From patchwork Wed Jun 4 11:16:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 64247 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD007C5B543 for ; Wed, 4 Jun 2025 11:17:11 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.14128.1749035826561144204 for ; Wed, 04 Jun 2025 04:17:06 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250111c01=archana.polampalli@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544o5KM014812 for ; Wed, 4 Jun 2025 11:17:05 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9q2d45-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:17:05 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:17:04 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:17:02 -0700 From: To: Subject: [oe-core][kirkstone][PATCH 1/4] ffmpeg: upgrade 5.0.1 -> 5.0.3 Date: Wed, 4 Jun 2025 16:46:56 +0530 Message-ID: <20250604111659.3136031-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.49.0 MIME-Version: 1.0 X-Proofpoint-GUID: -sJ7oZHbHSHxrcElFQvtFWf7Updl4pbU X-Authority-Analysis: v=2.4 cv=X8RSKHTe c=1 sm=1 tr=0 ts=68402b31 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=NEAV23lmAAAA:8 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=aH8uB08s4XoK1nAJ2LkA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4NiBTYWx0ZWRfX0GulEjAsHDMQ 3KBciTpxtF/uqL1kPR0x09bXp0UU77+FjuQ+WMpXyT8CzUXZcLOFhhzUj4cEcG1XZrVEKU++uuW K7whIc2LWkIov8DXpjSuVwBKkk7wAXicl/evLOlefR4gngGoyj7AxomuyJuvfmpuuC5HRIILg12 FGO2gdqILwrBR6Zpw/ry+SsFCni5OLYlay6Lu1I1LKah9Mzp+5O/KxTt9bG5vNPUDEE6i+SiptH jzMdswRCAd8TqRLBlSmn4khxbMHKZo23yTJHl3Y0psjpS2osdigeFDFuMC81rwITSNhRD6+GnpS GNtBDPJosJci25zQFngSoyVqc0B8TN8i4j8FIPiJzawo+Fw7JUxmdFkDrsYPk99/030FvvdTZGm CYlRRVaRWJ7+PxkyZReFMQwYvWRpYetXA5mDoKBeS7zAcE6l/NpsqN1bPBjBIHlU90i6kOSv X-Proofpoint-ORIG-GUID: -sJ7oZHbHSHxrcElFQvtFWf7Updl4pbU X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 bulkscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 impostorscore=0 suspectscore=0 adultscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 mlxlogscore=999 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040086 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:17:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217903 From: Archana Polampalli Refreshed CVE-2024-36613.patch against to the current version Removed below patches since already fixed in this version 0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch [1] 0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch [2] 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch [3] 0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch [4] CVE-2022-48434.patch [5] [1] https://github.com/FFmpeg/FFmpeg/commit/1eb002596e3761d88de4aeea3158692b82fb6307 [2] https://github.com/FFmpeg/FFmpeg/commit/293dc39bcaa99f213c6b7a703e11f146abf5d3be [3] https://github.com/FFmpeg/FFmpeg/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7 [4] https://github.com/FFmpeg/FFmpeg/commit/481e81be1271ac9a0124ee615700390c2371bd89 [5] https://github.com/FFmpeg/FFmpeg/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36613.patch | 18 +++++++++--------- .../{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} | 7 +------ 2 files changed, 10 insertions(+), 15 deletions(-) rename meta/recipes-multimedia/ffmpeg/{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} (96%) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch index 300b8d1e49..8dc43c3b68 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch @@ -1,8 +1,7 @@ From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 -Subject: [PATCH 2/4] avformat/dxa: Adjust order of operations around block - align +Subject: [PATCH] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' @@ -22,17 +21,18 @@ Signed-off-by: Archana Polampalli 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c -index 16fbb08..53747c8 100644 +index 474b852..b4d9d00 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c -@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s) - } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) +@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); - avio_seek(pb, c->vidpos, SEEK_SET); --- +-- 2.40.