From patchwork Wed Jul 9 15:19:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66497 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5AC6CC83F0F for ; Wed, 9 Jul 2025 15:19:25 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web10.18415.1752074362194235605 for ; Wed, 09 Jul 2025 08:19:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=rvH/pNko; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-31332cff2d5so98923a91.1 for ; Wed, 09 Jul 2025 08:19:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074361; x=1752679161; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Clp4Zzv4lp/5my0Ec+R76LEGQ+wb4RhPXhQx5cjx/kg=; b=rvH/pNkoGwzZR9TXzKYRts345l4U/p1xjmQVHwlw0CzXt5BLLv6krs/oOpPAUBYXkk 8aR9UPDePxxP8BHnerUDlahuWSOmh6AUDYCZsGKXSZqHnJ1MpKbDIyX0E+MpTWxCQ9t6 6A/PADpVhVfofeeidoYW7SYgxn5117hHWSbaBNnsTxT5A1UjK0v0X2r+AKnwUsY7ZIrf xus9Kta96HLUdoowNhQrbvKc9GozX+56bIL16LS1vyWG3JXtj5cJwgkE2zxeWYIPTxXL nNMDskgX5tWnRhYoR+pHglw/h3NKmwtxUj/NfzD7hl3mfvtoKkIyTm0jszRrmI9muaxX CSqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074361; x=1752679161; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Clp4Zzv4lp/5my0Ec+R76LEGQ+wb4RhPXhQx5cjx/kg=; b=CwkvY4SgITDge9vHwM+7WBzi+TmKx/lwBuoX6cRhZlF+SJkV16DIkDQo90o9ZMhAlH DWOaTnfsymFbATCVXpf6o3jtaAJjVVr7EzJKgNaH+44X9ekTWw0lM+7RGl0Vfq1gzKrz gy3OdmJX6CpPKQn/WIiynFA3dJ9loHsxd4QXrLNAXo/fOSzXLFzXBpSE+cZQEXdfCwZx Hy5g6zHtuqszm5KQw/fFTy6DYdTOecKVQySL97WABEp4Y2Rz7+KP6CHYlN6r4ybtbBCY PfemeuvTniGo6tfDncE/k45ulbp1rjFfc14z3ssmVwVZo0zdWQDQGI1MbozeJ94FCxlh OBPA== X-Gm-Message-State: AOJu0Yx/Qndn7pg5JfYSPp07TYmiGvdRayZ1/ovvq7u0UEC2S3VfbxKe 55dIDZrxwLpS37SchfzumO8xPV2RgwWby0bwMvw67yoC1MPKk77hiDGX5UBkMzA6umLpW3smVDr DmcpJ X-Gm-Gg: ASbGnctTo29LowFEDndW+EnwU7MTJwpiWga1VSRAtEinbfIFZue7wJQ2AndUw67tSvo 8gB4bztV8d30aUFO6t8hjv6GOM8UkszdGFeS5MRl/Y9Y7sCvY7BWjzEZJNnJ8Fk6cW/wGVzQMdB o0UC1vqtfRuLQhCjmnU5bVO0BpQt2QVzu2UNUekgbNS4XlDGSYCJcbk7ys/FU9yZDDZJHsn0pIq cPjX7zEAAb3Qx4PcWjLtWAJ5jVVHZNcAbfU1mR07cIQOvdxvNYCfVwKkqAz0oOhN6ZqQ1JoQkCC z4xailVmF3jJS7oQaJoiqIVVkUb6tGe10nLEjFd+3m8Ju32f+sflEA== X-Google-Smtp-Source: AGHT+IGBZtFzwuoF8TIe6Z2L/AUg8NDd73aCFUSVe3uyDKk8c6an2TocSdtA3l9HmZJmvbz5PJpMnA== X-Received: by 2002:a17:90b:1b08:b0:315:aa28:9501 with SMTP id 98e67ed59e1d1-31c2fddc381mr5174495a91.24.1752074361248; Wed, 09 Jul 2025 08:19:21 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:20 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/11] libsoup-2.4: refresh CVE-2025-4969.patch Date: Wed, 9 Jul 2025 08:19:04 -0700 Message-ID: <4a0135992778110f2b523f436538c1197ef971b8.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220092 From: Changqing Li refresh CVE-2025-4969.patch to fix the following build failure for libsoup-2.4-native on fedora40/41: ../libsoup-2.74.3/tests/multipart-test.c:578:63: error: passing argument 2 of ‘soup_multipart_new_from_message’ from incompatible pointer type [-Wincompatible-pointer-types] 578 | multipart = soup_multipart_new_from_message (headers, bytes); | ^~~~~ | | | GBytes * {aka struct _GBytes *} Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4969.patch | 54 +++++-------------- 1 file changed, 12 insertions(+), 42 deletions(-) diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch index d45b2a2cb0..c1936b0b0c 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4969.patch @@ -13,10 +13,20 @@ Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/07b94e27afafebf31ef3cd868866a1e383750086] CVE: CVE-2025-4969 Signed-off-by: Hitendra Prajapati + +Refresh the patch, remove the test part, following commit in libsoup3 has a +type refactor, which make the test is not suitable for libsoup2 +[0d7e672e forms: Use GBytes instead of SoupMessageBody] +The test part will cause libsoup-2.3-native build failed on fedora40/41: +../libsoup-2.74.3/tests/multipart-test.c:578:63: error: passing argument 2 of ‘soup_multipart_new_from_message’ from incompatible pointer type [-Wincompatible-pointer-types] + 578 | multipart = soup_multipart_new_from_message (headers, bytes); + | ^~~~~ + | | + | GBytes * {aka struct _GBytes *} + --- libsoup/soup-multipart.c | 2 +- - tests/multipart-test.c | 22 ++++++++++++++++++++++ - 2 files changed, 23 insertions(+), 1 deletion(-) + 1 files changed, 1 insertions(+), 1 deletion(-) diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c index dd93973..b3611db 100644 @@ -31,46 +41,6 @@ index dd93973..b3611db 100644 continue; /* Check for "--" or "\r\n" after boundary */ -diff --git a/tests/multipart-test.c b/tests/multipart-test.c -index 834b181..980eb68 100644 ---- a/tests/multipart-test.c -+++ b/tests/multipart-test.c -@@ -562,6 +562,27 @@ test_multipart_bounds_bad (void) - g_bytes_unref (bytes); - } - -+static void -+test_multipart_bounds_bad_2 (void) -+{ -+ SoupMultipart *multipart; -+ SoupMessageHeaders *headers; -+ GBytes *bytes; -+ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; -+ -+ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); -+ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); -+ -+ bytes = g_bytes_new (raw_data, strlen (raw_data)); -+ -+ multipart = soup_multipart_new_from_message (headers, bytes); -+ g_assert_nonnull (multipart); -+ -+ soup_multipart_free (multipart); -+ soup_message_headers_free (headers); -+ g_bytes_unref (bytes); -+} -+ - int - main (int argc, char **argv) - { -@@ -593,6 +614,7 @@ main (int argc, char **argv) - g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); - g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); - g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); -+ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); - - ret = g_test_run (); - -- 2.49.0 From patchwork Wed Jul 9 15:19:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66496 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 580D3C83F03 for ; Wed, 9 Jul 2025 15:19:25 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web11.18575.1752074363797594227 for ; Wed, 09 Jul 2025 08:19:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BhMV4rXf; spf=softfail (domain: sakoman.com, ip: 209.85.215.180, mailfrom: steve@sakoman.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-b0b2d0b2843so79658a12.2 for ; Wed, 09 Jul 2025 08:19:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074363; x=1752679163; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LK1BOe0wecN7gUJcpd0PmOqXnTs4Y9AUeiKuFtUig6g=; b=BhMV4rXf0Jm4iIzoutm5H9K3xn+CsSZ1K2t5PR6QfrOpEbWUezpHkQ4Kmdo6THcTca VG/ET3lKbwHkC+60ulge+tNdxUh6XHGWAKveAjNkj8mZXn8fVSlIybbidzxzjpRxvrc3 6jykVyW0dmMhD615EuPZJIazy/rRM0gJ9tuoNzsgqrBBH5P1O+rL3TDPc/wVYTMckQ9u PlmOJUAAYCvQGgBNAvouPap/AldXJc8tIOzVERydi33kv9jcQFp1bfSizgE3Ii+PSid+ ls/u1TnbgtuUgNz3kaxxlFIBsAQdCOkYnVJ/pXhoBCwPA6ZHdmerGkilioz/7F0BwYzt CkPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074363; x=1752679163; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LK1BOe0wecN7gUJcpd0PmOqXnTs4Y9AUeiKuFtUig6g=; b=N25OleHZW8TSR/0VUrBNKO1FCOtjHcNPvbaAiyRVgoqwwtN+d28CSxKi7fwV8c2+Q0 s3BxJg2e6YoRiq1WhZrzYPeBVZdp6ah/h3crYp/5oyRKeP/GZN5vom2MlW86IklW8Vbi gayZEqMpaxpsaXjrYK6+7w2cBuea/BLf4FMrWncF/HX40GSN3eFA+yHIla4WEXIST+oP 59lJgJWUyzt/eOPLHuvOPCceSn3WKNSnrDgb2pCx29spx4V7yxrcXLBUpj2vtUIWvAkH ntQGPupk6btSwCYNUMmczfJJXoRM+aynVLa6o0xWHDp1VN45wOxNWmcB4Wp2sLtG2/ho rkiw== X-Gm-Message-State: AOJu0Yxm378ugI0ezYRtfNl9CSVCQr+pdYcuTDE4jXs23zr+QzoTFjPG t8G/4xG5frCP7GvuDyH1ZYW9TpJlgpct4uXmozWAnLDneAHjnV6V9zJQ3SVoOwA3tdPqwJqo3Ag 1N5tT X-Gm-Gg: ASbGncv8dlt6ACuMfqry3wJxA2UTd2aJ7D31GeQgCA9X/BqHoPw1hlfmZUYZOtGmfXK OL4/OmjBNsbWRWcwpNDB0fnsc1m4yTpv9PjYFMpYTOawJJgb9x41j3Qbf6dRSoHgl8Vn2QkqF6H 4vF7T5jA+3CQ6V7CTRFAZqqq+QXnX7EqeZpGTu/jnF5B/LrrOpup/JyTUnjQnBU0KhoEDZvDQ8a 3GL9tAr/b8fnZsvF13GqqpUExF1JEDOSRESuzDUJ4z+JofN8GBsBBGkKrfO6p9CyqjG+NqGs+sd /8B6RMsR64QkkkwUenHtIZP0ToP+Ro7WJ8Rxdbho3xCXCTh1/1aP1g== X-Google-Smtp-Source: AGHT+IHHlpAOJwmLDj1mC1ajIOBRtFFpnfwETSvwAqrxX0YqIeQSq3p4gxf67+z7AMzoMaCGPhZP/w== X-Received: by 2002:a17:90b:2dd1:b0:315:af43:12ee with SMTP id 98e67ed59e1d1-31c2fdb9d3fmr4775281a91.16.1752074362677; Wed, 09 Jul 2025 08:19:22 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/11] libxml2: fix CVE-2025-6021 Date: Wed, 9 Jul 2025 08:19:05 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220093 From: Hitendra Prajapati Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2025-6021.patch | 56 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..9ec58e33c2 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch @@ -0,0 +1,56 @@ +From acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 27 May 2025 12:53:17 +0200 +Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName + +This issue affects memory safety. + +Fixes #926. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0] +CVE: CVE-2025-6021 +Signed-off-by: Hitendra Prajapati +--- + tree.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index 6e04dfb..cdf863c 100644 +--- a/tree.c ++++ b/tree.c +@@ -50,6 +50,10 @@ + #include "buf.h" + #include "save.h" + ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t) -1) ++#endif ++ + int __xmlRegisterCallbacks = 0; + + /************************************************************************ +@@ -222,16 +226,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) { + ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); + if (ret == NULL) { + xmlTreeErrMemory("building QName"); +-- +2.49.0 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index bd6dd88dee..45424e59ff 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -39,6 +39,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2025-24928.patch \ file://CVE-2025-32414.patch \ file://CVE-2025-32415.patch \ + file://CVE-2025-6021.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Wed Jul 9 15:19:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66498 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C0C0C83F0F for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web10.18419.1752074365265137169 for ; Wed, 09 Jul 2025 08:19:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=0O/1cJcg; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-315cd33fa79so61057a91.3 for ; Wed, 09 Jul 2025 08:19:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074364; x=1752679164; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=0NfiUGgjFCLjSW2ysKVHYiOZJsNfXeA3HQhosmrULZo=; b=0O/1cJcgdNO/DWdNCw11+PoAdmngj8qxvkPAiSg1EScEmc0AGP9KzimuvewzSoLAeW pEOIghFUJAdpwCus5Esau5pbepgIIOj6xW525mesguFGZNkWHYzIVMwd8W2Hi+rjY1gP NU4kyUIH2u0XT6w7qTov0ncENeVoE3NMLk27X/tcl19r78PYUNihoss0wWujrOyh2VTb ocsMOOy1BWVtLnFpW4a9fY3THATB74PvVfBWLgQ8ZaWIRIcfTt+TuGU9tDaIHN3ro9Jp fi+r0rDAbUGqd4pxyK3ONtSX/o3c8NwsV2ZY1haiCvz7fN2pgHohaGRi7MkBLKm2py2c 1DHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074364; x=1752679164; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0NfiUGgjFCLjSW2ysKVHYiOZJsNfXeA3HQhosmrULZo=; b=iGIrvWIPhbbCY5WWRVThDYiVgeORhcQGQqNzg9dWFyMxWV6rOgiJ6sHRm9QS7SXelD OLs4Cl/0PoeFiuu5gfrVTo2p/Wa0IryOM5DNhXFho0k/zI0MPwNgzjgb3MskoLvxdggr kev5QI9yA8b7x8SC4ndTyr29M57fNYgGKDUCOAWJJoiuXNnTGXKCfueknudr4MNfS7oF fW5bdLk7dRU+DySCEYAJX9Rae+ttKi9H3apcu+9aCq0NBm2IaBIMeyP1cOTclCNOmO8T EylyNpaLqvxNdnNm1W60zaDtQq8K+uvCZXC9X0kw8VLeE6z04guWqffa7yu9fDszKDjT ucNA== X-Gm-Message-State: AOJu0Yx5appBDjBs0GRUH5GuASfaTN08QigRGIUZAtG10uV48a73xcY+ z7JwpYJEdbKQZk+sLeMzoCMI5kv9BZXRwJvv3AvC4KkIp+5TI06tJH5KtXzBloIniz4NWB701Hd AtdHz X-Gm-Gg: ASbGncs8JFL8CMZ3vjcAg49gp1RT65BHCj2EKv0AgA1mWvGnq6budsQFA96Uq8fRyy1 pfyGzcAziiQfPl0kwd3CEzu7qG1WvwryBsXRSNAX+0nORpQOIt+JH4YSxLPtrtVX6MyfMqPf8ek Dbeq7Ks1sh/xFIlT8txhDBuzi6k7HutGS4vZM9463Ufs+wYvG7IthaT2HXE2G/vN6SaiWysEjT9 Y4ANgy07dT7syINJ3RY6O+y+2xRBtHUEQczOtmGAoFQg1NmYAo1aKyP6K46f34AieZjSYMEsNwX 03n1rp7V13mZK3fKlCLqbCJrp185e6uyWn3GCrFIs/JM1bq0JfKSJw== X-Google-Smtp-Source: AGHT+IFtgRYGMU4Zy9m0j7A7J+00/+ZIcmD099mblAEN5vIpYG2TSsYO89gPbYg/DZJ61z62NWWnvA== X-Received: by 2002:a17:90b:3c87:b0:30e:5c7f:5d26 with SMTP id 98e67ed59e1d1-31c2fdd15d0mr5531450a91.24.1752074364184; Wed, 09 Jul 2025 08:19:24 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:23 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/11] coreutils: fix CVE-2025-5278 Date: Wed, 9 Jul 2025 08:19:06 -0700 Message-ID: <4e55668ef07d99d8c1141c2f4270f43f5b280159.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220094 From: Chen Qi Backport patch to fix CVE-2025-5278. The patch is adjusted to fit 9.0 version. Signed-off-by: Chen Qi Signed-off-by: Steve Sakoman --- .../coreutils/coreutils/CVE-2025-5278.patch | 113 ++++++++++++++++++ meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + 2 files changed, 114 insertions(+) create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch new file mode 100644 index 0000000000..34434a65fa --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch @@ -0,0 +1,113 @@ +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Tue, 20 May 2025 16:03:44 +0100 +Subject: [PATCH] sort: fix buffer under-read (CWE-127) + +* src/sort.c (begfield): Check pointer adjustment +to avoid Out-of-range pointer offset (CWE-823). +(limfield): Likewise. +* tests/sort/sort-field-limit.sh: Add a new test, +which triggers with ASAN or Valgrind. +* tests/local.mk: Reference the new test. +* NEWS: Mention bug fix introduced in v7.2 (2009). +Fixes https://bugs.gnu.org/78507 + +CVE: CVE-2025-5278 + +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] +[Adjusted for 9.0 version] + +Signed-off-by: Chen Qi +--- + src/sort.c | 12 ++++++++++-- + tests/local.mk | 1 + + tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++ + 3 files changed, 46 insertions(+), 2 deletions(-) + create mode 100755 tests/misc/sort-field-limit.sh + +diff --git a/src/sort.c b/src/sort.c +index 5f4c817de..07b96d34b 100644 +--- a/src/sort.c ++++ b/src/sort.c +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key) + ++ptr; + + /* Advance PTR by SCHAR (if possible), but no further than LIM. */ +- ptr = MIN (lim, ptr + schar); ++ size_t remaining_bytes = lim - ptr; ++ if (schar < remaining_bytes) ++ ptr += schar; ++ else ++ ptr = lim; + + return ptr; + } +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key) + ++ptr; + + /* Advance PTR by ECHAR (if possible), but no further than LIM. */ +- ptr = MIN (lim, ptr + echar); ++ size_t remaining_bytes = lim - ptr; ++ if (echar < remaining_bytes) ++ ptr += echar; ++ else ++ ptr = lim; + } + + return ptr; +diff --git a/tests/local.mk b/tests/local.mk +index 228d0e368..ced85c44c 100644 +--- a/tests/local.mk ++++ b/tests/local.mk +@@ -373,6 +373,7 @@ all_tests = \ + tests/misc/sort-debug-keys.sh \ + tests/misc/sort-debug-warn.sh \ + tests/misc/sort-discrim.sh \ ++ tests/misc/sort-field-limit.sh \ + tests/misc/sort-files0-from.pl \ + tests/misc/sort-float.sh \ + tests/misc/sort-h-thousands-sep.sh \ +diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh +new file mode 100755 +index 000000000..52d8e1d17 +--- /dev/null ++++ b/tests/misc/sort-field-limit.sh +@@ -0,0 +1,35 @@ ++#!/bin/sh ++# From 7.2-9.7, this would trigger an out of bounds mem read ++ ++# Copyright (C) 2025 Free Software Foundation, Inc. ++ ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++ ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++ ++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src ++print_ver_ sort ++getlimits_ ++ ++# This issue triggers with valgrind or ASAN ++valgrind --error-exitcode=1 sort --version 2>/dev/null && ++ VALGRIND='valgrind --error-exitcode=1' ++ ++{ printf '%s\n' aa bb; } > in || framework_failure_ ++ ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1 ++compare in out || fail=1 ++ ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1 ++compare in out || fail=1 ++ ++Exit $fail +-- +2.34.1 + diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb index 1cce9192ec..7c975708f4 100644 --- a/meta/recipes-core/coreutils/coreutils_9.0.bb +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ file://0001-uname-report-processor-and-hardware-correctly.patch \ file://0001-local.mk-fix-cross-compiling-problem.patch \ file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ + file://CVE-2025-5278.patch \ file://run-ptest \ file://0001-split-do-not-shrink-hold-buffer.patch \ " From patchwork Wed Jul 9 15:19:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66499 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C089C83F0A for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web11.18576.1752074366733455559 for ; Wed, 09 Jul 2025 08:19:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=m4y03CEO; spf=softfail (domain: sakoman.com, ip: 209.85.214.181, mailfrom: steve@sakoman.