From patchwork Wed Apr 30 02:53:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62131 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31B66C3ABAD for ; Wed, 30 Apr 2025 02:54:07 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web11.8199.1745981641149995018 for ; Tue, 29 Apr 2025 19:54:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=c/0e1/ng; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-30572effb26so6070225a91.0 for ; Tue, 29 Apr 2025 19:54:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981640; x=1746586440; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kwD8tZpE7AfZJwk/n3UcfHfQf517jNai2B0D7r8eY68=; b=c/0e1/ng2ylcD4y7g/psCY8gNGGaEjOltFcuduRM7yjOMLQX1AkFFiuo0mhNsyBFU/ tccnvW5W5ISDQ0STz9xqSD7VCMknW5kkWxv7M/8YRy5iPAwJ+6zbB5pia9uSsLPcgvOl 7rF+NR9Dna9DSRKtnbyrqx3UFPwKXlbEeAIPdic/0GpT5bHAGx+9CXbA2l/9ZVTraDbP 5hu+NkEsxSOn7xeqLnJ8REKsxCaKb+jFwi7i1AuMeZNvBAc5Q07S7ubx6KbBVdvK02f2 /Ck+8RCCfGAtlHQrI9lloJ7mhKz3kzMnbXNGb2BIYTeT2YG2CXZfVfiTkCrzUHg9CRRs br8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981640; x=1746586440; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kwD8tZpE7AfZJwk/n3UcfHfQf517jNai2B0D7r8eY68=; b=xSVaSBhTSTmE1B4JZUdwW+gt6ToZpTsuzSRqSdgjXiSDNhzgVx4AqdtZnN7ecKhVlz n0JFZF749qVfh580ZYmw2WQ7WobIWApL57kEyealE9sTn7I0grB9cOTWcgMWezJMKAyK BhR6Zcbk2IbK0SvqqxGFYg5J8/BJvviDTjF/Y/j48UWYoXLgDucQo4CSJogJLTRqLTqP zFXYVqWx4R/S4987K4i699cSrd64gHS7ccUTriDDdi0/mHmDRi6wLzhqKvvmm9uILvVs zx1PsEWVtMUzoXEtgwzrzmTJUqPZfzF1CBU/3Ko6xq4N3a5ZxgHlYYJRy68g3b3U+RHB fvpg== X-Gm-Message-State: AOJu0Yxi6qdf1ZUKS/IiDhag6FH2NrGQy0FvQcHFnI4W1FFxXWYIfloY unTxaj2XlZ70G8pvhF26dX/HxV17PTq2SrU2b2eFaUUJPTsGcNIOJnzkNNZShhVGTZFZCExQVgf c X-Gm-Gg: ASbGncuvKmaV7HrOsp4leU3Y5+CyY2OnslqywOLD6XbNSy6ap6nfNPFhfGZGz+ry4AS /g17+SxGUeJMQyrSQXRLhGfyR3mbhaRqpToxrocSMdkVJK4wK0qRViIBSNwKp25URgy+B4aqVLP WxF0XMD2gBc14crzY0oqkvo6/iHK8fuxiYy/fbIoTJnC0c1nj5HBrBSYqXAmnq63qxLOy5aJwXE 338fclPPH9YsYaWubu9tkFLI3DQKyRYIGrk1LQvFpbpIhy0rhKfEU11lKVcbwlfJFddb+/MaTbb ke7cH7KfsFJcu1c4/9h5qqklPgr06oE= X-Google-Smtp-Source: AGHT+IHVMmtjeho/xrYA6Kg1HZtTcFIFYB/wE7+Hz4oOnt65wX9J4xBuVQh2luUKrK2anayj0jByDw== X-Received: by 2002:a17:90b:3cc8:b0:2fe:b470:dde4 with SMTP id 98e67ed59e1d1-30a332f2c30mr2657985a91.12.1745981640136; Tue, 29 Apr 2025 19:54:00 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.53.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:53:59 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/14] sqlite3: patch CVE-2025-29088 Date: Tue, 29 Apr 2025 19:53:26 -0700 Message-ID: <70d2d56f89d6f4589d65a0b4f0cbda20d2172167.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215692 From: Peter Marko Pick commit [1] mentioned in [2]. [1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../sqlite/files/CVE-2025-29088.patch | 179 ++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 1 + 2 files changed, 180 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-29088.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2025-29088.patch b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch new file mode 100644 index 0000000000..470ee9564c --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2025-29088.patch @@ -0,0 +1,179 @@ +From 40f668e88d70d47b17652ca629d5f36fafaae0e8 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Mon, 17 Feb 2025 14:16:49 +0000 +Subject: [PATCH] Harden the SQLITE_DBCONFIG_LOOKASIDE interface against + misuse, such as described in [forum:/forumpost/48f365daec|forum post + 48f365daec]. Enhancements to the SQLITE_DBCONFIG_LOOKASIDE documentation. + Test cases in TH3. + +FossilOrigin-Name: 1ec4c308c76c69fba031184254fc3340f07607cfbf8342b13713ab445563d377 + +CVE: CVE-2025-29088 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4] +Signed-off-by: Peter Marko +--- + sqlite3.c | 42 +++++++++++++++++++++++--------------- + sqlite3.h | 60 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 67 insertions(+), 35 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 0b979f7a7d..27bea6f2e0 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -169267,17 +169267,22 @@ SQLITE_API int sqlite3_config(int op, ...){ + ** If lookaside is already active, return SQLITE_BUSY. + ** + ** The sz parameter is the number of bytes in each lookaside slot. +-** The cnt parameter is the number of slots. If pStart is NULL the +-** space for the lookaside memory is obtained from sqlite3_malloc(). +-** If pStart is not NULL then it is sz*cnt bytes of memory to use for +-** the lookaside memory. ++** The cnt parameter is the number of slots. If pBuf is NULL the ++** space for the lookaside memory is obtained from sqlite3_malloc() ++** or similar. If pBuf is not NULL then it is sz*cnt bytes of memory ++** to use for the lookaside memory. + */ +-static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ ++static int setupLookaside( ++ sqlite3 *db, /* Database connection being configured */ ++ void *pBuf, /* Memory to use for lookaside. May be NULL */ ++ int sz, /* Desired size of each lookaside memory slot */ ++ int cnt /* Number of slots to allocate */ ++){ + #ifndef SQLITE_OMIT_LOOKASIDE +- void *pStart; +- sqlite3_int64 szAlloc = sz*(sqlite3_int64)cnt; +- int nBig; /* Number of full-size slots */ +- int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */ ++ void *pStart; /* Start of the lookaside buffer */ ++ sqlite3_int64 szAlloc; /* Total space set aside for lookaside memory */ ++ int nBig; /* Number of full-size slots */ ++ int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */ + + if( sqlite3LookasideUsed(db,0)>0 ){ + return SQLITE_BUSY; +@@ -169290,17 +169295,22 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + sqlite3_free(db->lookaside.pStart); + } + /* The size of a lookaside slot after ROUNDDOWN8 needs to be larger +- ** than a pointer to be useful. ++ ** than a pointer and small enough to fit in a u16. + */ +- sz = ROUNDDOWN8(sz); /* IMP: R-33038-09382 */ ++ sz = ROUNDDOWN8(sz); + if( sz<=(int)sizeof(LookasideSlot*) ) sz = 0; +- if( cnt<0 ) cnt = 0; +- if( sz==0 || cnt==0 ){ ++ if( sz>65528 ) sz = 65528; ++ /* Count must be at least 1 to be useful, but not so large as to use ++ ** more than 0x7fff0000 total bytes for lookaside. */ ++ if( cnt<1 ) cnt = 0; ++ if( sz>0 && cnt>(0x7fff0000/sz) ) cnt = 0x7fff0000/sz; ++ szAlloc = (i64)sz*(i64)cnt; ++ if( szAlloc==0 ){ + sz = 0; + pStart = 0; + }else if( pBuf==0 ){ + sqlite3BeginBenignMalloc(); +- pStart = sqlite3Malloc( szAlloc ); /* IMP: R-61949-35727 */ ++ pStart = sqlite3Malloc( szAlloc ); + sqlite3EndBenignMalloc(); + if( pStart ) szAlloc = sqlite3MallocSize(pStart); + }else{ +@@ -169309,10 +169319,10 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + #ifndef SQLITE_OMIT_TWOSIZE_LOOKASIDE + if( sz>=LOOKASIDE_SMALL*3 ){ + nBig = szAlloc/(3*LOOKASIDE_SMALL+sz); +- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL; ++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL; + }else if( sz>=LOOKASIDE_SMALL*2 ){ + nBig = szAlloc/(LOOKASIDE_SMALL+sz); +- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL; ++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL; + }else + #endif /* SQLITE_OMIT_TWOSIZE_LOOKASIDE */ + if( sz>0 ){ +diff --git a/sqlite3.h b/sqlite3.h +index de393da9dc..04e6b616d5 100644 +--- a/sqlite3.h ++++ b/sqlite3.h +@@ -1914,13 +1914,16 @@ struct sqlite3_mem_methods { + ** + ** [[SQLITE_CONFIG_LOOKASIDE]]
SQLITE_CONFIG_LOOKASIDE
+ **
^(The SQLITE_CONFIG_LOOKASIDE option takes two arguments that determine +-** the default size of lookaside memory on each [database connection]. ++** the default size of [lookaside memory] on each [database connection]. + ** The first argument is the +-** size of each lookaside buffer slot and the second is the number of +-** slots allocated to each database connection.)^ ^(SQLITE_CONFIG_LOOKASIDE +-** sets the default lookaside size. The [SQLITE_DBCONFIG_LOOKASIDE] +-** option to [sqlite3_db_config()] can be used to change the lookaside +-** configuration on individual connections.)^
++** size of each lookaside buffer slot ("sz") and the second is the number of ++** slots allocated to each database connection ("cnt").)^ ++** ^(SQLITE_CONFIG_LOOKASIDE sets the default lookaside size. ++** The [SQLITE_DBCONFIG_LOOKASIDE] option to [sqlite3_db_config()] can ++** be used to change the lookaside configuration on individual connections.)^ ++** The [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to change the ++** default lookaside configuration at compile-time. ++** + ** + ** [[SQLITE_CONFIG_PCACHE2]]
SQLITE_CONFIG_PCACHE2
+ **
^(The SQLITE_CONFIG_PCACHE2 option takes a single argument which is +@@ -2133,24 +2136,43 @@ struct sqlite3_mem_methods { + **
SQLITE_DBCONFIG_LOOKASIDE
+ **
^This option takes three additional arguments that determine the + ** [lookaside memory allocator] configuration for the [database connection]. +-** ^The first argument (the third parameter to [sqlite3_db_config()] is a ++**
    ++**

  1. The first argument ("buf") is a + ** pointer to a memory buffer to use for lookaside memory. +-** ^The first argument after the SQLITE_DBCONFIG_LOOKASIDE verb +-** may be NULL in which case SQLite will allocate the +-** lookaside buffer itself using [sqlite3_malloc()]. ^The second argument is the +-** size of each lookaside buffer slot. ^The third argument is the number of +-** slots. The size of the buffer in the first argument must be greater than +-** or equal to the product of the second and third arguments. The buffer +-** must be aligned to an 8-byte boundary. ^If the second argument to +-** SQLITE_DBCONFIG_LOOKASIDE is not a multiple of 8, it is internally +-** rounded down to the next smaller multiple of 8. ^(The lookaside memory ++** The first argument may be NULL in which case SQLite will allocate the ++** lookaside buffer itself using [sqlite3_malloc()]. ++**

  2. The second argument ("sz") is the ++** size of each lookaside buffer slot. Lookaside is disabled if "sz" ++** is less than 8. The "sz" argument should be a multiple of 8 less than ++** 65536. If "sz" does not meet this constraint, it is reduced in size until ++** it does. ++**

  3. The third argument ("cnt") is the number of slots. Lookaside is disabled ++** if "cnt"is less than 1. The "cnt" value will be reduced, if necessary, so ++** that the product of "sz" and "cnt" does not exceed 2,147,418,112. The "cnt" ++** parameter is usually chosen so that the product of "sz" and "cnt" is less ++** than 1,000,000. ++**

++**

If the "buf" argument is not NULL, then it must ++** point to a memory buffer with a size that is greater than ++** or equal to the product of "sz" and "cnt". ++** The buffer must be aligned to an 8-byte boundary. ++** The lookaside memory + ** configuration for a database connection can only be changed when that + ** connection is not currently using lookaside memory, or in other words +-** when the "current value" returned by +-** [sqlite3_db_status](D,[SQLITE_CONFIG_LOOKASIDE],...) is zero. ++** when the value returned by [SQLITE_DBSTATUS_LOOKASIDE_USED] is zero. + ** Any attempt to change the lookaside memory configuration when lookaside + ** memory is in use leaves the configuration unchanged and returns +-** [SQLITE_BUSY].)^

++** [SQLITE_BUSY]. ++** If the "buf" argument is NULL and an attempt ++** to allocate memory based on "sz" and "cnt" fails, then ++** lookaside is silently disabled. ++**

++** The [SQLITE_CONFIG_LOOKASIDE] configuration option can be used to set the ++** default lookaside configuration at initialization. The ++** [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to set the default lookaside ++** configuration at compile-time. Typical values for lookaside are 1200 for ++** "sz" and 40 to 100 for "cnt". ++** + ** + ** [[SQLITE_DBCONFIG_ENABLE_FKEY]] + **

SQLITE_DBCONFIG_ENABLE_FKEY
