From patchwork Fri Jul 4 15:28:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66248 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5EB3C83F0B for ; Fri, 4 Jul 2025 15:29:08 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web11.14854.1751642944146892637 for ; Fri, 04 Jul 2025 08:29:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ilSOMlVJ; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-7490702fc7cso697528b3a.1 for ; Fri, 04 Jul 2025 08:29:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642943; x=1752247743; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JwY2tnW9pBDixL9msbdyPuY2Ns1nnrCCxP5JpeqW0Ek=; b=ilSOMlVJAxPICnlbgn+YLCdySqV3rCUFBjrbnvii3/fB+og0ZcfcLhfE8yVh16VeMQ dWupEmW1PCwEksYTw4F71KwzLg2dNvHeh9x4IBdANTIIm0u+NKGK32Ax7QohaWHuhR4S z7CKy5QDUr0dVGfwgvlZwEqW5J1q3rXoWySNU21QdpL4IN5fbXkKjz123mGi3YBtVa2Z J06rgGPCtY/D4ON1z7lzDVQuuenEoz18UceeVATu/caNCGu1jDrQopKPJ/rXq7AX+UNI LTJKiqCUHsgBszmzmjnYahciUk+NM02LT/DjCThYJpPDbs6TxTKn+EiK9WmXuy9sZIuu ZgHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642943; x=1752247743; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JwY2tnW9pBDixL9msbdyPuY2Ns1nnrCCxP5JpeqW0Ek=; b=mx4AUP0KxyqcVtCFH+xxN2aCKCwF9+YQJf6HPLqeoWOMFhe2Lk05rjb5/hX8L5QrHD N0AUeLwX/GE2O+vi1cfAEJfpECt6Z0643q8ddRsnIF3Rx/LXkbjhXqI5um/DXOIC6ZhC PXIh+wyvCi+BI4SOJcZfkLOTuSDO5fUXb+jR2nvPOBdaPg3LytYSnF7gqlHhGFFW7eSb a1mV+UgDkjnU641/khCxOa5G74G0zTiLpQQ20p8K08DqIowSlasziLlU1ca/eYYxRZQ+ oWJhSCYwPcMzt+DJIcEVDIk2Vk915l4mC0iBBsLaAPKgMnqOJPlpdfkIRhDTQ9RyGqly a/Uw== X-Gm-Message-State: AOJu0YzCzLseJZ4YAOvReqKC3km+9KafAjjj95DcuQKpEO0UXH51fiCp zZDcu5DKdRzK/D3O5vlca9opmNVnFbaXmusKzq/xoBuWiUR6B0mKsoeIUXgMCvx3DeBs6XwKlML Nm6mx X-Gm-Gg: ASbGnctU58eZtPPqyCvP43jRLoWhfWwxyIv7a9MTRuhvzT6vBn+lwTJDT3ZMkhaAe2r mLm7D/Ns/fk/Oev2Xo7h9CdYUi8+vw/B3Xn/kDO2wLG9KOb4mIvW362Otmh2JSyeFijBvqC5IHY U9iKO0EryeR6U7RJyL7mZa0D9DMP9OiYmYzZ0FwyvKYb1KojCsCiMGiXRe5I9l4Bm+Yp5+6gffc VtTyEwkdWS77iB6nBtlKn878k4nrvhhu1w6jImjuSdl61CejM62522nbe5Z7hykm+daH5MoTC2U DUvnK6sVK1D8UpTRWQp7g8aGWKfGjlyXGAYjdtQM8fglVs9p2f8icA== X-Google-Smtp-Source: AGHT+IHtRYnsz7S9wZbhWl0rik022xFbD9B/IibM3jUmZwBOW+fg95P/AmHj4UZCpfVDs9a7/rP9PA== X-Received: by 2002:a05:6a21:699:b0:220:2caa:3018 with SMTP id adf61e73a8af0-225c06e84c9mr5088280637.24.1751642943284; Fri, 04 Jul 2025 08:29:03 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:02 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914 Date: Fri, 4 Jul 2025 08:28:47 -0700 Message-ID: <4a4c6e0382834e03480e07f30ed5efa23f6c6fe2.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219940 From: Colin Pinnell McAllister Adds patch to backport fix for CVE-2025-5914. Signed-off-by: Colin Pinnell McAllister Signed-off-by: Steve Sakoman --- .../libarchive/libarchive/CVE-2025-5914.patch | 46 +++++++++++++++++++ .../libarchive/libarchive_3.6.2.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch new file mode 100644 index 0000000000..5607420093 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch @@ -0,0 +1,46 @@ +From cb0d2b0c9a7f1672d4edaa4beacdd96e5b53ead1 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 11 May 2025 02:17:19 +0200 +Subject: [PATCH] rar: Fix double free with over 4 billion nodes (#2598) + +If a system is capable of handling 4 billion nodes in memory, a double +free could occur because of an unsigned integer overflow leading to a +realloc call with size argument of 0. Eventually, the client will +release that memory again, triggering a double free. + +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5914 +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209] +Signed-off-by: Colin Pinnell McAllister +--- + libarchive/archive_read_support_format_rar.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 793e8e98..b9f5450d 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -335,8 +335,8 @@ struct rar + int found_first_header; + char has_endarc_header; + struct data_block_offsets *dbo; +- unsigned int cursor; +- unsigned int nodes; ++ size_t cursor; ++ size_t nodes; + char filename_must_match; + + /* LZSS members */ +@@ -1186,7 +1186,7 @@ archive_read_format_rar_seek_data(struct archive_read *a, int64_t offset, + int whence) + { + int64_t client_offset, ret; +- unsigned int i; ++ size_t i; + struct rar *rar = (struct rar *)(a->format->data); + + if (rar->compression_method == COMPRESS_METHOD_STORE) +-- +2.49.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index 87d3794ab7..4d0e3f7179 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2024-48958.patch \ file://CVE-2024-20696.patch \ file://CVE-2025-25724.patch \ + file://CVE-2025-5914.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/" From patchwork Fri Jul 4 15:28:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66249 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5EF4C83F0C for ; Fri, 4 Jul 2025 15:29:08 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.web10.14814.1751642946171501604 for ; Fri, 04 Jul 2025 08:29:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=uAb089F6; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-74b27c1481bso680711b3a.2 for ; Fri, 04 Jul 2025 08:29:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642945; x=1752247745; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=v+yd7RTymY7fUKiKH4iAjuelM8uEBhKCgqcPdTEzAVs=; b=uAb089F6BsO6VZtF0AFTKdewIYOJPnl+sQRqv4oqQR/g+QO0aHL1PFA+8AQJw0nLH5 TDOb9Vyh5qL/jUQrujUC2+GkOwGF0EFagWuD64TpXYjcs/nbuuC/WT85KnUWBpndvODg JPo4+BU/Bymk6MYggJZXTpr/JAUt5tnNGrOLxuMfkw0AbDndGCRwBEwqtVQlW7ymaM+9 8GH1IxzTbUBe4x1xD+eCY5VOEKSHTHCik8bbe5vDkyf+lJ/XqxJp7im+JFRSQsA3y4JX ScfGV8mFLVUhF9LYn+4A3TJGvHT2WYc1bqNcD6lfBP+3siwuDBYO6IgRKSr2D2FC+nG7 y25A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642945; x=1752247745; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=v+yd7RTymY7fUKiKH4iAjuelM8uEBhKCgqcPdTEzAVs=; b=VYl+YfhCaj7L7fL65xHbM4geJfXisZy2Esbe9CCwP661vU16wvd6KnN/8V+tFFYh8T wT5oBaF3VsmFISGiaojCek1KHafwDujWIDKynNR9MtmDp3olUqvkSPV3vCEHcJ+oACND WX9cGEupl3buez7h7sr2jKt7hLJpZfCTR7DOqbROtvO2dnCePPvRAkZptJOBXT74zPVf 0xTrVp46OlJl7hSukSeS5xVex6OiQ6uJ5AdTNmplHKvtNv3Zyqo31m2tZ7ZNomYY8Ev6 8XDulgTHCGPimhzoI5nqZC9UKm8RtLJm85XTSd+sJvb1eCGuie9yFl5OhQgyGIXbOtvl jtkA== X-Gm-Message-State: AOJu0YwnPspJz24UyLfvkmZ449Zu5z6+Se5qqIZp8/AOcrNI330A90zv mEAwU85FwC9f6dRSwsVk3VSfCOrltxD5nGcyHIiyB3hEnVQNa+wwCSGUZAQKffcGh0CF9C6kE1c r4r+x X-Gm-Gg: ASbGncu8B7R2IYVwBEg+QT0RPabmAboZ9ZHDwAxgPjIRXL1wJtk4qI07GOeaHzRXub3 ibIb08Zr2OMQqbxF4OuEcPfiJg6xSAOe+y1UqH0MpgMtnGMYr7ACFq6bfLDo381eXHC+l8J+tQz 5L/twXbSInfE4PZrjFnrfHyQcoYM5zBJiSeuiVxkJuHtAVxzxG8mKNLhTaQYdx4g9WjjmKQaghi wzf2aQAb77JOQtlAlIIu5PutrSzyxZDsKneV2wARctfcUaTuiV5bL7V2TH/lv9iOjGCBFLOreQh RrWLIDH8Vhqv7Xm2fbOxM0mP1ufEXWwzLXxd3zBAlAxgXx3ZzlNPBA== X-Google-Smtp-Source: AGHT+IHwHnWaWsT8jdEwTDKV4A4NSyZUe1+y6cLuM6ORbPXa0Napd2zGvsOsoNxxIGmXdkoZ4DSNNQ== X-Received: by 2002:a05:6a20:1591:b0:21f:4ecc:11ab with SMTP id adf61e73a8af0-225be6e76d6mr4695204637.9.1751642944902; Fri, 04 Jul 2025 08:29:04 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:04 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/9] systemd: backport patches to fix CVE-2025-4598 Date: Fri, 4 Jul 2025 08:28:48 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219941 From: Chen Qi Patch 0003 is the actual patch to fix CVE. Patch 0002 is a preparation patch which systemd upstream uses for all actively maintained branches in preparation for patch 0003. Patch 0001 is a bug fix patch and is needed to avoid conflict introduced by patch 0002. Note that patch 0002 claims itself to be of no functional change, so this patch 0001 is really needed for patch 0002. Patch 0004 is a compilation fix patch which adds a macro needed by previous 0002 patch. Signed-off-by: Chen Qi Signed-off-by: Steve Sakoman --- .../systemd/systemd/CVE-2025-4598-0001.patch | 92 +++++++++++ .../systemd/systemd/CVE-2025-4598-0002.patch | 106 +++++++++++++ .../systemd/systemd/CVE-2025-4598-0003.patch | 144 ++++++++++++++++++ .../systemd/systemd/CVE-2025-4598-0004.patch | 36 +++++ meta/recipes-core/systemd/systemd_250.14.bb | 4 + 5 files changed, 382 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch new file mode 100644 index 0000000000..cf27acafe9 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch @@ -0,0 +1,92 @@ +From 2108812a76bd078a2bbd7583308ff18bf01f2383 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH 1/3] coredump: restore compatibility with older patterns + +This was broken in f45b8015513d38ee5f7cc361db9c5b88c9aae704. Unfortunately +the review does not talk about backward compatibility at all. There are +two places where it matters: +- During upgrades, the replacement of kernel.core_pattern is asynchronous. + For example, during rpm upgrades, it would be updated a post-transaction + file trigger. In other scenarios, the update might only happen after + reboot. We have a potentially long window where the old pattern is in + place. We need to capture coredumps during upgrades too. +- With --backtrace. The interface of --backtrace, in hindsight, is not + great. But there are users of --backtrace which were written to use + a specific set of arguments, and we can't just break compatiblity. + One example is systemd-coredump-python, but there are also reports of + users using --backtrace to generate coredump logs. + +Thus, we require the original set of args, and will use the additional args if +found. + +A test is added to verify that --backtrace works with and without the optional +args. + +(cherry picked from commit ded0aac389e647d35bce7ec4a48e718d77c0435b) +(cherry picked from commit f9b8b75c11bba9b63096904be98cc529c304eb97) +(cherry picked from commit 385a33b043406ad79a7207f3906c3b15192a3333) +(cherry picked from commit c6f79626b6d175c6a5b62b8c5d957a83eb882301) +(cherry picked from commit 9f02346d50e33c24acf879ce4dd5937d56473325) +(cherry picked from commit ac0aa5d1fdc21db1ef035fce562cb6fc8602b544) + +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/cadd1b1a1f39fd13b1115a10f563017201d7b56a] + +Signed-off-by: Chen Qi +--- + src/coredump/coredump.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 79280ab986..d598f6f59a 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -84,8 +84,12 @@ enum { + META_ARGV_SIGNAL, /* %s: number of signal causing dump */ + META_ARGV_TIMESTAMP, /* %t: time of dump, expressed as seconds since the Epoch (we expand this to µs granularity) */ + META_ARGV_RLIMIT, /* %c: core file size soft resource limit */ +- META_ARGV_HOSTNAME, /* %h: hostname */ ++ _META_ARGV_REQUIRED, ++ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ ++ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ + _META_ARGV_MAX, ++ /* If new fields are added, they should be added here, to maintain compatibility ++ * with callers which don't know about the new fields. */ + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -96,7 +100,7 @@ enum { + _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of +- * them is missing. */ ++ * them is missing in a message sent over the socket. */ + + META_EXE = _META_MANDATORY_MAX, + META_UNIT, +@@ -1278,14 +1282,17 @@ static int gather_pid_metadata_from_argv( + char *t; + + /* We gather all metadata that were passed via argv[] into an array of iovecs that +- * we'll forward to the socket unit */ ++ * we'll forward to the socket unit. ++ * ++ * We require at least _META_ARGV_REQUIRED args, but will accept more. ++ * We know how to parse _META_ARGV_MAX args. The rest will be ignored. */ + +- if (argc < _META_ARGV_MAX) ++ if (argc < _META_ARGV_REQUIRED) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "Not enough arguments passed by the kernel (%i, expected %i).", +- argc, _META_ARGV_MAX); ++ "Not enough arguments passed by the kernel (%i, expected between %i and %i).", ++ argc, _META_ARGV_REQUIRED, _META_ARGV_MAX); + +- for (int i = 0; i < _META_ARGV_MAX; i++) { ++ for (int i = 0; i < MIN(argc, _META_ARGV_MAX); i++) { + + t = argv[i]; + +-- +2.34.1 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch new file mode 100644 index 0000000000..0520bac87c --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch @@ -0,0 +1,106 @@ +From fb22bb743556d4d14463b0f0373c24d07d2e7b28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 May 2025 12:04:44 +0200 +Subject: [PATCH 2/3] coredump: get rid of _META_MANDATORY_MAX + +No functional change. This change is done in preparation for future changes. +Currently, the list of fields which are received on the command line is a +strict subset of the fields which are always expected to be received on a +socket. But when we add new kernel args in the future, we'll have two +non-overlapping sets and this approach will not work. Get rid of the variable +and enumerate the required fields. This set will never change, so this is +actually more maintainable. + +The message with the hint where to add new fields is switched with +_META_ARGV_MAX. The new order is more correct. + +(cherry-picked from 49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69) +(cherry-picked from aea6a631bca93e8b04a11aaced694f25f4da155e) +(cherry picked from cf16b6b6b2e0a656531bfd73ad66be3817b155cd) + +(cherry picked from commit b46a4f023cd80b24c8f1aa7a95700bc0cb828cdc) +(cherry picked from commit 5855552310ed279180c21cb803408aa2ce36053d) +(cherry picked from commit cc31f2d4146831b9f2fe7bf584468908ff9c4de5) + +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/2c81e60fe0b8c506a4fe902e45bed6f58f482b39] + +Signed-off-by: Chen Qi +--- + src/coredump/coredump.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index d598f6f59a..0b27086288 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -71,7 +71,7 @@ + * size. See DATA_SIZE_MAX in journal-importer.h. */ + assert_cc(JOURNAL_SIZE_MAX <= DATA_SIZE_MAX); + +-enum { ++typedef enum { + /* We use these as array indexes for our process metadata cache. + * + * The first indices of the cache stores the same metadata as the ones passed by +@@ -87,9 +87,9 @@ enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ +- _META_ARGV_MAX, + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ ++ _META_ARGV_MAX, + + /* The following indexes are cached for a couple of special fields we use (and + * thereby need to be retrieved quickly) for naming coredump files, and attaching +@@ -97,16 +97,15 @@ enum { + * environment. */ + + META_COMM = _META_ARGV_MAX, +- _META_MANDATORY_MAX, + + /* The rest are similar to the previous ones except that we won't fail if one of + * them is missing in a message sent over the socket. */ + +- META_EXE = _META_MANDATORY_MAX, ++ META_EXE, + META_UNIT, + META_PROC_AUXV, + _META_MAX +-}; ++} meta_argv_t; + + static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_PID] = "COREDUMP_PID=", +@@ -1192,12 +1191,24 @@ static int process_socket(int fd) { + if (r < 0) + goto finish; + +- /* Make sure we received at least all fields we need. */ +- for (int i = 0; i < _META_MANDATORY_MAX; i++) ++ /* Make sure we received all the expected fields. We support being called by an *older* ++ * systemd-coredump from the outside, so we require only the basic set of fields that ++ * was being sent when the support for sending to containers over a socket was added ++ * in a108c43e36d3ceb6e34efe37c014fc2cda856000. */ ++ meta_argv_t i; ++ VA_ARGS_FOREACH(i, ++ META_ARGV_PID, ++ META_ARGV_UID, ++ META_ARGV_GID, ++ META_ARGV_SIGNAL, ++ META_ARGV_TIMESTAMP, ++ META_ARGV_RLIMIT, ++ META_ARGV_HOSTNAME, ++ META_COMM) + if (!context.meta[i]) { + r = log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "A mandatory argument (%i) has not been sent, aborting.", +- i); ++ "Mandatory argument %s not received on socket, aborting.", ++ meta_field_names[i]); + goto finish; + } + +-- +2.34.1 