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-23c8f179e1bso379695ad.1 for ; Wed, 09 Jul 2025 08:19:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074366; x=1752679166; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kdBzgWbisVkh6H5X/hWSlf3yKJGXEWhQ/5M6ADGdXpc=; b=m4y03CEOlEfZrQD8enplP6WmTG2k9Ua81R+3hPXGNBI3upvaY/zrV9seM8Q2cJOJli Q1tc0FatKXq36GPMUCcvb8JWY9a9H3zJ1tIxwl5OI2kZwGmuq4I4odPywA5xpbe1D6vI h2n2YqedgCmhP/khcRrxg2wqLXfQ171xr3sziA561jX/vTgUmHd9NjVasgDHwtY7v2cb m5S8i7MAh7sXdB0vCyMuGSOxdgUuyRkUvdZliCMh4KbGB0NGBXRTZ1iiBsLhLwHp+nd+ L9Sr9D2+lMk+jjx2ETfGxeiofgrMIwK2mYzZpd6j0MI/01erDGbWgvaY9UPxX8ope65Y rsrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074366; x=1752679166; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kdBzgWbisVkh6H5X/hWSlf3yKJGXEWhQ/5M6ADGdXpc=; b=OLBz0Atu/hDhBweWOcJBcl7McVESoZ5S/q9ieeeTugyzoWt4p1LOMrpnoJ6jlvMTG3 Op7jTR7JITTEJGKFsIiJe8QTO+lpvgH/r9m9thS37EiyMkwXIUXxQU1PR27sq/Ul4sB+ MwFC0d5DQ1fFbn2+eIdAD1gjp49jxutGxs2WQ/u5UYCaHfc05XWHhmZ2rVEccHQjjwUH AB0R33Vo5hT10KB2aL8XaunYUodWnfPNNlvfOrj/0UVSlBA3/G+OfoupJ6p2sEhEEWK/ rdP3KXiuD5psgqYeKNSKGgA7bOThUXz0n8z4rhZHMh/l2gJRXGih5Je0xNWjUU92UpXN yXeQ== X-Gm-Message-State: AOJu0YzIGc+9hQiZ+FdWkhRhqJrUvtmq7wQbWaLuj8ndEF9N6OzQhzlc RerJw+aiVL5zCi3983FpJ9h1sx3Ab5pEoNbY1+/tmu6FcfVGmlb+eIWSn28unuEcYZqGfxTReLE uN9Kv X-Gm-Gg: ASbGnctXG0aXNcWXCt4nrmAYdP8bnV/TGQKM4hzNyKMIjeYk/GzrS5tc6Gz8dNStkp8 3gdF8lflYvpatE2CmwCwrgtWmLBwAx263U1RlPq4E1Z7/tjhUzqfmMI/rEYs/pKYSfrBH4fVhxg udHydIP8H0L5BqPbclnEG7dVs1uWZpJOrdCZYKkXJJPUGf3blhTpLF7cBPTWUqEB7CNQ6PXnwG6 KCx/weiaYHChoVp8tnMc9G3gHcqSYBaFp6nW08Id2MuJVNkxMdtf3bwGXaeaDf3yWKbuW2skeV6 IDlXXR+9+uH32MIrrcIGwsTGaL+8tfnPrq50l6ozlGW5zPOGycFxQtPaLaNMKpx1 X-Google-Smtp-Source: AGHT+IH5QXtrEcmqkp1q+PRSZW4qNK3o/fUEjX9oCu4gwSdlLSknly5aSMYo338qwQUYeiemchmCtA== X-Received: by 2002:a17:903:2f87:b0:235:e96b:191c with SMTP id d9443c01a7336-23ddb34fa56mr53711705ad.29.1752074365914; Wed, 09 Jul 2025 08:19:25 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/11] libsoup-2.4: fix CVE-2025-4945 Date: Wed, 9 Jul 2025 08:19:07 -0700 Message-ID: <2169742d4b88f9072501819b5842efbed04939f2.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220095 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup-2.4/CVE-2025-4945.patch | 117 ++++++++++++++++++ .../libsoup/libsoup-2.4_2.74.2.bb | 1 + 2 files changed, 118 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch new file mode 100644 index 0000000000..c9fbdbacc8 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch @@ -0,0 +1,117 @@ +From 3844026f74a41dd9ccab955899e005995293d246 Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Tue, 8 Jul 2025 14:58:30 +0800 +Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing + +Reject date/time when it does not represent a valid value. + +Closes #448 + +CVE: CVE-2025-4945 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-date.c | 21 +++++++++++++++------ + tests/cookies-test.c | 10 ++++++++++ + 2 files changed, 25 insertions(+), 6 deletions(-) + +diff --git a/libsoup/soup-date.c b/libsoup/soup-date.c +index 9602d1f..4c114c1 100644 +--- a/libsoup/soup-date.c ++++ b/libsoup/soup-date.c +@@ -284,7 +284,7 @@ parse_day (SoupDate *date, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return date->day >= 1 && date->day <= 31; + } + + static inline gboolean +@@ -324,7 +324,7 @@ parse_year (SoupDate *date, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return date->year > 0 && date->year < 9999; + } + + static inline gboolean +@@ -348,7 +348,7 @@ parse_time (SoupDate *date, const char **date_string) + while (*p == ' ') + p++; + *date_string = p; +- return TRUE; ++ return date->hour >= 0 && date->hour < 24 && date->minute >= 0 && date->minute < 60 && date->second >= 0 && date->second < 60; + } + + static inline gboolean +@@ -361,8 +361,15 @@ parse_timezone (SoupDate *date, const char **date_string) + gulong val; + int sign = (**date_string == '+') ? -1 : 1; + val = strtoul (*date_string + 1, (char **)date_string, 10); ++ if (val > 9999) ++ return FALSE; + if (**date_string == ':') +- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10); ++ { ++ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10); ++ if (val > 99 || val2 > 99) ++ return FALSE; ++ val = 60 * val + val2; ++ } + else + val = 60 * (val / 100) + (val % 100); + date->offset = sign * val; +@@ -407,7 +414,8 @@ parse_textual_date (SoupDate *date, const char *date_string) + if (!parse_month (date, &date_string) || + !parse_day (date, &date_string) || + !parse_time (date, &date_string) || +- !parse_year (date, &date_string)) ++ !parse_year (date, &date_string) || ++ !g_date_valid_dmy(date->day, date->month, date->year)) + return FALSE; + + /* There shouldn't be a timezone, but check anyway */ +@@ -419,7 +427,8 @@ parse_textual_date (SoupDate *date, const char *date_string) + if (!parse_day (date, &date_string) || + !parse_month (date, &date_string) || + !parse_year (date, &date_string) || +- !parse_time (date, &date_string)) ++ !parse_time (date, &date_string) || ++ !g_date_valid_dmy(date->day, date->month, date->year)) + return FALSE; + + /* This time there *should* be a timezone, but we +diff --git a/tests/cookies-test.c b/tests/cookies-test.c +index 2e2a54f..6035a86 100644 +--- a/tests/cookies-test.c ++++ b/tests/cookies-test.c +@@ -413,6 +413,15 @@ do_remove_feature_test (void) + soup_uri_free (uri); + } + ++static void ++do_cookies_parsing_int32_overflow (void) ++{ ++ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL); ++ g_assert_nonnull (cookie); ++ g_assert_null (soup_cookie_get_expires (cookie)); ++ soup_cookie_free (cookie); ++} ++ + int + main (int argc, char **argv) + { +@@ -434,6 +443,7 @@ main (int argc, char **argv) + g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test); + g_test_add_func ("/cookies/parsing", do_cookies_parsing_test); + g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin); ++ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow); + g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test); + g_test_add_func ("/cookies/remove-feature", do_remove_feature_test); + g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb index 686e3b6720..0cc90a17cc 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb @@ -42,6 +42,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ file://CVE-2025-4476.patch \ + file://CVE-2025-4945.patch \ " SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159" From patchwork Wed Jul 9 15:19:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66500 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46FECC83F14 for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by mx.groups.io with SMTP id smtpd.web10.18420.1752074368511981922 for ; Wed, 09 Jul 2025 08:19:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=fjaoP7S3; spf=softfail (domain: sakoman.com, ip: 209.85.215.178, mailfrom: steve@sakoman.com) Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-b3226307787so80945a12.1 for ; Wed, 09 Jul 2025 08:19:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074368; x=1752679168; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=S91+qJ9k35eHnFbbsDEBi2PJfod2PESeNTle5wkmViM=; b=fjaoP7S3jMzfHFjaOy+cyo05gievLxyv96e+Swb+qoDyTIPq5puKI8AVje9pFP30lq ouU3RA7UrA9Ug/JXY3oXnWFUWL/opChvBtEoetF6M58qW2fleDtHMO1rR3/s5uOTwsXa ofvTBQIOJFCijwJ7eqW8vUjai+pJiPTgWBevCTU3ePSf8EMSTkL/xI1akSrRhLb7pvxk 746ZWRMoBgSAQQ7oiyQTAm/XP/Cfx2ZLZUb4SssMk2HAc1cOIydpqyhgxakweLLZlkew zMVLqWWl3cPhIHexTSbwiJ2ryPvLIxm7oxpUiZZALu5UGs5Yu4an/Covr95mItfGvuI7 cakA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074368; x=1752679168; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=S91+qJ9k35eHnFbbsDEBi2PJfod2PESeNTle5wkmViM=; b=QhiAjP7pXRDf+HPclGWBpcIf3Ths7QlTS6Gg6JnluewJ1RVrQ/ZCKqNH5MN2CkbzXq YunhjPX1LRJibm+W8WuA6/7Rwr+r1dH6caJFdqW3uxWJ1IzjYRugIUy6KnwIyW8dwq8A QVa8N46fxV+iZ7UmwIl4w2w2o5j/GlRKA+OUFq+KKOaVDUxUkaGjzcUEVdDhrH1bH8sg HyBnZ/v1NF/PgeIZhLypcjr0nYr7qzHrbME/6U65CExhutvUAaOQI5l7awSSS3jJKw4O 4YmCjO6yG+mr5QmVyazmPZy85vOVVYIFattCqfbdubNt1PhGjB5ZMNQN+/6puIPOb2Aa BYKA== X-Gm-Message-State: AOJu0Yw8beUID8InFeC9WyVQSziYHTI5F0n7YZcvxOK308gsh7QxZdfC a6be8nCR9RCADfqPM56QrPXck2S1qKGjsiV//ied8VkiLEgWP82AsurPnAmPsrRxa2w+Q4icqxI aue7a X-Gm-Gg: ASbGncu4AwXgzOgj1vEdsvGPlkyMPD+nsaUUqyu/Uc3LN1mLx32hwunK7RdFLqHN5xH ND7viufkZBq1nPB08WO5dtrlhWMgna0vTYQ6xq85ersyuOljVK1FgWA354S9qyI2cgr1qTYA4qI tkVS77VuTnN7Ll+Bd0ARyui+9lkAtSpwXOeZhP3ggywaPkqCPpzODUwFECK83aBN3cTznK2MI4i onNz51nZcpD94icnhaSM7BvOeax+K7k62Izd0WtDKoXTvoR/hT3G8YJYEO6k8C+ZGyVaHY9T7wE KRVS6GfWiTi1lzYLQ3WXWgLrUyBhI0sDnUoudTpi02XlnLb86UQERg== X-Google-Smtp-Source: AGHT+IH01DieBrwY5lm82YoNMkMae5kRWaSxq7Iwonv54XgqU5hIHRlSXlMRp4vUyn03J8JOaEbYMQ== X-Received: by 2002:a17:90b:4a4c:b0:311:d670:a10d with SMTP id 98e67ed59e1d1-31c2fe21d62mr4468845a91.26.1752074367452; Wed, 09 Jul 2025 08:19:27 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:27 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/11] libsoup: fix CVE-2025-4945 Date: Wed, 9 Jul 2025 08:19:08 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220096 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448 Signed-off-by: Changqing Li Signed-off-by: Steve Sakoman --- .../libsoup/libsoup/CVE-2025-4945.patch | 118 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 + 2 files changed, 119 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch new file mode 100644 index 0000000000..cb6640a6c6 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch @@ -0,0 +1,118 @@ +From ee76a57af0e9fe1e43d3ab5a146a3da233573819 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 07:59:14 +0200 +Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing + +Reject date/time when it does not represent a valid value. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448 + +CVE: CVE-2025-4945 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f] + +Signed-off-by: Changqing Li +--- + libsoup/soup-date-utils.c | 23 +++++++++++++++-------- + tests/cookies-test.c | 10 ++++++++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c +index 061057e..43616d6 100644 +--- a/libsoup/soup-date-utils.c ++++ b/libsoup/soup-date-utils.c +@@ -138,7 +138,7 @@ parse_day (int *day, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return *day >= 1 && *day <= 31; + } + + static inline gboolean +@@ -178,7 +178,7 @@ parse_year (int *year, const char **date_string) + while (*end == ' ' || *end == '-') + end++; + *date_string = end; +- return TRUE; ++ return *year > 0 && *year < 9999; + } + + static inline gboolean +@@ -202,7 +202,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string) + while (*p == ' ') + p++; + *date_string = p; +- return TRUE; ++ return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60; + } + + static inline gboolean +@@ -218,9 +218,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string) + gulong val; + int sign = (**date_string == '+') ? 1 : -1; + val = strtoul (*date_string + 1, (char **)date_string, 10); +- if (**date_string == ':') +- val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10); +- else ++ if (val > 9999) ++ return FALSE; ++ if (**date_string == ':') { ++ gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10); ++ if (val > 99 || val2 > 99) ++ return FALSE; ++ val = 60 * val + val2; ++ } else + val = 60 * (val / 100) + (val % 100); + offset_minutes = sign * val; + utc = (sign == -1) && !val; +@@ -273,7 +278,8 @@ parse_textual_date (const char *date_string) + if (!parse_month (&month, &date_string) || + !parse_day (&day, &date_string) || + !parse_time (&hour, &minute, &second, &date_string) || +- !parse_year (&year, &date_string)) ++ !parse_year (&year, &date_string) || ++ !g_date_valid_dmy (day, month, year)) + return NULL; + + /* There shouldn't be a timezone, but check anyway */ +@@ -285,7 +291,8 @@ parse_textual_date (const char *date_string) + if (!parse_day (&day, &date_string) || + !parse_month (&month, &date_string) || + !parse_year (&year, &date_string) || +- !parse_time (&hour, &minute, &second, &date_string)) ++ !parse_time (&hour, &minute, &second, &date_string) || ++ !g_date_valid_dmy (day, month, year)) + return NULL; + + /* This time there *should* be a timezone, but we +diff --git a/tests/cookies-test.c b/tests/cookies-test.c +index 1c04534..6ba4458 100644 +--- a/tests/cookies-test.c ++++ b/tests/cookies-test.c +@@ -419,6 +419,15 @@ do_remove_feature_test (void) + g_uri_unref (uri); + } + ++static void ++do_cookies_parsing_int32_overflow (void) ++{ ++ SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9 999:9:9+ 999999999-age=main=gne=", NULL); ++ g_assert_nonnull (cookie); ++ g_assert_null (soup_cookie_get_expires (cookie)); ++ soup_cookie_free (cookie); ++} ++ + int + main (int argc, char **argv) + { +@@ -440,6 +449,7 @@ main (int argc, char **argv) + g_test_add_func ("/cookies/accept-policy-subdomains", do_cookies_subdomain_policy_test); + g_test_add_func ("/cookies/parsing", do_cookies_parsing_test); + g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin); ++ g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow); + g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test); + g_test_add_func ("/cookies/remove-feature", do_remove_feature_test); + g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test); +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.0.7.bb b/meta/recipes-support/libsoup/libsoup_3.0.7.bb index 3ddcb3e568..af8554aa78 100644 --- a/meta/recipes-support/libsoup/libsoup_3.0.7.bb +++ b/meta/recipes-support/libsoup/libsoup_3.0.7.bb @@ -44,6 +44,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-32051-2.patch \ file://CVE-2025-46421.patch \ file://CVE-2025-4948.patch \ + file://CVE-2025-4945.patch \ " SRC_URI[sha256sum] = "ebdf90cf3599c11acbb6818a9d9e3fc9d2c68e56eb829b93962972683e1bf7c8" From patchwork Wed Jul 9 15:19:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66503 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55927C83F15 for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.18423.1752074371356918601 for ; Wed, 09 Jul 2025 08:19:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vJoN3ipg; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-236470b2dceso587065ad.0 for ; Wed, 09 Jul 2025 08:19:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074370; x=1752679170; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DAIDXxsQdxSTbeqHkEos+zedWH9Uj4B04aiCdDoY2QU=; b=vJoN3ipgi6qHpPbnM9F9wGF1OjkkGf3QYldPzCA8McK8qNrO8cfmiVuz7WC8e1eqng w11kYm9t6TkIJpzMyl7U8esTCnn8b/M6qfHL3y8vnagqCo3upkV2cSrbgkwaCOX6SBrT Xs3dy0YVU88qZeCePEhvBJcQaPxjpPz/k7wbRc8/sBvr/cBiaakrcXfguMShl1km/eS5 werVeolRVSSkKivhHtCLuhrEKLaQZcHzwv6O1aBgrTcwUvclj3axg8URaKY7u7psSLON Ki9isXlmoJHHQeQD1YaYHJsq2E3gejsM8Wr0ZDzH0BAE4tvkibANnwzPIrE6Sg2rpJbT 1ruQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074370; x=1752679170; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DAIDXxsQdxSTbeqHkEos+zedWH9Uj4B04aiCdDoY2QU=; b=p7HXyEPaqDoXV6DmieN3NM1Z9mDycUBGJDhnPcKBkaomvIuKNzlC5osRCL5glwSEVG xIJr9JT2PbEPhfPk3l0Zr8vw5a1AQCIq+XgQAbyL+6CVhj0CKthVFzOJB1tmh59vQiml c26TFIKVp0nir0XLn9zIqMQptiZ06IW23qutg4hZBH+VwUkiCb+EV00aq3shCfj06Mbh iyS1787HbWO/yG4znYM53GTy0+yZNBP4m5rqczHrbNA3xRcdv/Fmf2FIz43B2NM2pfo8 YxCu14Y/63FOD0GR0P4Cd7vjjaGi17+el6O2oBhCkXYWX3Jx2oW9r0KvHDAOVSk6CkCd T55A== X-Gm-Message-State: AOJu0Yz6FiDR0FDDmM35aWYSQtvKXTgrOArPhaca90421Yfa8fgVumZL VJcok6PrWNX27wK8qGhAML/68DKTXUaSiFu9deeDt5TSY+mwvrvdtvNosmrFxLXoQUS7YVACHBY WTmIJ X-Gm-Gg: ASbGncvBZAqouOp31TerJ1tQtXnkZZiYNU2Ok+/CJqis9P7BxaWARTfpCoWuF2mglHa 0bWUnxNNn57+n0eicud+ozUyTJrz+LFUWNBulNNy2ztqcY5RGnz8jOmdE4Y5t2uhgofwRAaLa88 OFMQcKmV8yrLjHa6AmvJpWkIGqcJ/ZzwWDkK0wX21RoAxiz87iqW5RfNgIFsm4aqNRxpsLrmpHW DnoOdPkH1d8ltjwKSLYxoINeXEU0vYpaBxqXZXFGs2M6h/g/BFiHiiGrlqJ0R722vwNEY++1Q9q NKkOiK1ddbd5IMI43CHgCjMA72p9l1HV7ro5iNOjGKf5I4N8c+2gUOe8ojC53Q78 X-Google-Smtp-Source: AGHT+IEXfXJZbUBlcUJXAHqu/5rhouVFTYigqvPTrLko6hbAJ/UskuYlQhF7GKSDztHhw+GM4LyrHw== X-Received: by 2002:a17:90b:2811:b0:311:a314:c2d1 with SMTP id 98e67ed59e1d1-31c2fd27addmr4236344a91.6.1752074369467; Wed, 09 Jul 2025 08:19:29 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:29 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/11] curl: fix CVE-2024-11053 Date: Wed, 9 Jul 2025 08:19:09 -0700 Message-ID: <87823ff05a4f90b42c138902639a59231fa17def.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220097 From: Yogita Urade When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. References: https://nvd.nist.gov/vuln/detail/CVE-2024-11053 https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053-pre1.