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index 0a7a136c53..f47a9871e2 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb @@ -8,6 +8,7 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2022-46908.patch \ file://CVE-2023-36191.patch \ file://CVE-2023-7104.patch \ + file://CVE-2025-29088.patch \ " SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c" From patchwork Wed Apr 30 02:53:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62136 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57132C3ABB2 for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web10.8285.1745981642696756617 for ; Tue, 29 Apr 2025 19:54:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=2w8vNM7a; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-30863b48553so513503a91.0 for ; Tue, 29 Apr 2025 19:54:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981642; x=1746586442; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=X8AObFzL2BA1m/HRpC5rtWdX84Cr2FLra/sd8k9G1z4=; b=2w8vNM7aRR28OJcYiuR/tL3y1jz29sRbD7WjFvX/qQTk2XnhDWqMBuPGJcQKtJp5Lf XdWPpRPBc2K09ttpnl+6CAJJr2C/Fvsw87aGcRslPeschYgzwsTQCjU7khxhphKj88d0 rYgzplg8fRdkBd22f29lupKANyW7n8Q5MlVaMopokvbbmQNGlvDmG3hig0276xE2yRAX 02xWH0uvVIrBZafjTbeHP6ekOXftlmdOzv47yJwoPMQXQguBM9kzzptN/fZBhYanI/Z+ TUffpDVPmOEQe2EIzdV9AAzKLBOB1ST9HbN3gm1A2ot2uim/eJnqkf+YFayc6RYTEWIe z5zQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981642; x=1746586442; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=X8AObFzL2BA1m/HRpC5rtWdX84Cr2FLra/sd8k9G1z4=; b=PyKFWRTHZx03DFtuKdCiN6otGkh/fvcrcLxKZpl0XdBez42dQpwvdfLW7oEp4ogcE7 Cm4hsySJJMvUOXDQft2p/fc/yI8AeXGDOQb2gVee5ZKVj2TzLtTJaU8J3UCdvzyeaTt5 qCAhTxaEp3+Bw48HRvOSXA3hM6AAIsRF/DwmEktDUE2qc3+PXgsrR4RBHnE7Y8ZINKXz JbffbQTFIBJkL753fPc4QxWPvR/FNcP4ql/qGrVLcrku3usV8T2R5mtGJopIggdvmjDn TpZK3yEaExY95OTREwmuwznXolfL9+spZxBK5DCRdrZfeeQxvRq4bfo1ArnLYz87mpyv UAZw== X-Gm-Message-State: AOJu0YzvPgr3aBMIIIKmIc6mr8aq1CSG22gijY7x7fViekhvJKdDDF4C Oyx4EvTPrENkdnGExRW+NNW7cfTPjQjqrKsb9LyJuRqbtq1RtZ9/L33+uCCPeE5nYzQdTsfsr2X t X-Gm-Gg: ASbGncvIXzQH5IZDKrh+ivgQK5e/w9QqdxhwNqNgoU1ptItDL8Xr13XzEFrfdE6cwLZ BZZyOv9eZJXWXzf+TXEi1S301Hl649b4c+sYEphIdL6NDYH9shbrtuqfQbnWrGQe+G2zttiiyXJ QZvogIpGPcJ2F9XmtLiwf8GG7FFzH4jIqM9iM53LwWr/AiSr06h+0q0udz8HrXeBrzZEJQoDRs2 HJ+c6AbRrKiUioHmmx/SF3DpJjdDBW2nPAY27MnDJhfVzzp0GSiTifehurBY+/8bM20xo1j2siz bw/uXB+7knaI9WmrkWUXmJ07cImfaxk= X-Google-Smtp-Source: AGHT+IFawb4kuyKLjOP6V6srI4tAS5EHptua1asSEV5b2UTYHu8r0QYtkl0BIgebG5MVs76dfqoVuQ== X-Received: by 2002:a17:90b:2c8d:b0:2e2:c2b0:d03e with SMTP id 98e67ed59e1d1-30a33cb4785mr1657023a91.5.1745981641699; Tue, 29 Apr 2025 19:54:01 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:01 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/14] libpam: Update fix for CVE-2024-10041 Date: Tue, 29 Apr 2025 19:53:27 -0700 Message-ID: <71035c8c5907f7103ce40b92490a10bd3dde7226.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215696 From: Shubham Kulkarni Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da. But not all cases were covered with this fix and issues were reported after the release. In the v1.6.1 release, PAM community fixed these issues via commit b7b9636. Backport this commit b7b9636, which Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries") Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620 Signed-off-by: Shubham Kulkarni Signed-off-by: Steve Sakoman --- ...024-10041.patch => CVE-2024-10041-1.patch} | 0 .../pam/libpam/CVE-2024-10041-2.patch | 77 +++++++++++++++++++ meta/recipes-extended/pam/libpam_1.5.2.bb | 3 +- 3 files changed, 79 insertions(+), 1 deletion(-) rename meta/recipes-extended/pam/libpam/{CVE-2024-10041.patch => CVE-2024-10041-1.patch} (100%) create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch similarity index 100% rename from meta/recipes-extended/pam/libpam/CVE-2024-10041.patch rename to meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch new file mode 100644 index 0000000000..6070a26266 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch @@ -0,0 +1,77 @@ +From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Wed, 24 Jan 2024 18:57:42 +0100 +Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd + +The geteuid check does not cover all cases. If a program runs with +elevated capabilities like CAP_SETUID then we can still check +credentials of other users. + +Keep logging for future analysis though. + +Resolves: https://github.com/linux-pam/linux-pam/issues/747 +Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries") + +Signed-off-by: Tobias Stoeckmann + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620] +CVE: CVE-2024-10041 +Signed-off-by: Shubham Kulkarni +--- + modules/pam_unix/pam_unix_acct.c | 17 +++++++++-------- + modules/pam_unix/support.c | 14 +++++++------- + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c +index 8f5ed3e0df..7ffcb9e3f2 100644 +--- a/modules/pam_unix/pam_unix_acct.c ++++ b/modules/pam_unix/pam_unix_acct.c +@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl, + _exit(PAM_AUTHINFO_UNAVAIL); + } + +- if (geteuid() == 0) { +- /* must set the real uid to 0 so the helper will not error +- out if pam is called from setuid binary (su, sudo...) */ +- if (setuid(0) == -1) { +- pam_syslog(pamh, LOG_ERR, "setuid failed: %m"); +- printf("-1\n"); +- fflush(stdout); +- _exit(PAM_AUTHINFO_UNAVAIL); ++ /* must set the real uid to 0 so the helper will not error ++ out if pam is called from setuid binary (su, sudo...) */ ++ if (setuid(0) == -1) { ++ uid_t euid = geteuid(); ++ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m"); ++ if (euid == 0) { ++ printf("-1\n"); ++ fflush(stdout); ++ _exit(PAM_AUTHINFO_UNAVAIL); + } + } + +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index d391973f95..69811048e6 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + _exit(PAM_AUTHINFO_UNAVAIL); + } + +- if (geteuid() == 0) { +- /* must set the real uid to 0 so the helper will not error +- out if pam is called from setuid binary (su, sudo...) */ +- if (setuid(0) == -1) { +- D(("setuid failed")); +- _exit(PAM_AUTHINFO_UNAVAIL); +- } ++ /* must set the real uid to 0 so the helper will not error ++ out if pam is called from setuid binary (su, sudo...) */ ++ if (setuid(0) == -1) { ++ D(("setuid failed")); ++ if (geteuid() == 0) { ++ _exit(PAM_AUTHINFO_UNAVAIL); ++ } + } + + /* exec binary helper */ diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb index 05fe232f6a..567f9741cb 100644 --- a/meta/recipes-extended/pam/libpam_1.5.2.bb +++ b/meta/recipes-extended/pam/libpam_1.5.2.bb @@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux file://CVE-2022-28321-0002.patch \ file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \ file://CVE-2024-22365.patch \ - file://CVE-2024-10041.patch \ + file://CVE-2024-10041-1.patch \ + file://CVE-2024-10041-2.patch \ " SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d" From patchwork Wed Apr 30 02:53:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62130 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25603C3ABAC for ; Wed, 30 Apr 2025 02:54:07 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.web11.8201.1745981644255530521 for ; Tue, 29 Apr 2025 19:54:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=eDXUy+KG; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-3031354f134so5586328a91.3 for ; Tue, 29 Apr 2025 19:54:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981643; x=1746586443; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FRmayhogbtjsj87u/plzGlAZpBTPjZHWNuxBJ4AgwAk=; b=eDXUy+KGWjZ+HXgtSPGTqdX79hyoTu/lgq/CAiXo4rlZpPpyCkXn7kNNlAVA4U10eO A3LIXE4RZ2bem4OdvohdNNb5ZqLu2jGRiKaCyuF3DVEtJByn6ZO/d52U/7PaIMlS72lb di8iMDUk0aEoYju9BusH15ZV5PprEjQOwFWcqS1QA8dyHNxL+a/tlgjmLaFdVeUvaFe9 mX5u335huUxv4VV4vvarbyL5kzx0PCQbMXemHFhhqIEscCzQ9IzpyRjwAG353UyxdYzc 6HA35taqYlfKb59peERMaTBtK9af5PUKO61pWj9LQsBPnKM0aQXNAAXy13xHlpHylfQ0 7I+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981643; x=1746586443; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FRmayhogbtjsj87u/plzGlAZpBTPjZHWNuxBJ4AgwAk=; b=fCUEg2ycFKcOy2Um7HF8hZ1l9ubr+euy9sItj2af3d4PWtz8M1ZtHpZ27TvX07yuP5 D7+I9t9ze2z/UkDYT2ZgZA1wx5dtcZYeT7yawEXFT1lb9fO2dq1cba0JnyiEMmow5oQn lvM9tEzHkbQ2fjdDTpMotAJhrXctKyWySv4h2lP3JUes0Vy/zLbDVNFPNp3BD2g6glqt doqpSgQF1juUoGWgvAwFasSzsNaK7KfxEqrm72I1P9kxHVmd5g1jMrnMwCs9O7h20KK0 NB6r7ZJ3C0ym7HFaEPANgIfV0RtNBVGaepI6JdqolMXLD51rn5N7bVmR6XoyuJrTG+Q5 fJWQ== X-Gm-Message-State: AOJu0Yx4az06EuIbUh175xd/gUyfxAdBxxYkuCH6Irf4B7SVKgnJSb/f gvz+ST+BbvJ+Sd4Vx0rHzXU/qLYPGg7AxzoHqloE+EGGPQNLBFmgcBSK9L1wIohnyuPN6ap6Ps6 9 X-Gm-Gg: ASbGnctBevmklSE/8FKF7kppl6cwKgTuEU4elvCj8lactbhFQwwGFcft+WciRDr0xSr UZMX2ml1Ks1oUdnKDNJaI2iCtZqD34fq/0ySdJsTta/KD/szm5pw8DeUVUoc4N4fhMErbQZ05vO cq/9aib4Aq+2V5smOWDarFYBg/CP2HFozPD6+JzDcge9QLtzVH1fFBAtF9IuKSzbKhhv6C/yiOL Lbhob/S70SC3cy6f8ima71b70bwGZOGa3Y6TeyC5W503Lfoj6RzJhyDuOdVdRY+xh6Q40ywS8dR s6yD+OPQK/0E+nfTYdqZd0RYd5ksPnE= X-Google-Smtp-Source: AGHT+IHgh+etB/pJsRN13PfeIkDv9l7jjlflSu8DaqlMjIqLZVUBaIvzu1Zv3Q0lwwbghRkkh/3Wtw== X-Received: by 2002:a17:90b:3941:b0:301:1bce:c255 with SMTP id 98e67ed59e1d1-30a333594e1mr1768592a91.27.1745981643324; Tue, 29 Apr 2025 19:54:03 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:02 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/14] ppp: patch CVE-2024-58250 Date: Tue, 29 Apr 2025 19:53:28 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215693 From: Peter Marko Backport patch to remove vulnerable component. This is a breaking change, but there will be no other fix for this CVE as upstream did the deletion without providing a fix first. If someone really needs this feature, which the commit message describes as deprecated, bbappend with patch removal is possible. License-Update: passprompt plugin removed Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../ppp/ppp/CVE-2024-58250.patch | 185 ++++++++++++++++++ meta/recipes-connectivity/ppp/ppp_2.4.9.bb | 2 +- 2 files changed, 186 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch new file mode 100644 index 0000000000..b07d28253f --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/CVE-2024-58250.patch @@ -0,0 +1,185 @@ +From 0a66ad22e54c72690ec2a29a019767c55c5281fc Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 18 Oct 2024 20:22:57 +1100 +Subject: [PATCH] pppd: Remove passprompt plugin + +This is prompted by a number of factors: + +* It was more useful back in the dial-up days, but no-one uses dial-up + any more + +* In many cases there will be no terminal accessible to the prompter + program at the point where the prompter is run + +* The passwordfd plugin does much the same thing but does it more + cleanly and securely + +* The handling of privileges and file descriptors needs to be audited + thoroughly. + +Signed-off-by: Paul Mackerras + +CVE: CVE-2024-58250 +Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc] +Signed-off-by: Peter Marko +--- + pppd/plugins/Makefile.linux | 2 +- + pppd/plugins/Makefile.sol2 | 6 -- + pppd/plugins/passprompt.c | 119 ------------------------------------ + 3 files changed, 1 insertion(+), 126 deletions(-) + delete mode 100644 pppd/plugins/passprompt.c + +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index 6403e3d..fcc36e4 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -17,7 +17,7 @@ CFLAGS += -DUSE_EAPTLS=1 + SUBDIRS := pppoe pppoatm pppol2tp + # Uncomment the next line to include the radius authentication plugin + SUBDIRS += radius +-PLUGINS := minconn.so passprompt.so passwordfd.so winbind.so ++PLUGINS := minconn.so passwordfd.so winbind.so + + # This setting should match the one in ../Makefile.linux + MPPE=y +diff --git a/pppd/plugins/Makefile.sol2 b/pppd/plugins/Makefile.sol2 +index bc7d85d..f77ea1d 100644 +--- a/pppd/plugins/Makefile.sol2 ++++ b/pppd/plugins/Makefile.sol2 +@@ -17,11 +17,5 @@ minconn.so: minconn.o + minconn.o: minconn.c + $(CC) $(CFLAGS) -c $? + +-passprompt.so: passprompt.o +- ld -o $@ $(LDFLAGS) -h $@ passprompt.o +- +-passprompt.o: passprompt.c +- $(CC) $(CFLAGS) -c $? +- + clean: + rm -f *.o *.so +diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c +deleted file mode 100644 +index 7779d51..0000000 +--- a/pppd/plugins/passprompt.c ++++ /dev/null +@@ -1,119 +0,0 @@ +-/* +- * passprompt.c - pppd plugin to invoke an external PAP password prompter +- * +- * Copyright 1999 Paul Mackerras, Alan Curry. +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- */ +-#include +-#include +-#include +-#include +-#include "pppd.h" +- +-char pppd_version[] = VERSION; +- +-static char promptprog[PATH_MAX+1]; +-static int promptprog_refused = 0; +- +-static option_t options[] = { +- { "promptprog", o_string, promptprog, +- "External PAP password prompting program", +- OPT_STATIC, NULL, PATH_MAX }, +- { NULL } +-}; +- +-static int promptpass(char *user, char *passwd) +-{ +- int p[2]; +- pid_t kid; +- int readgood, wstat; +- ssize_t red; +- +- if (promptprog_refused || promptprog[0] == 0 || access(promptprog, X_OK) < 0) +- return -1; /* sorry, can't help */ +- +- if (!passwd) +- return 1; +- +- if (pipe(p)) { +- warn("Can't make a pipe for %s", promptprog); +- return 0; +- } +- if ((kid = fork()) == (pid_t) -1) { +- warn("Can't fork to run %s", promptprog); +- close(p[0]); +- close(p[1]); +- return 0; +- } +- if (!kid) { +- /* we are the child, exec the program */ +- char *argv[5], fdstr[32]; +- sys_close(); +- closelog(); +- close(p[0]); +- seteuid(getuid()); +- setegid(getgid()); +- argv[0] = promptprog; +- argv[1] = user; +- argv[2] = remote_name; +- sprintf(fdstr, "%d", p[1]); +- argv[3] = fdstr; +- argv[4] = 0; +- execv(*argv, argv); +- _exit(127); +- } +- +- /* we are the parent, read the password from the pipe */ +- close(p[1]); +- readgood = 0; +- do { +- red = read(p[0], passwd + readgood, MAXSECRETLEN-1 - readgood); +- if (red == 0) +- break; +- if (red < 0) { +- if (errno == EINTR && !got_sigterm) +- continue; +- error("Can't read secret from %s: %m", promptprog); +- readgood = -1; +- break; +- } +- readgood += red; +- } while (readgood < MAXSECRETLEN - 1); +- close(p[0]); +- +- /* now wait for child to exit */ +- while (waitpid(kid, &wstat, 0) < 0) { +- if (errno != EINTR || got_sigterm) { +- warn("error waiting for %s: %m", promptprog); +- break; +- } +- } +- +- if (readgood < 0) +- return 0; +- passwd[readgood] = 0; +- if (!WIFEXITED(wstat)) +- warn("%s terminated abnormally", promptprog); +- if (WEXITSTATUS(wstat)) { +- warn("%s exited with code %d", promptprog, WEXITSTATUS(wstat)); +- /* code when cancel was hit in the prompt prog */ +- if (WEXITSTATUS(wstat) == 128) { +- promptprog_refused = 1; +- } +- return -1; +- } +- return 1; +-} +- +-void plugin_init(void) +-{ +- add_options(options); +- pap_passwd_hook = promptpass; +-#ifdef USE_EAPTLS +- eaptls_passwd_hook = promptpass; +-#endif +-} diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb index b7f71b673d..e25929febf 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.4.9.bb @@ -7,7 +7,6 @@ BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs" DEPENDS = "libpcap openssl virtual/crypt" LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD" LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \ - file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \ file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \ file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2" @@ -26,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ file://ppp@.service \ file://0001-ppp-fix-build-against-5.15-headers.patch \ file://CVE-2022-4603.patch \ + file://CVE-2024-58250.patch \ " SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d" From patchwork Wed Apr 30 02:53:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62127 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 24317C3ABA5 for ; Wed, 30 Apr 2025 02:54:07 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web11.8203.1745981645608633639 for ; Tue, 29 Apr 2025 19:54:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=LCRYyU1S; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-22da3b26532so58082715ad.0 for ; Tue, 29 Apr 2025 19:54:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981645; x=1746586445; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=NEzCE+eHkAcKTIz5/LUCWkKogaZfVj4KmgWDJkrSwXU=; b=LCRYyU1S9i1xED2LrDjsSN/8QRtReTJF60r0RTD+S5Wm8Mr5jeuBaobXyPg0zjAPUb k+6JHkJDaH4f11/QZI/XTbrxyu9End7EehpJ1cXoI/NTERosKU7YeyZ/CRq+OIU5VjMg Zbfu5C9V26B8wbthnJ+VSlPzYIf1WyY63fVbkY81pB18ejpF61gqAGp6J+UnlzoPitTu VU5V39tnOlqeAG4RwaC3tCGU45J3BcB73AgnOlY86Sjmme0KK4g93qlytBUiS4tWnEAd Qw+NrMEl+jhjgIGdysTqSfSqyroogFisC+qTbQTwdGRJQnxL0geU8Kgb3TwfOLCUtYaj Yv1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981645; x=1746586445; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NEzCE+eHkAcKTIz5/LUCWkKogaZfVj4KmgWDJkrSwXU=; b=s0ExSTSboQs8ftFKfYHPGm9tXc5X7Y0YTblu31HluIhgzpnC5mXZclwH++99/nHzsi vOAehso4N+MybqTZb7KthudGtFIdJ729x3N1gKL5wKKAnGr9tipBp2q4M+opkDjOICaF cbC6iN0yYPiaGXYIpVoqxqFsHZhXB2EzjXC6OQOaIqGPw6WeL0mDlkz8Fafblh1xHO2Z LjEzMKVyN8SnWryK/l2CxCoiqnZW9Rrv/p5PHFLRJQmhMtfV6jLNJxCS+p79C3rMpeUO mIfnOxZpQjmDqwriySWJlpkiuZNgNcQ7QnIplyI3j5hoAkZeU2mgcdTjnjfDayVl/URj bbUg== X-Gm-Message-State: AOJu0YzPDrl6+VP5pa29Sso3ixcisAy8Se4qNZt0Jzo5g0i9K8EzdiHd GJJPH8kP5KlWsXzLBsfaOyq93OjjYUYTkZDvjZWzBT0r5ayyGG28qN9XAhbZBbpmgxx1jKBj63U H X-Gm-Gg: ASbGncvwykM2O3/FRYxnB/bGNdO8lktgPG0uIj0HkXYaMhLoi7sVwK9vYkh0QwC7OUh EWYcI4/Ai9DFSu6Vj6SHIQ1jTJipMehYvwKWuIJpSJwa3S4vc2rbmjYbpA+/OdyWX+UI0QpLOeD AqzBphQ1mSuWixSAlMQTlw9QFniyJxWtbTtwcVO/ZbzoNRe3XwNdPb8kjE+KBi6+gJZ8HiHFBEK +kLyHRuLzzmH1vmN/kT+EnzAj8y/1gtMLHCRU9saLV3lZOSUqI+mh1kTTXaC8ZJMAilNSHJkBN7 gOEqrcaZoeW+8yv/WMNMoNvc/qMBMj8= X-Google-Smtp-Source: AGHT+IG9xVWSqU0agdSHOQ9/g8WjWarrHVq+o+f2FybjmWAgMf6rx8nDKVbKEbZEGgTfbWLKvvDTTQ== X-Received: by 2002:a17:902:e784:b0:223:5e76:637a with SMTP id d9443c01a7336-22df3502ba2mr26803355ad.23.1745981644828; Tue, 29 Apr 2025 19:54:04 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:04 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/14] ghostscript: ignore CVE-2025-27833 Date: Tue, 29 Apr 2025 19:53:29 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215694 From: Peter Marko Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet Commit introducing vulnerable feature: * https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/pdf/pdf_fmap.c?id=0a1d08d91a95746f41e8c1d578a4e4af81ee5949 Commit fixing the vulnerability: * https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1faa0037069a22eeeb4fc750733f120 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 8499bb3676..3d4ac77cfa 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -22,9 +22,10 @@ UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources # however we use an external jpeg which doesn't have the issue. CVE_CHECK_IGNORE += "CVE-2013-6629" - # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe. CVE_CHECK_IGNORE += "CVE-2023-38560 CVE-2024-46954" +# Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet +CVE_CHECK_IGNORE += "CVE-2025-27833" def gs_verdir(v): return "".join(v.split(".")) From patchwork Wed Apr 30 02:53:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62129 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30A75C3ABAA for ; Wed, 30 Apr 2025 02:54:07 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web11.8205.1745981646880824098 for ; Tue, 29 Apr 2025 19:54:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=kUK5RJ1W; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-301c4850194so5522754a91.2 for ; Tue, 29 Apr 2025 19:54:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981646; x=1746586446; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=TWd2+eBXOvObDiHCCbmyD1T/y0Lj9m3J5GIrrPp37PM=; b=kUK5RJ1WkFZQEzBT5QeZAlsF6r1UIJ2tPi0wkcl/TcdBqwyDZzHD2yeKVgCCnWdSUc +drXziIPRNep94Bdy4zdsy3vlmWS6FA5Wh2VAaN6krUYdYHYYodzObMh2OpOJ1qrRG0v /jqhWZFOG9AuTZuToAQTQWbnf05G07+yCaLi+lGy9Tt8Lp2tgPb+gyIZ0GOhCm4PAeNg QBi50qXgB3WOeRxEijPet3CAFmjvzxcdKeUcHiaSFIra5LoPrCoya1arfVZdHfTEkZaZ cp1Fy88o+z03ImSysaUxUjqcRjVF3nvgPT4HuluyholHUlkYBHPVgdtvZVR45lizcH+o qk3w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981646; x=1746586446; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TWd2+eBXOvObDiHCCbmyD1T/y0Lj9m3J5GIrrPp37PM=; b=VkO8NCgBdlr4KhYwJMVl8j637v0E/nvtWTfnR0x7GH7XiXRGyeZi8PNAg5DY5iU3z6 cddZB6co/zDCm4dmNOGENZY2VS56bGDCuYqSLqJ7DMk1ZHijWBOyQeyE13HWeHKb71Hm dZMN1Pvd12qFJKGJ54/+5QknEgiXVl6Am3hsXNySx/H+u291y/A8oGCyaJW0t92fGK8Y 5jc6z40Oz0p4TePy7qfiO9yFEixmo+LQnizBvd37LjIGp5uvbuaXm6WvyxfQMb1toSL4 Co2sKD5Gx3+EoJwczLQzvm+3REH2Vd7L4M7ND3dBN1Uc1is94ElHvCK630ggTVUPed1O cKIQ== X-Gm-Message-State: AOJu0YztF7TUx3mEKgx3FPE9YUOD6f2UzNLgSulzRmvvIwbJUvnc87vo nhaKJQZe0cSbhqN9eXGgfN1l4q71NmyetmaqaxrgVRqGxR+T0HngTsq9tLZVBKcnFmBR7/mK9/F t X-Gm-Gg: ASbGncsPysRwaCAZtxdRH0oDibrcdYQtMgGiGR+fPLjLM7Ti14zdWInkdlp+1e2GAIk wzMgLt9g/1pvftk2hpvo5GotDB6g60+X9arVXFbxN+Xj0GuR4iCPCQHrZyVxZB5GG9WazV3P2Mf 1SKF8Bj2qgY5tx6t+DuoLZs86p5xbVutODdoSSyzoqwCN9W1JAWwwaICpTOgZqyCzrserpNPOXj ybh/HLu/om7wHOoejMrYANqPo8/sKHgS4R/Ybaz3MsYH8EO1zYW7xGL2FD7UW6I19MtPhF/GpkV FOqtHoUbUdCyW5F1bKc8Pq6i+TkToLM= X-Google-Smtp-Source: AGHT+IG4yTEGQk4RHA2xiOXebzbnd7QLsOpEELeB9wMnOL4fVh/mXDBEBEx6xdLQSDaThk/1vfFzIA== X-Received: by 2002:a17:90b:1804:b0:301:1d03:93cf with SMTP id 98e67ed59e1d1-30a3447ef20mr1287012a91.30.1745981646132; Tue, 29 Apr 2025 19:54:06 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:05 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/14] libarchive: ignore CVE-2024-48615 Date: Tue, 29 Apr 2025 19:53:30 -0700 Message-ID: <60390a3a28242efba32360426b0a3be6af5fb54b.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215695 From: Peter Marko Fix for this CVE [1] is patchong code introduced by [2] in v3.7.5. So v3.6.2 is not affected yet and the CVE can be safely ignored. Also Debian tracker [3] contains this statement. [1] https://github.com/libarchive/libarchive/commit/565b5aea491671ae33df1ca63697c10d54c00165 [2] https://github.com/libarchive/libarchive/commit/2d8a5760c5ec553283a95a1aaca746f6eb472d0f [3] https://security-tracker.debian.org/tracker/CVE-2024-48615 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index f7e576b688..87d3794ab7 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -46,6 +46,8 @@ CVE_CHECK_IGNORE += "CVE-2023-30571" CVE_CHECK_IGNORE += "CVE-2024-37407" # cpe-incorrect: bsdtar was introduced in v3.7.0, so 3.6.2 is not affected yet CVE_CHECK_IGNORE += "CVE-2025-1632" +# cpe-incorrect: vulnerable code introduced in v3.7.5, so 3.6.2 is not affected yet +CVE_CHECK_IGNORE += "CVE-2024-48615" inherit autotools update-alternatives pkgconfig From patchwork Wed Apr 30 02:53:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62133 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37C74C3ABAA for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web11.8206.1745981648433453819 for ; Tue, 29 Apr 2025 19:54:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=PrzEi4zv; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-30332dfc820so8001053a91.2 for ; Tue, 29 Apr 2025 19:54:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981648; x=1746586448; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PtVu8rKqN/ZtvdZYbGy7DCLFaspGdjAuPVgsMP7Mkt0=; b=PrzEi4zvVUyyHSbFeL+0WTH+KvRKZ5/94CTiHidyRLKAl7XOX0PVedi2F2ILftMb9l trZJBf2mPJTmfNCHhsmofXWldKdzIQB2Bxd7U95AD/5EBfMPgmE30xk5ETnHUhWVOpFl NEe5kqFuCuvIj3Vj4+F211jVkDcbIhk5gL0qxlaDodrfSr+Rs9dkkLAS9Xq0Hd/qBJt1 SeJtQTK3vZ5Sate9Sc6L4SsL8uScSJiUZYDdJcOyBrsz6XSmRytciC5h42rnOIWIXiH/ jRV9UuIWBqqcTLCT8jHRqwvT+NIVudQcX8wF4237Js1NXHSSARbHEJZTDhWF5gmsp7gO dMQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981648; x=1746586448; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PtVu8rKqN/ZtvdZYbGy7DCLFaspGdjAuPVgsMP7Mkt0=; b=cOUPOEmLjHuDY7OEAPeKr/Yn/sJ3Dd/vKnuB1CW3I4EtX4y5B2PfSe8CZWEqNg1Vzx 2VWRy12qcI8JWLH3TwzYGApu/O+Osdml/5x7nbJ+TwtaL9Bpiy8pVm621iy6fn2M+nIe vhEWTZD1VxUrHlSjDfkW/D2EAPJFT+g4z8w3ourozGvCE/vJPshblr/voMwbxXBkJcUM TVi/WddVhp5Dyh9lJYCB7KT9IbtujGzIUluFCu0RM+bEj6V6loFwnm4gumJy8zukMjHv 7KDanE9bGoHaklIF+whMndt4dBo62Y9tTe0Cp5qQxYfN2Mx8Q6bcrHasiFNfC9X5MUb0 c+sQ== X-Gm-Message-State: AOJu0Yx/RM9GM4wZDzZvhLmu0QXfhMBWZ57KEz1Gy3ilzBek7pO4I1Go haIU3+PksOXBQNUXE6r/zJ4iaz8bzWTiI3HglRBw2NFvHRQhVqam+y7RpDfAmG9DH1boBuYZPy6 H X-Gm-Gg: ASbGncueBj5xuYFaVcOlUpiVxJx1FME8LftCbKYAWwWRDt5pN3+RRV5ipddkjN0eqrB F2Z0435oSvBedn6bYwkPEDIMnhKypPPA1pQFkS87g5rSOoWAVdvO+Z/3xEpjQO5PB4Tec5fyarq UItpPjsGTxY9AM4qnc/5NOACIPJJ97urJIszk0r2xUj85tnNFdJP+aw+PsseoqaZ0s3FaBerzQE Y6Z3hLgviTsiFeq5X9zQLsY5IRGGXcwhwgWk/t+OAfIBZ+zg+hb9/z/Whcw206IqDyXS7r9zRYy pnLeDOeVK6OIAEo9TcA2Xox28D1Ofvk= X-Google-Smtp-Source: AGHT+IHAgmUkafUen89n7bbLeaGYepeWoisEXavDT1bjNZjvK5FGU7cwxv0IIOFmYGaFu7rxtoSidw== X-Received: by 2002:a17:90b:2d4b:b0:2fe:b735:87da with SMTP id 98e67ed59e1d1-30a331d4e32mr2626002a91.0.1745981647594; Tue, 29 Apr 2025 19:54:07 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:07 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/14] libxml2: patch CVE-2025-32414 Date: Tue, 29 Apr 2025 19:53:31 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215697 From: Peter Marko Pick commit from 2.12 branch as 2.9 branch is unmaintained now. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2025-32414.patch | 74 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch new file mode 100644 index 0000000000..23a2316672 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch @@ -0,0 +1,74 @@ +From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001 +From: Maks Verver +Date: Tue, 8 Apr 2025 13:13:55 +0200 +Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters. + +Fixes #889 by reserving space in the buffer for UTF-8 encoding of text. + +CVE: CVE-2025-32414 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2] +Signed-off-by: Peter Marko +--- + python/libxml.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/python/libxml.c b/python/libxml.c +index 1fe8d685..2bf14078 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When io_read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 1cbd620b34..e281a39fd4 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -37,6 +37,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2025-27113.patch \ file://CVE-2024-56171.patch \ file://CVE-2025-24928.patch \ + file://CVE-2025-32414.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Wed Apr 30 02:53:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62135 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52094C3ABAF for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web11.8209.1745981650081017636 for ; Tue, 29 Apr 2025 19:54:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Ogvmpn1x; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-2ff6e91cff5so6221949a91.2 for ; Tue, 29 Apr 2025 19:54:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981649; x=1746586449; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=QZWRdMQFALM0SGInq8/+ihs9XpdSePPRkVAFSYjABow=; b=Ogvmpn1xn4isRe4W4ga6rVyrJfpmwaWtcsqz2tE56mIP3gWQYIEF0bp5TRIjIbsFGl 44H4rf1RQqp6oOlzSYBfER+84gF746TOeTrYiNwcRVuRZ3kKt0KUbr1/G4JUuDwyoMYF hpwm5b1u/7OZbBjHuPzMdNWWF3xxrrRMQSNyIDt7TxePLmq0g2CNhr0rlsFI4+ll0puE MQnvssB7UHMYHAtFm/ZVAIiUHu1gDoCcL2yrgsKx0JGmDrvco4WZaj+e9k9puiiMBhI5 PuQq3OvoZkVQI/1alMuV+cnR/yUGQc4cUkTVFejNxroRDC7skyR6V/HRP9CnHxLZI/Ma d0kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981649; x=1746586449; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QZWRdMQFALM0SGInq8/+ihs9XpdSePPRkVAFSYjABow=; b=ewTa9tWp4En2ccPm9IqxRIivY1HzZvN8WpS8yWLz3rfaJdeTd22W3nNTCYJxP6wMf+ i89rdJBoq7KMTrO+dZt5U4HUu+IEX9MuScmqGNTdAVxTFGgLIn1ivuqWC/BMrIfD7/p2 6JlI6ST+tSqMGI8xOv7NRXkIxIjGIyhJeyoxdZODBRROxBOcOVJhO6z5h6i06NEGu0cC LIIfFzN5+pfoicEvbLhzkxyEuz0EFlGVeS1OyW6PKjUtzTNPceqoMjGzAodR6Tejnw4Y 1nhSOjUo47J9mJtjhUv5cJR/FHu5d+XB+70XZdSjpCRx/APnqUYUQ1spSPpbyFdp8huC Kytw== X-Gm-Message-State: AOJu0YyQvbKoH914qOV6LgkkAbsKWUyCp6gAmxbsZaFmg4sX3v2RuX/h 5IohFE44B9wahHVblaNbFHVGOcgE1DKzyBBzxscUiBUmXdMJOt8PiciZpIG5ofRem6IuL6D+HTD R X-Gm-Gg: ASbGnct0PoSKzNXBO3MZOEsxn9qBkM0V8FUXIhkucaWHTtb1cBvo9ZXoValf+FqDjeR BO65dbc9j6g1WTktN2DKmeK31F6c6XYiCyeKwTgcHPKfEuW/M0x042vyTIftH9GX70Pox4DqRBt IHmZG60vMV7+3GrkKaKStG8SBS3selNCGkzdAwEMyPwXrka0xf6UNuhxdDnTh2XEq1v1LoglskH jb+7JiZBZ9XJmiXtRInb0gMfW/JvU9mbh9o8EFEapePkgdvgPepGPeXbV71PDf0BBmrIjERgh7d tiljI331EZuzSLfQtF1KmeKvG6CHkv4= X-Google-Smtp-Source: AGHT+IFH7ZpQ/D4SWB4kEdXUtlUWegiMx7dx89ZCsY0Qa8qd2i0v2Bwmt7H9OtH8BgPlfIuz4rhMeA== X-Received: by 2002:a17:90b:2812:b0:309:e195:59d4 with SMTP id 98e67ed59e1d1-30a332e99ccmr2649966a91.12.1745981649188; Tue, 29 Apr 2025 19:54:09 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:08 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/14] libxml2: patch CVE-2025-32415 Date: Tue, 29 Apr 2025 19:53:32 -0700 Message-ID: <7777cd6b28988a0981b990d9da9d448dcdfe7b8b.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215698 From: Peter Marko Pick commit from 2.13 branch as 2.9 branch is unmaintained now. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2025-32415.patch | 39 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch new file mode 100644 index 0000000000..4f39bb824b --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32415.patch @@ -0,0 +1,39 @@ +From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 6 Apr 2025 12:41:11 +0200 +Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in + xmlSchemaIDCFillNodeTables + +Don't use local variable which could contain a stale value. + +Fixes #890. + +CVE: CVE-2025-32415 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84] +Signed-off-by: Peter Marko +--- + xmlschemas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 28b14bd4..428e3c82 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23607,7 +23607,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + j++; + } while (j < nbDupls); + } +- if (nbNodeTable) { ++ if (bind->nbNodes) { + j = 0; + do { + if (nbFields == 1) { +@@ -23657,7 +23657,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + + next_node_table_entry: + j++; +- } while (j < nbNodeTable); ++ } while (j < bind->nbNodes); + } + /* + * If everything is fine, then add the IDC target-node to diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index e281a39fd4..bd6dd88dee 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -38,6 +38,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2024-56171.patch \ file://CVE-2025-24928.patch \ file://CVE-2025-32414.patch \ + file://CVE-2025-32415.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Wed Apr 30 02:53:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62137 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41D26C3ABAC for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.8210.1745981651794505936 for ; Tue, 29 Apr 2025 19:54:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=l44ZfB9Z; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-3081fe5987eso6446772a91.3 for ; Tue, 29 Apr 2025 19:54:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981651; x=1746586451; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=TN+HnO0mjM4osJm/o83W9d0py3Pb3VyKilP6+/D5ecc=; b=l44ZfB9ZD3B6AgSWtkAn/AsgbCKucB8iWbWWf03zI0ZdnP3JG7QnaC2ZmQpfEloNBV 7L5/HRtINx4LpmAOHtMmVlF4Q9MJdlJJc0Eq+vAS2dgDt/c+UJO0wpQ5Ru2hc2tEwtou M2ZBP19u480fTzZ1DoRRdDlWM1gC+P2Y9GUM+UhhYBy1VtcW56VCU564RV71O0ICbIRc RuK+MsqkTdX9h2AGpZu5IdcKtS+kJEb0ljL72p7Dglg9F9Nz11ZQPY/mvPjqfR3Y4rCX Pcl+gydgYLvxlQalxVosWEPebFIxS67gZroBuZdPE+5RhE2NuIt228ju1MdLbW72Zk0N x6qw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981651; x=1746586451; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TN+HnO0mjM4osJm/o83W9d0py3Pb3VyKilP6+/D5ecc=; b=tx7H12VhbEOIJKxoh8wSTd82oFnTUHxoKdWyeIp5WmxVV3JncewTjJFpyYl/SlX1K0 SbICgQPYGyaKuOeN73JZTlHQshes/b8jOLKAh8cHmbr0sykbnezxPthx/N3WFXTr2pbm J/LtPVtXSpZ81lHnRULOUZiDGtI4IJgF1/3frjRD8IhnyD4z51V4S7XcjPhfJz2N2Nhr jXfPfTfNU5iyP3ohBQbmzg5Bb/7Hqj8KoTIoVpREBMXQJa4PHOihprEY1fe66JxAcUzP +ErVdfRedKIgC0l7ypWog+mevkLfASgm855A46MsyRbAciVdKwOJ2dXLfq87Il3t9hKr Lp5w== X-Gm-Message-State: AOJu0YwNxaecgfR5gC8cj34cRwhCrU+CIpM5dhp/eGnVvxKC129whlrN YPzNNkkknKzcipOy8iVZHQQFAc28bgYINdG/j+OkACh5mCpjpBjRTVgPM4+Q+8DLLGlKCUuT2Tp o X-Gm-Gg: ASbGncshuSAGiauzQx4GsEo9iQUQUt6p6y2Md2AAnrXIZD6RJA4nzfZhn0KHMGv0PN5 lCqXSQ44Rp/h9An/2mQ3h6pDDKmXt+wkbM+DtFdrk7mMZoaxjVf6gf1GVyJ4pFhal7xUbMvhWNj YZJDfaX4P082SUCWASd5e/PhWKZiGigNU+FTr3km+2RJSVvHE46uOUAXeHh4DZISLi3SVCmQz66 7gP9dvb/6xeR+AckOuy1BjL2TffnwWcetskSRZyzlx+8K0jHCyu6ZqhXo5pVZRdKrC8PxRjTPF5 Ge/ki2+bRfRvnBAbRvByZgzGibF+SPk= X-Google-Smtp-Source: AGHT+IGdweW3HSEEnnHgZVaq8I4OqWikXKYv/uA3QLOQso+U1jikZgjU/+zgpksNAKgz1LSpskZcHw== X-Received: by 2002:a17:90a:c888:b0:301:1d9f:4ba2 with SMTP id 98e67ed59e1d1-30a34450bdcmr1430887a91.28.1745981650766; Tue, 29 Apr 2025 19:54:10 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:10 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/14] glib-2.0: patch CVE-2025-3360 Date: Tue, 29 Apr 2025 19:53:33 -0700 Message-ID: <606cc539ab19ae2bceb366eda7d4872c3763400f.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215699 From: Peter Marko Backport commits from [1] fixing [2] for 2.82.x. [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499 [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647x Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../glib-2.0/glib-2.0/CVE-2025-3360-01.patch | 57 ++++++++++++++ .../glib-2.0/glib-2.0/CVE-2025-3360-02.patch | 53 +++++++++++++ .../glib-2.0/glib-2.0/CVE-2025-3360-03.patch | 36 +++++++++ .../glib-2.0/glib-2.0/CVE-2025-3360-04.patch | 76 +++++++++++++++++++ .../glib-2.0/glib-2.0/CVE-2025-3360-05.patch | 57 ++++++++++++++ .../glib-2.0/glib-2.0/CVE-2025-3360-06.patch | 50 ++++++++++++ meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 6 ++ 7 files changed, 335 insertions(+) create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch new file mode 100644 index 0000000000..91ea6c3748 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-01.patch @@ -0,0 +1,57 @@ +From fe6af80931c35fafc6a2cd0651b6de052d1bffae Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 16:44:58 +0000 +Subject: [PATCH 1/6] gdatetime: Fix integer overflow when parsing very long + ISO8601 inputs + +This will only happen with invalid (or maliciously invalid) potential +ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust +against that. + +Prevent `length` overflowing by correctly defining it as a `size_t`. +Similarly for `date_length`, but additionally track its validity in a +boolean rather than as its sign. + +Spotted by chamalsl as #YWH-PGM9867-43. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/fe6af80931c35fafc6a2cd0651b6de052d1bffae] +Signed-off-by: Peter Marko +--- + glib/gdatetime.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index ad9c190b6..b33db2c20 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1493,7 +1493,8 @@ parse_iso8601_time (const gchar *text, gsize length, + GDateTime * + g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz) + { +- gint length, date_length = -1; ++ size_t length, date_length = 0; ++ gboolean date_length_set = FALSE; + gint hour = 0, minute = 0; + gdouble seconds = 0.0; + GTimeZone *tz = NULL; +@@ -1504,11 +1505,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz) + /* Count length of string and find date / time separator ('T', 't', or ' ') */ + for (length = 0; text[length] != '\0'; length++) + { +- if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' ')) +- date_length = length; ++ if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' ')) ++ { ++ date_length = length; ++ date_length_set = TRUE; ++ } + } + +- if (date_length < 0) ++ if (!date_length_set) + return NULL; + + if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1), diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch new file mode 100644 index 0000000000..ca5ae2866c --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-02.patch @@ -0,0 +1,53 @@ +From 495c85278f9638fdf3ebf002c759e1bdccebaf2f Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 16:51:36 +0000 +Subject: [PATCH 2/6] gdatetime: Fix potential integer overflow in timezone + offset handling + +This one is much harder to trigger than the one in the previous commit, +but mixing `gssize` and `gsize` always runs the risk of the former +overflowing for very (very very) long input strings. + +Avoid that possibility by not using the sign of the `tz_offset` to +indicate its validity, and instead using the return value of the +function. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/495c85278f9638fdf3ebf002c759e1bdccebaf2f] +Signed-off-by: Peter Marko +--- + glib/gdatetime.