From patchwork Tue Jun 10 19:38:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64769 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D9ADEC61DB2 for ; Tue, 10 Jun 2025 19:38:39 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.web10.96523.1749584310180260801 for ; Tue, 10 Jun 2025 12:38:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=GJFO0SZ8; spf=softfail (domain: sakoman.com, ip: 209.85.215.174, mailfrom: steve@sakoman.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-b2c4476d381so197340a12.0 for ; Tue, 10 Jun 2025 12:38:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584309; x=1750189109; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=1jkSVEdjphHODdTmOhvbvSR8WE0eRj2aIRxQ5J173/s=; b=GJFO0SZ8R9wN04NEsVkL9UlvugSaUoVyRoHuPIbXYzkjHgXu8OWw6KFEJwocNQsqkv t4mlw4B5DCdzdRnI8GIPl59KpDkwrs0pgLqlQyCTZNFJCmMxtHpJwN+/jCL0LrHNM8uW 2iWAX5VgXMyX8Y9BaTx3Kai7N3n96T2SgRqOuoFQwYHUhjFhVxG9Iwg+DNR5KDQYH1aN 40Z687ruQBjnDjSWGcgxJpcHayXeFT06QHePVDIh/M3/PaDHwQrDdJXv/tQDA2MlqJNc VmzMBSGJxSLdDYSUTQGj0LkvueF1sNTF0GR6mJkvrfUYhwVo9deYy6uSAiOTFd3xbFdY 6/hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584309; x=1750189109; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1jkSVEdjphHODdTmOhvbvSR8WE0eRj2aIRxQ5J173/s=; b=P5mLVaM5h4JCmJSy6498/Zq7Cso9lmzkeBMjni6bqYfCV7c2hzPZSZbtPCQ77CnYCc WinkDiX0hzG7R8/ilX1vpktFAnx9FieJvOSifPKnAS7RgHfTAxPi2OPHBsPb1/XRrGUU hnl/mEtu73BGqOWczUH37v03M+1fPjqqyxNggfllsHiebBClaKCEWdimVLXrVhv0QOml vHte7PgwXEA7oHGDRl8/UGFiRF80TR8Km0/w5DJYQ8jhasevKEKiSfb+pQvpxflGljgP yL4J/HZDfRDYdSqkkMxfAoRaAHEteqRF9IT0jnLnPpWNtFpkQ0yR6woHu7evOHNwb2+6 VNUA== X-Gm-Message-State: AOJu0YzaKG3JCXQYq04vYFJbcDf9VGlziX30eg0TCnzwRQfy8CKtoLmR RfEEnmucOTNn1BlcVvDvxcem/xR1oR2HvEPmgHQxW6LGPz/ZgtYWRUXvF7itQAM0L7+cNyb+ktq SEORh X-Gm-Gg: ASbGncuxC8BtG7+inF6/lsArtCCH6ETXNweYkM8p98nYIQU2DyVIRZnl13LtV34y4z0 /YbxR6BF27Pia4u00lV8BmX+GaTgzhlGaoyoGZyYSH6+K5bOXjeY4svJC/7EylTKiYlA/Gfx6Yz xGFZ41Fnenc+73fwAcQw+Xyzmmu3uAxU6DpX8xrkz66GiS4TGeldvimX4p82L073C7YjTdmYuNO kxQjp1Saz3mKsWAJD7JMPwAS3QUyPuCOGppddyPrcQA7Pv/HZkTL5DpMZdmRdNZStIjy+8tQa9+ qtLffNKgeaWr8IO4wbHSPWpWAhWNleWFjZbY/J5ww25PXyps1uP6AQ== X-Google-Smtp-Source: AGHT+IHyMheW95s4tggKq6dAmB4H4JiWF5tPMgd/Q5P0re2QEQVJAy4SIJVqD3zrnp/HDOJ1BHcMAw== X-Received: by 2002:a05:6a20:7d9b:b0:21f:5283:4fa5 with SMTP id adf61e73a8af0-21f86dea0fbmr938326637.3.1749584309403; Tue, 10 Jun 2025 12:38:29 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/15] ghostscript: fix CVE-2025-48708 Date: Tue, 10 Jun 2025 12:38:07 -0700 Message-ID: <7052a81e4f9b19b5640b414c10b19f8232d81572.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218423 From: Archana Polampalli gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2025-48708.patch | 46 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch new file mode 100644 index 0000000000..5c8069a4ea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-48708.patch @@ -0,0 +1,46 @@ +From 5b5968c306b3e35cdeec83bb15026fd74a7334de Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Sat, 12 Apr 2025 10:24:43 +0100 +Subject: [PATCH] Argument sanitisation - handle '#' as per '=' + +Bug 708446 + +CVE: CVE-2025-48708 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5b5968c306b3e35cdeec83bb15026fd74a7334de] + +Signed-off-by: Archana Polampalli +--- + base/gslibctx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 2cf5c9dda..40ff984f9 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -1225,9 +1225,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg) + case '-': /* Need to check for permitted file lists */ + /* By default, we want to keep the key, but lose the value */ + p = arg+2; +- while (*p && *p != '=') ++ while (*p && *p != '=' && *p != '#') + p++; +- if (*p == '=') ++ if (*p == '=' || *p == '#') + p++; + if (*p == 0) + break; /* No value to elide */ +@@ -1269,9 +1269,9 @@ gs_lib_ctx_stash_sanitized_arg(gs_lib_ctx_t *ctx, const char *arg) + case 'S': + /* By default, we want to keep the key, but lose the value */ + p = arg+2; +- while (*p && *p != '=') ++ while (*p && *p != '=' && *p != '#') + p++; +- if (*p == '=') ++ if (*p == '=' || *p == '#') + p++; + if (*p == 0) + break; /* No value to elide */ +-- +2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index e872fbe88c..3b50ac1409 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -73,6 +73,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27835.patch \ file://CVE-2025-27836-1.patch \ file://CVE-2025-27836-2.patch \ + file://CVE-2025-48708.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Tue Jun 10 19:38:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64773 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11C56C71136 for ; Tue, 10 Jun 2025 19:38:40 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web10.96525.1749584311896289107 for ; Tue, 10 Jun 2025 12:38:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=HtJgJTix; spf=softfail (domain: sakoman.com, ip: 209.85.210.175, mailfrom: steve@sakoman.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-7390d21bb1cso4812158b3a.2 for ; Tue, 10 Jun 2025 12:38:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584311; x=1750189111; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UkBBiS+lB+k62SBufSTZAVUcqwzbwTi8K4OUxwNV83c=; b=HtJgJTixhSNA7W/o1kI8OfQULgjZwqLSypGrChywykPg51JlJgMCkf71j9FCC4S+dn nBT3nn+aCVXKOrBW9H4WvSBHJLbgSCXTH3wvYHQR/ey1qIR62a5RHN2Wzl77t9ZfSc1w r3rPCzhOkdwiw1ffZ1NPOolenVMtJpMTklevspraGYopDcVHUW6Y40sh4X+//j+nl+mX F1Vio2lXpX1Bo0nBHysMmYsHpgFAdycPDbjMyzs5OkrpnEQIRyOBt0CIL3kT4/Ov/hMj 2xD2HqGcox60kYOEi7nbWxawkz7WIZwkFXb7dVC+4ulxCCtsCaMVBmB6SMCM+rO26KPC ZqPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584311; x=1750189111; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UkBBiS+lB+k62SBufSTZAVUcqwzbwTi8K4OUxwNV83c=; b=P2Vf2DWJKCawep1B/oaNnkbruBPbCsPlWVn7fBhkLm1t4eNdJWWRov6BayIauqzXf7 ++bFzJNPUIw09GuRVhJ8HxGQvMJSTaoOjiVoUu3By07Q0pdKuQe3TuOZ6eVp6Bo5e+25 1Z79PNmNoYoyIv19X1crvWUbqG/ASboj1wZzlIshg8Q9rf+Kfgy5as5sVWXlD91bYUdq hEuUWLPxrnMm568MLE7Q/j2jlED0Imv4PHId7+vsw/fjU5dGyqAQxSy+TSz5NF0utqOa 5fSF/jAqvkWyV5nDRVRgepU0IDBq6exzoAf2YQAr1IX/Lg+zRhHYsLbr31W53HJh0xUE J+tQ== X-Gm-Message-State: AOJu0Ywq5Etpkp1PaFxypLvGUr3GOvLZoAScGLlv7YTAW9LJV0aGG4jP BkFwhSu88ss/30xnhgwsK+BmTD6IMCY5rhh0ado2cfOrb9NPEKH2hTA/pZRpLhIKsCgu6oEdt9w +kzgB X-Gm-Gg: ASbGncss6bRRAKLrUf5stSR0qFitEidARPbibvD1bepJeWeDJ5s0mi9PFYcZCwt/hnr UAl082wRHP3s0R7LR0eUQmQ24sndEjOSgFsUjioqKtH5xhAzwaz98Pj80F0WvjCKNgT7niSJ/JZ OAbGfq9JAJZ4bsvJKkJZJEBIlYNsNFrse4GNEH+8jwM2i/K0xQ6foRDO2e4stV3G+6v/alJvLRF QT7Y2YYGVelk4ID+vfd0Zfv63TG3qdIRURdTBw54HNPUNBOUgph/K2FQxaQ51OV6IELaijeVo5M rDrx7yIkc9HYfROqt/5QhN0XkvB7qH5eX/Uq2wWDKoI85XpQhjb2+AGihufKY/e1 X-Google-Smtp-Source: AGHT+IGR1ohmgs+TO8b/wY6/SWZ+Fx4vEQlsHe56tOPg4pDqKJ4HQYJkhfa3tmTe8rwsytugJVD5oQ== X-Received: by 2002:a05:6a21:7a43:b0:1f5:8678:1820 with SMTP id adf61e73a8af0-21f8660e5c3mr1156874637.12.1749584311077; Tue, 10 Jun 2025 12:38:31 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:30 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/15] icu: fix CVE-2025-5222 Date: Tue, 10 Jun 2025 12:38:08 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218424 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../icu/icu/CVE-2025-5222.patch | 164 ++++++++++++++++++ meta/recipes-support/icu/icu_70.1.bb | 1 + 2 files changed, 165 insertions(+) create mode 100644 meta/recipes-support/icu/icu/CVE-2025-5222.patch diff --git a/meta/recipes-support/icu/icu/CVE-2025-5222.patch b/meta/recipes-support/icu/icu/CVE-2025-5222.patch new file mode 100644 index 0000000000..f71287c935 --- /dev/null +++ b/meta/recipes-support/icu/icu/CVE-2025-5222.patch @@ -0,0 +1,164 @@ +From 2c667e31cfd0b6bb1923627a932fd3453a5bac77 Mon Sep 17 00:00:00 2001 +From: Frank Tang +Date: Wed, 22 Jan 2025 11:50:59 -0800 +Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString + +Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77] +CVE: CVE-2025-5222 +Signed-off-by: Hitendra Prajapati +--- + tools/genrb/parse.cpp | 47 +++++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 19 deletions(-) + +diff --git a/tools/genrb/parse.cpp b/tools/genrb/parse.cpp +index 7d5ffe1..175def0 100644 +--- a/tools/genrb/parse.cpp ++++ b/tools/genrb/parse.cpp +@@ -818,7 +818,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + UnicodeString rules; + UBool haveRules = FALSE; + UVersionInfo version; +@@ -854,7 +854,8 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + + if (U_FAILURE(*status)) + { +@@ -862,7 +863,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + return NULL; + } + +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -873,7 +874,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + { + // Ignore the parsed resources, continue parsing. + } +- else if (uprv_strcmp(subtag, "Version") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + char ver[40]; +@@ -890,11 +891,11 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + result->add(member, line, *status); + member = NULL; + } +- else if(uprv_strcmp(subtag, "%%CollationBin")==0) ++ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0) + { + /* discard duplicate %%CollationBin if any*/ + } +- else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + rules = sr->fString; +@@ -1047,7 +1048,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024], typeKeyword[1024]; ++ CharString subtag, typeKeyword; + uint32_t line; + + result = table_open(state->bundle, tag, NULL, status); +@@ -1089,7 +1090,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + + if (U_FAILURE(*status)) + { +@@ -1097,9 +1099,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- if (uprv_strcmp(subtag, "default") == 0) ++ if (uprv_strcmp(subtag.data(), "default") == 0) + { +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -1118,22 +1120,28 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + if(token == TOK_OPEN_BRACE) { + token = getToken(state, &tokenValue, &comment, &line, status); + TableResource *collationRes; +- if (keepCollationType(subtag)) { +- collationRes = table_open(state->bundle, subtag, NULL, status); ++ if (keepCollationType(subtag.data())) { ++ collationRes = table_open(state->bundle, subtag.data(), NULL, status); + } else { + collationRes = NULL; + } + // need to parse the collation data regardless +- collationRes = addCollation(state, collationRes, subtag, startline, status); ++ collationRes = addCollation(state, collationRes, subtag.data(), startline, status); + if (collationRes != NULL) { + result->add(collationRes, startline, *status); + } + } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */ + /* we could have a table too */ + token = peekToken(state, 1, &tokenValue, &line, &comment, status); +- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1); +- if(uprv_strcmp(typeKeyword, "alias") == 0) { +- member = parseResource(state, subtag, NULL, status); ++ typeKeyword.clear(); ++ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); ++ if (U_FAILURE(*status)) ++ { ++ res_close(result); ++ return nullptr; ++ } ++ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) { ++ member = parseResource(state, subtag.data(), NULL, status); + if (U_FAILURE(*status)) + { + res_close(result); +@@ -1175,7 +1183,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + struct UString *tokenValue=NULL; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + uint32_t line; + UBool readToken = FALSE; + +@@ -1214,7 +1222,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + } + + if(uprv_isInvariantUString(tokenValue->fChars, -1)) { +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + } else { + *status = U_INVALID_FORMAT_ERROR; + error(line, "invariant characters required for table keys"); +@@ -1227,7 +1236,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + return NULL; + } + +- member = parseResource(state, subtag, &comment, status); ++ member = parseResource(state, subtag.data(), &comment, status); + + if (member == NULL || U_FAILURE(*status)) + { +-- +2.49.0 + diff --git a/meta/recipes-support/icu/icu_70.1.bb b/meta/recipes-support/icu/icu_70.1.bb index dd684fe5b9..0a4e7f90f6 100644 --- a/meta/recipes-support/icu/icu_70.1.bb +++ b/meta/recipes-support/icu/icu_70.1.bb @@ -107,6 +107,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \ file://filter.json \ file://fix-install-manx.patch \ file://0001-icu-Added-armeb-support.patch \ + file://CVE-2025-5222.patch \ " SRC_URI:append:class-target = "\ From patchwork Tue Jun 10 19:38:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64768 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB845C71130 for ; Tue, 10 Jun 2025 19:38:39 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web11.95884.1749584313532804057 for ; Tue, 10 Jun 2025 12:38:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=z4F3zhNu; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-742c46611b6so7410033b3a.1 for ; Tue, 10 Jun 2025 12:38:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584313; x=1750189113; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=P9pkqILmneTRVudU3G+pjLKGvOiuRA/0W/YmLZubtDY=; b=z4F3zhNuDSdt/zRWrDrQFv0L6GCtTCjVYW2/Qwx1G9F6AJhwhR96A1+k8+k8NKeYSY XzyuDQmboaPLiNSv/LbFS1RE3/o0A3iUvQ5UrI5ySWRcfloDkxPnt3x0n4+Evdi8+vDj r3N1il/79Ppow/DAPg3kph7ZkmNY6dOOsex3QtdDC07quOFM4JzVEZvxPdtqB9BsMryE lPAtMPVmkxqa8PJffWWxEG8MlxI+JjucforSdrnzsbXJeS1yjcs/TiW5uLU1MJpti+5b grwtJkfCeBGsCSOVRkF1H8T5iQz7SzXGQUw41/ZA0gOt1ejBgH+qTTpwZsX9JXtOvFWv KZIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584313; x=1750189113; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=P9pkqILmneTRVudU3G+pjLKGvOiuRA/0W/YmLZubtDY=; b=mPTZbq6897xlIIEeOP6pVjbPQL9c7VpkNEtnbdQgeA6P8R1f0mc7tCu3L1L/Z4krab 8MhfQc6sLGh8Wi9MIl2IExKyI8d4hMjWcjk7pxn8Kv098VHETvPksqBtoFA/TkATJAUX PX7Ok4btto5pM41KlAcCSiel0SHCFW3rowg/Fmq0ear0iDpjq0OzIIyi9orJUEpe7Arz PpcYtEAjpZEpHhbebwqQPeU1uQqC7bbfprUcAnpCRJ261WSJk4nnv/dR02Wl8H3S3Tn3 QtRVJoD+UBj3WRflrZMgs+MKw3uPtpzypaUIMRs+WCBmBFSGt9W/svcvz7le1yN/Qu9f SSHA== X-Gm-Message-State: AOJu0YwLgYKU7TNKEHQLfkHbohWy6q7Z1QPADuTbsGYcGAvJeDLbQ0u5 hn2nyjE+4cH1VXFpYvgtOvQfxzuYWSrtfHi+oJT4tZVkfwwvOZ+3dOGV76FVPhCv88H5RGEpgy0 Gv8/f X-Gm-Gg: ASbGnctu3Hf6j2GPrLTiQdoZywVlMnKhVVnWtiy9Ps3YQ58D9vA+3I6olAZ5vlyEos+ Mi5RZSxPFnbjI8HJl3Id6ZUs1ke6ziXw57SMdPonYteecK5CFMlk+FVAxRpp7qdlQa9dHDC7deR aOGxV3zmAfAgqiHZMSRe+4JS8DmDUweKXpLVL7Gz8l3aO/oygOQWrsoqXpL9zyJAeH714F+8DjP +rv6A93D5azEvN8+fsDwH7h8pPg9Mi9pvGlFRZuWn0LdenXl0m+xugR1j6+NnSc99MLLIpbDePw cR1uR0s1V44gcQqGOuPE7QhONUnau2qM9Xljk8c1Ut2vsCEQAT6hWA== X-Google-Smtp-Source: AGHT+IHXDObIiIkTKEdXPPbcVGL7jj0HCkdVY4UYkP/Vf1m0U0msx4pgBRbk7ANQyDnj6tekdBfK6Q== X-Received: by 2002:a05:6a21:8cca:b0:20b:a75e:fa32 with SMTP id adf61e73a8af0-21f89129cbdmr15074637.40.1749584312710; Tue, 10 Jun 2025 12:38:32 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:32 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/15] libsoup-2.4: Backport auth tests for CVE-2025-32910 Date: Tue, 10 Jun 2025 12:38:09 -0700 Message-ID: <05d14768b5edf41c89b05725e06fd86b5376e6fd.