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95 https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95 Upstream patch: https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907 https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2024-11053-0001.patch | 340 ++++++++ .../curl/curl/CVE-2024-11053-0002.patch | 746 ++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 2 + 3 files changed, 1088 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch diff --git a/meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch b/meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch new file mode 100644 index 0000000000..86ca27a694 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch @@ -0,0 +1,340 @@ +From 9bee39bfed2c413b4cc4eb306a57ac92a1854907 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Oct 2024 23:54:39 +0200 +Subject: [PATCH] url: use same credentials on redirect + +Previously it could lose the username and only use the password. + +Added test 998 and 999 to verify. + +Reported-by: Tobias Bora +Fixes #15262 +Closes #15282 + +CVE: CVE-2024-11053 +Upstream-Status: Backport [https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907] + +Changes: +- Refresh patch context. +- Small change in the Makefile to add a new test. + +Signed-off-by: Yogita Urade +--- + lib/transfer.c | 3 ++ + lib/url.c | 18 ++++---- + lib/urldata.h | 8 ++++ + tests/data/Makefile.inc | 2 +- + tests/data/test998 | 92 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test999 | 81 ++++++++++++++++++++++++++++++++++++ + 6 files changed, 194 insertions(+), 10 deletions(-) + create mode 100644 tests/data/test998 + create mode 100644 tests/data/test999 + +diff --git a/lib/transfer.c b/lib/transfer.c +index d567c4b..cd7365b 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1479,6 +1479,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + return CURLE_OUT_OF_MEMORY; + } + ++ if(data->set.str[STRING_USERNAME] || ++ data->set.str[STRING_PASSWORD]) ++ data->state.creds_from = CREDS_OPTION; + if(!result) + result = Curl_setstropt(&data->state.aptr.user, + data->set.str[STRING_USERNAME]); +diff --git a/lib/url.c b/lib/url.c +index 9406cca..99d1082 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2098,10 +2098,10 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + return result; + + /* +- * User name and password set with their own options override the +- * credentials possibly set in the URL. ++ * username and password set with their own options override the credentials ++ * possibly set in the URL, but netrc does not. + */ +- if(!data->state.aptr.passwd) { ++ if(!data->state.aptr.passwd || (data->state.creds_from != CREDS_OPTION)) { + uc = curl_url_get(uh, CURLUPART_PASSWORD, &data->state.up.password, 0); + if(!uc) { + char *decoded; +@@ -2112,6 +2112,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + return result; + conn->passwd = decoded; + result = Curl_setstropt(&data->state.aptr.passwd, decoded); ++ data->state.creds_from = CREDS_URL; + if(result) + return result; + } +@@ -2119,7 +2120,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + return Curl_uc_to_curlcode(uc); + } + +- if(!data->state.aptr.user) { ++ if(!data->state.aptr.user || (data->state.creds_from != CREDS_OPTION)) { + /* we don't use the URL API's URL decoder option here since it rejects + control codes and we want to allow them for some schemes in the user + and password fields */ +@@ -2133,13 +2134,10 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + return result; + conn->user = decoded; + result = Curl_setstropt(&data->state.aptr.user, decoded); ++ data->state.creds_from = CREDS_URL; + } + else if(uc != CURLUE_NO_USER) + return Curl_uc_to_curlcode(uc); +- else if(data->state.aptr.passwd) { +- /* no user was set but a password, set a blank user */ +- result = Curl_setstropt(&data->state.aptr.user, ""); +- } + if(result) + return result; + } +@@ -3032,7 +3030,8 @@ static CURLcode override_login(struct Curl_easy *data, + if(result) + return result; + } +- if(data->state.aptr.user) { ++ if(data->state.aptr.user && ++ (data->state.creds_from != CREDS_NETRC)) { + uc = curl_url_set(data->state.uh, CURLUPART_USER, data->state.aptr.user, + CURLU_URLENCODE); + if(uc) +@@ -3048,6 +3047,7 @@ static CURLcode override_login(struct Curl_easy *data, + CURLcode result = Curl_setstropt(&data->state.aptr.passwd, *passwdp); + if(result) + return result; ++ data->state.creds_from = CREDS_NETRC; + } + if(data->state.aptr.passwd) { + uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, +diff --git a/lib/urldata.h b/lib/urldata.h +index e78a7e8..d252e73 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1324,6 +1324,11 @@ struct urlpieces { + char *query; + }; + ++#define CREDS_NONE 0 ++#define CREDS_URL 1 /* from URL */ ++#define CREDS_OPTION 2 /* set with a CURLOPT_ */ ++#define CREDS_NETRC 3 /* found in netrc */ ++ + struct UrlState { + /* Points to the connection cache */ + struct conncache *conn_cache; +@@ -1454,6 +1459,9 @@ struct UrlState { + char *proxypasswd; + } aptr; + ++ unsigned int creds_from:2; /* where is the server credentials originating ++ from, see the CREDS_* defines above */ ++ + #ifdef CURLDEBUG + BIT(conncache_lock); + #endif +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 5415f37..00cdfb8 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -123,7 +123,7 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ + test972 \ + \ +-test980 test981 test982 test983 test984 test985 test986 \ ++test980 test981 test982 test983 test984 test985 test986 test998 test999 \ + \ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ +diff --git a/tests/data/test998 b/tests/data/test998 +new file mode 100644 +index 0000000..6dcd95f +--- /dev/null ++++ b/tests/data/test998 +@@ -0,0 +1,92 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://somewhere.else.example/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://somewhere.else.example/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++ ++ ++HTTP with auth in URL redirected to another host ++ ++ ++-x %HOSTIP:%HTTPPORT http://alberto:einstein@somwhere.example/%TESTNUMBER --location-trusted ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++QUIT ++ ++ ++GET http://somwhere.example/998 HTTP/1.1 ++Host: somwhere.example ++Authorization: Basic YWxiZXJ0bzplaW5zdGVpbg== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://somewhere.else.example/a/path/9980002 HTTP/1.1 ++Host: somewhere.else.example ++Authorization: Basic YWxiZXJ0bzplaW5zdGVpbg== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test999 b/tests/data/test999 +new file mode 100644 +index 0000000..e805cde +--- /dev/null ++++ b/tests/data/test999 +@@ -0,0 +1,81 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://somewhere.else.example/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++ ++ ++HTTP with auth in first URL but not second ++ ++ ++-x %HOSTIP:%HTTPPORT http://alberto:einstein@somwhere.example/%TESTNUMBER http://somewhere.else.example/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++QUIT ++ ++ ++GET http://somwhere.example/%TESTNUMBER HTTP/1.1 ++Host: somwhere.example ++Authorization: Basic YWxiZXJ0bzplaW5zdGVpbg== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://somewhere.else.example/%TESTNUMBER HTTP/1.1 ++Host: somewhere.else.example ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch b/meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch new file mode 100644 index 0000000000..5db0499987 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch @@ -0,0 +1,746 @@ +From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 15 Nov 2024 11:06:36 +0100 +Subject: [PATCH] netrc: address several netrc parser flaws + +- make sure that a match that returns a username also returns a + password, that should be blank if no password is found + +- fix handling of multiple logins for same host where the password/login + order might be reversed. + +- reject credentials provided in the .netrc if they contain ASCII control + codes - if the used protocol does not support such (like HTTP and WS do) + +Reported-by: Harry Sintonen + +Add test 478, 479 and 480 to verify. Updated unit 1304. + +Closes #15586 + +Changes: +- Refresh patch context. +- Adjust `%LOGDIR/` to 'log/' due to its absence in code. +- Replaces the previous usage of the state_login, state_password, and + state_our_login variables with the found_state enum, which includes the + values NONE, LOGIN, and PASSWORD. As a result, all conditionals and memory + management logic associated with these variables were updated. +- Updates to use password and login instead of s_password and s_login, + which do not exist in the current version. This change preserves the + same logic while adapting the code to the current structure. +- test478 is disabled as this version of curl does not support searching + for a specific login in the netrc file. + (see https://github.com/curl/curl/issues/8241) +- test480 is disabled as this version of curl does not support quoted or + escaped strings in the netrc file. + (see https://github.com/curl/curl/issues/8908) +- Small change in the Makefile to add a new test + +CVE: CVE-2024-11053 +Upstream-Status: Backport [https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949] + +Signed-off-by: Yogita Urade +--- + lib/netrc.c | 121 ++++++++++++++++++++++------------------ + lib/url.c | 53 ++++++++++++------ + tests/data/DISABLED | 3 + + tests/data/Makefile.inc | 2 +- + tests/data/test478 | 73 ++++++++++++++++++++++++ + tests/data/test479 | 107 +++++++++++++++++++++++++++++++++++ + tests/data/test480 | 38 +++++++++++++ + tests/unit/unit1304.c | 81 +++++++-------------------- + 8 files changed, 348 insertions(+), 130 deletions(-) + create mode 100644 tests/data/test478 + create mode 100644 tests/data/test479 + create mode 100644 tests/data/test480 + +diff --git a/lib/netrc.c b/lib/netrc.c +index b771b60..23080b3 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -46,6 +46,15 @@ enum host_lookup_state { + MACDEF + }; + ++enum found_state { ++ NONE, ++ LOGIN, ++ PASSWORD ++}; ++ ++#define FOUND_LOGIN 1 ++#define FOUND_PASSWORD 2 ++ + #define NETRC_FILE_MISSING 1 + #define NETRC_FAILED -1 + #define NETRC_SUCCESS 0 +@@ -54,7 +63,7 @@ enum host_lookup_state { + * Returns zero on success. + */ + static int parsenetrc(const char *host, +- char **loginp, ++ char **loginp, /* might point to a username */ + char **passwordp, + bool *login_changed, + bool *password_changed, +@@ -63,16 +72,14 @@ static int parsenetrc(const char *host, + FILE *file; + int retcode = NETRC_FILE_MISSING; + char *login = *loginp; +- char *password = *passwordp; +- bool specific_login = (login && *login != 0); +- bool login_alloc = FALSE; +- bool password_alloc = FALSE; ++ char *password = NULL; ++ bool specific_login = login; /* points to something */ + enum host_lookup_state state = NOTHING; + +- char state_login = 0; /* Found a login keyword */ +- char state_password = 0; /* Found a password keyword */ +- int state_our_login = FALSE; /* With specific_login, found *our* login +- name */ ++ enum found_state keyword = NONE; ++ unsigned char found = 0; /* login + password found bits, as they can come in ++ any order */ ++ bool our_login = FALSE; /* found our login name */ + + DEBUGASSERT(netrcfile); + +@@ -95,11 +102,7 @@ static int parsenetrc(const char *host, + if(tok && *tok == '#') + /* treat an initial hash as a comment line */ + continue; +- while(tok) { +- if((login && *login) && (password && *password)) { +- done = TRUE; +- break; +- } ++ while(tok && !done) { + + switch(state) { + case NOTHING: +@@ -115,6 +118,12 @@ static int parsenetrc(const char *host, + after this we need to search for 'login' and + 'password'. */ + state = HOSTFOUND; ++ keyword = NONE; ++ found = 0; ++ our_login = FALSE; ++ Curl_safefree(password); ++ if(!specific_login) ++ Curl_safefree(login); + } + else if(strcasecompare("default", tok)) { + state = HOSTVALID; +@@ -138,48 +147,55 @@ static int parsenetrc(const char *host, + break; + case HOSTVALID: + /* we are now parsing sub-keywords concerning "our" host */ +- if(state_login) { ++ if(keyword == LOGIN) { + if(specific_login) { +- state_our_login = !Curl_timestrcmp(login, tok); ++ our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || Curl_timestrcmp(login, tok)) { +- if(login_alloc) { +- free(login); +- login_alloc = FALSE; +- } ++ else { ++ our_login = TRUE; ++ free(login); + login = strdup(tok); + if(!login) { + retcode = NETRC_FAILED; /* allocation failed */ + goto out; + } +- login_alloc = TRUE; + } +- state_login = 0; ++ found |= FOUND_LOGIN; ++ keyword = NONE; + } +- else if(state_password) { +- if((state_our_login || !specific_login) +- && (!password || Curl_timestrcmp(password, tok))) { +- if(password_alloc) { +- free(password); +- password_alloc = FALSE; +- } +- password = strdup(tok); +- if(!password) { +- retcode = NETRC_FAILED; /* allocation failed */ +- goto out; +- } +- password_alloc = TRUE; ++ else if(keyword == PASSWORD) { ++ free(password); ++ password = strdup(tok); ++ if(!password) { ++ retcode = NETRC_FAILED; /* allocation failed */ ++ goto out; + } +- state_password = 0; ++ found |= FOUND_PASSWORD; ++ keyword = NONE; + } + else if(strcasecompare("login", tok)) +- state_login = 1; ++ keyword = LOGIN; + else if(strcasecompare("password", tok)) +- state_password = 1; ++ keyword = PASSWORD; + else if(strcasecompare("machine", tok)) { +- /* ok, there's machine here go => */ ++ /* a new machine here */ + state = HOSTFOUND; +- state_our_login = FALSE; ++ keyword = NONE; ++ found = 0; ++ Curl_safefree(password); ++ if(!specific_login) ++ Curl_safefree(login); ++ } ++ else if(strcasecompare("default", tok)) { ++ state = HOSTVALID; ++ retcode = NETRC_SUCCESS; /* we did find our host */ ++ Curl_safefree(password); ++ if(!specific_login) ++ Curl_safefree(login); ++ } ++ if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) { ++ done = TRUE; ++ break; + } + break; + } /* switch (state) */ +@@ -189,28 +205,27 @@ static int parsenetrc(const char *host, + } /* while fgets() */ + + out: ++ if(!retcode && !password && our_login) { ++ /* success without a password, set a blank one */ ++ password = strdup(""); ++ if(!password) ++ retcode = 1; /* out of memory */ ++ } + if(!retcode) { + /* success */ + *login_changed = FALSE; + *password_changed = FALSE; +- if(login_alloc) { +- if(*loginp) +- free(*loginp); ++ if(!specific_login) { + *loginp = login; + *login_changed = TRUE; + } +- if(password_alloc) { +- if(*passwordp) +- free(*passwordp); +- *passwordp = password; +- *password_changed = TRUE; +- } ++ *passwordp = password; ++ *password_changed = TRUE; + } + else { +- if(login_alloc) ++ if(!specific_login) + free(login); +- if(password_alloc) +- free(password); ++ free(password); + } + fclose(file); + } +diff --git a/lib/url.c b/lib/url.c +index 99d1082..48835c9 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2954,6 +2954,17 @@ static CURLcode parse_remote_port(struct Curl_easy *data, + return CURLE_OK; + } + ++static bool str_has_ctrl(const char *input) ++{ ++ const unsigned char *str = (const unsigned char *)input; ++ while(*str) { ++ if(*str < 0x20) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + /* + * Override the login details from the URL with that in the CURLOPT_USERPWD + * option or a .netrc file, if applicable. +@@ -2995,22 +3006,32 @@ static CURLcode override_login(struct Curl_easy *data, + url_provided = TRUE; + } + +- ret = Curl_parsenetrc(conn->host.name, +- userp, passwdp, +- &netrc_user_changed, &netrc_passwd_changed, +- data->set.str[STRING_NETRC_FILE]); +- if(ret > 0) { +- infof(data, "Couldn't find host %s in the %s file; using defaults", +- conn->host.name, data->set.str[STRING_NETRC_FILE]); +- } +- else if(ret < 0) { +- return CURLE_OUT_OF_MEMORY; +- } +- else { +- /* set bits.netrc TRUE to remember that we got the name from a .netrc +- file, so that it is safe to use even if we followed a Location: to a +- different host or similar. */ +- conn->bits.netrc = TRUE; ++ if(!