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index b33db2c20..792c2ed15 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1342,8 +1342,10 @@ parse_iso8601_date (const gchar *text, gsize length, + return FALSE; + } + ++/* Value returned in tz_offset is valid if and only if the function return value ++ * is non-NULL. */ + static GTimeZone * +-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset) ++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + { + gint i, tz_length, offset_hours, offset_minutes; + gint offset_sign = 1; +@@ -1411,11 +1413,11 @@ static gboolean + parse_iso8601_time (const gchar *text, gsize length, + gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz) + { +- gssize tz_offset = -1; ++ size_t tz_offset = 0; + + /* Check for timezone suffix */ + *tz = parse_iso8601_timezone (text, length, &tz_offset); +- if (tz_offset >= 0) ++ if (*tz != NULL) + length = tz_offset; + + /* hh:mm:ss(.sss) */ diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch new file mode 100644 index 0000000000..25eb0c6fdd --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-03.patch @@ -0,0 +1,36 @@ +From 5e8a3c19fcad2936dc5e070cf0767a5c5af907c5 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 16:55:18 +0000 +Subject: [PATCH 3/6] gdatetime: Track timezone length as an unsigned size_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It’s guaranteed to be in (0, length] by the calculations above. + +This avoids the possibility of integer overflow through `gssize` not +being as big as `size_t`. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/5e8a3c19fcad2936dc5e070cf0767a5c5af907c5] +Signed-off-by: Peter Marko +--- + glib/gdatetime.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index 792c2ed15..6335bcbe2 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1347,7 +1347,8 @@ parse_iso8601_date (const gchar *text, gsize length, + static GTimeZone * + parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + { +- gint i, tz_length, offset_hours, offset_minutes; ++ size_t tz_length; ++ gint i, offset_hours, offset_minutes; + gint offset_sign = 1; + GTimeZone *tz; + diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch new file mode 100644 index 0000000000..e62604d600 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-04.patch @@ -0,0 +1,76 @@ +From 804a3957720449dcfac601da96bd5f5db2b71ef1 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 17:07:24 +0000 +Subject: [PATCH 4/6] gdatetime: Factor out some string pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Makes the following code a little clearer, but doesn’t introduce any +functional changes. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/804a3957720449dcfac601da96bd5f5db2b71ef1] +Signed-off-by: Peter Marko +--- + glib/gdatetime.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index 6335bcbe2..de5dd7af0 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1351,6 +1351,7 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + gint i, offset_hours, offset_minutes; + gint offset_sign = 1; + GTimeZone *tz; ++ const char *tz_start; + + /* UTC uses Z suffix */ + if (length > 0 && text[length - 1] == 'Z') +@@ -1368,34 +1369,35 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + } + if (i < 0) + return NULL; ++ tz_start = text + i; + tz_length = length - i; + + /* +hh:mm or -hh:mm */ +- if (tz_length == 6 && text[i+3] == ':') ++ if (tz_length == 6 && tz_start[3] == ':') + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) || +- !get_iso8601_int (text + i + 4, 2, &offset_minutes)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) || ++ !get_iso8601_int (tz_start + 4, 2, &offset_minutes)) + return NULL; + } + /* +hhmm or -hhmm */ + else if (tz_length == 5) + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) || +- !get_iso8601_int (text + i + 3, 2, &offset_minutes)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) || ++ !get_iso8601_int (tz_start + 3, 2, &offset_minutes)) + return NULL; + } + /* +hh or -hh */ + else if (tz_length == 3) + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours)) + return NULL; + offset_minutes = 0; + } + else + return NULL; + +- *tz_offset = i; +- tz = g_time_zone_new_identifier (text + i); ++ *tz_offset = tz_start - text; ++ tz = g_time_zone_new_identifier (tz_start); + + /* Double-check that the GTimeZone matches our interpretation of the timezone. + * This can fail because our interpretation is less strict than (for example) diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch new file mode 100644 index 0000000000..4d633aaba0 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-05.patch @@ -0,0 +1,57 @@ +From 4c56ff80344e0d8796eb2307091f7b24ec198aa9 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 17:28:33 +0000 +Subject: [PATCH 5/6] gdatetime: Factor out an undersized variable + +For long input strings, it would have been possible for `i` to overflow. +Avoid that problem by using the `tz_length` instead, so that we count up +rather than down. + +This commit introduces no functional changes (outside of changing +undefined behaviour), and can be verified using the identity +`i === length - tz_length`. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/4c56ff80344e0d8796eb2307091f7b24ec198aa9] +Signed-off-by: Peter Marko +--- + glib/gdatetime.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index de5dd7af0..2f8c864a1 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1348,7 +1348,7 @@ static GTimeZone * + parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + { + size_t tz_length; +- gint i, offset_hours, offset_minutes; ++ gint offset_hours, offset_minutes; + gint offset_sign = 1; + GTimeZone *tz; + const char *tz_start; +@@ -1361,16 +1361,15 @@ parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + } + + /* Look for '+' or '-' of offset */ +- for (i = length - 1; i >= 0; i--) +- if (text[i] == '+' || text[i] == '-') ++ for (tz_length = 1; tz_length <= length; tz_length++) ++ if (text[length - tz_length] == '+' || text[length - tz_length] == '-') + { +- offset_sign = text[i] == '-' ? -1 : 1; ++ offset_sign = text[length - tz_length] == '-' ? -1 : 1; + break; + } +- if (i < 0) ++ if (tz_length > length) + return NULL; +- tz_start = text + i; +- tz_length = length - i; ++ tz_start = text + length - tz_length; + + /* +hh:mm or -hh:mm */ + if (tz_length == 6 && tz_start[3] == ':') diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch new file mode 100644 index 0000000000..2452b69e2e --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-3360-06.patch @@ -0,0 +1,50 @@ +From 7f6d81130ec05406a8820bc753ed03859e88daea Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 18 Feb 2025 18:20:56 +0000 +Subject: [PATCH 6/6] tests: Add some missing GDateTime ISO8601 parsing tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This improves test coverage, adding coverage for some lines which I +spotted were not covered while testing the preceding commits. + +It doesn’t directly test the preceding commits, though. + +Signed-off-by: Philip Withnall + +CVE: CVE-2025-3360 +Upstream-Status: Backport [https://github.com/GNOME/glib/commit/7f6d81130ec05406a8820bc753ed03859e88daea] +Signed-off-by: Peter Marko +--- + glib/tests/gdatetime.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/glib/tests/gdatetime.c b/glib/tests/gdatetime.c +index 9e1acd097..94dd028a3 100644 +--- a/glib/tests/gdatetime.c ++++ b/glib/tests/gdatetime.c +@@ -857,6 +857,23 @@ test_GDateTime_new_from_iso8601 (void) + * NaN */ + dt = g_date_time_new_from_iso8601 ("0005306 000001,666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666600080000-00", NULL); + g_assert_null (dt); ++ ++ /* Various invalid timezone offsets which look like they could be in ++ * `+hh:mm`, `-hh:mm`, `+hhmm`, `-hhmm`, `+hh` or `-hh` format */ ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01:xx", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:00", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx:xx", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+01xx", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx00", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xxxx", NULL); ++ g_assert_null (dt); ++ dt = g_date_time_new_from_iso8601 ("2025-02-18T18:14:00+xx", NULL); ++ g_assert_null (dt); + } + + typedef struct { diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index b8c75eaa49..cebd84dd50 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -54,6 +54,12 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://gdatetime-test-fail-0001.patch \ file://gdatetime-test-fail-0002.patch \ file://gdatetime-test-fail-0003.patch \ + file://CVE-2025-3360-01.patch \ + file://CVE-2025-3360-02.patch \ + file://CVE-2025-3360-03.patch \ + file://CVE-2025-3360-04.patch \ + file://CVE-2025-3360-05.patch \ + file://CVE-2025-3360-06.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch" From patchwork Wed Apr 30 02:53:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62134 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4555AC3ABAD for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.8211.1745981652995869095 for ; Tue, 29 Apr 2025 19:54:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=VFVFKy5D; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-22423adf751so68136185ad.2 for ; Tue, 29 Apr 2025 19:54:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981652; x=1746586452; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mysJHprIr3k236125K9uYFA/ww1PTdCAwfeUTzO+Zxo=; b=VFVFKy5DWe1aC8QX545oM5J/pfTuntmOZ9Ul3RNo6wqyej/mmW11csXK1rKCwLT5Yb kGUZzAKjtZevwIxy9ENoPodem6962z4VwQPmvuc8WVjuVnvCwXZ76FKF+PEVXy2mmwYm mfergekAoitEzHTCYdHuguPu/4HZ6EhCsidyyyTPhcC7FB8SS1+B8Fbvbsh3NVGSisBP m2fy6MsK8P1CmI2VrR6zB+nq6xAJbWt1bB5Us3MRNS6xgdRCSQowzKKVmEEmh/xgeymA LyHX2N+DJp3QgOXNsLSF2bDqI2/NhfJGVtwyu69l5fu5eeZOd+8Fr1Z4iFkXRiybUId9 nqVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981652; x=1746586452; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mysJHprIr3k236125K9uYFA/ww1PTdCAwfeUTzO+Zxo=; b=UjLal/Aa42IDllUVwaVWHFcwrLnpMG4feIGu8i1y1a4v+xEjSh6cSQ9G86gP63s8tD TuY8qE08Bujl+X+8I5QPNIcSUcLFFVHPah5jzIRBHMX/8rYEhTn1dPTgcYe3lVTOYqxf FvJGCQSXNoFQFb79JpScSiqnlqFl2UmHXXiUUb6C2EHkKM7aDzjN9+9DYtPNmHFdaB9E NO5RHCpHIaY71vAjXyMj5vqAQlyX7PRxHCSeSQDGUpVgq1ChKs/koNRFaTbVzqqagZyQ Va3NX7PlYvNntuR17KIBTBfv0V5YVfyZDSaP0kSqs7jX0zoYe2XWHrGMD2QlFhPLp4nH PNRw== X-Gm-Message-State: AOJu0YwNz3ANXDNzytYQcve7SjYnawIarimDwIjVDHtJqhWzace9sfiN OPMnK+oRjfFWTA+GYwf/gxu92GEpNYTWrj0TA2eJFH889sd0+epjyR/1ckxHn6+BTpR1dm5ULTq D X-Gm-Gg: ASbGncsPBRYgy89IB9kGX5DuXAT7pDJJfOjkHnhV4qTCgZpFyTiKNDU97SkzHiF0ECY a5gG1/KENMnURhfYyQvtaiq5yO2jSGXthNxTOP/fjrVQTYGgpFZc957D04PQr1GCT+Fdq/fn43I xHVGlt1tEcIA5cN3TQGKXphDW4Cr3vG94jQ3ER5uOXBH9GKFVsQJuIiv5WafRMuz8ziZ3h/XG9U PA+VHBS5b3hun70bFtkmXbT8TR9pYUJ3AbJEWqbusUZJkGL53olks2PAa+zxoKMrFXAlQPxXtcI 9BGTPMoWOP8L8z5cQDYK/iZGBXQN3V0M8yYMO2aYlw== X-Google-Smtp-Source: AGHT+IHTr6hclmnAY2AQbqa+PHbSVrz8HXV3ioGYX/Y+uVl4nzDcVPyyhcrLufSTeDyeUEEWvB02zA== X-Received: by 2002:a17:903:18b:b0:220:c911:3f60 with SMTP id d9443c01a7336-22df35ca8a0mr21740775ad.47.1745981652268; Tue, 29 Apr 2025 19:54:12 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:11 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/14] binutils: Fix CVE-2025-1178 Date: Tue, 29 Apr 2025 19:53:34 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215700 From: Deepesh Varatharajan Prevent an abort in the bfd linker when attempting to generate dynamic relocs for a corrupt input file. PR 32638 Backport a patch from upstream to fix CVE-2025-1178 Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0] Signed-off-by: Deepesh Varatharajan Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.38.inc | 1 + .../binutils/0039-CVE-2025-1178.patch | 33 +++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 26d0b570f3..82dd5c9eb6 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -73,5 +73,6 @@ SRC_URI = "\ file://0036-CVE-2023-39130.patch \ file://0037-CVE-2024-53589.patch \ file://0038-CVE-2025-0840.patch \ + file://0039-CVE-2025-1178.