From patchwork Tue Sep 30 19:50:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71320 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D767CCA476 for ; Tue, 30 Sep 2025 19:50:21 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web10.223.1759261819205176116 for ; Tue, 30 Sep 2025 12:50:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ALOoiZ3N; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-781db5068b8so3227853b3a.0 for ; Tue, 30 Sep 2025 12:50:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261818; x=1759866618; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=A0dFLo5BxVHB9lu3IgxM6PACZgApJPAPq0BxUF/+Bt0=; b=ALOoiZ3NPMjW+ZpRXaAlWkp2T3HD7ifd8QAAyQP+CjCa3BTVfPWSk/X0sZkwxuYsEK TBKm0KDpYF5Xl2ncuIEqBXKHuZlLybU43pLRDP07Gwh1itV8WI11+eWWizbieaxU1nFm OHV1/vXsnZw1hLlHUJRSamfaccv6nxZMnufNt624H98EZRAby7eXw0xPTImTvG4fGLbt p6deMFjRODOEHhMHvhKlbaTs68mwQNdwYYZq1C7MoWkCKqIzKIoTSZKgnEStNv6KtV5l afPaKjA6N/SQ+nGdfIF0aEDmat4D2LKpdV9ldIAOhNF8FKjFYtY/cySMgRVjp2VfzU00 Aw8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261818; x=1759866618; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=A0dFLo5BxVHB9lu3IgxM6PACZgApJPAPq0BxUF/+Bt0=; b=atumG+3vnaKoFlOgFj0zv4ymItZpnynsUF8by+kLJUzHOc9aNBhBC57xM+dId2UIBm TmMsO3GiT7In4nWRe4Qw4FRS8YBcN77z6bLD+6KycqoUr/GCEMaZO19HpoQk34r7jfZr joUr7GioHl4Djw+5AeM+VVGw9t6woyQXOjeOmvyfbUG30xQH6Leu1H1LntWo4DS/q4cy gelMt2PlBac3ouegyiPfdGa6Ge/u1tHF1qQlZks2v7CIybr0sdOGU3s9HLPZsszTGghP NLCwVg5tv8HCyX6lhqUlLaNtCNWWS9b526H59/kpdeghElIifDN0syohPi+/6wqpJbHV L+EQ== X-Gm-Message-State: AOJu0Yx6MhJ42+FajQxPXyCrx8ztFaPU0cnBUBU50mNXqNjga4lonxLu 7i+i6A9FghPy8O/DQ/H1sfN5qYTflvBPDV7kGr/RcZl6clhG2OrK8FfPbb6M6+os6Wb3uTSzKpX fzzXm X-Gm-Gg: ASbGncs2qxbZXVd56o+v9x9wIR4rnLRvkx/tJhLEMSFdyt4gcohb/CDb+Zp5iEc2QqI ZI/2JQC/Lkq03nuHZ1xhOtRHcGnKBnVl4cFLYzlSQs5ijJ06q5xI1ciUycaWBRucT6xmL7jqOjJ VMctf0+avPkWdf1DIIzwvmFC6idVd6mkWK1Co2x0358R/ye0SAwQ6WvOmzvq73qbHZr56De4/5/ wLdOtv8dWJ/wJbsVeHHEeFutU5EcJIso8bQIoGCm3prfquwsEBjPAO4YOI5vuVSuFthN9IPeM6D BOJ7HIMDkGBlb4ufZ0RMbDlijjStsd0WjS368tyDOOb+6EKalD195gpN3JdULVK3fRbiGOhgYJX K5qFU/ySBwT76T7Xn+nfcd2U7Imoj6oSq8H9nk/frge3J7W0i X-Google-Smtp-Source: AGHT+IEVJhhyggrCRqeGNHws1KVnpbMRYRVUteOTyUZQZ7yqW4HyzDBa3omEmRlJQ65bbR41MF8dmQ== X-Received: by 2002:a05:6a00:b55:b0:781:1f5e:8bc5 with SMTP id d2e1a72fcca58-78af4205d72mr700983b3a.18.1759261817614; Tue, 30 Sep 2025 12:50:17 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:17 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/7] go: fix CVE-2025-47907 Date: Tue, 30 Sep 2025 12:50:03 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224194 From: Praveen Kumar Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. Made below changes for Go 1.17 backport: - Replaced `atomic.Pointer[error]` with `atomic.Value`, since atomic pointers are not supported in Go 1.17. - Used errp.(*error) to retrieve and dereference the stored *error, Without this, build fails with: invalid indirect of errp (type interface{}). - Replaced Go 1.18 `any` keyword with `interface{}` for backward compatibility with Go 1.17. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47907 Upstream-patch: https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9 https://github.com/golang/go/commit/298fe517a9333c05143a8a8e1f9d5499f0c6e59b https://github.com/golang/go/commit/c23579f031ecd09bf37c644723b33736dffa8b92 Signed-off-by: Praveen Kumar Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 125 ++++--- .../go/go-1.21/CVE-2025-47907-pre-0001.patch | 354 ++++++++++++++++++ .../go/go-1.21/CVE-2025-47907-pre-0002.patch | 232 ++++++++++++ .../go/go-1.21/CVE-2025-47907.patch | 327 ++++++++++++++++ 4 files changed, 977 insertions(+), 61 deletions(-) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index b17853035b..2052f4adbc 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -4,67 +4,70 