*passwdp) { ++ ret = Curl_parsenetrc(conn->host.name, ++ userp, passwdp, ++ &netrc_user_changed, &netrc_passwd_changed, ++ data->set.str[STRING_NETRC_FILE]); ++ if(ret > 0) { ++ infof(data, "Couldn't find host %s in the %s file; using defaults", ++ conn->host.name, data->set.str[STRING_NETRC_FILE]); ++ } ++ else if(ret < 0) { ++ return CURLE_OUT_OF_MEMORY; ++ } ++ else { ++ if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) { ++ /* if the protocol can't handle control codes in credentials, make ++ sure there are none */ ++ if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) { ++ failf(data, "control code detected in .netrc credentials"); ++ return CURLE_READ_ERROR; ++ } ++ } ++ /* set bits.netrc TRUE to remember that we got the name from a .netrc ++ file, so that it is safe to use even if we followed a Location: to a ++ different host or similar. */ ++ conn->bits.netrc = TRUE; ++ } + } + if(url_provided) { + Curl_safefree(conn->user); +diff --git a/tests/data/DISABLED b/tests/data/DISABLED +index 7187ec3..4434c41 100644 +--- a/tests/data/DISABLED ++++ b/tests/data/DISABLED +@@ -85,3 +85,6 @@ + %if wolfssl + 313 + %endif ++# 478 and 480 are backported and do not work with this version of curl ++478 ++480 +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 00cdfb8..ad41a5e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -73,7 +73,7 @@ test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test446 \ ++test446 test478 test479 test480 \ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test478 b/tests/data/test478 +new file mode 100644 +index 0000000..c356ef5 +--- /dev/null ++++ b/tests/data/test478 +@@ -0,0 +1,73 @@ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc with multiple accounts for same host ++ ++ ++--netrc --netrc-file log/netrc%TESTNUMBER -x http://%HOSTIP:%HTTPPORT/ http://debbie@github.com/ ++ ++ ++ ++machine github.com ++password weird ++password firstone ++login daniel ++ ++machine github.com ++ ++machine github.com ++login debbie ++ ++machine github.com ++password weird ++password "second\r" ++login debbie ++ ++ ++ ++ ++ ++ ++GET http://github.com/ HTTP/1.1 ++Host: github.com ++Authorization: Basic %b64[debbie:second%0D]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test479 b/tests/data/test479 +new file mode 100644 +index 0000000..8d67fdf +--- /dev/null ++++ b/tests/data/test479 +@@ -0,0 +1,107 @@ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc with redirect and default without password ++ ++ ++--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++ ++ ++ ++machine a.com ++ login alice ++ password alicespassword ++ ++default ++ login bob ++ ++ ++ ++ ++ ++ ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Basic %b64[alice:alicespassword]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++Authorization: Basic %b64[bob:]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test480 b/tests/data/test480 +new file mode 100644 +index 0000000..f097f81 +--- /dev/null ++++ b/tests/data/test480 +@@ -0,0 +1,38 @@ ++ ++ ++ ++netrc ++pop3 ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++pop3 ++ ++ ++Reject .netrc with credentials using CRLF for POP3 ++ ++ ++--netrc --netrc-file log/netrc%TESTNUMBER pop3://%HOSTIP:%POP3PORT/%TESTNUMBER ++ ++ ++machine %HOSTIP ++ login alice ++ password "password\r\ncommand" ++ ++ ++ ++ ++ ++26 ++ ++ ++ +diff --git a/tests/unit/unit1304.c b/tests/unit/unit1304.c +index a6dc64d..d2dba14 100644 +--- a/tests/unit/unit1304.c ++++ b/tests/unit/unit1304.c +@@ -29,13 +29,8 @@ static char filename[64]; + + static CURLcode unit_setup(void) + { +- password = strdup(""); +- login = strdup(""); +- if(!password || !login) { +- Curl_safefree(password); +- Curl_safefree(login); +- return CURLE_OUT_OF_MEMORY; +- } ++ password = NULL; ++ login = NULL; + return CURLE_OK; + } + +@@ -59,86 +54,52 @@ UNITTEST_START + result = Curl_parsenetrc("test.example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 1, "Host not found should return 1"); +- abort_unless(password != NULL, "returned NULL!"); +- fail_unless(password[0] == 0, "password should not have been changed"); +- abort_unless(login != NULL, "returned NULL!"); +- fail_unless(login[0] == 0, "login should not have been changed"); ++ abort_unless(password == NULL, "password did not return NULL!"); ++ abort_unless(login == NULL, "user did not return NULL!"); + + /* + * Test a non existent login in our netrc file. + */ +- free(login); +- login = strdup("me"); +- abort_unless(login != NULL, "returned NULL!"); ++ login = (char *)"me"; + result = Curl_parsenetrc("example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +- abort_unless(password != NULL, "returned NULL!"); +- fail_unless(password[0] == 0, "password should not have been changed"); +- fail_unless(!password_changed, "password should not have been changed"); +- abort_unless(login != NULL, "returned NULL!"); +- fail_unless(strncmp(login, "me", 2) == 0, +- "login should not have been changed"); +- fail_unless(!login_changed, "login should not have been changed"); ++ abort_unless(password == NULL, "password is not NULL!"); + + /* + * Test a non existent login and host in our netrc file. + */ +- free(login); +- login = strdup("me"); +- abort_unless(login != NULL, "returned NULL!"); ++ login = (char *)"me"; + result = Curl_parsenetrc("test.example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 1, "Host not found should return 1"); +- abort_unless(password != NULL, "returned NULL!"); +- fail_unless(password[0] == 0, "password should not have been changed"); +- abort_unless(login != NULL, "returned NULL!"); +- fail_unless(strncmp(login, "me", 2) == 0, +- "login should not have been changed"); ++ abort_unless(password == NULL, "password is not NULL!"); + + /* + * Test a non existent login (substring of an existing one) in our + * netrc file. + */ +- free(login); +- login = strdup("admi"); +- abort_unless(login != NULL, "returned NULL!"); ++ login = (char *)"admi"; + result = Curl_parsenetrc("example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +- abort_unless(password != NULL, "returned NULL!"); +- fail_unless(password[0] == 0, "password should not have been changed"); +- fail_unless(!password_changed, "password should not have been changed"); +- abort_unless(login != NULL, "returned NULL!"); +- fail_unless(strncmp(login, "admi", 4) == 0, +- "login should not have been changed"); +- fail_unless(!login_changed, "login should not have been changed"); ++ abort_unless(password == NULL, "password is not NULL!"); + + /* + * Test a non existent login (superstring of an existing one) + * in our netrc file. + */ +- free(login); +- login = strdup("adminn"); +- abort_unless(login != NULL, "returned NULL!"); ++ login = (char *)"adminn"; + result = Curl_parsenetrc("example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +- abort_unless(password != NULL, "returned NULL!"); +- fail_unless(password[0] == 0, "password should not have been changed"); +- fail_unless(!password_changed, "password should not have been changed"); +- abort_unless(login != NULL, "returned NULL!"); +- fail_unless(strncmp(login, "adminn", 6) == 0, +- "login should not have been changed"); +- fail_unless(!login_changed, "login should not have been changed"); ++ abort_unless(password == NULL, "password is not NULL!"); + + /* + * Test for the first existing host in our netrc file + * with login[0] = 0. + */ +- free(login); +- login = strdup(""); +- abort_unless(login != NULL, "returned NULL!"); ++ login = NULL; + result = Curl_parsenetrc("example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +@@ -155,8 +116,9 @@ UNITTEST_START + * with login[0] != 0. + */ + free(password); +- password = strdup(""); +- abort_unless(password != NULL, "returned NULL!"); ++ free(login); ++ password = NULL; ++ login = NULL; + result = Curl_parsenetrc("example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +@@ -173,11 +135,9 @@ UNITTEST_START + * with login[0] = 0. + */ + free(password); +- password = strdup(""); +- abort_unless(password != NULL, "returned NULL!"); ++ password = NULL; + free(login); +- login = strdup(""); +- abort_unless(login != NULL, "returned NULL!"); ++ login = NULL; + result = Curl_parsenetrc("curl.example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +@@ -194,8 +154,9 @@ UNITTEST_START + * with login[0] != 0. + */ + free(password); +- password = strdup(""); +- abort_unless(password != NULL, "returned NULL!"); ++ free(login); ++ password = NULL; ++ login = NULL; + result = Curl_parsenetrc("curl.example.com", &login, &password, + &login_changed, &password_changed, filename); + fail_unless(result == 0, "Host should have been found"); +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 748afc1235..f40139418a 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -63,6 +63,8 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2024-8096.patch \ file://0001-url-free-old-conn-better-on-reuse.patch \ file://CVE-2024-9681.patch \ + file://CVE-2024-11053-0001.patch \ + file://CVE-2024-11053-0002.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Wed Jul 9 15:19:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66501 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55E02C83F03 for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by mx.groups.io with SMTP id smtpd.web10.18424.1752074372122807604 for ; Wed, 09 Jul 2025 08:19:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=KLmVc4fl; spf=softfail (domain: sakoman.com, ip: 209.85.215.173, mailfrom: steve@sakoman.com) Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-b31d489a76dso92674a12.1 for ; Wed, 09 Jul 2025 08:19:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074371; x=1752679171; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=t/WXBE3n7i3uRdr0J7DEyEHcV83Nso5kBw5mZtn//TY=; b=KLmVc4flZM8bRapEHMYNI67OkUXRWMThAqodLz3pTmrPHQIBIkbctSxRfW3aG3t7Jg 961OSqmvkhYbFMg0b/hBeYWFiQQ78GJ80ms17RwJn0H3FK6v9W9PtCGuFKZXjtzk/3px 4IwzLeZ2Fg0G2sil3Q+QkLcqBmtsofdPTiVLKZY2q/Zcd1KJL0lpiKMdkWIdoHGFNkhf 27Onc6dkoekx+zNrpf4L4KnedEoZxgcqzKTxbnXlcz/6GbgPeOWN3nfJaa286rJkvHf3 dEQupnz8FLTNHiEl/Uywst3cHA4Zol6gq8nD1Tgdwk0YrpufJz1N9Xuw2ddfH6+4JzY0 Mz9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074371; x=1752679171; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=t/WXBE3n7i3uRdr0J7DEyEHcV83Nso5kBw5mZtn//TY=; b=rcskwJ+oGg6MqiriBF0cTPJFwX/iTp4UHg4awAnlBRRrDnYPA2o842kYnckmwZsNCt aEfAfxETfjK3ETf9wCXLRYHjz5b6RY8UD0wZvzfXxOUtvpLV5SDvsPBUqCHqTx15KUgY IQ3HWqCs6AjhwYcLKC0NXEquGTmYYgSIVk9xbQoyBPCLQgYX6Ts+R2xkeLhpkpRSpWLt zkFi1/dpSpoig6ozIolP/DO3ISZz+LDmBsBZ1OYqduz4Cpr8zbXEGUraLfYTDyz3G0CB D0/BTPLzJCv2ZkHj9Y9se2SrOF4VDn5SpAWoSbkrPACZK9ZXKJwwQimTOAg7FOZVD8jR hK6w== X-Gm-Message-State: AOJu0YyduWiPxjiziXrqK857Lf9KS3SKkXnNyHjP/gR+2RgjpOHcq1XV S7gNBJBA82EhA3rc/SLuFkxfq+CApIHv7RjWCXUw734DMTuDbX/FzQ3A/AHOq5Q0fl/tL7iUUsk H6Ohx X-Gm-Gg: ASbGncvwlOQrHQcbR1nLpPUWnT+ZaVCx2BUgPFL+DwKMhtRY1ZVbHbgTAQz/T8BFzr6 xYH+lOc/SrgB0veq0mux3Zz76zsmar5vCkEHY1yBdfDY7zqeVuY69oyuwAnwP+BHD0lE7EY/h+t 8SMuNo9lunDMSUggfNUoHqL4z0oKwOAk/weuBRJ5ZDvZwXuED/FIfi2j42Cvd9EM/AwpW45ImIK wfc5/7sbK2xJ1nuecNsbHuFB4QWK1HbbItqMS7u3ypgQUqL+vydB/ij48J9aoQbQ7lQaxnoSft7 Trd3Zl/NyWenQG9rhvbe49Qm8fStzZrcCO04pFbOZez/Y6IiuXTQPQ== X-Google-Smtp-Source: AGHT+IGftDtBP4H1jNY52o4mwqfm1obX07T7cEKvjXEvIZRGJJsZGPWv3l1dkK5AKr19bCYGoR05Lw== X-Received: by 2002:a17:90b:1dce:b0:31c:38f8:7e84 with SMTP id 98e67ed59e1d1-31c38f87f76mr1982976a91.16.1752074371081; Wed, 09 Jul 2025 08:19:31 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:30 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/11] curl: fix CVE-2025-0167 Date: Wed, 9 Jul 2025 08:19:10 -0700 Message-ID: <7c5aee3066e4c8056d994cd50b26c18a16316c96.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220098 From: Yogita Urade When asked to use a `.netrc` file for credentials *and* to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-0167 Upstream patch: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2025-0167.patch | 175 ++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 176 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-0167.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-0167.patch b/meta/recipes-support/curl/curl/CVE-2025-0167.patch new file mode 100644 index 0000000000..b803cff0d2 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-0167.patch @@ -0,0 +1,175 @@ +From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 3 Jan 2025 16:22:27 +0100 +Subject: [PATCH] netrc: 'default' with no credentials is not a match + +Test 486 verifies. + +Reported-by: Yihang Zhou + +Closes #15908 + +Changes: +- Test files are added in Makefile.inc. +- Adjust `%LOGDIR/` to 'log/' due to its absence in code. + +CVE: CVE-2025-0167 +Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb] + +Signed-off-by: Yogita Urade +--- + lib/netrc.c | 7 ++- + tests/data/Makefile.in | 2 + + tests/data/test486 | 105 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 113 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test486 + +diff --git a/lib/netrc.c b/lib/netrc.c +index 23080b3..6d87007 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -205,12 +205,17 @@ static int parsenetrc(const char *host, + } /* while fgets() */ + + out: +- if(!retcode && !password && our_login) { ++ if(!retcode) { ++ if(!password && our_login) { + /* success without a password, set a blank one */ + password = strdup(""); + if(!password) + retcode = 1; /* out of memory */ + } ++ else if(!login && !password) ++ /* a default with no credentials */ ++ retcode = NETRC_FILE_MISSING; ++ } + if(!retcode) { + /* success */ + *login_changed = FALSE; +diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in +index 3da7d31..5a3ec48 100644 +--- a/tests/data/Makefile.in ++++ b/tests/data/Makefile.in +@@ -431,6 +431,8 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ ++test486 \ ++\ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test486 b/tests/data/test486 +new file mode 100644 +index 0000000..6926092 +--- /dev/null ++++ b/tests/data/test486 +@@ -0,0 +1,105 @@ ++ ++ ++ ++netrc ++HTTP ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++-foo- ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++HTTP/1.1 301 Follow this you fool ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Location: http://b.com/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 7 ++Connection: close ++ ++target ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++proxy ++ ++ ++.netrc with redirect and "default" with no password or login ++ ++ ++--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ ++ ++ ++ ++machine a.com ++ login alice ++ password alicespassword ++ ++default ++ ++ ++ ++ ++ ++ ++GET http://a.com/ HTTP/1.1 ++Host: a.com ++Authorization: Basic %b64[alice:alicespassword]b64% ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://b.com/%TESTNUMBER0002 HTTP/1.1 ++Host: b.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index f40139418a..623d8a4bc3 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -65,6 +65,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2024-9681.patch \ file://CVE-2024-11053-0001.patch \ file://CVE-2024-11053-0002.patch \ + file://CVE-2025-0167.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Wed Jul 9 15:19:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66502 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A566C83F17 for ; Wed, 9 Jul 2025 15:19:35 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web10.18425.1752074374086991340 for ; Wed, 09 Jul 2025 08:19:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Z5tK+avg; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-31a93a4b399so104556a91.0 for ; Wed, 09 Jul 2025 08:19:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074373; x=1752679173; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=AvVTIdt4QQ1siAm3nx2Dvc1k2cpc2Fiy1WlVqLNsx5Y=; b=Z5tK+avgZKsc/cmIPTaJy3biJ+xPxw5cxSkL2bT6kTNbcG+9wQqpEUpJA2RIoMBLbX duWShlrRur81aoSL/tPiOLzI5CDvm1tqakjpq7OyXEW8kqwE7g+Seb+FCfhmcte6Tab3 Sg7QDZdvCP2qRoRHvBcg83+5104QSTOj/EiZNW7CkV8h7e2MeNV34WbCga22zfFvmUXD h5VOTT+ltI7OpZ9NN2GVaSCdxsvTwQ7fd9LEZAbrH7rlB8yyOCM5QboNkmLEIgFsg3zj h/B3DXMmR7YBfRz10ZZ7u8g9TcBWa8TBj3tnGv2/ElYZKTF396yYju5xLZwF3/iWNjZa CbAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074373; x=1752679173; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=AvVTIdt4QQ1siAm3nx2Dvc1k2cpc2Fiy1WlVqLNsx5Y=; b=TQ6gk+KFv7UP1fSW/EWu4fTfCuCINL0bwGMJ57mIFDKkV9O8HiRQ7+rN+G0CXRnfY/ HLsurCNbgPx4t9InoHVjGoadU5pACUUaVuPozaJAAByV86ufDt38MwHjqoVQ47jLwW4t DzZ1mc0rC1azx8XKMVI0nCyl9bORdLnEOeXjUVqjpkVTGp2QKHXx+IuTb5qc45j1TRl7 t0B0i3pDmOTsqJ8DTAN/dTUeHF9dGz9OEZXWeenK/PLHUNe7qhjWIo3fJQ69qSo2wLxz Gyc2vc3/1tpn1/V2r4uk1tzGSxOJcmHKddNFI9wzl9sYHqfTeKkCin2CoEgBkVgkOBVk TMGQ== X-Gm-Message-State: AOJu0YxxJNrr6LNQ4sjQUA6S0ZaJ+M/+4AaRZl36JWDuh9elQy+6WNJD 73nDYgQ9GUyBzvaJt4DXqXV0Al6U2m1KwjhTTUL3lbnSoEZIePxoCJzo5wcXfp9fm/wpOuj3WFL rj3n+ X-Gm-Gg: ASbGnctQrH+jvSDpUEtl459+834135U4liEaFoNotTChsZuxVljH4MA1gZR+koPvjC4 sXmIeUdSas6xhGIPBpr6RwRiTn3W3ohEEnYG06UjxlfpqGsAob+B6b98I8yv8jv8BCB372Bol1e j5pEzJMJT/vKZihdd7xU2ers7kwZ6H7v31I75vwMVVrS60sjgWkrcETKxvpcMmzDTCDERpaj4zL Qn0KNisQxcNCoQ024L16lVZn/iMpHXi7c9ktP87dM9gNXL6DMCXDcyXRKvwhdzu0IjDZL8gIg3s RyuSeZ0QM3BvU4nZiesmclnq5IkQxOVCi/kXwyHm8W62o4nn7kNT1g== X-Google-Smtp-Source: AGHT+IHXUafmNyg/kuV6vwbZZjyyGTHN08rc2JEPm9iCO1s6CMiN7S/6fenwqUzSaW48fMMoaFQw1w== X-Received: by 2002:a17:90b:4fc5:b0:312:e73e:cded with SMTP id 98e67ed59e1d1-31c2276a98cmr9501106a91.16.1752074372908; Wed, 09 Jul 2025 08:19:32 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:32 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/11] libarchive: fix CVE-2025-5915 Date: Wed, 9 Jul 2025 08:19:11 -0700 Message-ID: <41e7be4aa28481530d5e259d0f25b238b86c012d.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220099 From: Divya Chellam A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer -Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o r the disclosure of sensitive information from adjacent memory regions. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5915 Upstream-patches: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++++++++ .../libarchive/libarchive_3.6.2.bb | 1 + 2 files changed, 218 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch new file mode 100644 index 0000000000..c83f4f1abc --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch @@ -0,0 +1,217 @@ +From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 11 May 2025 19:00:11 +0200 +Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599) + +A filter block size must not be larger than the lzss window, which is +defined +by dictionary size, which in turn can be derived from unpacked file +size. + +While at it, improve error messages and fix lzss window wrap around +logic. + +Fixes https://github.com/libarchive/libarchive/issues/2565 + +--------- + +Signed-off-by: Tobias Stoeckmann +Co-authored-by: Tim Kientzle + +CVE: CVE-2025-5915 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c] + +Signed-off-by: Divya Chellam +--- + Makefile.am | 2 + + libarchive/archive_read_support_format_rar.c | 17 ++++--- + libarchive/test/CMakeLists.txt | 1 + + .../test/test_read_format_rar_overflow.c | 48 +++++++++++++++++++ + .../test/test_read_format_rar_overflow.rar.uu | 11 +++++ + 5 files changed, 72 insertions(+), 7 deletions(-) + create mode 100644 libarchive/test/test_read_format_rar_overflow.c + create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu + +diff --git a/Makefile.am b/Makefile.am +index 3fd2fdb..e486a8d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -505,6 +505,7 @@ libarchive_test_SOURCES= \ + libarchive/test/test_read_format_rar_encryption_header.c \ + libarchive/test/test_read_format_rar_filter.c \ + libarchive/test/test_read_format_rar_invalid1.c \ ++ libarchive/test/test_read_format_rar_overflow.c \ + libarchive/test/test_read_format_rar5.c \ + libarchive/test/test_read_format_raw.c \ + libarchive/test/test_read_format_tar.c \ +@@ -848,6 +849,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \ + libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \ + libarchive/test/test_read_format_rar_noeof.rar.uu \ ++ libarchive/test/test_read_format_rar_overflow.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \ + libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \ +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 091a993..4d3b966 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -451,7 +451,7 @@ static int read_filter(struct archive_read *, int64_t *); + static int rar_decode_byte(struct archive_read*, uint8_t *); + static int execute_filter(struct archive_read*, struct rar_filter *, + struct rar_virtual_machine *, size_t); +-static int copy_from_lzss_window(struct archive_read *, void *, int64_t, int); ++static int copy_from_lzss_window(struct archive_read *, uint8_t *, int64_t, int); + static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t); + static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t); + +@@ -2899,7 +2899,7 @@ expand(struct archive_read *a, int64_t *end) + } + + if ((symbol = read_next_symbol(a, &rar->maincode)) < 0) +- return (ARCHIVE_FATAL); ++ goto bad_data; + + if (symbol < 256) + { +@@ -2926,14 +2926,14 @@ expand(struct archive_read *a, int64_t *end) + else + { + if (parse_codes(a) != ARCHIVE_OK) +- return (ARCHIVE_FATAL); ++ goto bad_data; + continue; + } + } + else if(symbol==257) + { + if (!read_filter(a, end)) +- return (ARCHIVE_FATAL); ++ goto bad_data; + continue; + } + else if(symbol==258) +@@ -3018,7 +3018,7 @@ expand(struct archive_read *a, int64_t *end) + { + if ((lowoffsetsymbol = + read_next_symbol(a, &rar->lowoffsetcode)) < 0) +- return (ARCHIVE_FATAL); ++ goto bad_data; + if(lowoffsetsymbol == 16) + { + rar->numlowoffsetrepeats = 15; +@@ -3066,7 +3066,7 @@ bad_data: + } + + static int +-copy_from_lzss_window(struct archive_read *a, void *buffer, ++copy_from_lzss_window(struct archive_read *a, uint8_t *buffer, + int64_t startpos, int length) + { + int windowoffs, firstpart; +@@ -3081,7 +3081,7 @@ copy_from_lzss_window(struct archive_read *a, void *buffer, + } + if (firstpart < length) { + memcpy(buffer, &rar->lzss.window[windowoffs], firstpart); +- memcpy(buffer, &rar->lzss.window[0], length - firstpart); ++ memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart); + } else { + memcpy(buffer, &rar->lzss.window[windowoffs], length); + } +@@ -3228,6 +3228,9 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint + else + blocklength = prog ? prog->oldfilterlength : 0; + ++ if (blocklength > rar->dictionary_size) ++ return 0; ++ + registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS; + registers[4] = blocklength; + registers[5] = prog ? prog->usagecount : 0; +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt +index bbbff22..05c6fd7 100644 +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -154,6 +154,7 @@ IF(ENABLE_TEST) + test_read_format_rar_encryption_partially.c + test_read_format_rar_invalid1.c + test_read_format_rar_filter.c ++ test_read_format_rar_overflow.c + test_read_format_rar5.c + test_read_format_raw.c + test_read_format_tar.c +diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c +new file mode 100644 +index 0000000..b39ed6b +--- /dev/null ++++ b/libarchive/test/test_read_format_rar_overflow.c +@@ -0,0 +1,48 @@ ++/*- ++ * Copyright (c) 2003-2025 Tim Kientzle ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#include "test.h" ++ ++DEFINE_TEST(test_read_format_rar_overflow) ++{ ++ struct archive *a; ++ struct archive_entry *ae; ++ const char reffile[] = "test_read_format_rar_overflow.rar"; ++ const void *buff; ++ size_t size; ++ int64_t offset; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ assertEqualInt(48, archive_entry_size(ae)); ++ /* The next call should reproduce Issue #2565 */ ++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset)); ++ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++} +diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu b/libarchive/test/test_read_format_rar_overflow.rar.uu +new file mode 100644 +index 0000000..48fd3fd +--- /dev/null ++++ b/libarchive/test/test_read_format_rar_overflow.rar.uu +@@ -0,0 +1,11 @@ ++begin 644 test_read_format_rar_overflow.rar ++M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_: ++MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#, ++MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A ++M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP ++MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P ++M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`& ++M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P ++-,#`P,#`P,#`P,#`P,``` ++` ++end +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index 4d0e3f7179..c612c1b7e0 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -36,6 +36,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2024-20696.patch \ file://CVE-2025-25724.patch \ file://CVE-2025-5914.patch \ + file://CVE-2025-5915.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/" From patchwork Wed Jul 9 15:19:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66505 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 562AFC83F03 for ; Wed, 9 Jul 2025 15:19:45 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web11.18577.1752074375476644728 for ; Wed, 09 Jul 2025 08:19:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=iJ1kPFcJ; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-7494999de5cso3600119b3a.3 for ; Wed, 09 Jul 2025 08:19:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074375; x=1752679175; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PiKokZTdeh8PGJt/RQN3Wxs1Q435JQazaanc0c3ko9c=; b=iJ1kPFcJc141BNrIpv80lurEUkGYVtT4HDWjodHLSk/Ak5h4Sx/ldqyM+ipKgbl0GC k+0HhiTWyVDD76FC2JFP7yji5hVVt+Y2rgY1T2gb+1sjxfbFMr5RH5rKyV2t6fDDnE5B YNr7gI70TRUw0jJWg7FgpCnJRgQhEnnDjJSIDG50kIX6h/iJUmk72ycrsj19AAuBVn9K cOQ7oBlVPdSoeNUi6qrGbt6j4rUq2uj/Fcahs9bw2eERm54FBtJB5weJRhDFeOq1oEAb AxffbhAq41O/Q83duiknYYUtzCi3zW2ANgutE8sZEAEhKL6k5Vh2nCgQzq8F6oUSRW96 g7xA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074375; x=1752679175; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PiKokZTdeh8PGJt/RQN3Wxs1Q435JQazaanc0c3ko9c=; b=InmIKfU9l18LwcCIdu45XvKXEoSrg5WlJRPCk//S9JCqXwWchMo6ONvJjlgXsHW3+Z HRdP8cSd+vwLiXPnaPZmoosAQe8jdypR2uLvIqU+fEnX50VAlTKM4iq2F/E1SA/nbIo2 0BkclIFTM1gxaaZx1i32ofUL5Zuo4Iw+xxHLU8eJwGjjbd9Y/ndAzC8EmbbgFN9rT6QR EOHKbKWd7h9D9HmmHJv30S+O4baKhCZXUddFkhZJkAVacWFSMq0IKw7F4E3GqgT4yqwJ SiupJMk65TwCGEcLTQoJoW7QwocrLzzeYTT9y+p0mi6OOp0/E245wMLLICETbrYUS2WO CfCw== X-Gm-Message-State: AOJu0Yw0bZuBcYzWZVmS3zU6mKSIZi1EAPGgDH12bxETIeC0jMZd1ldD qD0isjfPsF1N/qMagHvjoSl6ANTkDgpF+TUD6ePwe9PPGUwpFg6aRQWq3pDm0RyD+sok2NCY5qc bNZus X-Gm-Gg: ASbGnctG6dPQvGR53QtKf6lA30Oryy2txDlqbjeaLWzNPYl9cgFUkSaZEHcapx/8nK5 BAO24PbIB2Fp1EDCvVmlQmyt6k712S6kjsfagp4njtv0JhQpZq4LpUUSTqhsHDSkI9aNgHv7A2Q WikF6ncY+tCC8lmLCZjidhcoFyPBnBUZY0nOsNyyeM5HEBHWsRGXB+fvqplw0on5Whe3pO307Dc NQus60Q8n/9X62MKB9KYqyvFoPNQGIC+BabFmvHwvDKSGu4s5t6z/wE+YbsdtNtsXjjT5pbA3Yc oR4uxsngWQIy7ODRLDxgoauam9NMNKStnVVEfdLYZRewjyDqKvHt7w== X-Google-Smtp-Source: AGHT+IH+LHWzw0W1iYKSSYR3UIi8vJv5oiZjoMqvUektX3Oq/FZZbCdjBignCGLWZHXsBik3EvftPg== X-Received: by 2002:a17:903:1665:b0:232:1daf:6f06 with SMTP id d9443c01a7336-23ddb34bc13mr48235015ad.47.1752074374545; Wed, 09 Jul 2025 08:19:34 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:34 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/11] libarchive: fix CVE-2025-5916 Date: Wed, 9 Jul 2025 08:19:12 -0700 Message-ID: <0e939bf5fc7412c7357fcd7d8ae760f023ac40eb.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220100 From: Divya Chellam A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5916 Upstream-patch: https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../libarchive/libarchive/CVE-2025-5916.patch | 116 ++++++++++++++++++ .../libarchive/libarchive_3.6.2.bb | 1 + 2 files changed, 117 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch new file mode 100644 index 0000000000..d32c8ee84e --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch @@ -0,0 +1,116 @@ +From ef093729521fcf73fa4007d5ae77adfe4df42403 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Mon, 7 Apr 2025 00:24:13 +0200 +Subject: [PATCH] warc: Prevent signed integer overflow (#2568) + +If a warc archive claims to have more than INT64_MAX - 4 content bytes, +the inevitable failure to skip all these bytes could lead to parsing +data which should be ignored instead. + +The test case contains a conversation entry with that many bytes and if +the entry is not properly skipped, the warc implementation would read +the conversation data as a new file entry. + +Signed-off-by: Tobias Stoeckmann + +CVE: CVE-2025-5916 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403] + +Signed-off-by: Divya Chellam +--- + Makefile.am | 1 + + libarchive/archive_read_support_format_warc.c | 7 ++++-- + libarchive/test/test_read_format_warc.c | 24 +++++++++++++++++++ + .../test_read_format_warc_incomplete.warc.uu | 10 ++++++++ + 4 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 libarchive/test/test_read_format_warc_incomplete.warc.uu + +diff --git a/Makefile.am b/Makefile.am +index e486a8d..dd1620d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -913,6 +913,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_ustar_filename_eucjp.tar.Z.uu \ + libarchive/test/test_read_format_ustar_filename_koi8r.tar.Z.uu \ + libarchive/test/test_read_format_warc.warc.uu \ ++ libarchive/test/test_read_format_warc_incomplete.warc.uu \ + libarchive/test/test_read_format_zip.zip.uu \ + libarchive/test/test_read_format_zip_7075_utf8_paths.zip.uu \ + libarchive/test/test_read_format_zip_7z_deflate.zip.uu \ +diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c +index 2732996..19cf5a3 100644 +--- a/libarchive/archive_read_support_format_warc.c ++++ b/libarchive/archive_read_support_format_warc.c +@@ -379,7 +379,8 @@ start_over: + case LAST_WT: + default: + /* consume the content and start over */ +- _warc_skip(a); ++ if (_warc_skip(a) < 0) ++ return (ARCHIVE_FATAL); + goto start_over; + } + return (ARCHIVE_OK); +@@ -432,7 +433,9 @@ _warc_skip(struct archive_read *a) + { + struct warc_s *w = a->format->data; + +- __archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/); ++ if (__archive_read_consume(a, w->cntlen) < 0 || ++ __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0) ++ return (ARCHIVE_FATAL); + w->cntlen = 0U; + w->cntoff = 0U; + return (ARCHIVE_OK); +diff --git a/libarchive/test/test_read_format_warc.c b/libarchive/test/test_read_format_warc.c +index 658ab8a..8a6d178 100644 +--- a/libarchive/test/test_read_format_warc.c ++++ b/libarchive/test/test_read_format_warc.c +@@ -80,3 +80,27 @@ DEFINE_TEST(test_read_format_warc) + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + } ++ ++DEFINE_TEST(test_read_format_warc_incomplete) ++{ ++ const char reffile[] = "test_read_format_warc_incomplete.warc"; ++ struct archive_entry *ae; ++ struct archive *a; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, ++ archive_read_open_filename(a, reffile, 10240)); ++ ++ /* Entry cannot be parsed */ ++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae)); ++ ++ /* Verify archive format. */ ++ assertEqualIntA(a, ARCHIVE_FILTER_NONE, archive_filter_code(a, 0)); ++ ++ /* Verify closing and resource freeing */ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++} +diff --git a/libarchive/test/test_read_format_warc_incomplete.warc.uu b/libarchive/test/test_read_format_warc_incomplete.warc.uu +new file mode 100644 +index 0000000..b91b97e +--- /dev/null ++++ b/libarchive/test/test_read_format_warc_incomplete.warc.uu +@@ -0,0 +1,10 @@ ++begin 644 test_read_format_warc_incomplete.warc ++M5T%20R\Q+C`-"E=!4D,M5'EP93H@8V]N=F5R'0-"E=!4D,M1&%T ++M93H@,C`R-2TP,RTS,%0Q-3HP,#HT,%H-"D-O;G1E;G0M5'EP93H@=&5X="]P ++M;&%I;@T*0V]N=&5N="U,96YG=&@Z(#,X#0H-"E1H92!R96%D;64N='AT('-H ++4;W5L9"!N;W0@8F4@=FES:6)L90H` ++` ++end +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index c612c1b7e0..f90063ba3a 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -37,6 +37,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2025-25724.patch \ file://CVE-2025-5914.patch \ file://CVE-2025-5915.patch \ + file://CVE-2025-5916.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/" From patchwork Wed Jul 9 15:19:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66504 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 562ECC83F0F for ; Wed, 9 Jul 2025 15:19:45 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.web10.18429.1752074377319600320 for ; Wed, 09 Jul 2025 08:19:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=TLh2mHKM; spf=softfail (domain: sakoman.com, ip: 209.85.215.174, mailfrom: steve@sakoman.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-b3226307787so81092a12.1 for ; Wed, 09 Jul 2025 08:19:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074376; x=1752679176; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=QooaHR9Uf9LtrD+Z2HjV/rMswvfY/cx5T3KLK6xdxoo=; b=TLh2mHKMEKc1mmSKFyxIDVzcbHZlIykqln/rcWcwKewuh20eWr+PMhAPJHB6WNJv5J 5BqHraGYrRpLo7y0+q47JhFSO0XZ+QaSA9cuZnU9ngneP+zR2X6ljbP86cKjhKGqiKA0 AJZMnirHS+lLMNxp2avrsKphNqPtArOa0/MJyEUAWr1n7IF2vX+oEztKhhXLZBRlr1tO pnOr13V2lE6FQ/dAk5pQPS3p+rwbwcOi+0r9XZrzcJv0Ncx1f8zSc4vzTyei+HpzhF0m IS7cJnTSmWsMJvM7LfXSKLgcyTieWDio5y+rNaQ9EDgZTyoaHaCs/HqQy1jS7auOtubw ZWzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074376; x=1752679176; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QooaHR9Uf9LtrD+Z2HjV/rMswvfY/cx5T3KLK6xdxoo=; b=OZKjRaZdaeN83y3hm30IYy693c8mNzB0xSEcdZlB/4ytQJs4CsBGJ6V8E1eJI4VmZx oiKLUPP72hMKjq6kGX5TgzRJBCGy4CPc1YK6Ta4t7Vh+TND6NsaHD5X0oCczgJ3R8yDJ rMtz3EXlU35dehLBNaFuV7kpWoI5kZH+aI0ITAYddB1n0Hrj39FMUpQwB5Wmfhy4rrkG JSTUxllAI7XVgQ3duxc5VfhUnL56V0QlPHocTYPRKeHkDyjVuIKlUV/FQTcaA+KunVyD 2M4vEAmYa0i9M0t2GxEMrWGhPRKtEvfX1X1FBR1Sh8lFygTnyfwWsizk6llYaPK7Sa65 jS2w== X-Gm-Message-State: AOJu0YzztHzabJ+AfV3qv5izL0MMjbKWlChK9u14gezqv9iIM+L9SRf9 Xl81MmIZ7E37UK10kYYrF2w3EOlGHv89rlzW2rMyJKiND1Gi3bA+RWzTDA27t1DuqJ9awsIFD+t YAWcq X-Gm-Gg: ASbGnctFPOrDPRJtPfV2HvpOripkS6Ba+3zJUzNcmyrSr+x2r89f01CL8SPD0HkU4QL uKm/2G5wUObM+9VEPnLe5XJGtZDzUfZjyz5BsAjQTFFUMtXcXjGQfE0wpr7NHVzyHr6APoQ/5No pDWVVZr1p9gT3oSoCdZd0628GXjKpzMHEaEbT5WnRGXVmsXEMvLaF9iQz+yD9Gr5QM1DSZ49KkM +q8kW8uypHuGqhlnA3JpYG7Zp5r9Ge3hyn/c0zKX7Ts7IfSUKz8Wlk9aMZNd+roftyD5q+Oowpn A8nUtNK73V/pqHhcZbV+LLOEYZRQHXgEc5NT1zTc/e1qZcBb/cEgow== X-Google-Smtp-Source: AGHT+IHkA//32UWflxmdYPMY79SkCKxx0G7rSQra7mxBVJF3kaOOqdAeiwfymU7dg7p+gLHV1yWxRw== X-Received: by 2002:a17:90b:2fc6:b0:311:c1ec:7cfb with SMTP id 98e67ed59e1d1-31c2fe00208mr4274279a91.21.1752074376278; Wed, 09 Jul 2025 08:19:36 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:35 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/11] libarchive: fix CVE-2025-5917 Date: Wed, 9 Jul 2025 08:19:13 -0700 Message-ID: <2b2a2fce345c9bfcad44cc8ef3419f43dd07b022.1752073806.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220101 From: Divya Chellam A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by- one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1- byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever aged as a building block for more sophisticated exploitation. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5917 Upstream-patch: https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- .../libarchive/libarchive/CVE-2025-5917.patch | 54 +++++++++++++++++++ .../libarchive/libarchive_3.6.2.