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch b/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch new file mode 100644 index 0000000000..9d2054abab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0039-CVE-2025-1178.patch @@ -0,0 +1,33 @@ +From 75086e9de1707281172cc77f178e7949a4414ed0 Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Wed, 5 Feb 2025 13:26:51 +0000 +Subject: [PATCH] Prevent an abort in the bfd linker when attempting to + generate dynamic relocs for a corrupt input file. + +PR 32638 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0] +CVE: CVE-2025-1178 + +Signed-off-by: Deepesh Varatharajan + +diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c +index 970379de..cbd16abc 100644 +--- a/bfd/elf64-x86-64.c ++++ b/bfd/elf64-x86-64.c +@@ -4575,6 +4575,15 @@ elf_x86_64_finish_dynamic_symbol (bfd *output_bfd, + + if (generate_dynamic_reloc) + { ++ /* If the relgot section has not been created, then ++ generate an error instead of a reloc. cf PR 32638. */ ++ if (relgot == NULL || relgot->size == 0) ++ { ++ info->callbacks->einfo (_("%F%pB: Unable to generate dynamic relocs because a suitable section does not exist\n"), ++ output_bfd); ++ return false; ++ } ++ + if (relative_reloc_name != NULL + && htab->params->report_relative_reloc) + _bfd_x86_elf_link_report_relative_reloc From patchwork Wed Apr 30 02:53:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62138 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49AFEC3ABA5 for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web11.8212.1745981655051071960 for ; Tue, 29 Apr 2025 19:54:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=VU/ovdsO; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-301e05b90caso7414950a91.2 for ; Tue, 29 Apr 2025 19:54:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981654; x=1746586454; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=SA4Twf49ePQX/NU+0v7d6FEB87cF12hFE7Kh4mmF0/c=; b=VU/ovdsON5HK+ycXdrFGzQ56f4KC6kQy3MG5S3UpHJJGJ4WlWD6LKZBtkapcLCrBjW /amux6wxPCx6DKkiV6BwW0GWC3zSQ61MFC5GCOazY06NrXWJGphbvWKQTJeDuGsybqX1 5jJZ3hLsEIsJCvKcQd+nSyOvHGhCOryMp0ZuLcYpNiWsFQauTGY/n6myNS9fFCOUU9Ka HWArGB2bTM800Svy7szZiZtV2g3xBhuj17QrmzRwZYZ3fkSURNCjxhgQr2KAy5JcX+k9 Tn9b6AEFE1qi66BvPNU74RSpLRtybvMX3DF7Hf/zQ6g8nZT3OvN41mCzr53skRhmbM4h DkOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981654; x=1746586454; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SA4Twf49ePQX/NU+0v7d6FEB87cF12hFE7Kh4mmF0/c=; b=bHT67Ka1l/aL8TEv0ZtPRXzmfsk097tx4VhkvquPAv5cUAFQHPMsg/FTt/NYmtILGt v2Sb2b0Xa21uFO8FyuJcou7IpJYVlY5GzU35YgjiEvL5NQiBUuln2IyT4hicInDgkKBZ tsdDchl1DmXFyVS/GBwe+wguXEsrCUm3bakqOIOrMAgUPSvsO9PuftR38l+ErDADHSl4 R5xmRMnwX47T7m+PfX7YirytXZYNStzGEGXDMdbltr/ieAPoxW9QcDOzuUvbgn2AvcOH wMW8MXZgHu5UON++mfYEvFysF+jktZiChNa9icdNt8biFZxC1PSLDAsDrE/FNAy96zPP 2z2g== X-Gm-Message-State: AOJu0YzJWRI5VBY8yW6RQ1Hf9ubK3HSmLVSq5goK2MmZMK1zHQgtC54e cZXabtorN/qhARn0QEYBu9n1MVu5rm2gwsWLiCwbXuFcO0rPthZDsBjECd7pnjXGheqGCSRYAfY l X-Gm-Gg: ASbGncuy5ggFXzbr3KreHWxuYqXKIuE25+O3MV26Jq7+hbO6R4Wplo2dhCQnEolkUnb p0HEVe/hfuA5HVvgiRfxsJJZdmp+W2rpnBdjeuwjAZdiInqhTIAUAgabUH40n6MTKJyTEkBg1vb bitxYHZ/3Vwbq/fSuq6UZ3OLqtfIpyzT1V2TBeZBjRFrEBljUWWzH65kEe3wAT3fpiVaPv9bmv6 lxsD13AWe/Qqn3hpYPSWfy1Fnh/IRq+QIGK0cWQRVDzGHXljUdK4JBbn++amo///IJN4KHIMEKe VVddGTu0sfcYZrKFxDDcELAUMf2VpzybPU6yK5lepw== X-Google-Smtp-Source: AGHT+IES06KVI127F5OP9N80154q9CW14wrhuSrO8tuHmR3OIrNRHl72FGHYUbxz3NY3mA5WdMWTPQ== X-Received: by 2002:a17:90b:568d:b0:2ee:b8ac:73b0 with SMTP id 98e67ed59e1d1-30a343eb192mr1512598a91.2.1745981653798; Tue, 29 Apr 2025 19:54:13 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:13 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/14] python3-setuptools: Fix CVE-2024-6345 Date: Tue, 29 Apr 2025 19:53:35 -0700 Message-ID: <238c305ba2c513a070818de4b6ad4316b54050a7.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215701 From: Soumya Sambu A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6345 https://ubuntu.com/security/CVE-2024-6345 Upstream patch: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../python3-setuptools/CVE-2024-6345.patch | 353 ++++++++++++++++++ .../python/python3-setuptools_59.5.0.bb | 1 + 2 files changed, 354 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch new file mode 100644 index 0000000000..958ddf559b --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch @@ -0,0 +1,353 @@ +From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001 +From: Jason R. Coombs +Date: Mon Apr 29 20:01:38 2024 -0400 +Subject: [PATCH] Merge pull request #4332 from pypa/debt/package-index-vcs + +Modernize package_index VCS handling + +Source: https://git.launchpad.net/ubuntu/+source/setuptools/tree/debian/patches/CVE-2024-6345.patch?h=applied/ubuntu/jammy-devel + +CVE: CVE-2024-6345 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0] + +Note: Cannot do exact upstream patch backport as the code changed. + +Signed-off-by: Soumya Sambu +--- + setup.cfg | 1 + + setuptools/package_index.py | 145 +++++++++++++++----------- + setuptools/tests/test_packageindex.py | 78 +++++++------- + 3 files changed, 123 insertions(+), 101 deletions(-) + +diff --git a/setup.cfg b/setup.cfg +index 0bc0101..b8585d7 100644 +--- a/setup.cfg ++++ b/setup.cfg +@@ -56,6 +56,7 @@ testing = + jaraco.envs>=2.2 + pytest-xdist + sphinx ++ pytest-subprocess + jaraco.path>=3.2.0 + docs = + sphinx +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index e93fcc6..3a893df 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -1,5 +1,6 @@ + """PyPI and direct package downloading""" + import sys ++import subprocess + import os + import re + import io +@@ -566,7 +567,7 @@ class PackageIndex(Environment): + scheme = URL_SCHEME(spec) + if scheme: + # It's a url, download it to tmpdir +- found = self._download_url(scheme.group(1), spec, tmpdir) ++ found = self._download_url(spec, tmpdir) + base, fragment = egg_info_for_url(spec) + if base.endswith('.py'): + found = self.gen_setup(found, fragment, tmpdir) +@@ -785,7 +786,7 @@ class PackageIndex(Environment): + raise DistutilsError("Download error for %s: %s" + % (url, v)) from v + +- def _download_url(self, scheme, url, tmpdir): ++ def _download_url(self, url, tmpdir): + # Determine download filename + # + name, fragment = egg_info_for_url(url) +@@ -800,19 +801,57 @@ class PackageIndex(Environment): + + filename = os.path.join(tmpdir, name) + +- # Download the file +- # +- if scheme == 'svn' or scheme.startswith('svn+'): +- return self._download_svn(url, filename) +- elif scheme == 'git' or scheme.startswith('git+'): +- return self._download_git(url, filename) +- elif scheme.startswith('hg+'): +- return self._download_hg(url, filename) +- elif scheme == 'file': +- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2]) +- else: +- self.url_ok(url, True) # raises error if not allowed +- return self._attempt_download(url, filename) ++ return self._download_vcs(url, filename) or self._download_other(url, filename) ++ ++ @staticmethod ++ def _resolve_vcs(url): ++ """ ++ >>> rvcs = PackageIndex._resolve_vcs ++ >>> rvcs('git+http://foo/bar') ++ 'git' ++ >>> rvcs('hg+https://foo/bar') ++ 'hg' ++ >>> rvcs('git:myhost') ++ 'git' ++ >>> rvcs('hg:myhost') ++ >>> rvcs('http://foo/bar') ++ """ ++ scheme = urllib.parse.urlsplit(url).scheme ++ pre, sep, post = scheme.partition('+') ++ # svn and git have their own protocol; hg does not ++ allowed = set(['svn', 'git'] + ['hg'] * bool(sep)) ++ return next(iter({pre} & allowed), None) ++ ++ def _download_vcs(self, url, spec_filename): ++ vcs = self._resolve_vcs(url) ++ if not vcs: ++ return ++ if vcs == 'svn': ++ return self._download_svn(url, spec_filename) ++ ++ filename, _, _ = spec_filename.partition('#') ++ url, rev = self._vcs_split_rev_from_url(url) ++ ++ self.info(f"Doing {vcs} clone from {url} to {filename}") ++ subprocess.check_call([vcs, 'clone', '--quiet', url, filename]) ++ ++ co_commands = dict( ++ git=[vcs, '-C', filename, 'checkout', '--quiet', rev], ++ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'], ++ ) ++ if rev is not None: ++ self.info(f"Checking out {rev}") ++ subprocess.check_call(co_commands[vcs]) ++ ++ return filename ++ ++ def _download_other(self, url, filename): ++ scheme = urllib.parse.urlsplit(url).scheme ++ if scheme == 'file': # pragma: no cover ++ return urllib.request.url2pathname(urllib.parse.urlparse(url).path) ++ # raise error if not allowed ++ self.url_ok(url, True) ++ return self._attempt_download(url, filename) + + def scan_url(self, url): + self.process_url(url, True) +@@ -842,7 +881,7 @@ class PackageIndex(Environment): + def _download_svn(self, url, filename): + warnings.warn("SVN download support is deprecated", UserWarning) + url = url.split('#', 1)[0] # remove any fragment for svn's sake +- creds = '' ++ creds = [] + if url.lower().startswith('svn:') and '@' in url: + scheme, netloc, path, p, q, f = urllib.parse.urlparse(url) + if not netloc and path.startswith('//') and '/' in path[2:]: +@@ -851,65 +890,49 @@ class PackageIndex(Environment): + if auth: + if ':' in auth: + user, pw = auth.split(':', 1) +- creds = " --username=%s --password=%s" % (user, pw) ++ creds.extend(["--username", user, "--password", pw]) + else: +- creds = " --username=" + auth ++ creds.extend(["--username", auth]) + netloc = host + parts = scheme, netloc, url, p, q, f + url = urllib.parse.urlunparse(parts) + self.info("Doing subversion checkout from %s to %s", url, filename) +- os.system("svn checkout%s -q %s %s" % (creds, url, filename)) ++ cmd = ["svn", "checkout", "-q"] + creds + [url, filename] ++ subprocess.check_call(cmd) ++ + return filename + + @staticmethod +- def _vcs_split_rev_from_url(url, pop_prefix=False): +- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url) ++ def _vcs_split_rev_from_url(url): ++ """ ++ Given a possible VCS URL, return a clean URL and resolved revision if any. ++ ++ >>> vsrfu = PackageIndex._vcs_split_rev_from_url ++ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools') ++ ('https://github.com/pypa/setuptools', 'v69.0.0') ++ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools') ++ ('https://github.com/pypa/setuptools', None) ++ >>> vsrfu('http://foo/bar') ++ ('http://foo/bar', None) ++ """ ++ parts = urllib.parse.urlsplit(url) + +- scheme = scheme.split('+', 1)[-1] ++ clean_scheme = parts.scheme.split('+', 1)[-1] + + # Some fragment identification fails +- path = path.split('#', 1)[0] +- +- rev = None +- if '@' in path: +- path, rev = path.rsplit('@', 1) ++ no_fragment_path, _, _ = parts.path.partition('#') + +- # Also, discard fragment +- url = urllib.parse.urlunsplit((scheme, netloc, path, query, '')) ++ pre, sep, post = no_fragment_path.rpartition('@') ++ clean_path, rev = (pre, post) if sep else (post, None) + +- return url, rev +- +- def _download_git(self, url, filename): +- filename = filename.split('#', 1)[0] +- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True) +- +- self.info("Doing git clone from %s to %s", url, filename) +- os.system("git clone --quiet %s %s" % (url, filename)) +- +- if rev is not None: +- self.info("Checking out %s", rev) +- os.system("git -C %s checkout --quiet %s" % ( +- filename, +- rev, +- )) ++ resolved = parts._replace( ++ scheme=clean_scheme, ++ path=clean_path, ++ # discard the fragment ++ fragment='', ++ ).geturl() + +- return filename +- +- def _download_hg(self, url, filename): +- filename = filename.split('#', 1)[0] +- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True) +- +- self.info("Doing hg clone from %s to %s", url, filename) +- os.system("hg clone --quiet %s %s" % (url, filename)) +- +- if rev is not None: +- self.info("Updating to %s", rev) +- os.system("hg --cwd %s up -C -r %s -q" % ( +- filename, +- rev, +- )) +- +- return filename ++ return resolved, rev + + def debug(self, msg, *args): + log.debug(msg, *args) +diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py +index 8e9435e..cc7e86c 100644 +--- a/setuptools/tests/test_packageindex.py ++++ b/setuptools/tests/test_packageindex.py +@@ -6,7 +6,6 @@ import urllib.request + import urllib.error + import http.client + +-import mock + import pytest + + import setuptools.package_index +@@ -193,61 +192,60 @@ class TestPackageIndex: + assert dists[0].version == '' + assert dists[1].version == vc + +- def test_download_git_with_rev(self, tmpdir): ++ def test_download_git_with_rev(self, tmp_path, fp): + url = 'git+https://github.example/group/project@master#egg=foo' + index = setuptools.package_index.PackageIndex() + +- with mock.patch("os.system") as os_system_mock: +- result = index.download(url, str(tmpdir)) ++ expected_dir = tmp_path / 'project@master' ++ fp.register([ ++ 'git', ++ 