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch new file mode 100644 index 0000000000..737121af12 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch @@ -0,0 +1,144 @@ +From 89730dea979b2d22fd548b622cd88bac99ff1d6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Apr 2025 14:47:59 +0200 +Subject: [PATCH 3/3] coredump: use %d in kernel core pattern +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The kernel provides %d which is documented as +"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE". + +We already query /proc/pid/auxv for this information, but unfortunately this +check is subject to a race, because the crashed process may be replaced by an +attacker before we read this data, for example replacing a SUID process that +was killed by a signal with another process that is not SUID, tricking us into +making the coredump of the original process readable by the attacker. + +With this patch, we effectively add one more check to the list of conditions +that need be satisfied if we are to make the coredump accessible to the user. + +Reportedy-by: Qualys Security Advisory + +(cherry-picked from commit 0c49e0049b7665bb7769a13ef346fef92e1ad4d6) +(cherry-picked from commit c58a8a6ec9817275bb4babaa2c08e0e35090d4e3) +(cherry picked from commit 19d439189ab85dd7222bdd59fd442bbcc8ea99a7) +(cherry picked from commit 254ab8d2a7866679cee006d844d078774cbac3c9) +(cherry picked from commit 7fc7aa5a4d28d7768dfd1eb85be385c3ea949168) +(cherry picked from commit 19b228662e0fcc6596c0395a0af8486a4b3f1627) + +CVE: CVE-2025-4598 + +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/2eb46dce078334805c547cbcf5e6462cf9d2f9f0] + +Signed-off-by: Chen Qi +--- + man/systemd-coredump.xml | 12 ++++++++++++ + src/coredump/coredump.c | 21 ++++++++++++++++++--- + sysctl.d/50-coredump.conf.in | 2 +- + 3 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-coredump.xml b/man/systemd-coredump.xml +index cb9f47745b..ba7cad12bc 100644 +--- a/man/systemd-coredump.xml ++++ b/man/systemd-coredump.xml +@@ -259,6 +259,18 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst + + + ++ ++ COREDUMP_DUMPABLE= ++ ++ The PR_GET_DUMPABLE field as reported by the kernel, see ++ prctl2. ++ ++ ++ ++ ++ ++ + + COREDUMP_OPEN_FDS= + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 0b27086288..aca6a2eb6b 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -87,6 +87,7 @@ typedef enum { + _META_ARGV_REQUIRED, + /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */ + META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */ ++ META_ARGV_DUMPABLE, /* %d: as set by the kernel */ + /* If new fields are added, they should be added here, to maintain compatibility + * with callers which don't know about the new fields. */ + _META_ARGV_MAX, +@@ -115,6 +116,7 @@ static const char * const meta_field_names[_META_MAX] = { + [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", + [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", + [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", ++ [META_ARGV_DUMPABLE] = "COREDUMP_DUMPABLE=", + [META_COMM] = "COREDUMP_COMM=", + [META_EXE] = "COREDUMP_EXE=", + [META_UNIT] = "COREDUMP_UNIT=", +@@ -125,6 +127,7 @@ typedef struct Context { + const char *meta[_META_MAX]; + size_t meta_size[_META_MAX]; + pid_t pid; ++ unsigned dumpable; + bool is_pid1; + bool is_journald; + } Context; +@@ -470,14 +473,16 @@ static int grant_user_access(int core_fd, const Context *context) { + if (r < 0) + return r; + +- /* We allow access if we got all the data and at_secure is not set and +- * the uid/gid matches euid/egid. */ ++ /* We allow access if dumpable on the command line was exactly 1, we got all the data, ++ * at_secure is not set, and the uid/gid match euid/egid. */ + bool ret = ++ context->dumpable == 1 && + at_secure == 0 && + uid != UID_INVALID && euid != UID_INVALID && uid == euid && + gid != GID_INVALID && egid != GID_INVALID && gid == egid; +- log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ log_debug("Will %s access (dumpable=%u uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", + ret ? "permit" : "restrict", ++ context->dumpable, + uid, euid, gid, egid, yes_no(at_secure)); + return ret; + } +@@ -1102,6 +1107,16 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + if (r < 0) + return log_error_errno(r, "Failed to parse PID \"%s\": %m", context->meta[META_ARGV_PID]); + ++ /* The value is set to contents of /proc/sys/fs/suid_dumpable, which we set to 2, ++ * if the process is marked as not dumpable, see PR_SET_DUMPABLE(2const). */ ++ if (context->meta[META_ARGV_DUMPABLE]) { ++ r = safe_atou(context->meta[META_ARGV_DUMPABLE], &context->dumpable); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse dumpable field \"%s\": %m", context->meta[META_ARGV_DUMPABLE]); ++ if (context->dumpable > 2) ++ log_notice("Got unexpected %%d/dumpable value %u.", context->dumpable); ++ } ++ + unit = context->meta[META_UNIT]; + context->is_pid1 = streq(context->meta[META_ARGV_PID], "1") || streq_ptr(unit, SPECIAL_INIT_SCOPE); + context->is_journald = streq_ptr(unit, SPECIAL_JOURNALD_SERVICE); +diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in +index 5fb551a8cf..9c10a89828 100644 +--- a/sysctl.d/50-coredump.conf.in ++++ b/sysctl.d/50-coredump.conf.in +@@ -13,7 +13,7 @@ + # the core dump. + # + # See systemd-coredump(8) and core(5). +-kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h ++kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h %d + + # Allow 16 coredumps to be dispatched in parallel by the kernel. + # We collect metadata from /proc/%P/, and thus need to make sure the crashed +-- +2.34.1 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch new file mode 100644 index 0000000000..a3aed25e27 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch @@ -0,0 +1,36 @@ +From a0c698c720441782fcf2cb7dfd01e69baf8f1f39 Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Thu, 2 Feb 2023 15:58:10 -0500 +Subject: [PATCH] basic/macro: add macro to iterate variadic args + +(cherry picked from commit e179f2d89c9f0c951636d74de00136b4075cd1ac) +(cherry picked from commit cd4f43bf378ff33ce5cfeacd96f7f3726603bddc) + +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/c288a3aafdf11cd93eb7a21e4d587c6fc218a29c] + +Signed-off-by: Chen Qi +--- + src/basic/macro.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/basic/macro.h b/src/basic/macro.h +index 9e62f9c71c..16242902ec 100644 +--- a/src/basic/macro.h ++++ b/src/basic/macro.h +@@ -454,4 +454,13 @@ typedef struct { + + assert_cc(sizeof(dummy_t) == 0); + ++/* Iterate through each variadic arg. All must be the same type as 'entry' or must be implicitly ++ * convertable. The iteration variable 'entry' must already be defined. */ ++#define VA_ARGS_FOREACH(entry, ...) \ ++ _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__) ++#define _VA_ARGS_FOREACH(entry, _entries_, _current_, ...) \ ++ for (typeof(entry) _entries_[] = { __VA_ARGS__ }, *_current_ = _entries_; \ ++ ((long)(_current_ - _entries_) < (long)ELEMENTSOF(_entries_)) && ({ entry = *_current_; true; }); \ ++ _current_++) ++ + #include "log.h" +-- +2.34.1 + diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb index b3e31e1f23..66d20a46fd 100644 --- a/meta/recipes-core/systemd/systemd_250.14.bb +++ b/meta/recipes-core/systemd/systemd_250.14.bb @@ -31,6 +31,10 @@ SRC_URI += "file://touchscreen.rules \ file://0001-core-fix-build-when-seccomp-is-off.patch \ file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \ file://0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch \ + file://CVE-2025-4598-0001.patch \ + file://CVE-2025-4598-0002.patch \ + file://CVE-2025-4598-0003.patch \ + file://CVE-2025-4598-0004.patch \ " # patches needed by musl From patchwork Fri Jul 4 15:28:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66247 