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch new file mode 100644 index 0000000000..9c2003e574 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch @@ -0,0 +1,54 @@ +From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001 +From: Brian Campbell +Date: Sat, 26 Apr 2025 05:11:19 +0100 +Subject: [PATCH] Fix overflow in build_ustar_entry (#2588) + +The calculations for the suffix and prefix can increment the endpoint +for a trailing slash. Hence the limits used should be one lower than the +maximum number of bytes. + +Without this patch, when this happens for both the prefix and the +suffix, we end up with 156 + 100 bytes, and the write of the null at the +end will overflow the 256 byte buffer. This can be reproduced by running +``` +mkdir -p foo/bar +bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar +``` +when bsdtar is compiled with Address Sanitiser, although I originally +noticed this by accident with a genuine filename on a CHERI capability +system, which faults immediately on the buffer overflow. + +CVE: CVE-2025-5917 + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85] + +Signed-off-by: Divya Chellam +--- + libarchive/archive_write_set_format_pax.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c +index cf1f477..8e6aade 100644 +--- a/libarchive/archive_write_set_format_pax.c ++++ b/libarchive/archive_write_set_format_pax.c +@@ -1546,7 +1546,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + const char *filename, *filename_end; + char *p; + int need_slash = 0; /* Was there a trailing slash? */ +- size_t suffix_length = 99; ++ size_t suffix_length = 98; /* 99 - 1 for trailing slash */ + size_t insert_length; + + /* Length of additional dir element to be added. */ +@@ -1598,7 +1598,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + /* Step 2: Locate the "prefix" section of the dirname, including + * trailing '/'. */ + prefix = src; +- prefix_end = prefix + 155; ++ prefix_end = prefix + 154 /* 155 - 1 for trailing / */; + if (prefix_end > filename) + prefix_end = filename; + while (prefix_end > prefix && *prefix_end != '/') +-- +2.40.0 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index f90063ba3a..3937bfb82d 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -38,6 +38,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2025-5914.patch \ file://CVE-2025-5915.patch \ file://CVE-2025-5916.patch \ + file://CVE-2025-5917.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/" From patchwork Wed Jul 9 15:19:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 66506 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67293C83F0A for ; Wed, 9 Jul 2025 15:19:45 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web11.18579.1752074380358010240 for ; Wed, 09 Jul 2025 08:19:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BrOPRAGv; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-3141b84bf65so96094a91.1 for ; Wed, 09 Jul 2025 08:19:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1752074379; x=1752679179; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Wcfa2nGwbbtaI7wnik1JWU/+VekY/HOwIe18lzPDGo8=; b=BrOPRAGvIIYX2It5CH1P4xe/eNul55dEgAma941IkiLpsNtQsfUz4xH2jres422WTE gNQaxXI22ywtlAvIviAePyFg5yV2s9hZEfjwxkc2OW/+a5BkJSvW05+0IzjyGiPYLW8R 8GZbb+vIQNbzzMaqxZHJG5yaTMDIitTbQqevIgqQOz5vEn3xUcOyK4v2hJz8Qxup74Y7 mMNbi02gI2VRUU696abrny1DQFvr+xIQEIWHvSwgnToPU9kFwbQbBCGLPMfNv3wklkbm tAXFJgl7kY3gDbg3ObKi4PX4Jg1y4bTBAC+0wqFLL1sf1yHrFpA95Ht0JU0JUoE0Wcnx wzIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752074379; x=1752679179; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Wcfa2nGwbbtaI7wnik1JWU/+VekY/HOwIe18lzPDGo8=; b=enVDwt8wIVD2QoFYG4GIynEpYrEXEBTRkrrQcBnXNdvUqZ4AB26q3DlQbytwuBrwRy yS0WiP+Hx9TmHVZFuBK8bF6Xy7YsCSu/mmd10mA+EyuyrCDwnd1uAIE8oIeh/Ti4JfEM HXtGgEvVIctMuxr95gdnTxSdvy0kV+vNPvDeX6IZztAZ2Ajd+0BRxTsD6TSSidw4+byt TQOX6Yrj2HJpBD+mHMEnRLKseSQd9QoXprSBik9QG14t9CoSjKdrTXj5b42w5AlTJlg+ 7FF+p6oP78A5gSNzS16jvbZd7Mnj3owzM2bfuOK9sD6afsihZlFoDtG+zx5yIbZtjw33 UN+A== X-Gm-Message-State: AOJu0YyT8BynLVRk6HR6H0PIBcay0Lt5yc2pQYVKGUarH+YGa+qvJV59 v4OHopFqgkZASX/Qlq+zVyOQMmwsrnp7MjQ8zqrJ8Mc+5pZuKuRGn7QHUgPFQuBO4WBnmzh0Rs4 MYMCp X-Gm-Gg: ASbGncuPCgHzQDHMcgwk9LH/dOZJDkmZ/f1s8u+0AAP9jB58G4/6pxSpynxxm7QFFzi jNInYYmeYhEfJBpnYZO0k2zgl4swI3nRm/fnnKW3gZ6NunxD3IAznNxyLJgEuS7A3pBurKIPzn7 CQHG5sKXnAvFbDwaPtbcx9YOiBQlJx/kNmrhCNxi/btd4//8C46BGkH97SdmkdDpXXNizK/Ttuy /hy6387QsEa/XqvMC4rBqihJNdrOwd9FTCT5kf1WnDvLArVuiEvvefsc82yomNfcpR1LQmZwU4q B1ajFZ0MrzMcQVGtXlYZEmjPCOJW8BpK0Anw8Q8bKZ1P6DFoX98nSw== X-Google-Smtp-Source: AGHT+IFl6bLjc6SUcKrFbbKRoMHWLXcSH4w8u+6z+uJ4q1oMJcxA+ONZde9TSmNiMRBq+3MXQWyyIQ== X-Received: by 2002:a17:90b:510a:b0:313:f883:5d36 with SMTP id 98e67ed59e1d1-31c2fcc389amr4239760a91.1.1752074378513; Wed, 09 Jul 2025 08:19:38 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:a6e1:d218:3fcc:fd7d]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-31c3019e934sm2340536a91.33.2025.07.09.08.19.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jul 2025 08:19:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/11] linux-yocto/5.15: update to v5.15.186 Date: Wed, 9 Jul 2025 08:19:14 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 09 Jul 2025 15:19:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/220102 From: Bruce Ashfield Updating linux-yocto/5.15 to the latest korg -stable release that comprises the following commits: 3dea0e7f549e Linux 5.15.186 e3ff9f86cdb7 scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops 8e31c6cc3cba scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() 92750bfe7b0d arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() a9f6aab7910a perf: Fix sample vs do_exit() 4be8065eace7 s390/pci: Fix __pcilg_mio_inuser() inline assembly 6d7fcd8a7a42 bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE f02c9c448e50 net: Fix checksum update for ILA adj-transport ecbea1a5fec5 ext4: avoid remount errors with 'abort' mount option 1578f57a3fc3 ext4: make 'abort' mount option handling standard ef5706bed97e mm/huge_memory: fix dereferencing invalid pmd migration entry 956b5aebb349 net_sched: sch_sfq: reject invalid perturb period 6c589aa31802 net_sched: sch_sfq: move the limit validation 6b96d7a9e8e7 net_sched: sch_sfq: use a temporary work area for validating configuration 1b562b7f9231 net_sched: sch_sfq: don't allow 1 packet limit 548cf048b426 net_sched: sch_sfq: handle bigger packets 8a1eca898580 net_sched: sch_sfq: annotate data-races around q->perturb_period 98236b25d03f arm64: proton-pack: Add new CPUs 'k' values for branch mitigation df53d4187092 arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users 993f63239c21 arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs d759395f25ca arm64: spectre: increase parameters that can be used to turn off bhb mitigation individually fc061c32e327 arm64: proton-pack: Expose whether the branchy loop k value 005f3b7bd378 arm64: proton-pack: Expose whether the platform is mitigated by firmware 3af65d4123fe arm64: insn: Add support for encoding DSB 803228bb5ad9 arm64: insn: add encoders for atomic operations 0fc6db6d17bb arm64: move AARCH64_BREAK_FAULT into insn-def.h cebd765ba328 Revert "cpufreq: tegra186: Share policy per cluster" 9051e4373dd1 serial: sh-sci: Increment the runtime usage counter for the earlycon device ee195051be2d ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms 1a233520de8c ARM: dts: am335x-bone-common: Increase MDIO reset deassert time 57a00096a11b ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board ca3829c18c8d net: atm: fix /proc/net/atm/lec handling 17e156a94e94 net: atm: add lec_mutex dc724bd34d56 calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). 8595350615f9 tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer d54e0c077b7c tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior 1b0ad1870491 atm: atmtcp: Free invalid length skb in atmtcp_c_send(). d8cd847fb862 mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 527fad1ae32f wifi: carl9170: do not ping device which has failed to load firmware 5adc79cfdd21 ptp: fix breakage after ptp_vclock_in_use() rework b52215848977 net: ice: Perform accurate aRFS flow match ef0b5bbbed7f aoe: clean device rq_list in aoedev_downdev() f90220fc4a5f pldmfw: Select CRC32 when PLDMFW is selected ef3f3face5d0 hwmon: (occ) fix unaligned accesses a5537ce4a98a hwmon: (occ) Rework attribute registration for stack usage 6e757e3c5728 hwmon: (occ) Add soft minimum power cap attribute f4999111956a drm/nouveau/bl: increase buffer size to avoid truncate warning 3fc1401476cb drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate 760e9efae70f erofs: remove unused trace event erofs_destroy_inode a3d864c901a3 mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race 8410996eb6fe mm: hugetlb: independent PMD page table shared count 366298f2b04d mm/hugetlb: unshare page tables during VMA split, not before 37d49f91e523 iio: accel: fxls8962af: Fix temperature calculation 8f5fcf574eed ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged 639b31e38853 ALSA: hda/intel: Add Thinkpad E15 to PM deny list a8aec0d35e93 ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card a4a4abc818de Input: sparcspkr - avoid unannotated fall-through add2a8e193f3 block: default BLOCK_LEGACY_AUTOLOAD to y 1df80d748f98 HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() 287b4f085d2c atm: Revert atm_account_tx() if copy_from_iter_full() fails. 6500f360a435 selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len 06780dbaa929 selftests/x86: Add a test to detect infinite SIGTRAP handler loop 9d83ca27a634 udmabuf: use sgtable-based scatterlist wrappers 3f6e9a24abeb scsi: s390: zfcp: Ensure synchronous unit_add f65f2291e795 scsi: storvsc: Increase the timeouts to storvsc_timeout f41c62532877 jffs2: check jffs2_prealloc_raw_node_refs() result in few other places 4adee34098a6 jffs2: check that raw node were preallocated before writing summary 58f664614f8c drivers/rapidio/rio_cm.c: prevent possible heap overwrite a41f447cb27a Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older 96baba48722b powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery 25375f0d0b6c platform/x86: dell_rbu: Stop overwriting data buffer 07d7b8e7ef7d platform/x86: dell_rbu: Fix list usage b90dd5b12152 Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" dd89a7e18c9c tee: Prevent size calculation wraparound on 32-bit kernels a5cc6ccac4d9 ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY 73f3d6261ac4 bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value 04584bba3249 watchdog: da9052_wdt: respect TWDMIN 5e615cecf32e octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() 5badeca146b2 bpf, sockmap: Fix data lost during EAGAIN retries fecb2fc3fc10 i40e: fix MMIO write access to an invalid page in i40e_clear_hw cafc3c567e4e sock: Correct error checking condition for (assign|release)_proto_idx() d34f2384d6df scsi: lpfc: Use memcpy() for BIOS version eb295874a43c pinctrl: mcp23s08: Reset all pins to input at probe 56ce76e8d406 software node: Correct a OOB check in software_node_get_reference_args() 9d9513b44446 vxlan: Do not treat dst cache initialization errors as fatal 410a033bfa8c net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions c9bfb30b75c3 iommu/amd: Ensure GA log notifier callbacks finish running before module unload 7cf3c7bd83ee scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands 2fc2e9e865cc libbpf: Add identical pointer detection to btf_dedup_is_equiv() 59bbff4eedff clk: rockchip: rk3036: mark ddrphy as critical d7ef254e7207 wifi: mac80211: do not offer a mesh path if forwarding is disabled 0d4a81c341eb net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info 4bcc11448b16 pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() c871d2b85c57 pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() 0245c91f4fdc pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() 017035aaff2b pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() fbab07112a9e net: atlantic: generate software timestamp just before the doorbell c1ee5f16757a ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT 97033659fc83 tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows a7d4705f60b6 tcp: always seek for minimal rtt in tcp_rcv_rtt_update() 8ce9d65726d5 net: dlink: add synchronization for stats update ef1b88325c74 i2c: npcm: Add clock toggle recovery b08e4cebc034 cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs c0952a626fd9 sctp: Do not wake readers in __sctp_write_space() 70da1f7eb88a wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R add1804ea2e0 emulex/benet: correct command version selection in be_cmd_get_stats() b0e79c9cc207 i2c: designware: Invoke runtime suspend on quick slave re-registration d99e45521ebb tipc: use kfree_sensitive() for aead cleanup 722e716966c2 net: macb: Check return value of dma_set_mask_and_coherent() 1cf0a6f43399 cpufreq: Force sync policy boost with global boost on sysfs update ca41c10be569 thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for IP v2+ 9a317e436265 pmdomain: ti: Fix STANDBY handling of PER power domain 794b0efb20a8 nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults febbe1ce4c77 media: i2c: imx334: update mode_3840x2160_regs array bb97dfab7615 media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() 7a209e4b6b2a media: tc358743: ignore video while HPD is low ba5026e805cb drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB 0a51b85b9960 drm/msm/dpu: don't select single flush for active CTL blocks 4a8cb9908b51 jfs: Fix null-ptr-deref in jfs_ioc_trim 258c755b28f6 drm/amdgpu/gfx9: fix CSIB handling 7715a25c8930 drm/amdgpu/gfx8: fix CSIB handling 603c8dd458da ext4: prevent stale extent cache entries caused by concurrent get es_cache 05aba2d316db sunrpc: fix race in cache cleanup causing stale nextcheck time 979408dbd76f media: rkvdec: Initialize the m2m context before the controls f29503cd7a1e media: ti: cal: Fix wrong goto on error path 44618bee303b jfs: fix array-index-out-of-bounds read in add_missing_indices e3bb0c5a3071 ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in ext4_ext_remove_space() 5179d4cf092e drm/amdgpu/gfx7: fix CSIB handling 9cb5da9c83a8 media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition dc2aa8079d78 media: ccs-pll: Better validate VT PLL branch b6fa8b7b8a64 drm/amdgpu/gfx10: fix CSIB handling 1db83a0b4f1f media: i2c: imx334: Fix runtime PM handling in remove function 498e95513b5b drm/msm/a6xx: Increase HFI response timeout 6a4d3708dec4 drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() bc487c490b75 media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition b905b9926ee1 drm/msm/hdmi: add runtime PM calls to DDC transfer function fce2d5e2b3ce media: i2c: imx334: Enable runtime PM before sub-device registration bcc8724b34c5 drm/bridge: anx7625: change the gpiod_set_value API 66e84439ec2a exfat: fix double free in delayed_free 3742e777735a drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() fbee3fe40ca2 sunrpc: update nextcheck time when adding new cache entries 767e4d5300ea drm/amdgpu/gfx6: fix CSIB handling 767af6fc3787 ACPI: battery: negate current when discharging abd7d5fb3394 PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() 82608027b6e7 ASoC: tegra210_ahub: Add check to of_device_get_match_data() 64cc1a4a4440 ACPICA: utilities: Fix overflow check in vsnprintf() 6336d96ae88f power: supply: bq27xxx: Retrieve again when busy 960236150cd3 ACPICA: fix acpi parse and parseext cache leaks 49047b184f2b ACPI: bus: Bail out if acpi_kobj registration fails 15fa571eedf1 ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change 6448774d5889 ACPICA: Avoid sequence overread in call to strncmp() 106a648780bf clocksource: Fix the CPUs' choice in the watchdog per CPU verification 5a68893b594e ACPICA: fix acpi operand cache leak in dswstate.c bf68c0f4c75f iio: adc: ad7606_spi: fix reg write value mask 4b2fac04ed6f iio: imu: inv_icm42600: Fix temperature calculation e401d55901a8 iio: accel: fxls8962af: Fix temperature scan element sign fe551adf4bd3 PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() ff1283be679c PCI: Fix lock symmetry in pci_slot_unlock() a040e7effbb6 PCI: Add ACS quirk for Loongson PCIe 2fd7537ffd9c PCI: cadence-ep: Correct PBA offset in .set_msix() callback 8ec133fb054a uio_hv_generic: Use correct size for interrupt and monitor pages 3562c09feeb8 remoteproc: core: Release rproc->clean_table after rproc_attach() fails c56d6ef2711e remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() fbf3da023bd2 regulator: max14577: Add error check for max14577_read_reg() 5155f04287e5 mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS 2ec9fda98d1a staging: iio: ad5933: Correct settling cycles encoding per datasheet 9da3e442714f net: ch9200: fix uninitialised access during mii_nway_restart 6805582abb72 ftrace: Fix UAF when lookup kallsym after ftrace disabled 445e7055a68d dm-mirror: fix a tiny race condition ee3639385312 mtd: nand: sunxi: Add randomizer configuration before randomizer enable 45413b242513 mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk 6fe586c14d8f mm: fix ratelimit_pages update error in dirty_ratio_handler() 