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218425 From: Vijay Anusuri libsoup-2.74.2/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'? Fix auth-test.c compilation failure caused by CVE-2025-32910 patch Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- ...ckport-auth-tests-for-CVE-2025-32910.patch | 76 +++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch new file mode 100644 index 0000000000..2c23f57ccf --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/Backport-auth-tests-for-CVE-2025-32910.patch @@ -0,0 +1,76 @@ +From: Andreas Henriksson +Date: Sat, 26 Apr 2025 20:09:29 +0200 +Subject: Backport auth tests for CVE-2025-32910 + +Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/Backport-auth-tests-for-CVE-2025-32910.patch?ref_type=heads +Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8] +CVE: CVE-2025-32910 +Signed-off-by: Vijay Anusuri +--- + tests/auth-test.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/tests/auth-test.c b/tests/auth-test.c +index 548ac94..f582033 100644 +--- a/tests/auth-test.c ++++ b/tests/auth-test.c +@@ -1549,14 +1549,26 @@ do_cancel_after_retry_test (void) + soup_test_session_abort_unref (session); + } + ++//from upstream commit 9af7d0fc751f7afcd8b03bc827a4d3af0c4556f8 ++static gboolean ++on_digest_authenticate (SoupMessage *msg, ++ SoupAuth *auth, ++ gboolean retrying, ++ gpointer user_data) ++{ ++ g_assert_false (retrying); ++ soup_auth_authenticate (auth, "user", "good"); ++ return TRUE; ++} ++ + static void + on_request_read_for_missing_params (SoupServer *server, +- SoupServerMessage *msg, ++ SoupMessage *msg, ++ SoupClientContext *client, + gpointer user_data) + { + const char *auth_header = user_data; +- SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg); +- soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header); ++ soup_message_headers_replace (msg->response_headers, "WWW-Authenticate", auth_header); + } + + static void +@@ -1567,7 +1579,7 @@ do_missing_params_test (gconstpointer auth_header) + SoupServer *server; + SoupAuthDomain *digest_auth_domain; + gint status; +- GUri *uri; ++ SoupURI *uri; + + server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); + soup_server_add_handler (server, NULL, +@@ -1586,16 +1598,16 @@ do_missing_params_test (gconstpointer auth_header) + G_CALLBACK (on_request_read_for_missing_params), + (gpointer)auth_header); + +- session = soup_test_session_new (NULL); ++ session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); + msg = soup_message_new_from_uri ("GET", uri); +- g_signal_connect (msg, "authenticate", ++ g_signal_connect (session, "authenticate", + G_CALLBACK (on_digest_authenticate), + NULL); + +- status = soup_test_session_send_message (session, msg); ++ status = soup_session_send_message (session, msg); + + g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED); +- g_uri_unref (uri); ++ soup_uri_free (uri); + soup_test_server_quit_unref (server); + } + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 46b9e10ac5..bb15e8b926 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32910-1.patch \ file://CVE-2025-32910-2.patch \ file://CVE-2025-32910-3.patch \ + file://Backport-auth-tests-for-CVE-2025-32910.patch \ file://CVE-2025-32911_CVE-2025-32913-1.patch \ file://CVE-2025-32911_CVE-2025-32913-2.patch \ file://CVE-2025-32912-1.patch \ From patchwork Tue Jun 10 19:38:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64772 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7341C677C4 for ; Tue, 10 Jun 2025 19:38:39 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web10.96528.1749584315072715682 for ; Tue, 10 Jun 2025 12:38:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=a9myqkFk; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-7406c6dd2b1so206619b3a.0 for ; Tue, 10 Jun 2025 12:38:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584314; x=1750189114; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=AS/m67inTHt7YFn9ROWlOYyUO8vyBUDb5T0uaRXBwHw=; b=a9myqkFk5/kuUWQOvZwE0W3LMAh/C5vnu24ZCJThW0Qu/bvxGsXgQVftaUtGFuWnfa gSQxnnqGMDSn9/0v4ZMyyKQn6RgoYpsnY3hW/IydbQpH7HzcphP5/4qlg8k4A74JjyAh hwZ7tYX0GjfqVrcMJHaWAkQUr7qQocwGNKXGA/xXOvGiveknCHHtBUx+nv8/EF27vxlQ RpKNEJZFgvZYH5Uk/OU/oNAWq4nfDAyHQj4wrRWdA3Jcyx6f2h/QvTH3HzOqXLSq0sGz mj+TEW6FZ1uppSczSfdTw+kW1kayyUF174TVHkY0ym05+m+LeaCdBlJ8V2rv89FdcunV WbyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584314; x=1750189114; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=AS/m67inTHt7YFn9ROWlOYyUO8vyBUDb5T0uaRXBwHw=; b=r6QZajyCft78tmZ+MLvz41GuzHlJsPcYvV8B9ADDsHb5l205WTHkwZ4Yt7Hmnv4QhR v5zxdTsl2wPeDbcvjC6IqCZm7GJjp30j3ZlobLav60uxgIaLRfuRG0/0OVKBpKWLICSI EHp19/tAFl3nUNUdzQULnYyEjsFgiJ0IPspB1xXEhXRloMJOaE8v70mh05YPjneYW7iz vBWPkNIfLdYCnaxYAPTCYTtqb7ixIHFzA32QzQM1yfFF0zK7viyBtBcZXdPFjJfst6ua 8oxJx+ljlWub+CQdOne6t4j5Of7EggJ7ymWMtFx+mKuAAhUYahtH+EX5hkNI7U3QGFyQ Wz9g== X-Gm-Message-State: AOJu0Yw8Ik/YqQGPbagJDO3zim37J2+t0TVJo96DCCfVuslA7ckAs8RH qjCxAbZrBIluaJfjrB9yihyX6SorqfGVlwH9hJc/82bca4Y7afISSL39yBFww3UxEnmx0MrDVd0 DZNoU X-Gm-Gg: ASbGncvaZdqIMnSh/xacp8HjqL+ALDJ7yICvCQckeGX6NUeoxnQwEbh+AaCohxZh33S CCbQI50CiLf1QN8LjaS10xK/E3bYJr2fyxHm6wThA1CFz3tNr1pjlvXiRWCqJvOGYn1II6QtzNp SgU8iO9J9pIoWu1NROIE/Uq2vM7Eekn4SoCy1LV+VgTqgbE8ydIT4kD4Nz/zIv8txRjnOjcNIMc I1aTIya+pNnv5QiXOwDNlOOgcPAqmQ0D9+XUtKfecwGplu3P/0BHxfy80XWssGBRR9ew4/ffckc NeSLquXJkWgt5P/lxa3AP26bSwn8u9U0KTRbzXlFkgzbkAnKWKELiQ== X-Google-Smtp-Source: AGHT+IFQtsNgFAxM0UhnDk1PdUU1o7FpHa9ggRES8iYQwrGjNlFV9NXV/61heSPE4DrqSPhdGvAMcA== X-Received: by 2002:a05:6a21:9212:b0:215:dacf:5746 with SMTP id adf61e73a8af0-21f86fb0d29mr768825637.19.1749584314276; Tue, 10 Jun 2025 12:38:34 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:33 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/15] taglib: fix CVE-2023-47466 Date: Tue, 10 Jun 2025 12:38:10 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218426 From: Jiaying Song TagLib before 2.0 allows a segmentation violation and application crash during tag writing via a crafted WAV file in which an id3 chunk is the only valid chunk. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-47466 Upstream patch: https://github.com/taglib/taglib/commit/dfa33bec0806cbb45785accb8cc6c2048a7d40cf Signed-off-by: Jiaying Song Signed-off-by: Steve Sakoman --- .../taglib/files/CVE-2023-47466.patch | 38 +++++++++++++++++++ meta/recipes-support/taglib/taglib_1.12.bb | 4 +- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/taglib/files/CVE-2023-47466.patch diff --git a/meta/recipes-support/taglib/files/CVE-2023-47466.patch b/meta/recipes-support/taglib/files/CVE-2023-47466.patch new file mode 100644 index 0000000000..8ea8793e0a --- /dev/null +++ b/meta/recipes-support/taglib/files/CVE-2023-47466.patch @@ -0,0 +1,38 @@ +From 41c1c2b3609fc542e357cc80185d90a9a6fccc1a Mon Sep 17 00:00:00 2001 +From: Urs Fleisch +Date: Sun, 5 Nov 2023 14:40:18 +0100 +Subject: [PATCH] Fix crash with invalid WAV files (#1163) (#1164) + +With specially crafted WAV files having the "id3 " chunk as the +only valid chunk, when trying to write the tags, the existing +"id3 " chunk is removed, and then vector::front() is called on +the now empty chunks vector. +Now it is checked if the vector is empty to avoid the crash. + +CVE: CVE-2023-47466 + +Upstream-Status: Backport +[https://github.com/taglib/taglib/commit/dfa33bec0806cbb45785accb8cc6c2048a7d40cf] + +Signed-off-by: Jiaying Song +--- + taglib/riff/rifffile.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/taglib/riff/rifffile.cpp b/taglib/riff/rifffile.cpp +index 005551f..f615e6c 100644 +--- a/taglib/riff/rifffile.cpp ++++ b/taglib/riff/rifffile.cpp +@@ -361,6 +361,9 @@ void RIFF::File::writeChunk(const ByteVector &name, const ByteVector &data, + + void RIFF::File::updateGlobalSize() + { ++ if(d->chunks.empty()) ++ return; ++ + const Chunk first = d->chunks.front(); + const Chunk last = d->chunks.back(); + d->size = last.offset + last.size + last.padding - first.offset + 12; +-- +2.34.1 + diff --git a/meta/recipes-support/taglib/taglib_1.12.bb b/meta/recipes-support/taglib/taglib_1.12.bb index 47ad8aacb6..51e03888b4 100644 --- a/meta/recipes-support/taglib/taglib_1.12.bb +++ b/meta/recipes-support/taglib/taglib_1.12.bb @@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "zlib" -SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz" +SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \ + file://CVE-2023-47466.patch \ + " SRC_URI[md5sum] = "4313ed2671234e029b7af8f97c84e9af" SRC_URI[sha256sum] = "7fccd07669a523b07a15bd24c8da1bbb92206cb19e9366c3692af3d79253b703" From patchwork Tue Jun 10 19:38:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64770 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8290C71133 for ; Tue, 10 Jun 2025 19:38:39 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web11.95891.1749584316810852410 for ; Tue, 10 Jun 2025 12:38:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=R/53WJqG; spf=softfail (domain: sakoman.com, ip: 209.85.214.173, mailfrom: steve@sakoman.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-236192f8770so1668995ad.0 for ; Tue, 10 Jun 2025 12:38:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584316; x=1750189116; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=93mf7hk/khpH0AHKI0KXpNH1rK2qS2Rrxu2hT+Lncy0=; b=R/53WJqGDsbWRcOzoYTcUEggM5OXiN5/5xQTaUr6YG70qPi9AUnMzBhcefjEjrmY6L uWm/M2vCp59FJfEboCnb+bnG5arw7aOy1qN2imewQHpb7hdfjKHaoPtIjyZqzE8JiQ/R FD/sBRCLoVExizSE4aDXLHrTuxS9xS4qgmm9P7PNssjGKXlBw2SJr27+LcrVUDENPuAj 3zNfcxhkHq4E22bLo2I698BoqNpkCk3KGv4/zNv1DeA849iT0zJhvB2YdBxRoseAAbb/ 5wn2PMF4AbF8U4CpMr8PmUI4ZeY8ehpEs35sZHLsd3krFdtlMvtkPVzQ0svFkDbj7oYt 50Rg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584316; x=1750189116; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=93mf7hk/khpH0AHKI0KXpNH1rK2qS2Rrxu2hT+Lncy0=; b=ADAqegdK+ytGRcNzj3yfdRekiSgexeaA+9jHFQqKdfkq5nWLArdTnC3nwn/LZZ8ha8 +yKwmAHcCIxKz3vJQuO3l3kF9f7UyEtzhoZ396kzn6N5vabEuMqv0e+GHVxAfHL51wOX 9WerRblBlHBgy0vUo7TsYoE+Js73BnaDrmI2nYlkYd/1bf4X2LoqwUwIiqRLtZJt271g VPfgvKU/RqDJ2PByJCJxraPx2cMe886CCr+K/rzjde0sMbHQsZVEJOdw34tCmy0i90aB h6vFrLMIiHQZKepX4i7ghUvv+polIetzvz8tWECe97QPqYdSC9sdVrc1J5BLuaaIuN2y 8CDg== X-Gm-Message-State: AOJu0YwP/Ed+h4THYeqlZ1ru9NxJppBIVmX94JTYKKhK3dnWhDobJwHd tQr2R6jKUhDW4Oj+lJO0kmJL6j/OJbyREHFN9cnBlJFObDXl9HhTnAwNM4QEIU7ziLR2vRTQv44 n3gIp X-Gm-Gg: ASbGncuims01yes/e/mjDkd9jcW7XAAJahoUd0AN8Itm0gIDicNUCQBmJvOaf67y4cU fI/vTtRL2YB4kwRm8+GSP3GhJlOx9S/6eoQBroyd5bI6RTiF3OZZDRqHKlNo5qdZPxKno+RN967 /Y952lhWAjdhqddmuHtecGMlTfwIXrEtRFS++iJueHW5rmlfrhLhPBFWOB06lLZrVZydSkNnSnh 0Ln8gOEjpkKUEKkfR4m5kjpwml55WRPVJ+HBDOcolYliOgS1ajkBcfNpHmZbL0gxLVrmn/r+Dxi 29RZEEcAwHp9Mucm3nFwGZTbu4GbAQPLRLHqKF5JFj43yAUmoIPlrg== X-Google-Smtp-Source: AGHT+IHE0wKYVez99w0sodQUdYk9nCJepytLegfbD+bFoqX6Dd0aVwN35E7OlpGmJK6WoaMYIwholA== X-Received: by 2002:a17:902:ef07:b0:234:24a8:bee9 with SMTP id d9443c01a7336-2364169f471mr7256865ad.4.1749584315845; Tue, 10 Jun 2025 12:38:35 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:35 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/15] ffmpeg: upgrade 5.0.1 -> 5.0.3 Date: Tue, 10 Jun 2025 12:38:11 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218427 From: Archana Polampalli Refreshed CVE-2024-36613.patch against to the current version Removed below patches since already fixed in this version 0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch [1] 0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch [2] 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch [3] 0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch [4] CVE-2022-48434.patch [5] [1] https://github.com/FFmpeg/FFmpeg/commit/1eb002596e3761d88de4aeea3158692b82fb6307 [2] https://github.com/FFmpeg/FFmpeg/commit/293dc39bcaa99f213c6b7a703e11f146abf5d3be [3] https://github.com/FFmpeg/FFmpeg/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7 [4] https://github.com/FFmpeg/FFmpeg/commit/481e81be1271ac9a0124ee615700390c2371bd89 [5] https://github.com/FFmpeg/FFmpeg/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-36613.patch | 18 +++++++++--------- .../{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} | 7 +------ 2 files changed, 10 insertions(+), 15 deletions(-) rename meta/recipes-multimedia/ffmpeg/{ffmpeg_5.0.1.bb => ffmpeg_5.0.3.bb} (96%) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch index 300b8d1e49..8dc43c3b68 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch @@ -1,8 +1,7 @@ From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 -Subject: [PATCH 2/4] avformat/dxa: Adjust order of operations around block - align +Subject: [PATCH] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' @@ -22,17 +21,18 @@ Signed-off-by: Archana Polampalli 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c -index 16fbb08..53747c8 100644 +index 474b852..b4d9d00 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c -@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s) - } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) +@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); - avio_seek(pb, c->vidpos, SEEK_SET); --- +-- 2.40.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb similarity index 96% rename from meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb rename to meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 4b99c0fa21..127552396d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -24,11 +24,6 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ - file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ - file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ - file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ - file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \ - file://CVE-2022-48434.patch \ file://CVE-2024-32230.patch \ file://CVE-2023-51793.patch \ file://CVE-2023-50008.patch \ @@ -53,7 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-25473.patch \ " -SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" +SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" # CVE-2023-39018 issue belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) # and not ffmepg itself. From patchwork Tue Jun 10 19:38:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64771 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0324CC71134 for ; Tue, 10 Jun 2025 19:38:40 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web11.95892.1749584318298784056 for ; Tue, 10 Jun 2025 12:38:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Edr7d4GV; spf=softfail (domain: sakoman.com, ip: 209.85.215.177, mailfrom: steve@sakoman.