From patchwork Wed May 28 14:43:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63736 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DC83C5B552 for ; Wed, 28 May 2025 14:43:28 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web11.17460.1748443403567543611 for ; Wed, 28 May 2025 07:43:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=GlgWsxnW; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-2301ac32320so40147255ad.1 for ; Wed, 28 May 2025 07:43:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443403; x=1749048203; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WcV6RXVl2W/k8OYrFCz9d9PsMuwv9JO1cGtQOucJn9o=; b=GlgWsxnWHpktqJxVmwrbxi0Q0lstqMeipojov+mAuqoPUt05W9b/5i+VlbK/sPLQtb 5Oq1IUCvlMYh1oLzKLYTLJyuAWMtNI+IB6h9prrscLZtnCLUi+sPsnOXA+VYUaQw3ZuV YYU9djZ+tvtLZbd3EgfxQIwikehPPPfVYXPnM/+fMmbclQEtU2xuAQ6lewbUlyrmbis0 CiWRQ1UP83oB2ZH6+WRkOmQ/JVdgdvrl08PYjq3DTs7HbZQqIzgbXjWzcj9pC1y1hhcU eWPvKOZDZspNZgjMl94GdJKf2HtNbvs1w1mAGUhxdzbR4ZWzTA5Aoa3okgFWUQfIBVZw QyGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443403; x=1749048203; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WcV6RXVl2W/k8OYrFCz9d9PsMuwv9JO1cGtQOucJn9o=; b=UTVpWeZIeWANMG7CLP9MQ1tlqWIwuvUm4LUAbrKkmP/WWhr5F9OvpX/L+X4BGymOBz 1MkQHXpGFLyCyAYbGYkzFjbu9bkbzVdOVFZ1538mTD5TT8BfTGyjtjD+S9vykGnCNLKz dbjVutpo/6rQ/lu436Qzu3oX1g1s51OESbVV2IkFlSkZnfUSEALK7afudRHdMPaOhrnB 59OyVBlKrMXIj4PLOfVEppcLUVCUv9JfyISw8F4FVzLWcg7AcX/XTPXzIi5N5vMd05A/ /Ymx0lkW5TKIeR3XxGGepCcmueKCIPD9HQgqzCD/rySUuJ551i1VUuQ6FQbeRfN05wV0 wSIA== X-Gm-Message-State: AOJu0YxE6drf/hvs3zj1R08Rrnq8ruGEmyW6S7IZjfK1aWzbz4ft+5jp QqmsMSu38CQuLNFoGIwuaJ+potsi7B/t093AhS5XpNvdOs2ZcL/Wqa3jT8P/sFI5+uOEbO1urJr /duha X-Gm-Gg: ASbGncvLlb4TeNc45s0omeo5/F2ftMd8+KHdTqtBPbwqYFH88aEcYuADk08DP6q/BBe gDnEjzPwnwQGkFLJvzPtsq8bkKf8aUy9jKgUohUpexK7hrOcFiQEcCtL18ogaPVnwvWE0Ps8+Es QSE/gTjnKcAefSMo8wnhVRrQgYxkZAIOv16iMSEGo84ySgZtXXNl9vrHyB4xl8Pvb1j1kZd8944 OAdRTOTwlRCFNEa4sht3f7iWicRv8h6UIw/lK+j3Har9S9LA7WdNTexYuIy8RUcOjHIfhqKyIvg AH5yoy6D0ffQdnM8zP63eaLMAEdqabw49Mecu7RzSLgdp9N1F2kKUQ== X-Google-Smtp-Source: AGHT+IEfN+8WaTtmuk5+Ytb5dPgwBwFt3VIIM/XpJigds6KK0vzG2x1IpPpu0qtNTh/r0bIlFd5HGQ== X-Received: by 2002:a17:903:230c:b0:231:ba23:c7e5 with SMTP id d9443c01a7336-23414f55ee4mr246568135ad.6.1748443402715; Wed, 28 May 2025 07:43:22 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 01/11] libsoup-2.4: Fix CVE-2025-32910 Date: Wed, 28 May 2025 07:43:04 -0700 Message-ID: <0fc936f23e6f70021acf4e711ef49d3a5cc966fe.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217353 From: Vijay Anusuri import patch from debian to fix CVE-2025-32910 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe & https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a & https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417 https://security-tracker.debian.org/tracker/CVE-2025-32910 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++++++++++ .../libsoup-2.4/CVE-2025-32910-2.patch | 148 ++++++++++++++++++ .../libsoup-2.4/CVE-2025-32910-3.patch | 26 +++ .../libsoup/libsoup-2.4_2.74.3.bb | 3 + 4 files changed, 274 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch new file mode 100644 index 0000000000..de4faf5380 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch @@ -0,0 +1,97 @@ +From: Patrick Griffis +Date: Sun, 8 Dec 2024 20:00:35 -0600 +Subject: auth-digest: Handle missing realm in authenticate header + +(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 3 +++ + tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index e8ba990..263a15a 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + ++ if (!soup_auth_get_realm (auth)) ++ return FALSE; ++ + g_free (priv->domain); + g_free (priv->nonce); + g_free (priv->opaque); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 8295ec3..dfc6b09 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void) + soup_test_session_abort_unref (session); + } + ++static void ++on_request_read_for_missing_realm (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) ++{ ++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++} ++ ++static void ++do_missing_realm_test (void) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ SoupServer *server; ++ SoupAuthDomain *digest_auth_domain; ++ gint status; ++ GUri *uri; ++ ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ soup_server_add_handler (server, NULL, ++ server_callback, NULL, NULL); ++ uri = soup_test_server_get_uri (server, "http", NULL); ++ ++ digest_auth_domain = soup_auth_domain_digest_new ( ++ "realm", "auth-test", ++ "auth-callback", server_digest_auth_callback, ++ NULL); ++ soup_auth_domain_add_path (digest_auth_domain, "/"); ++ soup_server_add_auth_domain (server, digest_auth_domain); ++ g_object_unref (digest_auth_domain); ++ ++ g_signal_connect (server, "request-read", ++ G_CALLBACK (on_request_read_for_missing_realm), ++ NULL); ++ ++ session = soup_test_session_new (NULL); ++ msg = soup_message_new_from_uri ("GET", uri); ++ g_signal_connect (msg, "authenticate", ++ G_CALLBACK (on_digest_authenticate), ++ NULL); ++ ++ status = soup_test_session_send_message (session, msg); ++ ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); ++ g_uri_unref (uri); ++ soup_test_server_quit_unref (server); ++} ++ + int + main (int argc, char **argv) + { +@@ -1576,6 +1625,7 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch new file mode 100644 index 0000000000..0d72afa1d6 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch @@ -0,0 +1,148 @@ +From: Patrick Griffis +Date: Thu, 26 Dec 2024 18:18:35 -0600 +Subject: auth-digest: Handle missing nonce + +(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++---------- + tests/auth-test.c | 19 +++++++++++-------- + 2 files changed, 46 insertions(+), 18 deletions(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 263a15a..393adb6 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop) + return g_string_free (out, FALSE); + } + ++static gboolean ++validate_params (SoupAuthDigest *auth_digest) ++{ ++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest); ++ ++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) { ++ if (!priv->nonce) ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + static gboolean + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + GHashTable *auth_params) +@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + if (priv->algorithm == -1) + ok = FALSE; + +- stale = g_hash_table_lookup (auth_params, "stale"); +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) +- recompute_hex_a1 (priv); +- else { +- g_free (priv->user); +- priv->user = NULL; +- g_free (priv->cnonce); +- priv->cnonce = NULL; +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ if (!validate_params (auth_digest)) ++ ok = FALSE; ++ ++ if (ok) { ++ stale = g_hash_table_lookup (auth_params, "stale"); ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp) ++ recompute_hex_a1 (priv); ++ else { ++ g_free (priv->user); ++ priv->user = NULL; ++ g_free (priv->cnonce); ++ priv->cnonce = NULL; ++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); ++ } + } + + return ok; +@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp, + + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */ + ++ g_assert (nonce && cnonce); ++ + checksum = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method, + if (qop) { + char tmp[9]; + ++ g_assert (cnonce); ++ + g_snprintf (tmp, 9, "%.8x", nc); + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp)); + g_checksum_update (checksum, (guchar *)":", 1); +@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg) + g_return_val_if_fail (uri != NULL, NULL); + url = soup_uri_to_string (uri, TRUE); + ++ g_assert (priv->nonce); ++ g_assert (!priv->qop || priv->cnonce); ++ + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1, + priv->qop, priv->nonce, + priv->cnonce, priv->nc, +diff --git a/tests/auth-test.c b/tests/auth-test.c +index dfc6b09..6fb1e4a 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void) + } + + static void +-on_request_read_for_missing_realm (SoupServer *server, +- SoupServerMessage *msg, +- gpointer user_data) ++on_request_read_for_missing_params (SoupServer *server, ++ SoupServerMessage *msg, ++ gpointer user_data) + { ++ const char *auth_header = user_data; + SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\""); ++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); + } + + static void +-do_missing_realm_test (void) ++do_missing_params_test (gconstpointer auth_header) + { + SoupSession *session; + SoupMessage *msg; +@@ -1582,8 +1583,8 @@ do_missing_realm_test (void) + g_object_unref (digest_auth_domain); + + g_signal_connect (server, "request-read", +- G_CALLBACK (on_request_read_for_missing_realm), +- NULL); ++ G_CALLBACK (on_request_read_for_missing_params), ++ (gpointer)auth_header); + + session = soup_test_session_new (NULL); + msg = soup_message_new_from_uri ("GET", uri); +@@ -1625,7 +1626,9 @@ main (int argc, char **argv) + g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); + g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); + g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test); +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test); ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch new file mode 100644 index 0000000000..ab0f650804 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch @@ -0,0 +1,26 @@ +From: Patrick Griffis +Date: Fri, 27 Dec 2024 13:52:52 -0600 +Subject: auth-digest: Fix leak + +(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index 393adb6..a1db188 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object) + g_free (priv->nonce); + g_free (priv->domain); + g_free (priv->cnonce); ++ g_free (priv->opaque); + + memset (priv->hex_urp, 0, sizeof (priv->hex_urp)); + memset (priv->hex_a1, 0, sizeof (priv->hex_a1)); diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index fa4dece0e9..b27c56895b 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32906-2.patch \ file://CVE-2025-32909.patch \ file://CVE-2025-46420.patch \ + file://CVE-2025-32910-1.patch \ + file://CVE-2025-32910-2.patch \ + file://CVE-2025-32910-3.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 28 14:43:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63734 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C7EFC3ABB2 for ; Wed, 28 May 2025 14:43:28 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.17582.1748443405370528031 for ; Wed, 28 May 2025 07:43:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=OaM/sIie; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-2345c60507bso23063875ad.0 for ; Wed, 28 May 2025 07:43:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443404; x=1749048204; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kTyS9t7U0u++9m6Z3nCxe39ZPajc0eM8YarhcsuI+Gk=; b=OaM/sIiejv460QftawfzRp7ZNFTgZQ5zPGg2XlX3xZAZDHTKdUNJaONVD37d/rqZO+ J9jMupMCmJQWpPgXs0RDMpt4U1oOv8TndQ8p6By4JdRrOWGhQoTpRjJTJJWm6eKbAmKO yku9vgieF8+82iB+IOY61baouaO9HhdvV9tlMzGBN4WbkXRP1J0NIcqN01gzfpq42Xvr wmlL5KfJQikA2k8GqoPuZEEX/71p3M20JF6KGmnwtLex1rOp8zFt2FzB2U4PkbIl4t5P QMsR+IXaKOahuevkQHKc4Jmebvrk8sO0IfNc3cS4eKyqDbihxh4PQkUoesjI3cvz/gM8 oqLg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443404; x=1749048204; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kTyS9t7U0u++9m6Z3nCxe39ZPajc0eM8YarhcsuI+Gk=; b=FOjyBl+qfK8GfJMJEuBMHH6gUoTR0cjKw5FjPdEiRm9BjQIvR4YdyILr4QZQQZsrvi KZPiZnUHg6kMB415C/EAbLkVCqGtXk2f3Cuqj2VEhDnkxEnnJchd0QGj5rj8OTJjgLmk q3LIDTjmU9vs1OFaL4il/85mvEzIZoX4/E8gm2D6kCzWrrclQ8j9DJkvVaBn6T2l+Sxz VO7sEkK9+cWnsA3ZMTN3ssqK1jDeuSHAm3IPtHeCWg1/WKPpJQJK/1F9zx+S2LtW/WXT o3XZAMOP1qz7UO/Ox2Nqu+Roz/tmlDbeSIAvAubWqoLOOjADlunDXJivowfa0glhfOPe TNfQ== X-Gm-Message-State: AOJu0YyATirrrxDv/JnbFMKzs++alfjboullXxJO6vFSVnwfujldmEJO Jlx8Zz/1aS0N8UBv4o4hrAHQaVR1YEiln+Eo+di7LHwd3wC24wTlIC1G683o5ozeXYC/5+AaUTp IErt/ X-Gm-Gg: ASbGncvv/kir3piieJhnkWVmk9u6F5lJLGvD9yt+RP76rgLyyJbDopKqVjpDzrehO56 u5lUAMMQPh3R+Kgxj3QqzECHP0SQwK662StY2KDj2Al9az/RnuhX9cniVJoL4e4+4fhYZ5M6xQe R48LctvEJMjy+KjSajItIfjM30WgyqI+EDbnaBdK4/3X15hU8x2gH3YYcickPpYP7fzkpNfZkNU Gs7DEqolaJImANgyhVgOQMphK+YJpLg1CyJ9pcjhE4OQgIgsjeYlTUUWiST8LZ6S3Gd152tfhSb M1jSdRA0wnUbRFYhatgrJXRlIpOezjeOQPfT6cPSL1w= X-Google-Smtp-Source: AGHT+IE5qZAwrSGhx6wfiIzeBkqh/njgJfzdhe9Lz3ZVPwHsWwQbZNQLaIrNJeORLEZJtK2nIsS7xQ== X-Received: by 2002:a17:903:3a86:b0:224:23ab:b88b with SMTP id d9443c01a7336-23414f48ec8mr234204785ad.8.1748443404547; Wed, 28 May 2025 07:43:24 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:24 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 02/11] libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913 Date: Wed, 28 May 2025 07:43:05 -0700 Message-ID: <7bdeb2217253a86c941edb7c4c28ba57d855c606.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217354 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++++++++++++ .../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 118 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch new file mode 100644 index 0000000000..4652635294 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch @@ -0,0 +1,72 @@ +From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 17:53:50 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34] +CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 13 +++++++++---- + tests/header-parsing-test.c | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 56cc1e9d..04f4c302 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + */ + if (params && g_hash_table_lookup_extended (*params, "filename", + &orig_key, &orig_value)) { +- char *filename = strrchr (orig_value, '/'); +- +- if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ if (orig_value) { ++ char *filename = strrchr (orig_value, '/'); ++ ++ if (filename) ++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ } else { ++ /* filename with no value isn't valid. */ ++ g_hash_table_remove (*params, "filename"); ++ } + } + return TRUE; + } +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 5e423d2b..d0b360c8 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1039,6 +1039,7 @@ do_param_list_tests (void) + #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\"" + #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar" ++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename" + + static void + do_content_disposition_tests (void) +@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void) + g_assert_cmpstr (parameter2, ==, "bar"); + g_hash_table_destroy (params); + ++ /* Empty filename */ ++ soup_message_headers_clear (hdrs); ++ soup_message_headers_append (hdrs, "Content-Disposition", ++ RFC5987_TEST_HEADER_EMPTY_FILENAME); ++ if (!soup_message_headers_get_content_disposition (hdrs, ++ &disposition, ++ ¶ms)) { ++ soup_test_assert (FALSE, "empty filename decoding FAILED"); ++ return; ++ } ++ g_assert_false (g_hash_table_contains (params, "filename")); ++ g_hash_table_destroy (params); ++ + soup_message_headers_free (hdrs); + + /* Ensure that soup-multipart always quotes filename */ +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch new file mode 100644 index 0000000000..5d9f33c736 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch @@ -0,0 +1,44 @@ +From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Fri, 27 Dec 2024 18:00:39 -0600 +Subject: [PATCH] soup_message_headers_get_content_disposition: strdup + truncated filenames + +This table frees the strings it contains. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0] +CVE: CVE-2025-32911 CVE-2025-32913 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-message-headers.c | 2 +- + tests/header-parsing-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 04f4c302..ee7a3cb1 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs, + char *filename = strrchr (orig_value, '/'); + + if (filename) +- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1); ++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1)); + } else { + /* filename with no value isn't valid. */ + g_hash_table_remove (*params, "filename"); +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index d0b360c8..07ea2866 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void) + soup_test_assert (FALSE, "empty filename decoding FAILED"); + return; + } ++ g_free (disposition); + g_assert_false (g_hash_table_contains (params, "filename")); + g_hash_table_destroy (params); + +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index b27c56895b..8d974c2d59 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://CVE-2025-32911_CVE-2025-32913-1.patch \ + file://CVE-2025-32911_CVE-2025-32913-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 28 14:43:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63733 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D76BC5AD49 for ; Wed, 28 May 2025 14:43:28 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.17585.1748443406850528698 for ; Wed, 28 May 2025 07:43:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=EXQfGQ64; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-234b9dfb842so14767795ad.1 for ; Wed, 28 May 2025 07:43:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443406; x=1749048206; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zCZb+XlXEchNmrzOVu+nDXdy6z9c+9K14oZmiIgy6aY=; b=EXQfGQ64ZZ9+C+v1cNI2yieOkCPS9B2BlaNafN3WFr/qVpHima9khD5Wq0D6O1163C qO45P7tKN9VMubyWDexJ/UL1gu6cMlKvjmx3h4bRp8wUg2gYmMwkD1WY2aTWF7qM4XYf jqsJs4NSgRPI5HGyZoXvZbjSRJHgCceMEEibRelnKihBqV2hxq7Mw+sV/0HkfH+3nKzl Mt/9ooVUr3MvNjLd1RHA6NHsBirAT0v0ygn1myvuMcZz7ZxeleBxCg8ba4muBcwfLsE7 talfBVikbNcQnSxl/xOygtXCurbwNFsBVRXYWzXFtD1j1zwKX5Sll62b0Mt7D0xpcGy/ yqcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443406; x=1749048206; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zCZb+XlXEchNmrzOVu+nDXdy6z9c+9K14oZmiIgy6aY=; b=gQDKrQjOc+SAHDXFI+FYRmRD0fYJBVXGeJSL9FuSeqZMuI69qSHXU1kblP8GmE29cp 4W8mMhtqu+jVBldbfJM1i5WmAkn0AxR5/t9P1APXHs98Ki5n7ouPQrX0ww/sLU30vo8v Gy15xZk5qXBScxecQ5vfk5/eYIiFd6WtpddF9bU62eg/TfxGBOITMzdHqVBhAf0yqBRt awoLx+oKyfyV7DxIw7ApF2Rg6jUQI1UYP5nxqpDiGkRW9YAnOX9/e7qbMUulusfkbLGk sk612DWKnwyB76HC3v7g8jeiMIKqnDqTnfU15ow5vSMlo7wTW3SRWlFx4hlD52kT7q83 ecxQ== X-Gm-Message-State: AOJu0YxwvhROyVW2R365KcHAjpIYYTXopqWQRnkB186n6wlp6KbVUfKN NHbSL/nKMUtEaY3wki7M19Rar+X1egpn7t8lhZpm8IAUWCe8MxSoFpEBFe20zK6EwyTiuuD7j88 N+Dak X-Gm-Gg: ASbGncs5M+1uRnpVQZU4ftJHYdSI+C8RxsEn+jxb98bGERQjc7yuXbznyYjfPxDYTaS Kt1dY6yGcV/Yqu09UMcLrARHrPzqIye7193QYQvrwt88Ie+62aMmM0oi77te0dVnGLw4gP/+EyU zpfAQVKsxxC1VzuUSNr00p0+X1qrnQVCWmCTNVFCSr+j/oWPxlDesXDCpsZ1+qnHNL8YZREEYpz X45G8Nw1kdGglpVhCptca1TCJayCtQol8afGAEb5cMjL6d7XYukzDFPMgSg3LtcqFc29NtKyBqd 6kixJ4y6pYOpztjuGEkNkj/5FjxptMxLufGYOuUQbnw= X-Google-Smtp-Source: AGHT+IEt4F8i8NYj+wOqtx6gii/Y55rPy3CMG8MUk8Z7TCcP5FAzoquEcWHd7rcdMQw2tm+KMCH4jA== X-Received: by 2002:a17:902:f786:b0:234:a734:4ab1 with SMTP id d9443c01a7336-234a7344c4cmr82458735ad.3.1748443406049; Wed, 28 May 2025 07:43:26 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/11] libsoup-2.4: Fix CVE-2025-32912 Date: Wed, 28 May 2025 07:43:06 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217355 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libsoup-2.4/CVE-2025-32912-1.patch | 41 +++++++++++++++++++ .../libsoup-2.4/CVE-2025-32912-2.patch | 30 ++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 2 + 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch new file mode 100644 index 0000000000..2a6f37cb58 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch @@ -0,0 +1,41 @@ +From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Wed, 5 Feb 2025 14:03:05 -0600 +Subject: [PATCH 1/2] auth-digest: Handle missing nonce + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 2 +- + tests/auth-test.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index a1db188..f0edb81 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth)) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 6fb1e4a..343d7a5 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1629,6 +1629,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test); + g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test); ++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test); + + ret = g_test_run (); + +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch new file mode 100644 index 0000000000..4898068115 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch @@ -0,0 +1,30 @@ +From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001 +From: Patrick Griffis +Date: Sat, 8 Feb 2025 12:30:13 -0600 +Subject: [PATCH 2/2] digest-auth: Handle NULL nonce + +`contains` only handles a missing nonce, `lookup` handles both missing and empty. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f] +CVE: CVE-2025-32912 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c +index f0edb81..c49ffd9 100644 +--- a/libsoup/soup-auth-digest.c ++++ b/libsoup/soup-auth-digest.c +@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg, + guint qop_options; + gboolean ok = TRUE; + +- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce")) ++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce")) + return FALSE; + + g_free (priv->domain); +-- +2.25.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 8d974c2d59..509026c4ff 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -28,6 +28,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-3.patch \ file://CVE-2025-32911_CVE-2025-32913-1.patch \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ + file://CVE-2025-32912-1.patch \ + file://CVE-2025-32912-2.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 28 14:43:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63737 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77458C5AD49 for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web10.17587.1748443408848431237 for ; Wed, 28 May 2025 07:43:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=u71F7/4o; spf=softfail (domain: sakoman.com, ip: 209.85.214.179, mailfrom: steve@sakoman.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2347012f81fso37080865ad.2 for ; Wed, 28 May 2025 07:43:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443408; x=1749048208; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7Hcpk/NR3WX9Q4Sm8Bb0hd9k9Ivt2M8HXlfWkulHX0k=; b=u71F7/4o2e8icGmFBuiCz/RyhPF+6Z+HEPm9xLfwqCVo2UPgVyQ1MO6Y0H9ti9VDXM k+F2a4We1+C67Ny9CIW2tsdhOZGL4J8uEIk+TsOvAHFE+LNnvGaMXN3xjl3a+LFFIRzB xL8a6P7cyGtUixcAF8H/JwUKzTQvjWDSddQ8tnBBVP7u5ijPJc3AWoQLPKtq2abzFMS6 OOlIvBzgyMp/Y9l6z3R4FNhySCYAFtuY8zgDB+COaELtkhBlsL2rsMgLOvoI9rPGLc9i 9sNI41kXk6zbfmRrZxQ0yhIJZbugvL/oz7mfo9Tr3BhcUPKwly9PcPc/4+iETEQahKsn Wqjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443408; x=1749048208; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7Hcpk/NR3WX9Q4Sm8Bb0hd9k9Ivt2M8HXlfWkulHX0k=; b=hr1X2YPYKj667bG2d8he6J6pI5uFLMIkPQoiwogksNrddSJGIgBS+CVLDY4k44PH0B fZ1X3YDvMXsEtmrKUZfaO6TajgDzvMJIDcnMOh2mC6MtUuO7bDBAK8mqCUjxEKtZExQQ vdyozN8E+E2xSKlZRBkBZbaAr1crJNh5dOhjosg7TFn2XY3unQ5OvHPMR/JpHx8T+vC0 M4ivVV8W1qCPO2X++6YPqaguLP/nQMFvu0WU+zgd+/8lYUd812LR6KJZ9Y2NQTU7kpAs +ukhiGQt08wNsExF9C8rwl9U7ponV2g9Fr7g4ol7SlgZvAPBwR5gr2ikVQKDnNu8eSRh fg+A== X-Gm-Message-State: AOJu0YwdnDKVdwEQQpgHY1VGIwCdpUdc1WfP0eOsRvUBNMf7mVqEOasI V+rtQ8xlODXYbLXxh8Jvv/MnAJGLsMsGGXtg3iwDOPutimTzRyMlGYT0cSWqNPnHXf7EXN+F0NH hKsUV X-Gm-Gg: ASbGncthdpKbNv2SK90gQlUajwxJuIi92bgcZwFx4CjrCeja7gPBNAeswSKluabL49A EIFWdPc6ZeYd6atGhNY2jG5EsO8Hv4BqXL4x9dW/CzfZHm6IxTCaQMyuPOyndMKfXMnFwW2Xos4 meqQLqjP4Tf4R7oQ4nAqdWLlIY0L9OLoW210SoYUe/Y2hXQCMHpJ7dHebRiP4TzofERFGZ06ftE EeJ6gq16lCe7DrlZ95SHbtCi5K7cfJ5u/ns6v8hrVS16skottmQhccGSBnqPZYDrpXJURW3WS5M rXNVTO3tnTzNgFoka+OwKYKCpkU0ggtDAPR3Z+2cVFU= X-Google-Smtp-Source: AGHT+IH1exyjMoHRz1ysldhzrKbmVJz0L0S1hsannXM5igtZG80j+Q2La9qIAlWKxckfpTWaJQ/O8A== X-Received: by 2002:a17:902:cf0e:b0:234:de0a:b36e with SMTP id d9443c01a7336-234de0ab44cmr22223955ad.49.1748443407980; Wed, 28 May 2025 07:43:27 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:27 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/11] libsoup-2.4: Fix CVE-2025-32914 Date: Wed, 28 May 2025 07:43:07 -0700 Message-ID: <8eba970123aca651cbce13e52d43ddaddd76a7cc.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217356 From: Vijay Anusuri import patch from debian to fix CVE-2025-32914 Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450 https://security-tracker.debian.org/tracker/CVE-2025-32914 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-32914.patch | 137 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.3.bb | 1 + 2 files changed, 138 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch new file mode 100644 index 0000000000..e6d4607b5e --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch @@ -0,0 +1,137 @@ +From: Milan Crha +Date: Tue, 15 Apr 2025 09:03:00 +0200 +Subject: multipart: Fix read out of buffer bounds under + soup_multipart_new_from_message() + +This is CVE-2025-32914, special crafted input can cause read out of buffer bounds +of the body argument. + +Closes #436 + +(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf) + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf] +CVE: CVE-2025-32914 +Signed-off-by: Vijay Anusuri +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 86 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a7e550f..dd93973 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + return NULL; + } + +- split = strstr (start, "\r\n\r\n"); ++ split = g_strstr_len (start, body_end - start, "\r\n\r\n"); + if (!split || split > end) { + soup_multipart_free (multipart); + soup_buffer_free (flattened); +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index 64a5ebf..834b181 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -479,6 +479,89 @@ test_multipart (gconstpointer data) + g_main_loop_unref (loop); + } + ++static void ++test_multipart_bounds_good (void) ++{ ++ #define TEXT "line1\r\nline2" ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers, *set_headers = NULL; ++ //GBytes *bytes, *set_bytes = NULL; ++ GBytes *bytes; ++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n"; ++ gboolean success; ++ SoupMessageBody *body = soup_message_body_new (); ++ SoupBuffer *set_buffer = NULL; ++ gconstpointer data; ++ gsize size; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ data = g_bytes_get_data(bytes, NULL); ++ size = g_bytes_get_size(bytes); ++ ++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size); ++ ++ //multipart = soup_multipart_new_from_message (headers, bytes); ++ multipart = soup_multipart_new_from_message (headers, body); ++ ++ soup_message_body_free (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer); ++ g_assert_true (success); ++ g_assert_nonnull (set_headers); ++ //g_assert_nonnull (set_bytes); ++ g_assert_nonnull (set_buffer); ++ //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes)); ++ g_assert_cmpint (strlen (TEXT), ==, set_buffer->length); ++ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL)); ++ //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes)); ++ g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length); ++ ++ soup_message_headers_free (headers); ++ g_bytes_unref (bytes); ++ ++ soup_multipart_free (multipart); ++ ++ #undef TEXT ++} ++ ++static void ++test_multipart_bounds_bad (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n"; ++ SoupMessageBody *body = soup_message_body_new (); ++ gconstpointer data; ++ gsize size; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ data = g_bytes_get_data(bytes, NULL); ++ size = g_bytes_get_size(bytes); ++ ++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size); ++ ++ /* it did read out of raw_data/bytes bounds */ ++ //multipart = soup_multipart_new_from_message (headers, bytes); ++ multipart = soup_multipart_new_from_message (headers, body); ++ g_assert_null (multipart); ++ ++ soup_message_body_free (body); ++ ++ soup_message_headers_free (headers); ++ g_bytes_unref (bytes); ++} ++ + int + main (int argc, char **argv) + { +@@ -508,6 +591,8 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart); + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); ++ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); ++ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); + + ret = g_test_run (); + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb index 509026c4ff..b986e2eea2 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb @@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ file://CVE-2025-32912-1.patch \ file://CVE-2025-32912-2.patch \ + file://CVE-2025-32914.patch \ " SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13" From patchwork Wed May 28 14:43:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63742 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0A00C5B552 for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web10.17588.1748443411224211819 for ; Wed, 28 May 2025 07:43:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CDPM4GmF; spf=softfail (domain: sakoman.com, ip: 209.85.214.180, mailfrom: steve@sakoman.com) Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-231e98e46c0so39314095ad.3 for ; Wed, 28 May 2025 07:43:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443410; x=1749048210; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=p2lmgwRK8On1u/JPoOty3Nt3K2xTH+rDZIsKuvF+q08=; b=CDPM4GmF87Gk8wI4vdm02rCfNEW6m/lpQ3kiGnGt76BhVQ/cr25Ya5SjEGUKCVXCjE I3l7Vp9gdA+dxRGE7G5UiphXBNBXC/6HkI/vqC1mb+tprn04TEwVquWCvAM7BxpNSeQk Vc7AMxubQzP7NOqGeQVadW1Y1GqZ3X9KOEgdlAda+kkjKDhL43PxPMzhk6A4Yfx5iWux TztNcQgGSKS49Fsl2Ih2P5MZ6uQ7eVkawsQPnJ845LSyCablcUIKX0oJ+gVUlXDbjAn7 QwJPkVXv5GWVsmwToLdPX0JZ+OCN7J2udbiimKUlaszlJVswCL03rLzxu8DDj+Mkzu2H j+rQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443410; x=1749048210; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p2lmgwRK8On1u/JPoOty3Nt3K2xTH+rDZIsKuvF+q08=; b=aqfY4HiF5NWz241w9HNY7G1P2ylsguDftolxijiMBR3zr222yALQxZRliWRUhYZD0n MQKrGRBTFo1psFNaAPd00yGIOGk9L75syEhU/Tbob/rXMmnrZE1P4Mfm3SBwcYMOoHJw puylEhpRz5VnHN9QuP4DSXw8Omyivqe88OL3I9nyiJueuGgh8RYFIt/B+OO/bOeZFb5t UhUTETKrR7xn/IPDaCYiOfzTeozgMoZrO71lMmRB4aNsZ46TY/AnhugmHOKnlcMCPoyK Nx+mGimZwiUA9e2wnc58FMyDh/Gv2EumTNkM6LgZ8272UErtw9FCDtcEdc8AuW4jcM+5 1gwA== X-Gm-Message-State: AOJu0YyZ6QfYeWmBlFfKZ/JNjnLKwbwAaAOhefofculRuu4gI/OPY9ig uMqSyX4tV4PMXqA4bjzjWBssIueglogtiTM8FaXfGl3XbntsSzslq9JGcPVFdC19vBXlSUDBM2j xgbtp X-Gm-Gg: ASbGncvB9OBlBYjYC5AW4tcXA4eSEGfeyaf56G0elztcG6d8nL0qYtOFwjC9hDIgOw5 wo2zJICVxIb6ZcgT+5yvY4hDyZtbUtXkCEKzgx/AGgE1uKGnPC6qQZMfnXHNkn8a90kx4UfkZAz qmgcQPVnpuRBY5K2dfh43ZrqFVsTHD5QdidHxNnmVBhU2auhszN3ondS2ysR7wl/dJFbDh25d2F YCmY/P59qr1lUCabEBsQeGgR5r2S3gU23qXEYrdPDbk+MS4Uj/H28SLfvp4bo9r8nmoRKfH99L4 j5enpjAuRhZ9AEGo7OwgKaOLpf3mf5MOC1JNcT9Flig= X-Google-Smtp-Source: AGHT+IHdIxaS/AaMvEQFqi+vLYHkd8Xe1L4xXk6LXgfqz1k2WS9OhaalY9iGkF6e8SgApry1Pci6qw== X-Received: by 2002:a17:903:1947:b0:234:c8ec:51b5 with SMTP id d9443c01a7336-234c8ec551cmr52259085ad.53.1748443409881; Wed, 28 May 2025 07:43:29 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:29 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/11] binutils: Fix CVE-2025-1179 Date: Wed, 28 May 2025 07:43:08 -0700 Message-ID: <8f54548f784ef60eaf7fb6b3f539d48b0f7192a3.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217357 From: Harish Sadineni CVE-2025-1179-pre.patch is dependency patch for CVE-2025-1179.patch Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141322.html && https://sourceware.org/pipermail/binutils/2025-May/141321.html] CVE: CVE-2025-1179 cherry picked from upstream commit: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=67e30b15212adc1502b898a1ca224fdf65dc110d https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1d68a49ac5d71b648304f69af978fce0f4413800 Signed-off-by: Harish Sadineni Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.42.inc | 2 + .../binutils/binutils/CVE-2025-1179-pre.patch | 1086 +++++++++++++++++ .../binutils/binutils/CVE-2025-1179.patch | 269 ++++ 3 files changed, 1357 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index bc826753cf..6d0390b5a9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -48,5 +48,7 @@ SRC_URI = "\ file://0019-CVE-2025-1153-1.patch \ file://0020-CVE-2025-1153-2.patch \ file://0021-CVE-2025-1153-3.patch \ + file://CVE-2025-1179-pre.patch \ + file://CVE-2025-1179.