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C04BBC83F03 for ; Fri, 4 Jul 2025 15:29:08 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web11.14857.1751642947385086911 for ; Fri, 04 Jul 2025 08:29:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=jtpMAR2d; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-7490acf57b9so845398b3a.2 for ; Fri, 04 Jul 2025 08:29:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642946; x=1752247746; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4+rntfSZnTEPOC87os16XidX80sbGb8hHFq8WXEf9mQ=; b=jtpMAR2dj9rVa6jKdfHTlhr9a69czm4syQDJsRzZG6Ao1Hg1zXDQd7dg0c8k5oYmre ahGYA9+dtL5aFZSJ1Kjvgd8ADPWPFnI9yDqDQuktZvbDfylAXv07hCDxSLdud0+Zd7vA /sc/i+wB5pzqLnhoP89v4XwIIu2vXe+uP1AFgA6bZ1CO5TeXY6TAt9fIjR3DGGID6NBA GwXe1SBcyjMN42086sy28BRErHXzIKKuPq5uzpAhWH1wiNj+HFExribBZvfwCKSKdL44 lM8qOh9BqUGmz6jOPQhcjKzVAj/y6Ojxa3BA1xIJSK0llnsXnrISOWyJoh3orK3qyHMA A5Gw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642946; x=1752247746; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4+rntfSZnTEPOC87os16XidX80sbGb8hHFq8WXEf9mQ=; b=IPZDVR9GNJY/oKMWdD9HXHOBENslcpyME8Q35kxmsquo5oLp98cxPV5GBxoe3355yg 9SII04Zpcn33YtBDiHz1Sv/UmnzLRF/ZjjSqIiEImQo2VgDob6FpoRUnKdXAcy0GcERy GlwnDhYtWBDff7w8eR2kMPIJ91i9K1b0gLtYzL3OTWGZeUuWRXMoVFfpSUEkWR1MrvQl b2FkqeMOc5oWMhabypLbOh1HUsSlNShIQaGf6hwvM+YrXcit1L/T3qAY2jdTPMIwSnXY /zqKh0jM9xjrEhxZRvp3vw9hIZW4dL8nz18ljOyevWHaslND5quKMHGV/e24CpPQLZiF 0Ktg== X-Gm-Message-State: AOJu0YyARDyxQb/jifCFON2q1J2U3qUONOalWC4/Ft0z95uTNO1STJIX +6t9h+c99qIuqJ8Rmx8nEoYp+09tBnKvvfXm66riUjaSBIt4ZZ0ghPJ03jZ/lNyQA11yL8Du5Bj +dhyi X-Gm-Gg: ASbGncuSRByKDtt/z2Zo5nGJrv7ea7XFzqMJe+qmslmu61AmSbA8woMaLLLcxTddQ1/ uTtffZGyVK3omLmZm6PoFAIM83x1+wWFpM4IwY0+Uy3T5m/CvHSBLIekzIMaDBb2npXp50ZE0XD AAuRb2GEeMYUBEA1hx0KKkLGZ9oVaa+jP/PGMOmqz0gQrauvL5/JQ3QfTOSUYHlXIhxuXI5jy2a RPvcu+iRN5LDZ4rxbRyUyzs+np4Nx2vim2Oz3LRBk8NSdQdlpdYWApgV0TJq5J2QZavsUVG9naH 0U+xK7+kJIiskTEVMHtygR2WmqHEJLQttMAbRV+nzydjYQLDuYj7Jw== X-Google-Smtp-Source: AGHT+IHPihw/VZUmq41mzf4xj7giQL3G2Pcn/VFlJJosP6UrItLWUzYWIamN/D47yjFELVgssxLgqA== X-Received: by 2002:a05:6a00:3a28:b0:749:156e:f2ff with SMTP id d2e1a72fcca58-74ce64184e6mr4660618b3a.7.1751642946437; Fri, 04 Jul 2025 08:29:06 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:06 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/9] python3-urllib3: fix CVE-2025-50181 Date: Fri, 4 Jul 2025 08:28:49 -0700 Message-ID: <574146765ea3f9b36532abf4ebc8bd2976396f0b.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219942 From: Yogita Urade urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-50181 Upstream patch: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../python3-urllib3/CVE-2025-50181.patch | 214 ++++++++++++++++++ .../python/python3-urllib3_1.26.18.bb | 4 + 2 files changed, 218 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch new file mode 100644 index 0000000000..61bdcc3e62 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch @@ -0,0 +1,214 @@ +From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Wed, 18 Jun 2025 16:25:01 +0300 +Subject: [PATCH] Merge commit from fork + +* Apply Quentin's suggestion + +Co-authored-by: Quentin Pradet + +* Add tests for disabled redirects in the pool manager + +* Add a possible fix for the issue with not raised `MaxRetryError` + +* Make urllib3 handle redirects instead of JS when JSPI is used + +* Fix info in the new comment + +* State that redirects with XHR are not controlled by urllib3 + +* Remove excessive params from new test requests + +* Add tests reaching max non-0 redirects + +* Test redirects with Emscripten + +* Fix `test_merge_pool_kwargs` + +* Add a changelog entry + +* Parametrize tests + +* Drop a fix for Emscripten + +* Apply Seth's suggestion to docs + +Co-authored-by: Seth Michael Larson + +* Use a minor release instead of the patch one + +--------- + +Co-authored-by: Quentin Pradet +Co-authored-by: Seth Michael Larson + +Changes: +- skip docs/reference/contrib/emscripten.rst, dummyserver/app.py and +test/contrib/emscripten/test_emscripten.py files which are not presented. + +CVE: CVE-2025-50181 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857] + +Signed-off-by: Yogita Urade +--- + src/urllib3/poolmanager.py | 18 +++- + test/with_dummyserver/test_poolmanager.py | 101 ++++++++++++++++++++++ + 2 files changed, 118 insertions(+), 1 deletion(-) + +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index fb51bf7..a8de7c6 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -170,6 +170,22 @@ class PoolManager(RequestMethods): + + def __init__(self, num_pools=10, headers=None, **connection_pool_kw): + RequestMethods.__init__(self, headers) ++ if "retries" in connection_pool_kw: ++ retries = connection_pool_kw["retries"] ++ if not isinstance(retries, Retry): ++ # When Retry is initialized, raise_on_redirect is based ++ # on a redirect boolean value. ++ # But requests made via a pool manager always set ++ # redirect to False, and raise_on_redirect always ends ++ # up being False consequently. ++ # Here we fix the issue by setting raise_on_redirect to ++ # a value needed by the pool manager without considering ++ # the redirect boolean. ++ raise_on_redirect = retries is not False ++ retries = Retry.from_int(retries, redirect=False) ++ retries.raise_on_redirect = raise_on_redirect ++ connection_pool_kw = connection_pool_kw.copy() ++ connection_pool_kw["retries"] = retries + self.connection_pool_kw = connection_pool_kw + self.pools = RecentlyUsedContainer(num_pools) + +@@ -389,7 +405,7 @@ class PoolManager(RequestMethods): + kw["body"] = None + kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change() + +- retries = kw.get("retries") ++ retries = kw.get("retries", response.retries) + if not isinstance(retries, Retry): + retries = Retry.from_int(retries, redirect=redirect) + +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index 509daf2..f84f169 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -82,6 +82,89 @@ class TestPoolManager(HTTPDummyServerTestCase): + assert r.status == 200 + assert r.data == b"Dummy server!" + ++ @pytest.mark.parametrize( ++ "retries", ++ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_0( ++ self, retries: typing.Literal[0] | Retry ++ ) -> None: ++ """ ++ Check handling redirects when retries is set to 0 on the pool ++ manager. ++ """ ++ with PoolManager(retries=retries) as http: ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect") ++ ++ # Setting redirect=True should not change the behavior. ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ ++ # Setting redirect=False should not make it follow the redirect, ++ # but MaxRetryError should not be raised. ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ @pytest.mark.parametrize( ++ "retries", ++ ( ++ False, ++ Retry(total=False), ++ Retry(redirect=False), ++ Retry(total=False, redirect=False), ++ ), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_false( ++ self, retries: typing.Literal[False] | Retry ++ ) -> None: ++ """ ++ Check that setting retries set to False on the pool manager disables ++ raising MaxRetryError and redirect=True does not change the ++ behavior. ++ """ ++ with PoolManager(retries=retries) as http: ++ response = http.request("GET", f"{self.base_url}/redirect") ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ def test_redirects_disabled_for_individual_request(self) -> None: ++ """ ++ Check handling redirects when they are meant to be disabled ++ on the request level. ++ """ ++ with PoolManager() as http: ++ # Check when redirect is not passed. ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", retries=0) ++ response = http.request("GET", f"{self.base_url}/redirect", retries=False) ++ assert response.status == 303 ++ ++ # Check when redirect=True. ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=True ++ ) ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=True ++ ) ++ assert response.status == 303 ++ ++ # Check when redirect=False. ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=False ++ ) ++ assert response.status == 303 ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=False ++ ) ++ assert response.status == 303 ++ + def test_cross_host_redirect(self): + with PoolManager() as http: + cross_host_location = "%s/echo?a=b" % self.base_url_alt +@@ -136,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase): + pool = http.connection_from_host(self.host, self.port) + assert pool.num_connections == 1 + ++ # Check when retries are configured for the pool manager. ++ with PoolManager(retries=1) as http: ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ ) ++ ++ # Here we allow more retries for the request. ++ response = http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ retries=2, ++ ) ++ assert response.status == 200 ++ + def test_redirect_cross_host_remove_headers(self): + with PoolManager() as http: + r = http.request( +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb index d384b5eb2f..b26c9ad2fa 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb @@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e32 inherit pypi setuptools3 +SRC_URI += " \ + file://CVE-2025-50181.patch \ +" + RDEPENDS:${PN} += "\ ${PYTHON_PN}-certifi \ ${PYTHON_PN}-cryptography \ From patchwork Fri Jul 4 15:28:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66251 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6124C83F03 for ; Fri, 4 Jul 2025 15:29:18 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.14815.1751642948963643198 for ; Fri, 04 Jul 2025 08:29:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=bU0tVvGw; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-74801bc6dc5so884201b3a.1 for ; Fri, 04 Jul 2025 08:29:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642948; x=1752247748; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MumNgmGaBXZtO/aVbVPmXug4hfst4F85syJONZUdz/k=; b=bU0tVvGwGszDB9Io0qKy75q0cw4W7TcXofG/KBaqIZYRTLzj+rfM8fjtJ0RiQosvMA edwpxlhaNlwQRmn+TBIjLahPvcUCf0kLNYeuWi/+RKA4/gWMEXejOEYu/D2enCrWWHwD SxWY55wRZ8hm1fzWDGx8ayrFKz92yZlYXcTnfpjngcjAGBsak/2L/OndhBhdy56EYz7q dLHVFHkOnt9qcZIyF1T07u2iol7oTxVsGV/+P9g+aQ7s1nVsOrPOuw4wkWkHLmJx3lhT JomyBJz1/tWrFH7tfSicjwWzZPSwkeW5YgF8wqkfZhpIPDbmgrto7FvUWs8CxA71yQct uv9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642948; x=1752247748; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MumNgmGaBXZtO/aVbVPmXug4hfst4F85syJONZUdz/k=; b=lTAhdVy1mBVWM6qX1EtkuiZY2z0za+OoEB0QPhK2GPyS/qDP2BuP3vWMmjMngtLXFV hiJ6Pt5qGxUYzVhVPGqKy83X9HVxSQ5tGvOAE9+00GDhVkG+3G8/iRBwtLt6nbhtabjL Vgffo2Ohk66GQZr9pfTDeO4ruggAeH5ZUrPXn2AdC7YGXn8fabIyN6xFWyeE/Ty+hAr6 YGtcJ6cpczS3vZC6P82sBtQvoHogFN5ZgY/JUB06A8DbBaPGfzjQEycsa/ppk8kVk5sI 2jIiInqpFtFhb9d8dJ0uO4BE+gEvACUnqgtOcXkjguH8Pp6EPk2h0gv4bwXLQbi5aVuL SWAQ== X-Gm-Message-State: AOJu0Yx6w1etHzBDyf066ur6CUViSj2y/4R0fK+cugRlWpYAMXC5PHPA 78Nb0KVUusG5vz1TlHrpNvjeaxWrWkQ8jXOAfFWTzwGHLrdlM0GWpn6dSH3kUJlhY/QHc1S86EK pC2tP X-Gm-Gg: ASbGnctORlb5bHVLE1OGeOw9ccqy/xjl4+2MMT6TFRmWYuAMTyyaM+GPYKeg7BAVTDV V3TVF5nDVilabeDhy0UmVL8VU0ch0FXVLNF6KJjKamnuOMkh5il/m2BFyZUuFi6nyzf8lUWzM/M l+xJu9CrZqN5MWI7XxXrbVn2c9RMZo48vC8y4kaDUVHQzqfaL+MGBrSTom02tXGFltifT80qv4c KGJ42FMtMeLlL6f32Om5lrB+i+KkZqgbd2KrjBFUQq2pRqZsVLqbacNQ5Gkj8dLKvUzbq4dlM38 IPWO4MF188r3IiR65hpE+x2Y5NwW5C3fscJXnvPnIRPJzg045xmqDw== X-Google-Smtp-Source: AGHT+IEcIITWCIKQJI3QPoFjJFc8qUAcdQDgdGr4Mchro9LMwMvOUyXAwQfgkm4vKx+gHwT4sN5ICw== X-Received: by 2002:a05:6a20:d492:b0:1f3:31fe:c1da with SMTP id adf61e73a8af0-225af054ca1mr4382649637.11.1751642948039; Fri, 04 Jul 2025 08:29:08 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:07 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/9] xwayland: fix CVE-2025-49175 Date: Fri, 4 Jul 2025 08:28:50 -0700 Message-ID: <2c8e82f860792e7fb99c78c512be57ce74774a34.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219943 From: Archana Polampalli A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch new file mode 100644 index 0000000000..bfb37fcea0 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch @@ -0,0 +1,92 @@ +From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 28 Mar 2025 09:43:52 +0100 +Subject: [PATCH] render: Avoid 0 or less animated cursors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Animated cursors use a series of cursors that the client can set. + +By default, the Xserver assumes at least one cursor is specified +while a client may actually pass no cursor at all. + +That causes an out-of-bound read creating the animated cursor and a +crash of the Xserver: + + | Invalid read of size 8 + | at 0x5323F4: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd + | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803) + | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | + | Invalid read of size 2 + | at 0x5323F7: AnimCursorCreate (animcur.c:325) + | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817) + | by 0x52DC80: ProcRenderDispatch (render.c:1999) + | by 0x4A1E9D: Dispatch (dispatch.c:560) + | by 0x4B0169: dix_main (main.c:284) + | by 0x4287F5: main (stubmain.c:34) + | Address 0x8 is not stack'd, malloc'd or (recently) free'd + +To avoid the issue, check the number of cursors specified and return a +BadValue error in both the proc handler (early) and the animated cursor +creation (as this is a public function) if there is 0 or less cursor. + +CVE-2025-49175 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +Part-of: + +CVE: CVE-2025-49175 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee] + +Signed-off-by: Archana Polampalli +--- + render/animcur.c | 3 +++ + render/render.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/render/animcur.c b/render/animcur.c +index ef27bda..77942d8 100644 +--- a/render/animcur.c ++++ b/render/animcur.c +@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor, + int rc = BadAlloc, i; + AnimCurPtr ac; + ++ if (ncursor <= 0) ++ return BadValue; ++ + for (i = 0; i < screenInfo.numScreens; i++) + if (!GetAnimCurScreen(screenInfo.screens[i])) + return BadImplementation; +diff --git a/render/render.c b/render/render.c +index 5bc2a20..a8c2da0 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client) + ncursor = + (client->req_len - + (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1; ++ if (ncursor <= 0) ++ return BadValue; + cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32)); + if (!cursors) + return BadAlloc; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 8b1fc85aab..55d381f868 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -43,6 +43,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-3.patch \ file://CVE-2025-26601-4.patch \ file://CVE-2022-49737.patch \ + file://CVE-2025-49175.