From patchwork Tue Apr 15 20:52:22 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 61380
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/4] cve-update-nvd2-native: add workaround for json5 style list
Date: Tue, 15 Apr 2025 13:52:22 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214968

From: Peter Marko

NVD responses changed to an invalid json between:
* April 5, 2025 at 3:03:44 AM GMT+2
* April 5, 2025 at 4:19:48 AM GMT+2

The last response is since then in format
{
  "resultsPerPage": 625,
  "startIndex": 288000,
  "totalResults": 288625,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2025-04-07T07:17:17.534",
  "vulnerabilities": [
    {...},
    ...
    {...},
  ]
}

Json does not allow trailing , in responses, that is json5 format.
So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:

...
File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
     0230:            if raw_data is None:
     0231:                # We haven't managed to download data
     0232:                return False
     0233:
 *** 0234:            data = json.loads(raw_data)
     0235:
     0236:            index = data["startIndex"]
     0237:            total = data["totalResults"]
     0238:            per_page = data["resultsPerPage"]
...
File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
     0351:        """
     0352:        try:
     0353:            obj, end = self.scan_once(s, idx)
     0354:        except StopIteration as err:
 *** 0355:            raise JSONDecodeError("Expecting value", s, err.value) from None
     0356:        return obj, end

Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
...

There was no announcement about json format of API v2.0 by nvd.
Also this happens only if whole database is queried (database update is
fine, even when multiple pages are queried).
And lastly it's only the cve list, all other lists inside are fine.
So this looks like a bug in NVD 2.0 introduced with some update.

Patch this with simple character deletion for now and let's monitor the
situation and possibly switch to json5 in the future.
Note that there is no native json5 support in python, we'd have to use
one of external libraries for it.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
Signed-off-by: Steve Sakoman
--- meta/recipes-core/meta/cve-update-nvd2-native.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index b8faee68d6..9808120cab 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -226,6 +226,11 @@ def update_db_file(db_tmp_file, d, database_time): # We haven't managed to download data return False + # hack for json5 style responses + if raw_data[-3:] == ',]}': + bb.note("Removing trailing ',' from nvd response") + raw_data = raw_data[:-3] + ']}' + data = json.loads(raw_data) index = data["startIndex"]
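
Review bot: in the update_db_file hunk, the test raw_data[-3:] == ',]}' only matches a response whose last three characters are exactly those, so a trailing newline or any whitespace between the comma and the closing brackets leaves the trailing comma in place and json.loads() still raises. Consider comparing against raw_data.rstrip() or using a whitespace-tolerant match, and expand the "# hack" comment to name the NVD behaviour it works around so the block can be dropped once the feed is valid JSON again.
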
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/4] systemd: ignore CVEs which reappeared after upgrade to 250.14
Date: Tue, 15 Apr 2025 13:52:23 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214969

From: Peter Marko

Upgrade from 250.5 to 250.14 removed patches for these CVEs because they
were integrated in the new version.
However NVD DB does not contain information about these backports to
v250 branch, so they need to be ignored.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
--- meta/recipes-core/systemd/systemd.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc index 86ae4793c3..70ba1d1f77 100644 --- a/meta/recipes-core/systemd/systemd.inc +++ b/meta/recipes-core/systemd/systemd.inc
@@ -19,3 +19,6 @@ SRCBRANCH = "v250-stable" SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}" S = "${WORKDIR}/git" + +# cpe-stable-backport: patches were backported to v250 stable branch +CVE_CHECK_IGNORE += "CVE-2022-3821 CVE-2022-4415 CVE-2022-45873"
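
Review bot: the comment above CVE_CHECK_IGNORE in systemd.inc gives one shared reason for all three CVEs and does not name the v250-stable release or commit that carries each fix, so the ignore list cannot be checked from the recipe alone. Suggest one entry per CVE with the backport commit or first fixed 250.x version next to it; the commit message says the fixes arrived with the upgrade from 250.5 to 250.14, which is worth stating in the recipe comment too.
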
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/4] go: fix CVE-2025-22871
Date: Tue, 15 Apr 2025 13:52:24 -0700
Message-ID: <2a9f47eb507cf57b58c4aa1baf0ef645b699fd6c.1744750227.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214970

From: Hitendra Prajapati

Upstream-Status: Backport from https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
--- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2025-22871.patch | 172 ++++++++++++++++++ 2 files changed, 173 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 34ad70572f..e54205d48c 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -62,6 +62,7 @@ SRC_URI += "\ file://CVE-2024-34156.patch \ file://CVE-2024-34158.patch \ file://CVE-2024-45336.patch \ + file://CVE-2025-22871.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch new file mode 100644 index 0000000000..06e0fa77de --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-22871.patch
@@ -0,0 +1,172 @@ +From 15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 26 Feb 2025 13:40:00 -0800 +Subject: [PATCH] [release-branch.go1.23] net/http: reject newlines in + chunk-size lines + +Unlike request headers, where we are allowed to leniently accept +a bare LF in place of a CRLF, chunked bodies must always use CRLF +line terminators. We were already enforcing this for chunk-data lines; +do so for chunk-size lines as well. Also reject bare CRs anywhere +other than as part of the CRLF terminator. + +Fixes CVE-2025-22871 +Fixes #72010 +For #71988 + +Change-Id: Ib0e21af5a8ba28c2a1ca52b72af8e2265ec79e4a +Reviewed-on: https://go-review.googlesource.com/c/go/+/652998 +Reviewed-by: Jonathan Amsterdam +LUCI-TryBot-Result: Go LUCI +(cherry picked from commit d31c805535f3fde95646ee4d87636aaaea66847b) +Reviewed-on: https://go-review.googlesource.com/c/go/+/657216 + +Upstream-Status: Backport [https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931] +CVE: CVE-2025-22871 +Signed-off-by: Hitendra Prajapati +--- + src/net/http/internal/chunked.go | 19 +++++++++-- + src/net/http/internal/chunked_test.go | 27 +++++++++++++++ + src/net/http/serve_test.go | 49 +++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 3 deletions(-) + +diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go +index ddbaacb..dd79afc 100644 +--- a/src/net/http/internal/chunked.go ++++ b/src/net/http/internal/chunked.go +@@ -159,6 +159,19 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { + } + return nil, err + } ++ ++ // RFC 9112 permits parsers to accept a bare \n as a line ending in headers, ++ // but not in chunked encoding lines. See https://www.rfc-editor.org/errata/eid7633, ++ // which explicitly rejects a clarification permitting \n as a chunk terminator. ++ // ++ // Verify that the line ends in a CRLF, and that no CRs appear before the end. 
++ if idx := bytes.IndexByte(p, '\r'); idx == -1 { ++ return nil, errors.New("chunked line ends with bare LF") ++ } else if idx != len(p)-2 { ++ return nil, errors.New("invalid CR in chunked line") ++ } ++ p = p[:len(p)-2] // trim CRLF ++ + if len(p) >= maxLineLength { + return nil, ErrLineTooLong + } +@@ -166,14 +179,14 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { + } + + func trimTrailingWhitespace(b []byte) []byte { +- for len(b) > 0 && isASCIISpace(b[len(b)-1]) { ++ for len(b) > 0 && isOWS(b[len(b)-1]) { + b = b[:len(b)-1] + } + return b + } + +-func isASCIISpace(b byte) bool { +- return b == ' ' || b == '\t' || b == '\n' || b == '\r' ++func isOWS(b byte) bool { ++ return b == ' ' || b == '\t' + } + + // removeChunkExtension removes any chunk-extension from p. +diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go +index 5fbeb08..51ecd62 100644 +--- a/src/net/http/internal/chunked_test.go ++++ b/src/net/http/internal/chunked_test.go +@@ -251,6 +251,33 @@ func TestChunkReaderByteAtATime(t *testing.T) { + } + } + ++func TestChunkInvalidInputs(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ b string ++ }{{ ++ name: "bare LF in chunk size", ++ b: "1\na\r\n0\r\n", ++ }, { ++ name: "extra LF in chunk size", ++ b: "1\r\r\na\r\n0\r\n", ++ }, { ++ name: "bare LF in chunk data", ++ b: "1\r\na\n0\r\n", ++ }, { ++ name: "bare LF in chunk extension", ++ b: "1;\na\r\n0\r\n", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ r := NewChunkedReader(strings.NewReader(test.b)) ++ got, err := io.ReadAll(r) ++ if err == nil { ++ t.Fatalf("unexpectedly parsed invalid chunked data:\n%q", got) ++ } ++ }) ++ } ++} ++ + type funcReader struct { + f func(iteration int) ([]byte, error) + i int +diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go +index bfac783..944cd46 100644 +--- a/src/net/http/serve_test.go ++++ b/src/net/http/serve_test.go +@@ -6610,3 +6610,52 @@ func testQuerySemicolon(t 
*testing.T, query string, wantX string, allowSemicolon + } + } + } ++ ++func TestInvalidChunkedBodies(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ b string ++ }{{ ++ name: "bare LF in chunk size", ++ b: "1\na\r\n0\r\n\r\n", ++ }, { ++ name: "bare LF at body end", ++ b: "1\r\na\r\n0\r\n\n", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ reqc := make(chan error) ++ ts := newClientServerTest(t, http1Mode, HandlerFunc(func(w ResponseWriter, r *Request) { ++ got, err := io.ReadAll(r.Body) ++ if err == nil { ++ t.Logf("read body: %q", got) ++ } ++ reqc <- err ++ })).ts ++ ++ serverURL, err := url.Parse(ts.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ conn, err := net.Dial("tcp", serverURL.Host) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ if _, err := conn.Write([]byte( ++ "POST / HTTP/1.1\r\n" + ++ "Host: localhost\r\n" + ++ "Transfer-Encoding: chunked\r\n" + ++ "Connection: close\r\n" + ++ "\r\n" + ++ test.b)); err != nil { ++ t.Fatal(err) ++ } ++ conn.(*net.TCPConn).CloseWrite() ++ ++ if err := <-reqc; err == nil { ++ t.Errorf("server handler: io.ReadAll(r.Body) succeeded, want error") ++ } ++ }) ++ } ++} +-- +2.25.1 +
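
Review bot: the serve_test.go hunk inside CVE-2025-22871.patch calls newClientServerTest(t, http1Mode, ...), and the embedded commit is tagged [release-branch.go1.23], while the recipe that picks the patch up is go-1.17.13.inc. Please confirm that this helper signature and http1Mode exist in the 1.17.13 test sources, or drop the test-only hunks and say so in the patch header. The new file is also created under go-1.21/ although it is referenced from go-1.17.13.inc; a sentence in the commit message explaining the directory choice would help later backports.
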
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/4] ruby: fix CVE-2024-43398
Date: Tue, 15 Apr 2025 13:52:25 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214971

From: Divya Chellam

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398

Upstream-patch:
https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2024-43398.patch | 81 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + 2 files changed, 82 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch new file mode 100644 index 0000000000..02dc0a20be --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-43398.patch 
@@ -0,0 +1,81 @@ +From 7cb5eaeb221c322b9912f724183294d8ce96bae3 Mon Sep 17 00:00:00 2001 +From: Sutou Kouhei +Date: Sat, 17 Aug 2024 17:45:52 +0900 +Subject: [PATCH] parser tree: improve namespace conflicted attribute check + performance + +It was slow for deep element. + +Reported by l33thaxor. Thanks!!! + +The changes to the test folder files are not included in this patch +because the test folder was not generated during the devtool source build. + +CVE: CVE-2024-43398 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3] + +Signed-off-by: Divya Chellam +--- + .bundle/gems/rexml-3.2.5/lib/rexml/element.rb | 11 ----------- + .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 11 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/element.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/element.rb +index 4c21dbd..78e78c2 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/element.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/element.rb +@@ -2388,17 +2388,6 @@ module REXML + elsif old_attr.kind_of? 
Hash + old_attr[value.prefix] = value + elsif old_attr.prefix != value.prefix +- # Check for conflicting namespaces +- if value.prefix != "xmlns" and old_attr.prefix != "xmlns" +- old_namespace = old_attr.namespace +- new_namespace = value.namespace +- if old_namespace == new_namespace +- raise ParseException.new( +- "Namespace conflict in adding attribute \"#{value.name}\": "+ +- "Prefix \"#{old_attr.prefix}\" = \"#{old_namespace}\" and "+ +- "prefix \"#{value.prefix}\" = \"#{new_namespace}\"") +- end +- end + store value.name, {old_attr.prefix => old_attr, + value.prefix => value} + else +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index e32c7f4..154f2ac 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -634,6 +634,7 @@ module REXML + + def parse_attributes(prefixes, curr_ns) + attributes = {} ++ expanded_names = {} + closed = false + match_data = @source.match(/^(.*?)(\/)?>/um, true) + if match_data.nil? +@@ -641,6 +642,20 @@ module REXML + raise REXML::ParseException.new(message, @source) + end + ++ unless prefix == "xmlns" ++ uri = @namespaces[prefix] ++ expanded_name = [uri, local_part] ++ existing_prefix = expanded_names[expanded_name] ++ if existing_prefix ++ message = "Namespace conflict in adding attribute " + ++ "\"#{local_part}\": " + ++ "Prefix \"#{existing_prefix}\" = \"#{uri}\" and " + ++ "prefix \"#{prefix}\" = \"#{uri}\"" ++ raise REXML::ParseException.new(message, @source, self) ++ end ++ expanded_names[expanded_name] = prefix ++ end ++ + raw_attributes = match_data[1] + closed = !match_data[2].nil? + return attributes, closed if raw_attributes.nil? +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 76e5ac81ed..ca061e7f70 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -48,6 +48,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://CVE-2024-41946.patch \ file://CVE-2025-27220.patch \ file://CVE-2025-27219.patch \ + file://CVE-2024-43398.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
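
Review bot: in the second baseparser.rb hunk, the added 'unless prefix == "xmlns"' block reads prefix, local_part and @namespaces, but it is placed directly after the match_data.nil? check and before raw_attributes = match_data[1], and nothing in the visible context of parse_attributes assigns those names before that point. Please check against the rexml 3.2.5 sources that they are defined there; if they are only set while the individual attributes are scanned, the check has to move to that place, otherwise the conflict test removed from element.rb has no working replacement.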