 +0100 +Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node + +There are several places where the XPath context node isn't restored +after modifying it, leading to use-after-free errors with nested XPath +evaluations and dynamically allocated context nodes. + +Restore XPath context node in + +- xsltNumberFormatGetValue +- xsltEvalXPathPredicate +- xsltEvalXPathStringNs +- xsltComputeSortResultInternal + +In some places, the transformation context node was saved and restored +which shouldn't be necessary. + +Thanks to Ivan Fratric for the report! + +Fixes #128. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2] +CVE: CVE-2025-24855 +Signed-off-by: Vijay Anusuri +--- + libxslt/numbers.c | 5 +++++ + libxslt/templates.c | 9 ++++++--- + libxslt/xsltutils.c | 4 ++-- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 0e1fa136..741124d1 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, + int amount = 0; + xmlBufferPtr pattern; + xmlXPathObjectPtr obj; ++ xmlNodePtr oldNode; + + pattern = xmlBufferCreate(); + if (pattern != NULL) { ++ oldNode = context->node; ++ + xmlBufferCCat(pattern, "number("); + xmlBufferCat(pattern, value); + xmlBufferCCat(pattern, ")"); +@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, + xmlXPathFreeObject(obj); + } + xmlBufferFree(pattern); ++ ++ context->node = oldNode; + } + return amount; + } +diff --git a/libxslt/templates.c b/libxslt/templates.c +index f08b9bda..1c8d96e2 100644 +--- a/libxslt/templates.c ++++ b/libxslt/templates.c +@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + int oldNsNr; + 
xmlNsPtr *oldNamespaces; + xmlNodePtr oldInst; ++ xmlNodePtr oldNode; + int oldProximityPosition, oldContextSize; + + if ((ctxt == NULL) || (ctxt->inst == NULL)) { +@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + return(0); + } + ++ oldNode = ctxt->xpathCtxt->node; + oldContextSize = ctxt->xpathCtxt->contextSize; + oldProximityPosition = ctxt->xpathCtxt->proximityPosition; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + ctxt->state = XSLT_STATE_STOPPED; + ret = 0; + } +- ctxt->xpathCtxt->nsNr = oldNsNr; + ++ ctxt->xpathCtxt->node = oldNode; ++ ctxt->xpathCtxt->nsNr = oldNsNr; + ctxt->xpathCtxt->namespaces = oldNamespaces; + ctxt->inst = oldInst; + ctxt->xpathCtxt->contextSize = oldContextSize; +@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + } + + oldInst = ctxt->inst; +- oldNode = ctxt->node; ++ oldNode = ctxt->xpathCtxt->node; + oldPos = ctxt->xpathCtxt->proximityPosition; + oldSize = ctxt->xpathCtxt->contextSize; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + "xsltEvalXPathString: returns %s\n", ret)); + #endif + ctxt->inst = oldInst; +- ctxt->node = oldNode; ++ ctxt->xpathCtxt->node = oldNode; + ctxt->xpathCtxt->contextSize = oldSize; + ctxt->xpathCtxt->proximityPosition = oldPos; + ctxt->xpathCtxt->nsNr = oldNsNr; +diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c +index 0e9dc62f..a20da961 100644 +--- a/libxslt/xsltutils.c ++++ b/libxslt/xsltutils.c +@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort, + return(NULL); + } + +- oldNode = ctxt->node; + oldInst = ctxt->inst; ++ oldNode = ctxt->xpathCtxt->node; + oldPos = ctxt->xpathCtxt->proximityPosition; + oldSize = ctxt->xpathCtxt->contextSize; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ 
-1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort, + results[i] = NULL; + } + } +- ctxt->node = oldNode; + ctxt->inst = oldInst; ++ ctxt->xpathCtxt->node = oldNode; + ctxt->xpathCtxt->contextSize = oldSize; + ctxt->xpathCtxt->proximityPosition = oldPos; + ctxt->xpathCtxt->nsNr = oldNsNr; +-- +GitLab + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 1f0d845421..3df372b267 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb 
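Review bot: in the xsltEvalXPathStringNs and xsltComputeSortResultInternal hunks, oldNode switches from saving ctxt->node to saving ctxt->xpathCtxt->node, and the restore lines switch accordingly, so ctxt->node is no longer restored on exit from those two functions; the commit message calls the old save/restore unnecessary, but nothing in the backport header records why that is safe for the 1.1.35 base. Suggest one sentence there noting that callers do not depend on ctxt->node after these calls, and a check that the hunks apply at the listed offsets, since the upstream commit (December 2024) was made against a newer tree than the libxslt_1.1.35.bb recipe carries.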
@@ -15,6 +15,7 @@ DEPENDS = "libxml2" SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \ file://CVE-2024-55549.patch \ + file://CVE-2025-24855.patch \ " SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
From patchwork Mon Mar 24 19:36:51 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 59828
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/6] xserver-xorg: fix CVE-2022-49737
Date: Mon, 24 Mar 2025 12:36:51 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213576

From: Yogita Urade

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-49737

Upstream patch: https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../xserver-xorg/CVE-2022-49737.patch | 90 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb | 1 +
 2 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch new file mode 100644 index 0000000000..86c9f59f8c --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch
@@ -0,0 +1,90 @@ +From dc7cb45482cea6ccec22d117ca0b489500b4d0a0 Mon Sep 17 00:00:00 2001 +From: tholin +Date: Tue, 4 Jan 2022 12:08:11 +0000 +Subject: [PATCH] dix: Hold input lock for AttachDevice() + +Fix the following race: + +Possible data race during read of size 8 at 0xA112510 by thread #6 +Locks held: 1, at address 0x366B40 + at 0x14C8B9: GetMaster (devices.c:2691) + by 0x15CFC5: IsFloating (events.c:346) + by 0x2B9554: miPointerGetScreen (mipointer.c:527) + by 0x1A5136: xf86PostButtonEventM (xf86Xinput.c:1379) + by 0x1A52BD: xf86PostButtonEvent (xf86Xinput.c:1345) + by 0x485F45B: EvdevProcessEvent (in /usr/lib64/xorg/modules/input/evdev_drv.so) + by 0x485FDAC: EvdevReadInput (in /usr/lib64/xorg/modules/input/evdev_drv.so) + by 0x195427: xf86ReadInput (xf86Events.c:247) + by 0x2CC113: InputReady (inputthread.c:180) + by 0x2CE4EA: ospoll_wait (ospoll.c:657) + by 0x2CC077: InputThreadDoWork (inputthread.c:369) + by 0x484A336: mythread_wrapper (hg_intercepts.c:406) + +This conflicts with a previous write of size 8 by thread #1 +Locks held: none + at 0x14D2C6: AttachDevice (devices.c:2609) + by 0x15CF85: ReattachToOldMaster (events.c:1457) + by 0x1647DD: DeactivateKeyboardGrab (events.c:1700) + by 0x25D7F1: ProcXIUngrabDevice (xigrabdev.c:169) + by 0x2552AD: ProcIDispatch (extinit.c:398) + by 0x155291: Dispatch (dispatch.c:479) + by 0x158CBA: dix_main (main.c:276) + by 0x143A3D: main (stubmain.c:34) + Address 0xa112510 is 336 bytes inside a block of size 904 alloc'd + at 0x4846571: calloc (vg_replace_malloc.c:1328) + by 0x14A0B3: AddInputDevice (devices.c:260) + by 0x1A31A0: xf86ActivateDevice (xf86Xinput.c:365) + by 0x1A4549: xf86NewInputDevice (xf86Xinput.c:948) + by 0x1A4B44: NewInputDeviceRequest (xf86Xinput.c:1090) + by 0x1B81FE: device_added (udev.c:282) + by 0x1B8516: config_udev_init (udev.c:439) + by 0x1B7091: config_init (config.c:50) + by 0x197970: InitInput (xf86Init.c:814) + by 0x158C6B: dix_main (main.c:250) + by 0x143A3D: main (stubmain.c:34) + 
Block was alloc'd by thread #1 + +The steps to trigger the race are: +1. Main thread does cleanup at mipointer.c:360 setting the slave device's + miPointerPtr to null. +2. Input thread use MIPOINTER in mipointer.c and get the slave's + miPointerPtr = null. +3. Main thread updates dev->master at devices.c:2609. +4. MIPOINTER would now return the master's miPointerPtr but the input + thread already got the slave's miPointerPtr in step 2 and segfaults by + null ptr deref. + +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260 +Signed-off-by: Thomas Lindroth + +CVE: CVE-2022-49737 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0] + +Signed-off-by: Yogita Urade +--- + dix/devices.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 459f1ed..e5a6f02 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2671,6 +2671,8 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master) + if (IsFloating(dev) && !master && dev->enabled) + return Success; + ++ input_lock(); ++ + /* free the existing sprite. */ + if (IsFloating(dev) && dev->spriteInfo->paired == dev) { + screen = miPointerGetScreen(dev); +@@ -2711,6 +2713,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master) + RecalculateMasterButtons(master); + } + ++ input_unlock(); + /* XXX: in theory, the MD should change back to its old, original + * classes when the last SD is detached. Thanks to the XTEST devices, + * we'll always have an SD attached until the MD is removed. +-- +2.40.0 diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb index e77b81eed6..6790eb0921 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
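Review bot: input_lock() is added at line 2674 and input_unlock() at 2716, but the two hunks omit lines 2676 to 2712 of AttachDevice; confirm there is no return between them that would leave the input lock held (the only early return visible, `return Success` for an already floating device, sits before the lock is taken). Since the identical patch (index 86c9f59f8c) is carried for xwayland in 5/6, a note in the header that the two copies must be kept in sync would help future CVE updates.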
@@ -35,6 +35,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2025-26601-2.patch \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ + file://CVE-2022-49737.patch \ " SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152" From patchwork Mon Mar 24 19:36:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 59827 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 73696C3600C for ; Mon, 24 Mar 2025 19:37:15 +0000 (UTC) Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) by mx.groups.io with SMTP id smtpd.web11.48390.1742845027694094704 for ; Mon, 24 Mar 2025 12:37:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=gc3EnWQ8; spf=softfail (domain: sakoman.com, ip: 209.85.216.45, mailfrom: steve@sakoman.com) Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-3015001f862so6002160a91.3 for ; Mon, 24 Mar 2025 12:37:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1742845027; x=1743449827; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=3ii6DtFK/vJFbtwa8ylFkR6czi57/S1Mv6CMoUNFxTk=; b=gc3EnWQ8ZZi1lBfYnqSY12qQQXwW6ulh/9HaRr9LjGGn25GeTCou+7suuAmc1gmgRP YxlrtnrEUKzf62ogIAZMEy4woZ8h+Let6IdFWXd5J0BTDQK5PEwMS4/1Wda1x53BPrKV SMLNMlgMAxGNapIK5czUcZEzcwt93PO09/1j1jfl6Y8vOmA72wQhOXbIHV1zIHX9rrcH 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/6] xwayland: fix CVE-2022-49737 Date: Mon, 24 Mar 2025 12:36:52 -0700 Message-ID: <740ea9019cf5cf309c5a4ef380eac17d21078ac8.1742844907.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213577 From: Yogita Urade In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-49737 Upstream patch: https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2022-49737.patch | 90 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 91 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch new file mode 100644 index 0000000000..86c9f59f8c --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch 
@@ -0,0 +1,90 @@ +From dc7cb45482cea6ccec22d117ca0b489500b4d0a0 Mon Sep 17 00:00:00 2001 +From: tholin +Date: Tue, 4 Jan 2022 12:08:11 +0000 +Subject: [PATCH] dix: Hold input lock for AttachDevice() + +Fix the following race: + +Possible data race during read of size 8 at 0xA112510 by thread #6 +Locks held: 1, at address 0x366B40 + at 0x14C8B9: GetMaster (devices.c:2691) + by 0x15CFC5: IsFloating (events.c:346) + by 0x2B9554: miPointerGetScreen (mipointer.c:527) + by 0x1A5136: xf86PostButtonEventM (xf86Xinput.c:1379) + by 0x1A52BD: xf86PostButtonEvent (xf86Xinput.c:1345) + by 0x485F45B: EvdevProcessEvent (in /usr/lib64/xorg/modules/input/evdev_drv.so) + by 0x485FDAC: EvdevReadInput (in /usr/lib64/xorg/modules/input/evdev_drv.so) + by 0x195427: xf86ReadInput (xf86Events.c:247) + by 0x2CC113: InputReady (inputthread.c:180) + by 0x2CE4EA: ospoll_wait (ospoll.c:657) + by 0x2CC077: InputThreadDoWork (inputthread.c:369) + by 0x484A336: mythread_wrapper (hg_intercepts.c:406) + +This conflicts with a previous write of size 8 by thread #1 +Locks held: none + at 0x14D2C6: AttachDevice (devices.c:2609) + by 0x15CF85: ReattachToOldMaster (events.c:1457) + by 0x1647DD: DeactivateKeyboardGrab (events.c:1700) + by 0x25D7F1: ProcXIUngrabDevice (xigrabdev.c:169) + by 0x2552AD: ProcIDispatch (extinit.c:398) + by 0x155291: Dispatch (dispatch.c:479) + by 0x158CBA: dix_main (main.c:276) + by 0x143A3D: main (stubmain.c:34) + Address 0xa112510 is 336 bytes inside a block of size 904 alloc'd + at 0x4846571: calloc (vg_replace_malloc.c:1328) + by 0x14A0B3: AddInputDevice (devices.c:260) + by 0x1A31A0: xf86ActivateDevice (xf86Xinput.c:365) + by 0x1A4549: xf86NewInputDevice (xf86Xinput.c:948) + by 0x1A4B44: NewInputDeviceRequest (xf86Xinput.c:1090) + by 0x1B81FE: device_added (udev.c:282) + by 0x1B8516: config_udev_init (udev.c:439) + by 0x1B7091: config_init (config.c:50) + by 0x197970: InitInput (xf86Init.c:814) + by 0x158C6B: dix_main (main.c:250) + by 0x143A3D: main (stubmain.c:34) + 
Block was alloc'd by thread #1 + +The steps to trigger the race are: +1. Main thread does cleanup at mipointer.c:360 setting the slave device's + miPointerPtr to null. +2. Input thread use MIPOINTER in mipointer.c and get the slave's + miPointerPtr = null. +3. Main thread updates dev->master at devices.c:2609. +4. MIPOINTER would now return the master's miPointerPtr but the input + thread already got the slave's miPointerPtr in step 2 and segfaults by + null ptr deref. + +Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260 +Signed-off-by: Thomas Lindroth + +CVE: CVE-2022-49737 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0] + +Signed-off-by: Yogita Urade +--- + dix/devices.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 459f1ed..e5a6f02 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -2671,6 +2671,8 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master) + if (IsFloating(dev) && !master && dev->enabled) + return Success; + ++ input_lock(); ++ + /* free the existing sprite. */ + if (IsFloating(dev) && dev->spriteInfo->paired == dev) { + screen = miPointerGetScreen(dev); +@@ -2711,6 +2713,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master) + RecalculateMasterButtons(master); + } + ++ input_unlock(); + /* XXX: in theory, the MD should change back to its old, original + * classes when the last SD is detached. Thanks to the XTEST devices, + * we'll always have an SD attached until the MD is removed. +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 6affd80e22..8b1fc85aab 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
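Review bot: this backport of dc7cb45482cea6ccec22d117ca0b489500b4d0a0 into xwayland 22.1.8 carries the hunk headers (@@ -2671,6 +2671,8 @@ and @@ -2711,6 +2713,7 @@) and the `index 459f1ed..e5a6f02` line over unchanged from the xserver-xorg 21.1.8 backport in 4/6 of this series, yet dix/devices.c in the xwayland tarball is not necessarily the same revision of that file; please confirm both hunks apply without offset or fuzz warnings in do_patch rather than relying on the identical patch text, and that input_lock()/input_unlock() exist under those names in the xwayland 22.1.8 tree.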
@@ -42,6 +42,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-2.patch \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ + file://CVE-2022-49737.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
From patchwork Mon Mar 24 19:36:53 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 59829 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/6] libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt Date: Mon, 24 Mar 2025 12:36:53 -0700 Message-ID: <1172a71f2104454a13e64886adbdb381aa8d6e0e.1742844907.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/213578 From: Robert Yang Fixed: IMAGE_INSTALL:append = " libxcrypt-compat" $ bitbake -cpopulate_sdk file /usr/lib/libcrypt.so from install of libxcrypt-compat-dev-4.4.33-r0.0.aarch64 conflicts with file from package libcrypt-dev-4.4.33-r0.2.aarch64 Remove libcrypt.so like other files to fix the error. (From OE-Core rev: dc0c7a8c3d1d4f02869b7f0d42f704fd24bf0dde) Signed-off-by: Robert Yang Signed-off-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb b/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb index ec9f9f4fa3..d5546ce9ba 100644 --- a/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb +++ b/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb @@ -13,6 +13,6 @@ API = "--enable-obsolete-api" do_install:append () { rm -rf ${D}${includedir} rm -rf ${D}${libdir}/pkgconfig + rm -rf ${D}${libdir}/libcrypt.so rm -rf ${D}${datadir} } -
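Review bot: the hunk header @@ -13,6 +13,6 @@ and the diffstat (1 insertion(+), 1 deletion(-)) say one line is removed as well as added, but the hunk as shown ends at a bare `-` with the removed line cut off, so the deletion cannot be reviewed from this message; please make sure the line being dropped is an intended part of the fix and not a stray edit. Minor style point on the `+ rm -rf ${D}${libdir}/libcrypt.so` line: `${libdir}/libcrypt.so` is a single file, so `rm -f` would suffice, though mirroring the surrounding `rm -rf` lines is acceptable.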