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch new file mode 100644 index 0000000000..b5bf27ec6d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch @@ -0,0 +1,1086 @@ +From 1d68a49ac5d71b648304f69af978fce0f4413800 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Tue, 23 Jul 2024 23:39:50 -0700 +Subject: [PATCH 1/2] x86: Improve TLS transition error check + +Provide detailed TLS transition errors when unsupported instructions are +used. Treat R_X86_64_CODE_4_GOTTPOFF and R_X86_64_CODE_6_GOTTPOFF as +R_X86_64_GOTTPOFF when performing TLS transition. + +bfd/ + + PR ld/32017 + * elf32-i386.c (elf_i386_check_tls_transition): Return different + enums for different errors. + (elf_i386_tls_transition): Change argument from r_symndx to sym. + Call _bfd_x86_elf_link_report_tls_transition_error to report TLS + transition errors. + (elf_i386_scan_relocs): Pass isym instead of r_symndx to + elf_i386_tls_transition. + (elf_i386_relocate_section): Pass sym instead of r_symndx to + elf_i386_tls_transition. + * elf64-x86-64.c (elf_x86_64_check_tls_transition): Return + different enums for different errors. + (elf_x86_64_tls_transition): Change argument from r_symndx to sym. + Treat R_X86_64_CODE_4_GOTTPOFF and R_X86_64_CODE_6_GOTTPOFF as + R_X86_64_GOTTPOFF. Call + _bfd_x86_elf_link_report_tls_transition_error to report TLS + transition errors. + (elf_x86_64_scan_relocs): Pass isym instead of r_symndx to + elf_x86_64_tls_transition. + (elf_x86_64_relocate_section): Pass sym instead of r_symndx to + elf_x86_64_tls_transition. + * elfxx-x86.c (_bfd_x86_elf_link_report_tls_transition_error): New. + * elfxx-x86.h (elf_x86_tls_error_type): Likewise. + (_bfd_x86_elf_link_report_tls_transition_error): Likewise. + +ld/ + + PR ld/32017 + * testsuite/ld-i386/i386.exp: Run tlsgdesc1 and tlsgdesc2. + * testsuite/ld-i386/tlsie2.d: Updated. + * testsuite/ld-i386/tlsie3.d: Likewise. + * testsuite/ld-i386/tlsie4.d: Likewise. + * testsuite/ld-i386/tlsie5.d: Likewise. + * testsuite/ld-x86-64/tlsie2.d: Likewise. + * testsuite/ld-x86-64/tlsie3.d: Likewise. + * testsuite/ld-i386/tlsgdesc1.d: New file. + * testsuite/ld-i386/tlsgdesc1.s: Likewise. + * testsuite/ld-i386/tlsgdesc2.d: Likewise. + * testsuite/ld-i386/tlsgdesc2.s: Likewise. + * testsuite/ld-x86-64/tlsdesc3.d: Likewise. + * testsuite/ld-x86-64/tlsdesc3.s: Likewise. + * testsuite/ld-x86-64/tlsdesc4.d: Likewise. + * testsuite/ld-x86-64/tlsdesc4.s: Likewise. + * testsuite/ld-x86-64/tlsie5.d: Likewise. + * testsuite/ld-x86-64/tlsie5.s: Likewise. + * testsuite/ld-x86-64/x86-64.exp: Run tlsie5, tlsdesc3 and + tlsdesc4. + +(cherry picked from commit:1d68a49ac5d71b648304f69af978fce0f4413800) +Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141322.html] +CVE: CVE-2025-1179 + +Signed-off-by: Harish Sadineni +--- + bfd/elf32-i386.c | 118 +++++++++++++------------- + bfd/elf64-x86-64.c | 133 ++++++++++++++++-------------- + bfd/elfxx-x86.c | 85 +++++++++++++++++++ + bfd/elfxx-x86.h | 18 ++++ + ld/testsuite/ld-i386/i386.exp | 2 + + ld/testsuite/ld-i386/tlsgdesc1.d | 4 + + ld/testsuite/ld-i386/tlsgdesc1.s | 11 +++ + ld/testsuite/ld-i386/tlsgdesc2.d | 4 + + ld/testsuite/ld-i386/tlsgdesc2.s | 11 +++ + ld/testsuite/ld-i386/tlsie2.d | 2 +- + ld/testsuite/ld-i386/tlsie3.d | 2 +- + ld/testsuite/ld-i386/tlsie4.d | 2 +- + ld/testsuite/ld-i386/tlsie5.d | 2 +- + ld/testsuite/ld-x86-64/tlsdesc3.d | 4 + + ld/testsuite/ld-x86-64/tlsdesc3.s | 13 +++ + ld/testsuite/ld-x86-64/tlsdesc4.d | 4 + + ld/testsuite/ld-x86-64/tlsdesc4.s | 13 +++ + ld/testsuite/ld-x86-64/tlsie2.d | 2 +- + ld/testsuite/ld-x86-64/tlsie3.d | 2 +- + ld/testsuite/ld-x86-64/tlsie5.d | 4 + + ld/testsuite/ld-x86-64/tlsie5.s | 12 +++ + ld/testsuite/ld-x86-64/x86-64.exp | 3 + + 22 files changed, 319 insertions(+), 132 deletions(-) + create mode 100644 ld/testsuite/ld-i386/tlsgdesc1.d + create mode 100644 ld/testsuite/ld-i386/tlsgdesc1.s + create mode 100644 ld/testsuite/ld-i386/tlsgdesc2.d + create mode 100644 ld/testsuite/ld-i386/tlsgdesc2.s + create mode 100644 ld/testsuite/ld-x86-64/tlsdesc3.d + create mode 100644 ld/testsuite/ld-x86-64/tlsdesc3.s + create mode 100644 ld/testsuite/ld-x86-64/tlsdesc4.d + create mode 100644 ld/testsuite/ld-x86-64/tlsdesc4.s + create mode 100644 ld/testsuite/ld-x86-64/tlsie5.d + create mode 100644 ld/testsuite/ld-x86-64/tlsie5.s + +diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c +index e2f88a11487..18a28d2491c 100644 +--- a/bfd/elf32-i386.c ++++ b/bfd/elf32-i386.c +@@ -839,7 +839,7 @@ static const struct elf_x86_non_lazy_plt_layout elf_i386_non_lazy_ibt_plt = + /* Return TRUE if the TLS access code sequence support transition + from R_TYPE. */ + +-static bool ++static enum elf_x86_tls_error_type + elf_i386_check_tls_transition (asection *sec, + bfd_byte *contents, + Elf_Internal_Shdr *symtab_hdr, +@@ -861,7 +861,7 @@ elf_i386_check_tls_transition (asection *sec, + case R_386_TLS_GD: + case R_386_TLS_LDM: + if (offset < 2 || (rel + 1) >= relend) +- return false; ++ return elf_x86_tls_error_yes; + + indirect_call = false; + call = contents + offset + 4; +@@ -884,19 +884,19 @@ elf_i386_check_tls_transition (asection *sec, + can transit to different access model. */ + if ((offset + 10) > sec->size + || (type != 0x8d && type != 0x04)) +- return false; ++ return elf_x86_tls_error_yes; + + if (type == 0x04) + { + /* leal foo@tlsgd(,%ebx,1), %eax + call ___tls_get_addr@PLT */ + if (offset < 3) +- return false; ++ return elf_x86_tls_error_yes; + + if (*(call - 7) != 0x8d + || val != 0x1d + || call[0] != 0xe8) +- return false; ++ return elf_x86_tls_error_yes; + } + else + { +@@ -914,7 +914,7 @@ elf_i386_check_tls_transition (asection *sec, + is used to pass parameter to ___tls_get_addr. */ + reg = val & 7; + if ((val & 0xf8) != 0x80 || reg == 4 || reg == 0) +- return false; ++ return elf_x86_tls_error_yes; + + indirect_call = call[0] == 0xff; + if (!(reg == 3 && call[0] == 0xe8 && call[5] == 0x90) +@@ -922,7 +922,7 @@ elf_i386_check_tls_transition (asection *sec, + && !(indirect_call + && (call[1] & 0xf8) == 0x90 + && (call[1] & 0x7) == reg)) +- return false; ++ return elf_x86_tls_error_yes; + } + } + else +@@ -937,13 +937,13 @@ elf_i386_check_tls_transition (asection *sec, + addr32 call ___tls_get_addr + can transit to different access model. */ + if (type != 0x8d || (offset + 9) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + /* %eax can't be used as the GOT base register since it is + used to pass parameter to ___tls_get_addr. */ + reg = val & 7; + if ((val & 0xf8) != 0x80 || reg == 4 || reg == 0) +- return false; ++ return elf_x86_tls_error_yes; + + indirect_call = call[0] == 0xff; + if (!(reg == 3 && call[0] == 0xe8) +@@ -951,23 +951,27 @@ elf_i386_check_tls_transition (asection *sec, + && !(indirect_call + && (call[1] & 0xf8) == 0x90 + && (call[1] & 0x7) == reg)) +- return false; ++ return elf_x86_tls_error_yes; + } + + r_symndx = ELF32_R_SYM (rel[1].r_info); + if (r_symndx < symtab_hdr->sh_info) +- return false; ++ return elf_x86_tls_error_yes; + + h = sym_hashes[r_symndx - symtab_hdr->sh_info]; + if (h == NULL + || !((struct elf_x86_link_hash_entry *) h)->tls_get_addr) +- return false; ++ return elf_x86_tls_error_yes; + else if (indirect_call) +- return (ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32X +- || ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32); ++ return ((ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32X ++ || ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32) ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + else +- return (ELF32_R_TYPE (rel[1].r_info) == R_386_PC32 +- || ELF32_R_TYPE (rel[1].r_info) == R_386_PLT32); ++ return ((ELF32_R_TYPE (rel[1].r_info) == R_386_PC32 ++ || ELF32_R_TYPE (rel[1].r_info) == R_386_PLT32) ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_386_TLS_IE: + /* Check transition from IE access model: +@@ -977,20 +981,23 @@ elf_i386_check_tls_transition (asection *sec, + */ + + if (offset < 1 || (offset + 4) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + /* Check "movl foo@tpoff(%rip), %eax" first. */ + val = bfd_get_8 (abfd, contents + offset - 1); + if (val == 0xa1) +- return true; ++ return elf_x86_tls_error_none; + + if (offset < 2) +- return false; ++ return elf_x86_tls_error_yes; + + /* Check movl|addl foo@tpoff(%rip), %reg. */ + type = bfd_get_8 (abfd, contents + offset - 2); +- return ((type == 0x8b || type == 0x03) +- && (val & 0xc7) == 0x05); ++ if (type != 0x8b && type != 0x03) ++ return elf_x86_tls_error_add_mov; ++ return ((val & 0xc7) == 0x05 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_386_TLS_GOTIE: + case R_386_TLS_IE_32: +@@ -1001,14 +1008,16 @@ elf_i386_check_tls_transition (asection *sec, + */ + + if (offset < 2 || (offset + 4) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + val = bfd_get_8 (abfd, contents + offset - 1); + if ((val & 0xc0) != 0x80 || (val & 7) == 4) +- return false; ++ return elf_x86_tls_error_yes; + + type = bfd_get_8 (abfd, contents + offset - 2); +- return type == 0x8b || type == 0x2b || type == 0x03; ++ return (type == 0x8b || type == 0x2b || type == 0x03 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_add_sub_mov); + + case R_386_TLS_GOTDESC: + /* Check transition from GDesc access model: +@@ -1019,13 +1028,15 @@ elf_i386_check_tls_transition (asection *sec, + going to be eax. */ + + if (offset < 2 || (offset + 4) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + if (bfd_get_8 (abfd, contents + offset - 2) != 0x8d) +- return false; ++ return elf_x86_tls_error_lea; + + val = bfd_get_8 (abfd, contents + offset - 1); +- return (val & 0xc7) == 0x83; ++ return ((val & 0xc7) == 0x83 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_386_TLS_DESC_CALL: + /* Check transition from GDesc access model: +@@ -1035,10 +1046,12 @@ elf_i386_check_tls_transition (asection *sec, + { + /* Make sure that it's a call *x@tlsdesc(%eax). */ + call = contents + offset; +- return call[0] == 0xff && call[1] == 0x10; ++ return (call[0] == 0xff && call[1] == 0x10 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_indirect_call); + } + +- return false; ++ return elf_x86_tls_error_yes; + + default: + abort (); +@@ -1057,7 +1070,7 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd, + const Elf_Internal_Rela *rel, + const Elf_Internal_Rela *relend, + struct elf_link_hash_entry *h, +- unsigned long r_symndx, ++ Elf_Internal_Sym *sym, + bool from_relocate_section) + { + unsigned int from_type = *r_type; +@@ -1142,43 +1155,24 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd, + return true; + + /* Check if the transition can be performed. */ ++ enum elf_x86_tls_error_type tls_error; + if (check +- && ! elf_i386_check_tls_transition (sec, contents, +- symtab_hdr, sym_hashes, +- from_type, rel, relend)) ++ && ((tls_error = elf_i386_check_tls_transition (sec, contents, ++ symtab_hdr, ++ sym_hashes, ++ from_type, rel, ++ relend)) ++ != elf_x86_tls_error_none)) + { + reloc_howto_type *from, *to; +- const char *name; + + from = elf_i386_rtype_to_howto (from_type); + to = elf_i386_rtype_to_howto (to_type); + +- if (h) +- name = h->root.root.string; +- else +- { +- struct elf_x86_link_hash_table *htab; +- +- htab = elf_x86_hash_table (info, I386_ELF_DATA); +- if (htab == NULL) +- name = "*unknown*"; +- else +- { +- Elf_Internal_Sym *isym; +- +- isym = bfd_sym_from_r_symndx (&htab->elf.sym_cache, +- abfd, r_symndx); +- name = bfd_elf_sym_name (abfd, symtab_hdr, isym, NULL); +- } +- } ++ _bfd_x86_elf_link_report_tls_transition_error ++ (info, abfd, sec, symtab_hdr, h, sym, rel, from->name, ++ to->name, tls_error); + +- _bfd_error_handler +- /* xgettext:c-format */ +- (_("%pB: TLS transition from %s to %s against `%s'" +- " at %#" PRIx64 " in section `%pA' failed"), +- abfd, from->name, to->name, name, +- (uint64_t) rel->r_offset, sec); +- bfd_set_error (bfd_error_bad_value); + return false; + } + +@@ -1600,7 +1594,7 @@ elf_i386_scan_relocs (bfd *abfd, + if (! elf_i386_tls_transition (info, abfd, sec, contents, + symtab_hdr, sym_hashes, + &r_type, GOT_UNKNOWN, +- rel, rel_end, h, r_symndx, false)) ++ rel, rel_end, h, isym, false)) + goto error_return; + + /* Check if _GLOBAL_OFFSET_TABLE_ is referenced. */ +@@ -2875,7 +2869,7 @@ elf_i386_relocate_section (bfd *output_bfd, + input_section, contents, + symtab_hdr, sym_hashes, + &r_type_tls, tls_type, rel, +- relend, h, r_symndx, true)) ++ relend, h, sym, true)) + return false; + + expected_tls_le = htab->elf.target_os == is_solaris +@@ -3365,7 +3359,7 @@ elf_i386_relocate_section (bfd *output_bfd, + input_section, contents, + symtab_hdr, sym_hashes, + &r_type, GOT_UNKNOWN, rel, +- relend, h, r_symndx, true)) ++ relend, h, sym, true)) + return false; + + if (r_type != R_386_TLS_LDM) +diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c +index 2ed120af780..f116e423f61 100644 +--- a/bfd/elf64-x86-64.c ++++ b/bfd/elf64-x86-64.c +@@ -1120,7 +1120,7 @@ elf32_x86_64_elf_object_p (bfd *abfd) + /* Return TRUE if the TLS access code sequence support transition + from R_TYPE. */ + +-static bool ++static enum elf_x86_tls_error_type + elf_x86_64_check_tls_transition (bfd *abfd, + struct bfd_link_info *info, + asection *sec, +@@ -1147,7 +1147,7 @@ elf_x86_64_check_tls_transition (bfd *abfd, + case R_X86_64_TLSGD: + case R_X86_64_TLSLD: + if ((rel + 1) >= relend) +- return false; ++ return elf_x86_tls_error_yes; + + if (r_type == R_X86_64_TLSGD) + { +@@ -1184,7 +1184,7 @@ elf_x86_64_check_tls_transition (bfd *abfd, + static const unsigned char leaq[] = { 0x66, 0x48, 0x8d, 0x3d }; + + if ((offset + 12) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + call = contents + offset + 4; + if (call[0] != 0x66 +@@ -1208,20 +1208,20 @@ elf_x86_64_check_tls_transition (bfd *abfd, + || call[14] != 0xd0 + || !((call[10] == 0x48 && call[12] == 0xd8) + || (call[10] == 0x4c && call[12] == 0xf8))) +- return false; ++ return elf_x86_tls_error_yes; + largepic = true; + } + else if (ABI_64_P (abfd)) + { + if (offset < 4 + || memcmp (contents + offset - 4, leaq, 4) != 0) +- return false; ++ return elf_x86_tls_error_yes; + } + else + { + if (offset < 3 + || memcmp (contents + offset - 3, leaq + 1, 3) != 0) +- return false; ++ return elf_x86_tls_error_yes; + } + indirect_call = call[2] == 0xff; + } +@@ -1250,10 +1250,10 @@ elf_x86_64_check_tls_transition (bfd *abfd, + static const unsigned char lea[] = { 0x48, 0x8d, 0x3d }; + + if (offset < 3 || (offset + 9) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + if (memcmp (contents + offset - 3, lea, 3) != 0) +- return false; ++ return elf_x86_tls_error_yes; + + call = contents + offset + 4; + if (!(call[0] == 0xe8 +@@ -1268,7 +1268,7 @@ elf_x86_64_check_tls_transition (bfd *abfd, + || call[14] != 0xd0 + || !((call[10] == 0x48 && call[12] == 0xd8) + || (call[10] == 0x4c && call[12] == 0xf8))) +- return false; ++ return elf_x86_tls_error_yes; + largepic = true; + } + indirect_call = call[0] == 0xff; +@@ -1276,22 +1276,30 @@ elf_x86_64_check_tls_transition (bfd *abfd, + + r_symndx = htab->r_sym (rel[1].r_info); + if (r_symndx < symtab_hdr->sh_info) +- return false; ++ return elf_x86_tls_error_yes; + + h = sym_hashes[r_symndx - symtab_hdr->sh_info]; + if (h == NULL + || !