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb similarity index 96% rename from meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb rename to meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 4b99c0fa21..127552396d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -24,11 +24,6 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ - file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ - file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ - file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ - file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \ - file://CVE-2022-48434.patch \ file://CVE-2024-32230.patch \ file://CVE-2023-51793.patch \ file://CVE-2023-50008.patch \ @@ -53,7 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-25473.patch \ " -SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" +SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" # CVE-2023-39018 issue belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) # and not ffmepg itself. From patchwork Wed Jun 4 11:16:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 64248 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB620C5B549 for ; Wed, 4 Jun 2025 11:17:11 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14129.1749035829813694019 for ; Wed, 04 Jun 2025 04:17:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250111c01=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55427bou023528 for ; Wed, 4 Jun 2025 04:17:09 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtc49-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:17:09 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:17:06 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:17:04 -0700 From: To: Subject: [oe-core][kirkstone][PATCH 2/4] ffmpeg: fix CVE-2025-22919 Date: Wed, 4 Jun 2025 16:46:57 +0530 Message-ID: <20250604111659.3136031-2-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250604111659.3136031-1-archana.polampalli@windriver.com> References: <20250604111659.3136031-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: ie6Tyf7bJ6B_vn8oOwSqKL2VSpvATvdf X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68402b35 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=7kzwKhblaiHzeQkmTegA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4NiBTYWx0ZWRfX0Wwn+97X/Onc ax2ThRpSWjOxLuwPjGBghVpAhU/uscTDPR80nt/xsz23XccCktWaDPEM/kMiL0bYOk6i8b3SQV+ rV2T5K8xc8soqKq/OXlpH1PCIv1eoSs8kRsj0n8YTxlUCln3dDZxawO6GreiGhu8BKgB6vs1cSF Oi64u6y1coVrWa50J42il4RW7QFzNF0BpXTLpHboyHXBzJgwUp0CDXha5pj9ob0fMeyA94/w8lP vjbD572OoEfcQDq/6BTpcWqg5oh7v6gaWWC3tS/0kIx4iloouJDIJa5tYRdm05TStO5mHtSNQGE nQSesmHy22xztlpEbCa/lTU38cpmcQwd/76dI87jvaAXQ6vl8c8mqeLQ//8Y9eHL26LhqBsi9xp lmmf/Qdr/s0IdmYUOOHoFBXRJRRoXJr3JGfxBY6HyRwQTf6I/12FEs81uR+M1PAiJjgKUZoz X-Proofpoint-ORIG-GUID: ie6Tyf7bJ6B_vn8oOwSqKL2VSpvATvdf X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=712 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040086 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:17:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217904 From: Archana Polampalli A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2025-22919.patch | 41 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch new file mode 100644 index 0000000000..5e27ad9d5b --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch @@ -0,0 +1,41 @@ +From 145a3a84550a1c3a3b848c12a64b53c3c41d2888 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Mon, 30 Dec 2024 00:25:41 -0300 +Subject: [PATCH] avfilter/buffersrc: check for valid sample rate + +A sample rate <= 0 is invalid. + +Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. +Fixes ticket #11385. + +Signed-off-by: James Almer +(cherry picked from commit 1446e37d3d032e1452844778b3e6ba2c20f0c322) + +CVE: CVE-2025-22919 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/145a3a84550a1c3a3b848c12a64b53c3c41d2888] + +Signed-off-by: Archana Polampalli +--- + libavfilter/buffersrc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c +index b061187..cd2b05d 100644 +--- a/libavfilter/buffersrc.c ++++ b/libavfilter/buffersrc.c +@@ -335,6 +335,11 @@ static av_cold int init_audio(AVFilterContext *ctx) + "channel layout specified\n"); + return AVERROR(EINVAL); + } ++ ++ if (s->sample_rate <= 0) { ++ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); ++ return AVERROR(EINVAL); ++ } + + if (!s->time_base.num) + s->time_base = (AVRational){1, s->sample_rate}; +-- +2.40.