From patchwork Tue May 20 20:20:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63344 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC128C3DA6D for ; Tue, 20 May 2025 20:21:44 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.web10.1095.1747772496169926608 for ; Tue, 20 May 2025 13:21:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=Buv+CUtn; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-20250520202132b3e0d6512d52d0c7e8-a4yovt@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20250520202132b3e0d6512d52d0c7e8 for ; Tue, 20 May 2025 22:21:33 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=7VtKvAbZXZNXHoC9VagnMmbfwwsvVGQDo7AqXnW6SjQ=; b=Buv+CUtnmc+ywKQY98CNVSO/EG3F6IBJ4hlKN8lfU+4mNr36XHDyUG6swMJHr4V3b7vxfT OH8n8T+f4sL3MZnBsFUxkf0rSasu1AU/kshRfAWIG2jcXjtTSnT3CTSyARkpeFvLiVhtQkwf k9rJudli1DL3+psuElZMCjXwdrKgVcd4p4H8wjwGl2dgPNHa4Qn3fetQLdFKkb3T9bqAeavP H1xUrxGWa7I296G0Qc4+4nCiSGd6FQLD6xlVJtdLgiCzreASmHUq+DyLaYD7+MQuJyZ6SNXs QZPaPOFVUCr1NoJDCdvZx0HtNWRod0xVn1C7d6ctjJuZLhasyutsSNwA==; 
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 1/8] sqlite3: patch CVE-2025-3277 Date: Tue, 20 May 2025 22:20:26 +0200 Message-Id: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:21:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216943 From: Peter Marko Pick commit [1] mentioned in [2]. [1] https://sqlite.org/src/info/498e3f1cf57f164f [2] https://nvd.nist.gov/vuln/detail/CVE-2025-3277 Signed-off-by: Peter Marko --- .../sqlite/sqlite3/CVE-2025-3277.patch | 28 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.48.0.bb | 4 ++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch new file mode 100644 index 0000000000..8264d4443a --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch 
@@ -0,0 +1,28 @@ +From d7f45414935e4ef6e3361f02a22876f1ee7a04aa Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Sun, 16 Feb 2025 10:57:25 +0000 +Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the + concat_ws() function with an enormous separator values and many arguments. + +FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5 + +CVE: CVE-2025-3277 +Upstream-Status: Backport [https://sqlite.org/src/info/498e3f1cf57f164f] +Signed-off-by: Peter Marko +--- + sqlite3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 08c593e55c..24d0d954d9 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -130954,7 +130954,7 @@ static void concatFuncCore( + for(i=0; i X-Patchwork-Id: 63346 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70644C54E90 for ; Tue, 20 May 2025 20:21:54 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.1130.1747772504849132049 for ; Tue, 20 May 2025 13:21:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=fhrdXGwa; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202505202021425f9c3a0a51c31f5313-na9idb@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202505202021425f9c3a0a51c31f5313 for ; Tue, 20 May 2025 22:21:42 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=1WOuO5yJP6TPGO/nRPZcZSnsAeK1nXFpopNbw0L2QvA=; 
b=fhrdXGwaLD+BoVJuqWkYyjECvB0qE0Ef962LTYEZ+K/xqp93NqtcXe1sl5CAqLq0i+QQ/i e6N0/uVQNZKrq04cqENf5usziryRIsFL1+r3/EWW6heSctQ+gzqgxiuBmXAp1SCR8feyr9tT vy5txwIC+GY64sxu/4+dXznlOyUYz0yblv17hlE1DFQFb/8hedajvOQVOFcaMZ8U8iEm8P2x 27z25n1n1jHRtqjmNRh0T6wGM7Zi91vNmczqPB3+F/H3ZCS2wJwQMGM2ccrJwtkNb1V9wZgp 4NeDZt8bjWbc7JvBSt3nQA55h20x2Y96HsTLDhulLaQlQ5MhdFsATJhg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 2/8] sqlite3: patch CVE-2025-29088 Date: Tue, 20 May 2025 22:20:27 +0200 Message-Id: <20250520202033.2352749-2-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:21:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216944 From: Peter Marko Pick commit [1] mentioned in [2]. [1] https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-29088 Signed-off-by: Peter Marko --- .../sqlite/sqlite3/CVE-2025-29088.patch | 179 ++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.48.0.bb | 1 + 2 files changed, 180 insertions(+) create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-29088.patch diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-29088.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-29088.patch new file mode 100644 index 0000000000..12a025fdd8 --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-29088.patch 
@@ -0,0 +1,179 @@ +From 57d1e61dda969659f59a0b7841c7d0287d724bc6 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Mon, 17 Feb 2025 14:16:49 +0000 +Subject: [PATCH] Harden the SQLITE_DBCONFIG_LOOKASIDE interface against + misuse, such as described in [forum:/forumpost/48f365daec|forum post + 48f365daec]. Enhancements to the SQLITE_DBCONFIG_LOOKASIDE documentation. + Test cases in TH3. + +FossilOrigin-Name: 1ec4c308c76c69fba031184254fc3340f07607cfbf8342b13713ab445563d377 + +CVE: CVE-2025-29088 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4] +Signed-off-by: Peter Marko +--- + sqlite3.c | 42 +++++++++++++++++++++++--------------- + sqlite3.h | 60 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 67 insertions(+), 35 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 24d0d954d9..2574a43f3e 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -182001,17 +182001,22 @@ SQLITE_API int sqlite3_config(int op, ...){ + ** If lookaside is already active, return SQLITE_BUSY. + ** + ** The sz parameter is the number of bytes in each lookaside slot. +-** The cnt parameter is the number of slots. If pStart is NULL the +-** space for the lookaside memory is obtained from sqlite3_malloc(). +-** If pStart is not NULL then it is sz*cnt bytes of memory to use for +-** the lookaside memory. ++** The cnt parameter is the number of slots. If pBuf is NULL the ++** space for the lookaside memory is obtained from sqlite3_malloc() ++** or similar. If pBuf is not NULL then it is sz*cnt bytes of memory ++** to use for the lookaside memory. + */ +-static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ ++static int setupLookaside( ++ sqlite3 *db, /* Database connection being configured */ ++ void *pBuf, /* Memory to use for lookaside. 
May be NULL */ ++ int sz, /* Desired size of each lookaside memory slot */ ++ int cnt /* Number of slots to allocate */ ++){ + #ifndef SQLITE_OMIT_LOOKASIDE +- void *pStart; +- sqlite3_int64 szAlloc = sz*(sqlite3_int64)cnt; +- int nBig; /* Number of full-size slots */ +- int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */ ++ void *pStart; /* Start of the lookaside buffer */ ++ sqlite3_int64 szAlloc; /* Total space set aside for lookaside memory */ ++ int nBig; /* Number of full-size slots */ ++ int nSm; /* Number smaller LOOKASIDE_SMALL-byte slots */ + + if( sqlite3LookasideUsed(db,0)>0 ){ + return SQLITE_BUSY; +@@ -182024,17 +182029,22 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + sqlite3_free(db->lookaside.pStart); + } + /* The size of a lookaside slot after ROUNDDOWN8 needs to be larger +- ** than a pointer to be useful. ++ ** than a pointer and small enough to fit in a u16. + */ +- sz = ROUNDDOWN8(sz); /* IMP: R-33038-09382 */ ++ sz = ROUNDDOWN8(sz); + if( sz<=(int)sizeof(LookasideSlot*) ) sz = 0; +- if( cnt<0 ) cnt = 0; +- if( sz==0 || cnt==0 ){ ++ if( sz>65528 ) sz = 65528; ++ /* Count must be at least 1 to be useful, but not so large as to use ++ ** more than 0x7fff0000 total bytes for lookaside. 
*/ ++ if( cnt<1 ) cnt = 0; ++ if( sz>0 && cnt>(0x7fff0000/sz) ) cnt = 0x7fff0000/sz; ++ szAlloc = (i64)sz*(i64)cnt; ++ if( szAlloc==0 ){ + sz = 0; + pStart = 0; + }else if( pBuf==0 ){ + sqlite3BeginBenignMalloc(); +- pStart = sqlite3Malloc( szAlloc ); /* IMP: R-61949-35727 */ ++ pStart = sqlite3Malloc( szAlloc ); + sqlite3EndBenignMalloc(); + if( pStart ) szAlloc = sqlite3MallocSize(pStart); + }else{ +@@ -182043,10 +182053,10 @@ static int setupLookaside(sqlite3 *db, void *pBuf, int sz, int cnt){ + #ifndef SQLITE_OMIT_TWOSIZE_LOOKASIDE + if( sz>=LOOKASIDE_SMALL*3 ){ + nBig = szAlloc/(3*LOOKASIDE_SMALL+sz); +- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL; ++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL; + }else if( sz>=LOOKASIDE_SMALL*2 ){ + nBig = szAlloc/(LOOKASIDE_SMALL+sz); +- nSm = (szAlloc - sz*nBig)/LOOKASIDE_SMALL; ++ nSm = (szAlloc - (i64)sz*(i64)nBig)/LOOKASIDE_SMALL; + }else + #endif /* SQLITE_OMIT_TWOSIZE_LOOKASIDE */ + if( sz>0 ){ +diff --git a/sqlite3.h b/sqlite3.h +index 2618b37a7b..056511f577 100644 +--- a/sqlite3.h ++++ b/sqlite3.h +@@ -1989,13 +1989,16 @@ struct sqlite3_mem_methods { + ** + ** [[SQLITE_CONFIG_LOOKASIDE]]
SQLITE_CONFIG_LOOKASIDE
+ **
^(The SQLITE_CONFIG_LOOKASIDE option takes two arguments that determine +-** the default size of lookaside memory on each [database connection]. ++** the default size of [lookaside memory] on each [database connection]. + ** The first argument is the +-** size of each lookaside buffer slot and the second is the number of +-** slots allocated to each database connection.)^ ^(SQLITE_CONFIG_LOOKASIDE +-** sets the default lookaside size. The [SQLITE_DBCONFIG_LOOKASIDE] +-** option to [sqlite3_db_config()] can be used to change the lookaside +-** configuration on individual connections.)^
++** size of each lookaside buffer slot ("sz") and the second is the number of ++** slots allocated to each database connection ("cnt").)^ ++** ^(SQLITE_CONFIG_LOOKASIDE sets the default lookaside size. ++** The [SQLITE_DBCONFIG_LOOKASIDE] option to [sqlite3_db_config()] can ++** be used to change the lookaside configuration on individual connections.)^ ++** The [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to change the ++** default lookaside configuration at compile-time. ++** + ** + ** [[SQLITE_CONFIG_PCACHE2]]
SQLITE_CONFIG_PCACHE2
+ **
^(The SQLITE_CONFIG_PCACHE2 option takes a single argument which is +@@ -2225,24 +2228,43 @@ struct sqlite3_mem_methods { + **
SQLITE_DBCONFIG_LOOKASIDE
+ **
^This option takes three additional arguments that determine the + ** [lookaside memory allocator] configuration for the [database connection]. +-** ^The first argument (the third parameter to [sqlite3_db_config()] is a ++**
    ++**
  1. The first argument ("buf") is a + ** pointer to a memory buffer to use for lookaside memory. +-** ^The first argument after the SQLITE_DBCONFIG_LOOKASIDE verb +-** may be NULL in which case SQLite will allocate the +-** lookaside buffer itself using [sqlite3_malloc()]. ^The second argument is the +-** size of each lookaside buffer slot. ^The third argument is the number of +-** slots. The size of the buffer in the first argument must be greater than +-** or equal to the product of the second and third arguments. The buffer +-** must be aligned to an 8-byte boundary. ^If the second argument to +-** SQLITE_DBCONFIG_LOOKASIDE is not a multiple of 8, it is internally +-** rounded down to the next smaller multiple of 8. ^(The lookaside memory ++** The first argument may be NULL in which case SQLite will allocate the ++** lookaside buffer itself using [sqlite3_malloc()]. ++**

  2. The second argument ("sz") is the ++** size of each lookaside buffer slot. Lookaside is disabled if "sz" ++** is less than 8. The "sz" argument should be a multiple of 8 less than ++** 65536. If "sz" does not meet this constraint, it is reduced in size until ++** it does. ++**

  3. The third argument ("cnt") is the number of slots. Lookaside is disabled ++** if "cnt"is less than 1. The "cnt" value will be reduced, if necessary, so ++** that the product of "sz" and "cnt" does not exceed 2,147,418,112. The "cnt" ++** parameter is usually chosen so that the product of "sz" and "cnt" is less ++** than 1,000,000. ++**

++**

If the "buf" argument is not NULL, then it must ++** point to a memory buffer with a size that is greater than ++** or equal to the product of "sz" and "cnt". ++** The buffer must be aligned to an 8-byte boundary. ++** The lookaside memory + ** configuration for a database connection can only be changed when that + ** connection is not currently using lookaside memory, or in other words +-** when the "current value" returned by +-** [sqlite3_db_status](D,[SQLITE_DBSTATUS_LOOKASIDE_USED],...) is zero. ++** when the value returned by [SQLITE_DBSTATUS_LOOKASIDE_USED] is zero. + ** Any attempt to change the lookaside memory configuration when lookaside + ** memory is in use leaves the configuration unchanged and returns +-** [SQLITE_BUSY].)^

++** [SQLITE_BUSY]. ++** If the "buf" argument is NULL and an attempt ++** to allocate memory based on "sz" and "cnt" fails, then ++** lookaside is silently disabled. ++**

++** The [SQLITE_CONFIG_LOOKASIDE] configuration option can be used to set the ++** default lookaside configuration at initialization. The ++** [-DSQLITE_DEFAULT_LOOKASIDE] option can be used to set the default lookaside ++** configuration at compile-time. Typical values for lookaside are 1200 for ++** "sz" and 40 to 100 for "cnt". ++** + ** + ** [[SQLITE_DBCONFIG_ENABLE_FKEY]] + **

SQLITE_DBCONFIG_ENABLE_FKEY
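Review bot: the sqlite3.c file header of this backport reads `index 24d0d954d9..2574a43f3e`, and 24d0d954d9 is exactly the blob that CVE-2025-3277.patch produces (`index 08c593e55c..24d0d954d9` in that patch), so this patch only applies cleanly after CVE-2025-3277.patch; the SRC_URI order in the .bb hunk preserves that, but please state the dependency in the commit message so that a later reorder or drop of CVE-2025-3277.patch does not silently break this one. On the setupLookaside() hunk itself the logic looks right: `sz` is clamped to 65528 and `cnt` to `0x7fff0000/sz` before `szAlloc = (i64)sz*(i64)cnt` is formed, which removes the 32-bit `sz*cnt` product the old initializer relied on, and the two `nSm` computations are widened to `(i64)sz*(i64)nBig` to match. The documentation hunk's `if "cnt"is less than 1` is missing a space; as this is a verbatim upstream backport it should be reported upstream rather than edited here.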
diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb index 86983f21bd..11f103dddc 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.48.0.bb 
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2025-3277.patch \ + file://CVE-2025-29088.patch \ " SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5" From patchwork Tue May 20 20:20:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63345 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F1A2C54E71 for ; Tue, 20 May 2025 20:21:54 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.1102.1747772509859627251 for ; Tue, 20 May 2025 13:21:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=TTm8sx6b; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20250520202147d3e8fb74bfc50d4540-9j_txf@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20250520202147d3e8fb74bfc50d4540 for ; Tue, 20 May 2025 22:21:48 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=WIsB0Ak1TGGUOT+QCbOVhOHQzLTOpeEfPfgA6hT+VR0=; b=TTm8sx6boExVhfIM9OwJ8xIlmzozZxdUmTm9VBZY2TzTf3oLHCs5OQM3nitzaPWI/noJ1m X9t4Jry2Ga1+ezT6oN/LmBnIWsrd+2NDGAHePmH4pTjaUrA6/EAeNw9Au/R1ZBV9rf33hKrp gcZCo6hsrd8tHjM3EdzyAaqc3Uwm8HCDQRNNQLiajdVxLhFHXuFwY6cYu8h1VZrhQf5rgd7S 
Tv+KiiAh5B/HkzIKi80SYbbRe+fy6ryxUY96v1/+OFaoCA8jcG7JCigMD0It1cKfDs/EcvLM s9OrNtMcP+J+K1oiANnmv+NCydelrR8cMhKuKqv+2gYziypjem7vmgig==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 3/8] sqlite3: mark CVE-2025-29087 as patched Date: Tue, 20 May 2025 22:20:28 +0200 Message-Id: <20250520202033.2352749-3-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:21:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216945 From: Peter Marko Descriptions of CVE-2025-29087 and CVE-2025-3277 are very similar. There is no link from NVD, but [1] and [2] from Debian mark these two CVEs as duplicates with the same link for patch. [1] https://security-tracker.debian.org/tracker/CVE-2025-29087 [2] https://security-tracker.debian.org/tracker/CVE-2025-3277 Signed-off-by: Peter Marko --- meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch index 8264d4443a..60da0b773d 100644 --- a/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch +++ b/meta/recipes-support/sqlite/sqlite3/CVE-2025-3277.patch @@ -7,6 +7,7 @@ Subject: [PATCH] Add a typecast to avoid 32-bit integer overflow in the FossilOrigin-Name: 498e3f1cf57f164fbd8380e92bf91b9f26d6aa05d092fcd135d754abf1e5b1b5 CVE: CVE-2025-3277 +CVE: CVE-2025-29087 Upstream-Status: Backport [https://sqlite.org/src/info/498e3f1cf57f164f]
Signed-off-by: Peter Marko --- From patchwork Tue May 20 20:20:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63348 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 727CEC3DA6D for ; Tue, 20 May 2025 20:22:04 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web10.1105.1747772519227244388 for ; Tue, 20 May 2025 13:21:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=FcjBUjZv; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-2025052020215389bdffd492074cc0f0-ddw5tf@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 2025052020215389bdffd492074cc0f0 for ; Tue, 20 May 2025 22:21:53 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=EK1qbg5ISxw6p+C9akK1WuBvbSLeMcciLVJmaiZ/5h8=; b=FcjBUjZvpL0nGziUqwyxjsj5S0AEr+m2dlXiUv9FV6et2pXz4+LLLaL+xTN5FI12r62BG2 enuuEbkph5mZEhVnxdyCCztMD+VYd6TUcM86YpUh5cyphVoTtzW6qIKg1jSIRnSTNeyv1spm PIUPSN8ObcyE8JE2hHZWCn9Ds71PyQhxh+YTd5J9QGF6oKIzWYWZsv8gtOqYNyUhtTpwD4V7 Vx2j3xOy0/y+FK6JzBtQjNzFPc6Z8MrPdFLi6JtxYMDqpDCUco2OcHjcD0P/FLml5kuIY1TW LaOvlZeJz13HhZ5m23axg1myEbpYDDa9bjrz4UEImTS96QET2R6AJrOQ==; 
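Review bot: the rationale for crediting CVE-2025-29087 to CVE-2025-3277.patch (the Debian tracker entries treat the two IDs as duplicates of the same upstream fix, and NVD gives no cross-reference) appears only in the commit message; a one-line remark next to the new `+CVE: CVE-2025-29087` tag in the patch header would keep that justification with the patch file when it is picked to another branch, and it is what a future reader of the .patch alone will look for. Stacking a second `CVE:` line is otherwise the right mechanism, since the cve-check patch scanner reads every `CVE:` line rather than only the first.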
From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 4/8] ofono: patch CVE-2024-7537 Date: Tue, 20 May 2025 22:20:29 +0200 Message-Id: <20250520202033.2352749-4-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:22:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216946 From: Peter Marko Pick commit https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Signed-off-by: Peter Marko --- .../ofono/ofono/CVE-2024-7537.patch | 59 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_2.15.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch new file mode 100644 index 0000000000..4a7cd12297 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch 
@@ -0,0 +1,59 @@ +From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Sun, 16 Mar 2025 12:26:42 +0200 +Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read + +Fixes: CVE-2024-7537 + +CVE: CVE-2024-7537 +Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb] +Signed-off-by: Peter Marko +--- + drivers/qmimodem/sms.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c +index 3e2bef6e..75863480 100644 +--- a/drivers/qmimodem/sms.c ++++ b/drivers/qmimodem/sms.c +@@ -442,6 +442,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data) + const struct qmi_wms_result_msg_list *list; + uint32_t cnt = 0; + uint16_t tmp; ++ uint16_t length; ++ size_t msg_size; + + DBG(""); + +@@ -451,7 +453,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data) + goto done; + } + +- list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL); ++ list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length); + if (list == NULL) { + DBG("Err: get msg list empty"); + goto done; +@@ -460,6 +462,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data) + cnt = L_LE32_TO_CPU(list->cnt); + DBG("msgs found %d", cnt); + ++ msg_size = cnt * sizeof(list->msg[0]); ++ ++ if (length != sizeof(list->cnt) + msg_size) { ++ DBG("Err: invalid msg list count"); ++ goto done; ++ } ++ + for (tmp = 0; tmp < cnt; tmp++) { + DBG("unread type %d ndx %d", list->msg[tmp].type, + L_LE32_TO_CPU(list->msg[tmp].ndx)); +@@ -473,8 +482,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data) + + /* save list and get 1st msg */ + if (cnt) { +- int msg_size = cnt * sizeof(list->msg[0]); +- + data->msg_list = l_malloc(sizeof(list->cnt) + msg_size); + data->msg_list->cnt = cnt; + memcpy(data->msg_list->msg, list->msg, msg_size); 
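Review bot: in the new validation in get_msg_list_cb(), `msg_size = cnt * sizeof(list->msg[0])` is computed before `length` is checked, with `cnt` a 32-bit value read from the modem, so on a target where `size_t` is 32 bits the product can wrap and `length != sizeof(list->cnt) + msg_size` may then pass for a corrupt count; the robust form is to reject `length < sizeof(list->cnt)` first and derive the expected count as `(length - sizeof(list->cnt)) / sizeof(list->msg[0])`, comparing that against `cnt` instead of comparing byte sizes. Related, the existing loop `for (tmp = 0; tmp < cnt; tmp++)` uses a `uint16_t` counter against a `uint32_t` bound and is only safe because the new check now limits `cnt` to what fits inside a 16-bit TLV length; a short comment recording that dependency would help whoever touches this next. Moving the former `int msg_size` up to a function-scope `size_t` is a good change on its own, as it removes a signed/unsigned mix in the later `l_malloc(sizeof(list->cnt) + msg_size)` call.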
diff --git a/meta/recipes-connectivity/ofono/ofono_2.15.bb b/meta/recipes-connectivity/ofono/ofono_2.15.bb index 40eeb3a086..07d7ac6095 100644 --- a/meta/recipes-connectivity/ofono/ofono_2.15.bb +++ b/meta/recipes-connectivity/ofono/ofono_2.15.bb 
@@ -9,6 +9,7 @@ DEPENDS = "dbus glib-2.0 udev mobile-broadband-provider-info ell" SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://ofono \ + file://CVE-2024-7537.patch \ " SRC_URI[sha256sum] = "1af93ab72a70502452fe3d0297a6eaea13750cacae1fff3b643dd2245a6408ca" From patchwork Tue May 20 20:20:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63347 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 734E2C54E90 for ; Tue, 20 May 2025 20:22:04 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.1106.1747772520386310440 for ; Tue, 20 May 2025 13:22:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=bWkoyNDg; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20250520202158cde83d4f2b54cecbab-vvofpi@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250520202158cde83d4f2b54cecbab for ; Tue, 20 May 2025 22:21:58 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=SXci/0W8ZsqBZyaA7aas6edhRsx5v81uryOF6Ni15B8=; b=bWkoyNDgyCgYsbf744XoJYQxwD+EuSc0OvrUVZGbQz8jngpxyUO841twSs34r79cT+c5JQ s5/BELDcIrK9WfEShurZ47/90Bow9rvlL9W+PBqoR7VhkUIaeFVNuOYI7WOY8UNJvI3JjhVa 2pruP7ZmfX1i10fuhxePqA5X55rB07zh9vxyb2aafu+P2PtQ/3xbpeMyIYPOBUew4DxD9/wK JCrgChbe18HcH5+3zISDIcvoAm56dwDo1HnEsnWs4ZIw7msbcQNNOGcpxQZP7jDJo/Bw5r9O 
2OkuRVkno03+xCB61WsrGtN3JIasEMxQLYl8jcvgusnGY4HEMEv5j5Qw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko , Mathieu Dubois-Briand , Richard Purdie Subject: [OE-core][walnascar][PATCH 5/8] libarchive: upgrade 3.7.8 -> 3.7.9 Date: Tue, 20 May 2025 22:20:30 +0200 Message-Id: <20250520202033.2352749-5-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:22:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216947 From: Peter Marko https://github.com/libarchive/libarchive/releases/tag/v3.7.9 Libarchive 3.7.9 is a bugfix release Important bugfixes: * a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed (#2558) Also remove CVE_STATUS which was obsolete already before this upgrade. (From OE-Core rev: 670f3fa028f3e873acf4c5265d3f5e4a3aa0ec89) Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../libarchive/{libarchive_3.7.8.bb => libarchive_3.7.9.bb} | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename meta/recipes-extended/libarchive/{libarchive_3.7.8.bb => libarchive_3.7.9.bb} (91%) diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.8.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb similarity index 91% rename from meta/recipes-extended/libarchive/libarchive_3.7.8.bb rename to meta/recipes-extended/libarchive/libarchive_3.7.9.bb index d78b38d3e9..9d134f7d38 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.8.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
@@ -33,9 +33,7 @@ SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz" UPSTREAM_CHECK_URI = "http://libarchive.org/" -SRC_URI[sha256sum] = "a123d87b1bd8adb19e8c187da17ae2d957c7f9596e741b929e6b9ceefea5ad0f" - -CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe" +SRC_URI[sha256sum] = "aa90732c5a6bdda52fda2ad468ac98d75be981c15dde263d7b5cf6af66fd009f" inherit autotools update-alternatives pkgconfig From patchwork Tue May 20 20:20:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63349 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B370C54E92 for ; Tue, 20 May 2025 20:22:04 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.1106.1747772520386310440 for ; Tue, 20 May 2025 13:22:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=CnV20HCX; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-2025052020220255a91aede5b07f93cc-perrdm@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 2025052020220255a91aede5b07f93cc for ; Tue, 20 May 2025 22:22:02 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=EbFpGqrcoQfaZAvQWtCk29wkcTwux/7bK1Tndalbg3w=; b=CnV20HCXzubam2Jogrut0jcJQcDnTHukMMVEotKio0QfL1ri+L4SnMZ6rUpXQbgKwu0rjM 
tdMIkgHjXjuJPEE9G4+G1mmWJ6+IwdFHkoFI/APf3OKtA+aWpgnUpa1m641d+qO/xqQzPPh5 pI06wJffESOwi5d++O1B+8WdjrFQn2koA1DHw0+0tUPGgHLbKo6yVPktn8i1qt2YaMMFoPqW VU1Biy9SINaq+FfAB+E4I1PAvdqSVf6OtxXbPQPG8NHtrsLQUisDHLQAZ0muqEEUzVprKpPe HKZm8qKSJK4/bHfjQh6n4rHQLibwZkj4vIEYmb0kL+Bdckr7QTpWNH5Q==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko , Richard Purdie Subject: [OE-core][walnascar][PATCH 6/8] binutils: drop obsolete CVE_STATUS Date: Tue, 20 May 2025 22:20:31 +0200 Message-Id: <20250520202033.2352749-6-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:22:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216948 From: Peter Marko NVD has CVE-2023-25584 listed as < 2.40, so we don't need to ignore it for version 2.44 anymore. (From OE-Core rev: eaf80096f96e5bebed53076c1dfe7e35e539f383) Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.44.inc | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc index 7a19aa31d5..41071fada1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.44.inc +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc 
@@ -18,8 +18,6 @@ SRCBRANCH ?= "binutils-2_44-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" -CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier" - SRCREV ?= "819d713b6340ed3657e00ad0bc8d5f2b73094a0f" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" SRC_URI = "\ From patchwork Tue May 20 20:20:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63350 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D700C54E71 for ; Tue, 20 May 2025 20:22:14 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.1142.1747772529913649848 for ; Tue, 20 May 2025 13:22:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=Y4TTeMKO; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250520202207f7f75bc2bd4627664a-nyp9c_@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250520202207f7f75bc2bd4627664a for ; Tue, 20 May 2025 22:22:07 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=8HlConhfNC0pQsdoKMS4ve+atTSnID7W9wHIz7ZSgG8=; b=Y4TTeMKOtt9741vKqwUnEHdt7sr1jb+aAr5mLYNvSpGj79lNF72rbRCttGnIBzBWlLxVhB lOJX23Q9tehtpd8G/tk0v14Iq1LBvlDbauJCT1klhn+S+2x/0B+scJT1K34rDng4KneZDbz0 wJnV9bi10HPo1IkAIw3f/ezZAOVV40bRZaUy4Lubc0lLFfqCT4QpslziTWueexmO/i/vOSmM 
uuxSj3/JiRWMrJEHWpS1b4WAG7HkCUMtaK22Imnayx1jVkBeqA8+Q9Hy+jpnGdXigHtoNPgh hkN8GNG8q3dffCnEBoqWoDLXI2v4IK6m3NZq2ErraUeEj2FPBfp2yYPw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko , Richard Purdie Subject: [OE-core][walnascar][PATCH 7/8] binutils: mark CVE-2025-1153 as fixed Date: Tue, 20 May 2025 22:20:32 +0200 Message-Id: <20250520202033.2352749-7-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:22:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216949 From: Peter Marko We had this CVE patched but the patch was removed with last 2.44 branch updates as it is now included. Since there is no new version which could be set in NVD DB, this needs to be explicitly handled. (From OE-Core rev: 32f18145dee54f61203506daef339cd132908287) Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.44.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/binutils/binutils-2.44.inc b/meta/recipes-devtools/binutils/binutils-2.44.inc index 41071fada1..28100abbe9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.44.inc +++ b/meta/recipes-devtools/binutils/binutils-2.44.inc 
@@ -18,6 +18,8 @@ SRCBRANCH ?= "binutils-2_44-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" +CVE_STATUS[CVE-2025-1153] = "cpe-stable-backport: fix available in used git hash" + SRCREV ?= "819d713b6340ed3657e00ad0bc8d5f2b73094a0f" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" SRC_URI = "\ From patchwork Tue May 20 20:20:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 63351 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A1D6C3DA6D for ; Tue, 20 May 2025 20:22:14 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web11.1142.1747772529913649848 for ; Tue, 20 May 2025 13:22:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=UL/pPgB/; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20250520202212035cb5283476f20661-ox_1xj@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250520202212035cb5283476f20661 for ; Tue, 20 May 2025 22:22:12 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=5KrjcqejfETbTKkTsSTDMwDg6qFuQE2vIfE4Y3dhis0=; b=UL/pPgB/5G4Jzy/6imf/9vL7HZq4PRIRV7lf3UXxaNgZW/48JJCVlUp1IvHExdPW+y3Bt9 jLwMiVYin4HQmMcNU5EzzE42f9mQ4ocA4pirN2p+BySAH+8snE/fw2hluyqXhfcb64Rb+xRt Zc9FzlrrsBmlf5ELqmKNQgmP07WuohWeypYZXF5Xys5QolRRpkjfx/Zv8O9XUyXi7do1QqDA 
s3Jga12OakNo+cuO6GubVtNtozWqp+yoLsxn7EpGd5HGKKT0UHR8iDVpGWfM+nINjXyrikio 2uAJb/J5ZFIiZjl5myp8dihMuNy7ZWTTfMb7k+uvA12TxfoaQKP6cMKQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][walnascar][PATCH 8/8] xz: patch CVE-2025-31115 Date: Tue, 20 May 2025 22:20:33 +0200 Message-Id: <20250520202033.2352749-8-peter.marko@siemens.com> In-Reply-To: <20250520202033.2352749-1-peter.marko@siemens.com> References: <20250520202033.2352749-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 20:22:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216950 From: Peter Marko Cherry-pick commits from [1] linked from [2] from branch v5.6 [1] https://tukaani.org/xz/xz-cve-2025-31115.patch [2] https://tukaani.org/xz/threaded-decoder-early-free.html Signed-off-by: Peter Marko --- .../xz/xz/CVE-2025-31115-01.patch | 29 ++++ .../xz/xz/CVE-2025-31115-02.patch | 152 ++++++++++++++++++ .../xz/xz/CVE-2025-31115-03.patch | 98 +++++++++++ .../xz/xz/CVE-2025-31115-04.patch | 56 +++++++ meta/recipes-extended/xz/xz_5.6.4.bb | 4 + 5 files changed, 339 insertions(+) create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-01.patch create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-02.patch create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-03.patch create mode 100644 meta/recipes-extended/xz/xz/CVE-2025-31115-04.patch diff --git a/meta/recipes-extended/xz/xz/CVE-2025-31115-01.patch b/meta/recipes-extended/xz/xz/CVE-2025-31115-01.patch new file mode 100644 index 0000000000..d6e75f8201 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2025-31115-01.patch 
@@ -0,0 +1,29 @@ +From c1a91b8baeb947c5b232a6c3d6319267131830bc Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 1/4] liblzma: mt dec: Fix a comment + +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +(cherry picked from commit 831b55b971cf579ee16a854f177c36b20d3c6999) + +CVE: CVE-2025-31115 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/c1a91b8baeb947c5b232a6c3d6319267131830bc] +Signed-off-by: Peter Marko +--- + src/liblzma/common/stream_decoder_mt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 244624a4..6f06f1d1 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -347,7 +347,7 @@ worker_enable_partial_update(void *thr_ptr) + + + /// Things do to at THR_STOP or when finishing a Block. +-/// This is called with thr->mutex locked. ++/// This is called with thr->coder->mutex locked. + static void + worker_stop(struct worker_thread *thr) + { diff --git a/meta/recipes-extended/xz/xz/CVE-2025-31115-02.patch b/meta/recipes-extended/xz/xz/CVE-2025-31115-02.patch new file mode 100644 index 0000000000..7b36ae551a --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2025-31115-02.patch 
@@ -0,0 +1,152 @@ +From f74cf18ad084a9185d8ae148d89265860aa8004c Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 2/4] liblzma: mt dec: Simplify by removing the THR_STOP state + +The main thread can directly set THR_IDLE in threads_stop() which is +called when errors are detected. threads_stop() won't return the stopped +threads to the pool or free the memory pointed by thr->in anymore, but +it doesn't matter because the existing workers won't be reused after +an error. The resources will be cleaned up when threads_end() is +called (reinitializing the decoder always calls threads_end()). + +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +(cherry picked from commit c0c835964dfaeb2513a3c0bdb642105152fe9f34) + +CVE: CVE-2025-31115 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/f74cf18ad084a9185d8ae148d89265860aa8004c] +Signed-off-by: Peter Marko +--- + src/liblzma/common/stream_decoder_mt.c | 75 ++++++++++---------------- + 1 file changed, 29 insertions(+), 46 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index 6f06f1d1..e1d07007 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -23,15 +23,10 @@ typedef enum { + THR_IDLE, + + /// Decoding is in progress. +- /// Main thread may change this to THR_STOP or THR_EXIT. ++ /// Main thread may change this to THR_IDLE or THR_EXIT. + /// The worker thread may change this to THR_IDLE. + THR_RUN, + +- /// The main thread wants the thread to stop whatever it was doing +- /// but not exit. Main thread may change this to THR_EXIT. +- /// The worker thread may change this to THR_IDLE. +- THR_STOP, +- + /// The main thread wants the thread to exit. + THR_EXIT, + +@@ -346,27 +341,6 @@ worker_enable_partial_update(void *thr_ptr) + } + + +-/// Things do to at THR_STOP or when finishing a Block. 
+-/// This is called with thr->coder->mutex locked. +-static void +-worker_stop(struct worker_thread *thr) +-{ +- // Update memory usage counters. +- thr->coder->mem_in_use -= thr->in_size; +- thr->in_size = 0; // thr->in was freed above. +- +- thr->coder->mem_in_use -= thr->mem_filters; +- thr->coder->mem_cached += thr->mem_filters; +- +- // Put this thread to the stack of free threads. +- thr->next = thr->coder->threads_free; +- thr->coder->threads_free = thr; +- +- mythread_cond_signal(&thr->coder->cond); +- return; +-} +- +- + static MYTHREAD_RET_TYPE + worker_decoder(void *thr_ptr) + { +@@ -397,17 +371,6 @@ next_loop_unlocked: + return MYTHREAD_RET_VALUE; + } + +- if (thr->state == THR_STOP) { +- thr->state = THR_IDLE; +- mythread_mutex_unlock(&thr->mutex); +- +- mythread_sync(thr->coder->mutex) { +- worker_stop(thr); +- } +- +- goto next_loop_lock; +- } +- + assert(thr->state == THR_RUN); + + // Update progress info for get_progress(). +@@ -510,7 +473,22 @@ next_loop_unlocked: + && thr->coder->thread_error == LZMA_OK) + thr->coder->thread_error = ret; + +- worker_stop(thr); ++ // Return the worker thread to the stack of available ++ // threads. ++ { ++ // Update memory usage counters. ++ thr->coder->mem_in_use -= thr->in_size; ++ thr->in_size = 0; // thr->in was freed above. ++ ++ thr->coder->mem_in_use -= thr->mem_filters; ++ thr->coder->mem_cached += thr->mem_filters; ++ ++ // Put this thread to the stack of free threads. ++ thr->next = thr->coder->threads_free; ++ thr->coder->threads_free = thr; ++ } ++ ++ mythread_cond_signal(&thr->coder->cond); + } + + goto next_loop_lock; +@@ -544,17 +522,22 @@ threads_end(struct lzma_stream_coder *coder, const lzma_allocator *allocator) + } + + ++/// Tell worker threads to stop without doing any cleaning up. ++/// The clean up will be done when threads_exit() is called; ++/// it's not possible to reuse the threads after threads_stop(). 
++/// ++/// This is called before returning an unrecoverable error code ++/// to the application. It would be waste of processor time ++/// to keep the threads running in such a situation. + static void + threads_stop(struct lzma_stream_coder *coder) + { + for (uint32_t i = 0; i < coder->threads_initialized; ++i) { ++ // The threads that are in the THR_RUN state will stop ++ // when they check the state the next time. There's no ++ // need to signal coder->threads[i].cond. + mythread_sync(coder->threads[i].mutex) { +- // The state must be changed conditionally because +- // THR_IDLE -> THR_STOP is not a valid state change. +- if (coder->threads[i].state != THR_IDLE) { +- coder->threads[i].state = THR_STOP; +- mythread_cond_signal(&coder->threads[i].cond); +- } ++ coder->threads[i].state = THR_IDLE; + } + } + +@@ -1948,7 +1931,7 @@ stream_decoder_mt_init(lzma_next_coder *next, const lzma_allocator *allocator, + // accounting from scratch, too. Changes in filter and block sizes may + // affect number of threads. + // +- // FIXME? Reusing should be easy but unlike the single-threaded ++ // Reusing threads doesn't seem worth it. Unlike the single-threaded + // decoder, with some types of input file combinations reusing + // could leave quite a lot of memory allocated but unused (first + // file could allocate a lot, the next files could use fewer diff --git a/meta/recipes-extended/xz/xz/CVE-2025-31115-03.patch b/meta/recipes-extended/xz/xz/CVE-2025-31115-03.patch new file mode 100644 index 0000000000..892249d0b4 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2025-31115-03.patch 
@@ -0,0 +1,98 @@ +From 1b874b4f04909b7bb5259cb612ecef39a434dde8 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 3/4] liblzma: mt dec: Don't free the input buffer too early + (CVE-2025-31115) + +The input buffer must be valid as long as the main thread is writing +to the worker-specific input buffer. Fix it by making the worker +thread not free the buffer on errors and not return the worker thread to +the pool. The input buffer will be freed when threads_end() is called. + +With invalid input, the bug could at least result in a crash. The +effects include heap use after free and writing to an address based +on the null pointer plus an offset. + +The bug has been there since the first committed version of the threaded +decoder and thus affects versions from 5.3.3alpha to 5.8.0. + +As the commit message in 4cce3e27f529 says, I had made significant +changes on top of Sebastian's patch. This bug was indeed introduced +by my changes; it wasn't in Sebastian's version. + +Thanks to Harri K. Koskinen for discovering and reporting this issue. + +Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") +Reported-by: Harri K. Koskinen +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +(cherry picked from commit d5a2ffe41bb77b918a8c96084885d4dbe4bf6480) + +CVE: CVE-2025-31115 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/1b874b4f04909b7bb5259cb612ecef39a434dde8] +Signed-off-by: Peter Marko +--- + src/liblzma/common/stream_decoder_mt.c | 31 ++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index e1d07007..ce5e54ac 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -435,8 +435,7 @@ next_loop_unlocked: + } + + // Either we finished successfully (LZMA_STREAM_END) or an error +- // occurred. 
Both cases are handled almost identically. The error +- // case requires updating thr->coder->thread_error. ++ // occurred. + // + // The sizes are in the Block Header and the Block decoder + // checks that they match, thus we know these: +@@ -444,16 +443,30 @@ next_loop_unlocked: + assert(ret != LZMA_STREAM_END + || thr->out_pos == thr->block_options.uncompressed_size); + +- // Free the input buffer. Don't update in_size as we need +- // it later to update thr->coder->mem_in_use. +- lzma_free(thr->in, thr->allocator); +- thr->in = NULL; +- + mythread_sync(thr->mutex) { ++ // Block decoder ensures this, but do a sanity check anyway ++ // because thr->in_filled < thr->in_size means that the main ++ // thread is still writing to thr->in. ++ if (ret == LZMA_STREAM_END && thr->in_filled != thr->in_size) { ++ assert(0); ++ ret = LZMA_PROG_ERROR; ++ } ++ + if (thr->state != THR_EXIT) + thr->state = THR_IDLE; + } + ++ // Free the input buffer. Don't update in_size as we need ++ // it later to update thr->coder->mem_in_use. ++ // ++ // This step is skipped if an error occurred because the main thread ++ // might still be writing to thr->in. The memory will be freed after ++ // threads_end() sets thr->state = THR_EXIT. ++ if (ret == LZMA_STREAM_END) { ++ lzma_free(thr->in, thr->allocator); ++ thr->in = NULL; ++ } ++ + mythread_sync(thr->coder->mutex) { + // Move our progress info to the main thread. + thr->coder->progress_in += thr->in_pos; +@@ -474,8 +487,8 @@ next_loop_unlocked: + thr->coder->thread_error = ret; + + // Return the worker thread to the stack of available +- // threads. +- { ++ // threads only if no errors occurred. ++ if (ret == LZMA_STREAM_END) { + // Update memory usage counters. + thr->coder->mem_in_use -= thr->in_size; + thr->in_size = 0; // thr->in was freed above. diff --git a/meta/recipes-extended/xz/xz/CVE-2025-31115-04.patch b/meta/recipes-extended/xz/xz/CVE-2025-31115-04.patch new file mode 100644 index 0000000000..f80daceb4a --- /dev/null 
+++ b/meta/recipes-extended/xz/xz/CVE-2025-31115-04.patch 
@@ -0,0 +1,56 @@ +From 6ff5b8c55960f9ebc917b668bd3567ef217175fa Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Thu, 3 Apr 2025 14:34:42 +0300 +Subject: [PATCH 4/4] liblzma: mt dec: Don't modify thr->in_size in the worker + thread + +Don't set thr->in_size = 0 when returning the thread to the stack of +available threads. Not only is it useless, but the main thread may +read the value in SEQ_BLOCK_THR_RUN. With valid inputs, it made +no difference if the main thread saw the original value or 0. With +invalid inputs (when worker thread stops early), thr->in_size was +no longer modified after the previous commit with the security fix +("Don't free the input buffer too early"). + +So while the bug appears harmless now, it's important to fix it because +the variable was being modified without proper locking. It's trivial +to fix because there is no need to change the value. Only main thread +needs to set the value in (in SEQ_BLOCK_THR_INIT) when starting a new +Block before the worker thread is activated. + +Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") +Reviewed-by: Sebastian Andrzej Siewior +Thanks-to: Sam James +(cherry picked from commit 8188048854e8d11071b8a50d093c74f4c030acc9) + +CVE: CVE-2025-31115 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/6ff5b8c55960f9ebc917b668bd3567ef217175fa] +Signed-off-by: Peter Marko +--- + src/liblzma/common/stream_decoder_mt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/liblzma/common/stream_decoder_mt.c b/src/liblzma/common/stream_decoder_mt.c +index ce5e54ac..0cdb47d3 100644 +--- a/src/liblzma/common/stream_decoder_mt.c ++++ b/src/liblzma/common/stream_decoder_mt.c +@@ -491,8 +491,6 @@ next_loop_unlocked: + if (ret == LZMA_STREAM_END) { + // Update memory usage counters. + thr->coder->mem_in_use -= thr->in_size; +- thr->in_size = 0; // thr->in was freed above. 
+- + thr->coder->mem_in_use -= thr->mem_filters; + thr->coder->mem_cached += thr->mem_filters; + +@@ -1557,6 +1555,10 @@ stream_decode_mt(void *coder_ptr, const lzma_allocator *allocator, + } + + // Return if the input didn't contain the whole Block. ++ // ++ // NOTE: When we updated coder->thr->in_filled a few lines ++ // above, the worker thread might by now have finished its ++ // work and returned itself back to the stack of free threads. + if (coder->thr->in_filled < coder->thr->in_size) { + assert(*in_pos == in_size); + return LZMA_OK; diff --git a/meta/recipes-extended/xz/xz_5.6.4.bb b/meta/recipes-extended/xz/xz_5.6.4.bb index e48f4dbd7f..52bfd844b2 100644 --- a/meta/recipes-extended/xz/xz_5.6.4.bb +++ b/meta/recipes-extended/xz/xz_5.6.4.bb @@ -27,6 +27,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c02de712b028a5cc7e22472e8f2b3db1 \ SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${PV}.tar.gz \ file://run-ptest \ + file://CVE-2025-31115-01.patch \ + file://CVE-2025-31115-02.patch \ + file://CVE-2025-31115-03.patch \ + file://CVE-2025-31115-04.patch \ " SRC_URI[sha256sum] = "269e3f2e512cbd3314849982014dc199a7b2148cf5c91cedc6db629acdf5e09b" UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)"
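Review bot: the 01.patch hunk at `@@ -347,7 +347,7 @@` changes only a comment (`thr->mutex` to `thr->coder->mutex`) yet carries the same `CVE: CVE-2025-31115` tag as the actual fix; it is needed because the 02.patch hunk at `@@ -346,27 +341,6 @@` deletes that exact line (`+-/// This is called with thr->coder->mutex locked.`) and would not apply without it. State that in the commit message ("01 and 02 are prerequisites so that 03 applies cleanly", or similar) so a later maintainer does not drop the comment-only patch as noise when the series is rebased.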
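Review bot: the new comment in the 02.patch hunk at `@@ -544,17 +522,22 @@` says "The clean up will be done when threads_exit() is called", but the function that performs the cleanup is `threads_end()`: that is the name in the hunk header and in the commit message ("The resources will be cleaned up when threads_end() is called"), and no `threads_exit()` appears anywhere in the diff. As a verbatim backport it should not be edited in this recipe, but it is worth reporting upstream so the line reads `/// The clean up will be done when threads_end() is called;`.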
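Review bot: the `xz_5.6.4.bb` hunk at `@@ -27,6 +27,10 @@` lists the four patches in series order, and that order is load-bearing: the 03.patch hunk at `@@ -474,8 +487,8 @@` rewrites the bare `{` block that the 02.patch hunk at `@@ -510,7 +473,22 @@` introduced, 04.patch then removes the `thr->in_size = 0;` line inside that same block, and 02 in turn removes the comment line 01 rewrote. The `-01` to `-04` file-name prefixes make the dependency explicit; keep any further CVE-2025-31115 follow-ups numbered the same way so `do_patch` applies them in sequence rather than in directory order.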