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-b2fa3957661so2295133a12.2 for ; Tue, 10 Jun 2025 12:38:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584317; x=1750189117; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DyjQsQPbwsn19/0ExxyLxv4grr0i1kY4c+WUZjZF9mU=; b=Edr7d4GVCLh+JRjJfefZqng+6ozOcrp2VGLpHkDb9dc7TOt65ttGhlvWpaAJ+nkqoS p7v7Bel0BdVEHlMsPgqB70us3jg1b4zj8WxpvaOyPcu2ETZzkBbjowO3XA8kJf9Pre60 vkVvkb1nnz/KFqDK4gBXWyhhENZ52gl/IdQG29qP94umwq8PLRFJpAnJTE+UXRExm4QK n2Zgqttqo3B0cCu0AE94UGtPH7IwMpZZOMWQiR1iSS8RoHkgaK7+7Rwko2SjzfJAu3X1 h7lqnVkeXyRsS46/ucwH6t1LRrcI3Cpl0Qv2+X3epm2T+9DHQZldI7hPF0oSRg/Yu7MR VdBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584317; x=1750189117; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DyjQsQPbwsn19/0ExxyLxv4grr0i1kY4c+WUZjZF9mU=; b=vhaTygWAOUGwMPNlzK4lJWXSm1VrAO2WqTBe6T7HZsu6q57GylGW/fXsRYoGLUZk+j Cwr3rhQKvg/hWgRBdbebDexV77vno8eTIX2U2s+8w34SmRW9b/OKU51hR69h0i7FqILb yT9AXkhFWdLlX2xmscVUu5j/phwxzqFx6NbQo8JB8ynrRRMI9N7G32Hf493nRBf/Cd8h It4rrlPTvyoG2GVSrTxk+AvbfOHkT+wxWgx4xJjROjGU4UlqiXUuH4ZNvhoCZu+URPRo TdHsKLmbzAX/yaacM7Yh8tvCi7ZCJkxJSpPbU9FV7/CHZ3HlNzLRRgDo9Oj1x/Q5jjA3 wDZw== X-Gm-Message-State: AOJu0Yzc7xcEfpA6MIlGe7o5j6Fw4qkOwHUH1NkIO0KmEuvvDkgqlpXt 2cVyihodPc2ThbD2gIShI/YlrzbxaPcTJHoXQ5Frtwjsma6deLMQc6vXnV9POsdOKWwjBUdYSxE /+Tnh X-Gm-Gg: ASbGnctjrI1TurXLmlVq7/tnqom6G9aU10p4j1kziE1Xqz6DCmt0xE17a7DlYnSm5cR jnePX/uL8OX+zXTiGJJA7JPs+D+stZnaIhWIW6cIYrNBp6kss5K+S0rf+k2t8eS2dUc1wPNMgPh 75/ncbkd4nbuWPvK8saof5gC2oMJYyIb+XKOgPN3GRO++3Dz6errluAk4PYwLM62s2xl4LCYPmc Su/vV7XWl3pzmp7x9mxTlHOAErP5dBRKjkxwfarEjwUrWwlbq03naUEN61t1YyoX9mLpNJoT9j5 6WP7gNMXPO2nBFTCIjS17bdGk791MM6DqS8czVoYZtGSorCYY7xFHA== X-Google-Smtp-Source: AGHT+IFLtmCeckwGBoJOSNyFxtTASRyU9DZKVJSvUZiIEQbNsRLOWeHI9tS7WtCjRBP/Mp1ca7mg1w== X-Received: by 2002:a05:6a21:99a3:b0:1f5:9208:3ac7 with SMTP id adf61e73a8af0-21f89129c89mr15699637.41.1749584317532; Tue, 10 Jun 2025 12:38:37 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:37 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/15] ffmpeg: fix CVE-2025-22919 Date: Tue, 10 Jun 2025 12:38:12 -0700 Message-ID: <2494f863a163d13967d927618a101078f6980538.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218428 From: Archana Polampalli A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2025-22919.patch | 41 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch new file mode 100644 index 0000000000..5e27ad9d5b --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22919.patch @@ -0,0 +1,41 @@ +From 145a3a84550a1c3a3b848c12a64b53c3c41d2888 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Mon, 30 Dec 2024 00:25:41 -0300 +Subject: [PATCH] avfilter/buffersrc: check for valid sample rate + +A sample rate <= 0 is invalid. + +Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set. +Fixes ticket #11385. + +Signed-off-by: James Almer +(cherry picked from commit 1446e37d3d032e1452844778b3e6ba2c20f0c322) + +CVE: CVE-2025-22919 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/145a3a84550a1c3a3b848c12a64b53c3c41d2888] + +Signed-off-by: Archana Polampalli +--- + libavfilter/buffersrc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c +index b061187..cd2b05d 100644 +--- a/libavfilter/buffersrc.c ++++ b/libavfilter/buffersrc.c +@@ -335,6 +335,11 @@ static av_cold int init_audio(AVFilterContext *ctx) + "channel layout specified\n"); + return AVERROR(EINVAL); + } ++ ++ if (s->sample_rate <= 0) { ++ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); ++ return AVERROR(EINVAL); ++ } + + if (!s->time_base.num) + s->time_base = (AVRational){1, s->sample_rate}; +-- +2.40.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 127552396d..49277f9e2b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -46,6 +46,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-28661.patch \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ + file://CVE-2025-22919.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" From patchwork Tue Jun 10 19:38:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64774 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B52CC71130 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) by mx.groups.io with SMTP id smtpd.web10.96532.1749584319947589310 for ; Tue, 10 Jun 2025 12:38:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=u4VS2ryv; spf=softfail (domain: sakoman.com, ip: 209.85.215.179, mailfrom: steve@sakoman.com) Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-b2c3c689d20so3742798a12.3 for ; Tue, 10 Jun 2025 12:38:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584319; x=1750189119; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Uwvrp0V3Gzrt+h7HV27d0TkWaxlpNRudHjN6bTQqZMM=; b=u4VS2ryvH7J3yYveu56gYHu3XWnPEMbXflW3DKDln/LKAMn0vo+JXhfnXxkWYwRTKO gb1/5V2QNxJVgNHSQaf+ac8c1vf4GaXvGXDzmbcR7pNz7cIcs3ucIaa8mazTYpksJCwj 8pXAHEJtjhazkUqQ4a9YL/kJkMrHEpUIclSbz+JRWjG3rpOF6X+cHhbpTaHgZsOglXaw 9vallaV07hqpMTi5aOXwMzRuXLKg4evSJIaTmPaqfCNClDDOH93dh5SOkgCbxWXMxk6m IDxHvdgk2n6jC4tG7aYskXvXs8KE6imKRCuLHPwIvKj+wq1aHVlL/z1TM5SXEoFUOzHp /ukQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584319; x=1750189119; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Uwvrp0V3Gzrt+h7HV27d0TkWaxlpNRudHjN6bTQqZMM=; b=KprhkPI2gdC4CI2E8Cyy839uaaKb9DYMi+ui3uc2RPfjREIzVRwfKJaFAq4XnPwz6m ki0AGHxn4doqDRuPFml1YJroHFJNJ+MHCVU799zGbi1xUTATlU1HjrXRyTwMNTc1P8gc jYx4weRYgRCt+d5UnhDd9haXlBIR4sb0fpGwt5RsAR5Mx4gPHYngZSSzdhsPzq8lm8r4 QJfdC0aQc2g9h/lelTCI7RR94Jzt72mAmR/w5tw9T7MESwfc9S1IQq6XX0d98W0hpF1o K3S6JuM5Hrn//hC2R9V7HVSO6jdgPys1g8tSRHOcZ3GnJ8rN38uIec+iy7D0hNTd0nQN BQXg== X-Gm-Message-State: AOJu0YxqyDPu5M6iUfjbcmeGc6mt27O6KbFdDl8F8lBwctgNfO5xsuaU yDIJJwbBHbaAl7VM52ifl/+HUjXEQ4GuBkvslj7Bp0/WQm2ydFXA7Ru/gTO109OlZ1apvzGyxDy lLCm0 X-Gm-Gg: ASbGnctrv3yjMVON1u6o74PDMifT7eYgfjI7+w/jDZ9qU7nLYEs0qIEqE+MqgCCrbJY VGjy6u83fgI1nJafAryQYU4eCKV5b08oQnABxhf45dOQaZ3/touDLG2tM0eIlGPoFp0hHuBETwx CbSrwHBejekjUEFUA588O7CxQPhaQnjZdIrDeJQoG5peStTxXQ2wIL5oWdFLsyyLg6TWGzkpiki Kr4CY9ujJrK8W9IfupDPzy0iXiBSBjV1jPsvLSsCdKpH7mw+iTPy+YDa/yvjBroWf3UXRebaHGW 3hy3EKbgsZ3pkn7NuckBRNB0QT600Y8BStgYNlVpvtTN0AgUSYlUGg== X-Google-Smtp-Source: AGHT+IH0vjmAcaHFyrsX2Q6iSWnhz1TyqsYMmkX9eQgfq5SwdpF6Cod+52UlHGBtw/bvvnesYq2vMg== X-Received: by 2002:a05:6a20:1584:b0:21f:5aa1:3124 with SMTP id adf61e73a8af0-21f865fa6f4mr1235114637.13.1749584319230; Tue, 10 Jun 2025 12:38:39 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/15] ffmpeg: fix CVE-2025-22921 Date: Tue, 10 Jun 2025 12:38:13 -0700 Message-ID: <948e3fe6d4a0762bcd56e1cc04c4100c46915669.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218429 From: Archana Polampalli FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2025-22921.patch | 34 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch new file mode 100644 index 0000000000..1319dd6a7c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-22921.patch @@ -0,0 +1,34 @@ +From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Wed, 1 Jan 2025 23:58:39 -0300 +Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it + +Fixes NULL pointer dereferences. +Fixes ticket #11393. + +Reviewed-by: Michael Niedermayer +Signed-off-by: James Almer + +CVE: CVE-2025-22921 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7f9c7f9849a2155224711f0ff57ecdac6e4bfb57] + +Signed-off-by: Archana Polampalli +--- + libavcodec/jpeg2000dec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c +index a317040..6c0bd25 100644 +--- a/libavcodec/jpeg2000dec.c ++++ b/libavcodec/jpeg2000dec.c +@@ -1280,6 +1280,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, + } + } + av_freep(&cblk->lengthinc); ++ cblk->nb_lengthinc = 0; + } + } + // Save state of stream +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 49277f9e2b..4ae444258f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb @@ -47,6 +47,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35369.patch \ file://CVE-2025-25473.patch \ file://CVE-2025-22919.patch \ + file://CVE-2025-22921.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db" From patchwork Tue Jun 10 19:38:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64776 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27743C71134 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.95894.1749584321371611383 for ; Tue, 10 Jun 2025 12:38:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Zt/+S6fK; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-739b3fe7ce8so4624993b3a.0 for ; Tue, 10 Jun 2025 12:38:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584321; x=1750189121; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Yw49X4cSStN80mOTz3qz0CK3CEv2NRBM0MBq5aWOQYU=; b=Zt/+S6fK7lN9HQrQiExXFvHHGRC4Fdv7+aibDXATcctIG3814VvosMMqb3Bg+2zUkx cLys1yH3Ud8ApECrpyohVzlczHNyfEL/SR4fGuuyb8M9zKnTgtVYbd1s5ZtfhtEsZY1k LZQWJsLUXFeB+lylJ3DjQ2vwHbJxVmZpPn/FzXAo2v1lAyULGXJ+N/MXHvb7cMvRsyi1 WhooEpaKsYcO3uqM6ZpZcdjQbG6HwsRHHTwbPGOraGT1nyef12gIc4MpsbU5V423fwK9 7rR1JR5KWUOwYwAiwOAnQcfnHBhdmkLDrCPOpNPqXO9MrizoItw3FTe09Rjh+y+i+EL0 STZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584321; x=1750189121; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Yw49X4cSStN80mOTz3qz0CK3CEv2NRBM0MBq5aWOQYU=; b=SE6ce2ho7J0ut8ULDkEC7TnZqs3SB641Y4sIxsIGu3KCjimn2I8Zfsln4z8bIwviCz 3yqCfLj7fheesjSETs/82C88Lw66dX6VC42KRdSEJxYkOEWJlJMp9FE/MX/yIT1Ay2hl UTrXmfqdJzvOtlbb5oqt2kif/RRA6U3i3Ek/UHPWE0B0UsLS2X7riHHZTh2bDqFspBy7 29oBupf6VHFTucIe17UReQPbDMPQ0nsBjHd8YxDWuWfRUPnxVE9NFhGXyZWN48ts0eg7 H5ms6MeozFQ9UXkqx4Gg1LRwfDavLke0Mzn5yN5o/o7mX4xr9PYxOrq8xLddn/EtLlHH Be8Q== X-Gm-Message-State: AOJu0Ywg9ODRw9GnDAXfftzyoWIrrbOQK0oJG1u9v3249KW7a8yI9xTP Fw1ea46NxuQ9J947/t11st06MGEo5dZxarYPDq56Rp1hGf5UA3IF4N2TKd7IqBo6xt8MNjYNdod umJI+ X-Gm-Gg: ASbGnct8XFuNlu0BEa1Ohsu/WN6ldgRhWjyWdXJ6lxRNFQeYb0d3/Sz+/qDEEW5fzYO aExuqZlddxjD+EP3luHTfhFBrGoPovGRHEiPD9sgIWhBthmouUES7kKqEvpiVfvEklsq3vHg28z Lv1TPgB7mjjprNjOm/DSWiVq2+41KkaqvHN3lKmzAK7M+CZ1JNvXEeAkdw5IiVvC2NGiu27k//r 3xXoMapCQhBlrDENw4nDyVsZehGcbTJD9Sl6Zdmfr88sdDVPJ58TNz6KXy/wCclXUT9H3OTfBN+ tqj2Sd5e9xkKv04sU8ALsUcCaQsoCNlcq5/uEqPYbWDkCAKq5hCGIw== X-Google-Smtp-Source: AGHT+IEWawpkmEN7awUVz0wGSeO1JWEXW/rpq7mvh/J2au2iCDaUehh44dVxmhb6mOrbJneBtoBzjA== X-Received: by 2002:a05:6a20:9186:b0:218:96ad:720d with SMTP id adf61e73a8af0-21f865bd1bamr1219715637.1.1749584320664; Tue, 10 Jun 2025 12:38:40 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:40 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/15] binutils: add CVE-2025-1182 patch file to SRC_URI Date: Tue, 10 Jun 2025 12:38:14 -0700 Message-ID: <131f93b8efcddac984965a250b5391c43ca54ac8.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218430 From: Harish Sadineni Forgot to add CVE-2025-1182 patch file to SRC_URI in the following commit https://lists.openembedded.org/g/openembedded-core/message/217350 After rebasing the CVE-2025-1180.patch, we encountered hunk errors while applying the CVE-2025-1182.patch, so I have modified the patch accordingly. Signed-off-by: Harish Sadineni Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.38.inc | 1 + .../binutils/binutils/0040-CVE-2025-1182.patch | 18 +++++++++--------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 01fd03d2f4..085ca2301e 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -75,5 +75,6 @@ SRC_URI = "\ file://0038-CVE-2025-0840.patch \ file://0039-CVE-2025-1178.patch \ file://0040-CVE-2025-1180.patch \ + file://0040-CVE-2025-1182.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch b/meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch index 682f633927..03604bfdd4 100644 --- a/meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch +++ b/meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch @@ -18,14 +18,14 @@ Signed-off-by: Harish Sadineni diff --git a/bfd/elflink.c b/bfd/elflink.c --- a/bfd/elflink.c +++ b/bfd/elflink.c -@@ -14711,6 +14711,10 @@ - } +@@ -14712,6 +14712,10 @@ + } else - { -+ if (r_symndx >= rcookie->locsymcount) -+ /* This can happen with corrupt input. */ -+ return false; + { ++ if (r_symndx >= rcookie->locsymcount) ++ /* This can happen with corrupt input. */ ++ return false; + - /* It's not a relocation against a global symbol, - but it could be a relocation against a local - symbol for a discarded section. */ + /* It's not a relocation against a global symbol, + but it could be a relocation against a local + symbol for a discarded section. */ From patchwork Tue Jun 10 19:38:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64775 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B49DC61DB2 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web11.95896.1749584322963333946 for ; Tue, 10 Jun 2025 12:38:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sOKXkT8B; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-742c27df0daso5389405b3a.1 for ; Tue, 10 Jun 2025 12:38:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584322; x=1750189122; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=NSvB0c0rdGgV15drkOMNjy29LQqrRmEqedNdv5DfH8E=; b=sOKXkT8B8CGcrl9RrFbIbTWYbQmPpdZJzGKJ04hVOdPLIInZo1Z2eRQademrXPr+/N Yy1GsyDyBvqfcLRAgE43XmROt8prsIoFHGycxceMGQbdPZUrSLd6/yiHt2xyPtHzZfJg SAohuV8VWZ5jLGTQoQj+//ORsjmEJlCs8+BGACXwL5KosTMAWDewjei198Ep8WH1iHin r4sCzjzK0c4p3Gp8rN7DK2SnKk7nUBnEK/Ec906MtCH3rcyC4tZM7SWQP+bwS8ERYOaw 6eHsxOVQss4VO2QPmOtgJJwcAp8PC30qB4blWFc6dLuNhXUMCzLBccIlU6pb1dPD7lAK eOEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584322; x=1750189122; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NSvB0c0rdGgV15drkOMNjy29LQqrRmEqedNdv5DfH8E=; b=EzZHP0wtun7cJNs4SLHkmAYcj2YDIuS+ARRm04H2Hhr9VYJ4//W2p5IriHWEItalGQ kcciXZy9YmsoW1ImXNVCKcW/Ig8S4HIYjPlViTUNE8faNOwSmv+A4QE75X3CdmFhLNeD gqqq9LcW4C3XI3lpa3lccMCd98oMIac5KZ7jdrwbNMcZyj0d8RvHxkGCCTXNwjbXdWQZ HneG0H4t4zCpqgRXqHNMIDXkiGUTads1r0sLblAJjQb6snXCrSqFFEt/2YLd3krAFf6k s4qevkYLfyH4GRpsZEmrXQv41Nuq8rSQiXf0R1KRgIOPrNpOL/UNHm8XSB1IjFSzO1E4 RqhA== X-Gm-Message-State: AOJu0Yyj00IcwAeaKVTScuv94AqcFG8QLUvhy7pGL8gl1GmACOOFo9mA yR0jzMX0G2nsTGaoyTwvZVViLD7OjxVoUvPDx4uMJaoNYdopFwDJeBzBmnC+oI0tZgd2DXd8Qko qbGWM X-Gm-Gg: ASbGncs0VwiIgpKhDtxlVG1JdEEPLAbSxvhfDQkttJ+WrNTyQ42m0zp0NNZaHi7gdDv ceBB8z0xA4I1un3I3KqtmZ9Ru0yT7a/TnP/iA6VotLsjITn3b/Epm7Eciz5v05I3YCbW8pty8AY 2EuW3C3SoPKiquufTJLl3W7xI1vF2gVoxOYwfVidpAvLlZS/d/FxpenlxOvrxYoJOj3qpSc+18i Qm/hNS6bS5IGfGaN2b07CZ+ws4BlPPM6AvHncx4vFDpE4oVC+HS3IBXWRvVUs+smOjs/ICSbHzf j8RxN3pl8idaQKvCAEal4CKrKxnn14dg86C/UG+IyKo7N8y3BiFI/w== X-Google-Smtp-Source: AGHT+IGoIHB1o45cT660r9Miey07eTzVYOFK4NF4Y1QigSuNHJyidwg5FDjTTxzHLUiGa2CK0lS+cA== X-Received: by 2002:a05:6a21:6d8b:b0:21a:de8e:5cc3 with SMTP id adf61e73a8af0-21f865b941dmr1172514637.4.1749584322166; Tue, 10 Jun 2025 12:38:42 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:41 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/15] python3-setuptools: Fix CVE-2025-47273 Date: Tue, 10 Jun 2025 12:38:15 -0700 Message-ID: <6b6e556a226100205427c85e8064f7640a9da25e.