((struct elf_x86_link_hash_entry *) h)->tls_get_addr) +- return false; ++ return elf_x86_tls_error_yes; + else + { + r_type = (ELF32_R_TYPE (rel[1].r_info) + & ~R_X86_64_converted_reloc_bit); + if (largepic) +- return r_type == R_X86_64_PLTOFF64; ++ return (r_type == R_X86_64_PLTOFF64 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + else if (indirect_call) +- return (r_type == R_X86_64_GOTPCRELX || r_type == R_X86_64_GOTPCREL); ++ return ((r_type == R_X86_64_GOTPCRELX ++ || r_type == R_X86_64_GOTPCREL) ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + else +- return (r_type == R_X86_64_PC32 || r_type == R_X86_64_PLT32); ++ return ((r_type == R_X86_64_PC32 ++ || r_type == R_X86_64_PLT32) ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + } + + case R_X86_64_CODE_4_GOTTPOFF: +@@ -1303,7 +1311,7 @@ elf_x86_64_check_tls_transition (bfd *abfd, + if (offset < 4 + || (offset + 4) > sec->size + || contents[offset - 4] != 0xd5) +- return false; ++ return elf_x86_tls_error_yes; + + goto check_gottpoff; + +@@ -1315,14 +1323,16 @@ elf_x86_64_check_tls_transition (bfd *abfd, + if (offset < 6 + || (offset + 4) > sec->size + || contents[offset - 6] != 0x62) +- return false; ++ return elf_x86_tls_error_yes; + + val = bfd_get_8 (abfd, contents + offset - 2); + if (val != 0x01 && val != 0x03) +- return false; ++ return elf_x86_tls_error_add; + + val = bfd_get_8 (abfd, contents + offset - 1); +- return (val & 0xc7) == 5; ++ return ((val & 0xc7) == 5 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_X86_64_GOTTPOFF: + /* Check transition from IE access model: +@@ -1338,25 +1348,27 @@ elf_x86_64_check_tls_transition (bfd *abfd, + { + /* X32 may have 0x44 REX prefix or no REX prefix. */ + if (ABI_64_P (abfd)) +- return false; ++ return elf_x86_tls_error_yes; + } + } + else + { + /* X32 may not have any REX prefix. */ + if (ABI_64_P (abfd)) +- return false; ++ return elf_x86_tls_error_yes; + if (offset < 2 || (offset + 3) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + } + + check_gottpoff: + val = bfd_get_8 (abfd, contents + offset - 2); + if (val != 0x8b && val != 0x03) +- return false; ++ return elf_x86_tls_error_add_mov; + + val = bfd_get_8 (abfd, contents + offset - 1); +- return (val & 0xc7) == 5; ++ return ((val & 0xc7) == 5 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_X86_64_CODE_4_GOTPC32_TLSDESC: + /* Check transition from GDesc access model: +@@ -1366,7 +1378,7 @@ elf_x86_64_check_tls_transition (bfd *abfd, + if (offset < 4 + || (offset + 4) > sec->size + || contents[offset - 4] != 0xd5) +- return false; ++ return elf_x86_tls_error_yes; + + goto check_tlsdesc; + +@@ -1380,19 +1392,21 @@ elf_x86_64_check_tls_transition (bfd *abfd, + going to be rax. */ + + if (offset < 3 || (offset + 4) > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + + val = bfd_get_8 (abfd, contents + offset - 3); + val &= 0xfb; + if (val != 0x48 && (ABI_64_P (abfd) || val != 0x40)) +- return false; ++ return elf_x86_tls_error_yes; + + check_tlsdesc: + if (bfd_get_8 (abfd, contents + offset - 2) != 0x8d) +- return false; ++ return elf_x86_tls_error_lea; + + val = bfd_get_8 (abfd, contents + offset - 1); +- return (val & 0xc7) == 0x05; ++ return ((val & 0xc7) == 0x05 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_yes); + + case R_X86_64_TLSDESC_CALL: + /* Check transition from GDesc access model: +@@ -1411,14 +1425,16 @@ elf_x86_64_check_tls_transition (bfd *abfd, + { + prefix = 1; + if (offset + 3 > sec->size) +- return false; ++ return elf_x86_tls_error_yes; + } + } + /* Make sure that it's a call *x@tlsdesc(%rax). */ +- return call[prefix] == 0xff && call[1 + prefix] == 0x10; ++ return (call[prefix] == 0xff && call[1 + prefix] == 0x10 ++ ? elf_x86_tls_error_none ++ : elf_x86_tls_error_indirect_call); + } + +- return false; ++ return elf_x86_tls_error_yes; + + default: + abort (); +@@ -1437,7 +1453,7 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + const Elf_Internal_Rela *rel, + const Elf_Internal_Rela *relend, + struct elf_link_hash_entry *h, +- unsigned long r_symndx, ++ Elf_Internal_Sym *sym, + bool from_relocate_section) + { + unsigned int from_type = *r_type; +@@ -1488,7 +1504,12 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + /* We checked the transition before when we were called from + elf_x86_64_scan_relocs. We only want to check the new + transition which hasn't been checked before. */ +- check = new_to_type != to_type && from_type == to_type; ++ check = (new_to_type != to_type ++ && (from_type == to_type ++ || (from_type == R_X86_64_CODE_4_GOTTPOFF ++ && to_type == R_X86_64_GOTTPOFF) ++ || (from_type == R_X86_64_CODE_6_GOTTPOFF ++ && to_type == R_X86_64_GOTTPOFF))); + to_type = new_to_type; + } + +@@ -1512,13 +1533,18 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + return true; + + /* Check if the transition can be performed. */ ++ enum elf_x86_tls_error_type tls_error; + if (check +- && ! elf_x86_64_check_tls_transition (abfd, info, sec, contents, +- symtab_hdr, sym_hashes, +- from_type, rel, relend)) ++ && ((tls_error = elf_x86_64_check_tls_transition (abfd, info, sec, ++ contents, ++ symtab_hdr, ++ sym_hashes, ++ from_type, rel, ++ relend)) ++ != elf_x86_tls_error_none)) ++ + { + reloc_howto_type *from, *to; +- const char *name; + + from = elf_x86_64_rtype_to_howto (abfd, from_type); + to = elf_x86_64_rtype_to_howto (abfd, to_type); +@@ -1526,31 +1552,10 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + if (from == NULL || to == NULL) + return false; + +- if (h) +- name = h->root.root.string; +- else +- { +- struct elf_x86_link_hash_table *htab; +- +- htab = elf_x86_hash_table (info, X86_64_ELF_DATA); +- if (htab == NULL) +- name = "*unknown*"; +- else +- { +- Elf_Internal_Sym *isym; ++ _bfd_x86_elf_link_report_tls_transition_error ++ (info, abfd, sec, symtab_hdr, h, sym, rel, from->name, ++ to->name, tls_error); + +- isym = bfd_sym_from_r_symndx (&htab->elf.sym_cache, +- abfd, r_symndx); +- name = bfd_elf_sym_name (abfd, symtab_hdr, isym, NULL); +- } +- } +- +- _bfd_error_handler +- /* xgettext:c-format */ +- (_("%pB: TLS transition from %s to %s against `%s' at %#" PRIx64 +- " in section `%pA' failed"), +- abfd, from->name, to->name, name, (uint64_t) rel->r_offset, sec); +- bfd_set_error (bfd_error_bad_value); + return false; + } + +@@ -2198,7 +2203,7 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info, + if (! elf_x86_64_tls_transition (info, abfd, sec, contents, + symtab_hdr, sym_hashes, + &r_type, GOT_UNKNOWN, +- rel, rel_end, h, r_symndx, false)) ++ rel, rel_end, h, isym, false)) + goto error_return; + + /* Check if _GLOBAL_OFFSET_TABLE_ is referenced. */ +@@ -3648,7 +3653,7 @@ elf_x86_64_relocate_section (bfd *output_bfd, + input_section, contents, + symtab_hdr, sym_hashes, + &r_type_tls, tls_type, rel, +- relend, h, r_symndx, true)) ++ relend, h, sym, true)) + return false; + + if (r_type_tls == R_X86_64_TPOFF32) +@@ -4308,7 +4313,7 @@ elf_x86_64_relocate_section (bfd *output_bfd, + input_section, contents, + symtab_hdr, sym_hashes, + &r_type, GOT_UNKNOWN, rel, +- relend, h, r_symndx, true)) ++ relend, h, sym, true)) + return false; + + if (r_type != R_X86_64_TLSLD) +diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c +index 508fd771da3..b17dad759c8 100644 +--- a/bfd/elfxx-x86.c ++++ b/bfd/elfxx-x86.c +@@ -3202,6 +3202,91 @@ _bfd_x86_elf_link_report_relative_reloc + asect, abfd); + } + ++/* Report TLS transition error. */ ++ ++void ++_bfd_x86_elf_link_report_tls_transition_error ++ (struct bfd_link_info *info, bfd *abfd, asection *asect, ++ Elf_Internal_Shdr *symtab_hdr, struct elf_link_hash_entry *h, ++ Elf_Internal_Sym *sym, const Elf_Internal_Rela *rel, ++ const char *from_reloc_name, const char *to_reloc_name, ++ enum elf_x86_tls_error_type tls_error) ++{ ++ const char *name; ++ ++ if (h) ++ name = h->root.root.string; ++ else ++ { ++ const struct elf_backend_data *bed ++ = get_elf_backend_data (abfd); ++ struct elf_x86_link_hash_table *htab ++ = elf_x86_hash_table (info, bed->target_id); ++ if (htab == NULL) ++ name = "*unknown*"; ++ else ++ name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL); ++ } ++ ++ switch (tls_error) ++ { ++ case elf_x86_tls_error_yes: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB: TLS transition from %s to %s against `%s' at 0x%v in " ++ "section `%pA' failed"), ++ abfd, from_reloc_name, to_reloc_name, name, rel->r_offset, ++ asect); ++ break; ++ ++ case elf_x86_tls_error_add: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB(%pA+0x%v): relocation %s against `%s' must be used " ++ "in ADD only"), ++ abfd, asect, rel->r_offset, from_reloc_name, name); ++ break; ++ ++ case elf_x86_tls_error_add_mov: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB(%pA+0x%v): relocation %s against `%s' must be used " ++ "in ADD or MOV only"), ++ abfd, asect, rel->r_offset, from_reloc_name, name); ++ break; ++ ++ case elf_x86_tls_error_add_sub_mov: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB(%pA+0x%v): relocation %s against `%s' must be used " ++ "in ADD, SUB or MOV only"), ++ abfd, asect, rel->r_offset, from_reloc_name, name); ++ break; ++ ++ case elf_x86_tls_error_indirect_call: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB(%pA+0x%v): relocation %s against `%s' must be used " ++ "in indirect CALL only"), ++ abfd, asect, rel->r_offset, from_reloc_name, name); ++ break; ++ ++ case elf_x86_tls_error_lea: ++ info->callbacks->einfo ++ /* xgettext:c-format */ ++ (_("%pB(%pA+0x%v): relocation %s against `%s' must be used " ++ "in LEA only"), ++ abfd, asect, rel->r_offset, from_reloc_name, name); ++ break; ++ ++ default: ++ abort (); ++ break; ++ } ++ ++ bfd_set_error (bfd_error_bad_value); ++} ++ + /* Return TRUE if symbol should be hashed in the `.gnu.hash' section. */ + + bool +diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h +index 110bcb9ad71..02e2efa6c56 100644 +--- a/bfd/elfxx-x86.h ++++ b/bfd/elfxx-x86.h +@@ -767,6 +767,18 @@ struct elf_x86_plt + long count; + }; + ++enum elf_x86_tls_error_type ++{ ++ elf_x86_tls_error_none, ++ elf_x86_tls_error_add, ++ elf_x86_tls_error_add_mov, ++ elf_x86_tls_error_add_sub_mov, ++ elf_x86_tls_error_indirect_call, ++ elf_x86_tls_error_lea, ++ elf_x86_tls_error_yes ++}; ++ ++ + /* Set if a relocation is converted from a GOTPCREL relocation. */ + #define R_X86_64_converted_reloc_bit (1 << 7) + +@@ -908,6 +920,12 @@ extern void _bfd_x86_elf_link_fixup_ifunc_symbol + extern void _bfd_x86_elf_link_report_relative_reloc + (struct bfd_link_info *, asection *, struct elf_link_hash_entry *, + Elf_Internal_Sym *, const char *, const void *); ++extern void _bfd_x86_elf_link_report_tls_transition_error ++ (struct bfd_link_info *, bfd *, asection *, Elf_Internal_Shdr *, ++ struct elf_link_hash_entry *, Elf_Internal_Sym *, ++ const Elf_Internal_Rela *, const char *, const char *, ++ enum elf_x86_tls_error_type); ++ + + #define bfd_elf64_mkobject \ + _bfd_x86_elf_mkobject +diff --git a/ld/testsuite/ld-i386/i386.exp b/ld/testsuite/ld-i386/i386.exp +index 18d1c9198ca..a8db2c713f3 100644 +--- a/ld/testsuite/ld-i386/i386.exp ++++ b/ld/testsuite/ld-i386/i386.exp +@@ -541,6 +541,8 @@ run_dump_test "tlsdesc2" + run_dump_test "report-reloc-1" + run_dump_test "pr27998a" + run_dump_test "pr27998b" ++run_dump_test "tlsgdesc1" ++run_dump_test "tlsgdesc2" + + proc undefined_weak {cflags ldflags} { + set testname "Undefined weak symbol" +diff --git a/ld/testsuite/ld-i386/tlsgdesc1.d b/ld/testsuite/ld-i386/tlsgdesc1.d +new file mode 100644 +index 00000000000..2a70e81c444 +--- /dev/null ++++ b/ld/testsuite/ld-i386/tlsgdesc1.d +@@ -0,0 +1,4 @@ ++#name: TLS GDesc->LE transition check (LEA) ++#as: --32 ++#ld: -melf_i386 ++#error: .*: relocation R_386_TLS_GOTDESC against `foo' must be used in LEA only +diff --git a/ld/testsuite/ld-i386/tlsgdesc1.s b/ld/testsuite/ld-i386/tlsgdesc1.s +new file mode 100644 +index 00000000000..c30f7523462 +--- /dev/null ++++ b/ld/testsuite/ld-i386/tlsgdesc1.s +@@ -0,0 +1,11 @@ ++ .text ++ .globl _start ++_start: ++ movl foo@tlsdesc(%ebx), %eax ++ call *foo@tlscall(%eax) ++ .section .tdata,"awT",@progbits ++ .align 4 ++ .type foo, @object ++ .size foo, 4 ++foo: ++ .long 100 +diff --git a/ld/testsuite/ld-i386/tlsgdesc2.d b/ld/testsuite/ld-i386/tlsgdesc2.d +new file mode 100644 +index 00000000000..2e6a66d372c +--- /dev/null ++++ b/ld/testsuite/ld-i386/tlsgdesc2.d +@@ -0,0 +1,4 @@ ++#name: TLS GDesc->LE transition check (indirect CALL) ++#as: --32 ++#ld: -melf_i386 ++#error: .*: relocation R_386_TLS_DESC_CALL against `foo' must be used in indirect CALL only +diff --git a/ld/testsuite/ld-i386/tlsgdesc2.s b/ld/testsuite/ld-i386/tlsgdesc2.s +new file mode 100644 +index 00000000000..7d9d556e2ab +--- /dev/null ++++ b/ld/testsuite/ld-i386/tlsgdesc2.s +@@ -0,0 +1,11 @@ ++ .text ++ .globl _start ++_start: ++ leal foo@tlsdesc(%ebx), %eax ++ jmp *foo@tlscall(%eax) ++ .section .tdata,"awT",@progbits ++ .align 4 ++ .type foo, @object ++ .size foo, 4 ++foo: ++ .long 100 +diff --git a/ld/testsuite/ld-i386/tlsie2.d b/ld/testsuite/ld-i386/tlsie2.d +index ebb85fde7e7..9f9e63029d6 100644 +--- a/ld/testsuite/ld-i386/tlsie2.d ++++ b/ld/testsuite/ld-i386/tlsie2.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check (R_386_TLS_GOTIE with %eax) + #as: --32 + #ld: -melf_i386 +-#error: .*TLS transition from R_386_TLS_GOTIE to R_386_TLS_LE_32 against `foo'.*failed.* ++#error: .*: relocation R_386_TLS_GOTIE against `foo' must be used in ADD, SUB or MOV only +diff --git a/ld/testsuite/ld-i386/tlsie3.d b/ld/testsuite/ld-i386/tlsie3.d +index d993f303c25..506f1a02605 100644 +--- a/ld/testsuite/ld-i386/tlsie3.d ++++ b/ld/testsuite/ld-i386/tlsie3.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check (R_386_TLS_GOTIE) + #as: --32 + #ld: -melf_i386 +-#error: .*TLS transition from R_386_TLS_GOTIE to R_386_TLS_LE_32 against `foo'.*failed.* ++#error: .*: relocation R_386_TLS_GOTIE against `foo' must be used in ADD, SUB or MOV only +diff --git a/ld/testsuite/ld-i386/tlsie4.d b/ld/testsuite/ld-i386/tlsie4.d +index 3ca8fddf5dd..a516d002660 100644 +--- a/ld/testsuite/ld-i386/tlsie4.d ++++ b/ld/testsuite/ld-i386/tlsie4.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check (R_386_TLS_IE with %eax) + #as: --32 + #ld: -melf_i386 +-#error: .*TLS transition from R_386_TLS_IE to R_386_TLS_LE_32 against `foo'.*failed.* ++#error: .*: relocation R_386_TLS_IE against `foo' must be used in ADD or MOV only +diff --git a/ld/testsuite/ld-i386/tlsie5.d b/ld/testsuite/ld-i386/tlsie5.d +index 3febeb159a9..d3447182e19 100644 +--- a/ld/testsuite/ld-i386/tlsie5.d ++++ b/ld/testsuite/ld-i386/tlsie5.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check (R_386_TLS_IE) + #as: --32 + #ld: -melf_i386 +-#error: .*TLS transition from R_386_TLS_IE to R_386_TLS_LE_32 against `foo'.*failed.* ++#error: .*: relocation R_386_TLS_IE against `foo' must be used in ADD or MOV only +diff --git a/ld/testsuite/ld-x86-64/tlsdesc3.d b/ld/testsuite/ld-x86-64/tlsdesc3.d +new file mode 100644 +index 00000000000..bbf22ebeafe +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsdesc3.d +@@ -0,0 +1,4 @@ ++#name: TLS GDesc->LE transition check (LEA) ++#as: --64 ++#ld: -melf_x86_64 ++#error: .*: relocation R_X86_64_GOTPC32_TLSDESC against `foo' must be used in LEA only +diff --git a/ld/testsuite/ld-x86-64/tlsdesc3.s b/ld/testsuite/ld-x86-64/tlsdesc3.s +new file mode 100644 +index 00000000000..45310654ffc +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsdesc3.s +@@ -0,0 +1,13 @@ ++ .text ++ .globl _start ++ .type _start,@function ++_start: ++ movq foo@tlsdesc(%rip), %rax ++ call *foo@tlscall(%rax) ++ .globl foo ++ .section .tdata,"awT",@progbits ++ .align 8 ++ .type foo, @object ++ .size foo, 8 ++foo: ++ .quad 100 +diff --git a/ld/testsuite/ld-x86-64/tlsdesc4.d b/ld/testsuite/ld-x86-64/tlsdesc4.d +new file mode 100644 +index 00000000000..b50115c7178 +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsdesc4.d +@@ -0,0 +1,4 @@ ++#name: TLS GDesc->LE transition check (indirect CALL) ++#as: --64 ++#ld: -melf_x86_64 ++#error: .