From patchwork Tue Aug 5 16:43:33 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 68096
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/4] avahi: fix CVE-2024-52615 Date: Tue, 5 Aug 2025 09:43:33 -0700 Message-ID: <7bd9fee6d654326ea921b51113de99f793e11545.1754412086.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Aug 2025 16:43:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221480 From: Zhang Peng CVE-2024-52615: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-52615] [https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g] Upstream patches: [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] Signed-off-by: Zhang Peng Signed-off-by: Steve Sakoman --- meta/recipes-connectivity/avahi/avahi_0.8.bb | 1 + .../avahi/files/CVE-2024-52615.patch | 228 ++++++++++++++++++ 2 files changed, 229 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index b3739ad2c0..20b2791ef3 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -36,6 +36,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV} file://CVE-2023-38472.patch \ file://CVE-2023-38473.patch \ file://CVE-2024-52616.patch \ + file://CVE-2024-52615.patch \ " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch new file mode 100644 index 0000000000..9737f52837 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch 
@@ -0,0 +1,228 @@ +From 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 27 Nov 2024 18:07:32 +0100 +Subject: [PATCH] core/wide-area: fix for CVE-2024-52615 + +CVE: CVE-2024-52615 +Upstream-Status: Backport [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942] + +Signed-off-by: Zhang Peng +--- + avahi-core/wide-area.c | 128 ++++++++++++++++++++++------------------- + 1 file changed, 69 insertions(+), 59 deletions(-) + +diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c +index 00a15056e..06df7afc6 100644 +--- a/avahi-core/wide-area.c ++++ b/avahi-core/wide-area.c +@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup { + + AvahiAddress dns_server_used; + ++ int fd; ++ AvahiWatch *watch; ++ AvahiProtocol proto; ++ + AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups); + AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key); + }; +@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup { + struct AvahiWideAreaLookupEngine { + AvahiServer *server; + +- int fd_ipv4, fd_ipv6; +- AvahiWatch *watch_ipv4, *watch_ipv6; +- + /* Cache */ + AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache); + AvahiHashmap *cache_by_key; +@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i + return l; + } + ++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata); ++ + static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) { ++ AvahiWideAreaLookupEngine *e; + AvahiAddress *a; ++ AvahiServer *s; ++ AvahiWatch *w; ++ int r; + + assert(l); + assert(p); + +- if (l->engine->n_dns_servers <= 0) ++ e = l->engine; ++ assert(e); ++ ++ s = e->server; ++ assert(s); ++ ++ if (e->n_dns_servers <= 0) + return -1; + +- assert(l->engine->current_dns_server < l->engine->n_dns_servers); ++ assert(e->current_dns_server < e->n_dns_servers); + +- a = &l->engine->dns_servers[l->engine->current_dns_server]; ++ a = 
&e->dns_servers[e->current_dns_server]; + l->dns_server_used = *a; + +- if (a->proto == AVAHI_PROTO_INET) { ++ if (l->fd >= 0) { ++ /* We are reusing lookup object and sending packet to another server so let's cleanup before we establish connection to new server. */ ++ s->poll_api->watch_free(l->watch); ++ l->watch = NULL; + +- if (l->engine->fd_ipv4 < 0) +- return -1; ++ close(l->fd); ++ l->fd = -EBADF; ++ } + +- return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT); ++ assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6); + +- } else { +- assert(a->proto == AVAHI_PROTO_INET6); ++ if (a->proto == AVAHI_PROTO_INET) ++ r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1; ++ else ++ r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1; + +- if (l->engine->fd_ipv6 < 0) +- return -1; ++ if (r < 0) { ++ avahi_log_error(__FILE__ ": Failed to create socket for wide area lookup"); ++ return -1; ++ } + +- return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT); ++ w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, l); ++ if (!w) { ++ close(r); ++ avahi_log_error(__FILE__ ": Failed to create socket watch for wide area lookup"); ++ return -1; + } ++ ++ l->fd = r; ++ l->watch = w; ++ l->proto = a->proto; ++ ++ return a->proto == AVAHI_PROTO_INET ? 
++ avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT): ++ avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT); + } + + static void next_dns_server(AvahiWideAreaLookupEngine *e) { +@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new( + l->dead = 0; + l->key = avahi_key_ref(key); + l->cname_key = avahi_key_new_cname(l->key); ++ l->fd = -EBADF; ++ l->watch = NULL; ++ l->proto = AVAHI_PROTO_UNSPEC; + l->callback = callback; + l->userdata = userdata; + +@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) { + if (l->cname_key) + avahi_key_unref(l->cname_key); + ++ if (l->watch) ++ l->engine->server->poll_api->watch_free(l->watch); ++ ++ if (l->fd >= 0) ++ close(l->fd); ++ + avahi_free(l); + } + +@@ -572,14 +614,20 @@ static void handle_packet(AvahiWideAreaLookupEngine *e, AvahiDnsPacket *p) { + } + + static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) { +- AvahiWideAreaLookupEngine *e = userdata; ++ AvahiWideAreaLookup *l = userdata; ++ AvahiWideAreaLookupEngine *e = l->engine; + AvahiDnsPacket *p = NULL; + +- if (fd == e->fd_ipv4) +- p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, NULL); ++ assert(l); ++ assert(e); ++ assert(l->fd == fd); ++ ++ if (l->proto == AVAHI_PROTO_INET) ++ p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL); + else { +- assert(fd == e->fd_ipv6); +- p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, NULL); ++ assert(l->proto == AVAHI_PROTO_INET6); ++ ++ p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL); + } + + if (p) { +@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) { + e->server = s; + e->cleanup_dead = 0; + +- /* Create sockets */ +- e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1; +- e->fd_ipv6 = s->config.use_ipv6 ? 
avahi_open_unicast_socket_ipv6() : -1; +- +- if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) { +- avahi_log_error(__FILE__": Failed to create wide area sockets: %s", strerror(errno)); +- +- if (e->fd_ipv6 >= 0) +- close(e->fd_ipv6); +- +- if (e->fd_ipv4 >= 0) +- close(e->fd_ipv4); +- +- avahi_free(e); +- return NULL; +- } +- +- /* Create watches */ +- +- e->watch_ipv4 = e->watch_ipv6 = NULL; +- +- if (e->fd_ipv4 >= 0) +- e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e); +- if (e->fd_ipv6 >= 0) +- e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e); +- + e->n_dns_servers = e->current_dns_server = 0; + + /* Initialize cache */ +@@ -651,18 +673,6 @@ void avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) { + avahi_hashmap_free(e->lookups_by_id); + avahi_hashmap_free(e->lookups_by_key); + +- if (e->watch_ipv4) +- e->server->poll_api->watch_free(e->watch_ipv4); +- +- if (e->watch_ipv6) +- e->server->poll_api->watch_free(e->watch_ipv6); +- +- if (e->fd_ipv6 >= 0) +- close(e->fd_ipv6); +- +- if (e->fd_ipv4 >= 0) +- close(e->fd_ipv4); +- + avahi_free(e); + } + +@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine *e, const AvahiAddres + + if (a) { + for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--) +- if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || (a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0)) ++ if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6) + e->dns_servers[e->n_dns_servers++] = *a; + } else { + assert(n == 0); From patchwork Tue Aug 5 16:43:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68098 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: 
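Review bot: In the last hunk of CVE-2024-52615.patch, avahi_wide_area_set_servers() now stores every AVAHI_PROTO_INET or AVAHI_PROTO_INET6 address, where the removed condition also required the matching engine socket (e->fd_ipv4 >= 0 or e->fd_ipv6 >= 0), and those sockets were only opened when s->config.use_ipv4 or s->config.use_ipv6 was set. A server for a disabled protocol is therefore accepted and only rejected later in send_to_dns_server(), where r becomes -1 and the log says "Failed to create socket for wide area lookup" although no socket call was made. Consider filtering on e->server->config.use_ipv4 / use_ipv6 in set_servers, or logging the disabled-protocol case separately.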
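Review bot: In the socket_event() hunk, the declaration "AvahiWideAreaLookupEngine *e = l->engine;" dereferences l before assert(l) runs, so the assert cannot catch a NULL userdata. Declare e without an initializer and assign it after assert(l), the way send_to_dns_server() does in the same patch (assert(l), then e = l->engine, then assert(e)).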
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/4] sqlite3: patch CVE-2025-7458
Date: Tue, 5 Aug 2025 09:43:34 -0700
Message-ID: <4d5093e5103016c08b3a32fd83b1ec9edd87cd5a.1754412086.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221481
From: Peter Marko Pick patch [1] listed in [2]. Also pick another patch which is precondition to this one introducing variable needed for the check. [1] https://sqlite.org/src/info/12ad822d9b827777 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-7458 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...mpts-to-improve-the-detection-of-cov.patch | 91 +++++++++++++++++++ .../sqlite/files/CVE-2025-7458.patch | 32 +++++++ meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 + 3 files changed, 125 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-7458.patch diff --git a/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch new file mode 100644 index 0000000000..8fb037bb0f --- /dev/null +++ b/meta/recipes-support/sqlite/files/0001-This-branch-attempts-to-improve-the-detection-of-cov.patch 
@@ -0,0 +1,91 @@ +From f55a7dad195994f2bb24db7df0a0515502386fe2 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Sat, 22 Oct 2022 14:16:02 +0000 +Subject: [PATCH] This branch attempts to improve the detection of covering + indexes. This first check-in merely improves a parameter name to + sqlite3WhereBegin() to be more descriptive of what it contains, and ensures + that a subroutine is not inlines so that sqlite3WhereBegin() runs slightly + faster. + +FossilOrigin-Name: cadf5f6bb1ce0492ef858ada476288e8057afd3609caa18b09c818d3845d7244 + +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f55a7dad195994f2bb24db7df0a0515502386fe2] +Signed-off-by: Peter Marko +--- + sqlite3.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 4cbc2d0..b7ed991 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -147371,9 +147371,7 @@ struct WhereInfo { + ExprList *pOrderBy; /* The ORDER BY clause or NULL */ + ExprList *pResultSet; /* Result set of the query */ + Expr *pWhere; /* The complete WHERE clause */ +-#ifndef SQLITE_OMIT_VIRTUALTABLE +- Select *pLimit; /* Used to access LIMIT expr/registers for vtabs */ +-#endif ++ Select *pSelect; /* The entire SELECT statement containing WHERE */ + int aiCurOnePass[2]; /* OP_OpenWrite cursors for the ONEPASS opt */ + int iContinue; /* Jump here to continue with next record */ + int iBreak; /* Jump here to break out of the loop */ +@@ -149070,9 +149068,9 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart( + && pLoop->u.vtab.bOmitOffset + ){ + assert( pTerm->eOperator==WO_AUX ); +- assert( pWInfo->pLimit!=0 ); +- assert( pWInfo->pLimit->iOffset>0 ); +- sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pLimit->iOffset); ++ assert( pWInfo->pSelect!=0 ); ++ assert( pWInfo->pSelect->iOffset>0 ); ++ sqlite3VdbeAddOp2(v, OP_Integer, 0, pWInfo->pSelect->iOffset); + VdbeComment((v,"Zero OFFSET counter")); + } + } +@@ -151830,10 +151828,10 @@ static void 
whereAddLimitExpr( + ** exist only so that they may be passed to the xBestIndex method of the + ** single virtual table in the FROM clause of the SELECT. + */ +-SQLITE_PRIVATE void sqlite3WhereAddLimit(WhereClause *pWC, Select *p){ +- assert( p==0 || (p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0) ); +- if( (p && p->pLimit) /* 1 */ +- && (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */ ++SQLITE_PRIVATE void SQLITE_NOINLINE sqlite3WhereAddLimit(WhereClause *pWC, Select *p){ ++ assert( p!=0 && p->pLimit!=0 ); /* 1 -- checked by caller */ ++ assert( p->pGroupBy==0 && (p->selFlags & SF_Aggregate)==0 ); ++ if( (p->selFlags & (SF_Distinct|SF_Aggregate))==0 /* 2 */ + && (p->pSrc->nSrc==1 && IsVirtual(p->pSrc->a[0].pTab)) /* 3 */ + ){ + ExprList *pOrderBy = p->pOrderBy; +@@ -157427,7 +157425,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin( + Expr *pWhere, /* The WHERE clause */ + ExprList *pOrderBy, /* An ORDER BY (or GROUP BY) clause, or NULL */ + ExprList *pResultSet, /* Query result set. Req'd for DISTINCT */ +- Select *pLimit, /* Use this LIMIT/OFFSET clause, if any */ ++ Select *pSelect, /* The entire SELECT statement */ + u16 wctrlFlags, /* The WHERE_* flags defined in sqliteInt.h */ + int iAuxArg /* If WHERE_OR_SUBCLAUSE is set, index cursor number + ** If WHERE_USE_LIMIT, then the limit amount */ +@@ -157504,9 +157502,7 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin( + pWInfo->wctrlFlags = wctrlFlags; + pWInfo->iLimit = iAuxArg; + pWInfo->savedNQueryLoop = pParse->nQueryLoop; +-#ifndef SQLITE_OMIT_VIRTUALTABLE +- pWInfo->pLimit = pLimit; +-#endif ++ pWInfo->pSelect = pSelect; + memset(&pWInfo->nOBSat, 0, + offsetof(WhereInfo,sWC) - offsetof(WhereInfo,nOBSat)); + memset(&pWInfo->a[0], 0, sizeof(WhereLoop)+nTabList*sizeof(WhereLevel)); +@@ -157575,7 +157571,9 @@ SQLITE_PRIVATE WhereInfo *sqlite3WhereBegin( + + /* Analyze all of the subexpressions. 
*/ + sqlite3WhereExprAnalyze(pTabList, &pWInfo->sWC); +- sqlite3WhereAddLimit(&pWInfo->sWC, pLimit); ++ if( pSelect && pSelect->pLimit ){ ++ sqlite3WhereAddLimit(&pWInfo->sWC, pSelect); ++ } + if( db->mallocFailed ) goto whereBeginError; + + /* Special case: WHERE terms that do not refer to any tables in the join diff --git a/meta/recipes-support/sqlite/files/CVE-2025-7458.patch b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch new file mode 100644 index 0000000000..6b041d9332 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2025-7458.patch @@ -0,0 +1,32 @@ +From b816ca9994e03a8bc829b49452b8158a731e81a9 Mon Sep 17 00:00:00 2001 +From: drh <> +Date: Thu, 16 Mar 2023 20:54:29 +0000 +Subject: [PATCH] Correctly handle SELECT DISTINCT ... ORDER BY when all of the + result set terms are constant and there are more result set terms than ORDER + BY terms. Fix for these tickets: [c36cdb4afd504dc1], [4051a7f931d9ba24], + [d6fd512f50513ab7]. + +FossilOrigin-Name: 12ad822d9b827777526ca5ed5bf3e678d600294fc9b5c25482dfff2a021328a4 + +CVE: CVE-2025-7458 +Upstream-Status: Backport [github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9] +Signed-off-by: Peter Marko +--- + sqlite3.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sqlite3.c b/sqlite3.c +index 19d0438..6d92184 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -156989,6 +156989,10 @@ static int wherePathSolver(WhereInfo *pWInfo, LogEst nRowEst){ + if( pFrom->isOrdered==pWInfo->pOrderBy->nExpr ){ + pWInfo->eDistinct = WHERE_DISTINCT_ORDERED; + } ++ if( pWInfo->pSelect->pOrderBy ++ && pWInfo->nOBSat > pWInfo->pSelect->pOrderBy->nExpr ){ ++ pWInfo->nOBSat = pWInfo->pSelect->pOrderBy->nExpr; ++ } + }else{ + pWInfo->nOBSat = pFrom->isOrdered; + pWInfo->revMask = pFrom->revLoop; diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index 656e2d8bd8..86d9b4b33b 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb 
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb 
@@ -10,6 +10,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2023-7104.patch \ file://CVE-2025-29088.patch \ file://CVE-2025-6965.patch \ + file://0001-This-branch-attempts-to-improve-the-detection-of-cov.patch \ + file://CVE-2025-7458.patch \ " SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c" From patchwork Tue Aug 5 16:43:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68097 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 070B6C87FCB for ; Tue, 5 Aug 2025 16:43:56 +0000 (UTC) Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com [209.85.215.169]) by mx.groups.io with SMTP id smtpd.web11.4198.1754412227506008128 for ; Tue, 05 Aug 2025 09:43:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=g0TKcbhB; spf=softfail (domain: sakoman.com, ip: 209.85.215.169, mailfrom: steve@sakoman.com) Received: by mail-pg1-f169.google.com with SMTP id 41be03b00d2f7-b4239091facso2891236a12.0 for ; Tue, 05 Aug 2025 09:43:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1754412227; x=1755017027; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=xI29tis/zq4yh2cJ8xeO6J3AalT9ondU+45XoignnXI=; b=g0TKcbhB4lujGERjaevcI+JVE54tMRPBDfDZkboCc4ZnnNnW2mExDODjFPNcphfHl9 0QpJCW3ZgPwdVRZsjJn1XfbN6e3JiIGiGkNWiRoEm0vblec1ifxoUDB9u8IQkUKWGhc9 
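Review bot: In the wherePathSolver() hunk of CVE-2025-7458.patch, pWInfo->pSelect->pOrderBy dereferences pSelect unconditionally, while the prerequisite patch treats the same pointer as optional in sqlite3WhereBegin() ("if( pSelect && pSelect->pLimit )"). The visible context does not show why pSelect is non-NULL on this branch. Please state the invariant in the patch header, or confirm against the 3.38.5 tree that this branch is only reached with a SELECT attached, since the fix is dated 16 Mar 2023 and was written for a later base.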
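Review bot: The Upstream-Status line in CVE-2025-7458.patch gives the backport source as github.com/sqlite/sqlite/commit/b816ca9994e03a8bc829b49452b8158a731e81a9 without a URL scheme, while the prerequisite patch in the same series uses the full https://github.com/... form. Please add https:// so both headers are consistent and the link resolves when copied.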
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/4] sqlite3: ignore CVE-2025-3277
Date: Tue, 5 Aug 2025 09:43:35 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221482

From: Peter Marko

The vulnerable code was introduced in 3.44.0 via [1]. (See fix commit [2])
Also Debian says "not vulnerable yet for 3.40.1 in [3]

[1] https://github.com/sqlite/sqlite/commit/e1e67abc5cf67f931aab1e471eda23d73f51d456
[2] https://sqlite.org/src/info/498e3f1cf57f164f
[3] https://security-tracker.debian.org/tracker/CVE-2025-3277

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index 86d9b4b33b..280342204a 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -21,3 +21,5 @@ CVE_CHECK_IGNORE += "CVE-2019-19242" CVE_CHECK_IGNORE += "CVE-2015-3717" # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f CVE_CHECK_IGNORE += "CVE-2021-36690" +# Issue was introduced in 3.44.0 +CVE_CHECK_IGNORE += "CVE-2025-3277" From patchwork Tue Aug 5 16:43:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 68099 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 12FA8CA0EC0 for ; Tue, 5 Aug 2025 16:43:56 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web10.4082.1754412229644000427 for ; Tue, 05 Aug 2025 09:43:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CmHoJ/0q; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-76bd6e84eddso5777145b3a.0 for ; Tue, 05 Aug 2025 09:43:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1754412229; x=1755017029; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=b9zTCg731aPfgmJw5ig6Z0G9zxMI95lUEDqH3nGe9v8=; b=CmHoJ/0qfb75qiJlbnDUZ42xWnxvtMq0viIZEKX7wnZt7jsnbFlj0H7lEj3q6Uc7/4 vtqhpKbgb10vtEEMmFdER3QmYZIpe75f1Pg6p8OjWnx5gKyE5qWdgVxF3beFi/OpJmnr JjQw5ObYlbl9nZXiGD+kozUm+3GMg9VLnGDpbR5zPAo+TsnxI6HDLH7oNdi6/8YRv8Zh 
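Review bot: The added comment "# Issue was introduced in 3.44.0" carries no reference, unlike the entry directly above it, which links the fixing check-in. Add the introducing commit (reference [1] in the commit message) or the Debian tracker URL to the comment, so the ignore can be re-checked and dropped when the recipe moves to 3.44.0 or later.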
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/4] glibc: stable 2.35 branch updates Date: Tue, 5 Aug 2025 09:43:36 -0700 Message-ID: <3921549f6420e44a250d06cdef2c9d423fb6e39f.1754412086.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 Aug 2025 16:43:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/221483 From: Peter Marko This is a single commit bump containing only CVE fix $ git log --oneline d80401002011f470d9c6eb604bf734715e9b3a8c..a66bc3941ff298e474d5f02d0c3303401951141f a66bc3941f posix: Fix double-free after allocation failure in regcomp (bug 33185) Test results didn't change except newly added test succeeding. (tst-regcomp-bracket-free) Also add CVE-2025-0395 ignore which was already included in previous hash bumps. Also drop an unreferenced patch. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc-version.inc | 2 +- .../glibc/glibc/0025-CVE-2025-4802.patch | 250 ------------------ meta/recipes-core/glibc/glibc_2.35.bb | 2 +- 3 files changed, 2 insertions(+), 252 deletions(-) delete mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index b269518af4..0b06005b25 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "80401002011f470d9c6eb604bf734715e9b3a8c2" +SRCREV_glibc ?= "a66bc3941ff298e474d5f02d0c3303401951141f" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" 
diff --git a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch b/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch deleted file mode 100644 index a1197c0318..0000000000 --- a/meta/recipes-core/glibc/glibc/0025-CVE-2025-4802.patch +++ /dev/null 
@@ -1,250 +0,0 @@ -From 32917e7ee972e7a01127a04454f12ef31dc312ed Mon Sep 17 00:00:00 2001 -From: Adhemerval Zanella -Date: Wed, 11 Jun 2025 03:19:10 -0700 -Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for - static - -It mimics the ld.so behavior. -Checked on x86_64-linux-gnu. - -[New Test Case] -elf: Test case for bug 32976 -[https://sourceware.org/bugzilla/show_bug.cgi?id=32976] - -Check that LD_LIBRARY_PATH is ignored for AT_SECURE statically -linked binaries, using support_capture_subprogram_self_sgid. - -Upstream-Status: Backport [https://sourceware.org/cgit/glibc/commit/?id=5451fa962cd0a90a0e2ec1d8910a559ace02bba0 && - https://sourceware.org/cgit/glibc/commit/?id=d8f7a79335b0d861c12c42aec94c04cd5bb181e2] - -CVE: CVE-2025-4802 - -Co-authored-by: Florian Weimer -Signed-off-by: Sunil Dora ---- - elf/Makefile | 4 ++ - elf/dl-support.c | 46 ++++++++--------- - elf/tst-dlopen-sgid-mod.c | 1 + - elf/tst-dlopen-sgid.c | 104 ++++++++++++++++++++++++++++++++++++++ - 4 files changed, 132 insertions(+), 23 deletions(-) - create mode 100644 elf/tst-dlopen-sgid-mod.c - create mode 100644 elf/tst-dlopen-sgid.c - -diff --git a/elf/Makefile b/elf/Makefile -index 61c41ea6..3ad66ab6 100644 ---- a/elf/Makefile -+++ b/elf/Makefile -@@ -274,6 +274,7 @@ tests-static-normal := \ - tst-array1-static \ - tst-array5-static \ - tst-dl-iter-static \ -+ tst-dlopen-sgid \ - tst-dst-static \ - tst-env-setuid \ - tst-env-setuid-tunables \ -@@ -807,6 +808,7 @@ modules-names = \ - tst-dlmopen-gethostbyname-mod \ - tst-dlmopen-twice-mod1 \ - tst-dlmopen-twice-mod2 \ -+ tst-dlopen-sgid-mod \ - tst-dlopenfaillinkmod \ - tst-dlopenfailmod1 \ - tst-dlopenfailmod2 \ -@@ -2913,3 +2915,5 @@ $(objpfx)tst-recursive-tls.out: \ - 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15) - $(objpfx)tst-recursive-tlsmod%.os: tst-recursive-tlsmodN.c - $(compile-command.c) -DVAR=thread_$* -DFUNC=get_threadvar_$* -+ -+$(objpfx)tst-dlopen-sgid.out: $(objpfx)tst-dlopen-sgid-mod.so -diff --git 
a/elf/dl-support.c b/elf/dl-support.c -index 09079c12..c2baed69 100644 ---- a/elf/dl-support.c -+++ b/elf/dl-support.c -@@ -272,8 +272,6 @@ _dl_non_dynamic_init (void) - _dl_main_map.l_phdr = GL(dl_phdr); - _dl_main_map.l_phnum = GL(dl_phnum); - -- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1; -- - /* Set up the data structures for the system-supplied DSO early, - so they can influence _dl_init_paths. */ - setup_vdso (NULL, NULL); -@@ -281,27 +279,6 @@ _dl_non_dynamic_init (void) - /* With vDSO setup we can initialize the function pointers. */ - setup_vdso_pointers (); - -- /* Initialize the data structures for the search paths for shared -- objects. */ -- _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH", -- /* No glibc-hwcaps selection support in statically -- linked binaries. */ -- NULL, NULL); -- -- /* Remember the last search directory added at startup. */ -_dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;- _dl_init_all_dirs = GL(dl_all_dirs); -- -- _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0'; -- -- _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0'; -- -- _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0'; -- -- _dl_profile_output = getenv ("LD_PROFILE_OUTPUT"); -- if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0') -- _dl_profile_output -- = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; -- - if (__libc_enable_secure) - { - static const char unsecure_envvars[] = - setup_vdso_pointers (); -@@ -324,6 +301,29 @@ _dl_non_dynamic_init (void) - #endif - } - -+ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1; -+ -+ /* Initialize the data structures for the search paths for shared -+ objects. */ -+ _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH", -+ /* No glibc-hwcaps selection support in statically -+ linked binaries. */ -+ NULL, NULL); -+ -+ /* Remember the last search directory added at startup. 
*/ -+ _dl_init_all_dirs = GL(dl_all_dirs); -+ -+ _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0'; -+ -+ _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0'; -+ -+ _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0'; -+ -+ _dl_profile_output = getenv ("LD_PROFILE_OUTPUT"); -+ if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0') -+ _dl_profile_output -+ = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0]; -+ - #ifdef DL_PLATFORM_INIT - DL_PLATFORM_INIT; - #endif -diff --git a/elf/tst-dlopen-sgid-mod.c b/elf/tst-dlopen-sgid-mod.c -new file mode 100644 -index 00000000..5eb79eef ---- /dev/null -+++ b/elf/tst-dlopen-sgid-mod.c -@@ -0,0 +1 @@ -+/* Opening this object should not succeed. */ -diff --git a/elf/tst-dlopen-sgid.c b/elf/tst-dlopen-sgid.c -new file mode 100644 -index 00000000..47829a40 ---- /dev/null -+++ b/elf/tst-dlopen-sgid.c -@@ -0,0 +1,104 @@ -+/* Test case for ignored LD_LIBRARY_PATH in static startug (bug 32976). -+ Copyright (C) 2025 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* This is the name of our test object. 
Use a custom module for -+ testing, so that this object does not get picked up from the system -+ path. */ -+static const char dso_name[] = "tst-dlopen-sgid-mod.so"; -+ -+/* Used to mark the recursive invocation. */ -+static const char magic_argument[] = "run-actual-test"; -+ -+static int -+do_test (void) -+{ -+/* Pathname of the directory that receives the shared objects this -+ test attempts to load. */ -+ char *libdir = support_create_temp_directory ("tst-dlopen-sgid-"); -+ -+ /* This is supposed to be ignored and stripped. */ -+ TEST_COMPARE (setenv ("LD_LIBRARY_PATH", libdir, 1), 0); -+ -+ /* Copy of libc.so.6. */ -+ { -+ char *from = xasprintf ("%s/%s", support_objdir_root, LIBC_SO); -+ char *to = xasprintf ("%s/%s", libdir, LIBC_SO); -+ add_temp_file (to); -+ support_copy_file (from, to); -+ free (to); -+ free (from); -+ } -+ -+ /* Copy of the test object. */ -+ { -+ char *from = xasprintf ("%s/elf/%s", support_objdir_root, dso_name); -+ char *to = xasprintf ("%s/%s", libdir, dso_name); -+ add_temp_file (to); -+ support_copy_file (from, to); -+ free (to); -+ free (from); -+ } -+ -+ TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0); -+ -+ free (libdir); -+ -+ return 0; -+} -+ -+static void -+alternative_main (int argc, char **argv) -+{ -+ if (argc == 2 && strcmp (argv[1], magic_argument) == 0) -+ { -+ if (getgid () == getegid ()) -+ /* This can happen if the file system is mounted nosuid. */ -+ FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n", -+ (intmax_t) getgid ()); -+ -+ /* Should be removed due to SGID. 
*/ -+ TEST_COMPARE_STRING (getenv ("LD_LIBRARY_PATH"), NULL); -+ -+ TEST_VERIFY (dlopen (dso_name, RTLD_NOW) == NULL); -+ { -+ const char *message = dlerror (); -+ TEST_COMPARE_STRING (message, -+ "tst-dlopen-sgid-mod.so:" -+ " cannot open shared object file:" -+ " No such file or directory"); -+ } -+ -+ support_record_failure_barrier (); -+ exit (EXIT_SUCCESS); -+ } -+} -+ -+#define PREPARE alternative_main -+#include --- -2.49.0 - diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index df5f14984a..265dcb9129 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -27,7 +27,7 @@ CVE_CHECK_IGNORE += "CVE-2023-4527" CVE_CHECK_IGNORE += " \ CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156 \ CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 \ - CVE-2025-4802 \ + CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 \ " DEPENDS += "gperf-native bison-native"
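Review bot: in the sqlite CVE_CHECK_IGNORE hunk (@@ -21,3 +21,5 @@) from the preceding patch in this series, the new comment "# Issue was introduced in 3.44.0" cites no source and does not say which sqlite version the recipe builds, so the ignore cannot be verified from the recipe alone. The entry just above it links the upstream check-in; please do the same here and state the recipe version next to the 3.44.0 claim.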
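Review bot: in the glibc-version.inc hunk the removed SRCREV_glibc is 80401002011f470d9c6eb604bf734715e9b3a8c2, but the git log range quoted in the commit message starts at d80401002011f470d9c6eb604bf734715e9b3a8c, which is the same digits shifted by one character. Please correct the range in the message so the "single commit bump" claim can be reproduced by running the quoted command against the old and new SRCREV values.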
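Review bot: for the deletion of 0025-CVE-2025-4802.patch, the message says only that the patch is unreferenced, while CVE-2025-4802 stays in CVE_CHECK_IGNORE in glibc_2.35.bb. Please name the stable-branch commit or earlier SRCREV bump that carries the fix, so the ignore entry remains auditable once this local backport is gone. The backport moved the LD_LIBRARY_PATH, LD_WARN and related getenv reads in _dl_non_dynamic_init below the __libc_enable_secure block, and that ordering is what a reader will want to confirm in the tree at a66bc3941f.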
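Review bot: the glibc_2.35.bb hunk adds CVE-2025-8058 to CVE_CHECK_IGNORE, but the commit message never names that CVE; it mentions only the regcomp double-free fix (bug 33185) and the CVE-2025-0395 ignore. Please say in the message which commit covers CVE-2025-8058 (a66bc3941f is the only one in the bump), and consider a short comment beside the list mapping each newly added ID to the SRCREV bump that fixed it, since the multi-line list carries no per-CVE rationale.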