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218431 From: Vijay Anusuri Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../CVE-2025-47273-pre1.patch | 54 +++++++++++++++++ .../python3-setuptools/CVE-2025-47273.patch | 59 +++++++++++++++++++ .../python/python3-setuptools_59.5.0.bb | 2 + 3 files changed, 115 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch new file mode 100644 index 0000000000..b273551ffc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch @@ -0,0 +1,54 @@ +From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 12:49:55 -0400 +Subject: [PATCH] Extract _resolve_download_filename with test. + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a] +CVE: CVE-2025-47273 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 3a893df..f350e11 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -786,9 +786,16 @@ class PackageIndex(Environment): + raise DistutilsError("Download error for %s: %s" + % (url, v)) from v + +- def _download_url(self, url, tmpdir): +- # Determine download filename +- # ++ @staticmethod ++ def _resolve_download_filename(url, tmpdir): ++ """ ++ >>> du = PackageIndex._resolve_download_filename ++ >>> root = getfixture('tmp_path') ++ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' ++ >>> import pathlib ++ >>> str(pathlib.Path(du(url, root)).relative_to(root)) ++ 'setuptools-78.1.0.tar.gz' ++ """ + name, fragment = egg_info_for_url(url) + if name: + while '..' in name: +@@ -799,8 +806,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- filename = os.path.join(tmpdir, name) ++ return os.path.join(tmpdir, name) + ++ def _download_url(self, url, tmpdir): ++ """ ++ Determine the download filename. ++ """ ++ filename = self._resolve_download_filename(url, tmpdir) + return self._download_vcs(url, filename) or self._download_other(url, filename) + + @staticmethod +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch new file mode 100644 index 0000000000..4b1a01cd34 --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch @@ -0,0 +1,59 @@ +From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 13:03:47 -0400 +Subject: [PATCH] Add a check to ensure the name resolves relative to the + tmpdir. + +Closes #4946 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b] +CVE: CVE-2025-47273 +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index f350e11..86bf851 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -789,12 +789,20 @@ class PackageIndex(Environment): + @staticmethod + def _resolve_download_filename(url, tmpdir): + """ ++ >>> import pathlib + >>> du = PackageIndex._resolve_download_filename + >>> root = getfixture('tmp_path') + >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' +- >>> import pathlib + >>> str(pathlib.Path(du(url, root)).relative_to(root)) + 'setuptools-78.1.0.tar.gz' ++ ++ Ensures the target is always in tmpdir. ++ ++ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys' ++ >>> du(url, root) ++ Traceback (most recent call last): ++ ... ++ ValueError: Invalid filename... + """ + name, fragment = egg_info_for_url(url) + if name: +@@ -806,7 +814,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- return os.path.join(tmpdir, name) ++ filename = os.path.join(tmpdir, name) ++ ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError(f"Invalid filename {filename}") ++ ++ return filename + + def _download_url(self, url, tmpdir): + """ +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index 0c0f1e9d81..b106b188f3 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -13,6 +13,8 @@ SRC_URI += "\ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ file://CVE-2024-6345.patch \ + file://CVE-2025-47273-pre1.patch \ + file://CVE-2025-47273.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" From patchwork Tue Jun 10 19:38:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64780 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D09CC61DB2 for ; Tue, 10 Jun 2025 19:39:00 +0000 (UTC) Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com [209.85.219.47]) by mx.groups.io with SMTP id smtpd.web10.96546.1749584336140845357 for ; Tue, 10 Jun 2025 12:38:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ur/tFpKS; spf=softfail (domain: sakoman.com, ip: 209.85.219.47, mailfrom: steve@sakoman.com) Received: by mail-qv1-f47.google.com with SMTP id 6a1803df08f44-6fadd3ad18eso59500896d6.2 for ; Tue, 10 Jun 2025 12:38:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584335; x=1750189135; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=j25uhpM+ozHWS7bBQiXm2G1PecwmdEFSnLdjkldDgX8=; b=ur/tFpKSCz6s8J255Oe9u4objQds01PfBWH1SZVs2di74m5DdP8U8yrKaUepHDlTuY tDHu1RmZsjukMy4qHYw7quXLKtlJmlseh5qcSHmUiZc57RNc/LFbXQ98wjOvqMEV7D4/ N4V5TQaA/68OA1j7f1ELZNlKna9NeoZx944bB62E5kxiRp5IzntJOB/+hWnAhbhiXdRC zCaGNYzjDw2uN8cQuxO+hXs8qpVUvilaTShic3OHfGRj1V2YZToBtQO52GfRQhR9A/6k g56Blbs2HvtTAd26vDL77RxYpf4qut6kmhC8casUMWkDcQhbFzihdNROLz9PB9CUMXwF fk4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584335; x=1750189135; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=j25uhpM+ozHWS7bBQiXm2G1PecwmdEFSnLdjkldDgX8=; b=G7CmK4xanskq/j52aeE0gUWW+oe5rg7+36N2A0WerrHGmyPecs42Wi7yJsMqltiGqo 6KyZzTO/pK6WWyCLvBfCO+0sXE/P/B8ouB+gQDxGFtnfEQPnLlXB+LI81oTZcEgxQ1+g 93EnKZhMZY4ladlZW940w5t+WKXwXBMqVxk7ke2VB+eRo1inSNjjBihArZyTukmpsQNN tKO3x/G2EHhr0+H7bq38YtIg1z1TAZ7JJXSgGoSXC+Cc6ncVur3D8g/lpMnId2PUGUN2 eLHIrQLGIGpdYhy+IlPX8JgyysT4HdEXHS4nTj6ZfvH8cSC9XYIvunWSCFRZK53Mr6tC jjSQ== X-Gm-Message-State: AOJu0YydWioK/I1MuOmgKbaysWPB7LOvWknLGZQoNLDgyn3TNUzK/Hzj AAPRtrJTy/1jfaHIiPw+2m5zETmX1HOxIOTFHUtvL9t6gHiO5owS0tuN1EP+Ba6ZRHBytTpvIxs xiv3H X-Gm-Gg: ASbGnctAx9k/Kkusqy3xR+nRA2CiNFGjSZ/jiDJntGo65KT1mc2ud/Pxr8/5CLcrS2c bco1Lm5Tz/QaK+ji+/u5RDimt7gTj28GXNMqn7uKILusXz4wgoRvjhBBwKJNJxEn1BbIeSTuuwt yj3x1AzcZi1AbYuf6Aa1hp5Ix7gGSeyyKGkJsb9L0d7VDjeG+RN/9L9V+x96K6djCaYDOACl+Vx Dv+7ypSreL2Hae0YGyUUJJUf9cuXyfVp8cIqVYd1YY9Txpnnn7CFtFyIe4L3DVszPkeo9S1GVcY 81r9PL9CDq8qGDViXCFRFtgIoEI/btv6ssT62Cjk+E0PAA9Yl0nvJw== X-Google-Smtp-Source: AGHT+IH/+Q0/HnYYciOROmbG//ORkgSPgK/mvAYDZH2uYmYIVIbXNoqM5uYZ0f6lHWAi0dIQasJfwg== X-Received: by 2002:a05:6a20:12c6:b0:1f5:889c:3cbd with SMTP id adf61e73a8af0-21f867441e9mr1153299637.35.1749584323728; Tue, 10 Jun 2025 12:38:43 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:43 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/15] binutils: Fix CVE-2025-5244 & CVE-2025-5245 Date: Tue, 10 Jun 2025 12:38:16 -0700 Message-ID: <7eb29f802b272dec19c5bfdce93155d99bac918d.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:39:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218437 From: Deepesh Varatharajan PR32858 ld segfault on fuzzed object We missed one place where it is necessary to check for empty groups. PR32829, SEGV on objdump function debug_type_samep u.kenum is always non-NULL, see debug_make_enum_type. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5] && [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a] Signed-off-by: Deepesh Varatharajan Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.38.inc | 2 + .../binutils/0041-CVE-2025-5244.patch | 25 ++++++++++++ .../binutils/0042-CVE-2025-5245.patch | 38 +++++++++++++++++++ 3 files changed, 65 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch create mode 100644 meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 085ca2301e..f1c29015bc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -76,5 +76,7 @@ SRC_URI = "\ file://0039-CVE-2025-1178.patch \ file://0040-CVE-2025-1180.patch \ file://0040-CVE-2025-1182.patch \ + file://0041-CVE-2025-5244.patch \ + file://0042-CVE-2025-5245.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch b/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch new file mode 100644 index 0000000000..e8855a4b4b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0041-CVE-2025-5244.patch @@ -0,0 +1,25 @@ +From: Alan Modra +Date: Thu, 10 Apr 2025 19:41:49 +0930 + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5] +CVE: CVE-2025-5244 + +PR32858 ld segfault on fuzzed object +We missed one place where it is necessary to check for empty groups. + +Signed-off-by: Deepesh Varatharajan + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index a76e8e38da7..549b7b7dd92 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14408,7 +14408,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info) + if (o->flags & SEC_GROUP) + { + asection *first = elf_next_in_group (o); +- o->gc_mark = first->gc_mark; ++ if (first != NULL) ++ o->gc_mark = first->gc_mark; + } + + if (o->gc_mark) diff --git a/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch b/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch new file mode 100644 index 0000000000..2de6abbe93 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0042-CVE-2025-5245.patch @@ -0,0 +1,38 @@ +From: Alan Modra +Date: Tue, 1 Apr 2025 22:36:54 +1030 + +PR32829, SEGV on objdump function debug_type_samep +u.kenum is always non-NULL, see debug_make_enum_type. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a] +CVE: CVE-2025-5245 + +Signed-off-by: Deepesh Varatharajan + +diff --git a/binutils/debug.c b/binutils/debug.c +index dcc8ccde..465b18e7 100644 +--- a/binutils/debug.c ++++ b/binutils/debug.c +@@ -2554,9 +2554,6 @@ debug_write_type (struct debug_handle *info, + case DEBUG_KIND_UNION_CLASS: + return debug_write_class_type (info, fns, fhandle, type, tag); + case DEBUG_KIND_ENUM: +- if (type->u.kenum == NULL) +- return (*fns->enum_type) (fhandle, tag, (const char **) NULL, +- (bfd_signed_vma *) NULL); + return (*fns->enum_type) (fhandle, tag, type->u.kenum->names, + type->u.kenum->values); + case DEBUG_KIND_POINTER: +@@ -3098,9 +3095,9 @@ debug_type_samep (struct debug_handle *info, struct debug_type_s *t1, + break; + + case DEBUG_KIND_ENUM: +- if (t1->u.kenum == NULL) +- ret = t2->u.kenum == NULL; +- else if (t2->u.kenum == NULL) ++ if (t1->u.kenum->names == NULL) ++ ret = t2->u.kenum->names == NULL; ++ else if (t2->u.kenum->names == NULL) + ret = false; + else + { From patchwork Tue Jun 10 19:38:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64778 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11C5BC677C4 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web10.96534.1749584326018757921 for ; Tue, 10 Jun 2025 12:38:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=N93r77rm; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-7390d21bb1cso4812365b3a.2 for ; Tue, 10 Jun 2025 12:38:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584325; x=1750189125; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7qHfXtNJYhQv+11AqES5hXnxMO7QHIQtuebO4RNfdZg=; b=N93r77rmMGNYqzbDoJnZozwaMjiFDw+d9b+nuN5mRciahSsEhl7LleSjns/h4XN4hX ywQ/wBGb08s2z5/v67l4h/dQFicp/D/HqDOxPa3tNTo4bYmsalHpJUAn3wpJB00gjSlo +McwyOxVtw9EJhyMMMGmTodEumHCmNFBQAGgcx6bRgOPTMS8IawLmzMEte9HCAd7tT4/ CVxWqPQA4JrHEceYP52wgbQpeZOhoHbAMVTQfpECSuglZr2V+g6XjDMblZKW4hEQMK9j svaQFIiXvW0tWmZXDFjWYtmh34O1ABVwPC4huCb8qP/LHPHkgP0qoiaq4oNqFspybR7l REuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584325; x=1750189125; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7qHfXtNJYhQv+11AqES5hXnxMO7QHIQtuebO4RNfdZg=; b=TpYPgeb6R+2dQlv3qzH4NNCU5rEf4cFObcxN5MIluyQia4xGGsHPMXSSov+nmMdCux Sx5jxfP/5Q99N3eDzLh0UxRB8phN63OIPwsKkK3Ljxtha2l1YiRalRxnUooXlGr92OiF W09PCU3FMCgvxwm0DEfQCVXISk3Oe80LENqCcHtDr9Qm2WmK3ZDBufakLuUTewQKAK5m hXkx5YBdFIRlzYx5EHzctTDHkIijTHhWZ9D7DQSTBnfHGZi5+EeID/Z4EJZV6JvCzy41 RLb05m9IrKCxQlIFhBP5/hgl0WlqSpnxWBrRRkFfxRPLWMt5jIvuoH43xtTSJdQe70jA M4Xw== X-Gm-Message-State: AOJu0YyF2luuQCF5Z8rUGWw4YK0ng+zmrWHEd06IG2/JyiwNdO/+ehPG xgOO+lEPTn2s99IM301i5zRzlYSbbw24VuZ9g7x6EQQz1EdVoTO1MBCqav7kiRxI+cYVNzxH0jp BIyOH X-Gm-Gg: ASbGnctaVhZneXiN4iAStt/qzwX5yKsbn2oGFpf6/oKUlNxcrcpf/2AnxeTfTqpbQkN pqIK85ZyHmD0CR5xROw6VoN5L/O2UvfSp9Mfc7R3vvfcaztmdNpPclz9tL5hthtK4AR3WPoSD+D k+NIROVmd6Dg6VHjwJseUfaOcjU5XIEuurByVZg8JYWEejOdATp+r42kLFtfoSiaYzR6IhMEvUu ARDNLbvnWU9E+i64PxR6eChHOZWV7ywaSfV+NJ2qA21WttoZmqR0hzjGnKvCeRN97MzoS+oAWGK hghKPbiIKSlUYlo+MifzMiV9gPl3jkOvL68pueGkmmPbdGMlO39SjZmMH/xNKESf X-Google-Smtp-Source: AGHT+IG9OahOQUOAGi0DqH/oZCRTYFsLiqE9BdbpQLIsDciCyo0bCLMkTbQ8+uof5QOSKbujqcFUPQ== X-Received: by 2002:a05:6a21:689:b0:21d:85c:2906 with SMTP id adf61e73a8af0-21f8660e658mr1170062637.13.1749584325256; Tue, 10 Jun 2025 12:38:45 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:44 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/15] screen: fix CVE-2025-46802 Date: Tue, 10 Jun 2025 12:38:17 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218432 From: Divya Chellam For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. Reference: https://security-tracker.debian.org/tracker/CVE-2025-46802 Upstream-patch: https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../screen/screen/CVE-2025-46802.patch | 146 ++++++++++++++++++ meta/recipes-extended/screen/screen_4.9.0.bb | 1 + 2 files changed, 147 insertions(+) create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46802.patch diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46802.patch b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch new file mode 100644 index 0000000000..aa2cbeac21 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch @@ -0,0 +1,146 @@ +From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Mon, 12 May 2025 15:15:38 +0200 +Subject: [PATCH] fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode + on PTYs + +This temporary chmod of the PTY to mode 0666 is most likely a remnant of +past times, before the PTY file descriptor was passed to the target +session via the UNIX domain socket. + +This chmod() causes a race condition during which any other user in the +system can open the PTY for reading and writing, and thus allows PTY +hijacking. + +Simply remove this logic completely. + +CVE: CVE-2025-46802 + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a] + +Signed-off-by: Divya Chellam +--- + attacher.c | 27 --------------------------- + screen.c | 19 ------------------- + 2 files changed, 46 deletions(-) + +diff --git a/attacher.c b/attacher.c +index 18ba43c..257bd75 100644 +--- a/attacher.c ++++ b/attacher.c +@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd; + #ifdef MULTIUSER + extern char *multi; + extern int multiattach, multi_uid, own_uid; +-extern int tty_mode, tty_oldmode; + # ifndef USE_SETEUID + static int multipipe[2]; + # endif +@@ -160,9 +159,6 @@ int how; + + if (pipe(multipipe)) + Panic(errno, "pipe"); +- if (chmod(attach_tty, 0666)) +- Panic(errno, "chmod %s", attach_tty); +- tty_oldmode = tty_mode; + eff_uid = -1; /* make UserContext fork */ + real_uid = multi_uid; + if ((ret = UserContext()) <= 0) +@@ -174,11 +170,6 @@ int how; + Panic(errno, "UserContext"); + close(multipipe[1]); + read(multipipe[0], &dummy, 1); +- if (tty_oldmode >= 0) +- { +- chmod(attach_tty, tty_oldmode); +- tty_oldmode = -1; +- } + ret = UserStatus(); + #ifdef LOCK + if (ret == SIG_LOCK) +@@ -224,9 +215,6 @@ int how; + xseteuid(multi_uid); + xseteuid(own_uid); + #endif +- if (chmod(attach_tty, 0666)) +- Panic(errno, "chmod %s", attach_tty); +- tty_oldmode = tty_mode; + } + # endif /* USE_SETEUID */ + #endif /* MULTIUSER */ +@@ -423,13 +411,6 @@ int how; + ContinuePlease = 0; + # ifndef USE_SETEUID + close(multipipe[1]); +-# else +- xseteuid(own_uid); +- if (tty_oldmode >= 0) +- if (chmod(attach_tty, tty_oldmode)) +- Panic(errno, "chmod %s", attach_tty); +- tty_oldmode = -1; +- xseteuid(real_uid); + # endif + } + #endif +@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG + close(s); + } + } +-#ifdef MULTIUSER +- if (tty_oldmode >= 0) +- { +- if (setuid(own_uid)) +- Panic(errno, "setuid"); +- chmod(attach_tty, tty_oldmode); +- } +-#endif + exit(0); + SIGRETURN; + } +diff --git a/screen.c b/screen.c +index 8bce303..f2e8171 100644 +--- a/screen.c ++++ b/screen.c +@@ -230,8 +230,6 @@ char *multi_home; + int multi_uid; + int own_uid; + int multiattach; +-int tty_mode; +-int tty_oldmode = -1; + #endif + + char HostName[MAXSTR]; +@@ -1009,9 +1007,6 @@ int main(int ac, char** av) + + /* ttyname implies isatty */ + SetTtyname(true, &st); +-#ifdef MULTIUSER +- tty_mode = (int)st.st_mode & 0777; +-#endif + + fl = fcntl(0, F_GETFL, 0); + if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR) +@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic) + if (D_userpid) + Kill(D_userpid, SIG_BYE); + } +-#ifdef