From patchwork Wed Sep 24 21:17:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 70963 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58F35CAC5A5 for ; Wed, 24 Sep 2025 21:18:01 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web11.26133.1758748679402542089 for ; Wed, 24 Sep 2025 14:17:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=xpP3ufso; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-27c369f898fso3331375ad.3 for ; Wed, 24 Sep 2025 14:17:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1758748679; x=1759353479; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=rlxKiunrNz98S/F4lrc7d22CNIZbzsnwcpM6twnOVJ8=; b=xpP3ufsowK2SS11R5cEhASH/386VXwhk8MS1gruPm+2PekVDirIgnMIbydIJMH/NyV lRGQRbWbF8F6RaIbm4fpt+P74CR3PmqZdiw0x1d0LrHCG4tDroUxiBPDmyhtCTG0mi/p wlbj1u8da1j2BM6uKJxw6CSF7KkTpHUxKVAtYirLMKF9scURCH2JnyGewm1QJCfrhBqf gkjC3kvsGaCnOngqtgE65KZOsCEuDW3NgZjLyWkYnzEYUJpdo6N2e86c2Ynh49in5iYF 09a+fGgChl0tCNSrN4fJ6N0+lTpd3ay63wRGennNsxS6A0hobfZLF0p50f6yVR+N1rPd b9eQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758748679; x=1759353479; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rlxKiunrNz98S/F4lrc7d22CNIZbzsnwcpM6twnOVJ8=; b=BfhjACtrfYbyRVrghuwZ6soIgQmVtZ4Gua0n/G76O4aCgXoW5A7L5+ICVMrUk+j4o5 3lIIhjg/uefMpubV8n7/iBa2kUFUl2DQ/G0W3fq1er0xO4JPMrvkCFSvUlVvZkppS9Nl fOMuGQ/81ktgLqLV80/IGiqOOYU7vXmXg4bVnv5EcQY39OnNdHtWEr1R7++5o8AHPG88 bp64RNv0UJy2a2XXX1hshboCUpCVfEsVVlslTpUrR7F42EpiEEabYzcjl1bA/tZc1Nw5 AhC5eNJ9ZQziOHrTeuP2yP0OF85Ii2l4jAZdvM8gAV/qVRI4vInfcfbw1Y2sNyHWSguz 2Gvw== X-Gm-Message-State: AOJu0YycO0/zPK48rEYmPmBq+7tgAX8PxwWAprGqnodq5j8i5c+HQ7Wi PtdBBugA733D+morpjecqFugI62QunL1v6GbmJH3TV+wrXSVBwzY4lFiamQkOqmqZFTMZs53HQe 6OO7mZtY= X-Gm-Gg: ASbGncu5BLwB98l+v++q49qAzEyqb22xWyA3YEeX1aQ4sFmRV0i7WO+AY8mSQpvHQyC szonjFE4+yoXYqaMeParfXgDJmRKqzUrgmpmWms4TNH3us4ddCk3O2Zv+pjyn67DqSoFEQX1k/+ fuwxIIsFR+5iYs3A9qGfsM70FLbxQVrjadJwYAzUcFaOKvF7k2QnvfBUXdHqoNzXvk1qN33zU09 ubyH1BFSnCq4XAPy/85qI+bCEodTqMOHG7z+SmarNHwYHt25MgL/plS/fW9IyR59KVe5f1hPJcb ag/y2kPyKSCxVoUe2Mpq8SPbpuTzPWjnJeZUlkt+YvjL0yfHSrbWB7DLFixV1/uH5Hits1bxlmD NRZWK166c15JkZQ== X-Google-Smtp-Source: AGHT+IG61WkL7noM6a8BDi27EXNzzaJuO4cKTQjpFvAnrXxxuipGfMKhaLsZ9U3D5lSAuQv+IsGixw== X-Received: by 2002:a17:903:19e6:b0:266:f01a:98c4 with SMTP id d9443c01a7336-27ed49dece8mr10519135ad.13.1758748678581; Wed, 24 Sep 2025 14:17:58 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-27ed6702cf9sm2194555ad.38.2025.09.24.14.17.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Sep 2025 14:17:58 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 1/3] curl: fix CVE-2025-9086 Date: Wed, 24 Sep 2025 14:17:48 -0700 Message-ID: <95ab3c3e3745e7e0ca74760683e42ae7531b4199.1758748538.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Sep 2025 21:18:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223990 From: Yogita Urade 1, A cookie is set using the secure keyword for https://target 2, curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set 3, The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored. 4, A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9086 Upstream patch: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2025-9086.patch | 55 +++++++++++++++++++ meta/recipes-support/curl/curl_8.12.1.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch new file mode 100644 index 0000000000..0055d23076 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch @@ -0,0 +1,55 @@ +From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 + +CVE: CVE-2025-9086 +Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6] + +Signed-off-by: Yogita Urade +--- + lib/cookie.