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FI LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" -SRC_URI += "\ - file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ - file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ - file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ - file://0004-ld-add-soname-to-shareable-objects.patch \ - file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ - file://0006-cmd-dist-separate-host-and-target-builds.patch \ - file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ - file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ - file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ - file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ - file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ - file://0010-net-Fix-issue-with-DNS-not-being-updated.patch \ - file://CVE-2022-27664.patch \ - file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ - file://CVE-2022-41715.patch \ - file://CVE-2022-41717.patch \ - file://CVE-2022-2879.patch \ - file://CVE-2022-41720.patch \ - file://CVE-2022-41723.patch \ - file://cve-2022-41724.patch \ - file://add_godebug.patch \ - file://cve-2022-41725.patch \ - file://CVE-2022-41722.patch \ - file://CVE-2023-24537.patch \ - file://CVE-2023-24534.patch \ - file://CVE-2023-24538_1.patch \ - file://CVE-2023-24538_2.patch \ - file://CVE-2023-24540.patch \ - file://CVE-2023-24539.patch \ - file://CVE-2023-29404.patch \ - file://CVE-2023-29405.patch \ - file://CVE-2023-29402.patch \ - file://CVE-2023-29400.patch \ - file://CVE-2023-29406-1.patch \ - file://CVE-2023-29406-2.patch \ - file://CVE-2023-24536_1.patch \ - file://CVE-2023-24536_2.patch \ - file://CVE-2023-24536_3.patch \ - file://CVE-2023-24531_1.patch \ - file://CVE-2023-24531_2.patch \ - file://CVE-2023-29409.patch \ - file://CVE-2023-39319.patch \ - file://CVE-2023-39318.patch \ - file://CVE-2023-39326.patch \ - file://CVE-2023-45285.patch \ - file://CVE-2023-45287.patch \ - file://CVE-2023-45289.patch \ - file://CVE-2023-45290.patch \ - file://CVE-2024-24784.patch \ - file://CVE-2024-24785.patch \ - file://CVE-2023-45288.patch \ - file://CVE-2024-24789.patch \ - file://CVE-2024-24791.patch \ - file://CVE-2024-34155.patch \ - file://CVE-2024-34156.patch \ - file://CVE-2024-34158.patch \ - file://CVE-2024-45336.patch \ - file://CVE-2025-22871.patch \ - file://CVE-2025-4673.patch \ -" +SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ + file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ + file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ + file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ + file://0004-ld-add-soname-to-shareable-objects.patch \ + file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ + file://0006-cmd-dist-separate-host-and-target-builds.patch \ + file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ + file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ + file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ + file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ + file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ + file://0010-net-Fix-issue-with-DNS-not-being-updated.patch \ + file://CVE-2022-27664.patch \ + file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ + file://CVE-2022-41715.patch \ + file://CVE-2022-41717.patch \ + file://CVE-2022-2879.patch \ + file://CVE-2022-41720.patch \ + file://CVE-2022-41723.patch \ + file://cve-2022-41724.patch \ + file://add_godebug.patch \ + file://cve-2022-41725.patch \ + file://CVE-2022-41722.patch \ + file://CVE-2023-24537.patch \ + file://CVE-2023-24534.patch \ + file://CVE-2023-24538_1.patch \ + file://CVE-2023-24538_2.patch \ + file://CVE-2023-24540.patch \ + file://CVE-2023-24539.patch \ + file://CVE-2023-29404.patch \ + file://CVE-2023-29405.patch \ + file://CVE-2023-29402.patch \ + file://CVE-2023-29400.patch \ + file://CVE-2023-29406-1.patch \ + file://CVE-2023-29406-2.patch \ + file://CVE-2023-24536_1.patch \ + file://CVE-2023-24536_2.patch \ + file://CVE-2023-24536_3.patch \ + file://CVE-2023-24531_1.patch \ + file://CVE-2023-24531_2.patch \ + file://CVE-2023-29409.patch \ + file://CVE-2023-39319.patch \ + file://CVE-2023-39318.patch \ + file://CVE-2023-39326.patch \ + file://CVE-2023-45285.patch \ + file://CVE-2023-45287.patch \ + file://CVE-2023-45289.patch \ + file://CVE-2023-45290.patch \ + file://CVE-2024-24784.patch \ + file://CVE-2024-24785.patch \ + file://CVE-2023-45288.patch \ + file://CVE-2024-24789.patch \ + file://CVE-2024-24791.patch \ + file://CVE-2024-34155.patch \ + file://CVE-2024-34156.patch \ + file://CVE-2024-34158.patch \ + file://CVE-2024-45336.patch \ + file://CVE-2025-22871.patch \ + file://CVE-2025-4673.patch \ + file://CVE-2025-47907-pre-0001.patch \ + file://CVE-2025-47907-pre-0002.patch \ + file://CVE-2025-47907.patch \ + " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" # Upstream don't believe it is a signifiant real world issue and will only diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch new file mode 100644 index 0000000000..97e7539dc3 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch @@ -0,0 +1,354 @@ +From 298fe517a9333c05143a8a8e1f9d5499f0c6e59b Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick +Date: Tue, 23 May 2023 15:12:47 -0700 +Subject: [PATCH] database/sql: make RawBytes safely usable with contexts + +sql.RawBytes was added the very first Go release, Go 1. Its docs +say: + +> RawBytes is a byte slice that holds a reference to memory owned by +> the database itself. After a Scan into a RawBytes, the slice is only +> valid until the next call to Next, Scan, or Close. + +That "only valid until the next call" bit was true at the time, +until contexts were added to database/sql in Go 1.8. + +In the past ~dozen releases it's been unsafe to use QueryContext with +a context that might become Done to get an *sql.Rows that's scanning +into a RawBytes. The Scan can succeed, but then while the caller's +reading the memory, a database/sql-managed goroutine can see the +context becoming done and call Close on the database/sql/driver and +make the caller's view of the RawBytes memory no longer valid, +introducing races, crashes, or database corruption. See #60304 +and #53970 for details. + +This change does the minimal surgery on database/sql to make it safe +again: Rows.Scan was already acquiring a mutex to check whether the +rows had been closed, so this change make Rows.Scan notice whether +*RawBytes was used and, if so, doesn't release the mutex on exit +before returning. That mean it's still locked while the user code +operates on the RawBytes memory and the concurrent context-watching +goroutine to close the database still runs, but if it fires, it then +gets blocked on the mutex until the next call to a Rows method (Next, +NextResultSet, Err, Close). + +Updates #60304 +Updates #53970 (earlier one I'd missed) + +Change-Id: Ie41c0c6f32c24887b2f53ec3686c2aab73a1bfff +Reviewed-on: https://go-review.googlesource.com/c/go/+/497675 +TryBot-Result: Gopher Robot +Reviewed-by: Ian Lance Taylor +Run-TryBot: Brad Fitzpatrick +Auto-Submit: Ian Lance Taylor +Reviewed-by: Russ Cox + +CVE: CVE-2025-47907 + +Upstream-Status: Backport [https://github.com/golang/go/commit/298fe517a9333c05143a8a8e1f9d5499f0c6e59b] + +Signed-off-by: Praveen Kumar +--- + src/database/sql/fakedb_test.go | 13 +++++- + src/database/sql/sql.go | 72 ++++++++++++++++++++++++++++++++- + src/database/sql/sql_test.go | 58 ++++++++++++++++++++++++++ + 3 files changed, 141 insertions(+), 2 deletions(-) + +diff --git a/src/database/sql/fakedb_test.go b/src/database/sql/fakedb_test.go +index 