'clone', ++ '--quiet', ++ 'https://github.example/group/project', ++ expected_dir, ++ ]) ++ fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master']) + +- os_system_mock.assert_called() ++ result = index.download(url, tmp_path) + +- expected_dir = str(tmpdir / 'project@master') +- expected = ( +- 'git clone --quiet ' +- 'https://github.example/group/project {expected_dir}' +- ).format(**locals()) +- first_call_args = os_system_mock.call_args_list[0][0] +- assert first_call_args == (expected,) ++ assert result == str(expected_dir) ++ assert len(fp.calls) == 2 + +- tmpl = 'git -C {expected_dir} checkout --quiet master' +- expected = tmpl.format(**locals()) +- assert os_system_mock.call_args_list[1][0] == (expected,) +- assert result == expected_dir +- +- def test_download_git_no_rev(self, tmpdir): ++ def test_download_git_no_rev(self, tmp_path, fp): + url = 'git+https://github.example/group/project#egg=foo' + index = setuptools.package_index.PackageIndex() + +- with mock.patch("os.system") as os_system_mock: +- result = index.download(url, str(tmpdir)) +- +- os_system_mock.assert_called() ++ expected_dir = tmp_path / 'project' ++ fp.register([ ++ 'git', ++ 'clone', ++ '--quiet', ++ 'https://github.example/group/project', ++ expected_dir, ++ ]) ++ result = index.download(url, tmp_path) + +- expected_dir = str(tmpdir / 'project') +- expected = ( +- 'git clone --quiet ' +- 'https://github.example/group/project {expected_dir}' +- ).format(**locals()) +- os_system_mock.assert_called_once_with(expected) ++ assert result == str(expected_dir) ++ assert len(fp.calls) == 1 + +- def test_download_svn(self, tmpdir): ++ def test_download_svn(self, tmp_path, fp): + url = 'svn+https://svn.example/project#egg=foo' + index = setuptools.package_index.PackageIndex() + +- with pytest.warns(UserWarning): +- with mock.patch("os.system") as os_system_mock: +- result = index.download(url, str(tmpdir)) +- +- os_system_mock.assert_called() ++ expected_dir = tmp_path / 'project' ++ fp.register([ ++ 'svn', ++ 'checkout', ++ '-q', ++ 'svn+https://svn.example/project', ++ expected_dir, ++ ]) + +- expected_dir = str(tmpdir / 'project') +- expected = ( +- 'svn checkout -q ' +- 'svn+https://svn.example/project {expected_dir}' +- ).format(**locals()) +- os_system_mock.assert_called_once_with(expected) ++ with pytest.warns(UserWarning, match="SVN download support is deprecated"): ++ result = index.download(url, tmp_path) + ++ assert result == str(expected_dir) ++ assert len(fp.calls) == 1 + + class TestContentCheckers: + def test_md5(self): +-- +2.40.0 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index 5f2676a04a..0c0f1e9d81 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -12,6 +12,7 @@ SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ + file://CVE-2024-6345.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" From patchwork Wed Apr 30 02:53:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62132 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37C3CC369DC for ; Wed, 30 Apr 2025 02:54:17 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web10.8290.1745981656914653269 for ; Tue, 29 Apr 2025 19:54:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=IvTXqZZ9; spf=softfail (domain: sakoman.com, ip: 209.85.215.177, mailfrom: steve@sakoman.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-b0db0b6a677so6677270a12.2 for ; Tue, 29 Apr 2025 19:54:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981656; x=1746586456; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=On4+AvefXgEbv845OyDzC6KQoiXavoVdDgY224a0T1I=; b=IvTXqZZ9A+NB65PuDCSPJw5UGt/LdqxZOLicnS8JmhiyCx+ILCngfBDEf4//ltB2RJ et6/VG5gUUpfsnPkbnwHtM4RykEL7iaq4/UlGzh0OnLvQqp5zxCmsO+BLWKNsaB/SlV3 9ieAnT3lmg8qbYh5XcEwpMx+sZrJDd7kL+/fjPlTte++uiUdondzPm2k7xWNEmp4+px/ Q32mV98i4gF9gun33L0MnqhbXGLBLmgNVgr1L0YcgTFwzS0qEAHdrmU4ifBCYvu+sBYk SksEaoNhM2zFBqeTOM06xagnYCLMGbMvxjBAgSKWeUHYQCeeD6oulYhqNLtGjAKPPWuo ospQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981656; x=1746586456; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=On4+AvefXgEbv845OyDzC6KQoiXavoVdDgY224a0T1I=; b=kzrvuEat3YD+ehJR6w6cHrBwkaqYxABQRrZvYpY7FkbnlZRq/PBPIHCFXhoUBLRlBj +cIRNt/FG2I4mXCxzZonkns9GiXMcZmXCk9hFhh6/cemiKhFSPHdcNjPEGKtZm/ta/pQ eceAlcNkBS6uT77y8jHJ1ZmvW6svbDdOWRadV/N16x42EQy4/RPKbNLWg6cYqjhjjWFA rpsacyup5rNoEPi86sqCtsh3S4SUUp3GDY4UJbt3O1E9MuqwyQYyApgLMrIlwp8vGzY/ YJfmW++JN4F4VPRF92Rkf/4W8wmVsDpy2MtA+3wQVWvFlFb2aWSbsqtaS206h84rgzrT i/gw== X-Gm-Message-State: AOJu0Yx7sfw0lz/HjsQeC5/z8hbB39i+MmUChgn5mwwseq9tVhbZvP8o bdABvWb0TnJ6KTgFcjucKxgiJLeApFjCxM5OGqJLTLSKcyW2esiix1Ep5mX1kUZRaKyLRDisQRI g X-Gm-Gg: ASbGncu9SQ4VZAMK+SnTTjExcKyaPJ+DgRNXSr6PJV6ukSn2V0unhuilbo+CWlLD65q QSzk1NuocKYgZ1kavWAA1rlxr0hk7FPx0+MPp533qTdsCDrn+LotUglEFz5kkphFao/C52Drvk3 Tx0FKK4+LyKL/o9SCizTsIyblz6OuwO7CTjiokwBwusKBXdNDJlRxtKIDyKzz6vbQtnKX6bUWVy LXfe3FSpyd4Yy61lMDYB4c6apZz7mD/77R+BDLWkfe7zZ9ujEqNFrZG9Hg9iujXv2P91uD4f9UR IMyvkAMs1GsUW69oDqFf4k9Od6d1vKA= X-Google-Smtp-Source: AGHT+IEmoSPULpsN0S6MHQ8oMo1abQ2ztiaZiIM9CWTCX7x1uDWpdKZzYRqP+YA7RLZYsVC9kC2lyQ== X-Received: by 2002:a17:90b:2e4a:b0:2ee:d024:e4fc with SMTP id 98e67ed59e1d1-30a3336490bmr2578805a91.33.1745981655497; Tue, 29 Apr 2025 19:54:15 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:15 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/14] tzdata/tzcode-native: upgrade 2025a -> 2025b Date: Tue, 29 Apr 2025 19:53:36 -0700 Message-ID: <2568f7ce707d63df1f98b3eeec6639d7a5a2d642.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215702 From: Priyal Doshi Signed-off-by: Priyal Doshi Signed-off-by: Steve Sakoman --- meta/recipes-extended/timezone/timezone.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc index 3fe6c3142b..bb81d77ccc 100644 --- a/meta/recipes-extended/timezone/timezone.inc +++ b/meta/recipes-extended/timezone/timezone.inc @@ -6,7 +6,7 @@ SECTION = "base" LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2025a" +PV = "2025b" SRC_URI =" https://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \ https://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \ @@ -16,5 +16,5 @@ S = "${WORKDIR}/tz" UPSTREAM_CHECK_URI = "https://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "119679d59f76481eb5e03d3d2a47d7870d592f3999549af189dbd31f2ebf5061" -SRC_URI[tzdata.sha256sum] = "4d5fcbc72c7c450ebfe0b659bd0f1c02fbf52fd7f517a9ea13fe71c21eb5f0d0" +SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec" +SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474" From patchwork Wed Apr 30 02:53:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62140 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 572EAC3ABAA for ; Wed, 30 Apr 2025 02:54:27 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.web10.8291.1745981657825528852 for ; Tue, 29 Apr 2025 19:54:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=MnOIlLE4; spf=softfail (domain: sakoman.com, ip: 209.85.216.51, mailfrom: steve@sakoman.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-301a4d5156aso9320724a91.1 for ; Tue, 29 Apr 2025 19:54:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981657; x=1746586457; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6NmgpNueJyRmyWZ3mRJdK3/PU1Rsx+wCEbaQ1tHuMtk=; b=MnOIlLE4x7FbuMes/3k8+xBV+gsQtA04my2ota5hXF7UULU7nh6DPGyKqRAPq1IdRc gE+qZY6CU6VPrMYzbp8/O1U5fYWVNMUhAlevLcMDQ8GKLHXREmCm4Nf3PiqKFFwCacsV eyWRAYYXG7YjR2/Enrg5LrxkvHy/6Tt8COAdT1oao30EUpO9fUyN1++bmpQWzL1U+cI6 YQNqmnmciHkAGO7IEhM0caxfNutC/Ayph1ny6lgYOrU347TlhtSVPiuPtUG1CmdbaTMh Lm6QJd7H0Vd2XXNgL20oMd0EMEQjsJkC1/R1WOwD3QARVSUU78DcrX8CESrrTJkKf0oT HgBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981657; x=1746586457; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6NmgpNueJyRmyWZ3mRJdK3/PU1Rsx+wCEbaQ1tHuMtk=; b=BeQYNU/rNLYL5XrwHctc0Kt6GOM3OPfR5h1tWlitZufm7ANRWqSxTYORjETYlgnKRr 91TiTOUqHedE4K8I/+8RaTy31jxN0xe7nNrnJPekmmM9FjYafGuJsabI/sp/S1ib0j+F 4KTfo//O1fh6sPYn6mQs5YRgK3u1sPnjMbdd+T5OQf2D+2kNjal4ELCTOu/2F12u+MSr h+VIXY2bXmmOTdszwRrLkqN0LSbsagnF5G4TghCwZuHKp4bxTmeWGIVtTMA4S/0EUjnn bAJSZ58dQH+xQn00Xu7u5aXyQEINOeq5n6lcpAF4g21OA/p5rgk5ZAZoLiMqAqYIRHWp 7kjw== X-Gm-Message-State: AOJu0YzFn+8/uqlFAZT9ydxq0Oj0Ov+03sUzlQy79kXSRYBTeOvICDAr Oa50SHxTPMaq/tZIzd2+ESXHQziakjP6CYlRpJUmnXcTzD/GUX2uiBLbiA8226oSie6npStw05S 1 X-Gm-Gg: ASbGnctAYDfWk1obMuAhd9zLT/34OGRw0Gud2BNTlVrX6YwJC8sPiokJok3alaRqPQI PksWaQs1nfjzcN4zsGr2hhcNLwuvjY/Ov4JL41gx0g80CcxSwMNzVtaVFFmnVcwu06kRtJvAk5L XE2al3Pm36KWvO1Fme2H8gq5FGOopah1rOS2sY6kR4SQZIVqxFsFq6ba5U8KntFLyE4a/MTNqq5 5PNmHtENxadtx7qXZt4vli9ySQvv1jw/IiwNc7Ao2wRsOjvf4bUpOxgHkI9Ncsr6sjwm1rsgWLG 0LkOgHBBiA/t+cWqD5/GGCDihTx2XBnwopBqB3sVsA== X-Google-Smtp-Source: AGHT+IFfxJWbeyyCSqur3tI8XY/9Fg9CkGrtPwWpCiE7t4EpIja14Brq6THs9p6PTdfShxn5mQhOUg== X-Received: by 2002:a17:90b:1f8b:b0:2fe:a614:5cf7 with SMTP id 98e67ed59e1d1-30a332d5b79mr1880836a91.3.1745981656963; Tue, 29 Apr 2025 19:54:16 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:16 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/14] systemd: backport patch to fix journal issue Date: Tue, 29 Apr 2025 19:53:37 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215703 From: Chen Qi Backport a patch to fix systemd journal issue about sd_journal_next not behaving correctly after sd_journal_seek_tail. Signed-off-by: Chen Qi Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- ...journal_previous-next-return-0-at-HE.patch | 87 +++++++++++++++++++ meta/recipes-core/systemd/systemd_250.14.bb | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch diff --git a/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch b/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch new file mode 100644 index 0000000000..17e83448e3 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch @@ -0,0 +1,87 @@ +From e8d0681eb49697d91f277e2f9f4cff32a30b316c Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 5 Jul 2022 15:22:01 +0200 +Subject: [PATCH] journal: Make sd_journal_previous/next() return 0 at + HEAD/TAIL + +Currently, both these functions don't return 0 if we're at HEAD/TAIL +and move in the corresponding direction. Let's fix that. + +Replaces #23480 + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/977ad21b5b8f6323515297bd8995dcaaca0905df] + +[Rebased for v250] +Signed-off-by: Chen Qi +--- + src/journal/test-journal-interleaving.c | 4 ++++ + src/libsystemd/sd-journal/sd-journal.c | 8 ++++---- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/journal/test-journal-interleaving.c b/src/journal/test-journal-interleaving.c +index c543b87b69..f0ed1b4c74 100644 +--- a/src/journal/test-journal-interleaving.c ++++ b/src/journal/test-journal-interleaving.c +@@ -158,6 +158,7 @@ static void test_skip(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); ++ assert_ret(sd_journal_previous(j) == 0); + assert_ret(sd_journal_next(j)); + test_check_numbers_down(j, 4); + sd_journal_close(j); +@@ -166,6 +167,7 @@ static void test_skip(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); ++ assert_ret(sd_journal_next(j) == 0); + assert_ret(sd_journal_previous(j)); + test_check_numbers_up(j, 4); + sd_journal_close(j); +@@ -174,6 +176,7 @@ static void test_skip(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); ++ assert_ret(sd_journal_next(j) == 0); + assert_ret(r = sd_journal_previous_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_down(j, 4); +@@ -183,6 +186,7 @@ static void test_skip(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); ++ assert_ret(sd_journal_previous(j) == 0); + assert_ret(r = sd_journal_next_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_up(j, 4); +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 7a6cc4aca3..04cafdf1c8 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -611,9 +611,9 @@ static int find_location_for_match( + /* FIXME: missing: find by monotonic */ + + if (j->current_location.type == LOCATION_HEAD) +- return journal_file_next_entry_for_data(f, dp, DIRECTION_DOWN, ret, offset); ++ return direction == DIRECTION_DOWN ? journal_file_next_entry_for_data(f, dp, DIRECTION_DOWN, ret, offset) : 0; + if (j->current_location.type == LOCATION_TAIL) +- return journal_file_next_entry_for_data(f, dp, DIRECTION_UP, ret, offset); ++ return direction == DIRECTION_UP ? journal_file_next_entry_for_data(f, dp, DIRECTION_UP, ret, offset) : 0; + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum_for_data(f, dp, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { +@@ -704,9 +704,9 @@ static int find_location_with_matches( + /* No matches is simple */ + + if (j->current_location.type == LOCATION_HEAD) +- return journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset); ++ return direction == DIRECTION_DOWN ? journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset) : 0; + if (j->current_location.type == LOCATION_TAIL) +- return journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset); ++ return direction == DIRECTION_UP ? journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset) : 0; + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum(f, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { +-- +2.17.1 + diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb index ef0476fad9..b79284d79c 100644 --- a/meta/recipes-core/systemd/systemd_250.14.bb +++ b/meta/recipes-core/systemd/systemd_250.14.bb @@ -29,6 +29,7 @@ SRC_URI += "file://touchscreen.rules \ file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \ file://fix-vlan-qos-mapping.patch \ file://0001-core-fix-build-when-seccomp-is-off.patch \ + file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \ " # patches needed by musl From patchwork Wed Apr 30 02:53:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62141 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E919C3ABA5 for ; Wed, 30 Apr 2025 02:54:27 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.web11.8215.1745981659336181256 for ; Tue, 29 Apr 2025 19:54:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3FubhBIB; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-301c4850194so5522888a91.2 for ; Tue, 29 Apr 2025 19:54:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981658; x=1746586458; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=z1KUZF6gfgZN4WGnoZE4k31FMMjBqKj5JPmBx8MwGVk=; b=3FubhBIBGShYB0ov1hIs10yVy6XXXHpldzUZjRT8Tneu8paiwEo37kXpvHuDmZEcNo UufS32ZyPajnwZoblXIscsCAv9hWf9+Nyzjx/rncAd77OeRovc95z+JGTeYd36ELPSu1 +UFq2Jsm67dpDP/64ONQRsBMyXLR7g5RWSKHgSlzBvUuGxfGgZ5FrTWkU81oYm44Z5YY 0k7Nkl4RVWvjA3mWt1nzvPyVhHzm+kUGwklLBbmg0zA16YFsYgxgs3qdV0OZr0R+iPpf BPZCyCncn52X/L/igxWdDqEkNhZMdqU07oqVUCdm7WhHqr4fGkCdrAu/jAyB/RNup38c nbew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981658; x=1746586458; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z1KUZF6gfgZN4WGnoZE4k31FMMjBqKj5JPmBx8MwGVk=; b=eaVHedR1NvQYbx47VC30DzPd/rSxMJQmicJhS2cz8KeQoibYK6oFf8wJrXgpuTV1uk 9YDNnl6Emik9sO5Wa6JT2X/bPtJ2faMVvETMLD3d6E4HuK3MqaiExHN6i3j9u0ozgfBZ VDQauGuILIvbyOBcuX783RK3o1oQdgmOUcryPd13fBWxlZYefCpUTZw1oHhiTvaX5afv 91yMxcRDRqR1mKQZkt+iyzcla1YqHJf5wVJd1v8LK4iSWU7MiaFNi+2YpQRyhpT2PRON rw3mgIx6h++Yr+gahYr9/2KYmznCYX97rzcpaA0b/yyZXaCic7mypeldXbfuogBEsiZN hZfA== X-Gm-Message-State: AOJu0YwCFmTCqYTXBbPNEOwy1QdZEVL94WIY5A6eEYTGfCMLQOnGSOC/ 90Kl/p02VU4Yibx07FB4bbwglDDav+05XtKX37wZ0xOQuLdQ+yquuQ0vjb51DU5nm6+OkiqV29C a X-Gm-Gg: ASbGncs4MbxsitSpn9f6UBlNvaZIk85vdTfPAxf/+N1rWlPG+lTk90oajzvIQI/mmTZ x/cVat7/t+3X8bmdqWki+hbX9hvObSuYI43xf4uuidvkyIah0uySQQtWzL7vvN+9wlXMpZaUHBX YzLT4UzYj478HOIAZbxSbrE6h1csTRMf/extz9E75ajkCeYG2BNLPT/vlL58rZXx+S6kx4iWGb0 bNwDeBlFoeEiUqOd5rSLqVsPqrCasQpxMKo9cVsjVeBSYKhhPaeGLql0HQvyWnZFnoYfnwpmdj2 5yqzrFSdyzGNiooQ0AMqw2Ud52E9KmY= X-Google-Smtp-Source: AGHT+IG0dHsM3Wkap8ZL3EnX7wOcmK20Hs8cCrz6q4dm7b9p3r/y/NYFgDSmjRUEMXjb/L4ZDHenoA== X-Received: by 2002:a17:90b:3c86:b0:2ee:693e:ed7a with SMTP id 98e67ed59e1d1-30a34486f2dmr1420901a91.35.1745981658375; Tue, 29 Apr 2025 19:54:18 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:18 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/14] systemd: systemd-journald fails to setup LogNamespace Date: Tue, 29 Apr 2025 19:53:38 -0700 Message-ID: <8eb185024f9a9e57a9b710c70f09552729558892.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215704 From: Haitao Liu A LogNamespace error for systemd v250: """ Apr 28 17:44:00 a-rinline2b systemd[467]: systemd-journald@tester.service: Failed to set up special execution directory in /var/log: Not a directory Apr 28 17:44:00 a-rinline2b systemd[467]: systemd-journald@tester.service: Failed at step LOGS_DIRECTORY spawning /lib/systemd/systemd-journald: Not a directory """ That's because that "/var/log/journal" couldn't be created during program runtime. Signed-off-by: Haitao Liu Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- ...n-in-mkdir_p-when-parent-directory-e.patch | 78 +++++++++++++++++++ meta/recipes-core/systemd/systemd_250.14.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch diff --git a/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch b/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch new file mode 100644 index 0000000000..723b8ca4f7 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch @@ -0,0 +1,78 @@ +From e01e68e70ae1db9fe61adec3e7bdcced7adc1930 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 10 Feb 2022 08:30:08 +0100 +Subject: [PATCH] basic: do not warn in mkdir_p() when parent directory exists +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This effectively disables warnings about type/mode/ownership of existing +directories when recursively creating parent directories. (Or files. If there's +a file in a place we expect a directory, the code will later try to create +a file and fail. This follows the general pattern where we do (void)mkdir() +if the mkdir() is immediately followed by opening of a file.) + +I was recently debugging an issue with the fstab-generator [1], and it says: +'Directory "/tmp" already exists, but has mode 0777 that is too permissive (0644 was requested), refusing.' +which is very specific but totally wrong in this context. +This output was added in 37c1d5e97dbc869edd8fc178427714e2d9428d2b, and I still +think it is worth to do it, because if you actually *do* want the directory, if +there's something wrong, the precise error message will make it much easier to +diagnose. And we can't easily pass the information what failed up the call chain +because there are multiple things we check (ownership, permission mask, type)… +So passing a param whether to warn or not down into the library code seems like +the best solution, despite not being very elegant. + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=2051285 + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/e01e68e70ae1db9fe61adec3e7bdcced7adc1930] + +Signed-off-by: Haitao Liu +Signed-off-by: Kai Kang +--- + src/basic/mkdir.c | 5 ++++- + src/basic/mkdir.h | 5 +++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c +index 27144dd45a..cf7cf4a357 100644 +--- a/src/basic/mkdir.c ++++ b/src/basic/mkdir.c +@@ -55,6 +55,9 @@ int mkdir_safe_internal( + return -errno; + } + ++ if (flags & MKDIR_IGNORE_EXISTING) ++ return 0; ++ + if (!S_ISDIR(st.st_mode)) + return log_full_errno(flags & MKDIR_WARN_MODE ? LOG_WARNING : LOG_DEBUG, SYNTHETIC_ERRNO(ENOTDIR), + "Path \"%s\" already exists and is not a directory, refusing.", path); +@@ -142,7 +145,7 @@ int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, ui + s[n] = '\0'; + + if (!prefix || !path_startswith_full(prefix, path, /* accept_dot_dot= */ false)) { +- r = mkdir_safe_internal(path, mode, uid, gid, flags, _mkdirat); ++ r = mkdir_safe_internal(path, mode, uid, gid, flags | MKDIR_IGNORE_EXISTING, _mkdirat); + if (r < 0 && r != -EEXIST) + return r; + } +diff --git a/src/basic/mkdir.h b/src/basic/mkdir.h +index 34a5227577..c0c0ea6c4f 100644 +--- a/src/basic/mkdir.h ++++ b/src/basic/mkdir.h +@@ -4,8 +4,9 @@ + #include + + typedef enum MkdirFlags { +- MKDIR_FOLLOW_SYMLINK = 1 << 0, +- MKDIR_WARN_MODE = 1 << 1, ++ MKDIR_FOLLOW_SYMLINK = 1 << 0, ++ MKDIR_IGNORE_EXISTING = 1 << 1, /* Quietly accept a preexisting directory (or file) */ ++ MKDIR_WARN_MODE = 1 << 2, /* Log at LOG_WARNING when mode doesn't match */ + } MkdirFlags; + + int mkdirat_errno_wrapper(int dirfd, const char *pathname, mode_t mode); +-- +2.25.1 + diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb index b79284d79c..b3e31e1f23 100644 --- a/meta/recipes-core/systemd/systemd_250.14.bb +++ b/meta/recipes-core/systemd/systemd_250.14.bb @@ -30,6 +30,7 @@ SRC_URI += "file://touchscreen.rules \ file://fix-vlan-qos-mapping.patch \ file://0001-core-fix-build-when-seccomp-is-off.patch \ file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \ + file://0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch \ " # patches needed by musl From patchwork Wed Apr 30 02:53:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 62139 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 572B2C369DC for ; Wed, 30 Apr 2025 02:54:27 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web10.8292.1745981660824556462 for ; Tue, 29 Apr 2025 19:54:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=wcuGbNOg; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-30820167b47so529433a91.0 for ; Tue, 29 Apr 2025 19:54:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1745981660; x=1746586460; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7BC9K8tEDNqYU7YZVfAOGDKfx2Pxk0m2wofLc/fASmg=; b=wcuGbNOguAiXVXvuuLXWMkwnYwGgCrH8muNOWZP0p22XEs0c6dP3oFzh+rz2egj8Mn hl90wiKUYYjW3NE4M+Wzety/aKICY6p2AvCKoSGHkMXKyt8kUdRKynPec7KKd47K4Ek5 cghmnmjQqAkX5sKZ9yqYosPVQWwXeZiXbzf+WrU9bx3JqgEtfhS+jWiSCx5yJwKM+wLk CINX22Ibb9tWdQ6hPmUAuf6vejDdoSbZV/4cOt/LAuO6Tke7Pyw3vEFfwiYNeFM6yJAN /6fjiOlap3mnH2WrTDs0LjLCdLoZyKBpTzcxxN8gStgC48GZpmyYOfwnKfqAqdaEJ39i v+wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745981660; x=1746586460; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7BC9K8tEDNqYU7YZVfAOGDKfx2Pxk0m2wofLc/fASmg=; b=PNRG0RmWWjcgLUpYtojwh6kEauYI2xjBYGbL/PAIcDEs5gsh9baeBzu8V7ax8wOWAh DmUPpYlFSiiFstZp3SwDEcy9oIewu7/G+narFiVXcM8n/ajKacLS5uDvhvcm2sT7GzVR sn0HNmaPx7ElhmWYRsilYt6O9mfysk2nxNV4tMTfiqvqav6jYyiwO3rZGssEHxqzC6lY mnbov4YrisU5SWSr3yPZjM54wHFNv41YVucDGizl+yzar4tCiqyErptXU3X/XWLOKGYE bQPBQTE2Q+Wkz0ozggcCr1mvA6YiaFPA/kVHwDJCZjew3eBVlyMtlgl+RNruKhuPCyjL 0s4Q== X-Gm-Message-State: AOJu0YzSJYzg/8Zkh+2Ei/OwtDRqB2pMLBUcItGRmhdqxgIyu2gj/8YY Pad+2ZlaWj9daFyjw9nUn4DxadX9J8EXn4V0TpLNZ8XWf5PAXuGEdKj6gMyXhtXZ+5hQ1//0un8 2 X-Gm-Gg: ASbGnctZFMfh6eXS9BbUWhSYed4Qmu4mbElAhfayAlFD4dpdxznUcRYRfyXSHbqrwLa pwAwd4wL7laQ+hb3JgC2DbZrv711uoHYu2GmJNA7PY9/0RkThvuoAM6wTCsoZnKw78SZx9x5KTZ 1ZNxXWsBrG0bytIB6kjjJ2Yv1Gt89CfYPjwbtXELtBPOLg3175AJX/MSDUEORXI3dJrioXsy6IQ 0K18wjxE8A4EcXFZF03zs9uKJ4q5Nbmsoox4O/PNB8tmHE3UskRd462CR0gqCdEQYUVJ4F5smYs xqrJ1SR4e2qIVD2WrTg9HFYUatINnBk= X-Google-Smtp-Source: AGHT+IFywAwZ/eNoJEaJxb2OiofzWc+4gkAmzlmX0++wwlbTQKalQHJjFYzHVTc4SWQnY7PkfTXoRA== X-Received: by 2002:a17:90b:2e44:b0:2fa:1d9f:c80 with SMTP id 98e67ed59e1d1-30a33d5b51amr1933537a91.17.1745981660073; Tue, 29 Apr 2025 19:54:20 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:34b:e5e0:c38a:7e03]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30a34a2ea46sm347852a91.31.2025.04.29.19.54.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Apr 2025 19:54:19 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/14] Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" Date: Tue, 29 Apr 2025 19:53:39 -0700 Message-ID: <25ba9895b98715adb66a06e50f644aea2e2c9eb6.1745981510.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 30 Apr 2025 02:54:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215705 From: Peter Marko This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44. It does not seem to fix the issue it was supposed to fix. Additionally it breaks code which decides in full/partial update, because it manipulates timestamp that code is relying on. Signed-off-by: Richard Purdie (cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 9808120cab..d50d9a2cea 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -85,8 +85,6 @@ python do_fetch() { if update_db_file(db_tmp_file, d, database_time) == True: # Update downloaded correctly, can swap files shutil.move(db_tmp_file, db_file) - # Need to 'touch' the file to ensure NFS sees the data - os.utime(db_file) else: # Update failed, do not modify the database bb.warn("CVE database update failed")