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 127552396d..49277f9e2b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -46,6 +46,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-28661.patch \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ + file://CVE-2025-22919.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" From patchwork Wed Jun 4 11:16:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 64249 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E321BC61CE7 for ; Wed, 4 Jun 2025 11:17:11 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.14130.1749035829981675987 for ; Wed, 04 Jun 2025 04:17:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=8250111c01=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55427bov023528 for ; Wed, 4 Jun 2025 04:17:09 -0700 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9rtc49-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 04:17:09 -0700 (PDT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:17:08 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:17:07 -0700 From: To: Subject: [oe-core][kirkstone][PATCH 3/4] ffmpeg: fix CVE-2025-22921 Date: Wed, 4 Jun 2025 16:46:58 +0530 Message-ID: <20250604111659.3136031-3-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250604111659.3136031-1-archana.polampalli@windriver.com> References: <20250604111659.3136031-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: 3G4cV714RveGA82SZHztvutlfBGBBcPP X-Authority-Analysis: v=2.4 cv=VIHdn8PX c=1 sm=1 tr=0 ts=68402b35 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=emhf11hzAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=HzpPIQ4I_fSVEzk_PEAA:9 a=HLUCug_QN4oeKp6PugZw:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4NiBTYWx0ZWRfX6o1lneZWM5Js fltWtRrkGY5TAh6ETYMpz/ODXXLBg4IRQmnFFYls3D+TV9qLGtejdNGvhtn+coNryB8VzwGdSWV CXYasQNZzvLFK18OcjMIsYPun6Qa3qixkfETf1hECI1sRziZWTNhXkUXyEWNLyxSZ8+SdabdWto xCdxijxx+Ybi5NXQ/ewBEQ6Yg7mapUxn/SWtBIUIICDm2pyxib/ClZrKVRZUPxziraUktbM31TX 32Y3OKlHBaB5qOQppZm3edr0t7/8CNhkQ/R510ANTKyOc9xI5S1PbRODjn2DvtEliRkNSLCRODZ K4y8Wweb8Q15j6bXuDl9FJylna3gDrLAxAX/MdH8S1XGPq3OJ5FwL3KN++IzGIMYESkuXFKxaRX nVPvVyErbv/n/OTerT1DjjGx+31b628NkEP5WxEwqzvz1AV3UiuVnITlqDUa9q3ePGkNpT7F X-Proofpoint-ORIG-GUID: 3G4cV714RveGA82SZHztvutlfBGBBcPP X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=752 adultscore=0 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 bulkscore=0 suspectscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040086 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:17:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217905 From: Archana Polampalli FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2025-22921.patch | 34 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch new file mode 100644 index 0000000000..1319dd6a7c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch @@ -0,0 +1,34 @@ +From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Wed, 1 Jan 2025 23:58:39 -0300 +Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it + +Fixes NULL pointer dereferences. +Fixes ticket #11393. + +Reviewed-by: Michael Niedermayer +Signed-off-by: James Almer + +CVE: CVE-2025-22921 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7f9c7f9849a2155224711f0ff57ecdac6e4bfb57] + +Signed-off-by: Archana Polampalli +--- + libavcodec/jpeg2000dec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c +index a317040..6c0bd25 100644 +--- a/libavcodec/jpeg2000dec.c ++++ b/libavcodec/jpeg2000dec.c +@@ -1280,6 +1280,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, + } + } + av_freep(&cblk->lengthinc); ++ cblk->nb_lengthinc = 0; + } + } + // Save state of stream +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 49277f9e2b..4ae444258f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -47,6 +47,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ file://CVE-2025-22919.patch \ + file://CVE-2025-22921.