3b4a50d733ac RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction 74bc813d11c3 ipc: fix to protect IPCS lookups using RCU b0dba0c78323 clk: meson-g12a: add missing fclk_div2 to spicc 1fd94aa3fff0 parisc: fix building with gcc-15 bf9c07864765 vgacon: Add check for vc_origin address range in vgacon_scroll() 1a10d91766eb fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var 1ee9bab20949 EDAC/altera: Use correct write width with the INTTEST register ac6992f72bd8 NFC: nci: uart: Set tty->disc_data only in success path 38ef48a8afef f2fs: fix to do sanity check on sit_bitmap_size fbfe8446cd32 f2fs: prevent kernel warning due to negative i_nlink from corrupted image e5a2481dc2a0 Input: ims-pcu - check record size in ims_pcu_flash_firmware() a597a609bfd4 ext4: ensure i_size is smaller than maxbytes 9004a1cc5cfc ext4: factor out ext4_get_maxbytes() c6187eb191a2 ext4: fix calculation of credits for extent tree modification 9d1d1c5bf4fc ext4: inline: fix len overflow in ext4_prepare_inline_data 01cf92dfced5 bus: fsl-mc: fix GET/SET_TAILDROP command ids 0997566153bd bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device 7fc89c218fc9 ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 312c121beb9c can: tcan4x5x: fix power regulator retrieval during probe 516fdd430171 bus: mhi: host: Fix conflict between power_up and SYSERR 0e8878685902 ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 22441bf144ad ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() b592691f650c media: uvcvideo: Fix deferred probing error 739359516f96 media: uvcvideo: Send control events for partial succeeds e1019ff183fb media: uvcvideo: Return the number of processed controls 89b5ab822bf6 media: vivid: Change the siize of the composing 7e62be1f3b24 media: vidtv: Terminating the subsequent process of initialization failure 230c37b5948d media: videobuf2: use sgtable-based scatterlist wrappers 42f3fdd39fbd media: venus: Fix probe error handling 8b451a9a46f2 media: v4l2-dev: fix error handling in __video_register_device() a4c47df59539 media: gspca: Add error handling for stv06xx_read_sensor() 41807a5f6742 media: cxusb: no longer judge rbuf when the write fails 6f79b25ddfe9 media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case 0220fe256b44 media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div 64f7f8c362ab media: ccs-pll: Start OP pre-PLL multiplier search from correct value fe52765d1c90 media: ccs-pll: Start VT pre-PLL multiplier search from correct value 7fce1722991d media: ov8856: suppress probe deferral errors 55fed78e52fe wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 43d5e3bb5f1d jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() 0fccf5f01ed2 nfsd: Initialize ssc before laundromat_work to prevent NULL dereference 425efc6b3292 nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request 1f7f8168abe8 wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() 8d5510e94dab net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() ea4b1cb6561e net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() b0e86598e073 powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states 2023dea8dd9b ASoC: meson: meson-card-utils: use of_property_present() for DT parsing 190dcc1e3f6b ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() 5a16ebe0050e gfs2: move msleep to sleepable context e4da95e1246f crypto: marvell/cesa - Do not chain submitted requests 8cb51a55b26e configfs: Do not override creating attribute file failure in populate_attrs() 4ad892bdacb6 xfs: allow inode inactivation during a ro mount log recovery 7eac413a3ea3 kbuild: hdrcheck: fix cross build with clang 1b8763684529 kbuild: userprogs: fix bitsize and target detection on clang 117ea3f4e59c drm/meson: Use 1000ULL when operating with mode->clock 56e5419b5f5c net: usb: aqc111: debug info before sanitation 3f77ba79a36d calipso: unlock rcu before returning -EAFNOSUPPORT 2dace5e016c9 x86/iopl: Cure TIF_IO_BITMAP inconsistencies 2a04a591170f xen/arm: call uaccess_ttbr0_enable for dm_op hypercall e67c0dac405a usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() 8bc30532b978 usb: Flush altsetting 0 endpoints before reinitializating them after reset. f78b3fdd2c7f usb: cdnsp: Fix issue with detecting USB 3.2 speed 8c65ca53c2e6 usb: cdnsp: Fix issue with detecting command completion event b4209e4b778e VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify 6d929bef6bda usb: usbtmc: Fix read_stb function and get_stb ioctl 4751118c3ed8 drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang 510ce6a1393c kbuild: Add KBUILD_CPPFLAGS to as-option invocation 0690824cc325 kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS f85d6a08cc9f kbuild: Add CLANG_FLAGS to as-instr d36719f29376 mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation d08146795689 drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang cefb372db498 kbuild: Update assembler calls to use proper flags and language target 3b68784d1439 MIPS: Prefer cc-option for additions to cflags 3ef47d2b7a41 MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option aaf384815bc1 x86/boot/compressed: prefer cc-option for CFLAGS additions 2f3daa04a932 posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() c8c4f0c2684a ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 4a07125cc40d perf: Ensure bpf_perf_link path is properly serialized 929d62e86f0c nvmet-fcloop: access fcpreq only when holding reqlock 64007aab1cf6 fs/filesystems: Fix potential unsigned integer underflow in fs_name() 0b479d0aa488 net_sched: ets: fix a race in ets_qdisc_change() 52247723c300 sch_ets: make est_qlen_notify() idempotent 852d27f773a7 net_sched: tbf: fix a race in tbf_change() 110a47efcf23 net_sched: red: fix a race in __red_change() 20f68e6a9e41 net_sched: prio: fix a race in prio_tune() dc84c55f121d net/mlx5: Fix return value when searching for existing flow group 7ec31c2003f9 net/mlx5: Ensure fw pages are always allocated on same NUMA 014ad9210373 net/mdiobus: Fix potential out-of-bounds read/write access 694456462ed6 net: mdio: C22 is now optional, EOPNOTSUPP if not provided 268625b73e4c macsec: MACsec SCI assignment for ES = 0 6fa68d7eab34 net: Fix TOCTOU issue in sk_is_readable() 15e46043bc46 i40e: retry VFLR handling if there is ongoing VF reset 5008c550c634 i40e: return false from i40e_reset_vf if reset is in progress 597b481ca1ce drm/meson: fix more rounding issues with 59.94Hz modes bd27ff504e4d drm/meson: use vclk_freq instead of pixel_freq in debug print f5d21eae4d7c drm/meson: fix debug log statement when setting the HDMI clocks 363e63997798 drm/meson: use unsigned long long / Hz for frequency types 7298df96179b powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() 81260c41b518 powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap 5814a7fc3abb net_sched: sch_sfq: fix a potential crash on gso_skb handling 75ad1ca646ee scsi: iscsi: Fix incorrect error path labels for flashnode operations 5c89dc8c3461 ath10k: snoc: fix unbalanced IRQ enable in crash recovery 5d217e7031a5 ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() f592eb12b43f scsi: core: ufs: Fix a hang in the error handler 5f30a81fc188 serial: sh-sci: Clean sci_ports[0] after at earlycon exit b7f05abd60f0 serial: sh-sci: Move runtime PM enable to sci_probe_single() 7857505af578 serial: sh-sci: Check if TX data was written to device in .tx_empty() e82d6c45db4f arm64: dts: ti: k3-am65-main: Add missing taps to sdhci0 c3b4bc986af5 arm64: dts: ti: k3-am65-main: Fix sdhci node properties 29f0cd61d6b5 arm64: dts: ti: k3-am65-main: Drop deprecated ti,otap-del-sel property f3c2b179b413 Input: synaptics-rmi - fix crash with unsupported versions of F34 17e5ca8ef81c Input: synaptics-rmi4 - convert to use sysfs_emit() APIs ef0c767a559b pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() 432a171d6005 do_change_type(): refuse to operate on unmounted/not ours mounts eb34dc108e3e fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) 668923c47460 seg6: Fix validation of nexthop addresses 18e65229a328 wireguard: device: enable threaded NAPI b5ad58285f92 netfilter: nf_set_pipapo_avx2: fix initial map fill ae98a1787fdc gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO 277006dd681e PM: sleep: Fix power.is_suspended cleanup for direct-complete devices 61f418cd4ea5 vmxnet3: correctly report gso type for UDP tunnels 6ef8dfb1b68f net: dsa: tag_brcm: legacy: fix pskb_may_pull length d94c6f53b0a7 ice: create new Tx scheduler nodes for new queues only 96bc5ce57b16 Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION 02f56169e6eb spi: bcm63xx-hsspi: fix shared reset bb9c9e989a80 spi: bcm63xx-spi: fix shared reset 417e17c44f3d net/mlx4_en: Prevent potential integer overflow calculating Hz 605f09ae583e driver: net: ethernet: mtk_star_emac: fix suspend/resume issue e0b11227c4e8 net: tipc: fix refcount warning in tipc_aead_encrypt 54e7ce239d69 gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt 28dd08343cc5 net: stmmac: platform: guarantee uniqueness of bus_id dae5b8818593 vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() 38c5712df50d MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a 2659abc74cb3 iio: adc: ad7124: Fix 3dB filter frequency reading 19fd9f5a6936 serial: Fix potential null-ptr-deref in mlb_usio_probe() 0a1e16a6cbf4 usb: renesas_usbhs: Reorder clock handling and power management in probe 6c1344a5bb1c PCI/DPC: Initialize aer_err_info before using it 9f133e04c622 dmaengine: ti: Add NULL check in udma_probe() 3e7061f62bd7 PCI: cadence: Fix runtime atomic count underflow 19f0d83e1450 rtc: sh: assign correct interrupts with DT 92270f14a8c1 nfs: ignore SB_RDONLY when remounting nfs 3293cc462518 nfs: clear SB_RDONLY before getting superblock 477c4882e53e perf record: Fix incorrect --user-regs comments 00b96ed79bce perf tests switch-tracking: Fix timestamp comparison f93ea1e5e185 mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE f79f8d8dda3a mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() e009779acc04 rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() e8461ec67a36 remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe 8d39a6fd9843 perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 9d06ac32c202 backlight: pm8941: Add NULL check in wled_configure() 07a4014cc66b perf ui browser hists: Set actions->thread before calling do_zoom_thread() c6dbaf7e31cb perf build: Warn when libdebuginfod devel files are not available 2d63433e8eaa fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() 1fd889c14572 soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() 0fab016dc4aa soc: aspeed: lpc: Fix impossible judgment condition 3a2249e91547 arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou 26e868438691 ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device 7002b954c4a8 bus: fsl-mc: fix double-free on mc_dev 1ce784ddfb31 nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() c155d46ff02c nilfs2: add pointer check for nilfs_direct_propagate() 1a955db41131 ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery 5c51aa862cbe Squashfs: check return result of sb_min_blocksize ca87e905ff3c arm64: dts: imx8mn-beacon: Fix RTC capacitive load 485f23661881 arm64: dts: imx8mm-beacon: Fix RTC capacitive load d274c1372926 ARM: dts: at91: at91sam9263: fix NAND chip selects dac5dfede03f ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select 8636cafb2c67 f2fs: fix to correct check conditions in f2fs_cross_rename e61079985c54 f2fs: use d_inode(dentry) cleanup dentry->d_inode 92dd2d870e7b net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames ad17eb86d042 net: openvswitch: Fix the dead loop of MPLS parse 26ce90f1ce60 calipso: Don't call calipso functions for AF_INET sk. 7d589b470f39 net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy e7fb4ebee6e9 bpf: Avoid __bpf_prog_ret0_warn when jit fails f398d2dfe450 net: usb: aqc111: fix error handling of usbnet read calls 42a44e25eee4 netfilter: nft_tunnel: fix geneve_opt dump 4edb40b05cb6 bpf, sockmap: Avoid using sk_socket after free when sending d796723b1481 vfio/type1: Fix error unwind in migration dirty bitmap allocation 83c1ed5c83ca netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy 7ee3fb6258da wifi: ath9k_htc: Abort software beacon handling if disabled 1ee8ea6937d1 wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds 7f9efa13f2af s390/bpf: Store backchain even for leaf progs 2b901bf2fa23 clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz ee90be48edb3 bpf: Fix WARN() in get_bpf_raw_tp_regs 2ecafe59668d pinctrl: at91: Fix possible out-of-boundary access 12cda7fcc4cf libbpf: Use proper errno value in nlattr 2fef0e86682f ktls, sockmap: Fix missing uncharge operation 54ce9bcdaee5 clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() c22099a64880 clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs 9c5268e5d633 bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ f9784da76ad7 RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction e9022196bdbe netfilter: nft_quota: match correctly when the quota just depleted ba18b0b9272f netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it c6c7e7ab962b libbpf: Use proper errno value in linker a6412e93cf4a f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() ce6849b76dad f2fs: clean up w/ fscrypt_is_bounce_page() 65b935d4e5c4 iommu: Protect against overflow in iommu_pgsize() 5c3e52ab7887 RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h f1ba4e35fb3f wifi: rtw88: do not ignore hardware read error during DPK 6dfe62db59f3 libbpf: Fix buffer overflow in bpf_object__init_prog f4b0ce074bd6 net: ncsi: Fix GCPS 64-bit member variables 6a324d77f7ea f2fs: fix to do sanity check on sbi->total_valid_block_count d6181bd1dfa1 bpf, sockmap: fix duplicated data transmission 2160dcc38acf IB/cm: use rwlock for MAD agent lock f9507cf2dd0e wifi: ath11k: fix node corruption in ar->arvifs list e74b9a7269aa firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES 809b522315a0 drm/tegra: rgb: Fix the unbound reference count afc9153b1e57 drm/vkms: Adjust vkms_state->active_planes allocation type 58d0e3088812 drm: rcar-du: Fix memory leak in rcar_du_vsps_init() 39044a10d912 selftests/seccomp: fix syscall_restart test for arm compat 7287af1ec4d3 firmware: psci: Fix refcount leak in psci_dt_init 1b6780143d59 m68k: mac: Fix macintosh_config for Mac II 5390b3d4c6d4 fs/ntfs3: handle hdr_first_de() return value 892a242ca5b1 media: rkvdec: Fix frame size enumeration 85cdcb834fb4 drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table 259b74c2b329 spi: sh-msiof: Fix maximum DMA transfer size cfc61c34077e ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" 92322500c1aa x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() 3319b48d1ba2 PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() b227c27359a0 power: reset: at91-reset: Optimize at91_reset() bf6a8502a5f4 EDAC/skx_common: Fix general protection fault 03657814c828 crypto: sun8i-ce - move fallback ahash_request to the end of the struct 02b661940874 crypto: xts - Only add ecb if it is not already there 200b752c0066 crypto: lrw - Only add ecb if it is not already there 9bacddcf6886 crypto: marvell/cesa - Avoid empty transfer descriptor e1cc69da6195 crypto: marvell/cesa - Handle zero-length skcipher requests c798023fa973 x86/cpu: Sanitize CPUID(0x80000000) output ada335e8475d crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions fb2671376bbf perf/core: Fix broken throttling when max_samples_per_tick=1 333f2d85b615 gfs2: gfs2_create_inode error handling fix 2f62eda4d974 thunderbolt: Do not double dequeue a configuration request 2e74fd21b845 usb: usbtmc: Fix timeout value in get_stb 547f3e678922 USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB 3f1aac91fc36 usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device cfd327ad2e00 usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE 0188c74bf3ac rtc: Fix offset calculation for .start_secs < 0 c360f8ff1bef rtc: Make rtc_time64_to_tm() support dates before 1970 6df0e243e757 acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() e0a83d422a18 pinctrl: armada-37xx: set GPIO output value before setting direction bb9578e9f35f pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 ebf6f96c7993 tracing: Fix compilation warning on arm32 1c700860e8bc Linux 5.15.185 dcbee1061a46 perf/arm-cmn: Initialise cmn->cpu earlier dcb08fd2c6cb platform/x86: thinkpad_acpi: Ignore battery threshold change event notification dbc155cf4e70 platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys 961caaf8ad35 tpm: tis: Double the timeout B to 4s 1706ef825254 nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro 128b5f020651 spi: spi-sun4i: fix early activation 4916624695c0 um: let 'make clean' properly clean underlying SUBARCH as well 13108bf19da5 platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS 49c13288c919 nfs: don't share pNFS DS connections between