MULTIUSER +- if (tty_oldmode >= 0) { +- +-# ifdef USE_SETEUID +- if (setuid(own_uid)) +- xseteuid(own_uid); /* may be a loop. sigh. */ +-# else +- setuid(own_uid); +-# endif +- +- debug1("Panic: changing back modes from %s\n", attach_tty); +- chmod(attach_tty, tty_oldmode); +- } +-#endif + eexit(1); + } + +-- +2.40.0 + diff --git a/meta/recipes-extended/screen/screen_4.9.0.bb b/meta/recipes-extended/screen/screen_4.9.0.bb index d137c85600..540a78e04b 100644 --- a/meta/recipes-extended/screen/screen_4.9.0.bb +++ b/meta/recipes-extended/screen/screen_4.9.0.bb @@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://0001-Remove-more-compatibility-stuff.patch \ file://CVE-2023-24626.patch \ file://CVE-2025-46805.patch \ + file://CVE-2025-46802.patch \ " SRC_URI[sha256sum] = "f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4" From patchwork Tue Jun 10 19:38:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64777 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19111C71133 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.96537.1749584327708931261 for ; Tue, 10 Jun 2025 12:38:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=FQU4+ywI; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-7406c6dd2b1so206781b3a.0 for ; Tue, 10 Jun 2025 12:38:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584327; x=1750189127; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lPhgO0zkeQd0e+knpR+1urDJD3tgfo1lwsDaWVVDe90=; b=FQU4+ywIelQwV5E4pZOw9wbEE3vUhreGSQrObjONAB2w/Jhl/X9pb3RifFCK5Ac6Fh TDkJWqNZyuy/COqLo8LJsNObySApwkxjI/LJPiAD56TrwdjKdV2J6uLVAW87gsNSco/K /od6pFOA02aelq/lolkMxUo687/xPc9O6f1zGxmW0KT25t5H6CJL0CkFIdRJe8exeo7r 1fe8lpbEecOgtFVskRBpov5pN7XPU60lD4HTETMqmiUer7LxxmvzopvKl8qtuIY2JAMy pw+TgctBLLBgz/uxJTWrLx4OkBlwcTbMC7X20wM7XZ5GZAf1YfaBVHS43HXg/8HpJSdL ft+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584327; x=1750189127; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lPhgO0zkeQd0e+knpR+1urDJD3tgfo1lwsDaWVVDe90=; b=ahNc701QI8CJQKLblr9lf7PKBJc0wjqeR1zcYgQ3b2hb1uZNB2i7eHyQE9zJvmjz5Y ntYu+XhmR+qHX6x4y2/798vnRP1Rk+6gNhiB9n1NLZ42uOSiQIVn25cN82f7VsgpFDwO /r0CZge5LDUnFxb+nnNWQssXfXIXhvsHG8xTamEPzUr1yYFKBN/aolRDZCpSivkzSLTv IB/VaryRTbh4dx+u+SXYzC5is27ktSdKkDRskHj2SSL6hdhKAB2eznN136WtxC7AAXHw RdqcaLgVLp0zTkA7y9l0v4Ywo7N5gYkPIW+HYQsZUMICWP3F1p2WM1odxmflhyVdnqpO Ll5w== X-Gm-Message-State: AOJu0YxGGeqIcX3L4PFbJluAO5rsyrlRIzG6nlpm+RB/CFKrWy1t9AmV aDHmk6DFjruKPNVEnbvL3lPDWv3DMeSFHhhoqqwYzmwVOqaIw/NSwB7ZcI0ejlBjB8M8SE96eKM Ldr3b X-Gm-Gg: ASbGncuWUkCyrjb16Ry5Rl25dwXztQ/1AaorstC+I81nEaIgSWFve6EA/6+RzhilPyQ YXKM1muZtNqpJsLUKT+8iCwEADW+7bhJGZP88JR3ixZCPZhjWn+r9GwUJ/Q3btAJ3QOsd+vLE3E cUW81MQ4//uTF6BsdWn0UVbBIWit1fCg1iQlmomTzykcbqMot/psUG5pWAsrBMDy6kRtBD3eWUs LWjlcmzq0qvDh1Xg0UHOaxTuE9rxeUb1brKup5BNPrUF6F6X/hWcPKL9Q7yeAMr9NJpioq0PgD7 qOlNc7P/MKBUmRMv7XSn7y0agqqAiAH77C1+k3oxVQfAkg6irTtNgHR1RhU+EWHc X-Google-Smtp-Source: AGHT+IHaeqqcSnLgZ5/PDoipiXbD9yr4IswzW9huitB9GlwCRnO/4ICb7Z1CUR+mOJoEUbEYUEU8eA== X-Received: by 2002:a05:6a20:4313:b0:218:159f:1e87 with SMTP id adf61e73a8af0-21f86ffca68mr887013637.19.1749584326769; Tue, 10 Jun 2025 12:38:46 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:46 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/15] screen: fix CVE-2025-46804 Date: Tue, 10 Jun 2025 12:38:18 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218433 From: Divya Chellam A minor information leak when running Screen with setuid-root privileges allosw unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0. Reference: https://security-tracker.debian.org/tracker/CVE-2025-46804 Upstream-patch: https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../screen/screen/CVE-2025-46804.patch | 131 ++++++++++++++++++ meta/recipes-extended/screen/screen_4.9.0.bb | 1 + 2 files changed, 132 insertions(+) create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46804.patch diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46804.patch b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch new file mode 100644 index 0000000000..4cb1465535 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch @@ -0,0 +1,131 @@ +From e0eef5aac453fa98a2664416a56c50ad1d00cb30 Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Mon, 12 May 2025 15:26:11 +0200 +Subject: [PATCH] fix CVE-2025-46804: avoid file existence test information + leaks + +In setuid-root context the current error messages give away whether +certain paths not accessible by the real user exist and what type they +have. To prevent this only output generic error messages in setuid-root +context. + +In some situations, when an error is pertaining a directory and the +directory is owner by the real user then we can still output more +detailed diagnostics. + +This change can lead to less helpful error messages when Screen is +install setuid-root. More complex changes would be needed to avoid this +(e.g. only open the `SocketPath` with raised privileges when +multi-attach is requested). + +There might still be lingering some code paths that allow such +information leaks, since `SocketPath` is a global variable that is used +across the code base. The majority of issues should be caught with this +fix, however. + +CVE: CVE-2025-46804 + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30] + +Signed-off-by: Divya Chellam +--- + screen.c | 45 ++++++++++++++++++++++++++++++++++----------- + socket.c | 9 +++++++-- + 2 files changed, 41 insertions(+), 13 deletions(-) + +diff --git a/screen.c b/screen.c +index f2e8171..ef6c26a 100644 +--- a/screen.c ++++ b/screen.c +@@ -1122,15 +1122,28 @@ int main(int ac, char** av) + #endif + } + +- if (stat(SockPath, &st) == -1) +- Panic(errno, "Cannot access %s", SockPath); +- else +- if (!S_ISDIR(st.st_mode)) ++ if (stat(SockPath, &st) == -1) { ++ if (eff_uid == real_uid) { ++ Panic(errno, "Cannot access %s", SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } else if (!S_ISDIR(st.st_mode)) { ++ if (eff_uid == real_uid || st.st_uid == real_uid) { + Panic(0, "%s is not a directory.", SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } + #ifdef MULTIUSER + if (multi) { +- if ((int)st.st_uid != multi_uid) +- Panic(0, "%s is not the owner of %s.", multi, SockPath); ++ if ((int)st.st_uid != multi_uid) { ++ if (eff_uid == real_uid || st.st_uid == real_uid) { ++ Panic(0, "%s is not the owner of %s.", multi, SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } + } + else + #endif +@@ -1144,9 +1157,13 @@ int main(int ac, char** av) + Panic(0, "You are not the owner of %s.", SockPath); + #endif + } +- +- if ((st.st_mode & 0777) != 0700) +- Panic(0, "Directory %s must have mode 700.", SockPath); ++ if ((st.st_mode & 0777) != 0700) { ++ if (eff_uid == real_uid || st.st_uid == real_uid) { ++ Panic(0, "Directory %s must have mode 700.", SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } + if (SockMatch && index(SockMatch, '/')) + Panic(0, "Bad session name '%s'", SockMatch); + SockName = SockPath + strlen(SockPath) + 1; +@@ -1184,8 +1201,14 @@ int main(int ac, char** av) + else + exit(9 + (fo || oth ? 1 : 0) + fo); + } +- if (fo == 0) +- Panic(0, "No Sockets found in %s.\n", SockPath); ++ if (fo == 0) { ++ if (eff_uid == real_uid || st.st_uid == real_uid) { ++ Panic(0, "No Sockets found in %s.\n", SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } ++ + Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath); + eexit(0); + } +diff --git a/socket.c b/socket.c +index 3bbd64e..5661e6e 100644 +--- a/socket.c ++++ b/socket.c +@@ -169,8 +169,13 @@ bool *is_sock; + xsetegid(real_gid); + #endif + +- if ((dirp = opendir(SockPath)) == 0) +- Panic(errno, "Cannot opendir %s", SockPath); ++ if ((dirp = opendir(SockPath)) == 0) { ++ if (eff_uid == real_uid) { ++ Panic(errno, "Cannot opendir %s", SockPath); ++ } else { ++ Panic(0, "Error accessing %s", SockPath); ++ } ++ } + + slist = 0; + slisttail = &slist; +-- +2.40.0 + diff --git a/meta/recipes-extended/screen/screen_4.9.0.bb b/meta/recipes-extended/screen/screen_4.9.0.bb index 540a78e04b..574b738dbf 100644 --- a/meta/recipes-extended/screen/screen_4.9.0.bb +++ b/meta/recipes-extended/screen/screen_4.9.0.bb @@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://CVE-2023-24626.patch \ file://CVE-2025-46805.patch \ file://CVE-2025-46802.patch \ + file://CVE-2025-46804.patch \ " SRC_URI[sha256sum] = "f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4" From patchwork Tue Jun 10 19:38:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64779 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F588C71135 for ; Tue, 10 Jun 2025 19:38:50 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web10.96539.1749584329946856888 for ; Tue, 10 Jun 2025 12:38:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=PU5VT15K; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-747fc7506d4so5550370b3a.0 for ; Tue, 10 Jun 2025 12:38:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584329; x=1750189129; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=wxivQ2oAS2r2fDfDiRzKYS1lB9RhfkwHSW3O6ZHZzZ8=; b=PU5VT15Kp4+cBlOOUohIM++S7HCZ/CEsu5+MjfonIwRhzHWBxFNr8BOvCDU+DwmWrN 8uQTj3sEf3TXN32pnqhqkG0Pr0uyTcnPPUv+zUhzyq9sOZ3Q9n2522nXjxWNP1fO0Jlz +JWv9nmVJ53FR/PNg7btkM9lDZNBaMM9iSlllhoVWNIcUJU0LKayZ4+fNLJFYkX2EbDJ I5kgCrfT0y/nrQI58RvBsTw1p47dq39RNn98IwGT2uV1aQ/R85HEVBCkNaK23Kfg3qp/ uvlt85hYAcEgO9mnxT4zPTcBjbCyDmz/rqt5N9gkbDrldLfWCFOLkFcFZnk4V6fd+JqM BJIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584329; x=1750189129; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wxivQ2oAS2r2fDfDiRzKYS1lB9RhfkwHSW3O6ZHZzZ8=; b=T1le5CsWpWnXYeKv3P7yRlTS9+XQRm9PUjc3qvyrMhGaYaJ/8PHyQwaWVH+8fTq4Xj 8RdNJgXtDojia/PL8JkdR9X6UqYpqviNJz6OSRpCVd/ctam/kw4AFyfOBJEv+1W7i47r ApeYSRPI+uMBLb6lJstKHmDrSZEOLeIRarNTJ2r3bFui/u5Yku9hvr5AAcqP+qSmCrNs yCeLMh7paej+EQ42LBSZYV7uxy02474OpLSsFzdE1DyzIPjpJPP+6kPKWWr13fCg/fwv TePVN07tcqp8SikYfl/8ARnqBw12MEuK7rh1be0ybV6EI4Trw6CqRxUb+kYuJ2HZNFBz N4Fg== X-Gm-Message-State: AOJu0YxydbqejEykzfrSDsI93IUyHDjw4RMqwKLcFaU5h6ie2aTqU2df bbvLGFz3Ce9yRaC3jQjwkZd7so1rP8UrQPext/4s1+ycJJYq85NP9pauhuf5f3GMUzuDddIHXCp j+LNa X-Gm-Gg: ASbGnctqFiVlvq4CHVvMzp9fQNrrFKKlOkcRwscQ9CuQyT267Xvw7J4dt/bQk+Ua93S DMe8MOw4Y9JasALnMA5Q0KnNqVOoTbHnNb9eJ90WHD24Wua+l39CBOeYMNYvH4GTUOwd961/1Pp k/aOSYnu9UH3zWU38aj73MW3phjHSWQnn3gdf+gs9r0JTL6rrlibMQPLOmup1+iEzogseX6hS+c excaCOlPrIktjyTILVG1z0MAMpVTWU69qgwMzwUdC4mBP0K+GahF7AZmBMdO1sNSKyTODDBxrS7 plJts8cYsEBKhset77iRqbF23C8rik+GCYDntO/2aaA8dDL/HohGFg== X-Google-Smtp-Source: AGHT+IFE+MPBrLHX7gk71Zd2UIdvpVQdbR7GC0fMO1QJgcylcJ10mmqg3hbH0KbTXk3Eq13nGkOB4g== X-Received: by 2002:a05:6a21:900e:b0:1f5:95a7:8159 with SMTP id adf61e73a8af0-21f8664f2f3mr1109367637.10.1749584328747; Tue, 10 Jun 2025 12:38:48 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:48 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/15] git: Fix CVE-2024-50349 and CVE-2024-52006 Date: Tue, 10 Jun 2025 12:38:19 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:38:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218434 From: Vijay Anusuri Upstream-Status: Backport from https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577 & https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 & https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../git/git/CVE-2024-50349-0001.patch | 100 ++++++ .../git/git/CVE-2024-50349-0002.patch | 321 ++++++++++++++++++ .../git/git/CVE-2024-52006.patch | 165 +++++++++ meta/recipes-devtools/git/git_2.35.7.bb | 3 + 4 files changed, 589 insertions(+) create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch create mode 100644 meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch create mode 100644 meta/recipes-devtools/git/git/CVE-2024-52006.patch diff --git a/meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch b/meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch new file mode 100644 index 0000000000..a4567f83f5 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2024-50349-0001.patch @@ -0,0 +1,100 @@ +From c903985bf7e772e2d08275c1a95c8a55ab011577 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Thu, 7 Nov 2024 08:57:52 +0100 +Subject: [PATCH] credential_format(): also encode [:] + +An upcoming change wants to sanitize the credential password prompt +where a URL is displayed that may potentially come from a `.gitmodules` +file. To this end, the `credential_format()` function is employed. + +To sanitize the host name (and optional port) part of the URL, we need a +new mode of the `strbuf_add_percentencode()` function because the +current mode is both too strict and too lenient: too strict because it +encodes `:`, `[` and `]` (which should be left unencoded in +`:` and in IPv6 addresses), and too lenient because it does +not encode invalid host name characters `/`, `_` and `~`. + +So let's introduce and use a new mode specifically to encode the host +name and optional port part of a URI, leaving alpha-numerical +characters, periods, colons and brackets alone and encoding all others. + +This only leads to a change of behavior for URLs that contain invalid +host names. + +Signed-off-by: Johannes Schindelin + +Upstream-Status: Backport [https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577] +CVE: CVE-2024-50349 +Signed-off-by: Vijay Anusuri +--- + credential.c | 3 ++- + strbuf.c | 4 +++- + strbuf.h | 1 + + t/t0300-credentials.sh | 13 +++++++++++++ + 4 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/credential.c b/credential.c +index f32011343f9400..572f1785da7d3e 100644 +--- a/credential.c ++++ b/credential.c +@@ -164,7 +164,8 @@ static void credential_format(struct credential *c, struct strbuf *out) + strbuf_addch(out, '@'); + } + if (c->host) +- strbuf_addstr(out, c->host); ++ strbuf_add_percentencode(out, c->host, ++ STRBUF_ENCODE_HOST_AND_PORT); + if (c->path) { + strbuf_addch(out, '/'); + strbuf_add_percentencode(out, c->path, 0); +diff --git a/strbuf.c b/strbuf.c +index c383f41a3c5ccc..756b96c56157c3 100644 +--- a/strbuf.c ++++ b/strbuf.c +@@ -492,7 +492,9 @@ void strbuf_add_percentencode(struct strbuf *dst, const char *src, int flags) + unsigned char ch = src[i]; + if (ch <= 0x1F || ch >= 0x7F || + (ch == '/' && (flags & STRBUF_ENCODE_SLASH)) || +- strchr(URL_UNSAFE_CHARS, ch)) ++ ((flags & STRBUF_ENCODE_HOST_AND_PORT) ? ++ !isalnum(ch) && !strchr("-.:[]", ch) : ++ !!strchr(URL_UNSAFE_CHARS, ch))) + strbuf_addf(dst, "%%%02X", (unsigned char)ch); + else + strbuf_addch(dst, ch); +diff --git a/strbuf.h b/strbuf.h +index f6dbb9681ee768..f9f8bb0381b3c5 100644 +--- a/strbuf.h ++++ b/strbuf.h +@@ -380,6 +380,7 @@ size_t strbuf_expand_dict_cb(struct strbuf *sb, + void strbuf_addbuf_percentquote(struct strbuf *dst, const struct strbuf *src); + + #define STRBUF_ENCODE_SLASH 1 ++#define STRBUF_ENCODE_HOST_AND_PORT 2 + + /** + * Append the contents of a string to a strbuf, percent-encoding any characters +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh +index c66d91e82d8bc7..cb91be1427f1d2 100755 +--- a/t/t0300-credentials.sh ++++ b/t/t0300-credentials.sh +@@ -514,6 +514,19 @@ test_expect_success 'match percent-encoded values in username' ' + EOF + ' + ++test_expect_success 'match percent-encoded values in