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 9819768..d7ee757 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -324,7 +324,7 @@ static char *sanitize_cookie_path(const char *cookie_path) + } + + /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + +@@ -1039,7 +1039,7 @@ replace_existing(struct Curl_easy *data, + clist->spath && co->spath && /* both have paths */ + clist->secure && !co->secure && !secure) { + size_t cllen; +- const char *sep; ++ const char *sep = NULL; + + /* + * A non-secure cookie may not overlay an existing secure cookie. +@@ -1048,8 +1048,9 @@ replace_existing(struct Curl_easy *data, + * "/loginhelper" is ok. + */ + +- sep = strchr(clist->spath + 1, '/'); +- ++ DEBUGASSERT(clist->spath[0]); ++ if(clist->spath[0]) ++ sep = strchr(clist->spath + 1, '/'); + if(sep) + cllen = sep - clist->spath; + else +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_8.12.1.bb b/meta/recipes-support/curl/curl_8.12.1.bb index 9e279bbad1..0fb3719ac2 100644 --- a/meta/recipes-support/curl/curl_8.12.1.bb +++ b/meta/recipes-support/curl/curl_8.12.1.bb @@ -14,6 +14,7 @@ SRC_URI = " \ file://run-ptest \ file://disable-tests \ file://no-test-timeout.patch \ + file://CVE-2025-9086.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Wed Sep 24 21:17:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 70965 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A592CAC5AE for ; Wed, 24 Sep 2025 21:18:11 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web10.26003.1758748681180809013 for ; Wed, 24 Sep 2025 14:18:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=awGYA+Lb; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-26a0a694ea8so2771095ad.3 for ; Wed, 24 Sep 2025 14:18:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1758748680; x=1759353480; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/LVvTKf8NJO3sE8Kr4LhlHMeVbbffvvVOtU6hhNi4Vo=; b=awGYA+Lby/FDoVsaOHY2tR+HOfxoxMzl8rJJpS16mLTT8uXBhudSOS65K3BS/k5Rj5 0xkhYd0oBNmRPaJ4jYd3Z76rzaJK3ZXXArk/JwmnIPcHpckTw7ejotv4opDkWKu1bXdm wuipBAMyGVAHqxDGORR60lo9D40ZwlatYmzuB2sRDm5DG+hmvUdeqX6OCDItHXmtCb4p vL3kFBxYKyfZDsGZIkMFXT+HKBb6sn1HKIH1bZthu2/6RY2fffryl2mkwQS0EEzfvB6W pKxG5VBNqt2BHbFYaA+doDTgFjkKiBAxbMmBIOew6L9fH8bXSzI+PNm083+wIZ0uwv85 mwEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758748680; x=1759353480; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/LVvTKf8NJO3sE8Kr4LhlHMeVbbffvvVOtU6hhNi4Vo=; b=tnpmTDiLs4bR9pF7JV244uJJqqtvN+HCSdN91A68IG4mlRzpkyIk3saE4RlFbZvAQS VdauWMN6ajmPQl2yrYPD96BYF0U8tpwxTZfv7kYhMqLNFdLfwqFAY61ypzrGHwm9DRZY OBT1bGbcnU/l8sY19kgEZu5xuGpLPC5OmNF2w0xRG1GS+EI3S8StAYV1schyEI3Vm9gt clEpGB50/zMRMqo8Hamkt02YQepR5NQqQvmIz3tKuHtA58uRsyBDxnuhibXk2TWFzcz6 UqwkBBK7RUDGrLq5rMH6YFdjrRrDXYywhao5DfeOjqzwllcn+2PbGUA9+MFqglT02ZSZ VegA== X-Gm-Message-State: AOJu0YyMhvynsqfK977bkW4FEyHMLCN8A1hSLANUcJMdkGQR4SFpzaaP Y0ZnV8coYP3ucnL9bIPlHWNdBY4w7RiKJkTzINaDBW1C9eA60VC7cYyt1TDm3TaKbDwZ8ocFm90 A+A8frt0= X-Gm-Gg: ASbGncvVvuS100NcNKtCoTZj5bJ5foAzcM6oC5xlEz5EbOyxCki2Cq7vWp1RwfF++hu wci3691VV73ozViBAvtrIMVpi9Cijsr8ZYYxbjT6JQWnQF1jwdUnv7ey/jn9U4zUbxiTiTgy76N OyzCO6IQThGbNVs5jXwUZI9jd/b7hQJGyqaWtm2Faupqu/Akl9JnXP7Sdybnh8LJS9Uzd6uujxt pq/wxVSsGbo751CDWLLtZafixbRiM/3adV7Nw8cZq17CX5RnZ0R1yTM4CzTiETybgZ6aVf4utCd fN1EpcTYDaIRWilGLAy1GYm0q5IlQYkTxAap8eKKiOQTT4v3QqU4gGlBG6M9Ke4EbTpQWzAwoDL A5U31KNBvGopM7g== X-Google-Smtp-Source: AGHT+IF87Xh1Lj5pzYOeAUntEWZS1FUFaVgshOyTrQI+SyaNU4m5TA35iIWL6xDnPA2ob86vgSYcDA== X-Received: by 2002:a17:902:f60f:b0:262:661d:eb1d with SMTP id d9443c01a7336-27ed49b301amr13064125ad.1.1758748680084; Wed, 24 Sep 2025 14:18:00 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-27ed6702cf9sm2194555ad.38.2025.09.24.14.17.