From patchwork Fri Jul 4 15:10:24 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 66234
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/11] libarchive: fix CVE-2025-5914
Date: Fri, 4 Jul 2025 08:10:24 -0700
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219927

From: Divya Chellam

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-5914

Upstream-patch: https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
 .../libarchive/libarchive/CVE-2025-5914.patch | 48 +++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
new file mode 100644
index 0000000000..89022b38fd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
@@ -0,0 +1,48 @@ +From 09685126fcec664e2b8ca595e1fc371bd494d209 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 11 May 2025 02:17:19 +0200 +Subject: [PATCH] rar: Fix double free with over 4 billion nodes (#2598) + +If a system is capable of handling 4 billion nodes in memory, a double +free could occur because of an unsigned integer overflow leading to a +realloc call with size argument of 0. Eventually, the client will +release that memory again, triggering a double free. + +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5914 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209] + +Signed-off-by: Divya Chellam +--- + libarchive/archive_read_support_format_rar.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 9d155c6..9eb3c84 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -335,8 +335,8 @@ struct rar + int found_first_header; + char has_endarc_header; + struct data_block_offsets *dbo; +- unsigned int cursor; +- unsigned int nodes; ++ size_t cursor; ++ size_t nodes; + char filename_must_match; + + /* LZSS members */ +@@ -1186,7 +1186,7 @@ archive_read_format_rar_seek_data(struct archive_read *a, int64_t offset, + int whence) + { + int64_t client_offset, ret; +- unsigned int i; ++ size_t i; + struct rar *rar = (struct rar *)(a->format->data); + + if (rar->compression_method == COMPRESS_METHOD_STORE) +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 4dd6794bb1..c26a14e32e 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
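Review bot: the two hunks in archive_read_support_format_rar.c only widen types (`cursor`, `nodes` and the loop index `i` go from `unsigned int` to `size_t`); no explicit bound is added where `nodes` is incremented ahead of the `realloc` the commit message describes, so the fix relies on `size_t` being wider than any node count that can actually be built in memory. That holds on 64-bit targets, and on 32-bit targets (where `size_t` is also 32 bits) an array of 4 billion `struct data_block_offsets` cannot exist in the address space, but an explicit upper bound on `nodes` with an `archive_set_error()` would make the intent visible rather than implicit in the type width. Also confirm that no other `unsigned int` local compared with or assigned from `cursor`/`nodes` remains in the file, since this backport touches only the declarations and one loop index.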
@@ -31,6 +31,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://configurehack.patch \ + file://CVE-2025-5914.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"

From patchwork Fri Jul 4 15:10:25 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 66237
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/11] libarchive: fix CVE-2025-5915
Date: Fri, 4 Jul 2025 08:10:25 -0700
Message-ID: <99fdc86ad57db4d8829a33033918cf78419977af.1751641631.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219928

From: Divya Chellam

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

Reference: https://security-tracker.debian.org/tracker/CVE-2025-5915

Upstream-patches: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
 .../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |   1 +
 2 files changed, 218 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
new file mode 100644
index 0000000000..3c911ce9d9
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
@@ -0,0 +1,217 @@ +From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 11 May 2025 19:00:11 +0200 +Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599) + +A filter block size must not be larger than the lzss window, which is +defined +by dictionary size, which in turn can be derived from unpacked file +size. + +While at it, improve error messages and fix lzss window wrap around +logic. + +Fixes https://github.com/libarchive/libarchive/issues/2565 + +--------- + +Signed-off-by: Tobias Stoeckmann +Co-authored-by: Tim Kientzle + +CVE: CVE-2025-5915 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c] + +Signed-off-by: Divya Chellam +--- + Makefile.am | 2 + + libarchive/archive_read_support_format_rar.c | 17 ++++--- + libarchive/test/CMakeLists.txt | 1 + + .../test/test_read_format_rar_overflow.c | 48 +++++++++++++++++++ + .../test/test_read_format_rar_overflow.rar.uu | 11 +++++ + 5 files changed, 72 insertions(+), 7 deletions(-) + create mode 100644 libarchive/test/test_read_format_rar_overflow.c + create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu + +diff --git a/Makefile.am b/Makefile.am +index 4fafc41..9f3a6d1 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -519,6 +519,7 @@ libarchive_test_SOURCES= \ + libarchive/test/test_read_format_rar_encryption_header.c \ + libarchive/test/test_read_format_rar_filter.c \ + libarchive/test/test_read_format_rar_invalid1.c \ ++ libarchive/test/test_read_format_rar_overflow.c \ + libarchive/test/test_read_format_rar5.c \ + libarchive/test/test_read_format_raw.c \ + libarchive/test/test_read_format_tar.c \ +@@ -889,6 +890,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \ + libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \ + libarchive/test/test_read_format_rar_noeof.rar.uu \ ++ 
libarchive/test/test_read_format_rar_overflow.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \ +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 9eb3c84..88eab62 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -451,7 +451,7 @@ static int read_filter(struct archive_read *, int64_t *); + static int rar_decode_byte(struct archive_read*, uint8_t *); + static int execute_filter(struct archive_read*, struct rar_filter *, + struct rar_virtual_machine *, size_t); +-static int copy_from_lzss_window(struct archive_read *, void *, int64_t, int); ++static int copy_from_lzss_window(struct archive_read *, uint8_t *, int64_t, int); + static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t); + static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t); + +@@ -2929,7 +2929,7 @@ expand(struct archive_read *a, int64_t *end) + } + + if ((symbol = read_next_symbol(a, &rar->maincode)) < 0) +- return (ARCHIVE_FATAL); ++ goto bad_data; + + if (symbol < 256) + { +@@ -2956,14 +2956,14 @@ expand(struct archive_read *a, int64_t *end) + else + { + if (parse_codes(a) != ARCHIVE_OK) +- return (ARCHIVE_FATAL); ++ goto bad_data; + continue; + } + } + else if(symbol==257) + { + if (!read_filter(a, end)) +- return (ARCHIVE_FATAL); ++ goto bad_data; + continue; + } + else if(symbol==258) +@@ -3048,7 +3048,7 @@ expand(struct archive_read *a, int64_t *end) + { + if ((lowoffsetsymbol = + read_next_symbol(a, &rar->lowoffsetcode)) < 0) +- return (ARCHIVE_FATAL); ++ goto bad_data; + if(lowoffsetsymbol == 16) + { + rar->numlowoffsetrepeats = 15; +@@ -3096,7 +3096,7 @@ bad_data: + } + + static int +-copy_from_lzss_window(struct archive_read *a, void *buffer, 
++copy_from_lzss_window(struct archive_read *a, uint8_t *buffer, + int64_t startpos, int length) + { + int windowoffs, firstpart; +@@ -3111,7 +3111,7 @@ copy_from_lzss_window(struct archive_read *a, void *buffer, + } + if (firstpart < length) { + memcpy(buffer, &rar->lzss.window[windowoffs], firstpart); +- memcpy(buffer, &rar->lzss.window[0], length - firstpart); ++ memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart); + } else { + memcpy(buffer, &rar->lzss.window[windowoffs], length); + } +@@ -3266,6 +3266,9 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint + else + blocklength = prog ? prog->oldfilterlength : 0; + ++ if (blocklength > rar->dictionary_size) ++ return 0; ++ + registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS; + registers[4] = blocklength; + registers[5] = prog ? prog->usagecount : 0; +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt +index 5d7a5d2..59c5f5d 100644 +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -163,6 +163,7 @@ IF(ENABLE_TEST) + test_read_format_rar_encryption_partially.c + test_read_format_rar_invalid1.c + test_read_format_rar_filter.c ++ test_read_format_rar_overflow.c + test_read_format_rar5.c + test_read_format_raw.c + test_read_format_tar.c +diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c +new file mode 100644 +index 0000000..b39ed6b +--- /dev/null ++++ b/libarchive/test/test_read_format_rar_overflow.c +@@ -0,0 +1,48 @@ ++/*- ++ * Copyright (c) 2003-2025 Tim Kientzle ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. 
Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#include "test.h" ++ ++DEFINE_TEST(test_read_format_rar_overflow) ++{ ++ struct archive *a; ++ struct archive_entry *ae; ++ const char reffile[] = "test_read_format_rar_overflow.rar"; ++ const void *buff; ++ size_t size; ++ int64_t offset; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualInt(48, archive_entry_size(ae)); ++ /* The next call should reproduce Issue #2565 */ ++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset)); ++ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++} +diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu 
b/libarchive/test/test_read_format_rar_overflow.rar.uu +new file mode 100644 +index 0000000..48fd3fd +--- /dev/null ++++ b/libarchive/test/test_read_format_rar_overflow.rar.uu +@@ -0,0 +1,11 @@ ++begin 644 test_read_format_rar_overflow.rar ++M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_: ++MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#, ++MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A ++M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP ++MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P ++M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`& ++M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P ++-,#`P,#`P,#`P,#`P,``` ++` ++end +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index c26a14e32e..42c91e641e 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
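Review bot: the `copy_from_lzss_window()` hunk fixes a real bug independent of the CVE: on window wrap-around the second `memcpy` wrote to `buffer` rather than `buffer + firstpart`, so the first segment was overwritten and the tail of the destination was never filled. The fix is only well-formed because the parameter (and the forward declaration near line 451) changes from `void *` to `uint8_t *`, since pointer arithmetic on `void *` is not ISO C. What the hunk does not show is where `firstpart` and `length` are bounded: `length - firstpart` bytes are copied from `window[0]`, so `length` must already be limited to the window size before this call, which is what the `parse_filter()` bound is meant to guarantee for the filter path.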
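Review bot: the new `blocklength > rar->dictionary_size` check in `parse_filter()` returns 0 without calling `archive_set_error()`, so unless `read_filter()` (not in the hunk) sets a message, the `goto bad_data` that `expand()` now takes on that failure reports whatever `bad_data:` supplies rather than naming the oversized filter block; given the commit message's stated goal of better error messages, a specific message at the reject site is worth adding. The bound also assumes `rar->dictionary_size` is already established when filters are parsed and that the allocated LZSS window is at least that large; if the window can be allocated smaller than `dictionary_size`, comparing against the actual window length is the tighter check. Finally, the `expand()` hunks now route `parse_codes()` and `read_filter()` failures through `bad_data:` as well, so that label's cleanup (outside the hunk) needs to be safe for those states.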
@@ -32,6 +32,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://configurehack.patch \ file://CVE-2025-5914.patch \ + file://CVE-2025-5915.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"

From patchwork Fri Jul 4 15:10:26 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 66235
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/11] libarchive: fix CVE-2025-5916
Date: Fri, 4 Jul 2025 08:10:26 -0700
Message-ID: <9c74d3a096fed68d173f8711b373a42f158d6cc7.1751641631.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219929

From: Divya Chellam

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

Reference: https://security-tracker.debian.org/tracker/CVE-2025-5916

Upstream-patch: https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
 .../libarchive/libarchive/CVE-2025-5916.patch | 116 ++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |   1 +
 2 files changed, 117 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
new file mode 100644
index 0000000000..a1dfc7b286
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
@@ -0,0 +1,116 @@ +From ef093729521fcf73fa4007d5ae77adfe4df42403 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Mon, 7 Apr 2025 00:24:13 +0200 +Subject: [PATCH] warc: Prevent signed integer overflow (#2568) + +If a warc archive claims to have more than INT64_MAX - 4 content bytes, +the inevitable failure to skip all these bytes could lead to parsing +data which should be ignored instead. + +The test case contains a conversation entry with that many bytes and if +the entry is not properly skipped, the warc implementation would read +the conversation data as a new file entry. + +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5916 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403] + +Signed-off-by: Divya Chellam +--- + Makefile.am | 1 + + libarchive/archive_read_support_format_warc.c | 7 ++++-- + libarchive/test/test_read_format_warc.c | 24 +++++++++++++++++++ + .../test_read_format_warc_incomplete.warc.uu | 10 ++++++++ + 4 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 libarchive/test/test_read_format_warc_incomplete.warc.uu + +diff --git a/Makefile.am b/Makefile.am +index 9f3a6d1..7627ec5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -964,6 +964,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_ustar_filename_eucjp.tar.Z.uu \ + libarchive/test/test_read_format_ustar_filename_koi8r.tar.Z.uu \ + libarchive/test/test_read_format_warc.warc.uu \ ++ libarchive/test/test_read_format_warc_incomplete.warc.uu \ + libarchive/test/test_read_format_xar_doublelink.xar.uu \ + libarchive/test/test_read_format_xar_duplicate_filename_node.xar.uu \ + libarchive/test/test_read_format_zip.zip.uu \ +diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c +index fcec5bc..696f959 100644 +--- a/libarchive/archive_read_support_format_warc.c ++++ b/libarchive/archive_read_support_format_warc.c +@@ -386,7 +386,8 @@ 
start_over: + case LAST_WT: + default: + /* consume the content and start over */ +- _warc_skip(a); ++ if (_warc_skip(a) < 0) ++ return (ARCHIVE_FATAL); + goto start_over; + } + return (ARCHIVE_OK); +@@ -439,7 +440,9 @@ _warc_skip(struct archive_read *a) + { + struct warc_s *w = a->format->data; + +- __archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/); ++ if (__archive_read_consume(a, w->cntlen) < 0 || ++ __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0) ++ return (ARCHIVE_FATAL); + w->cntlen = 0U; + w->cntoff = 0U; + return (ARCHIVE_OK); +diff --git a/libarchive/test/test_read_format_warc.c b/libarchive/test/test_read_format_warc.c +index 91e6dc6..745aabf 100644 +--- a/libarchive/test/test_read_format_warc.c ++++ b/libarchive/test/test_read_format_warc.c +@@ -78,3 +78,27 @@ DEFINE_TEST(test_read_format_warc) + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + } ++ ++DEFINE_TEST(test_read_format_warc_incomplete) ++{ ++ const char reffile[] = "test_read_format_warc_incomplete.warc"; ++ struct archive_entry *ae; ++ struct archive *a; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, ++ archive_read_open_filename(a, reffile, 10240)); ++ ++ /* Entry cannot be parsed */ ++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae)); ++ ++ /* Verify archive format. 
*/ ++ assertEqualIntA(a, ARCHIVE_FILTER_NONE, archive_filter_code(a, 0)); ++ ++ /* Verify closing and resource freeing */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++} +diff --git a/libarchive/test/test_read_format_warc_incomplete.warc.uu b/libarchive/test/test_read_format_warc_incomplete.warc.uu +new file mode 100644 +index 0000000..b91b97e +--- /dev/null ++++ b/libarchive/test/test_read_format_warc_incomplete.warc.uu +@@ -0,0 +1,10 @@ ++begin 644 test_read_format_warc_incomplete.warc ++M5T%20R\Q+C`-"E=!4D,M5'EP93H@8V]N=F5R'0-"E=!4D,M1&%T ++M93H@,C`R-2TP,RTS,%0Q-3HP,#HT,%H-"D-O;G1E;G0M5'EP93H@=&5X="]P ++M;&%I;@T*0V]N=&5N="U,96YG=&@Z(#,X#0H-"E1H92!R96%D;64N='AT('-H ++4;W5L9"!N;W0@8F4@=FES:6)L90H` ++` ++end +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 42c91e641e..250a3c016f 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
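Review bot: in the `_warc_skip()` hunk, replacing the single `__archive_read_consume(a, w->cntlen + 4U)` with two calls means `cntlen + 4` is never formed when `cntlen` already exceeds `INT64_MAX - 4`, which is the signed overflow the subject line names, and the return value of `__archive_read_consume()` is now checked and propagated as `ARCHIVE_FATAL` through the `start_over:` switch in the header reader instead of being ignored as before. Two points to note: `w->cntlen` and `w->cntoff` are left unreset on the failure path, which is acceptable only because the reader is unusable after `ARCHIVE_FATAL`; and `test_read_format_warc_incomplete` asserts just that `archive_read_next_header()` returns `ARCHIVE_FATAL`, so it would not distinguish this fix from any other parse failure on the file; also checking `archive_error_string(a)` would pin the specific behaviour the commit message describes.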
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://configurehack.patch \ file://CVE-2025-5914.patch \ file://CVE-2025-5915.patch \ + file://CVE-2025-5916.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"

From patchwork Fri Jul 4 15:10:27 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 66238
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/11] libarchive: fix CVE-2025-5917 Date: Fri, 4 Jul 2025 08:10:27 -0700 Message-ID: <2b6832b05bab414df1da7c74a0c6a5e5a9d75b29.1751641631.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219930

From: Divya Chellam

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

Reference: https://security-tracker.debian.org/tracker/CVE-2025-5917

Upstream-patch: https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
--- .../libarchive/libarchive/CVE-2025-5917.patch | 54 +++++++++++++++++++ .../libarchive/libarchive_3.7.9.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch new file mode 100644 index 0000000000..28f7b6023a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,54 @@ +From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001 +From: Brian Campbell +Date: Sat, 26 Apr 2025 05:11:19 +0100 +Subject: [PATCH] Fix overflow in build_ustar_entry (#2588) + +The calculations for the suffix and prefix can increment the endpoint +for a trailing slash. Hence the limits used should be one lower than the +maximum number of bytes. + +Without this patch, when this happens for both the prefix and the +suffix, we end up with 156 + 100 bytes, and the write of the null at the +end will overflow the 256 byte buffer. This can be reproduced by running +``` +mkdir -p foo/bar +bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar +``` +when bsdtar is compiled with Address Sanitiser, although I originally +noticed this by accident with a genuine filename on a CHERI capability +system, which faults immediately on the buffer overflow. + +CVE: CVE-2025-5917 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85] + +Signed-off-by: Divya Chellam +--- + libarchive/archive_write_set_format_pax.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c +index 6e35f70..b2ba959 100644 +--- a/libarchive/archive_write_set_format_pax.c ++++ b/libarchive/archive_write_set_format_pax.c +@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + const char *filename, *filename_end; + char *p; + int need_slash = 0; /* Was there a trailing slash? */ +- size_t suffix_length = 99; ++ size_t suffix_length = 98; /* 99 - 1 for trailing slash */ + size_t insert_length; + + /* Length of additional dir element to be added. 
*/ +@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + /* Step 2: Locate the "prefix" section of the dirname, including + * trailing '/'. */ + prefix = src; +- prefix_end = prefix + 155; ++ prefix_end = prefix + 154 /* 155 - 1 for trailing / */; + if (prefix_end > filename) + prefix_end = filename; + while (prefix_end > prefix && *prefix_end != '/') +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 250a3c016f..bb8609dd09 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2025-5914.patch \ file://CVE-2025-5915.patch \ file://CVE-2025-5916.patch \ + file://CVE-2025-5917.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"
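Review bot: No regression test accompanies the first build_ustar_entry_name hunk (`suffix_length = 98`), even though the commit message gives a concrete reproducer (a path whose prefix and suffix both pick up a trailing slash, producing 156 + 100 bytes so that the terminating NUL lands outside the 256-byte buffer) and the diffstat touches only libarchive/archive_write_set_format_pax.c; a test in libarchive/test that writes such an entry in ustar/pax format would keep the off-by-one from reappearing if these limits are ever tuned again.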
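Review bot: In the second hunk the explanatory comment is embedded inside the expression (`prefix_end = prefix + 154 /* 155 - 1 for trailing / */;`), whereas the first hunk places its comment after the statement; for consistency and readability write `prefix_end = prefix + 154; /* 155 - 1 for trailing '/' */`.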
From patchwork Fri Jul 4 15:10:28 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66244
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/11] libarchive: fix CVE-2025-5918 Date: Fri, 4 Jul 2025 08:10:28 -0700 Message-ID: <369c164a163b2c7f15ee5fc41130be9feaf7245e.1751641631.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219931

From: Divya Chellam

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

CVE-2025-5918-0001 is the dependent commit and CVE-2025-5918-0002 is the actual CVE fix.

Reference: https://security-tracker.debian.org/tracker/CVE-2025-5918

Upstream-patches:
https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c
https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
--- .../libarchive/CVE-2025-5918-0001.patch | 326 ++++++++++++++++++ .../libarchive/CVE-2025-5918-0002.patch | 222 ++++++++++++ .../libarchive/libarchive_3.7.9.bb | 2 + 3 files changed, 550 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch new file mode 100644 index 0000000000..b5586a46de --- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch 
@@ -0,0 +1,326 @@ +From 89b8c35ff4b5addc08a85bf5df02b407f8af1f6c Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 6 Apr 2025 22:34:37 +0200 +Subject: [PATCH] Improve lseek handling (#2564) + +The skip functions are limited to 1 GB for cases in which libarchive +runs on a system with an off_t or long with 32 bits. This has negative +impact on 64 bit systems. + +Instead, make sure that _all_ subsequent functions truncate properly. +Some of them already did and some had regressions for over 10 years. + +Tests pass on Debian 12 i686 configured with --disable-largefile, i.e. +running with an off_t with 32 bits. + +Casts added where needed to still pass MSVC builds. + +--------- + +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5918 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c] + +Signed-off-by: Divya Chellam +--- + libarchive/archive_read.c | 6 ---- + libarchive/archive_read_disk_posix.c | 3 +- + libarchive/archive_read_open_fd.c | 29 +++++++++++++------ + libarchive/archive_read_open_file.c | 35 ++++++++++++----------- + libarchive/archive_read_open_filename.c | 37 ++++++++++++++++++------- + libarchive/test/read_open_memory.c | 2 +- + libarchive/test/test_sparse_basic.c | 6 ++-- + libarchive/test/test_tar_large.c | 2 +- + 8 files changed, 75 insertions(+), 45 deletions(-) + +diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c +index 822c534..50db870 100644 +--- a/libarchive/archive_read.c ++++ b/libarchive/archive_read.c +@@ -176,15 +176,9 @@ client_skip_proxy(struct archive_read_filter *self, int64_t request) + return 0; + + if (self->archive->client.skipper != NULL) { +- /* Seek requests over 1GiB are broken down into +- * multiple seeks. This avoids overflows when the +- * requests get passed through 32-bit arguments. 
*/ +- int64_t skip_limit = (int64_t)1 << 30; + int64_t total = 0; + for (;;) { + int64_t get, ask = request; +- if (ask > skip_limit) +- ask = skip_limit; + get = (self->archive->client.skipper) + (&self->archive->archive, self->data, ask); + total += get; +diff --git a/libarchive/archive_read_disk_posix.c b/libarchive/archive_read_disk_posix.c +index 09965eb..4839d62 100644 +--- a/libarchive/archive_read_disk_posix.c ++++ b/libarchive/archive_read_disk_posix.c +@@ -778,7 +778,8 @@ _archive_read_data_block(struct archive *_a, const void **buff, + */ + if (t->current_sparse->offset > t->entry_total) { + if (lseek(t->entry_fd, +- (off_t)t->current_sparse->offset, SEEK_SET) < 0) { ++ (off_t)t->current_sparse->offset, SEEK_SET) != ++ t->current_sparse->offset) { + archive_set_error(&a->archive, errno, "Seek error"); + r = ARCHIVE_FATAL; + a->archive.state = ARCHIVE_STATE_FATAL; +diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c +index debfde2..3fd536d 100644 +--- a/libarchive/archive_read_open_fd.c ++++ b/libarchive/archive_read_open_fd.c +@@ -131,7 +131,7 @@ static int64_t + file_skip(struct archive *a, void *client_data, int64_t request) + { + struct read_fd_data *mine = (struct read_fd_data *)client_data; +- int64_t skip = request; ++ off_t skip = (off_t)request; + int64_t old_offset, new_offset; + int skip_bits = sizeof(skip) * 8 - 1; /* off_t is a signed type. */ + +@@ -140,15 +140,15 @@ file_skip(struct archive *a, void *client_data, int64_t request) + + /* Reduce a request that would overflow the 'skip' variable. 
*/ + if (sizeof(request) > sizeof(skip)) { +- int64_t max_skip = ++ const int64_t max_skip = + (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; + if (request > max_skip) +- skip = max_skip; ++ skip = (off_t)max_skip; + } + +- /* Reduce request to the next smallest multiple of block_size */ +- request = (request / mine->block_size) * mine->block_size; +- if (request == 0) ++ /* Reduce 'skip' to the next smallest multiple of block_size */ ++ skip = (off_t)(((int64_t)skip / mine->block_size) * mine->block_size); ++ if (skip == 0) + return (0); + + if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) && +@@ -178,11 +178,24 @@ static int64_t + file_seek(struct archive *a, void *client_data, int64_t request, int whence) + { + struct read_fd_data *mine = (struct read_fd_data *)client_data; ++ off_t seek = (off_t)request; + int64_t r; ++ int seek_bits = sizeof(seek) * 8 - 1; /* off_t is a signed type. */ + + /* We use off_t here because lseek() is declared that way. */ +- /* See above for notes about when off_t is less than 64 bits. */ +- r = lseek(mine->fd, request, whence); ++ ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = (off_t)max_seek; ++ else if (request < min_seek) ++ seek = (off_t)min_seek; ++ } ++ ++ r = lseek(mine->fd, seek, whence); + if (r >= 0) + return r; + +diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c +index ecd56dc..2829b9a 100644 +--- a/libarchive/archive_read_open_file.c ++++ b/libarchive/archive_read_open_file.c +@@ -145,7 +145,7 @@ FILE_skip(struct archive *a, void *client_data, int64_t request) + + /* If request is too big for a long or an off_t, reduce it. 
*/ + if (sizeof(request) > sizeof(skip)) { +- int64_t max_skip = ++ const int64_t max_skip = + (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; + if (request > max_skip) + skip = max_skip; +@@ -176,39 +176,42 @@ FILE_seek(struct archive *a, void *client_data, int64_t request, int whence) + { + struct read_FILE_data *mine = (struct read_FILE_data *)client_data; + #if HAVE__FSEEKI64 +- int64_t skip = request; ++ int64_t seek = request; + #elif HAVE_FSEEKO +- off_t skip = (off_t)request; ++ off_t seek = (off_t)request; + #else +- long skip = (long)request; ++ long seek = (long)request; + #endif +- int skip_bits = sizeof(skip) * 8 - 1; ++ int seek_bits = sizeof(seek) * 8 - 1; + (void)a; /* UNUSED */ + +- /* If request is too big for a long or an off_t, reduce it. */ +- if (sizeof(request) > sizeof(skip)) { +- int64_t max_skip = +- (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; +- if (request > max_skip) +- skip = max_skip; ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = max_seek; ++ else if (request < min_seek) ++ seek = min_seek; + } + + #ifdef __ANDROID__ + /* Newer Android versions have fseeko...to meditate. 
*/ +- int64_t ret = lseek(fileno(mine->f), skip, whence); ++ int64_t ret = lseek(fileno(mine->f), seek, whence); + if (ret >= 0) { + return ret; + } + #elif HAVE__FSEEKI64 +- if (_fseeki64(mine->f, skip, whence) == 0) { ++ if (_fseeki64(mine->f, seek, whence) == 0) { + return _ftelli64(mine->f); + } + #elif HAVE_FSEEKO +- if (fseeko(mine->f, skip, whence) == 0) { ++ if (fseeko(mine->f, seek, whence) == 0) { + return ftello(mine->f); + } + #else +- if (fseek(mine->f, skip, whence) == 0) { ++ if (fseek(mine->f, seek, whence) == 0) { + return ftell(mine->f); + } + #endif +@@ -226,4 +229,4 @@ FILE_close(struct archive *a, void *client_data) + free(mine->buffer); + free(mine); + return (ARCHIVE_OK); +-} +\ No newline at end of file ++} +diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c +index 05f0ffb..3894b15 100644 +--- a/libarchive/archive_read_open_filename.c ++++ b/libarchive/archive_read_open_filename.c +@@ -479,20 +479,24 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request) + struct read_file_data *mine = (struct read_file_data *)client_data; + #if defined(_WIN32) && !defined(__CYGWIN__) + /* We use _lseeki64() on Windows. */ +- int64_t old_offset, new_offset; ++ int64_t old_offset, new_offset, skip = request; + #else +- off_t old_offset, new_offset; ++ off_t old_offset, new_offset, skip = (off_t)request; + #endif ++ int skip_bits = sizeof(skip) * 8 - 1; + + /* We use off_t here because lseek() is declared that way. */ + +- /* TODO: Deal with case where off_t isn't 64 bits. +- * This shouldn't be a problem on Linux or other POSIX +- * systems, since the configuration logic for libarchive +- * tries to obtain a 64-bit off_t. +- */ ++ /* Reduce a request that would overflow the 'skip' variable. 
*/ ++ if (sizeof(request) > sizeof(skip)) { ++ const int64_t max_skip = ++ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; ++ if (request > max_skip) ++ skip = max_skip; ++ } ++ + if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 && +- (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0) ++ (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) + return (new_offset - old_offset); + + /* If lseek() fails, don't bother trying again. */ +@@ -540,11 +544,24 @@ static int64_t + file_seek(struct archive *a, void *client_data, int64_t request, int whence) + { + struct read_file_data *mine = (struct read_file_data *)client_data; ++ off_t seek = (off_t)request; + int64_t r; ++ int seek_bits = sizeof(seek) * 8 - 1; + + /* We use off_t here because lseek() is declared that way. */ +- /* See above for notes about when off_t is less than 64 bits. */ +- r = lseek(mine->fd, request, whence); ++ ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = (off_t)max_seek; ++ else if (request < min_seek) ++ seek = (off_t)min_seek; ++ } ++ ++ r = lseek(mine->fd, seek, whence); + if (r >= 0) + return r; + +diff --git a/libarchive/test/read_open_memory.c b/libarchive/test/read_open_memory.c +index 6d2468c..9262ab9 100644 +--- a/libarchive/test/read_open_memory.c ++++ b/libarchive/test/read_open_memory.c +@@ -167,7 +167,7 @@ memory_read_skip(struct archive *a, void *client_data, int64_t skip) + + (void)a; /* UNUSED */ + /* We can't skip by more than is available. */ +- if ((off_t)skip > (off_t)(mine->end - mine->p)) ++ if (skip > mine->end - mine->p) + skip = mine->end - mine->p; + /* Always do small skips by prime amounts. 
*/ + if (skip > 71) +diff --git a/libarchive/test/test_sparse_basic.c b/libarchive/test/test_sparse_basic.c +index 23cde56..93710cb 100644 +--- a/libarchive/test/test_sparse_basic.c ++++ b/libarchive/test/test_sparse_basic.c +@@ -608,7 +608,8 @@ DEFINE_TEST(test_sparse_basic) + verify_sparse_file(a, "file2", sparse_file2, 20); + /* Encoded non sparse; expect a data block but no sparse entries. */ + verify_sparse_file(a, "file3", sparse_file3, 0); +- verify_sparse_file(a, "file4", sparse_file4, 2); ++ if (sizeof(off_t) > 4) ++ verify_sparse_file(a, "file4", sparse_file4, 2); + + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + +@@ -635,7 +636,8 @@ DEFINE_TEST(test_sparse_basic) + verify_sparse_file(a, "file1", sparse_file1, 0); + verify_sparse_file(a, "file2", sparse_file2, 0); + verify_sparse_file(a, "file3", sparse_file3, 0); +- verify_sparse_file(a, "file4", sparse_file4, 0); ++ if (sizeof(off_t) > 4) ++ verify_sparse_file(a, "file4", sparse_file4, 0); + + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + +diff --git a/libarchive/test/test_tar_large.c b/libarchive/test/test_tar_large.c +index c1f3791..1cde321 100644 +--- a/libarchive/test/test_tar_large.c ++++ b/libarchive/test/test_tar_large.c +@@ -175,7 +175,7 @@ memory_read_skip(struct archive *a, void *_private, int64_t skip) + } + if (private->filebytes > 0) { + if (private->filebytes < skip) +- skip = (off_t)private->filebytes; ++ skip = private->filebytes; + private->filebytes -= skip; + } else { + skip = 0; +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch new file mode 100644 index 0000000000..a5fb33c8f1 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch 
@@ -0,0 +1,222 @@ +From dcbf1e0ededa95849f098d154a25876ed5754bcf Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Tue, 15 Apr 2025 06:02:17 +0200 +Subject: [PATCH] Do not skip past EOF while reading (#2584) + +Make sure to not skip past end of file for better error messages. One +such example is now visible with rar testsuite. You can see the +difference already by an actually not useless use of cat: + +``` +$ cat .../test_read_format_rar_ppmd_use_after_free.rar | bsdtar -t +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Truncated input file (needed 119 bytes, only 0 available) +bsdtar: Error exit delayed from previous errors. +``` + +compared to + +``` +$ bsdtar -tf .../test_read_format_rar_ppmd_use_after_free.rar +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Error exit delayed from previous errors. +``` + +Since the former cannot lseek, the error is a different one +(ARCHIVE_FATAL vs ARCHIVE_EOF). The piped version states explicitly that +truncation occurred, while the latter states EOF because the skip past +the end of file was successful. 
+ +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5918 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf] + +Signed-off-by: Divya Chellam +--- + libarchive/archive_read_open_fd.c | 13 +++++++--- + libarchive/archive_read_open_file.c | 33 +++++++++++++++++++------ + libarchive/archive_read_open_filename.c | 16 +++++++++--- + libarchive/test/test_read_format_rar.c | 6 ++--- + 4 files changed, 50 insertions(+), 18 deletions(-) + +diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c +index 3fd536d..dc7c9e5 100644 +--- a/libarchive/archive_read_open_fd.c ++++ b/libarchive/archive_read_open_fd.c +@@ -52,6 +52,7 @@ + struct read_fd_data { + int fd; + size_t block_size; ++ int64_t size; + char use_lseek; + void *buffer; + }; +@@ -95,6 +96,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size) + if (S_ISREG(st.st_mode)) { + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + mine->use_lseek = 1; ++ mine->size = st.st_size; + } + #if defined(__CYGWIN__) || defined(_WIN32) + setmode(mine->fd, O_BINARY); +@@ -151,9 +153,14 @@ file_skip(struct archive *a, void *client_data, int64_t request) + if (skip == 0) + return (0); + +- if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) && +- ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If seek failed once, it will probably fail again. 
*/ + mine->use_lseek = 0; +diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c +index 2829b9a..6ed18a0 100644 +--- a/libarchive/archive_read_open_file.c ++++ b/libarchive/archive_read_open_file.c +@@ -52,6 +52,7 @@ + struct read_FILE_data { + FILE *f; + size_t block_size; ++ int64_t size; + void *buffer; + char can_skip; + }; +@@ -91,6 +92,7 @@ archive_read_open_FILE(struct archive *a, FILE *f) + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + /* Enable the seek optimization only for regular files. */ + mine->can_skip = 1; ++ mine->size = st.st_size; + } + + #if defined(__CYGWIN__) || defined(_WIN32) +@@ -130,6 +132,7 @@ FILE_skip(struct archive *a, void *client_data, int64_t request) + #else + long skip = (long)request; + #endif ++ int64_t old_offset, new_offset; + int skip_bits = sizeof(skip) * 8 - 1; + + (void)a; /* UNUSED */ +@@ -153,19 +156,33 @@ FILE_skip(struct archive *a, void *client_data, int64_t request) + + #ifdef __ANDROID__ + /* fileno() isn't safe on all platforms ... see above. 
*/ +- if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0) ++ old_offset = lseek(fileno(mine->f), 0, SEEK_CUR); + #elif HAVE__FSEEKI64 +- if (_fseeki64(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = _ftelli64(mine->f); + #elif HAVE_FSEEKO +- if (fseeko(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftello(mine->f); + #else +- if (fseek(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftell(mine->f); + #endif +- { +- mine->can_skip = 0; +- return (0); ++ if (old_offset >= 0) { ++ if (old_offset < mine->size && ++ skip <= mine->size - old_offset) { ++#ifdef __ANDROID__ ++ new_offset = lseek(fileno(mine->f), skip, SEEK_CUR); ++#elif HAVE__FSEEKI64 ++ new_offset = _fseeki64(mine->f, skip, SEEK_CUR); ++#elif HAVE_FSEEKO ++ new_offset = fseeko(mine->f, skip, SEEK_CUR); ++#else ++ new_offset = fseek(mine->f, skip, SEEK_CUR); ++#endif ++ if (new_offset >= 0) ++ return (new_offset - old_offset); ++ } + } +- return (request); ++ ++ mine->can_skip = 0; ++ return (0); + } + + /* +diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c +index 3894b15..5f5b3f1 100644 +--- a/libarchive/archive_read_open_filename.c ++++ b/libarchive/archive_read_open_filename.c +@@ -74,6 +74,7 @@ struct read_file_data { + size_t block_size; + void *buffer; + mode_t st_mode; /* Mode bits for opened file. */ ++ int64_t size; + char use_lseek; + enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type; + union { +@@ -400,8 +401,10 @@ file_open(struct archive *a, void *client_data) + mine->st_mode = st.st_mode; + + /* Disk-like inputs can use lseek(). 
*/ +- if (is_disk_like) ++ if (is_disk_like) { + mine->use_lseek = 1; ++ mine->size = st.st_size; ++ } + + return (ARCHIVE_OK); + fail: +@@ -495,9 +498,14 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request) + skip = max_skip; + } + +- if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 && +- (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If lseek() fails, don't bother trying again. */ + mine->use_lseek = 0; +diff --git a/libarchive/test/test_read_format_rar.c b/libarchive/test/test_read_format_rar.c +index dce567a..fce44a9 100644 +--- a/libarchive/test/test_read_format_rar.c ++++ b/libarchive/test/test_read_format_rar.c +@@ -3829,8 +3829,8 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free) + assertA(ARCHIVE_OK == archive_read_next_header(a, &ae)); + assertA(archive_read_data(a, buf, sizeof(buf)) <= 0); + +- /* Test EOF */ +- assertA(1 == archive_read_next_header(a, &ae)); ++ /* Test for truncation */ ++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae)); + + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); +@@ -3856,7 +3856,7 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free2) + assertA(archive_read_data(a, buf, sizeof(buf)) <= 0); + + /* Test EOF */ +- assertA(1 == archive_read_next_header(a, &ae)); ++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae)); + + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); +-- +2.40.0 + 
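Review bot: Removing `skip_limit` from client_skip_proxy() in the libarchive/archive_read.c hunk of CVE-2025-5918-0001.patch also removes the only guard for skippers supplied by applications through `self->archive->client.skipper`: the in-tree skippers changed in this patch now clamp `request` to off_t/long themselves, but an external callback written against the old 1 GiB chunking will start receiving full int64_t requests. That is a behaviour change visible to library users, not just to the in-tree readers, and deserves a sentence in the commit message.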
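Review bot: In the libarchive/archive_read_disk_posix.c hunk, comparing the lseek() result with `t->current_sparse->offset` correctly catches the case where the `(off_t)` cast truncated the offset, but in that case lseek() succeeded and did not set errno, so `archive_set_error(&a->archive, errno, "Seek error")` reports a stale or zero errno; set errno (EOVERFLOW fits) before the call, or pass a fixed code, when the returned position differs from the requested one.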
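Review bot: The file_seek() hunks in libarchive/archive_read_open_fd.c and libarchive/archive_read_open_filename.c and the FILE_seek() hunk in libarchive/archive_read_open_file.c clamp an out-of-range `request` to `max_seek`/`min_seek` and then seek there, so a caller asking for an absolute position that does not fit in off_t gets a successful return at a different position instead of an error. For the skip functions clamping is harmless because client_skip_proxy() loops on the returned byte count, but a seek caller is unlikely to re-check the returned offset; failing the request on overflow (errno = EOVERFLOW, then the same path as a failed lseek()) would be safer than silently moving the target.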
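Review bot: In the libarchive/test/test_sparse_basic.c hunks, `if (sizeof(off_t) > 4)` silently drops the file4 checks on builds with a 32-bit off_t, so a regression there would never show up in the test log; emit a skip message in an else branch, with a short comment on why file4 cannot be verified with a 32-bit off_t, so the omission is visible.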
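Review bot: The FILE_skip() hunk in libarchive/archive_read_open_file.c (CVE-2025-5918-0002.patch) returns the wrong value on every non-Android branch: `_fseeki64()`, `fseeko()` and `fseek()` return 0 on success rather than the new position, so `new_offset` is 0 and `return (new_offset - old_offset)` yields `-old_offset` (negative for any non-zero starting offset) instead of the number of bytes skipped; only the `__ANDROID__` branch, which uses lseek(), actually gets a position back. On a zero return from the seek call, read the position back with `_ftelli64()`/`ftello()`/`ftell()` exactly as the hunk already does for `old_offset`, and return that difference.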
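Review bot: In the file_skip() hunk of libarchive/archive_read_open_fd.c and the file_skip_lseek() hunk of libarchive/archive_read_open_filename.c, `mine->size` is a snapshot of st.st_size taken at open time, so for a regular file that is still growing (an archive being written while it is read) a skip reaching into the newly appended tail is refused with ESPIPE and `use_lseek` is cleared for the rest of the read, permanently falling back to read-and-discard. That is acceptable for the truncated-input case this fixes, but deserves a comment where errno is set to ESPIPE; also confirm that the `read_fd_data`/`read_file_data` allocation is zero-initialised, since `size` is only assigned in the S_ISREG and `is_disk_like` branches.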
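Review bot: In the second libarchive/test/test_read_format_rar.c hunk (test_read_format_rar_ppmd_use_after_free2) the comment `/* Test EOF */` is left in place while the assertion now expects ARCHIVE_FATAL; update it to `/* Test for truncation */` as the first hunk does.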
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index bb8609dd09..f08673ea3b 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
@@ -35,6 +35,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2025-5915.patch \ file://CVE-2025-5916.patch \ file://CVE-2025-5917.patch \ + file://CVE-2025-5918-0001.patch \ + file://CVE-2025-5918-0002.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"

From patchwork Fri Jul 4 15:10:29 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66242
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/11] xwayland: fix CVE-2025-49175
Date: Fri, 4 Jul 2025 08:10:29 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219932

From: Archana Polampalli

A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb            |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
new file mode 100644
index 0000000000..bfb37fcea0
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
@@ -0,0 +1,92 @@ +From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 28 Mar 2025 09:43:52 +0100 +Subject: [PATCH] render: Avoid 0 or less animated cursors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Animated cursors use a series of cursors that the client can set. + +By default, the Xserver assumes at least one cursor is specified +while a client may actually pass no cursor at all. + +That causes an out-of-bound read creating the animated cursor and a +crash of the Xserver: + + | Invalid read of size 8 + | at 0x5323F4: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd + | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) + | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | + | Invalid read of size 2 + | at 0x5323F7: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x8 is not stack'd, malloc'd or (recently) free'd + +To avoid the issue, check the number of cursors specified and return a +BadValue error in both the proc handler (early) and the animated cursor +creation (as this is a public function) if there is 0 or less cursor. + +CVE-2025-49175 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. 
+ +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +Part-of: + +CVE: CVE-2025-49175 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee] + +Signed-off-by: Archana Polampalli +--- + render/animcur.c | 3 +++ + render/render.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/render/animcur.c b/render/animcur.c +index ef27bda..77942d8 100644 +--- a/render/animcur.c ++++ b/render/animcur.c +@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, + int rc = BadAlloc, i; + AnimCurPtr ac; + ++ if (ncursor <= 0) ++ return BadValue; ++ + for (i = 0; i < screenInfo.numScreens; i++) + if (!GetAnimCurScreen(screenInfo.screens[i])) + return BadImplementation; +diff --git a/render/render.c b/render/render.c +index 5bc2a20..a8c2da0 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) + ncursor = + (client->req_len - + (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; ++ if (ncursor <= 0) ++ return BadValue; + cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); + if (!cursors) + return BadAlloc; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 0265366393..b9b4aa1a6a 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
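Review bot: the new `if (ncursor <= 0) return BadValue;` at render/animcur.c line 307 changes the contract of AnimCursorCreate, which the commit message itself describes as a public function, but nothing documents the new precondition; add a comment at the check (or at the declaration) saying that ncursor must be at least 1 and that BadValue is returned otherwise, so callers other than ProcRenderCreateAnimCursor know which error to expect.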
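Review bot: in ProcRenderCreateAnimCursor (render/render.c line 1798) the `ncursor <= 0` check returns BadValue without recording anything in client->errorValue, so the error reply gives the client no hint of what was rejected; consider setting client->errorValue before returning. Separately, the `>> 1` on line 1797 silently drops an odd trailing CARD32, so a request whose extra length is not a whole number of (cursor, delta) pairs is accepted with its last word ignored rather than rejected; testing the word count with `& 1` before the shift and returning BadLength would make that case explicit.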
@@ -24,6 +24,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-2.patch \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ + file://CVE-2025-49175.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Fri Jul 4 15:10:30 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/11] xwayland: fix CVE-2025-49176
Date: Fri, 4 Jul 2025 08:10:30 -0700
Message-ID: <0a2c5179e1f08ccd0fcaccb6f95c892ebafac8a8.1751641631.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219933

From: Archana Polampalli

A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../xwayland/CVE-2025-49176-0001.patch | 93 +++++++++++++++++++
 .../xwayland/CVE-2025-49176-0002.patch | 38 ++++++++
 .../xwayland/xwayland_23.2.5.bb        |  2 +
 3 files changed, 133 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
new file mode 100644
index 0000000000..fd3b1d936b
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
@@ -0,0 +1,93 @@ +From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows requests larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. 
+ +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9] + +Signed-off-by: Archana Polampalli +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 9e98d54..20473f1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -513,9 +513,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -536,7 +537,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 841a0ee..aeece86 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch new file mode 100644 index 0000000000..6d7df79111 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch 
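Review bot: the rewritten test at dix/dispatch.c line 516 now treats only 0 and -1 specially and lets every other negative return from ReadRequestFromClient continue down the normal dispatch path; that relies on a convention, stated only in the commit message, that other negative values are negated X error codes. Put that convention in a comment next to `else if (result == -1)`, and confirm that the code between this hunk and the next, which runs before the `result < 0` test at line 540 and derives client->majorOp from client->requestBuffer, is safe to execute when the request was never fully read.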
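Review bot: `if (result < 0 || result > (maxBigRequestSize << 2)) result = BadLength;` at dix/dispatch.c line 540 collapses every negative value to BadLength, so the specific error code that os/io.c encodes as `-(BadLength)` is never actually used; if the intent is a general error-passing channel, use `result = -result` for the negative case and keep the BadLength assignment only for the oversize case, otherwise a named sentinel would be clearer than an error code that is discarded on arrival.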
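Review bot: in os/io.c line 299 the overflow check runs after `client->req_len = needed;` on line 298, so on the `-(BadLength)` path the client structure keeps the oversized req_len; move the check above the assignment, or clear req_len before returning. The check also compares against `MAXINT >> 2`, whereas the commit message says the size should be checked against maxBigRequestSize before conversion; the maxBigRequestSize comparison still happens in Dispatch after `needed <<= 2`, which is overflow-safe now only because of this bound, so either compare against maxBigRequestSize here directly or expand the comment to say that the MAXINT bound exists to make the later shift safe.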
@@ -0,0 +1,38 @@ +From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Harris +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index aeece86..67465f9 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index b9b4aa1a6a..72396dcd40 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
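Review bot: os/io.c line 398 repeats the bound added by the previous patch at line 299, again placed after `client->req_len = needed;` and this time without the explanatory comment; factor the check into a small helper (or into get_big_req_len) so that both call sites, and any future third one, share a single check, and apply it before req_len is stored.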
@@ -25,6 +25,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ file://CVE-2025-49175.patch \ + file://CVE-2025-49176-0001.patch \ + file://CVE-2025-49176-0002.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Fri Jul 4 15:10:31 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/11] xwayland: fix CVE-2025-49177
Date: Fri, 4 Jul 2025 08:10:31 -0700
Message-ID: <0b2afd59ce8c35083c1cb3596a2f7d4eaa7bd1c8.1751641631.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219934

From: Archana Polampalli

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb            |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
new file mode 100644
index 0000000000..56ae1de800
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
@@ -0,0 +1,55 @@ +From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:05:36 +0200 +Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode + +The handler of XFixesSetClientDisconnectMode does not check the client +request length. + +A client could send a shorter request and read data from a former +request. + +Fix the issue by checking the request size matches. + +CVE-2025-49177 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Fixes: e167299f6 - xfixes: Add ClientDisconnectMode +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49177 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af] + +Signed-off-by: Archana Polampalli +--- + xfixes/disconnect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c +index 28aac45..d6da1f9 100644 +--- a/xfixes/disconnect.c ++++ b/xfixes/disconnect.c +@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client) + ClientDisconnectPtr pDisconnect = GetClientDisconnect(client); + + REQUEST(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + pDisconnect->disconnect_mode = stuff->disconnect_mode; + +@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client) + + swaps(&stuff->length); + +- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + swapl(&stuff->disconnect_mode); + +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 72396dcd40..5ed8ca0365 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
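Review bot: REQUEST_SIZE_MATCH at xfixes/disconnect.c line 70 is correctly placed after REQUEST() and before the first read of stuff->disconnect_mode, but `GetClientDisconnect(client)` on line 67 still runs before the length is validated; it is harmless here, yet moving that lookup below the check keeps the handler in the usual validate-then-act order and does no work on behalf of a malformed request.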
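Review bot: replacing REQUEST_AT_LEAST_SIZE with REQUEST_SIZE_MATCH at line 84 is the right check for a fixed-size request, and keeping it after `swaps(&stuff->length)` on line 82 is necessary because the macro reads stuff->length; the one thing to double-check when backporting is that, if disconnect.c also carries the matching Get handler for the client disconnect mode, it uses the same exact-size check, since this patch touches only the Set handler.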
@@ -27,6 +27,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49175.patch \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ + file://CVE-2025-49177.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
From patchwork Fri Jul 4 15:10:32 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/11] xwayland: fix CVE-2025-49178
Date: Fri, 4 Jul 2025 08:10:32 -0700
Message-ID: <4c6df8320497c2ebf09902a62b6a3f3b061be917.1751641631.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219935

From: Archana Polampalli

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2025-49178.patch | 50 +++++++++++++++++++
 .../xwayland/xwayland_23.2.5.bb            |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
new file mode 100644
index 0000000000..5ef2fea1c9
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
@@ -0,0 +1,50 @@ +From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:46:03 +0200 +Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer + +When reading requests from the clients, the input buffer might be shared +and used between different clients. + +If a given client sends a full request with non-zero bytes to ignore, +the bytes to ignore may still be non-zero even though the request is +full, in which case the buffer could be shared with another client who's +request will not be processed because of those bytes to ignore, leading +to a possible hang of the other client request. + +To avoid the issue, make sure we have zero bytes to ignore left in the +input request when sharing the input buffer with another client. + +CVE-2025-49178 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49178 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/io.c b/os/io.c +index 67465f9..f92a40e 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client) + */ + + gotnow -= needed; +- if (!gotnow) ++ if (!gotnow && !oci->ignoreBytes) + AvailableInput = oc; + if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 5ed8ca0365..e150961882 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
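Review bot: the new condition `if (!gotnow && !oci->ignoreBytes)` at os/io.c line 447 stops the input buffer from being handed to another client while bytes remain to be ignored, but the hunk does not show what then happens to those bytes: with AvailableInput left unset, confirm that this client is still marked readable so the leftover ignoreBytes are drained on its next ReadRequestFromClient call rather than sitting in the buffer until more data arrives. A one-line comment explaining why a non-zero ignoreBytes blocks sharing would also help, since the reasoning currently lives only in the commit message.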
@@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ + file://CVE-2025-49178.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Fri Jul 4 15:10:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66243 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1667C83F0C for ; Fri, 4 Jul 2025 15:10:58 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web10.14470.1751641857387629230 for ; Fri, 04 Jul 2025 08:10:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Bp3xU1B4; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-749068b9b63so669489b3a.0 for ; Fri, 04 Jul 2025 08:10:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751641857; x=1752246657; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ekHKzbNntvRoPyGRF/56B+P7k/K3XscMgPrXKgFCN6M=; b=Bp3xU1B4YHSc7Dvqd2+eY7xirM67vPtBlGpXaQINkIvceRgP5djTaHkZ9xbfWJ6BkY twan8o5FfDGzz2l0LpZySPDU1OaKIg/3l+x0qpb9FPqfLOY3OO4ywxJ9yrYWb2W00mpv +WByatRrTBRRRWfIJndb7BxCV62152sY54hOOPh17WLJtZHz/0D95cTbqXMvmLYSwfLf 0if782ojGIOlbmpkgki20wxXwD3/Sg6SPWL1jTHmpUafbO6qw1tZ5FSdobbESGKRHybY 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/11] xwayland: fix CVE-2025-49179 Date: Fri, 4 Jul 2025 08:10:33 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:10:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219936 From: Archana Polampalli A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch new file mode 100644 index 0000000000..48c7ed8c13 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch 
@@ -0,0 +1,69 @@ +From 9d205323894af62b9726fcbaeb5fc69b3c9f61ba Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 11:47:15 +0200 +Subject: [PATCH] record: Check for overflow in + RecordSanityCheckRegisterClients() + +The RecordSanityCheckRegisterClients() checks for the request length, +but does not check for integer overflow. + +A client might send a very large value for either the number of clients +or the number of protocol ranges that will cause an integer overflow in +the request length computation, defeating the check for request length. + +To avoid the issue, explicitly check the number of clients against the +limit of clients (which is much lower than an maximum integer value) and +the number of protocol ranges (multiplied by the record length) do not +exceed the maximum integer value. + +This way, we ensure that the final computation for the request length +will not overflow the maximum integer limit. + +CVE-2025-49179 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4) + +Part-of: + +CVE: CVE-2025-49179 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9d205323894af62b9726fcbaeb5fc69b3c9f61ba] + +Signed-off-by: Archana Polampalli +--- + record/record.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/record/record.c b/record/record.c +index e123867..018e53f 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. 
+ #include "inputstr.h" + #include "eventconvert.h" + #include "scrnintstr.h" ++#include "opaque.h" + + #include + #include +@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, + int i; + XID recordingClient; + ++ /* LimitClients is 2048 at max, way less that MAXINT */ ++ if (stuff->nClients > LimitClients) ++ return BadValue; ++ ++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) ++ return BadValue; ++ + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != + 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) + return BadLength; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index e150961882..490e1ca05f 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
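Review bot: the second guard "if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))" is only safe because the first guard has already bounded stuff->nClients by LimitClients (otherwise "MAXINT - 4 * stuff->nClients" could itself wrap), so the ordering of the two checks is load-bearing; a comment stating that dependency would stop a later reorder from reintroducing the overflow. Also fix the typo in the new comment: "way less that MAXINT" should read "way less than MAXINT". Worth a line in the backport message that an oversized nClients now fails with BadValue before the existing BadLength check is reached.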
@@ -29,6 +29,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ + file://CVE-2025-49179.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90" From patchwork Fri Jul 4 15:10:34 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66245
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/11] xwayland: fix CVE-2025-49180 Date: Fri, 4 Jul 2025 08:10:34 -0700 Message-ID: <15881f41f8c00c5f0a68628c2d49ca1aa1999c2e.1751641631.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:11:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219937 From: Archana Polampalli A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49180.patch | 45 +++++++++++++++++++ .../xwayland/xwayland_23.2.5.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch new file mode 100644 index 0000000000..51939acf63 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch 
@@ -0,0 +1,45 @@ +From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49180 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6] + +Signed-off-by: Archana Polampalli +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 90c5a9a..0aa35ad 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb index 490e1ca05f..49e35ca442 100644 --- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb +++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb 
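Review bot: "if (total_len > MAXINT / size_in_bytes)" divides by size_in_bytes, and nothing in the hunk shows that it is non-zero at this point; if the caller already rejects formats other than 8, 16 and 32 before RRChangeProviderProperty() is reached that is fine, but it deserves a sentence in the commit message or a comment above the check, since a zero size_in_bytes here would be a division by zero rather than a rejected request. Stylistically, the hunk also drops the blank line after the new_data/old_data declarations; keeping that blank line and placing the check after it matches the surrounding code.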
@@ -30,6 +30,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ + file://CVE-2025-49180.patch \ " SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"