*: relocation R_X86_64_TLSDESC_CALL against `foo' must be used in indirect CALL only +diff --git a/ld/testsuite/ld-x86-64/tlsdesc4.s b/ld/testsuite/ld-x86-64/tlsdesc4.s +new file mode 100644 +index 00000000000..b3d6c12d4fc +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsdesc4.s +@@ -0,0 +1,13 @@ ++ .text ++ .globl _start ++ .type _start,@function ++_start: ++ leaq foo@tlsdesc(%rip), %rax ++ jmp *foo@tlscall(%rax) ++ .globl foo ++ .section .tdata,"awT",@progbits ++ .align 8 ++ .type foo, @object ++ .size foo, 8 ++foo: ++ .quad 100 +diff --git a/ld/testsuite/ld-x86-64/tlsie2.d b/ld/testsuite/ld-x86-64/tlsie2.d +index 97dcc288a3d..bf8a8198b5b 100644 +--- a/ld/testsuite/ld-x86-64/tlsie2.d ++++ b/ld/testsuite/ld-x86-64/tlsie2.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check + #as: --64 + #ld: -melf_x86_64 +-#error: .*TLS transition from R_X86_64_GOTTPOFF to R_X86_64_TPOFF32 against `foo'.*failed.* ++#error: .*: relocation R_X86_64_GOTTPOFF against `foo' must be used in ADD or MOV only +diff --git a/ld/testsuite/ld-x86-64/tlsie3.d b/ld/testsuite/ld-x86-64/tlsie3.d +index 8c982a69838..49d8464fbaf 100644 +--- a/ld/testsuite/ld-x86-64/tlsie3.d ++++ b/ld/testsuite/ld-x86-64/tlsie3.d +@@ -1,4 +1,4 @@ + #name: TLS IE->LE transition check (%r12) + #as: --64 + #ld: -melf_x86_64 +-#error: .*TLS transition from R_X86_64_GOTTPOFF to R_X86_64_TPOFF32 against `foo'.*failed.* ++#error: .*: relocation R_X86_64_GOTTPOFF against `foo' must be used in ADD or MOV only +diff --git a/ld/testsuite/ld-x86-64/tlsie5.d b/ld/testsuite/ld-x86-64/tlsie5.d +new file mode 100644 +index 00000000000..29de1cebf8e +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsie5.d +@@ -0,0 +1,4 @@ ++#name: TLS IE->LE transition check (APX) ++#as: --64 ++#ld: -melf_x86_64 ++#error: .*: relocation R_X86_64_CODE_6_GOTTPOFF against `foo' must be used in ADD only +diff --git a/ld/testsuite/ld-x86-64/tlsie5.s b/ld/testsuite/ld-x86-64/tlsie5.s +new file mode 100644 +index 00000000000..c39e46fd97b +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsie5.s +@@ -0,0 +1,12 @@ ++ .text ++ .globl _start ++_start: ++ xorq %rax, foo@GOTTPOFF(%rip), %rax ++ movq (%rax), %rax ++ .globl foo ++ .section .tdata,"awT",@progbits ++ .align 4 ++ .type foo, @object ++ .size foo, 4 ++foo: ++ .long 100 +diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp +index 2a40f0b095b..811813466f8 100644 +--- a/ld/testsuite/ld-x86-64/x86-64.exp ++++ b/ld/testsuite/ld-x86-64/x86-64.exp +@@ -741,6 +741,9 @@ run_dump_test "pr27016b" + run_dump_test "report-reloc-1" + run_dump_test "report-reloc-1-x32" + run_dump_test "pr29820" ++run_dump_test "tlsie5" ++run_dump_test "tlsdesc3" ++run_dump_test "tlsdesc4" + + proc undefined_weak {cflags ldflags} { + set testname "Undefined weak symbol" +-- +2.49.0 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch new file mode 100644 index 0000000000..89312d8501 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch @@ -0,0 +1,269 @@ +From 67e30b15212adc1502b898a1ca224fdf65dc110d Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Thu, 29 Aug 2024 08:47:00 -0700 +Subject: [PATCH] x86: Check invalid TLS descriptor call TLS descriptor + call, + +call *x@tlsdesc(%rax) + +or + +call *x@tlsdesc(%eax) + +calls _dl_tlsdesc_return which expects that RAX/EAX points to the TLS +descriptor. Update x86 linker to issue an error with or without TLS +transition. + +bfd/ + + PR ld/32123 + * elf32-i386.c (elf_i386_check_tls_transition): Move + R_386_TLS_DESC_CALL to ... + (elf_i386_tls_transition): Here. + * elf64-x86-64.c (elf_x86_64_check_tls_transition): Move. + R_X86_64_TLSDESC_CALL check to ... + (elf_x86_64_tls_transition): Here. + +ld/ + + PR ld/32123 + * testsuite/ld-i386/i386.exp: Run tlsgdesc3. + * testsuite/ld-i386/tlsgdesc3.d: New file. + * testsuite/ld-x86-64/tlsdesc5.d: Likewise. + * testsuite/ld-x86-64/x86-64.exp: Run tlsdesc5. + +(cherry picked from commit:67e30b15212adc1502b898a1ca224fdf65dc110d) +Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141321.html] +CVE: CVE-2025-1179 + +Signed-off-by: Harish Sadineni +--- + bfd/elf32-i386.c | 44 +++++++++++++------ + bfd/elf64-x86-64.c | 71 +++++++++++++++++++------------ + ld/testsuite/ld-i386/i386.exp | 1 + + ld/testsuite/ld-i386/tlsgdesc3.d | 5 +++ + ld/testsuite/ld-x86-64/tlsdesc5.d | 5 +++ + ld/testsuite/ld-x86-64/x86-64.exp | 1 + + 6 files changed, 86 insertions(+), 41 deletions(-) + create mode 100644 ld/testsuite/ld-i386/tlsgdesc3.d + create mode 100644 ld/testsuite/ld-x86-64/tlsdesc5.d + +diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c +index 18a28d2491c..9dea465f721 100644 +--- a/bfd/elf32-i386.c ++++ b/bfd/elf32-i386.c +@@ -1039,19 +1039,8 @@ elf_i386_check_tls_transition (asection *sec, + : elf_x86_tls_error_yes); + + case R_386_TLS_DESC_CALL: +- /* Check transition from GDesc access model: +- call *x@tlsdesc(%eax) +- */ +- if (offset + 2 <= sec->size) +- { +- /* Make sure that it's a call *x@tlsdesc(%eax). */ +- call = contents + offset; +- return (call[0] == 0xff && call[1] == 0x10 +- ? elf_x86_tls_error_none +- : elf_x86_tls_error_indirect_call); +- } +- +- return elf_x86_tls_error_yes; ++ /* It has been checked in elf_i386_tls_transition. */ ++ return elf_x86_tls_error_none; + + default: + abort (); +@@ -1077,6 +1066,8 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd, + unsigned int to_type = from_type; + bool check = true; + unsigned int to_le_type, to_ie_type; ++ bfd_vma offset; ++ bfd_byte *call; + + /* Skip TLS transition for functions. */ + if (h != NULL +@@ -1098,9 +1089,34 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd, + + switch (from_type) + { ++ case R_386_TLS_DESC_CALL: ++ /* Check valid GDesc call: ++ call *x@tlsdesc(%eax) ++ */ ++ offset = rel->r_offset; ++ call = NULL; ++ if (offset + 2 <= sec->size) ++ { ++ /* Make sure that it's a call *x@tlsdesc(%eax). */ ++ call = contents + offset; ++ if (call[0] != 0xff || call[1] != 0x10) ++ call = NULL; ++ } ++ ++ if (call == NULL) ++ { ++ _bfd_x86_elf_link_report_tls_transition_error ++ (info, abfd, sec, symtab_hdr, h, sym, rel, ++ "R_386_TLS_DESC_CALL", NULL, ++ elf_x86_tls_error_indirect_call); ++ ++ return false; ++ } ++ ++ /* Fall through. */ ++ + case R_386_TLS_GD: + case R_386_TLS_GOTDESC: +- case R_386_TLS_DESC_CALL: + case R_386_TLS_IE_32: + case R_386_TLS_IE: + case R_386_TLS_GOTIE: +diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c +index f116e423f61..7af2e607b02 100644 +--- a/bfd/elf64-x86-64.c ++++ b/bfd/elf64-x86-64.c +@@ -1409,32 +1409,8 @@ elf_x86_64_check_tls_transition (bfd *abfd, + : elf_x86_tls_error_yes); + + case R_X86_64_TLSDESC_CALL: +- /* Check transition from GDesc access model: +- call *x@tlsdesc(%rax) <--- LP64 mode. +- call *x@tlsdesc(%eax) <--- X32 mode. +- */ +- if (offset + 2 <= sec->size) +- { +- unsigned int prefix; +- call = contents + offset; +- prefix = 0; +- if (!ABI_64_P (abfd)) +- { +- /* Check for call *x@tlsdesc(%eax). */ +- if (call[0] == 0x67) +- { +- prefix = 1; +- if (offset + 3 > sec->size) +- return elf_x86_tls_error_yes; +- } +- } +- /* Make sure that it's a call *x@tlsdesc(%rax). */ +- return (call[prefix] == 0xff && call[1 + prefix] == 0x10 +- ? elf_x86_tls_error_none +- : elf_x86_tls_error_indirect_call); +- } +- +- return elf_x86_tls_error_yes; ++ /* It has been checked in elf_x86_64_tls_transition. */ ++ return elf_x86_tls_error_none; + + default: + abort (); +@@ -1459,6 +1435,8 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + unsigned int from_type = *r_type; + unsigned int to_type = from_type; + bool check = true; ++ bfd_vma offset; ++ bfd_byte *call; + + /* Skip TLS transition for functions. */ + if (h != NULL +@@ -1468,10 +1446,49 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd, + + switch (from_type) + { ++ case R_X86_64_TLSDESC_CALL: ++ /* Check valid GDesc call: ++ call *x@tlsdesc(%rax) <--- LP64 mode. ++ call *x@tlsdesc(%eax) <--- X32 mode. ++ */ ++ offset = rel->r_offset; ++ call = NULL; ++ if (offset + 2 <= sec->size) ++ { ++ unsigned int prefix; ++ call = contents + offset; ++ prefix = 0; ++ if (!ABI_64_P (abfd)) ++ { ++ /* Check for call *x@tlsdesc(%eax). */ ++ if (call[0] == 0x67) ++ { ++ prefix = 1; ++ if (offset + 3 > sec->size) ++ call = NULL; ++ } ++ } ++ ++ /* Make sure that it's a call *x@tlsdesc(%rax). */ ++ if (call != NULL ++ && (call[prefix] != 0xff || call[1 + prefix] != 0x10)) ++ call = NULL; ++ } ++ ++ if (call == NULL) ++ { ++ _bfd_x86_elf_link_report_tls_transition_error ++ (info, abfd, sec, symtab_hdr, h, sym, rel, ++ "R_X86_64_TLSDESC_CALL", NULL, ++ elf_x86_tls_error_indirect_call); ++ return false; ++ } ++ ++ /* Fall through. */ ++ + case R_X86_64_TLSGD: + case R_X86_64_GOTPC32_TLSDESC: + case R_X86_64_CODE_4_GOTPC32_TLSDESC: +- case R_X86_64_TLSDESC_CALL: + case R_X86_64_GOTTPOFF: + case R_X86_64_CODE_4_GOTTPOFF: + case R_X86_64_CODE_6_GOTTPOFF: +diff --git a/ld/testsuite/ld-i386/i386.exp b/ld/testsuite/ld-i386/i386.exp +index a8db2c713f3..41e8725d059 100644 +--- a/ld/testsuite/ld-i386/i386.exp ++++ b/ld/testsuite/ld-i386/i386.exp +@@ -543,6 +543,7 @@ run_dump_test "pr27998a" + run_dump_test "pr27998b" + run_dump_test "tlsgdesc1" + run_dump_test "tlsgdesc2" ++run_dump_test "tlsgdesc3" + + proc undefined_weak {cflags ldflags} { + set testname "Undefined weak symbol" +diff --git a/ld/testsuite/ld-i386/tlsgdesc3.d b/ld/testsuite/ld-i386/tlsgdesc3.d +new file mode 100644 +index 00000000000..f2c29d880f2 +--- /dev/null ++++ b/ld/testsuite/ld-i386/tlsgdesc3.d +@@ -0,0 +1,5 @@ ++#source: tlsgdesc2.s ++#name: TLS GDesc call (indirect CALL) ++#as: --32 ++#ld: -shared -melf_i386 ++#error: .*: relocation R_386_TLS_DESC_CALL against `foo' must be used in indirect CALL with EAX register only +diff --git a/ld/testsuite/ld-x86-64/tlsdesc5.d b/ld/testsuite/ld-x86-64/tlsdesc5.d +new file mode 100644 +index 00000000000..6a0158b44b7 +--- /dev/null ++++ b/ld/testsuite/ld-x86-64/tlsdesc5.d +@@ -0,0 +1,5 @@ ++#source: tlsdesc4.s ++#name: TLS GDesc call (indirect CALL) ++#as: --64 ++#ld: -shared -melf_x86_64 ++#error: .*: relocation R_X86_64_TLSDESC_CALL against `foo' must be used in indirect CALL with RAX register only +diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp +index 811813466f8..82b0520c52a 100644 +--- a/ld/testsuite/ld-x86-64/x86-64.exp ++++ b/ld/testsuite/ld-x86-64/x86-64.exp +@@ -744,6 +744,7 @@ run_dump_test "pr29820" + run_dump_test "tlsie5" + run_dump_test "tlsdesc3" + run_dump_test "tlsdesc4" ++run_dump_test "tlsdesc5" + + proc undefined_weak {cflags ldflags} { + set testname "Undefined weak symbol" +-- +2.49.0 + From patchwork Wed May 28 14:43:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63741 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8726FC3ABB2 for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web10.17590.1748443412368331045 for ; Wed, 28 May 2025 07:43:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=YLvCR0hb; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-23446bb8785so43813155ad.0 for ; Wed, 28 May 2025 07:43:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443412; x=1749048212; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hnJHojSTOYyn883xISPor3Ox9/nCxQBKkROgc63bpXk=; b=YLvCR0hbs3MkvkXDSpZS+B9ZQ0MIAsQovuXM7AjlRMWRTxWbs0fDKd7jsaWUgdsp7O xc9IxUa5bBK/wzLj/wlbO/HNHw15wM98bIR5cGrOWNl/qTD7sIu45EKuEE8HCBeeyaSA UT1OE8H4GSFP/EhDeFkeNtDYA9sPOAJ+Eu3tHEeQBx94LUeGk8/5Wz3uaJltI2tLko1F 7Ss2EkfpujrcNr0v6G/ezQusQ/SYJv3EpkFr0ba0Sp5Z7ktcnOO/LU0sYHP6fZG1AyqG DmitbqeBJ2zdAvL1u6jdKUDfd07GH1HnpZVVj26nm7qHDyr7ZTQhSZVi8vckSmaDUG4R gYRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443412; x=1749048212; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hnJHojSTOYyn883xISPor3Ox9/nCxQBKkROgc63bpXk=; b=HdlHLpeNiHHzjcZCuLxN8CqlfM1wvdCpZlZ6gZhFgrlHOVkrUfVTLvbilYGBTAmMoZ t0Z6vtlIj2v8XZOFr60+JxAmN8826vaIQPSl5wAwsBJaCaEGDVJGnc+Cqpdy+KEv7yhH G0I0/+0/eP7Uy+OuoPFzVvEm9+rQX//0rCOHeDkONNC1RvGtIn5jwUYCwgRowyKEWfsY 74UJ4ELlxidKB+DNkqU8jQGC5FQHjpEXMZ0biWmduHaIF3aAmqMSBSa6OgyrgLzbiM4M AgUedSXyLPsgrUdjaMn/ufBoetZOjg2Av2h4QUoGdYPOPaUEcnjI5CfCUkGSlzTt0vf/ HEtA== X-Gm-Message-State: AOJu0YyjZtCikGcWN/pN7M6QbQjjiXgKfLbruqNZHmxfnrbXbsN25Ci2 23otWdRlWikiS9OPbTJNaXMRoP9z+VknyBKhlyviHlQYrIUmpqN9PeGpjXc+A8CZficcBRJSzKQ Jy0D5 X-Gm-Gg: ASbGncugs6Z2EK4nAxp03i+ql93/baFgKx2uTABHPElpgKEV234luKLyAi8LyYeB85e 3BtRwLxnfDPdoHYea6IZEKrtcgjlYCf33BseuBgCFalLDR1LAXM+p6maF0bMTC6n87bgsMTlV44 YCFvPpd2yfgP90k0j1yeLo+dhpBBldKwKfZV0HVfIRpC5BMzZT/1KqzmqQI0lqRPu9dL09AzvB+ uFgVfCLdNxsHb+Y70r5OckoODFd+KikvlqZFW0jDIbpU315U4ERsFDZoJgIhlmWtJOg35QSl507 m/cdK1Fww1P4NtSJumGfZsShcLBa7rpA6I0oqRvan5AAR2dezpSzpg== X-Google-Smtp-Source: AGHT+IFQNgfnhY2sQhPg73YfmuewYNoq7LW3iqOYhwwGenTJRYleh5d+18px28PbH2TRyvISyK002Q== X-Received: by 2002:a17:902:f68f:b0:231:b7e1:c978 with SMTP id d9443c01a7336-23414f6229fmr253225815ad.16.1748443411572; Wed, 28 May 2025 07:43:31 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:31 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/11] ruby: fix CVE-2025-27221 Date: Wed, 28 May 2025 07:43:09 -0700 Message-ID: <421d7011269f4750f5942b815d68f77fa4559d69.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217358 From: Divya Chellam In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. Reference: https://security-tracker.debian.org/tracker/CVE-2025-27221 Upstream-patches: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2025-27221-0001.patch | 57 +++++++++++++++ .../ruby/ruby/CVE-2025-27221-0002.patch | 73 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.3.5.bb | 2 + 3 files changed, 132 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch new file mode 100644 index 0000000000..95802d04f9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch @@ -0,0 +1,57 @@ +From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 16:29:36 +0900 +Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+ + +CVE: CVE-2025-27221 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495] + +Signed-off-by: Divya Chellam +--- + lib/uri/generic.rb | 6 +++++- + test/uri/test_generic.rb | 11 +++++++++++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb +index f3540a2..ecc78c5 100644 +--- a/lib/uri/generic.rb ++++ b/lib/uri/generic.rb +@@ -1141,7 +1141,11 @@ module URI + end + + # RFC2396, Section 5.2, 7) +- base.set_userinfo(rel.userinfo) if rel.userinfo ++ if rel.userinfo ++ base.set_userinfo(rel.userinfo) ++ else ++ base.set_userinfo(nil) ++ end + base.set_host(rel.host) if rel.host + base.set_port(rel.port) if rel.port + base.query = rel.query if rel.query +diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb +index e661937..17ba2b6 100644 +--- a/test/uri/test_generic.rb ++++ b/test/uri/test_generic.rb +@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase + # must be empty string to identify as path-abempty, not path-absolute + assert_equal('', url.host) + assert_equal('http:////example.com', url.to_s) ++ ++ # sec-2957667 ++ url = URI.parse('http://user:pass@example.com').merge('//example.net') ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) ++ url = URI.join('http://user:pass@example.com', '//example.net') ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) ++ url = URI.parse('http://user:pass@example.com') + '//example.net' ++ assert_equal('http://example.net', url.to_s) ++ assert_nil(url.userinfo) + end + + def test_parse_scheme_with_symbols +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch new file mode 100644 index 0000000000..4435b87c34 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch @@ -0,0 +1,73 @@ +From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 21 Feb 2025 18:16:28 +0900 +Subject: [PATCH] Fix merger of URI with authority component + +https://hackerone.com/reports/2957667 + +Co-authored-by: Nobuyoshi Nakada + +CVE: CVE-2025-27221 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5] + +Signed-off-by: Divya Chellam +--- + lib/uri/generic.rb | 19 +++++++------------ + test/uri/test_generic.rb | 7 +++++++ + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb +index ecc78c5..2c0a88d 100644 +--- a/lib/uri/generic.rb ++++ b/lib/uri/generic.rb +@@ -1133,21 +1133,16 @@ module URI + base.fragment=(nil) + + # RFC2396, Section 5.2, 4) +- if !authority +- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path +- else +- # RFC2396, Section 5.2, 4) +- base.set_path(rel.path) if rel.path ++ if authority ++ base.set_userinfo(rel.userinfo) ++ base.set_host(rel.host) ++ base.set_port(rel.port || base.default_port) ++ base.set_path(rel.path) ++ elsif base.path && rel.path ++ base.set_path(merge_path(base.path, rel.path)) + end + + # RFC2396, Section 5.2, 7) +- if rel.userinfo +- base.set_userinfo(rel.userinfo) +- else +- base.set_userinfo(nil) +- end +- base.set_host(rel.host) if rel.host +- base.set_port(rel.port) if rel.port + base.query = rel.query if rel.query + base.fragment=(rel.fragment) if rel.fragment + +diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb +index 17ba2b6..1a70dd4 100644 +--- a/test/uri/test_generic.rb ++++ b/test/uri/test_generic.rb +@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase + assert_equal(u0, u1) + end + ++ def test_merge_authority ++ u = URI.parse('http://user:pass@example.com:8080') ++ u0 = URI.parse('http://new.example.org/path') ++ u1 = u.merge('//new.example.org/path') ++ assert_equal(u0, u1) ++ end ++ + def test_route + url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html') + assert_equal('b.html', url.to_s) +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb index c91c51657f..b37f0d03e7 100644 --- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb +++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb @@ -28,6 +28,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ file://CVE-2025-27219.patch \ file://CVE-2025-27220.patch \ + file://CVE-2025-27221-0001.patch \ + file://CVE-2025-27221-0002.