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Fri Jul 4 15:28:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66253 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EEB5EC83F0C for ; Fri, 4 Jul 2025 15:29:18 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.14858.1751642950498860605 for ; Fri, 04 Jul 2025 08:29:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=1blTLoWE; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-74b27c1481bso680746b3a.2 for ; Fri, 04 Jul 2025 08:29:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642950; x=1752247750; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=42ZjTNiR1butv7dyJ+HCm60kzsgq+bIs8V25I3Ko4bQ=; b=1blTLoWEHdhN/kbccv3RE2HsoDxC3CawyKLXefK8FurXE7zarFHzwGrLbuTDTSsGz2 yVtokfpW4qOn41aks2VDeIlrqXF47vLmjPbHcGFh/qLtIfkJwSjkWEEOOJ97/K36CF+e QNQWi7dkXr+fwxFoZOcn+pA7c0Ro9AmKTSiNPTFf3ixuAe6giXU9c3Rn1BWgBrOofbeX oBb9FWGImTkXCYvqW34GhDg6CH/3KjmK9/24B4Bcubv2KaG50iw1yLsfJD/CRrRJ33P+ qYKr4kc+VLoi/AZZam0Gun+7oaBT2BMFMt1EZZE/kuauNa35pCgFG/M0NMeC2Fk/LZYc ki/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642950; x=1752247750; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=42ZjTNiR1butv7dyJ+HCm60kzsgq+bIs8V25I3Ko4bQ=; b=ZeTHyBl7iMN6cfMVopnDCapQITW7W5XvBiGAxcsvEOo5YlUrN9fbpxYjmMFCm/YrIF ngBl7Lumca6nEHbTSEc8QBq3PGlOPnQxDLPnJganKgHT7Y5eP/6XHpq4ITb9oN06sBH5 Zvss3r2DGTlVshwjpY+nt1sGzvZtnrMDezN8o4nScM/xj4QaxGtCE1K9QxIKUksFeLZh xbg9ObXKaVKGdePCB8wRF39UuHmRqKNLxbNdkmULgQdoImEVwFLWZonx+hkerqeQzVfm lAynUtDCOMInC0yoH45BUS9Oqdt87GhUXHgiOUFs+QtQnKMoxfbueQW1u98rWACMomVf h2jA== X-Gm-Message-State: AOJu0Ywu1h6EMo3nwpSepVV/0PBS7kw0yVV8IC1WrKuW3J8jy1r3iEyW v5MGGlaptCACngb1A8SCTK33MavDzaf08gRgbErU8i/m9rjR4YFmVQeFUo3Wx91+PqvScmgj+m8 2QFp+ X-Gm-Gg: ASbGncuV4EMnm4DPgdP1H/DCkmC9fmWmK9vZeQLi5zswZ0TEIF03vhQi5tVpBtrILi8 CK1wjZBbI2hsFC4byMkVqIyo89NU7w0oRs6/aUFBHyPUoc/qv86bic5MifpaWACPLnBVJpaSXwA cJbKdiTlPcIPrp0DCSSILOhGp6cWbAZDIlERAH5Fg9Ow8W/iTLsRAfQ+9u+5dZ/qBZT1C7gbj5z RCcoIQRl2lCj5OlpX9op73MpSEfMTt6Kl61N9Xav1t3+1C7xaEBmuQ3UDIapbQvpQ9p4q2fAP71 RlNeYa5QiJdP8jOnHufjusuDrUkAs3kROFGgBP4FA/dVZVAgBwEC7A== X-Google-Smtp-Source: AGHT+IHtZAlz4vHB19H8wGVxgybRDGrDvyd+wHPwy5sWpj0bG5Y5yHM1eTEMv0m0N/rW3wTkpGnMbw== X-Received: by 2002:a05:6a00:3d56:b0:748:f1ba:9af8 with SMTP id d2e1a72fcca58-74ce69f212emr4566186b3a.21.1751642949552; Fri, 04 Jul 2025 08:29:09 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:09 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/9] xwayland: fix CVE-2025-49176 Date: Fri, 4 Jul 2025 08:28:51 -0700 Message-ID: <17033023d679a597e31964b0fed2b2e89cdf61ec.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219944 From: Archana Polampalli A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/CVE-2025-49176-0001.patch | 93 +++++++++++++++++++ .../xwayland/CVE-2025-49176-0002.patch | 38 ++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 133 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch new file mode 100644 index 0000000000..fd3b1d936b --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch @@ -0,0 +1,93 @@ +From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 7 Apr 2025 16:13:34 +0200 +Subject: [PATCH] os: Do not overflow the integer size with BigRequest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The BigRequest extension allows requests larger than the 16-bit length +limit. + +It uses integers for the request length and checks for the size not to +exceed the maxBigRequestSize limit, but does so after translating the +length to integer by multiplying the given size in bytes by 4. + +In doing so, it might overflow the integer size limit before actually +checking for the overflow, defeating the purpose of the test. + +To avoid the issue, make sure to check that the request size does not +overflow the maxBigRequestSize limit prior to any conversion. + +The caller Dispatch() function however expects the return value to be in +bytes, so we cannot just return the converted value in case of error, as +that would also overflow the integer size. + +To preserve the existing API, we use a negative value for the X11 error +code BadLength as the function only return positive values, 0 or -1 and +update the caller Dispatch() function to take that case into account to +return the error code to the offending client. + +CVE-2025-49176 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9] + +Signed-off-by: Archana Polampalli +--- + dix/dispatch.c | 9 +++++---- + os/io.c | 4 ++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/dix/dispatch.c b/dix/dispatch.c +index 9e98d54..20473f1 100644 +--- a/dix/dispatch.c ++++ b/dix/dispatch.c +@@ -513,9 +513,10 @@ Dispatch(void) + + /* now, finally, deal with client requests */ + result = ReadRequestFromClient(client); +- if (result <= 0) { +- if (result < 0) +- CloseDownClient(client); ++ if (result == 0) ++ break; ++ else if (result == -1) { ++ CloseDownClient(client); + break; + } + +@@ -536,7 +537,7 @@ Dispatch(void) + client->index, + client->requestBuffer); + #endif +- if (result > (maxBigRequestSize << 2)) ++ if (result < 0 || result > (maxBigRequestSize << 2)) + result = BadLength; + else { + result = XaceHookDispatch(client, client->majorOp); +diff --git a/os/io.c b/os/io.c +index 841a0ee..aeece86 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) { ++ /* Check for potential integer overflow */ ++ return -(BadLength); ++ } + needed <<= 2; /* needed is in bytes now */ + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch new file mode 100644 index 0000000000..6d7df79111 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch @@ -0,0 +1,38 @@ +From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 18 Jun 2025 08:39:02 +0200 +Subject: [PATCH] os: Check for integer overflow on BigRequest length + +Check for another possible integer overflow once we get a complete xReq +with BigRequest. + +Related to CVE-2025-49176 + +Signed-off-by: Olivier Fourdan +Suggested-by: Peter Harris +Part-of: + +CVE: CVE-2025-49176 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/os/io.c b/os/io.c +index aeece86..67465f9 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client) + needed = get_big_req_len(request, client); + } + client->req_len = needed; ++ if (needed > MAXINT >> 2) ++ return -(BadLength); + needed <<= 2; + } + if (gotnow < needed) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 55d381f868..40f010865e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -44,6 +44,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-26601-4.patch \ file://CVE-2022-49737.patch \ file://CVE-2025-49175.patch \ + file://CVE-2025-49176-0001.patch \ + file://CVE-2025-49176-0002.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Fri Jul 4 15:28:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66255 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0130DC83F0E for ; Fri, 4 Jul 2025 15:29:19 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.14819.1751642952214989226 for ; Fri, 04 Jul 2025 08:29:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ASxxoyau; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-74b27c1481bso680759b3a.2 for ; Fri, 04 Jul 2025 08:29:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642951; x=1752247751; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FeiMRS5ZYXWINlnMBTnTt9ZQnHdfQOaX157141oCVZc=; b=ASxxoyaufzJyMmCcPJDvZhXFST8uzih1DiOQJlEH3z9zSm4aT6riOBdgRVzsxM7zXh WHf+imLYqauPA2duvMW82sg0cfTTQhC4HWjxWg2h3THuvVNV31Fzy4NG0zKYqkoHn1LA nMJc/SGjD9WEALfhDxiU9dSRTYl+ssyDYqJK2KAKtbmMd+Tftj/gd1lH7NzmYOAnZ5wl 7LmHVvZzHUD5RQo4qBfC3blcv6OruCNhXZb6K26C4i7W/FJkj3rtIR+3gga/naLViEB1 SbBgzMqmsZZSAmjDVBfY0sG3acnjreYs0YWLblk3ZhpGSUODc+gyjs5ZCao0nLgSGCBI 4juA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642951; x=1752247751; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FeiMRS5ZYXWINlnMBTnTt9ZQnHdfQOaX157141oCVZc=; b=e+BduhRg7Cri+Px4uL2j477fXf7OU6oAcNVjB/YKysgs0tfLYTUkBZfgmGDrUrR96I 0aWctW6TZW4s+CMxvJxnRNBwkLZHBMXyUM1p3d8ZPIWEq4aSsz7s5QQ9o3cfBX7EzJtN amkEUsewfA2yyFYoopSvBjlk5kcyuZT120qPxkmpTEDb68fcv2jMgvfvIU5qzy325wDb cNwDhZWr/7HakQvy8OVWTsaiMCuMtCPngiEGy99UB6K66IkPELMKCaxZPmKNML7RABYN s23nCRF7pEgN+S6QUXNiVOO4jA/vCOL83JBvZSghcdlbvfgahVNrQYMA2W4sjJ20Eo07 Lb/w== X-Gm-Message-State: AOJu0Yzc8/XKsHxar1q1MdUae+/SMYDa3FkK1eA36NcaJnh8ad9/CEqh ulnXJmTnJkuDQUnt1YB/ZwLa7ZxRnWk1PQEQiEtaRjuyqhQmm6+FnCyWG/J+s4l3HkIbqV7ddW7 R99Qh X-Gm-Gg: ASbGncslJY8Z0lcL9JpgJjzZST8F6mU705JyU42cjkhbyj+D5fAH2x3I9GgIo7hzule LJS3NXS5iFTuX/G4nqXTsUKk2TZTmIgIyRheDuqEIEhXP9w7o3rCLT4z3Xcjyb7V+PKygVgp9Ky A5+7b+8EAIkH+hNYNrSX5PiM8IbbuB/l7lzVuf8lxLK42q/TfBhb8gnD/yuo4PTrhrHVMql4XW5 flaIoOgA7ZNMD+/vLW/K2gBZZ/bb9ZVG75auVoANNGM+dA6G6HgzAQvQLVk9E+Hf01jnigig+7+ PTgZb8IiN1uzCVq8l3/WXod3asjibYVSx3WDS8sxX8xa8hTbwq+PMA== X-Google-Smtp-Source: AGHT+IGt1qVkmDm0ibXDAmcVAUFoBOLXSIETdmPmkjZEHD9VppvWxwld1VSLG0+PyhLfRgh6BBM2FA== X-Received: by 2002:a05:6a00:2289:b0:742:aecc:c46b with SMTP id d2e1a72fcca58-74ce698eed7mr4685895b3a.15.1751642951438; Fri, 04 Jul 2025 08:29:11 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:11 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/9] xwayland: fix CVE-2025-49177 Date: Fri, 4 Jul 2025 08:28:52 -0700 Message-ID: <89dde7f86e1c2e61ed71ecf92e908dbe402a2668.