hostname' ' ++ test_config "credential.https://a%20b%20c/.helper" "$HELPER" && ++ check fill <<-\EOF ++ url=https://a b c/ ++ -- ++ protocol=https ++ host=a b c ++ username=foo ++ password=bar ++ -- ++ EOF ++' ++ + test_expect_success 'fetch with multiple path components' ' + test_unconfig credential.helper && + test_config credential.https://example.com/foo/repo.git.helper "verbatim foo bar" && diff --git a/meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch b/meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch new file mode 100644 index 0000000000..6135b00737 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2024-50349-0002.patch @@ -0,0 +1,321 @@ +From 7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Wed, 30 Oct 2024 13:26:10 +0100 +Subject: [PATCH] credential: sanitize the user prompt + +When asking the user interactively for credentials, we want to avoid +misleading them e.g. via control sequences that pretend that the URL +targets a trusted host when it does not. + +While Git learned, over the course of the preceding commits, to disallow +URLs containing URL-encoded control characters by default, credential +helpers are still allowed to specify values very freely (apart from Line +Feed and NUL characters, anything is allowed), and this would allow, +say, a username containing control characters to be specified that would +then be displayed in the interactive terminal prompt asking the user for +the password, potentially sending those control characters directly to +the terminal. This is undesirable because control characters can be used +to mislead users to divulge secret information to untrusted sites. + +To prevent such an attack vector, let's add a `git_prompt()` that forces +the displayed text to be sanitized, i.e. displaying question marks +instead of control characters. + +Note: While this commit's diff changes a lot of `user@host` strings to +`user%40host`, which may look suspicious on the surface, there is a good +reason for that: this string specifies a user name, not a +@ combination! In the context of t5541, the actual +combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these +string replacements document a net improvement introduced by this +commit, as `user@host@127.0.0.1` could have left readers wondering where +the user name ends and where the host name begins. + +Hinted-at-by: Jeff King +Signed-off-by: Johannes Schindelin + +Upstream-Status: Backport [https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8] +CVE: CVE-2024-50349 +Signed-off-by: Vijay Anusuri +--- + Documentation/config/credential.txt | 6 ++++++ + credential.c | 7 ++++++- + credential.h | 4 +++- + t/t0300-credentials.sh | 20 ++++++++++++++++++++ + t/t5541-http-push-smart.sh | 6 +++--- + t/t5550-http-fetch-dumb.sh | 14 +++++++------- + t/t5551-http-fetch-smart.sh | 16 ++++++++-------- + 7 files changed, 53 insertions(+), 20 deletions(-) + +diff --git a/Documentation/config/credential.txt b/Documentation/config/credential.txt +index 512f318..fd8113d 100644 +--- a/Documentation/config/credential.txt ++++ b/Documentation/config/credential.txt +@@ -14,6 +14,12 @@ credential.useHttpPath:: + or https URL to be important. Defaults to false. See + linkgit:gitcredentials[7] for more information. + ++credential.sanitizePrompt:: ++ By default, user names and hosts that are shown as part of the ++ password prompt are not allowed to contain control characters (they ++ will be URL-encoded by default). Configure this setting to `false` to ++ override that behavior. ++ + credential.username:: + If no username is set for a network authentication, use this username + by default. See credential..* below, and +diff --git a/credential.c b/credential.c +index 195556d..a071ead 100644 +--- a/credential.c ++++ b/credential.c +@@ -66,6 +66,8 @@ static int credential_config_callback(const char *var, const char *value, + } + else if (!strcmp(key, "usehttppath")) + c->use_http_path = git_config_bool(var, value); ++ else if (!strcmp(key, "sanitizeprompt")) ++ c->sanitize_prompt = git_config_bool(var, value); + + return 0; + } +@@ -177,7 +179,10 @@ static char *credential_ask_one(const char *what, struct credential *c, + struct strbuf prompt = STRBUF_INIT; + char *r; + +- credential_describe(c, &desc); ++ if (c->sanitize_prompt) ++ credential_format(c, &desc); ++ else ++ credential_describe(c, &desc); + if (desc.len) + strbuf_addf(&prompt, "%s for '%s': ", what, desc.buf); + else +diff --git a/credential.h b/credential.h +index f430e77..222bbf1 100644 +--- a/credential.h ++++ b/credential.h +@@ -119,7 +119,8 @@ struct credential { + configured:1, + quit:1, + use_http_path:1, +- username_from_proto:1; ++ username_from_proto:1, ++ sanitize_prompt:1; + + char *username; + char *password; +@@ -130,6 +131,7 @@ struct credential { + + #define CREDENTIAL_INIT { \ + .helpers = STRING_LIST_INIT_DUP, \ ++ .sanitize_prompt = 1, \ + } + + /* Initialize a credential structure, setting all fields to empty. */ +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh +index c13be4f..9e27499 100755 +--- a/t/t0300-credentials.sh ++++ b/t/t0300-credentials.sh +@@ -35,6 +35,10 @@ test_expect_success 'setup helper scripts' ' + test -z "$pass" || echo password=$pass + EOF + ++ write_script git-credential-cntrl-in-username <<-\EOF && ++ printf "username=\\007latrix Lestrange\\n" ++ EOF ++ + PATH="$PWD:$PATH" + ' + +@@ -731,4 +735,20 @@ test_expect_success 'credential config with partial URLs' ' + test_i18ngrep "skipping credential lookup for key" stderr + ' + ++BEL="$(printf '\007')" ++ ++test_expect_success 'interactive prompt is sanitized' ' ++ check fill cntrl-in-username <<-EOF ++ protocol=https ++ host=example.org ++ -- ++ protocol=https ++ host=example.org ++ username=${BEL}latrix Lestrange ++ password=askpass-password ++ -- ++ askpass: Password for ${SQ}https://%07latrix%20Lestrange@example.org${SQ}: ++ EOF ++' ++ + test_done +diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh +index 8ca50f8..66e7da0 100755 +--- a/t/t5541-http-push-smart.sh ++++ b/t/t5541-http-push-smart.sh +@@ -363,7 +363,7 @@ test_expect_success 'push over smart http with auth' ' + git push "$HTTPD_URL"/auth/smart/test_repo.git && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \ + log -1 --format=%s >actual && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + test_cmp expect actual + ' + +@@ -375,7 +375,7 @@ test_expect_success 'push to auth-only-for-push repo' ' + git push "$HTTPD_URL"/auth-push/smart/test_repo.git && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \ + log -1 --format=%s >actual && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + test_cmp expect actual + ' + +@@ -405,7 +405,7 @@ test_expect_success 'push into half-auth-complete requires password' ' + git push "$HTTPD_URL/half-auth-complete/smart/half-auth.git" && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" \ + log -1 --format=%s >actual && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + test_cmp expect actual + ' + +diff --git a/t/t5550-http-fetch-dumb.sh b/t/t5550-http-fetch-dumb.sh +index 2592039..fed22e5 100755 +--- a/t/t5550-http-fetch-dumb.sh ++++ b/t/t5550-http-fetch-dumb.sh +@@ -95,13 +95,13 @@ test_expect_success 'http auth can use user/pass in URL' ' + test_expect_success 'http auth can use just user in URL' ' + set_askpass wrong pass@host && + git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-pass && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'http auth can request both user and pass' ' + set_askpass user@host pass@host && + git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-both && +- expect_askpass both user@host ++ expect_askpass both user%40host + ' + + test_expect_success 'http auth respects credential helper config' ' +@@ -119,14 +119,14 @@ test_expect_success 'http auth can get username from config' ' + test_config_global "credential.$HTTPD_URL.username" user@host && + set_askpass wrong pass@host && + git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-user && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'configured username does not override URL' ' + test_config_global "credential.$HTTPD_URL.username" wrong && + set_askpass wrong pass@host && + git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-user2 && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'set up repo with http submodules' ' +@@ -147,7 +147,7 @@ test_expect_success 'cmdline credential config passes to submodule via clone' ' + set_askpass wrong pass@host && + git -c "credential.$HTTPD_URL.username=user@host" \ + clone --recursive super super-clone && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'cmdline credential config passes submodule via fetch' ' +@@ -158,7 +158,7 @@ test_expect_success 'cmdline credential config passes submodule via fetch' ' + git -C super-clone \ + -c "credential.$HTTPD_URL.username=user@host" \ + fetch --recurse-submodules && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'cmdline credential config passes submodule update' ' +@@ -175,7 +175,7 @@ test_expect_success 'cmdline credential config passes submodule update' ' + git -C super-clone \ + -c "credential.$HTTPD_URL.username=user@host" \ + submodule update && +- expect_askpass pass user@host ++ expect_askpass pass user%40host + ' + + test_expect_success 'fetch changes via http' ' +diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh +index f92c79c..53a21f6 100755 +--- a/t/t5551-http-fetch-smart.sh ++++ b/t/t5551-http-fetch-smart.sh +@@ -142,7 +142,7 @@ test_expect_success 'clone from password-protected repository' ' + echo two >expect && + set_askpass user@host pass@host && + git clone --bare "$HTTPD_URL/auth/smart/repo.git" smart-auth && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + git --git-dir=smart-auth log -1 --format=%s >actual && + test_cmp expect actual + ' +@@ -160,7 +160,7 @@ test_expect_success 'clone from auth-only-for-objects repository' ' + echo two >expect && + set_askpass user@host pass@host && + git clone --bare "$HTTPD_URL/auth-fetch/smart/repo.git" half-auth && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + git --git-dir=half-auth log -1 --format=%s >actual && + test_cmp expect actual + ' +@@ -185,14 +185,14 @@ test_expect_success 'redirects send auth to new location' ' + set_askpass user@host pass@host && + git -c credential.useHttpPath=true \ + clone $HTTPD_URL/smart-redir-auth/repo.git repo-redir-auth && +- expect_askpass both user@host auth/smart/repo.git ++ expect_askpass both user%40host auth/smart/repo.git + ' + + test_expect_success 'GIT_TRACE_CURL redacts auth details' ' + rm -rf redact-auth trace && + set_askpass user@host pass@host && + GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + + # Ensure that there is no "Basic" followed by a base64 string, but that + # the auth details are redacted +@@ -204,7 +204,7 @@ test_expect_success 'GIT_CURL_VERBOSE redacts auth details' ' + rm -rf redact-auth trace && + set_askpass user@host pass@host && + GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + + # Ensure that there is no "Basic" followed by a base64 string, but that + # the auth details are redacted +@@ -217,7 +217,7 @@ test_expect_success 'GIT_TRACE_CURL does not redact auth details if GIT_TRACE_RE + set_askpass user@host pass@host && + GIT_TRACE_REDACT=0 GIT_TRACE_CURL="$(pwd)/trace" \ + git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + + grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace + ' +@@ -524,7 +524,7 @@ test_expect_success 'http auth remembers successful credentials' ' + # the first request prompts the user... + set_askpass user@host pass@host && + git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null && +- expect_askpass both user@host && ++ expect_askpass both user%40host && + + # ...and the second one uses the stored value rather than + # prompting the user. +@@ -555,7 +555,7 @@ test_expect_success 'http auth forgets bogus credentials' ' + # us to prompt the user again. + set_askpass user@host pass@host && + git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null && +- expect_askpass both user@host ++ expect_askpass both user%40host + ' + + test_expect_success 'client falls back from v2 to v0 to match server' ' +-- +2.25.1 + diff --git a/meta/recipes-devtools/git/git/CVE-2024-52006.patch b/meta/recipes-devtools/git/git/CVE-2024-52006.patch new file mode 100644 index 0000000000..403f9752b7 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2024-52006.patch @@ -0,0 +1,165 @@ +From b01b9b81d36759cdcd07305e78765199e1bc2060 Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Mon, 4 Nov 2024 14:48:22 +0100 +Subject: [PATCH] credential: disallow Carriage Returns in the protocol by + default + +While Git has documented that the credential protocol is line-based, +with newlines as terminators, the exact shape of a newline has not been +documented. + +From Git's perspective, which is firmly rooted in the Linux ecosystem, +it is clear that "a newline" means a Line Feed character. + +However, even Git's credential protocol respects Windows line endings +(a Carriage Return character followed by a Line Feed character, "CR/LF") +by virtue of using `strbuf_getline()`. + +There is a third category of line endings that has been used originally +by MacOS, and that is respected by the default line readers of .NET and +node.js: bare Carriage Returns. + +Git cannot handle those, and what is worse: Git's remedy against +CVE-2020-5260 does not catch when credential helpers are used that +interpret bare Carriage Returns as newlines. + +Git Credential Manager addressed this as CVE-2024-50338, but other +credential helpers may still be vulnerable. So let's not only disallow +Line Feed characters as part of the values in the credential protocol, +but also disallow Carriage Return characters. + +In the unlikely event that a credential helper relies on Carriage +Returns in the protocol, introduce an escape hatch via the +`credential.protectProtocol` config setting. + +This addresses CVE-2024-52006. + +Signed-off-by: Johannes Schindelin + +Upstream-Status: Backport [https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060] +CVE: CVE-2024-52006 +Signed-off-by: Vijay Anusuri +--- + Documentation/config/credential.txt | 5 +++++ + credential.c | 19 +++++++++++++------ + credential.h | 4 +++- + t/t0300-credentials.sh | 16 ++++++++++++++++ + 4 files changed, 37 insertions(+), 7 deletions(-) + +diff --git a/Documentation/config/credential.txt b/Documentation/config/credential.txt +index fd8113d..9cadca7 100644 +--- a/Documentation/config/credential.txt ++++ b/Documentation/config/credential.txt +@@ -20,6 +20,11 @@ credential.sanitizePrompt:: + will be URL-encoded by default). Configure this setting to `false` to + override that behavior. + ++credential.protectProtocol:: ++ By default, Carriage Return characters are not allowed in the protocol ++ that is used when Git talks to a credential helper. This setting allows ++ users to override this default. ++ + credential.username:: + If no username is set for a network authentication, use this username + by default. See credential..