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" From patchwork Wed May 28 14:43:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63739 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91B5BC5B54E for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.17593.1748443414351109290 for ; Wed, 28 May 2025 07:43:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=g81DuBNO; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-2341814895bso36413425ad.0 for ; Wed, 28 May 2025 07:43:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443413; x=1749048213; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/WMrM9TsXwBuW+aYuAoHbQ2WsdPLOlBZrutw229olbY=; b=g81DuBNOyllrS5koKI/7HUEVcc/Smx2qtSPexH8nHUU3tJR4UrCECH5c5y0npiHGVh HPUxHnjj/zjfia80jWVzKC7qchF5dkhrx6p5M5tFb02VauN9IGlDxEM71q9E6af6KEjq EEpUtw4zSJiyJnQWsVxUQ59lGDMlhSgpUHYYRzFmE/og4h6tYQZ695EYG25thTGQ3bs1 suhAmDZmRtVjoJ6MReu7JoJK1peYhOen7EfuMprq2HNPwKecO5c7NF2g/7Es31yMM/RB UzMMNvavhEzlMG8RNJXQ7lnE+y1NznZuiAfP4C1LJTlK8Q5GHtvpIRAvftZXhlx5LNM9 Ggwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443413; x=1749048213; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/WMrM9TsXwBuW+aYuAoHbQ2WsdPLOlBZrutw229olbY=; b=dCDNB94ScAANcaPSya68n3GP+57ASzN1AUkffyk6ZgP5Sh5+JmB2vxnmSQ4edQKraE G4sEdJg1R3xRQLQiDTr892dsZ92YpA54PKRXvQRrd03LuLPqrHKd1bIv/EnvNInIdNsQ r78XX7hzw7XArkhIKGS2ABv+mcmDi01vpmn4ibtZRzSKwotXtZPKJj6/MaCne8KnOrVh KY12IwJeBBtK41S5Brv87v+8OyQm82ZDoC6rvHeclM06D2HiThhK2ewTspq1ggtXapPE h0Bkmm17Q/KCYGRDnUE+TuNX/a2IcMq4KFajIp/tIgF8ISHHVca8sNrr/Un5cS5CCVix 2OsQ== X-Gm-Message-State: AOJu0Yxz9EgSGduUjHRzka3976NUbiCCaCXQQ8tGpnL0vPSygRv6Bppx TR9jnQzc2kmgGElyT++d0rC0qCoMNNqMGGjM+o+8LoKw+Dk0YRMeaoJMmmt2JObvY6HCKzvn2C5 XkzNz X-Gm-Gg: ASbGncu/gVf5bNikDCv6qu9yiVI/Nbwq6b0ccorNJzlB+4NWIaCWDssh3gXiPlgQHcY OOUJqfFbjUDr9EY13ARvECxMgDxl8vwLMUXoCMmiY4TqUop2O0SVq/IdvVcXbUI0BZFk9nQRfoC N7nz0o0rauXoHJc1iGLCz9HFh6sKH6l67urYoMDkEI8qQ3JS8qZP3lfE/2YEL6NZxvNOayqKZXW 5i5a285w3i1JrjNvuUhi/B5dOnwX3ThLJ8pgG/IjOIoau+v9sWtT+Bgz1PivG3kDCS8/Yrvd5pY O8uMngliS9kX30GGBz6s0dk8OaW9Obar/z+jbD7bI0U= X-Google-Smtp-Source: AGHT+IF4msbJpcMFJ8Z9rNsXfcNa5UCKIKew6akjaoOpS4xIyU1PYQhz0LfBFTe3Dpm5HA2bO+dWvw== X-Received: by 2002:a17:902:ea05:b0:234:e3b7:5d0f with SMTP id d9443c01a7336-234e3b75fabmr21459375ad.0.1748443413555; Wed, 28 May 2025 07:43:33 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:33 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/11] libsoup: patch CVE-2025-4476 Date: Wed, 28 May 2025 07:43:10 -0700 Message-ID: <91231813d04680f93a08cb29540073bb4749e22f.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217359 From: Ashish Sharma Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c] Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-3.4.4/CVE-2025-4476.patch | 38 +++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch new file mode 100644 index 0000000000..cd5619d620 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch @@ -0,0 +1,38 @@ +From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 09:27:01 -0500 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c] +CVE: CVE-2025-4476 +Signed-off-by: Ashish Sharma + + + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d8bb2910..292f2045 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri) + if (uri && + g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 && + g_uri_get_port (uri) == g_uri_get_port (source_uri) && +- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri))) ++ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri))) + dir = g_strdup (g_uri_get_path (uri)); + else + dir = NULL; +-- +GitLab + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 8cca980faf..d3a0840044 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32906-2.patch \ file://CVE-2025-46420.patch \ file://CVE-2025-32914.patch \ + file://CVE-2025-4476.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Wed May 28 14:43:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63740 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4AEDC5B553 for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.17465.1748443415789793737 for ; Wed, 28 May 2025 07:43:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yNFMYx3H; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-22d95f0dda4so50468915ad.2 for ; Wed, 28 May 2025 07:43:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443415; x=1749048215; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=yAnFlkA8So27/5ZaH5B/oXMHV6qrwY0cZc5r1ufpqBw=; b=yNFMYx3HGYwl91b9MFy5kXSv9n7PjZtcwFiIgZeUpd8XkSMduV3uJ53G68BNpQoFOW ByFMWn4OU18TEOTHlzs7DK1S0DWt4aiZc04qA4Xe7X05DrmqagVP04W7pAlrZyBQ24qO 7IlI96gIJmOd2rI6Hu1oOW0jC/0S52Je5Vg+dhuc/fnKGINSDgQJqwH7w27PmUjBq9j1 VhtBh/t5Q2zRb5ZBcfoSA4DzUZpVBzs91zrHZe9LJ/4FDvb2fsNwHhBgtt1mXXRJZPK7 Uti5BcLo3lfaAAdn78oUdSV9IsFYaAanC/tvbT3BQSv5Q83++7WbKGBocN4SLGlihewy ZMxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443415; x=1749048215; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=yAnFlkA8So27/5ZaH5B/oXMHV6qrwY0cZc5r1ufpqBw=; b=AjY8cmaamyZEbKRbDJ1CpXJL2Sd5ep4j9Ox/k82qBel4bK2dE53xEcRpyrvuBcxx1C 1Hr+dd7yOCgvRXup64i7CSF9NAC6N7lPQm1uRIsI46x+r1d8YqkX4GecSJO6RHyXF6jf NCF4HcgLr151/3GYFXCmIk36KIIyg5eCI3tR/bnUiErwR1ZmaQnzyvdtnr/SsUNw+TU6 WYEgLnZHKp0Xol7d2e1PBDjWdJ8Lw1U04u4JiPa3xLPTND7J8U1xeOkewYIHu/tukfb2 DpBv/QBzLnZDgmWvubfCF6aiBomZ6kyMcxWro36Yk0zBSKx8Jjza3E6ouodCLzhTd2u6 AxdA== X-Gm-Message-State: AOJu0YyZi7gOilzL97q9kleLSsxwcJTYTNWaLzkYaCQwSeDKB5oRDkAH NIbmrFbn3wNUl6pb6dGPMNgWXCc2tBQ34fIGCPHd83GadhGISX4fNdfRIj7TVtrNx9P58aPlIAB C6E6n X-Gm-Gg: ASbGncsmKSL2Ee5DqeGlUjFrp32yCfIundqBiKWB8Y7afmWfzKc50IVpLZraPAqBC7t k87BZaPOZC2Q8xxHLaiCbAn4sIkuLCMFbhEepocMwbAFbsNsZEc5pjx6V6EWfMZ8ftiA9oLVYzl o5yoQKY6UHnbOdu7rEJdJakwnjbGFjRA38WDNEs0ml64pbkqvBrv/j8AFgO8XorljQoJH/NksA0 g5uH66u9swKkRsfJo2ZwOAlCGs/oFSaiDEqQN0b5/2J39X2uaf3KjWn99F//kPV4Z5cn8zAUU4B FY8I/C0396HUfQpKUReSakA2T3JWl/O3IuM1dZwahJI= X-Google-Smtp-Source: AGHT+IEaRMI+UvNwWStRCpAs7HJdQrTo0Ohdozg/QyWZ0m3Xd7lINgNgYX6wOMVaE2ErBrJTfHknrA== X-Received: by 2002:a17:902:d2c5:b0:234:a992:96d8 with SMTP id d9443c01a7336-234a992983fmr86143375ad.19.1748443414966; Wed, 28 May 2025 07:43:34 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:34 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/11] binutils: set CVE_STATUS for CVE-2025-1180 Date: Wed, 28 May 2025 07:43:11 -0700 Message-ID: <9c63f1c73426532a94f01fbbe26c9f52a3c4fdf7.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217360 From: Harish Sadineni CVE-2025-1180 is fixed with patch from CVE-2025-1176. More details about CVE is here: https://nvd.nist.gov/vuln/detail/CVE-2025-1179 Signed-off-by: Harish Sadineni Signed-off-by: Steve Sakoman --- meta/recipes-devtools/binutils/binutils-2.42.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 6d0390b5a9..16db8bc05e 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -19,6 +19,7 @@ SRCBRANCH ?= "binutils-2_42-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier" +CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" SRCREV ?= "6558f9f5f0ccc107a083ae7fbf106ebcb5efa817" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" From patchwork Wed May 28 14:43:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63738 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E2AFC5B543 for ; Wed, 28 May 2025 14:43:38 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.web11.17466.1748443417716839878 for ; Wed, 28 May 2025 07:43:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sUghfHZW; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-2347b7d6aeeso31771005ad.2 for ; Wed, 28 May 2025 07:43:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443417; x=1749048217; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+Xt8AOhIxnzKX3d+dhcIMui3uDInPFRFG1qujt5o3h4=; b=sUghfHZWePHbRAaw+uk2ObLAEKAAzYlq6LLyLKWN/YipeNtDr2eiv743u5NerGqeCY Ec6VPoi+wC8kaB0PSSNobmsqOcly53HTug2qeUcMZu6ea6TnZsLqVrJS8Kx96Si13fBk Rw8/5Qq//aLChOIa/8/dpvtpTzeSOovJAafDJoIUMOVwRUeutQw/pH/CABAQX/CyhTPc XylrQz1gGta3chjJb1KFjFyRBOo6gt+43ZEpVXJOz05IlkbeqF+wvEuxMt/RqbWtYi5I OQhgbUCLhmV90iaFu6RqGSk/HAZGk6dOtqq12vhbuiUWNLZKTT8MKekEKPo1cFJgd9uF a5Bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443417; x=1749048217; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+Xt8AOhIxnzKX3d+dhcIMui3uDInPFRFG1qujt5o3h4=; b=TfC2dOJwhbgkUWjKziuJxXRW78M8Lad6Jdqm2iapbbAAOthT9ZeuDxH7Y+GMrje4ed 793uhhzjiX2vpvUG9TlzQZGPeQ79vKncPJHThhsEjdAg1B8TSsOVut/DqACMe8uwNOeQ 4CQUTWw7CilBE8XuQ/+SpAhSO44LoE1OHuKN/Aa3qGAvJeWdi27Lk/7lCu7EEX9wOHKe 8TyV6oY385yRfGGCr0dBadamj0WjPNINfF7ISPUQ3crbgczkil37c93K8Jt+rxb9Fyo0 W7QWydsQAGMmjZqtIPeIt8+ImfGJCUrLScTiINpTkiNJeZ8VmjRub/yTQMVJdCRP3NIf PTXA== X-Gm-Message-State: AOJu0YzRS6DC6Ib5goqNGHg4DYwMoFC4tSAR1wT8hrn+s+oAEe+6pLfv H9cxUh9ebfO2eE3B6q0GnNlHvn6NcBrAIe12+elu6x7CwN5jvwWWa3uxqpNw/V27VXnLlRUgKmq DC1Zj X-Gm-Gg: ASbGncsj/yG6EoHpdUWAPpZHpHnW7lhghcKrgQpnV0Ms3d7fQwlGPkHk4FFFNdfuwVT HddFgFoTofMZrjRoLP2nOyq0Op+nmwHc3GWlFmcjdkB+gyPD/7QTudtI/iU0yvJy381l3YR1q1g 64ErVoRc6pfUkP+V+VXdQ22HB1QdPIWy0rX1AcA6wWe9OBYF4EaylZBezoiE4CWhalg6tLTZb+c WGMLdAfZyyJOS07B1Ku/+wuimzROyz1Tk9lz7X9rcpgQdeubyM0JQqz8hXFvwMPvtxJS8DK0YmG 8+aZpNaaexS/MhQMTrITHKCf3Ou8GZJNEidyRnxDeRiFiqgzHEqsUw== X-Google-Smtp-Source: AGHT+IHFJUMDQGw0waIeSjJcTVHQ1dZWblYnsq6k2QxX+V1WWlsGecZl8qiwdykQy8gx7AJcoro0iA== X-Received: by 2002:a17:902:d485:b0:234:9094:3fb1 with SMTP id d9443c01a7336-23490943fc3mr141208765ad.35.1748443416760; Wed, 28 May 2025 07:43:36 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:36 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/11] ffmpeg: upgrade 6.1.1 -> 6.1.2 Date: Wed, 28 May 2025 07:43:12 -0700 Message-ID: <57e25585abf34677451c68d581374245e5b4b418.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217361 From: Divyanshu Rathore ffmpeg_6.1.2 is the newest available stable release for 6.1. It introduces quite a few bug and CVE fixes, which should help all. CVEs that are fixed in the upgrade: CVE-2024-32230 CVE-2024-35366 CVE-2024-36613 CVE-2024-36616 CVE-2024-36617 CVE-2024-36619 CVE-2024-7055 During upgrade it was noticed that the CVE scan doesn't pick up the CVEs as unpatched (CVE-2025-0518, CVE-2025-22919, CVE-2025-22921, CVE-2025-25473, CVE-2024-36618, CVE-2024-35369, CVE-2024-35368, CVE-2024-35367, CVE-2024-35365, CVE-2024-28661, CVE-2023-50007, CVE-2023-49528, CVE-2023-49501), due to improper versioning in NVD, they are affecting 6.1.2 and hence we are leaving the patches in. check the changelog mention below for information about fixes. changelog: https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.1.2 This upgrade fixes CVE's hence remove those patches. Refresh vulkan_av1_stable_API.patch as per new codebase. Signed-off-by: Divyanshu Rathore Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-32230.patch | 36 ----------------- .../ffmpeg/ffmpeg/CVE-2024-35366.patch | 35 ---------------- .../ffmpeg/ffmpeg/CVE-2024-36613.patch | 37 ----------------- .../ffmpeg/ffmpeg/CVE-2024-36616.patch | 35 ---------------- .../ffmpeg/ffmpeg/CVE-2024-36617.patch | 36 ----------------- .../ffmpeg/ffmpeg/CVE-2024-36619.patch | 36 ----------------- .../ffmpeg/ffmpeg/CVE-2024-7055.patch | 38 ------------------ .../ffmpeg/ffmpeg/vulkan_av1_stable_API.patch | 40 +++++++++---------- .../{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} | 9 +---- 9 files changed, 21 insertions(+), 281 deletions(-) delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} (96%) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch deleted file mode 100644 index 0f30c9ecf5..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Mon, 8 Apr 2024 18:38:42 +0200 -Subject: [PATCH] avcodec/mpegvideo_enc: Fix 1 line and one column images - -Fixes: Ticket10952 -Fixes: poc21ffmpeg -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-32230 - -Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1] - -Signed-off-by: Archana Polampalli ---- - libavcodec/mpegvideo_enc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c -index e460ca4..fb4aaa2 100644 ---- a/libavcodec/mpegvideo_enc.c -+++ b/libavcodec/mpegvideo_enc.c -@@ -1198,8 +1198,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) - int dst_stride = i ? s->uvlinesize : s->linesize; - int h_shift = i ? s->chroma_x_shift : 0; - int v_shift = i ? s->chroma_y_shift : 0; -- int w = s->width >> h_shift; -- int h = s->height >> v_shift; -+ int w = AV_CEIL_RSHIFT(s->width , h_shift); -+ int h = AV_CEIL_RSHIFT(s->height, v_shift); - const uint8_t *src = pic_arg->data[i]; - uint8_t *dst = pic->f->data[i]; - int vpad = 16; --- -2.40.0 - diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch deleted file mode 100644 index f7f16a5b92..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Tue, 26 Mar 2024 00:39:49 +0100 -Subject: [PATCH] avformat/sbgdec: Check for negative duration - -Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' -Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 - -Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-35366 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6] - -Signed-off-by: Archana Polampalli ---- - libavformat/sbgdec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c -index b2662ea..281fe62 100644 ---- a/libavformat/sbgdec.c -+++ b/libavformat/sbgdec.c -@@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p) - case 'L': - FORWARD_ERROR(parse_optarg(p, opt, &oarg)); - r = str_to_time(oarg.s, &p->scs.opt_duration); -- if (oarg.e != oarg.s + r) { -+ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { - snprintf(p->err_msg, sizeof(p->err_msg), - "syntax error for option -L"); - return AVERROR_INVALIDDATA; --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch deleted file mode 100644 index 0061b7ad98..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 50d8e4f27398fd5778485a827d7a2817921f8540 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Sat, 30 Sep 2023 00:51:29 +0200 -Subject: [PATCH] avformat/dxa: Adjust order of operations around block align - -Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 -Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' - -Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg -Signed-off-by: Michael Niedermayer -(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-36613 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/50d8e4f27398fd5778485a827d7a2817921f8540] - -Signed-off-by: Archana Polampalli ---- - libavformat/dxa.