4b68f1c..33c57b9 100644 +--- a/src/database/sql/fakedb_test.go ++++ b/src/database/sql/fakedb_test.go +@@ -15,6 +15,7 @@ import ( + "strconv" + "strings" + "sync" ++ "sync/atomic" + "testing" + "time" + ) +@@ -90,6 +91,8 @@ func (cc *fakeDriverCtx) OpenConnector(name string) (driver.Connector, error) { + type fakeDB struct { + name string + ++ useRawBytes atomic.Bool ++ + mu sync.Mutex + tables map[string]*table + badConn bool +@@ -680,6 +683,8 @@ func (c *fakeConn) PrepareContext(ctx context.Context, query string) (driver.Stm + switch cmd { + case "WIPE": + // Nothing ++ case "USE_RAWBYTES": ++ c.db.useRawBytes.Store(true) + case "SELECT": + stmt, err = c.prepareSelect(stmt, parts) + case "CREATE": +@@ -783,6 +788,9 @@ func (s *fakeStmt) ExecContext(ctx context.Context, args []driver.NamedValue) (d + case "WIPE": + db.wipe() + return driver.ResultNoRows, nil ++ case "USE_RAWBYTES": ++ s.c.db.useRawBytes.Store(true) ++ return driver.ResultNoRows, nil + case "CREATE": + if err := db.createTable(s.table, s.colName, s.colType); err != nil { + return nil, err +@@ -912,6 +920,7 @@ func (s *fakeStmt) QueryContext(ctx context.Context, args []driver.NamedValue) ( + txStatus = "transaction" + } + cursor := &rowsCursor{ ++ db: s.c.db, + parentMem: s.c, + posRow: -1, + rows: [][]*row{ +@@ -1008,6 +1017,7 @@ func (s *fakeStmt) QueryContext(ctx context.Context, args []driver.NamedValue) ( + } + + cursor := &rowsCursor{ ++ db: s.c.db, + parentMem: s.c, + posRow: -1, + rows: setMRows, +@@ -1050,6 +1060,7 @@ func (tx *fakeTx) Rollback() error { + } + + type rowsCursor struct { ++ db *fakeDB + parentMem memToucher + cols [][]string + colType [][]string +@@ -1121,7 +1132,7 @@ func (rc *rowsCursor) Next(dest []driver.Value) error { + // messing up conversions or doing them differently. + dest[i] = v + +- if bs, ok := v.([]byte); ok { ++ if bs, ok := v.([]byte); ok && !rc.db.useRawBytes.Load() { + if rc.bytesClone == nil { + rc.bytesClone = make(map[*byte][]byte) + } +diff --git a/src/database/sql/sql.go b/src/database/sql/sql.go +index 68fb392..ef49e70 100644 +--- a/src/database/sql/sql.go ++++ b/src/database/sql/sql.go +@@ -2879,6 +2879,8 @@ type Rows struct { + cancel func() // called when Rows is closed, may be nil. + closeStmt *driverStmt // if non-nil, statement to Close on close + ++ contextDone atomic.Value // error that awaitDone saw; set before close attempt ++ + // closemu prevents Rows from closing while there + // is an active streaming result. It is held for read during non-close operations + // and exclusively during close. +@@ -2891,6 +2893,15 @@ type Rows struct { + // lastcols is only used in Scan, Next, and NextResultSet which are expected + // not to be called concurrently. + lastcols []driver.Value ++ ++ // closemuScanHold is whether the previous call to Scan kept closemu RLock'ed ++ // without unlocking it. It does that when the user passes a *RawBytes scan ++ // target. In that case, we need to prevent awaitDone from closing the Rows ++ // while the user's still using the memory. See go.dev/issue/60304. ++ // ++ // It is only used by Scan, Next, and NextResultSet which are expected ++ // not to be called concurrently. ++ closemuScanHold bool + } + + // lasterrOrErrLocked returns either lasterr or the provided err. +@@ -2928,7 +2939,11 @@ func (rs *Rows) awaitDone(ctx, txctx context.Context) { + } + select { + case <-ctx.Done(): ++ err := ctx.Err() ++ rs.contextDone.Store(&err) + case <-txctxDone: ++ err := txctx.Err() ++ rs.contextDone.Store(&err) + } + rs.close(ctx.Err()) + } +@@ -2940,6 +2955,15 @@ func (rs *Rows) awaitDone(ctx, txctx context.Context) { + // + // Every call to Scan, even the first one, must be preceded by a call to Next. + func (rs *Rows) Next() bool { ++ // If the user's calling Next, they're done with their previous row's Scan ++ // results (any RawBytes memory), so we can release the read lock that would ++ // be preventing awaitDone from calling close. ++ rs.closemuRUnlockIfHeldByScan() ++ ++ if rs.contextDone.Load() != nil { ++ return false ++ } ++ + var doClose, ok bool + withLock(rs.closemu.RLocker(), func() { + doClose, ok = rs.nextLocked() +@@ -2994,6 +3018,11 @@ func (rs *Rows) nextLocked() (doClose, ok bool) { + // scanning. If there are further result sets they may not have rows in the result + // set. + func (rs *Rows) NextResultSet() bool { ++ // If the user's calling NextResultSet, they're done with their previous ++ // row's Scan results (any RawBytes memory), so we can release the read lock ++ // that would be preventing awaitDone from calling close. ++ rs.closemuRUnlockIfHeldByScan() ++ + var doClose bool + defer func() { + if doClose { +@@ -3030,6 +3059,10 @@ func (rs *Rows) NextResultSet() bool { + // Err returns the error, if any, that was encountered during iteration. + // Err may be called after an explicit or implicit Close. + func (rs *Rows) Err() error { ++ if errp := rs.contextDone.Load(); errp != nil { ++ return *(errp.(*error)) ++ } ++ + rs.closemu.RLock() + defer rs.closemu.RUnlock() + return rs.lasterrOrErrLocked(nil) +@@ -3223,6 +3256,11 @@ func rowsColumnInfoSetupConnLocked(rowsi driver.Rows) []*ColumnType { + // If any of the first arguments implementing Scanner returns an error, + // that error will be wrapped in the returned error + func (rs *Rows) Scan(dest ...interface{}) error { ++ if rs.closemuScanHold { ++ // This should only be possible if the user calls Scan twice in a row ++ // without calling Next. ++ return fmt.Errorf("sql: Scan called without calling Next (closemuScanHold)") ++ } + rs.closemu.RLock() + + if rs.lasterr != nil && rs.lasterr != io.EOF { +@@ -3234,23 +3272,50 @@ func (rs *Rows) Scan(dest ...interface{}) error { + rs.closemu.RUnlock() + return err + } +- rs.closemu.RUnlock() ++ ++ if scanArgsContainRawBytes(dest) { ++ rs.closemuScanHold = true ++ } else { ++ rs.closemu.RUnlock() ++ } + + if rs.lastcols == nil { ++ rs.closemuRUnlockIfHeldByScan() + return errors.New("sql: Scan called without calling Next") + } + if len(dest) != len(rs.lastcols) { ++ rs.closemuRUnlockIfHeldByScan() + return fmt.Errorf("sql: expected %d destination arguments in Scan, not %d", len(rs.lastcols), len(dest)) + } ++ + for i, sv := range rs.lastcols { + err := convertAssignRows(dest[i], sv, rs) + if err != nil { ++ rs.closemuRUnlockIfHeldByScan() + return fmt.Errorf(`sql: Scan error on column index %d, name %q: %w`, i, rs.rowsi.Columns()[i], err) + } + } + return nil + } + ++// closemuRUnlockIfHeldByScan releases any closemu.RLock held open by a previous ++// call to Scan with *RawBytes. ++func (rs *Rows) closemuRUnlockIfHeldByScan() { ++ if rs.closemuScanHold { ++ rs.closemuScanHold = false ++ rs.closemu.RUnlock() ++ } ++} ++ ++func scanArgsContainRawBytes(args []interface{}) bool { ++ for _, a := range args { ++ if _, ok := a.(*RawBytes); ok { ++ return true ++ } ++ } ++ return false ++} ++ + // rowsCloseHook returns a function so tests may install the + // hook through a test only mutex. + var rowsCloseHook = func() func(*Rows, *error) { return nil } +@@ -3260,6 +3325,11 @@ var rowsCloseHook = func() func(*Rows, *error) { return nil } + // the Rows are closed automatically and it will suffice to check the + // result of Err. Close is idempotent and does not affect the result of Err. + func (rs *Rows) Close() error { ++ // If the user's calling Close, they're done with their previous row's Scan ++ // results (any RawBytes memory), so we can release the read lock that would ++ // be preventing awaitDone from calling the unexported close before we do so. ++ rs.closemuRUnlockIfHeldByScan() ++ + return rs.close(nil) + } + +diff --git a/src/database/sql/sql_test.go