* below, and +diff --git a/credential.c b/credential.c +index a071ead..b427d55 100644 +--- a/credential.c ++++ b/credential.c +@@ -68,6 +68,8 @@ static int credential_config_callback(const char *var, const char *value, + c->use_http_path = git_config_bool(var, value); + else if (!strcmp(key, "sanitizeprompt")) + c->sanitize_prompt = git_config_bool(var, value); ++ else if (!strcmp(key, "protectprotocol")) ++ c->protect_protocol = git_config_bool(var, value); + + return 0; + } +@@ -255,7 +257,8 @@ int credential_read(struct credential *c, FILE *fp) + return 0; + } + +-static void credential_write_item(FILE *fp, const char *key, const char *value, ++static void credential_write_item(const struct credential *c, ++ FILE *fp, const char *key, const char *value, + int required) + { + if (!value && required) +@@ -264,16 +267,20 @@ static void credential_write_item(FILE *fp, const char *key, const char *value, + return; + if (strchr(value, '\n')) + die("credential value for %s contains newline", key); ++ if (c->protect_protocol && strchr(value, '\r')) ++ die("credential value for %s contains carriage return\n" ++ "If this is intended, set `credential.protectProtocol=false`", ++ key); + fprintf(fp, "%s=%s\n", key, value); + } + + void credential_write(const struct credential *c, FILE *fp) + { +- credential_write_item(fp, "protocol", c->protocol, 1); +- credential_write_item(fp, "host", c->host, 1); +- credential_write_item(fp, "path", c->path, 0); +- credential_write_item(fp, "username", c->username, 0); +- credential_write_item(fp, "password", c->password, 0); ++ credential_write_item(c, fp, "protocol", c->protocol, 1); ++ credential_write_item(c, fp, "host", c->host, 1); ++ credential_write_item(c, fp, "path", c->path, 0); ++ credential_write_item(c, fp, "username", c->username, 0); ++ credential_write_item(c, fp, "password", c->password, 0); + } + + static int run_credential_helper(struct credential *c, +diff --git a/credential.h b/credential.h +index 222bbf1..b4b837c 100644 +--- a/credential.h ++++ b/credential.h +@@ -120,7 +120,8 @@ struct credential { + quit:1, + use_http_path:1, + username_from_proto:1, +- sanitize_prompt:1; ++ sanitize_prompt:1, ++ protect_protocol:1; + + char *username; + char *password; +@@ -132,6 +133,7 @@ struct credential { + #define CREDENTIAL_INIT { \ + .helpers = STRING_LIST_INIT_DUP, \ + .sanitize_prompt = 1, \ ++ .protect_protocol = 1, \ + } + + /* Initialize a credential structure, setting all fields to empty. */ +diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh +index 9e27499..ca158fe 100755 +--- a/t/t0300-credentials.sh ++++ b/t/t0300-credentials.sh +@@ -626,6 +626,22 @@ test_expect_success 'url parser rejects embedded newlines' ' + test_cmp expect stderr + ' + ++test_expect_success 'url parser rejects embedded carriage returns' ' ++ test_config credential.helper "!true" && ++ test_must_fail git credential fill 2>stderr <<-\EOF && ++ url=https://example%0d.com/ ++ EOF ++ cat >expect <<-\EOF && ++ fatal: credential value for host contains carriage return ++ If this is intended, set `credential.protectProtocol=false` ++ EOF ++ test_cmp expect stderr && ++ GIT_ASKPASS=true \ ++ git -c credential.protectProtocol=false credential fill <<-\EOF ++ url=https://example%0d.com/ ++ EOF ++' ++ + test_expect_success 'host-less URLs are parsed as empty host' ' + check fill "verbatim foo bar" <<-\EOF + url=cert:///path/to/cert.pem +-- +2.25.1 + diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 94352d38ef..765180a38d 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb @@ -23,6 +23,9 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://CVE-2024-32021-0001.patch \ file://CVE-2024-32021-0002.patch \ file://CVE-2024-32465.patch \ + file://CVE-2024-50349-0001.patch \ + file://CVE-2024-50349-0002.patch \ + file://CVE-2024-52006.patch \ " S = "${WORKDIR}/git-${PV}" From patchwork Tue Jun 10 19:38:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64781 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 34EE9C71130 for ; Tue, 10 Jun 2025 19:39:00 +0000 (UTC) Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) by mx.groups.io with SMTP id smtpd.web10.96542.1749584332232033172 for ; Tue, 10 Jun 2025 12:38:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vz0Tfd9e; spf=softfail (domain: sakoman.com, ip: 209.85.215.175, mailfrom: steve@sakoman.com) Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-af6a315b491so4806167a12.1 for ; Tue, 10 Jun 2025 12:38:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584331; x=1750189131; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JC79uzMV+j5sdbZdVsrLPDhtUDRz1rYLqEVZFVqxS6E=; b=vz0Tfd9exOOODkFdCjycWw6yWx/REHn1WQk2r+4JfEDa3xwavZ5ERbPy8QHI1jLbSD Lt2wdCYKaruQiknovPyp32tN3Gxjj80B/ZyjTUTh5nOoaZvqz05W07bstfBsNp8sND4S 0lhrIiF19vfrDgokluYwN9EMVJW4H1qsXJHE1hgy/kwOobzGcyrx0vpVgY5UP+no9rIT LGyKJ5bO3hfm7jEf59S1vhGWrioNoR6cD/HNF9ZStvo6u+FPyuNGrErj97xzT+oxNm1D nvUKSpqHKD6+9e8O+ukof+ScZo09psx6zoZZ9xAzQAXX7CBzCbh8UFKZ/Hu2dBuyZwfI hqIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584331; x=1750189131; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JC79uzMV+j5sdbZdVsrLPDhtUDRz1rYLqEVZFVqxS6E=; b=FQ5KWpO3mIsr3sg+qbq6r+Hh8VkBbN8JpuXrRCbTrN8yy2sjgTN0X9ul9d0grhq1Zi 83KPbDxUk1c9mh1BZ9IdLhD5hA5QlGZ3psoElCIndieaDQ2YTQwKhk9iMiWloUPgebe6 vydgRelcMMbs5ak4yRNnAqdw1A6ePxCsTod4XluH0mUPXWMmDjDo6LxOfwrPxZ/M4V/S uoINLYh78ZpLP66BDEXygbHhO7OwTEvmZWjHG+WQLTCGF5zdk+23MIfv8l+qojoId8rU BwfYyKQHiM2OdG5EH2rx7y4DdfXnqt8A9q4G0uYtIQ2f/czr04ML0GEEplibZvWvz3Mv AA3A== X-Gm-Message-State: AOJu0Yxx2gKp7f5DJ0UwXaZCpJub1yiH93LuM1wfrsPV6nWrH1upaeT3 qCoKbD4E7gEseYCLavQSnxTo3Ko8I3vdiZI/bF1+ZmecVSyHWz5Erb/5Bzi+6SO1EJdvuZh9k5H NIhLT X-Gm-Gg: ASbGncv0gRN220HvEgQIxDNBqPF0IL6L1ijm9wEgDoHo1TWqTQgoCHTOSi1MTpvMhyo ayY6Z654I1bJvek5VUFuQQT2pNWzcpYqFkNMvXW74ccBrN817GhmzASROXu18CeG/tUPl3WMUyT sMmC3Jfz/27mM1sew1BKJPGkHViqml1Ixz8vl7pnykCCStRq82iz/u/H8m1nS9XX6ANjxGBdM4U xgvcSRarnSU7IddEMouF0j+jOIDNUVzxikhzdvP41GnUFhjFiUo6EfSKAtLWyHJqAXVv5b3u47D aTYzZTBoaz4w1zzOKnae6BbkRDC0g352Lxpw1EwgbkOr8dCUnk869g== X-Google-Smtp-Source: AGHT+IFUeryogNDnEnxqXaFpSfb0G1Ua4w8zjvV00nzmFEO0IzjTLiF6V9I9SycH8AwcBbor52Efvw== X-Received: by 2002:a05:6a21:3286:b0:21f:5b6f:36d5 with SMTP id adf61e73a8af0-21f88fd47a2mr41867637.10.1749584330933; Tue, 10 Jun 2025 12:38:50 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:50 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/15] python3: upgrade 3.10.16 -> 3.10.18 Date: Tue, 10 Jun 2025 12:38:20 -0700 Message-ID: <838a8b5ca148dfa6c6c2c76f1705d1e358a31648.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:39:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218435 From: Peter Marko Drop upstreamed patch and refresh remaining patches. * https://www.python.org/downloads/release/python-31017/ Security content in this release * gh-131809: Upgrade vendored expat to 2.7.1 * gh-80222: Folding of quoted string in display_name violates RFC * gh-121284: Invalid RFC 2047 address header after refolding with email.policy.default * gh-131261: Update libexpat to 2.7.0 * gh-105704: CVE-2025-0938 urlparse does not flag hostname containing [ or ] as incorrect * gh-119511: OOM vulnerability in the imaplib module * https://www.python.org/downloads/release/python-31018/ Security content in this release * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. gh-133767 got meawhile CVE-2025-4516 assigned. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...ib-termcap-to-linker-flags-to-avoid-.patch | 2 +- ...hell-version-of-python-config-that-w.patch | 2 +- ...file-do-not-compile-.pyc-in-parallel.patch | 2 +- ...sts-due-to-load-variability-on-YP-AB.patch | 6 +- ...e-treat-overflow-in-UID-GID-as-failu.patch | 2 +- ...asename-to-replace-CC-for-checking-c.patch | 16 +-- ...detect-multiarch-paths-when-cross-co.patch | 2 +- ...orlines-skip-due-to-load-variability.patch | 2 +- ...report-missing-dependencies-for-disa.patch | 2 +- ...up.py-do-not-add-a-curses-include-pa.patch | 4 +- .../python/python3/CVE-2025-0938.patch | 131 ------------------ .../python3/avoid_warning_about_tkinter.patch | 2 +- .../python/python3/makerace.patch | 2 +- ...{python3_3.10.16.bb => python3_3.10.18.bb} | 3 +- 14 files changed, 23 insertions(+), 155 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-0938.patch rename meta/recipes-devtools/python/{python3_3.10.16.bb => python3_3.10.18.bb} (99%) diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch b/meta/recipes-devtools/python/python3/0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch index 62ef6efc28..47637d24d8 100644 --- a/meta/recipes-devtools/python/python3/0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch +++ b/meta/recipes-devtools/python/python3/0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch @@ -15,7 +15,7 @@ diff --git a/setup.py b/setup.py index 43e807f..11b5cf5 100644 --- a/setup.py +++ b/setup.py -@@ -1149,7 +1149,6 @@ class PyBuildExt(build_ext): +@@ -1153,7 +1153,6 @@ class PyBuildExt(build_ext): 'termcap'): readline_libs.append('termcap') self.add(Extension('readline', ['readline.c'], diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch index d98f243cb1..c74a1c58a1 100644 --- a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch +++ b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch @@ -18,7 +18,7 @@ diff --git a/Makefile.pre.in b/Makefile.pre.in index ee85f35..f0aedb7 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -1640,12 +1640,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh +@@ -1641,12 +1641,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh sed -e "s,@EXENAME@,$(BINDIR)/python$(LDVERSION)$(EXE)," < $(srcdir)/Misc/python-config.in >python-config.py @ # Replace makefile compat. variable references with shell script compat. ones; $(VAR) -> ${VAR} LC_ALL=C sed -e 's,\$$(\([A-Za-z0-9_]*\)),\$$\{\1\},g' < Misc/python-config.sh >python-config diff --git a/meta/recipes-devtools/python/python3/0001-Makefile-do-not-compile-.pyc-in-parallel.patch b/meta/recipes-devtools/python/python3/0001-Makefile-do-not-compile-.pyc-in-parallel.patch index 2f037ecb09..88ba84d64d 100644 --- a/meta/recipes-devtools/python/python3/0001-Makefile-do-not-compile-.pyc-in-parallel.patch +++ b/meta/recipes-devtools/python/python3/0001-Makefile-do-not-compile-.pyc-in-parallel.patch @@ -26,7 +26,7 @@ diff --git a/Makefile.pre.in b/Makefile.pre.in index edd70d4..5e13ba2 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -1601,30 +1601,30 @@ libinstall: build_all $(srcdir)/Modules/xxmodule.c +@@ -1602,30 +1602,30 @@ libinstall: build_all $(srcdir)/Modules/xxmodule.c fi -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ $(PYTHON_FOR_BUILD) -Wi $(DESTDIR)$(LIBDEST)/compileall.py \ diff --git a/meta/recipes-devtools/python/python3/0001-Skip-failing-tests-due-to-load-variability-on-YP-AB.patch b/meta/recipes-devtools/python/python3/0001-Skip-failing-tests-due-to-load-variability-on-YP-AB.patch index 96c5a3c840..07ab4ed540 100644 --- a/meta/recipes-devtools/python/python3/0001-Skip-failing-tests-due-to-load-variability-on-YP-AB.patch +++ b/meta/recipes-devtools/python/python3/0001-Skip-failing-tests-due-to-load-variability-on-YP-AB.patch @@ -20,7 +20,7 @@ diff --git a/Lib/test/_test_multiprocessing.py b/Lib/test/_test_multiprocessing. index 3bc5b8f..a6e106d 100644 --- a/Lib/test/_test_multiprocessing.py +++ b/Lib/test/_test_multiprocessing.py -@@ -568,6 +568,7 @@ class _TestProcess(BaseTestCase): +@@ -575,6 +575,7 @@ class _TestProcess(BaseTestCase): close_queue(q) @@ -28,7 +28,7 @@ index 3bc5b8f..a6e106d 100644 def test_many_processes(self): if self.TYPE == 'threads': self.skipTest('test not appropriate for {}'.format(self.TYPE)) -@@ -4817,6 +4818,7 @@ class TestWait(unittest.TestCase): +@@ -4829,6 +4830,7 @@ class TestWait(unittest.TestCase): sem.release() time.sleep(period) @@ -40,7 +40,7 @@ diff --git a/Lib/test/test_time.py b/Lib/test/test_time.py index 875615a..aebaa8c 100644 --- a/Lib/test/test_time.py +++ b/Lib/test/test_time.py -@@ -474,6 +474,7 @@ class TimeTestCase(unittest.TestCase): +@@ -475,6 +475,7 @@ class TimeTestCase(unittest.TestCase): def test_perf_counter(self): time.perf_counter() diff --git a/meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch b/meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch index 88b84c6024..e6d7778ccd 100644 --- a/meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch +++ b/meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch @@ -16,7 +16,7 @@ diff --git a/Lib/tarfile.py b/Lib/tarfile.py index 3bbbcaa..473167d 100755 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py -@@ -2557,7 +2557,8 @@ class TarFile(object): +@@ -2675,7 +2675,8 @@ class TarFile(object): os.lchown(targetpath, u, g) else: os.chown(targetpath, u, g) diff --git a/meta/recipes-devtools/python/python3/0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch b/meta/recipes-devtools/python/python3/0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch index 6bb85fcb34..49c918b3b0 100644 --- a/meta/recipes-devtools/python/python3/0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch +++ b/meta/recipes-devtools/python/python3/0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch @@ -47,7 +47,7 @@ index 0c06914..299786b 100644 gcc) AC_PATH_TOOL(CXX, [g++], [g++], [notfound]) ;; cc) AC_PATH_TOOL(CXX, [c++], [c++], [notfound]) ;; clang|*/clang) AC_PATH_TOOL(CXX, [clang++], [clang++], [notfound]) ;; -@@ -976,7 +977,7 @@ rmdir CaseSensitiveTestDir +@@ -981,7 +982,7 @@ rmdir CaseSensitiveTestDir case $ac_sys_system in hp*|HP*) @@ -56,7 +56,7 @@ index 0c06914..299786b 100644 cc|*/cc) CC="$CC -Ae";; esac;; esac -@@ -1374,7 +1375,7 @@ else +@@ -1379,7 +1380,7 @@ else fi], [AC_MSG_RESULT(no)]) if test "$Py_LTO" = 'true' ; then @@ -65,7 +65,7 @@ index 0c06914..299786b 100644 *clang*) AC_SUBST(LLVM_AR) AC_PATH_TOOL(LLVM_AR, llvm-ar, '', ${llvm_path}) -@@ -1467,7 +1468,7 @@ then +@@ -1472,7 +1473,7 @@ then fi fi LLVM_PROF_ERR=no @@ -74,7 +74,7 @@ index 0c06914..299786b 100644 *clang*) # Any changes made here should be reflected in the GCC+Darwin case below PGO_PROF_GEN_FLAG="-fprofile-instr-generate" -@@ -1528,7 +1529,7 @@ esac +@@ -1533,7 +1534,7 @@ esac # compiler and platform. BASECFLAGS tweaks need to be made even if the # user set OPT. @@ -83,7 +83,7 @@ index 0c06914..299786b 100644 *clang*) cc_is_clang=1 ;; -@@ -1664,7 +1665,7 @@ yes) +@@ -1669,7 +1670,7 @@ yes) # ICC doesn't recognize the option, but only emits a warning ## XXX does it emit an unused result warning and can it be disabled? @@ -92,7 +92,7 @@ index 0c06914..299786b 100644 *icc*) ac_cv_disable_unused_result_warning=no ;; -@@ -2018,7 +2019,7 @@ yes) +@@ -2023,7 +2024,7 @@ yes) ;; esac @@ -101,7 +101,7 @@ index 0c06914..299786b 100644 *icc*) # ICC needs -fp-model strict or floats behave badly CFLAGS_NODIST="$CFLAGS_NODIST -fp-model strict" -@@ -2836,7 +2837,7 @@ then +@@ -2841,7 +2842,7 @@ then then LINKFORSHARED="-Wl,--export-dynamic" fi;; @@ -110,7 +110,7 @@ index 0c06914..299786b 100644 *gcc*) if $CC -Xlinker --help 2>&1 | grep export-dynamic >/dev/null then -@@ -5622,7 +5623,7 @@ if test "$have_gcc_asm_for_x87" = yes; then +@@ -5628,7 +5629,7 @@ if test "$have_gcc_asm_for_x87" = yes; then # Some versions of gcc miscompile inline asm: # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46491 # http://gcc.gnu.org/ml/gcc/2010-11/msg00366.html diff --git a/meta/recipes-devtools/python/python3/0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch b/meta/recipes-devtools/python/python3/0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch index 1844e0efa3..0e243325c7 100644 --- a/meta/recipes-devtools/python/python3/0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch +++ b/meta/recipes-devtools/python/python3/0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch @@ -27,7 +27,7 @@ diff --git a/setup.py b/setup.py index 2e7f263..f7a3d39 100644 --- a/setup.py +++ b/setup.py -@@ -840,7 +840,8 @@ class PyBuildExt(build_ext): +@@ -839,7 +839,8 @@ class PyBuildExt(build_ext): # only change this for cross builds for 3.3, issues on Mageia if CROSS_COMPILING: self.add_cross_compiling_paths() diff --git a/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch b/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch index 199031d42a..20d125963f 100644 --- a/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch +++ b/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch @@ -19,7 +19,7 @@ diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index 082a90d46b..508814d56a 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py -@@ -629,6 +629,7 @@ def test_storbinary_rest(self): +@@ -629,6 +629,7 @@ class TestFTPClass(TestCase): self.client.storbinary('stor', f, rest=r) self.assertEqual(self.server.handler_instance.rest, str(r)) diff --git a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch index 8c554feb4b..025239df1d 100644 --- a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch +++ b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -23,7 +23,7 @@ diff --git a/setup.py b/setup.py index 85a2b26357..7605347bf5 100644 --- a/setup.py +++ b/setup.py -@@ -517,6 +517,14 @@ def print_three_column(lst): +@@ -517,6 +517,14 @@ class PyBuildExt(build_ext): print("%-*s %-*s %-*s" % (longest, e, longest, f, longest, g)) diff --git a/meta/recipes-devtools/python/python3/0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch b/meta/recipes-devtools/python/python3/0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch index 30d2906439..78295e6791 100644 --- a/meta/recipes-devtools/python/python3/0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch +++ b/meta/recipes-devtools/python/python3/0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch @@ -21,7 +21,7 @@ diff --git a/configure.ac b/configure.ac index e5e3df8..bfdd987 100644 --- a/configure.ac +++ b/configure.ac -@@ -5092,12 +5092,6 @@ then +@@ -5097,12 +5097,6 @@ then [Define if you have struct stat.st_mtimensec]) fi @@ -38,7 +38,7 @@ diff --git a/setup.py b/setup.py index 62f0e18..c190002 100644 --- a/setup.py +++ b/setup.py -@@ -1169,8 +1169,6 @@ class PyBuildExt(build_ext): +@@ -1173,8 +1173,6 @@ class PyBuildExt(build_ext): panel_library = 'panel' if curses_library == 'ncursesw': curses_defines.append(('HAVE_NCURSESW', '1')) diff --git a/meta/recipes-devtools/python/python3/CVE-2025-0938.patch b/meta/recipes-devtools/python/python3/CVE-2025-0938.patch deleted file mode 100644 index 5730008f4b..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2025-0938.patch +++ /dev/null @@ -1,131 +0,0 @@ -From b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Wed, 19 Feb 2025 14:36:23 +0100 -Subject: [PATCH] [3.10] gh-105704: Disallow square brackets (`[` and `]`) in - domain names for parsed URLs (GH-129418) (#129529) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Peter Bierma -Co-authored-by: Łukasz Langa - -CVE: CVE-2025-0938 -Upstream-Status: Backport [https://github.com/python/cpython/commit/b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab] -Signed-off-by: Peter Marko ---- - Lib/test/test_urlparse.py | 37 ++++++++++++++++++- - Lib/urllib/parse.py | 20 +++++++++- - ...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 ++ - 3 files changed, 58 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst - -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index f2ffc452e5..280644ef0b 100644 ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -1149,16 +1149,51 @@ class UrlParseTestCase(unittest.TestCase): - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix') - - def test_splitting_bracketed_hosts(self): -- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query') -+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query') - self.assertEqual(p1.hostname, 'v6a.ip') - self.assertEqual(p1.username, 'user') - self.assertEqual(p1.path, '/path') -+ self.assertEqual(p1.port, 1234) - p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query') - self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test') - self.assertEqual(p2.username, 'user') - self.assertEqual(p2.path, '/path') -+ self.assertIs(p2.port, None) - p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query') - self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test') - self.assertEqual(p3.username, 'user') -diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index 07e3248504..e1ee36d98e 100644 ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -442,6 +442,23 @@ def _checknetloc(netloc): - raise ValueError("netloc '" + netloc + "' contains invalid " + - "characters under NFKC normalization") - -+def _check_bracketed_netloc(netloc): -+ # Note that this function must mirror the splitting -+ # done in NetlocResultMixins._hostinfo(). -+ hostname_and_port = netloc.rpartition('@')[2] -+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[') -+ if have_open_br: -+ # No data is allowed before a bracket. -+ if before_bracket: -+ raise ValueError("Invalid IPv6 URL") -+ hostname, _, port = bracketed.partition(']') -+ # No data is allowed after the bracket but before the port delimiter. -+ if port and not port.startswith(":"): -+ raise ValueError("Invalid IPv6 URL") -+ else: -+ hostname, _, port = hostname_and_port.partition(':') -+ _check_bracketed_host(hostname) -+ - # Valid bracketed hosts are defined in - # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/ - def _check_bracketed_host(hostname): -@@ -505,8 +522,7 @@ def urlsplit(url, scheme='', allow_fragments=True): - (']' in netloc and '[' not in netloc)): - raise ValueError("Invalid IPv6 URL") - if '[' in netloc and ']' in netloc: -- bracketed_host = netloc.partition('[')[2].partition(']')[0] -- _check_bracketed_host(bracketed_host) -+ _check_bracketed_netloc(netloc) - if allow_fragments and '#' in url: - url, fragment = url.split('#', 1) - if '?' in url: -diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst -new file mode 100644 -index 0000000000..bff1bc6b0d ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst -@@ -0,0 +1,4 @@ -+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host -+parsing would not reject domain names containing square brackets (``[`` and -+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to -+`RFC 3986 Section 3.2.2 `__. diff --git a/meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch b/meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch index 2de72b7199..3b4b170f7f 100644 --- a/meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch +++ b/meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch @@ -18,7 +18,7 @@ diff --git a/setup.py b/setup.py index 11b5cf5..2be4738 100644 --- a/setup.py +++ b/setup.py -@@ -1895,8 +1895,8 @@ class PyBuildExt(build_ext): +@@ -1902,8 +1902,8 @@ class PyBuildExt(build_ext): self.detect_decimal() self.detect_ctypes() self.detect_multiprocessing() diff --git a/meta/recipes-devtools/python/python3/makerace.patch b/meta/recipes-devtools/python/python3/makerace.patch index 2c06784ffc..cfcc798c05 100644 --- a/meta/recipes-devtools/python/python3/makerace.patch +++ b/meta/recipes-devtools/python/python3/makerace.patch @@ -21,7 +21,7 @@ diff --git a/Makefile.pre.in b/Makefile.pre.in index 5e13ba2..026bffd 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -1527,7 +1527,7 @@ TESTSUBDIRS= ctypes/test \ +@@ -1528,7 +1528,7 @@ TESTSUBDIRS= ctypes/test \ unittest/test unittest/test/testmock TEST_MODULES=@TEST_MODULES@ diff --git a/meta/recipes-devtools/python/python3_3.10.16.bb b/meta/recipes-devtools/python/python3_3.10.18.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.10.16.bb rename to meta/recipes-devtools/python/python3_3.10.18.bb index 932791f38d..0b57a0ebee 100644 --- a/meta/recipes-devtools/python/python3_3.10.16.bb +++ b/meta/recipes-devtools/python/python3_3.10.18.bb @@ -37,7 +37,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ file://0001-test_storlines-skip-due-to-load-variability.patch \ file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \ - file://CVE-2025-0938.patch \ " SRC_URI:append:class-native = " \ @@ -46,7 +45,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "bfb249609990220491a1b92850a07135ed0831e41738cf681d63cf01b2a8fbd1" +SRC_URI[sha256sum] = "ae665bc678abd9ab6a6e1573d2481625a53719bc517e9a634ed2b9fefae3817f" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" From patchwork Tue Jun 10 19:38:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 64782 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FA76C677C4 for ; Tue, 10 Jun 2025 19:39:00 +0000 (UTC) Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by mx.groups.io with SMTP id smtpd.web10.96543.1749584333271668620 for ; Tue, 10 Jun 2025 12:38:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=rsZRWBrq; spf=softfail (domain: sakoman.com, ip: 209.85.215.178, mailfrom: steve@sakoman.com) Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-af51596da56so4135938a12.0 for ; Tue, 10 Jun 2025 12:38:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1749584332; x=1750189132; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=k352XmtB3s9BOBQ6BWI4rjNRV6i5QhbMdTM0Ly6mS74=; b=rsZRWBrqfXHNU8icCS21GCtZfwU9Md2hoQ65gyz5F9pKV6a/GxUqRS4o9+tAdcYQQ3 qoV7LEgYehiG7qdVavxHpcdSwajhtVz/1io5NyIHdeZe41RKUABeBz4hWcyvzgRgQsSb JotNnh3H1Bkx3iRMZYL61OIMhJaop/2xVN4FRXGa7BgZI0L6aCiRvpQdRifRKWT4/ztS Y/YfzSzrlRzpVl/M2u4nZTyaHesK2Llq7l5mbdd1YZ/FPU/yKuSaGkTSkEQ7Gq442MHH OQlG5IMLh/+/f91Fw8IxcNJhTKiDI1fiXaAWFwvMCuXtogx0/4Tq0NxpGU6IU2gLZmrM IyyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749584332; x=1750189132; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=k352XmtB3s9BOBQ6BWI4rjNRV6i5QhbMdTM0Ly6mS74=; b=uoLBw8pu7AdRy5/Gva+p0nsKgScfegS+jBEFr6d90flj5nsxvBlhhJmTDliLFg6kx2 NqtzqD0FF2qTqaGklgJbXmuqmzoDfYTLuZffQYjk5O0sqXQ9xK6O35eYYnIiJF8naELu eatsYkFpHGHqxDF6XuuEE/Mc9HiSpqB31QQ+T3CP1QPNsFygXucTQa86k6YQHGlgRuEe e4l+CAiDOJpX7/701QD5/CUmpfAbkgQRhpv7CIRB22C3mQ9VcIT5qKHU/lQ5Y2X8+kAy KeyCLBOaMNTE3MSh4LPygtoPHnAffHGRHtfHHMlfEddJcLT2Z1Q9FMN5yx5iS3ljdERo JA7Q== X-Gm-Message-State: AOJu0Ywe8GbiRBZVXQNmf4DDLCbqe6fxNgmFmwSq5ltv6nPsY2dMbdvW JzFINQ2N/nLYc++GDGgGh8h1BeWsLmZMy+ZloN41ghrBGXsEB4u2AxiInS4AuualRZK9jdUerGl sPx5H X-Gm-Gg: ASbGncsF4ni9pmMpZVXILcqEOFvgPFn1VEGl/feRuPzJQ19lsayPAUehlZjUDO2609q FrSfpYO8VtjIbwQSq7RhOyt5C1a8JhKNyCFVPGfKh0EkcFAfaVXa/WPghT9y/gdWQ7XO28qLQSi cv7FxAIzLHtjnvXD/bQl/2dBH84hzIhVl5kYIXLtQZ0vmQmYA1TXcVu4sB9kdjhCOp6ajMAnsAR Z7rX6E74eBp5yfJ1Tcdz4uK/Wo34y54KsKHLbjgMfQMPioEch0H59yRl0lxGEtobe5dmYjKk3w5 NL0sd3RDiaHaHc4gDxaBw7comdR626QI2WceQ9CAnfqK3mB1KodIUuphgpHF52AH X-Google-Smtp-Source: AGHT+IG6xgjG0nMJj6CP1Z15NZuRKlGiT7a4PgiaaJwVZYLjK+up6bGegRpKfKw6GSODERiBU36wqQ== X-Received: by 2002:a05:6a20:938e:b0:21a:de8e:44b4 with SMTP id adf61e73a8af0-21f865fa9b4mr1000411637.16.1749584332364; Tue, 10 Jun 2025 12:38:52 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:7bc4:2c75:fa51:ff16]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-b2f5f7827c0sm7198595a12.62.2025.06.10.12.38.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 12:38:52 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 15/15] kernel.bbclass: add original package name to RPROVIDES for -image and -base Date: Tue, 10 Jun 2025 12:38:21 -0700 Message-ID: <350513959f6800eef6579153c2ae95960ca24ea7.1749584149.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Jun 2025 19:39:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/218436 From: Martin Jansa * -image and -base change PKG to: PKG:${KERNEL_PACKAGE_NAME}-image = "${KERNEL_PACKAGE_NAME}-image-${@legitimize_package_name(d.getVar(KERNEL_VERSION))}" PKG:${KERNEL_PACKAGE_NAME}-base = "${KERNEL_PACKAGE_NAME}-${@legitimize_package_name(d.getVar(KERNEL_VERSION))}" * but only when debian.bbclass is inheritted they add the original package name into RPROVIDES by: https://git.openembedded.org/openembedded-core/commit/?id=3409c4379559afbb1d1d29045582995147a33bbc * fixes the build if some packagegroup or something RDEPENDS on kernel-image or kernel-base and the DISTRO doesn't inherit debian.bbclass * as shown in pkgdata: linux-raspberrypi $ egrep "^(PKG:)|(RPRO)" 6.6.36+git-*/pkgdata/runtime/kernel-image 6.6.36+git-debian/pkgdata/runtime/kernel-image:RPROVIDES:kernel-image: kernel-image (=6.6.36+git@PRSERV_PV_AUTOINC@+733366844f_769634f344) 6.6.36+git-debian/pkgdata/runtime/kernel-image:PKG:kernel-image: kernel-image-6.6.36-v8 6.6.36+git-without-debian/pkgdata/runtime/kernel-image:PKG:kernel-image: kernel-image-6.6.36-v8 linux-raspberrypi $ egrep "^(PKG:)|(RPRO)" 6.6.36+git-*/pkgdata/runtime/kernel-image-image 6.6.36+git-debian/pkgdata/runtime/kernel-image-image:RPROVIDES:kernel-image-image: kernel-image-image (=6.6.36+git@PRSERV_PV_AUTOINC@+733366844f_769634f344) 6.6.36+git-debian/pkgdata/runtime/kernel-image-image:PKG:kernel-image-image: kernel-image-image-6.6.36-v8 6.6.36+git-without-debian/pkgdata/runtime/kernel-image-image:PKG:kernel-image-image: kernel-image-image-6.6.36-v8 (From OE-Core rev: 05498781657a3f8b38b000f91594ecd78850ce47) Signed-off-by: Martin Jansa Signed-off-by: Richard Purdie (cherry picked from commit 9cb954884bc3905defa1ff533e668dea13e17cba) Signed-off-by: Jörg Sommer Signed-off-by: Steve Sakoman --- meta/classes/kernel.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index 988a489396..54fbba5b2e 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass @@ -706,9 +706,10 @@ RDEPENDS:${KERNEL_PACKAGE_NAME} = "${KERNEL_PACKAGE_NAME}-base (= ${EXTENDPKGV}) # not wanted in images as standard RRECOMMENDS:${KERNEL_PACKAGE_NAME}-base ?= "${KERNEL_PACKAGE_NAME}-image (= ${EXTENDPKGV})" PKG:${KERNEL_PACKAGE_NAME}-image = "${KERNEL_PACKAGE_NAME}-image-${@legitimize_package_name(d.getVar('KERNEL_VERSION'))}" +RPROVIDES:${KERNEL_PACKAGE_NAME}-image += "${KERNEL_PACKAGE_NAME}-image" RDEPENDS:${KERNEL_PACKAGE_NAME}-image += "${@oe.utils.conditional('KERNEL_IMAGETYPE', 'vmlinux', '${KERNEL_PACKAGE_NAME}-vmlinux (= ${EXTENDPKGV})', '', d)}" PKG:${KERNEL_PACKAGE_NAME}-base = "${KERNEL_PACKAGE_NAME}-${@legitimize_package_name(d.getVar('KERNEL_VERSION'))}" -RPROVIDES:${KERNEL_PACKAGE_NAME}-base += "${KERNEL_PACKAGE_NAME}-${KERNEL_VERSION}" +RPROVIDES:${KERNEL_PACKAGE_NAME}-base += "${KERNEL_PACKAGE_NAME}-${KERNEL_VERSION} ${KERNEL_PACKAGE_NAME}-base" ALLOW_EMPTY:${KERNEL_PACKAGE_NAME} = "1" ALLOW_EMPTY:${KERNEL_PACKAGE_NAME}-base = "1" ALLOW_EMPTY:${KERNEL_PACKAGE_NAME}-image = "1"