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavformat/dxa.c b/libavformat/dxa.c -index 474b852..b4d9d00 100644 ---- a/libavformat/dxa.c -+++ b/libavformat/dxa.c -@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) - if(ast->codecpar->block_align) { - if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) - return AVERROR_INVALIDDATA; -- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; -+ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; - } - c->bytes_left = fsize; - c->wavpos = avio_tell(pb); --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch deleted file mode 100644 index 3f02c45b33..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Tue, 26 Mar 2024 01:00:13 +0100 -Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets - -Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' -Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 - -Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-36616 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661] - -Signed-off-by: Archana Polampalli ---- - libavformat/westwood_vqa.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c -index 03b2d9e..024f5d3 100644 ---- a/libavformat/westwood_vqa.c -+++ b/libavformat/westwood_vqa.c -@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, - break; - case SND2_TAG: - /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ -- pkt->duration = (chunk_size * 2) / wsvqa->channels; -+ pkt->duration = (chunk_size * 2LL) / wsvqa->channels; - break; - } - break; --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch deleted file mode 100644 index 5d751213e3..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Sat, 30 Sep 2023 00:38:17 +0200 -Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit - -Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' -Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 -Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 - -Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-36617 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7] - -Signed-off-by: Archana Polampalli ---- - libavformat/cafdec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c -index f5ba0f4..e92e327 100644 ---- a/libavformat/cafdec.c -+++ b/libavformat/cafdec.c -@@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) - } - } - -- if (avio_tell(pb) - ccount > size) { -+ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { - av_log(s, AV_LOG_ERROR, "error reading packet table\n"); - return AVERROR_INVALIDDATA; - } --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch deleted file mode 100644 index 63d08eabcc..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 28c7094b25b689185155a6833caf2747b94774a4 Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Thu, 4 Apr 2024 00:15:27 +0200 -Subject: [PATCH] avcodec/wavarc: fix signed integer overflow in block type - 6/19 - -Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int' -Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816 - -Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-36619 - -Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4] - -Signed-off-by: Archana Polampalli ---- - libavcodec/wavarc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c -index 09ed4d4..51d91a4 100644 ---- a/libavcodec/wavarc.c -+++ b/libavcodec/wavarc.c -@@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx, - for (int o = 0; o < order; o++) - sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - -- samples[n + 70] += ac_out[n] + (sum >> 4); -+ samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); - } - - for (int n = 0; n < 70; n++) --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch deleted file mode 100644 index afd857ceac..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 587acd0d4020859e67d1f07aeff2c885797ebcce Mon Sep 17 00:00:00 2001 -From: Michael Niedermayer -Date: Thu, 18 Jul 2024 21:12:54 +0200 -Subject: [PATCH] avcodec/pnmdec: Use 64bit for input size check - -Fixes: out of array read -Fixes: poc3 - -Reported-by: VulDB CNA Team -Found-by: CookedMelon -Signed-off-by: Michael Niedermayer -(cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8) -Signed-off-by: Michael Niedermayer - -CVE: CVE-2024-7055 - -Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=587acd0d4020859e67d1f07aeff2c885797ebcce] - -Signed-off-by: Archana Polampalli ---- - libavcodec/pnmdec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c -index acd77ea..40cc2ae 100644 ---- a/libavcodec/pnmdec.c -+++ b/libavcodec/pnmdec.c -@@ -264,7 +264,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, AVFrame *p, - break; - case AV_PIX_FMT_GBRPF32: - if (!s->half) { -- if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream) -+ if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream) - return AVERROR_INVALIDDATA; - scale = 1.f / s->scale; - if (s->endian) { --- -2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch index 74db148b3b..be6c6b7416 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch @@ -6,6 +6,9 @@ Subject: [PATCH] vulkan_av1: port to the new stable API Co-Authored-by: Dave Airlie Signed-off-by: Dmitry Baryshkov Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/ecdc94b97f809d5f2b88640842fd0541951ad295] + +Comment: Patch is refreshed as per codebase of 6.1.2 +Signed-off-by: Divyanshu Rathore --- configure | 4 +- libavcodec/Makefile | 5 +- @@ -26,7 +29,7 @@ diff --git a/configure b/configure index e853deb51d..9fa639fca6 100755 --- a/configure +++ b/configure -@@ -7300,8 +7300,8 @@ enabled vdpau && +@@ -7160,8 +7160,8 @@ enabled crystalhd && check_lib crystalhd "in maintaining it." if enabled vulkan; then @@ -41,21 +44,19 @@ diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 7ef2e03ca6..9ce6d445c1 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile -@@ -1258,8 +1258,7 @@ SKIPHEADERS += %_tablegen.h \ +@@ -1284,7 +1284,6 @@ SKIPHEADERS + aacenc_quantization.h \ aacenc_quantization_misc.h \ bitstream_template.h \ -- vulkan_video_codec_av1std.h \ -- $(ARCH)/vpx_arith.h \ -+ $(ARCH)/vpx_arith.h \ +- vulkan_video_codec_av1std_mesa.h \ + $(ARCH)/vpx_arith.h \ SKIPHEADERS-$(CONFIG_AMF) += amfenc.h - SKIPHEADERS-$(CONFIG_D3D11VA) += d3d11va.h dxva2_internal.h -@@ -1280,7 +1279,7 @@ SKIPHEADERS-$(CONFIG_QSVENC) += qsvenc.h +@@ -1306,7 +1305,7 @@ SKIPHEADERS-$(CONFIG_XVMC) + SKIPHEADERS-$(CONFIG_VAAPI) += vaapi_decode.h vaapi_hevc.h vaapi_encode.h SKIPHEADERS-$(CONFIG_VDPAU) += vdpau.h vdpau_internal.h SKIPHEADERS-$(CONFIG_VIDEOTOOLBOX) += videotoolbox.h vt_internal.h --SKIPHEADERS-$(CONFIG_VULKAN) += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode.h +-SKIPHEADERS-$(CONFIG_VULKAN) += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode_mesa.h +SKIPHEADERS-$(CONFIG_VULKAN) += vulkan.h vulkan_video.h vulkan_decode.h SKIPHEADERS-$(CONFIG_V4L2_M2M) += v4l2_buffers.h v4l2_context.h v4l2_m2m.h SKIPHEADERS-$(CONFIG_ZLIB) += zlib_wrapper.h @@ -866,19 +867,19 @@ diff --git a/libavcodec/vulkan_video.h b/libavcodec/vulkan_video.h index bb69e920bb..01a1de7d9d 100644 --- a/libavcodec/vulkan_video.h +++ b/libavcodec/vulkan_video.h -@@ -22,8 +22,6 @@ +@@ -23,8 +23,6 @@ #include "vulkan.h" #include --#include "vulkan_video_codec_av1std.h" --#include "vulkan_video_codec_av1std_decode.h" +-#include "vulkan_video_codec_av1std_mesa.h" +-#include "vulkan_video_codec_av1std_decode_mesa.h" #define CODEC_VER_MAJ(ver) (ver >> 22) #define CODEC_VER_MIN(ver) ((ver >> 12) & ((1 << 10) - 1)) -diff --git a/libavcodec/vulkan_video_codec_av1std_decode.h b/libavcodec/vulkan_video_codec_av1std_decode.h +diff --git a/libavcodec/vulkan_video_codec_av1std_decode_mesa.h b/libavcodec/vulkan_video_codec_av1std_decode_mesa.h deleted file mode 100644 index e2f37b4e6e..0000000000 ---- a/libavcodec/vulkan_video_codec_av1std_decode.h +--- a/libavcodec/vulkan_video_codec_av1std_decode_mesa.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Copyright 2023 Lynne @@ -897,8 +898,8 @@ index e2f37b4e6e..0000000000 - * limitations under the License. - */ - --#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_ --#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_ 1 +-#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_ +-#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_ 1 - -/* -** This header is NOT YET generated from the Khronos Vulkan XML API Registry. @@ -917,10 +918,10 @@ index e2f37b4e6e..0000000000 -#endif - -#endif -diff --git a/libavcodec/vulkan_video_codec_av1std.h b/libavcodec/vulkan_video_codec_av1std.h +diff --git a/libavcodec/vulkan_video_codec_av1std_mesa.h b/libavcodec/vulkan_video_codec_av1std_mesa.h deleted file mode 100644 index c91589eee2..0000000000 ---- a/libavcodec/vulkan_video_codec_av1std.h +--- a/libavcodec/vulkan_video_codec_av1std_mesa.h +++ /dev/null @@ -1,403 +0,0 @@ -/* Copyright 2023 Lynne @@ -939,8 +940,8 @@ index c91589eee2..0000000000 - * limitations under the License. - */ - --#ifndef VULKAN_VIDEO_CODEC_AV1STD_H_ --#define VULKAN_VIDEO_CODEC_AV1STD_H_ 1 +-#ifndef VULKAN_VIDEO_CODEC_AV1STD_MESA_H_ +-#define VULKAN_VIDEO_CODEC_AV1STD_MESA_H_ 1 - -/* -** This header is NOT YET generated from the Khronos Vulkan XML API Registry. @@ -1379,4 +1380,3 @@ diff --git a/libavcodec/vulkan_video.c b/libavcodec/vulkan_video.c -- 2.25.1 - diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb similarity index 96% rename from meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb rename to meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb index 3d766c3fc7..04356b9932 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb @@ -31,21 +31,14 @@ SRC_URI = " \ file://CVE-2024-31578.patch \ file://CVE-2024-31582.patch \ file://CVE-2023-50008.patch \ - file://CVE-2024-32230.patch \ file://CVE-2023-49501.patch \ file://CVE-2024-28661.patch \ file://CVE-2023-50007.patch \ file://CVE-2023-49528.patch \ - file://CVE-2024-7055.patch \ - file://CVE-2024-35366.patch \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ file://CVE-2024-35365.patch \ - file://CVE-2024-36613.patch \ - file://CVE-2024-36616.patch \ - file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ - file://CVE-2024-36619.patch \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ file://CVE-2025-22919.patch \ @@ -53,7 +46,7 @@ SRC_URI = " \ file://CVE-2025-0518.patch \ " -SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968" +SRC_URI[sha256sum] = "3b624649725ecdc565c903ca6643d41f33bd49239922e45c9b1442c63dca4e38" # https://nvd.nist.gov/vuln/detail/CVE-2023-39018 # https://github.com/bramp/ffmpeg-cli-wrapper/issues/291 From patchwork Wed May 28 14:43:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63744 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A89E6C3ABB2 for ; Wed, 28 May 2025 14:43:48 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web11.17469.1748443419811710736 for ; Wed, 28 May 2025 07:43:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=v5vM43Ox; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-234477e3765so29958795ad.2 for ; Wed, 28 May 2025 07:43:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443419; x=1749048219; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Zplq//LQ3z4ESF6fgkLYdT5RBZ6GYAqpT6qDa9bS1wE=; b=v5vM43Oxh/BwsBLDFM06G0RrCf1CYJ+hmhxr/1mnL8NaTRpfjAx1ni0vUTAdR97+Lt gIHpPmIgIqeuNJcjGfQj/wQbgrGGGVeLVCRMcM9rRpbFs5Ypb/MKPk5qjcSCb5QTDtf0 kG6Sra3t+8ipk7PN0kzzYJB9FHlaF1KPwRtQM/at5M7E0dCqDh7Ph9lhc8sZRlIR9Gm1 YUaDvkyEKITpPDcMWaPeujJA4UB8WiFLZk7LhHGY61NhXd/sApnLnenm8y4tc1aEg5mx FZcgYT3dg+fHe2u/S68DorUhN8otaPbgpcl/oMW8s2IOSw9ZxEgo1UpTlT/0B0X9JuBZ pMog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443419; x=1749048219; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Zplq//LQ3z4ESF6fgkLYdT5RBZ6GYAqpT6qDa9bS1wE=; b=W5ulUx82/ypL8RSKRe08Epq5pcXla7HbbobQjqvO6MfEs+wJfmpUvkWX59uQvfFvSF qsH6f6OdZDvXeDkkXuvgkTVRml+F1V09DgQh8uSKWqWLODDcuRvH0Ha9Rs4X/kNpOE1p LTH7adynVMDMqa72oPGIKNp/csry81Q5aei3Sx8l8dD+ZMfx65A/sOWLBhGcfGJ2+2Yi yPtgF0g1xvEH4MDyKxHr1T6kjMXikzwo0fhsg5cT8wcEj7Apkv9fTkEf+ugxAZt8XCA0 B+l1e8w91uf0QIr7L3HObHthiKKjOvymMXbQRv+Cx4hPaakfAJLJBevHCv4chBiPV9+c UbGA== X-Gm-Message-State: AOJu0Yyn76q+mUMNfsSOd2eQiGIvOPGGnjOQg/sA8qx9YkBEGHSan9UO l5qlL0MjXzZbW9zpeHAAh9gOhrKeRsEGO1r7BaEJiyeF3nkKo2a67HQ5oc71WeuCJDmhxvC6jIH C4Bb+ X-Gm-Gg: ASbGncuAx0EF7qHBxXuvhwWv4O715lkfoU4PnEpIJUKKO14EnsqQYdGpmIgbrQab+pW 8VWtJX+bdz9+CUQ492W5rwYamipVRWhF3zLrGvYwVyHises/Sh80W1WR6kuEuOLYtZQ1yIalaYc PTlsIvF7Qz+kDhOukHKCm/8Gtg80q/oM4oXqGq35D/6g/Kfy2hkABVLy7q6nWbVHv9R/xe1fhkB n3ALN4mpDzM8Gd9cqGY2He1NIaTAMp3s0KFOLPSBvPjH61NFgWtvQBYDcqdRnpSEh1bGF8fIRUH 2e0kS7wIfMO6OCskuqgv325F2Qh07M9zoVvsK5rZs/4= X-Google-Smtp-Source: AGHT+IEDyT9RKab5mRXTCTxPaU+9wcNiPUWuZjcKjnJaQpqQ0pTb0M+3DS7Qro9eXj8bRN0Y+by2eA== X-Received: by 2002:a17:902:db06:b0:234:ba37:8797 with SMTP id d9443c01a7336-234d2a62b3dmr34135115ad.6.1748443418738; Wed, 28 May 2025 07:43:38 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/11] util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB Date: Wed, 28 May 2025 07:43:13 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217362 From: Virendra Thakur During ptest execution, util-linux adds mount entries in /etc/fstab and runs `mount -a`, which mounts all available entries from /etc/fstab. This can cause unintended mounts that are unrelated to the test, leading to incorrect test behavior. To avoid this, upstream util-linux introduced a mechanism using CUSTOM_FSTAB,which isolates test-specific fstab entries. Only entries listed in CUSTOM_FSTAB are mounted during test execution, ensuring tests do not interfere with or depend on the system's /etc/fstab. This commit backports below upstream changes to use CUSTOM_FSTAB. https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484 https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496 Signed-off-by: Virendra Thakur Signed-off-by: Steve Sakoman --- meta/recipes-core/util-linux/util-linux.inc | 1 + .../util-linux/fstab-isolation.patch | 448 ++++++++++++++++++ 2 files changed, 449 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 48520ef951..1ecf5c7b39 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -42,6 +42,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://fcntl-lock.c \ file://CVE-2024-28085-0001.patch \ file://CVE-2024-28085-0002.patch \ + file://fstab-isolation.patch \ " SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f" diff --git a/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch new file mode 100644 index 0000000000..51d209ec60 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch @@ -0,0 +1,448 @@ +From 51f1e56cc8b6843bf65ceadc5eca1545258bf020 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Sat, 22 Apr 2023 17:48:58 +0200 +Subject: [PATCH 1/3] tests: (functions.sh) create variable for test fstab + location +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Thomas Weißschuh +(cherry picked from commit ed3d33faff17fb702a3acfca2f9f24e69f4920de) +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de] +Signed-off-by: Virendra Thakur +--- + tests/functions.sh | 13 +++++++------ + tests/ts/mount/fstab-broken | 2 +- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/tests/functions.sh b/tests/functions.sh +index 5a562a39a..c2e2f33ae 100644 +--- a/tests/functions.sh ++++ b/tests/functions.sh +@@ -386,6 +386,7 @@ function ts_init_env { + TS_ENABLE_UBSAN="yes" + fi + ++ TS_FSTAB="/etc/fstab" + BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab" + + declare -a TS_SUID_PROGS +@@ -824,12 +825,12 @@ function ts_is_mounted { + } + + function ts_fstab_open { +- echo "# " >> /etc/fstab +- sync /etc/fstab 2>/dev/null ++ echo "# -->" >> "$TS_FSTAB" ++ sync "$TS_FSTAB" 2>/dev/null + } + + function ts_fstab_addline { +@@ -838,7 +839,7 @@ function ts_fstab_addline { + local FS=${3:-"auto"} + local OPT=${4:-"defaults"} + +- echo "$SPEC $MNT $FS $OPT 0 0" >> /etc/fstab ++ echo "$SPEC $MNT $FS $OPT 0 0" >> "$TS_FSTAB" + } + + function ts_fstab_lock { +@@ -862,9 +863,9 @@ function ts_fstab_clean { + ba + } + s/# //; +-/^$/d" /etc/fstab ++/^$/d" "$TS_FSTAB" + +- sync /etc/fstab 2>/dev/null ++ sync "$TS_FSTAB" 2>/dev/null + ts_unlock "fstab" + } + +diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken +index 19edc5fe3..3b7a1ee9d 100755 +--- a/tests/ts/mount/fstab-broken ++++ b/tests/ts/mount/fstab-broken +@@ -34,7 +34,7 @@ mkdir -p $MNT + + ts_fstab_lock + ts_fstab_open +-echo "tmpd $MNT tmpfs" >> /etc/fstab ++echo "tmpd $MNT tmpfs" >> "$TS_FSTAB" + ts_fstab_close + + ts_init_subtest "mount" +-- +2.34.1 + + +From 1e4a9141ca7d310030311e09123a81591f994f83 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Sat, 22 Apr 2023 17:20:45 +0200 +Subject: [PATCH 2/3] tests: (functions.sh) use per-test fstab file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Thomas Weißschuh +(cherry picked from commit 6aa8d17b6b53b86a46c5da68c02a893113130496) +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496] +Signed-off-by: Virendra Thakur +--- + tests/functions.