b/src/database/sql/sql_test.go +index f771dee..53b38d1 100644 +--- a/src/database/sql/sql_test.go ++++ b/src/database/sql/sql_test.go +@@ -4255,6 +4255,64 @@ func TestRowsScanProperlyWrapsErrors(t *testing.T) { + } + } + ++// From go.dev/issue/60304 ++func TestContextCancelDuringRawBytesScan(t *testing.T) { ++ db := newTestDB(t, "people") ++ defer closeDB(t, db) ++ ++ if _, err := db.Exec("USE_RAWBYTES"); err != nil { ++ t.Fatal(err) ++ } ++ ++ ctx, cancel := context.WithCancel(context.Background()) ++ defer cancel() ++ ++ r, err := db.QueryContext(ctx, "SELECT|people|name|") ++ if err != nil { ++ t.Fatal(err) ++ } ++ numRows := 0 ++ var sink byte ++ for r.Next() { ++ numRows++ ++ var s RawBytes ++ err = r.Scan(&s) ++ if !r.closemuScanHold { ++ t.Errorf("expected closemu to be held") ++ } ++ if err != nil { ++ t.Fatal(err) ++ } ++ t.Logf("read %q", s) ++ if numRows == 2 { ++ cancel() // invalidate the context, which used to call close asynchronously ++ } ++ for _, b := range s { // some operation reading from the raw memory ++ sink += b ++ } ++ } ++ if r.closemuScanHold { ++ t.Errorf("closemu held; should not be") ++ } ++ ++ // There are 3 rows. We canceled after reading 2 so we expect either ++ // 2 or 3 depending on how the awaitDone goroutine schedules. ++ switch numRows { ++ case 0, 1: ++ t.Errorf("got %d rows; want 2+", numRows) ++ case 2: ++ if err := r.Err(); err != context.Canceled { ++ t.Errorf("unexpected error: %v (%T)", err, err) ++ } ++ default: ++ // Made it to the end. This is rare, but fine. Permit it. ++ } ++ ++ if err := r.Close(); err != nil { ++ t.Fatal(err) ++ } ++} ++ + // badConn implements a bad driver.Conn, for TestBadDriver. + // The Exec method panics. + type badConn struct{} diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch new file mode 100644 index 0000000000..fe0b6a4d9c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch @@ -0,0 +1,232 @@ +From c23579f031ecd09bf37c644723b33736dffa8b92 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 23 Jan 2024 15:59:47 -0800 +Subject: [PATCH] database/sql: avoid clobbering driver-owned memory in + RawBytes + +Depending on the query, a RawBytes can contain memory owned by the +driver or by database/sql: + +If the driver provides the column as a []byte, +RawBytes aliases that []byte. + +If the driver provides the column as any other type, +RawBytes contains memory allocated by database/sql. +Prior to this CL, Rows.Scan will reuse existing capacity in a +RawBytes to permit a single allocation to be reused across rows. + +When a RawBytes is reused across queries, this can result +in database/sql writing to driver-owned memory. + +Add a buffer to Rows to store RawBytes data, and reuse this +buffer across calls to Rows.Scan. + +Fixes #65201 + +Change-Id: Iac640174c7afa97eeb39496f47dec202501b2483 +Reviewed-on: https://go-review.googlesource.com/c/go/+/557917 +Reviewed-by: Brad Fitzpatrick +Reviewed-by: Roland Shoemaker +LUCI-TryBot-Result: Go LUCI + +CVE: CVE-2025-47907 + +Upstream-Status: Backport [https://github.com/golang/go/commit/c23579f031ecd09bf37c644723b33736dffa8b92] + +Signed-off-by: Praveen Kumar +--- + src/database/sql/convert.go | 8 +++--- + src/database/sql/convert_test.go | 14 +++++++--- + src/database/sql/sql.go | 34 +++++++++++++++++++++++ + src/database/sql/sql_test.go | 47 ++++++++++++++++++++++++++++++++ + 4 files changed, 95 insertions(+), 8 deletions(-) + +diff --git a/src/database/sql/convert.go b/src/database/sql/convert.go +index b966ef9..3a581f6 100644 +--- a/src/database/sql/convert.go ++++ b/src/database/sql/convert.go +@@ -237,7 +237,7 @@ func convertAssignRows(dest, src interface{}, rows *Rows) error { + if d == nil { + return errNilPtr + } +- *d = append((*d)[:0], s...) ++ *d = rows.setrawbuf(append(rows.rawbuf(), s...)) + return nil + } + case []byte: +@@ -285,7 +285,7 @@ func convertAssignRows(dest, src interface{}, rows *Rows) error { + if d == nil { + return errNilPtr + } +- *d = s.AppendFormat((*d)[:0], time.RFC3339Nano) ++ *d = rows.setrawbuf(s.AppendFormat(rows.rawbuf(), time.RFC3339Nano)) + return nil + } + case decimalDecompose: +@@ -366,8 +366,8 @@ func convertAssignRows(dest, src interface{}, rows *Rows) error { + } + case *RawBytes: + sv = reflect.ValueOf(src) +- if b, ok := asBytes([]byte(*d)[:0], sv); ok { +- *d = RawBytes(b) ++ if b, ok := asBytes(rows.rawbuf(), sv); ok { ++ *d = rows.setrawbuf(b) + return nil + } + case *bool: +diff --git a/src/database/sql/convert_test.go b/src/database/sql/convert_test.go +index 2668a5e..23a70bf 100644 +--- a/src/database/sql/convert_test.go ++++ b/src/database/sql/convert_test.go +@@ -357,9 +357,10 @@ func TestRawBytesAllocs(t *testing.T) { + {"time", time.Unix(2, 5).UTC(), "1970-01-01T00:00:02.000000005Z"}, + } + +- buf := make(RawBytes, 10) +- test := func(name string, in interface{}, want string) { +- if err := convertAssign(&buf, in); err != nil { ++ var buf RawBytes ++ rows := &Rows{} ++ test := func(name string, in interface{}, want string) { ++ if err := convertAssignRows(&buf, in, rows); err != nil { + t.Fatalf("%s: convertAssign = %v", name, err) + } + match := len(buf) == len(want) +@@ -378,6 +379,7 @@ func TestRawBytesAllocs(t *testing.T) { + + n := testing.AllocsPerRun(100, func() { + for _, tt := range tests { ++ rows.raw = rows.raw[:0] + test(tt.name, tt.in, tt.want) + } + }) +@@ -386,7 +388,11 @@ func TestRawBytesAllocs(t *testing.T) { + // and gc. With 32-bit words there are more convT2E allocs, and + // with gccgo, only pointers currently go in interface data. + // So only care on amd64 gc for now. +- measureAllocs := runtime.GOARCH == "amd64" && runtime.Compiler == "gc" ++ measureAllocs := false ++ switch runtime.GOARCH { ++ case "amd64", "arm64": ++ measureAllocs = runtime.Compiler == "gc" ++ } + + if n > 0.5 && measureAllocs { + t.Fatalf("allocs = %v; want 0", n) +diff --git a/src/database/sql/sql.go b/src/database/sql/sql.go +index ef49e70..e25447c 100644 +--- a/src/database/sql/sql.go ++++ b/src/database/sql/sql.go +@@ -2894,6 +2894,13 @@ type Rows struct { + // not to be called concurrently. + lastcols []driver.Value + ++ // raw is a buffer for RawBytes that persists between Scan calls. ++ // This is used when the driver returns a mismatched type that requires ++ // a cloning allocation. For example, if the driver returns a *string and ++ // the user is scanning into a *RawBytes, we need to copy the string. ++ // The raw buffer here lets us reuse the memory for that copy across Scan calls. ++ raw []byte ++ + // closemuScanHold is whether the previous call to Scan kept closemu RLock'ed + // without unlocking it. It does that when the user passes a *RawBytes scan + // target. In that case, we need to prevent awaitDone from closing the Rows +@@ -3068,6 +3075,32 @@ func (rs *Rows) Err() error { + return rs.lasterrOrErrLocked(nil) + } + ++// rawbuf returns the buffer to append RawBytes values to. ++// This buffer is reused across calls to Rows.Scan. ++// ++// Usage: ++// ++// rawBytes = rows.setrawbuf(append(rows.rawbuf(), value...)) ++func (rs *Rows) rawbuf() []byte { ++ if rs == nil { ++ // convertAssignRows can take a nil *Rows; for simplicity handle it here ++ return nil ++ } ++ return rs.raw ++} ++ ++// setrawbuf updates the RawBytes buffer with the result of appending a new value to it. ++// It returns the new value. ++func (rs *Rows) setrawbuf(b []byte) RawBytes { ++ if rs == nil { ++ // convertAssignRows can take a nil *Rows; for simplicity handle it here ++ return RawBytes(b) ++ } ++ off := len(rs.raw) ++ rs.raw = b ++ return RawBytes(rs.raw[off:]) ++} ++ + var errRowsClosed = errors.New("sql: Rows are closed") + var