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" From patchwork Wed Jun 4 11:16:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 64250 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3F63C5B543 for ; Wed, 4 Jun 2025 11:17:21 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.14132.1749035833287132621 for ; Wed, 04 Jun 2025 04:17:13 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8250111c01=archana.polampalli@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5544wnMI017294 for ; Wed, 4 Jun 2025 11:17:12 GMT Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 471g9t2c9d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 04 Jun 2025 11:17:12 +0000 (GMT) Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 4 Jun 2025 04:17:11 -0700 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 4 Jun 2025 04:17:09 -0700 From: To: Subject: [oe-core][kirkstone][PATCH 4/4] ghostscript: fix CVE-2025-48708 Date: Wed, 4 Jun 2025 16:46:59 +0530 Message-ID: <20250604111659.3136031-4-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250604111659.3136031-1-archana.polampalli@windriver.com> References: <20250604111659.3136031-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: 6FQzt_UizXooMFijCefqRegOcwF6hQn6 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjA0MDA4NiBTYWx0ZWRfX2OEiQD5tWDzb CgLzlDy/o5jaRLY/KXZpZR+1NYj0iFjAUEToHnuN55XIwMKmXQ40BH1sHgyl4GdpqZkwdWbxdrM b37ad9T1kPwsVeOli+9RrPtJyS3N/jvB0oN8hxxEgMBv9AuqiJrp6Im7gFxTRmzPNtwgL7MV2K7 MYGuyV2yCF/xVwukoTyJrRn4a0sUatuBJxcT72Xp5ukV4yBg3h8TPpivSXdfBs3n9cikFl/dRGR Mxv0Gya7goXXTaZfMCD2qdWdtn2EBX4NGEhMLpjXpmIlPm0vuAmwr+BbKRKbk7yGq1jfiwc/P5F LM/OhsSLddLrIrFFdhlqGCjJdoQ2koRaXUhrO5Fwz3tSSaGu0WUgQWYX/RvoreUrVIeq/2ESjDo 6dS5MjN8HT58SH83iZUwIBae4T8AJ65Xd/XL6ah3dUVA8zkQzz02P8eoPW1PT0od7X2lCNVz X-Proofpoint-GUID: 6FQzt_UizXooMFijCefqRegOcwF6hQn6 X-Authority-Analysis: v=2.4 cv=Q4DS452a c=1 sm=1 tr=0 ts=68402b38 cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=6IFa9wvqVegA:10 a=gDkh9niWAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=slZ_zXfIAAAA:8 a=KSuMTYRfTUycT6UA_YAA:9 a=lGOMK5oLEwUwZHJ1FuQB:22 a=FdTzh2GWekK77mhwV6Dw:22 a=WUFrAgOMYDQKzGe6rZ6X:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-04_03,2025-06-03_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxlogscore=902 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 priorityscore=1501 adultscore=0 malwarescore=0 phishscore=0 spamscore=0 lowpriorityscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2505280000 definitions=main-2506040086 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Jun 2025 11:17:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/217906 From: Archana Polampalli gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext. Signed-off-by: Archana Polampalli --- .../ghostscript/CVE-2025-48708.patch | 46 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch new file mode 100644 index 0000000000..5c8069a4ea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch @@ -0,0 +1,46 @@ +From 5b5968c306b3e35cdeec83bb15026fd74a7334de Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Sat, 12 Apr 2025 10:24:43 +0100 +Subject: [PATCH] Argument sanitisation - handle '#' as per '=' + +Bug 708446 + +CVE: CVE-2025-48708 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5b5968c306b3e35cdeec83bb15026fd74a7334de] + +Signed-off-by: Archana Polampalli +--- + base/gslibctx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 2cf5c9dda..40ff984f9 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -1225,9 +1225,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg) + case '-': /* Need to check for permitted file lists */ + /* By default, we want to keep the key, but lose the value */ + p = arg+2; +- while (*p && *p != '=') ++ while (*p && *p != '=' && *p != '#') + p++; +- if (*p == '=') ++ if (*p == '=' || *p == '#') + p++; + if (*p == 0) + break; /* No value to elide */ +@@ -1269,9 +1269,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg) + case 'S': + /* By default, we want to keep the key, but lose the value */ + p = arg+2; +- while (*p && *p != '=') ++ while (*p && *p != '=' && *p != '#') + p++; +- if (*p == '=') ++ if (*p == '=' || *p == '#') + p++; + if (*p == 0) + break; /* No value to elide */ +-- +2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index e872fbe88c..3b50ac1409 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -73,6 +73,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27835.patch \ file://CVE-2025-27836-1.patch \ file://CVE-2025-27836-2.patch \ + file://CVE-2025-48708.patch \ " SRC_URI = "${SRC_URI_BASE} \