net namespaces 5c46ec760d3b HID: quirks: Add ADATA XPG alpha wireless mouse support 1686594d7285 coredump: hand a pidfd to the usermode coredump helper 5ff7313a1f45 fork: use pidfd_prepare() 7f8c3fd203fd pid: add pidfd_prepare() b06450fb3e73 coredump: fix error handling for replace_fd() 2c928b3a0b04 net_sched: hfsc: Address reentrant enqueue adding class to eltree twice cc6790f4b085 arm64: dts: qcom: sm8350: Fix typo in pil_camera_mem node 9fdb86f0bf65 smb: client: Reset all search buffer pointers when releasing buffer 1b197931fbc8 smb: client: Fix use-after-free in cifs_fill_dirent 5492aaea844e x86/its: Fix undefined reference to cpu_wants_rethunk_at() 8f8637b9d26d drm/i915/gvt: fix unterminated-string-initialization warning 3c2729dfcf30 xen/swiotlb: relax alignment requirements 34901631e6e3 i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() 9d678b2976ec kbuild: Disable -Wdefault-const-init-unsafe 0e0cf836cfe4 spi: spi-fsl-dspi: Reset SR flags before sending a new message a3a147ef6d02 spi: spi-fsl-dspi: Halt the module after a new message transfer 0e989441cfbc spi: spi-fsl-dspi: restrict register range for regmap access 6fd4a4cb3ca1 Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection" c6da28bc4e1f mm/page_alloc.c: avoid infinite retries caused by cpuset race 5dcdbb69aa3a memcg: always call cond_resched() after fn() ff887e77b777 Revert "drm/amd: Keep display off while going into S4" 26d20ea0f233 drm/edid: fixed the bug that hdr metadata was not reset fb7cde625872 platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() 0f5d93ee3f8b llc: fix data loss when reading from a socket in llc_ui_recvmsg() 10217da9644a ALSA: pcm: Fix race of buffer access at PCM OSS layer 0622846db728 can: bcm: add missing rcu read protection for procfs content fbd8fdc2b218 can: bcm: add locking for bcm_op runtime updates 1a426abdf1c8 padata: do not leak refcount in reorder_work c3059d58f79f crypto: algif_hash - fix double free in hash_accept 24f942d9820b octeontx2-af: Set LMT_ENA bit for APR table entries f5c2c4eaaa5a net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done 89c301e929a0 sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() 207dabae49b2 net: dwmac-sun8i: Use parsed internal PHY address instead of 1 ec180b032459 bridge: netfilter: Fix forwarding of fragmented packets 069cbc318de5 Bluetooth: L2CAP: Fix not checking l2cap_chan security level 0995986ffd5e xfrm: Sanitize marks before insert 6a39058059f6 remoteproc: qcom_wcnss: Fix on platforms without fallback regulators f6d45fd92f62 __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock 769dd92ef97e xenbus: Allow PVH dom0 a non-local xenstore a876703894a6 btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref fc01b547c3f8 nvmet-tcp: don't restore null sk_state_change 7bd0049e9699 ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx e3bf273d9ad7 ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 2568cf939a64 pinctrl: meson: define the pull up/down resistor value as 60 kOhm 64ca70dee2cc ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() 39db9b5a1673 drm: Add valid clones check 85a8dfc77227 drm/atomic: clarify the rules around drm_atomic_state->allow_modeset a0d2f4905b16 wifi: ath9k: return by of_get_mac_address 8d278ad829c2 regulator: ad5398: Add device tree support 8ed3d1784774 spi: zynqmp-gqspi: Always acknowledge interrupts d2c65c8be7a1 wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate 3b61fb788954 perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt 15c799f7f8e1 bpftool: Fix readlink usage in get_fd_type 164beeabcb1b drm/ast: Find VBIOS mode from regular display size d6fd1eee0767 HID: usbkbd: Fix the bit shift number for LED_KANA 2c6387f545be scsi: st: Restore some drive settings after reset 7e25573e1ac5 scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine 1f66789ad7de net/mana: fix warning in the writer of client oob 39ea4ca9d39a rcu: fix header guard for rcu_all_qs() b4d9a18fc87f rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y 41097ac64d0d r8169: don't scan PHY addresses > 0 e033da39fc6a vxlan: Annotate FDB data races 4d20b4a861af media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available eae500bc8dcc hwmon: (xgene-hwmon) use appropriate type for the latency value 7b99233dda9b clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs 3373abfa5d29 wifi: rtw88: Fix download_firmware_validate() for RTL8814AU c47f92ee6cfb r8152: add vendor/device ID pair for Dell Alienware AW1022z 14298c88e2dd ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). 4d87acf13f28 arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src 711734c77fe4 wifi: mac80211: remove misplaced drv_mgd_complete_tx() call 11ab6d6ee7d8 wifi: mac80211: don't unconditionally call drv_mgd_complete_tx() e42329d27770 net/mlx5e: reduce rep rxq depth to 256 for ECPF a411de3091f6 net/mlx5e: set the tx_queue_len for pfifo_fast c74b91453b8c net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB 99b713f4b7df drm/amd/display: Initial psr_version with correct setting cc958022666c drm/amdgpu: reset psp->cmd to NULL after releasing the buffer c48f7855988f phy: core: don't require set_mode() callback for phy_get_mode() to work c8128c04193b net/mlx4_core: Avoid impossible mlx4_db_alloc() order value 485dc9ef39f7 media: v4l: Memset argument to 0 before calling get_mbus_config pad op b4e81a758035 smack: recognize ipv4 CIPSO w/o categories 8de1d394e31e pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map b45a50fc1f4e ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() d95e6cf0df39 ASoC: tas2764: Power up/down amp on mute ops c1f0a98342d4 ASoC: ops: Enforce platform maximum on initial value d5db6ffb03fa net/mlx5: Apply rate-limiting to high temperature warning 937b9c41cc71 net/mlx5: Modify LSB bitmask in temperature event to include only the first bit 5611b5f79836 ACPI: HED: Always initialize before evged 94afbd920a51 PCI: Fix old_size lower bound in calculate_iosize() too af8431851b8e eth: mlx4: don't try to complete XDP frames in netpoll 30064eee8fe7 can: c_can: Use of_property_present() to test existence of DT property fc173cada345 RDMA/core: Fix best page size finding when it can cross SG entries 288813ddcc21 EDAC/ie31200: work around false positive build warning 128cdb617a87 net: pktgen: fix access outside of user given buffer in pktgen_thread_write() b2334244a421 wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 211539ee8d46 wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU 94ba815f5110 wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU f0b5f65aebcc scsi: mpt3sas: Send a diag reset if target reset fails 85cd3f245c15 clocksource: mips-gic-timer: Enable counter when CPUs start 51d70446278a MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core 6fd978a7117e MIPS: Use arch specific syscall name match function 9a3f2d08291b x86/kaslr: Reduce KASLR entropy on most x86 systems 17cf6821b758 libbpf: Fix out-of-bound read 14790abc8779 cpuidle: menu: Avoid discarding useful information 2579ca741b84 x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() 5eb9da3b7d2e drm/amd/display: handle max_downscale_src_width fail check eee2fb58449f x86/build: Fix broken copy command in genimage.sh when making isoimage db5833217f13 soc: ti: k3-socinfo: Do not use syscon helper to build regmap 32de1542f467 bonding: report duplicate MAC address in all situations 5fe40d499f50 net: xgene-v2: remove incorrect ACPI_PTR annotation cfc5a07f9330 drm/amdkfd: KFD release_work possible circular locking 2e04e067d4d6 selftests/net: have `gro.sh -t` return a correct exit code 2c48a122fa0a net/mlx5: Avoid report two health errors on same syndrome 97bab02f0b64 firmware: arm_ffa: Set dma_mask for ffa devices f5b5945c0bf2 PCI: brcmstb: Add a softdep to MIP MSI-X driver ee8274d80151 PCI: brcmstb: Expand inbound window size up to 64GB 0a9022295477 fpga: altera-cvp: Increase credit timeout 55883a34d309 drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence b5c0bd07a48f ARM: at91: pm: fix at91_suspend_finish for ZQ calibration e62a64a000ba hwmon: (gpio-fan) Add missing mutex locks 4fc2d289b3cc x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 c953cea9035c clk: imx8mp: inform CCF of maximum frequency of clocks 1bd5406866d0 media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map e88247716dd7 ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). 674b969287f4 net: pktgen: fix mpls maximum labels list parsing c3a1354b631d net: ethernet: ti: cpsw_new: populate netdev of_node b91a5652610b pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" c91447e35b9b media: cx231xx: set device_caps for 417 fb26963bd247 drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c 654c295f9079 remoteproc: qcom_wcnss: Handle platforms with only single power domain 5111227d7f1f orangefs: Do not truncate file size 025c8f477625 dm cache: prevent BUG_ON by blocking retries on failed device resumes 246346230486 media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() 5753a20bf23c ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 8f12fab5a765 ieee802154: ca8210: Use proper setters and getters for bitwise types cc29d05861d0 rtc: ds1307: stop disabling alarms on probe f7dd2a729049 tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() 5cb296e94210 powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 d3bb3258d105 arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator 4b173bb2c466 crypto: lzo - Fix compression buffer overrun 2592aeda794c cpufreq: tegra186: Share policy per cluster f6535bc6556d ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() bc23966b90d9 auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" 2b572c409811 ipv6: save dontfrag in cork 1acb22d09f5c mmc: sdhci: Disable SD card clock before changing parameters 8d52676f791d arm64/mm: Check PUD_TYPE_TABLE in pud_bad() 066675bb11ab netfilter: conntrack: Bound nf_conntrack sysctl writes 3695ade72a9b timer_list: Don't use %pK through printk() 1351995ba665 posix-timers: Add cond_resched() to posix_timer_add() search loop 1a8df82d201e RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() 7258b92ceff3 xen: Add support for XenServer 6.1 platform device 8dbcb21f0926 dm: restrict dm device size to 2^63-512 bytes 91628988aca3 crypto: octeontx2 - suppress auth failure screaming due to negative tests 49a99ccec1c8 kbuild: fix argument parsing in scripts/config ac8fbc318cec ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect 317615342d2a rtc: rv3032: fix EERD location fe5a5b9d1441 tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() fa7183cc13dd vfio/pci: Handle INTx IRQ_NOTCONNECTED 8f070ca005e4 scsi: st: ERASE does not change tape location 84e7b679f8d6 scsi: st: Tighten the page format heuristics with MODE SELECT db03d5b2db5c ext4: reorder capability check last 1ad3d069cf4d um: Update min_low_pfn to match changes in uml_reserved 3eac35c34a98 um: Store full CSGSFS and SS register from mcontext fdcd142d310c dlm: make tcp still work in multi-link env 30748ce7e156 i3c: master: svc: Fix missing STOP for master request ce8d1993b122 btrfs: send: return -ENAMETOOLONG when attempting a path that is too long 0175d448b2f8 btrfs: get zone unusable bytes while holding lock at btrfs_reclaim_bgs_work() 23a2379b0dd9 btrfs: avoid linker error in btrfs_find_create_tree_block() e98cb12ba84d btrfs: make btrfs_discard_workfn() block_group ref explicit 74314f8937ea i2c: pxa: fix call balance of i2c->clk handling routines d18963f219b3 i2c: qup: Vote for interconnect bandwidth to DRAM 7887df0fe9ec wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 4b62412e985c mmc: host: Wait for Vdd to settle on card power off f49c337037df libnvdimm/labels: Fix divide error in nd_label_data_init() c7af649198dc PCI: vmd: Disable MSI remapping bypass under Xen 18282d8518bf pNFS/flexfiles: Report ENETDOWN as a connection error 0ea65822090b tools/build: Don't pass test log files to linker 11c24ad1ffde PCI: dwc: ep: Ensure proper iteration over outbound map windows ed30141557d1 lockdep: Fix wait context check on softirq for PREEMPT_RT 0a474eaf3574 dql: Fix dql->limit value when reset. 897a205ffc43 thermal/drivers/qoriq: Power down TMU on system suspend 2328a3bf513c SUNRPC: rpcbind should never reset the port to the value '0' 8a72549eaf12 SUNRPC: rpc_clnt_set_transport() must not change the autobind setting 01d50dfae8e9 NFSv4: Treat ENETUNREACH errors as fatal for state recovery 552baa350a2f fbdev: core: tileblit: Implement missing margin clearing for tileblit 442192330096 fbcon: Use correct erase colour for clearing in fbcon 5caaec485f37 fbdev: fsl-diu-fb: add missing device_remove_file() 84a2fccac8c8 mailbox: use error ret code of of_parse_phandle_with_args() 236bad68c007 tracing: Mark binary printing functions with __printf() attribute 2272e75d7a80 NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() f41f9ce3c709 kconfig: merge_config: use an empty file as initfile bc9f8527198a samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora af8a8fce197b bpf: fix possible endless loop in BPF map iteration 2391dc87e84a net: enetc: refactor bulk flipping of RX buffers to separate function 0b18c3a17bc7 cgroup: Fix compilation issue due to cgroup_mutex not being exported 41c810a06470 dma-mapping: avoid potential unused data compilation warning 02d2d6caee3a virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN 019ca2804f3f scsi: target: iscsi: Fix timeout on deleted connection Signed-off-by: Bruce Ashfield Signed-off-by: Steve Sakoman --- .../linux/linux-yocto-rt_5.15.bb | 6 ++--- .../linux/linux-yocto-tiny_5.15.bb | 6 ++--- meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb index 2f6af169f4..73c3264016 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "90d8b830089647dcc97fd836c4f1fde65f24f6d6" -SRCREV_meta ?= "9c4fc176eca557a5763bda2831fa5ea2985fadeb" +SRCREV_machine ?= "76da2cf32fe004e10f581744496e71547d0a4361" +SRCREV_meta ?= "5932fcfa6982f5b86a13849b84ef3d80a557a030" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.15.184" +LINUX_VERSION ?= "5.15.186" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb index 0abc849545..0aa51c512c 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb @@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.15.184" +LINUX_VERSION ?= "5.15.186" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "660c504885ff7bd0edf06980c19539373e6bba05" -SRCREV_meta ?= "9c4fc176eca557a5763bda2831fa5ea2985fadeb" +SRCREV_machine ?= "4175c60a7b8e282d802be846bae75eeba398969e" +SRCREV_meta ?= "5932fcfa6982f5b86a13849b84ef3d80a557a030" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/meta/recipes-kernel/linux/linux-yocto_5.15.bb index 5bc6082e4d..43d77045bb 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.15.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.15.bb @@ -14,24 +14,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base" KBRANCH:qemux86-64 ?= "v5.15/standard/base" KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "27eaa24a0448c2ec0a7402e76fd208b6e2998eda" -SRCREV_machine:qemuarm64 ?= "f97f77899cbaf0bd844d15f9eeceac0ead4c8a76" -SRCREV_machine:qemumips ?= "a76e6f5b3fe8e298e66874f5e7e03acc3a0097ca" -SRCREV_machine:qemuppc ?= "1fc08762bbe900514d2a810a1b48d70e8c3f045e" -SRCREV_machine:qemuriscv64 ?= "9a9d15d3fcaa246682b1283a37af48a9c71b6b13" -SRCREV_machine:qemuriscv32 ?= "9a9d15d3fcaa246682b1283a37af48a9c71b6b13" -SRCREV_machine:qemux86 ?= "9a9d15d3fcaa246682b1283a37af48a9c71b6b13" -SRCREV_machine:qemux86-64 ?= "9a9d15d3fcaa246682b1283a37af48a9c71b6b13" -SRCREV_machine:qemumips64 ?= "19e099ff3a9f78fe5f88c4dc44ab4f28b2981c25" -SRCREV_machine ?= "9a9d15d3fcaa246682b1283a37af48a9c71b6b13" -SRCREV_meta ?= "9c4fc176eca557a5763bda2831fa5ea2985fadeb" +SRCREV_machine:qemuarm ?= "d93c7fcf604b572bf93497e00017f9cf34fa34c7" +SRCREV_machine:qemuarm64 ?= "9e9701d7239420165b342f3c363961ee3040a91e" +SRCREV_machine:qemumips ?= "be5800a6d9002fd12668c0f8ada68ad7cab4398c" +SRCREV_machine:qemuppc ?= "6fa52ff2eb31c6855f51a0d4f96339c50437d139" +SRCREV_machine:qemuriscv64 ?= "48702d462c58d69b4b382bb34984f2f0881d0bb1" +SRCREV_machine:qemuriscv32 ?= "48702d462c58d69b4b382bb34984f2f0881d0bb1" +SRCREV_machine:qemux86 ?= "48702d462c58d69b4b382bb34984f2f0881d0bb1" +SRCREV_machine:qemux86-64 ?= "48702d462c58d69b4b382bb34984f2f0881d0bb1" +SRCREV_machine:qemumips64 ?= "bb909213f7e13fd17e39d95e5d1b646a7b0bacf2" +SRCREV_machine ?= "48702d462c58d69b4b382bb34984f2f0881d0bb1" +SRCREV_meta ?= "5932fcfa6982f5b86a13849b84ef3d80a557a030" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the /base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "98f47d0e9b8c557d3063d3ea661cbea1489af330" +SRCREV_machine:class-devupstream ?= "1c700860e8bc079c5c71d73c55e51865d273943c" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v5.15/base" @@ -39,7 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.15.184" +LINUX_VERSION ?= "5.15.186" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native"