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/functions.sh b/tests/functions.sh +index c2e2f33ae..3089e8cda 100644 +--- a/tests/functions.sh ++++ b/tests/functions.sh +@@ -386,7 +386,7 @@ function ts_init_env { + TS_ENABLE_UBSAN="yes" + fi + +- TS_FSTAB="/etc/fstab" ++ TS_FSTAB="$TS_OUTDIR/${TS_TESTNAME}.fstab" + BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab" + + declare -a TS_SUID_PROGS +-- +2.34.1 + + +From 02c483f982e23a86d58cd7c6a4eb4b6e4d5def1a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Sat, 22 Apr 2023 17:34:28 +0200 +Subject: [PATCH 3/3] mount: (tests) explicitly use test fstab location +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Thomas Weißschuh +(cherry picked from commit b1580bd760519a2cf052f023057846e54de47484) +Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484] +Signed-off-by: Virendra Thakur +--- + tests/ts/mount/fslists | 2 +- + tests/ts/mount/fstab-bind | 2 +- + tests/ts/mount/fstab-broken | 4 ++-- + tests/ts/mount/fstab-btrfs | 8 ++++---- + tests/ts/mount/fstab-devname | 4 ++-- + tests/ts/mount/fstab-devname2label | 2 +- + tests/ts/mount/fstab-devname2uuid | 2 +- + tests/ts/mount/fstab-label | 6 +++--- + tests/ts/mount/fstab-label2devname | 4 ++-- + tests/ts/mount/fstab-label2uuid | 4 ++-- + tests/ts/mount/fstab-loop | 4 ++-- + tests/ts/mount/fstab-none | 2 +- + tests/ts/mount/fstab-symlink | 2 +- + tests/ts/mount/fstab-uuid | 6 +++--- + tests/ts/mount/fstab-uuid2devname | 4 ++-- + tests/ts/mount/fstab-uuid2label | 4 ++-- + 16 files changed, 30 insertions(+), 30 deletions(-) + +diff --git a/tests/ts/mount/fslists b/tests/ts/mount/fslists +index 230186a1e..6ac72c3ce 100755 +--- a/tests/ts/mount/fslists ++++ b/tests/ts/mount/fslists +@@ -61,7 +61,7 @@ ts_finalize_subtest + ts_init_subtest "more-types-fstab" + [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT + ts_fstab_add $DEVICE $TS_MOUNTPOINT "foo,bar,ext2" +-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_fstab_clean + ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $TS_MOUNTPOINT +diff --git a/tests/ts/mount/fstab-bind b/tests/ts/mount/fstab-bind +index 2c799df78..cae016dd2 100755 +--- a/tests/ts/mount/fstab-bind ++++ b/tests/ts/mount/fstab-bind +@@ -20,7 +20,7 @@ ts_fstab_add $MY_SOURCE "$TS_MOUNTPOINT" "none" "bind,default,noauto" + mkdir -p $MY_SOURCE + mkdir -p $TS_MOUNTPOINT + +-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + [ "$?" = "0" ] || ts_log "error: mount $TS_MOUNTPOINT" + + $TS_CMD_FINDMNT --mountpoint "$TS_MOUNTPOINT" &> /dev/null +diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken +index 3b7a1ee9d..ec4c34241 100755 +--- a/tests/ts/mount/fstab-broken ++++ b/tests/ts/mount/fstab-broken +@@ -38,7 +38,7 @@ echo "tmpd $MNT tmpfs" >> "$TS_FSTAB" + ts_fstab_close + + ts_init_subtest "mount" +-$TS_CMD_MOUNT $MNT &> /dev/null ++$TS_CMD_MOUNT -T "$TS_FSTAB" $MNT &> /dev/null + [ "$?" = "0" ] || ts_log "error: mount $MNT" + $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null + if [ "$?" != "0" ]; then +@@ -57,7 +57,7 @@ ts_finalize_subtest + + + ts_init_subtest "mount-all" +-$TS_CMD_MOUNT -a &> /dev/null ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a &> /dev/null + [ "$?" = "0" ] || ts_log "error: mount -a" + $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null + if [ "$?" != "0" ]; then +diff --git a/tests/ts/mount/fstab-btrfs b/tests/ts/mount/fstab-btrfs +index a1003ab52..8e76dbba6 100755 +--- a/tests/ts/mount/fstab-btrfs ++++ b/tests/ts/mount/fstab-btrfs +@@ -94,8 +94,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "btrfs" "subvolid=$NON_DEFA + ts_fstab_addline "$TS_MOUNTPOINT_SUBVOLID" "$TS_MOUNTPOINT_BIND" "auto" "bind" + ts_fstab_close + +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG + + $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG + $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG +@@ -124,8 +124,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "auto" "subvolid=$NON_DEFAU + ts_fstab_addline "$TS_MOUNTPOINT_SUBVOL/bind-mnt" "$TS_MOUNTPOINT_BIND" "auto" "bind" + ts_fstab_close + +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG + + $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG + $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG +diff --git a/tests/ts/mount/fstab-devname b/tests/ts/mount/fstab-devname +index 5b64a32a6..6ac03b5a7 100755 +--- a/tests/ts/mount/fstab-devname ++++ b/tests/ts/mount/fstab-devname +@@ -42,13 +42,13 @@ MOUNTPOINT=$TS_MOUNTPOINT + ts_fstab_add $DEVICE + + ts_init_subtest "mountpoint" +-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE || >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "device-name" +-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-devname2label b/tests/ts/mount/fstab-devname2label +index 1d8562109..44066e153 100755 +--- a/tests/ts/mount/fstab-devname2label ++++ b/tests/ts/mount/fstab-devname2label +@@ -41,7 +41,7 @@ ts_device_has "LABEL" $LABEL $DEVICE \ + ts_fstab_add "LABEL=$LABEL" + ts_udevadm_settle "$DEVICE" "LABEL" + +-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE" + +diff --git a/tests/ts/mount/fstab-devname2uuid b/tests/ts/mount/fstab-devname2uuid +index 8105fa028..503959103 100755 +--- a/tests/ts/mount/fstab-devname2uuid ++++ b/tests/ts/mount/fstab-devname2uuid +@@ -39,7 +39,7 @@ UUID=$(ts_uuid_by_devname "$DEVICE") || ts_die "Cannot find UUID on $DEVICE" + ts_fstab_add "UUID=$UUID" + ts_udevadm_settle "$DEVICE" "UUID" + +-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE" + +diff --git a/tests/ts/mount/fstab-label b/tests/ts/mount/fstab-label +index 4b23e7fee..a3cc06d52 100755 +--- a/tests/ts/mount/fstab-label ++++ b/tests/ts/mount/fstab-label +@@ -42,19 +42,19 @@ ts_fstab_add "LABEL=$LABEL" + ts_udevadm_settle "$DEVICE" "LABEL" + + ts_init_subtest "no-option" +-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "L-option" +-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "LABEL-option" +-$TS_CMD_MOUNT LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-label2devname b/tests/ts/mount/fstab-label2devname +index 75ca05e8c..fddbfa0ba 100755 +--- a/tests/ts/mount/fstab-label2devname ++++ b/tests/ts/mount/fstab-label2devname +@@ -44,13 +44,13 @@ ts_udevadm_settle "$DEVICE" "LABEL" + [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT + + ts_init_subtest "L-option" +-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "LABEL-option" +-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-label2uuid b/tests/ts/mount/fstab-label2uuid +index 4bfcae4b9..927cde9aa 100755 +--- a/tests/ts/mount/fstab-label2uuid ++++ b/tests/ts/mount/fstab-label2uuid +@@ -46,13 +46,13 @@ ts_udevadm_settle "$DEVICE" "LABEL" "UUID" + [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT + + ts_init_subtest "L-option" +-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "LABEL-option" +-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-loop b/tests/ts/mount/fstab-loop +index 7cc589fd2..0541e3a74 100755 +--- a/tests/ts/mount/fstab-loop ++++ b/tests/ts/mount/fstab-loop +@@ -39,10 +39,10 @@ ts_fstab_lock + ts_fstab_open + + ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-1" "ext2" "loop" +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG + + ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-2" "ext2" "loop" +-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG + + ts_fstab_close + +diff --git a/tests/ts/mount/fstab-none b/tests/ts/mount/fstab-none +index 6a4d05b62..95daa6cee 100755 +--- a/tests/ts/mount/fstab-none ++++ b/tests/ts/mount/fstab-none +@@ -17,7 +17,7 @@ ts_fstab_add "none" "$TS_MOUNTPOINT" "tmpfs" "rw,nosuid,nodev,relatime" + + mkdir -p $TS_MOUNTPOINT + +-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + [ "$?" = "0" ] || ts_log "error: mount $TS_MOUNTPOINT" + + $TS_CMD_FINDMNT --mountpoint "$TS_MOUNTPOINT" &> /dev/null +diff --git a/tests/ts/mount/fstab-symlink b/tests/ts/mount/fstab-symlink +index 4d3e37b19..6d419f9fe 100755 +--- a/tests/ts/mount/fstab-symlink ++++ b/tests/ts/mount/fstab-symlink +@@ -46,7 +46,7 @@ ln -s $DEVICE $LINKNAME + ts_fstab_add $LINKNAME $TS_MOUNTPOINT "auto" "defaults,user" + + # variant A) -- UID=0 +-$TS_CMD_MOUNT $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $LINKNAME || ts_die "A) Cannot umount $LINKNAME" + +diff --git a/tests/ts/mount/fstab-uuid b/tests/ts/mount/fstab-uuid +index 03917b782..f51bb294e 100755 +--- a/tests/ts/mount/fstab-uuid ++++ b/tests/ts/mount/fstab-uuid +@@ -42,19 +42,19 @@ ts_fstab_add "UUID=$UUID" + ts_udevadm_settle "$DEVICE" "UUID" + + ts_init_subtest "no-option" +-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "U-option" +-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "UUID-option" +-$TS_CMD_MOUNT UUID=$UUID >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" UUID=$UUID >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-uuid2devname b/tests/ts/mount/fstab-uuid2devname +index 9bf165e16..2b338acb1 100755 +--- a/tests/ts/mount/fstab-uuid2devname ++++ b/tests/ts/mount/fstab-uuid2devname +@@ -42,13 +42,13 @@ ts_udevadm_settle "$DEVICE" "UUID" + [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT + + ts_init_subtest "U-option" +-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "UUID-option" +-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest +diff --git a/tests/ts/mount/fstab-uuid2label b/tests/ts/mount/fstab-uuid2label +index de10ff0b0..02eb6b985 100755 +--- a/tests/ts/mount/fstab-uuid2label ++++ b/tests/ts/mount/fstab-uuid2label +@@ -45,13 +45,13 @@ ts_udevadm_settle "$DEVICE" "LABEL" "UUID" + [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT + + ts_init_subtest "U-option" +-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_finalize_subtest + + ts_init_subtest "UUID-option" +-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG ++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG + ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts" + $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>>$TS_ERRLOG + ts_finalize_subtest +-- +2.34.1 + From patchwork Wed May 28 14:43:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63743 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6A73C5B543 for ; Wed, 28 May 2025 14:43:48 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web10.17594.1748443422207602224 for ; Wed, 28 May 2025 07:43:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=uE9sHsM2; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-2301ac32320so40150875ad.1 for ; Wed, 28 May 2025 07:43:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1748443421; x=1749048221; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8w1iA2wvGv4PlUatZ1BQ0pumJKjotlnrZ/kuDwBWr7U=; b=uE9sHsM2jxdiNTEagX7U99l7/s6oi3soKvq0bkxXUUWoShxAHBdAUvgwxM4Vfn0hYC QbHSVa8xBjvOSspaZ4ZdVUx2XigcRtyKnT4u8iAHWIQrfXffSNfQdMqnvAgCYNe1RB5u m7bSTxBGrULHsul7fwFbwcCTwuq/p+DRSoHWGC/t6lzTYOGV656Wo6iaUlZJuQEg5EDB 1WI6Z0C1TdZWDP92uvMhs/Y+MJk06b7xCuF060QFV3R7ABPou0v3N6Vd9FhGcpa3zHuz eOuQDIOoYGmCSA0r7CO5X5yFOopnLMfIUojfIN+1Y37l6Hjksl36octSJGIPHFaiCb8U zmaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748443421; x=1749048221; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8w1iA2wvGv4PlUatZ1BQ0pumJKjotlnrZ/kuDwBWr7U=; b=YL52i8HU6CruE8P/jd0BHTn7emWUXqIZwqXFLSaynyMrcunxuRNGPCeGoJH0yqO5Nf aWhkRE8HlG7rFnYmtJoW8AN7z5rIP4RahMly/vZsphy8NpXbDffgwih4Dlw3DjbgqNVz d16cPZzcBnPnKbCyDBNlFJoZUxlZdcec+FQbWpL5rFs1h2mkLgLu6AHRH39S1ymyT0Wr sr0pqU5iaSvFD97jkr4C1bJhHDyVmnhp8Vg7DeQDTwMcIZDP2Jmz1KDJlZMlU7rebtpd IIqm/95Gv6Ze7jQ5X60SDcI779akDF676O7qmbjRjlnqyysfhtZTKeGmKpOBs73Utgl1 MEIg== X-Gm-Message-State: AOJu0YztAXbw5W1Ozs05LVvcyNrAtcVy4DGL199KJ2Qt/Ocby6EPprRm 6DQidQRVg6jPOG+JO31qPsftXVnVrXfLhpQzs2rJTEm6tipb7rEPEDOTF8Y2Qjgdn3gt+UiCq5v BWx66 X-Gm-Gg: ASbGncspcefgG+MXnaUrWYaO8oesKSKAGpnasOZNO0/nQgmStZjqbU8+Jm2F0hz1E52 h8omvk50POQRcgclKw0S0Fs192gjVPXr89NJWyqd8WKG30d4NmXvDL9K9tQsyEMoqKldLpJ/lki a7CeQQ5TQsq6wJSfNOVaIl2oeWJpLVAAdtxP87aQqaEDHIV2ak4+1QvynGKB7qkAurvQWw3Z8CG YkudCow7+ycUONNs9gbFLBimRq0b7els/w2kxJfOU0nXhKPFZT5qgyHm7aSv+hNZLVga1pm9xKF 5EnVBK+39uYe7a2v2EIWKS+krBttReF0W/41zv0dEIA= X-Google-Smtp-Source: AGHT+IH4P9SmiQTFfcgjBOHpzYtqwMh8pSD07NMH2vgtcfK4p67I/l3pR6wp4amTEX7GINf3fWeFgQ== X-Received: by 2002:a17:903:11c5:b0:234:d2fb:2d0e with SMTP id d9443c01a7336-234d2fb2f7dmr43270895ad.10.1748443421461; Wed, 28 May 2025 07:43:41 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2f2f:1884:f4cc:456c]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-234d358f1e2sm12626285ad.140.2025.05.28.07.43.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 May 2025 07:43:41 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/11] u-boot: ensure keys are generated before assembling U-Boot FIT image Date: Wed, 28 May 2025 07:43:14 -0700 Message-ID: <56431a98ac661eaa42803e83a9ede6eae0b72b67.1748443238.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 28 May 2025 14:43:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217363 From: Rogerio Guerra Borin Add the task dependency: do_uboot_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys to ensure the kernel FIT image signing keys are available when creating the U-Boot DTB. This is done only if the signing of the kernel FIT image is enabled (UBOOT_SIGN_ENABLE="1"). The lack of the dependency causes build errors when executing a build with no kernel FIT keys initially present in the keys directory. In such cases one would see an output like this in the Bitbake logs: Log data follows: | DEBUG: Executing shell function do_uboot_assemble_fitimage | Couldn't open RSA private key: '/workdir/build/keys/fit/dev.key': No such file or directory | Failed to sign 'signature' signature node in 'conf-1' conf node | FIT description: Kernel Image image with one or more FDT blobs | ... This issue was introduced by commit 259bfa86f384 where the dependency between U-Boot and the kernel was removed (for good reasons). Before that commit the dependency was set via DEPENDS so that, in terms of tasks, one had: u-boot:do_configure -> virtual/kernel:do_populate_sysroot and the chain leading to the key generation was: virtual/kernel:do_populate_sysroot -> virtual/kernel:do_install virtual/kernel:do_install -> virtual/kernel:do_assemble_fitimage virtual/kernel:do_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys With the removal of the first dependency, no more guarantees exist that the keys would be present when assembling the U-Boot FIT image. That's the situation we are solving with the present commit. (From OE-Core rev: 036f20156b3c7d0a8b912e90aa29a9b986106d5a) Fixes: d7bd9c627661 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled") Signed-off-by: Rogerio Guerra Borin Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/classes-recipe/uboot-sign.bbclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 5c579a9fb0..699db248e1 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -94,6 +94,8 @@ python() { sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") + if d.getVar('FIT_GENERATE_KEYS') == '1' and sign: + d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys') } concat_dtb() {