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Sep 2025 14:17:59 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 2/3] curl: fix CVE-2025-10148 Date: Wed, 24 Sep 2025 14:17:49 -0700 Message-ID: <83420a408551688ebb298b88b16d2e384e9b7bfd.1758748538.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Sep 2025 21:18:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223991 From: Yogita Urade curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-10148 Upstream patch: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2025-10148.patch | 57 +++++++++++++++++++ meta/recipes-support/curl/curl_8.12.1.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-10148.patch b/meta/recipes-support/curl/curl/CVE-2025-10148.patch new file mode 100644 index 0000000000..7bc5d18396 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-10148.patch @@ -0,0 +1,57 @@ +From 84db7a9eae8468c0445b15aa806fa7fa806fa0f2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 Sep 2025 14:14:15 +0200 +Subject: [PATCH] ws: get a new mask for each new outgoing frame + +Reported-by: Calvin Ruocco +Closes #18496 + +CVE: CVE-2025-10148 +Upstream-Status: Backport [https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa] + +Signed-off-by: Yogita Urade +--- + lib/ws.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/lib/ws.c b/lib/ws.c +index 25d19c6..029172d 100644 +--- a/lib/ws.c ++++ b/lib/ws.c +@@ -637,6 +637,18 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data, + enc->payload_remain = enc->payload_len = payload_len; + ws_enc_info(enc, data, "sending"); + ++ /* 4 bytes random */ ++ ++ result = Curl_rand(data, (unsigned char *)&enc->mask, sizeof(enc->mask)); ++ if(result) ++ return result; ++ ++#ifdef DEBUGBUILD ++ if(getenv("CURL_WS_FORCE_ZERO_MASK")) ++ /* force the bit mask to 0x00000000, effectively disabling masking */ ++ memset(&enc->mask, 0, sizeof(enc->mask)); ++#endif ++ + /* add 4 bytes mask */ + memcpy(&head[hlen], &enc->mask, 4); + hlen += 4; +@@ -819,14 +831,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data, + subprotocol not requested by the client), the client MUST Fail + the WebSocket Connection. */ + +- /* 4 bytes random */ +- +- result = Curl_rand(data, (unsigned char *)&ws->enc.mask, +- sizeof(ws->enc.mask)); +- if(result) +- return result; +- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x", +- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]); ++ infof(data, "Received 101, switch to WebSocket"); + + /* Install our client writer that decodes WS frames payload */ + result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode, +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_8.12.1.bb b/meta/recipes-support/curl/curl_8.12.1.bb index 0fb3719ac2..bfe0075af7 100644 --- a/meta/recipes-support/curl/curl_8.12.1.bb +++ b/meta/recipes-support/curl/curl_8.12.1.bb @@ -15,6 +15,7 @@ SRC_URI = " \ file://disable-tests \ file://no-test-timeout.patch \ file://CVE-2025-9086.patch \ + file://CVE-2025-10148.patch \ " SRC_URI:append:class-nativesdk = " \ From patchwork Wed Sep 24 21:17:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 70964 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BE29CAC5B5 for ; Wed, 24 Sep 2025 21:18:11 +0000 (UTC) Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) by mx.groups.io with SMTP id smtpd.web11.26137.1758748682350307760 for ; Wed, 24 Sep 2025 14:18:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=E49KDiW6; spf=softfail (domain: sakoman.com, ip: 209.85.215.179, mailfrom: steve@sakoman.com) Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-b5565f0488bso196608a12.2 