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219945 From: Archana Polampalli A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch new file mode 100644 index 0000000000..56ae1de800 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch @@ -0,0 +1,55 @@ +From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:05:36 +0200 +Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode + +The handler of XFixesSetClientDisconnectMode does not check the client +request length. + +A client could send a shorter request and read data from a former +request. + +Fix the issue by checking the request size matches. + +CVE-2025-49177 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Fixes: e167299f6 - xfixes: Add ClientDisconnectMode +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49177 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af] + +Signed-off-by: Archana Polampalli +--- + xfixes/disconnect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c +index 28aac45..d6da1f9 100644 +--- a/xfixes/disconnect.c ++++ b/xfixes/disconnect.c +@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client) + ClientDisconnectPtr pDisconnect = GetClientDisconnect(client); + + REQUEST(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + pDisconnect->disconnect_mode = stuff->disconnect_mode; + +@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client) + + swaps(&stuff->length); + +- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq); ++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq); + + swapl(&stuff->disconnect_mode); + +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 40f010865e..fefc0d4e3a 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -46,6 +46,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49175.patch \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ + file://CVE-2025-49177.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Fri Jul 4 15:28:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66250 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6188C83F09 for ; Fri, 4 Jul 2025 15:29:18 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.14820.1751642953780092103 for ; Fri, 04 Jul 2025 08:29:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=j30d6hyE; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-747c2cc3419so951847b3a.2 for ; Fri, 04 Jul 2025 08:29:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642953; x=1752247753; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=wXfBT4cvnKP7+K+zVEZ+FosN8fS8yv1NB8As+3UT9NQ=; b=j30d6hyEXEEyexg3eK5KmETBnzvqegZ2Fdz6vL26R+UrdtiC/Q3fI8FmymGqeVa/GZ 5fd1GGo2tEI6oYgHJyusey2VOeIwgl/HVlNG/1DgKiP5ZgmFC80rNbH5yfkk4LjgD5ia 1MDppVIbq672QZOkWXPWAa+YUkA69fKHPCOa4N0tQjq06C5a52UrG5nAPufS7t/szQ+d pbDIxyF8eK1L3rGU77GxBHl/dn2JMQZnXwR3/nXZ4O7PfS/3DO3pwj0MtCYM1rU4A/dJ 6K60okDbGd/Qr4LgTbVdVjvtSphZxrlHDkkl6PuDE5/1x6DEnS9evSqN/CGGjQYlvy/G qURg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642953; x=1752247753; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wXfBT4cvnKP7+K+zVEZ+FosN8fS8yv1NB8As+3UT9NQ=; b=ux5N0ATTFJQNHpdct11Pv6I0xyF4N02zd9ZZIo9I1wLdrVgOJho37RDiMbPzVV4W3N 3kf0MoOwlukHDFh0bpx29jvUuYda5UcAj6OS6toFolqcnwstCYievURphDVgd/Pm0uPn 8E2KUOXEh9Skn3vNH4NwCnWSciqni316X0Xc+E/pWsMvM0Gy9GOujlx2ZasoK1ByL7WD 10yCQMx3ebid58KpEBWx0eWPD5bLrNXrmmceCBpESiyzqtwaSNPZuHfLf9Lds3ssifiS rySP6ZXlhF+dBWqCUK6Lob4o0JruAsZcFmHo+5x1EHjgo3xGBu3njuyh/di+NDYRokvL VdKg== X-Gm-Message-State: AOJu0YzpDyuJIUyzKfqMxynAVOe/IsWCyQw47N1ZuEpE24/Rype32Q4f kCym06ctfWW25+zBShePCtsIIEtdYCszYJ4zl5rbdYhm5tVyBB41EobUj0P6GzF4hHxWhVrB48y PL+eV X-Gm-Gg: ASbGnct8wPFXSDMZ5MW2mvj5GD8sv6Ad/QRB8jJnP+J8nNjlTzQXFP/c5WdG8Zsj+VC eOZDYizaodwhN91YMt2TJGqZL41+yzAid2N+rQt2Hexp2iy/ttNzf3mBTSHgSF9BeSyxKzOAT9i 1FGbqkg2jsTyjqQ4btEhAiQ3lY671xLCbcYJMSeOsCiCFx1Jg0Tcy8bejNB0mneluWq1cToIPrw pIW18sSMc+3DFjP/KJs53NbPYbKp7+AvrZQgvSQV9OLNuMaSISAa9xoNVXymD8Ab8t0G0qNuOTN /oEvV4C6h5z/MqmuZtYMqiiLne7e1FLk6lSzwR22nA7+obnHtbNLEA== X-Google-Smtp-Source: AGHT+IHK/MTvLW1C9hWRejp4LWia8wjStRht3xLt2NLbQCEy66iFFjiEw8JNmfXGu79SYapK1ciu2w== X-Received: by 2002:a05:6a00:4fc1:b0:748:e150:ac5c with SMTP id d2e1a72fcca58-74ce6d7ba84mr4359310b3a.23.1751642952920; Fri, 04 Jul 2025 08:29:12 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:12 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/9] xwayland: fix CVE-2025-49178 Date: Fri, 4 Jul 2025 08:28:53 -0700 Message-ID: <9ab0fb0deebd4abb22dbfc6b40fe962cb3388fbd.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219946 From: Archana Polampalli A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49178.patch | 50 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch new file mode 100644 index 0000000000..5ef2fea1c9 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch @@ -0,0 +1,50 @@ +From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 10:46:03 +0200 +Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer + +When reading requests from the clients, the input buffer might be shared +and used between different clients. + +If a given client sends a full request with non-zero bytes to ignore, +the bytes to ignore may still be non-zero even though the request is +full, in which case the buffer could be shared with another client who's +request will not be processed because of those bytes to ignore, leading +to a possible hang of the other client request. + +To avoid the issue, make sure we have zero bytes to ignore left in the +input request when sharing the input buffer with another client. + +CVE-2025-49178 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49178 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2] + +Signed-off-by: Archana Polampalli +--- + os/io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/os/io.c b/os/io.c +index 67465f9..f92a40e 100644 +--- a/os/io.c ++++ b/os/io.c +@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client) + */ + + gotnow -= needed; +- if (!gotnow) ++ if (!gotnow && !oci->ignoreBytes) + AvailableInput = oc; + if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index fefc0d4e3a..caca8ab0f6 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -47,6 +47,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0001.patch \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ + file://CVE-2025-49178.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Fri Jul 4 15:28:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66252 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB64FC8303D for ; Fri, 4 Jul 2025 15:29:18 +0000 (UTC) Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) by mx.groups.io with SMTP id smtpd.web11.14867.1751642955328418437 for ; Fri, 04 Jul 2025 08:29:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=C3STy7wG; spf=softfail (domain: sakoman.com, ip: 209.85.210.173, mailfrom: steve@sakoman.com) Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-74801bc6dc5so884292b3a.1 for ; Fri, 04 Jul 2025 08:29:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642954; x=1752247754; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+JqPf9UrISb6OWhmAEy3Jy9M8LXjbaDuVFu7tcMGfsc=; b=C3STy7wGvSPi1wyPDMGktoewVegFBdY5H2LyebPyDSYOwF1zFtPQovD2GFRxYWVbsP 4+Ivm57LVujJUMQEAVOktHSkW0Pr6AAy1gITtz8/whkzYlldW5qLAMVMTLAhUxHV+Cx7 CofFvxyQIcmX/fN2b628J6RR2wGlzW8kaqEja1hMZUBLwzM+14rSo2xzOGZerCN3cakF 1RvYXPheJD/1gUrnDdF5/kTB2Ii9Dh4Wl+/uHjXdYQvqP+MD62huP2wWUnHPZsoO/7Fh IIbwOs9PWpt89s+6QIpYvLBzfYiydYmD3ZYV2wdtsi6Koh7TykMriJufWI4ECZZqIn3k sxqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642954; x=1752247754; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+JqPf9UrISb6OWhmAEy3Jy9M8LXjbaDuVFu7tcMGfsc=; b=HkJxO8cndLkj6gMkU7ofBu1WiMumMRc1d7yUhgynC8980U93NyaOd+6q8bQ7WAkSTd 9a5cW4U0kiBmOTk539Ud2GnxHEohEBAfom3xp4fNnaXQaHu7+Q2M0A4fSjrdru8OlK93 vIW8g55eCBU0JfEAV4H/rGEOd+kc8P18XplXZ5nMjtigpI2Rz5nlcNBzIpiJyOjKC059 lANwMUMp6MRaV03qlfCfDVgnaA4mpKAWpkNDz82+RALAZqimJIcUyt2parUSqc9ttVpz cfuOFllQYkqgTjAWHrGMvsUA0MTVAiO7JRP0240MHvGkTlwvqJSVTRrYTgYz1Wi0xfa8 WCAA== X-Gm-Message-State: AOJu0YxQYWgW8bnGJH0vfBKhcKyCXuuH+Si3LkWsrNqyyU87OtjtYxRg vbJKefFvL4FXdw1LhU9I/S+12Sez3GwjXTo9pEcbxDXChs3YJxbI71uY3jZUKmFLMXCD46Dub/g 2DICq X-Gm-Gg: ASbGncv7KkaA4gqK29X0ttpi86fz2EDSQxXQqKQ5hCINPJQw5tphQ42R1gOi/2L8Vod FUC90hhzZuZrNgh44eCXnVYZw0GYAwejqMFxuz9RsMs1Sy0tSC4Kt65sV8qafcpUpgMIIRgYP4X dbITkkKlnWOle7h3Rrwr31BIwKsdxE854hlfcIXiSY+8giHQPE4/Pndv20+kGA8TlwYNh1tYdHb xitFiQfb1MZPW3aLZSc4FOfT28+3kmJQ1TbXy0JSwyj42zyduUACBwMbDPO7bCwS7Jo+uMD9DjP d0kjz+HK6QLuh/CD67czcoXsu280WrB5wUNXcz480faSTSt3BgG/HA== X-Google-Smtp-Source: AGHT+IG8pGP8JkJZTcrt1aqId+GCuT15eE74QWQ+Xs05Tvgz5IKS36SOJoVLY37iTLhbBpVDFrv04A== X-Received: by 2002:a05:6a00:2301:b0:74a:cd4d:c0a6 with SMTP id d2e1a72fcca58-74ce5057cf2mr5718552b3a.5.1751642954375; Fri, 04 Jul 2025 08:29:14 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:14 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/9] xwayland: fix CVE-2025-49178 Date: Fri, 4 Jul 2025 08:28:54 -0700 Message-ID: <24cf72e0fac261e335016e0b490f1fc10992bbbf.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219947 From: Archana Polampalli A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch new file mode 100644 index 0000000000..48c7ed8c13 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch @@ -0,0 +1,69 @@ +From 9d205323894af62b9726fcbaeb5fc69b3c9f61ba Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Mon, 28 Apr 2025 11:47:15 +0200 +Subject: [PATCH] record: Check for overflow in + RecordSanityCheckRegisterClients() + +The RecordSanityCheckRegisterClients() checks for the request length, +but does not check for integer overflow. + +A client might send a very large value for either the number of clients +or the number of protocol ranges that will cause an integer overflow in +the request length computation, defeating the check for request length. + +To avoid the issue, explicitly check the number of clients against the +limit of clients (which is much lower than an maximum integer value) and +the number of protocol ranges (multiplied by the record length) do not +exceed the maximum integer value. + +This way, we ensure that the final computation for the request length +will not overflow the maximum integer limit. + +CVE-2025-49179 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4) + +Part-of: + +CVE: CVE-2025-49179 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9d205323894af62b9726fcbaeb5fc69b3c9f61ba] + +Signed-off-by: Archana Polampalli +--- + record/record.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/record/record.c b/record/record.c +index e123867..018e53f 100644 +--- a/record/record.c ++++ b/record/record.c +@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. + #include "inputstr.h" + #include "eventconvert.h" + #include "scrnintstr.h" ++#include "opaque.h" + + #include + #include +@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, + int i; + XID recordingClient; + ++ /* LimitClients is 2048 at max, way less that MAXINT */ ++ if (stuff->nClients > LimitClients) ++ return BadValue; ++ ++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) ++ return BadValue; ++ + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != + 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) + return BadLength; +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index caca8ab0f6..691b017662 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -48,6 +48,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49176-0002.patch \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ + file://CVE-2025-49179.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Fri Jul 4 15:28:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66254 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1E50C83F0B for ; Fri, 4 Jul 2025 15:29:18 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web11.14869.1751642956678621283 for ; Fri, 04 Jul 2025 08:29:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=NNHGc6B7; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-747c2cc3419so951869b3a.2 for ; Fri, 04 Jul 2025 08:29:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1751642956; x=1752247756; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qoHdctT3Ap/OSJOFMYsfuIJZfCT/56gzGVbZnBgCmTY=; b=NNHGc6B7y8rT3A/6BhmCeowMYPLb4prFHMeTo4OhgwgxIVRuy3qKj04c+0TCgmT6Z8 KblWfDiQq34krpmTRDngS8r3DYSrUn0YGtayn7rtsvexWNkHny6OduOjbkbu++A1TNwr h3CimO8QMYkeqB9xlSli5xMvCAz8f7FFIHu/YPg5kW/XdixGNKLiFtfl8HiCE3UnCgYQ f3FzSfw6K5oUobqp4bxo1jlq0Ch1n+7hhnSRUICrfVrj5/LkD7TuHJK8y33gxI4uIae9 0CqDrFsmTpDEXxmWGNUIn1hWEVp0TkkyQLSRoq+ShzJFa54MDMWq42A2oQoc6Sosa4iB 8cMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751642956; x=1752247756; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qoHdctT3Ap/OSJOFMYsfuIJZfCT/56gzGVbZnBgCmTY=; b=B+d4CVnj9Ymlqs1Sd+Y6EXeEgut4JW++U18vXCvfzpLIoI+5BRPFzoUgJ15gSGx8zz aDT4LkyxkUyqV5yKO01cX3z15i+CsyEJWSUS3urNgYSjDengwSAw8H1Vs0v/pkZPTQEm 3sAJ6+TjYL5wI4rqhy577iC/XJUxD+2Vy4JRhXUSm6d9C4nvbDuKvN2TqPjzc+JKxIXn YdXeKCQNnVpnYpYYEPv8NfUGzeN0qr2D8FuuCxbxpiukRiEW7rZVG5TvBD+fb402fRp4 wjMt8SCuzgsnza783ljNWyzglWoih+kHoYy1YIDOIhZqTRLSf48h4RPYP3UmLSEr4Xj8 Rlvw== X-Gm-Message-State: AOJu0YzTCQ0KKlJGvkF+kn4ahBMK14K/8qBxseZnJQ0UhzYcEj21xlIy dZ+ODFN4oYTK+UpXFa27I+HqnsWvuv5hudz8hMarP6zC1Qvg7vwDD3Dn7TIjev+qJDbyiZ6OmHx CQFrA X-Gm-Gg: ASbGncsvfEfh8+6+8f6i7XZy8SDfKgsqCLTguuNtWCCNR+ulD2tKKtTFMeBJGJVnTiU AG/4/fxUT1GRFU68L1pcRQ4+OoORVKoy3AnIqU3txhTbAjZLbIIzKe7TD8yPOwJeHFqKEdxXZ2s vCfiFaYSqLCdqLy6Of4ZI5dwnvdEFPznUwtkanfBHIuBrhBs/zDLEzPZGUExO2T0oH9FEjgQkTp 8lW6MextZRzvfvYHbbD45ji1jeszTjqOO+LB0ZTNOJgoP1SmPMGvTpaqKvD3kP/zqutqXNr0DLz ad+S/vXm1CfVfJcoZA2tEcgRMkv5fv2E5asU/1FgGjHb4f+12bE6fA== X-Google-Smtp-Source: AGHT+IEmI4dpOGOa6rxjBeDJpoVGVYCiXBXJPAAdvPW2naGRANeAqSjZ18CcwyoB/TQ7nHsuEcH38g== X-Received: by 2002:a05:6a00:bd04:b0:748:fb2c:6b95 with SMTP id d2e1a72fcca58-74ce6d4689amr4413708b3a.18.1751642955772; Fri, 04 Jul 2025 08:29:15 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:d985:cb7d:ae84:68cc]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-74ce42a1ca0sm2424232b3a.138.2025.07.04.08.29.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Jul 2025 08:29:15 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 9/9] xwayland: fix CVE-2025-49180 Date: Fri, 4 Jul 2025 08:28:55 -0700 Message-ID: <928df4bd523cda32e1d9e6d24ef668581e8bbc31.1751641924.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 04 Jul 2025 15:29:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/219948 From: Archana Polampalli A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-49180.patch | 45 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch new file mode 100644 index 0000000000..51939acf63 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch @@ -0,0 +1,45 @@ +From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: + +CVE: CVE-2025-49180 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6] + +Signed-off-by: Archana Polampalli +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 90c5a9a..0aa35ad 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +2.40.0 diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 691b017662..73f5a05ce7 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -49,6 +49,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49177.patch \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ + file://CVE-2025-49180.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"