for ; Wed, 24 Sep 2025 14:18:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1758748682; x=1759353482; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=fFLweNG8XigoGg6rmJDM0SCUL9de10Eae6jf0kYOkwM=; b=E49KDiW6VikvtvUgjav050eg967y5CcIw1j+XxibFqC/0ifppXXNjDkhI30mbdYsCM zPcP89d1xnjDe6wHwlkV1XU/DVSYiMDEqUtSNqN7n5R+YqeS9JOMuZEN5qjgoIXcoGcq AEi4ETOApeaNTEAvm2G1us1LZu9tgldlD/KjEr5nCjJdVZlIGhSCFYoWXJUQR+bQkr2c lUOmnl6+QoDB3m8kBkFIwMTSeOlMu4WHYJl6hrpfgmrXRr28aAPicDtgLWg/omH+fWf1 88luR9a7scxDfPZSXQKpSBQDMDcgd17lRO1JaGUqXviYtrtUV49YuPb9AAGfIZpIgIpx GBiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758748682; x=1759353482; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fFLweNG8XigoGg6rmJDM0SCUL9de10Eae6jf0kYOkwM=; b=lu8+qqjkgr883i+GMHcjr2FAQzOJdHdE26myqoSrn0DZkHnwMpCPZiv3v44QMvjyP8 OEuTiVJIgCf2BKVXrqngAwyHm4G/vBsORcQrRWejvOvqvLQoNSzx0H28hLfT3aPsXnMU XQcR+e6MXLyLGZDgC+cb1tP/818p1YNTwR3BNBIWcI1Xca6yWWw7aZiwrtcFUx5u7uPF PG0KsT63u3xOWvKIuQkUjfYU+8TnxdFtMTV6NkaxOs/BWG2+q/+uMfckqTos26YQ82gf 698vLzpjHf0QsWpHDDh1y81tanQCvA7k5PAAqVHO792rto8F92fXIzLmq9+hqbHLR25j lnsA== X-Gm-Message-State: AOJu0YyjQKUOXD0+FRrzr2sdXEMXPW68EFmwlAQNH/zRL5Xlm4LpZFnx lBJlX5A7eeOkXQfTBo82/hremsiLV4WDhGw/wXyfiPZknbm+Nys7TP/dwsmynCi8RQkSTC3X3wx Ec4UWxWE= X-Gm-Gg: ASbGncurt4PfFQQ2eDdTT4WlyUKoAtRzvi6sUFhKlrdQ+q/QczZ19HJnGgYotv+iuio Ry3Nr5Hfg8K81x4ydY1G9+ZNcewBtIf+TabuUlF0rpgwq4fAwSrdyuMRJNT3kmpgr3/Hl7dMukR mWYpI1FXw1nXP9CRSZ3/IFUPSBP3AwYnVZJfkb3Yg2lvt2xPkuZbYe5DbP8PAGuOb9AWMjUAExu Uf3UuuknA1lg4aaP3D0HWlowpX047IKO4cMP8AsOSUTcbrMLkpKP41lGlU8TytmSTWcChAG+8cM QpnKjPjJT1mI09/kfr5kS7EQ4CZuxkTT3lCyoiuUGpJ/Ex09j4ODrmGiqDvhzixzBosKpHQcwPu 16DLeqD8yppejYhyuxkfw7Iff X-Google-Smtp-Source: AGHT+IErpme+6jgrjvoIirEChF7CGZfQX/UbR4zo60ahxn850FarzC8NQriKm2KF/iW2NEBJRdwPyQ== X-Received: by 2002:a17:903:3847:b0:269:a75f:e9d5 with SMTP id d9443c01a7336-27ed4a96168mr14285955ad.42.1758748681391; Wed, 24 Sep 2025 14:18:01 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-27ed6702cf9sm2194555ad.38.2025.09.24.14.18.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Sep 2025 14:18:01 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 3/3] expat: upgrade to 2.7.2 Date: Wed, 24 Sep 2025 14:17:50 -0700 Message-ID: <924d83d081ab69a111961be447c5fe7c55bc23df.1758748538.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Sep 2025 21:18:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223992 From: Ross Burton Primarily to fix CVE-2025-59375 (Disallow use of disproportional amounts of dynamic memory from within an Expat parser) but the full list of changes are available: https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes (From OE-Core rev: fbe5f76ba6af0983cd90a05d4077e453e2ebb475) Signed-off-by: Ross Burton Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- meta/recipes-core/expat/{expat_2.7.1.bb => expat_2.7.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/expat/{expat_2.7.1.bb => expat_2.7.2.bb} (92%) diff --git a/meta/recipes-core/expat/expat_2.7.1.bb b/meta/recipes-core/expat/expat_2.7.2.bb similarity index 92% rename from meta/recipes-core/expat/expat_2.7.1.bb rename to meta/recipes-core/expat/expat_2.7.2.bb index 2da1532922..952235d7a0 100644 --- a/meta/recipes-core/expat/expat_2.7.1.bb +++ b/meta/recipes-core/expat/expat_2.7.2.bb @@ -15,7 +15,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/" UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P.+)" -SRC_URI[sha256sum] = "45c98ae1e9b5127325d25186cf8c511fa814078e9efeae7987a574b482b79b3d" +SRC_URI[sha256sum] = "976f6c2d358953c22398d64cd93790ba5abc62e02a1bbc204a3a264adea149b8" EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"