errNoRows = errors.New("sql: no Rows available") + +@@ -3275,6 +3308,7 @@ func (rs *Rows) Scan(dest ...interface{}) error { + + if scanArgsContainRawBytes(dest) { + rs.closemuScanHold = true ++ rs.raw = rs.raw[:0] + } else { + rs.closemu.RUnlock() + } +diff --git a/src/database/sql/sql_test.go b/src/database/sql/sql_test.go +index 53b38d1..6aa9bf0 100644 +--- a/src/database/sql/sql_test.go ++++ b/src/database/sql/sql_test.go +@@ -4313,6 +4313,53 @@ func TestContextCancelDuringRawBytesScan(t *testing.T) { + } + } + ++// Issue #65201. ++// ++// If a RawBytes is reused across multiple queries, ++// subsequent queries shouldn't overwrite driver-owned memory from previous queries. ++func TestRawBytesReuse(t *testing.T) { ++ db := newTestDB(t, "people") ++ defer closeDB(t, db) ++ ++ if _, err := db.Exec("USE_RAWBYTES"); err != nil { ++ t.Fatal(err) ++ } ++ ++ var raw RawBytes ++ ++ // The RawBytes in this query aliases driver-owned memory. ++ rows, err := db.Query("SELECT|people|name|") ++ if err != nil { ++ t.Fatal(err) ++ } ++ rows.Next() ++ rows.Scan(&raw) // now raw is pointing to driver-owned memory ++ name1 := string(raw) ++ rows.Close() ++ ++ // The RawBytes in this query does not alias driver-owned memory. ++ rows, err = db.Query("SELECT|people|age|") ++ if err != nil { ++ t.Fatal(err) ++ } ++ rows.Next() ++ rows.Scan(&raw) // this must not write to the driver-owned memory in raw ++ rows.Close() ++ ++ // Repeat the first query. Nothing should have changed. ++ rows, err = db.Query("SELECT|people|name|") ++ if err != nil { ++ t.Fatal(err) ++ } ++ rows.Next() ++ rows.Scan(&raw) // raw points to driver-owned memory again ++ name2 := string(raw) ++ rows.Close() ++ if name1 != name2 { ++ t.Fatalf("Scan read name %q, want %q", name2, name1) ++ } ++} ++ + // badConn implements a bad driver.Conn, for TestBadDriver. + // The Exec method panics. + type badConn struct{} diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch new file mode 100644 index 0000000000..b2af7df81b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch @@ -0,0 +1,327 @@ +From 8a924caaf348fdc366bab906424616b2974ad4e9 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 23 Jul 2025 14:26:54 -0700 +Subject: [PATCH] database/sql: avoid closing Rows while scan is in progress + +A database/sql/driver.Rows can return database-owned data +from Rows.Next. The driver.Rows documentation doesn't explicitly +document the lifetime guarantees for this data, but a reasonable +expectation is that the caller of Next should only access it +until the next call to Rows.Close or Rows.Next. + +Avoid violating that constraint when a query is cancelled while +a call to database/sql.Rows.Scan (note the difference between +the two different Rows types!) is in progress. We previously +took care to avoid closing a driver.Rows while the user has +access to driver-owned memory via a RawData, but we could still +close a driver.Rows while a Scan call was in the process of +reading previously-returned driver-owned data. + +Update the fake DB used in database/sql tests to invalidate +returned data to help catch other places we might be +incorrectly retaining it. + +Updates #74831 +Fixes #74832 + +Change-Id: Ice45b5fad51b679c38e3e1d21ef39156b56d6037 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2540 +Reviewed-by: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2601 +Reviewed-on: https://go-review.googlesource.com/c/go/+/693558 +TryBot-Bypass: Dmitri Shuralyov +Reviewed-by: Mark Freeman +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov + +CVE: CVE-2025-47907 + +Upstream-Status: Backport [https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9] + +Signed-off-by: Praveen Kumar +--- + src/database/sql/convert.go | 2 -- + src/database/sql/fakedb_test.go | 47 ++++++++++++-------------- + src/database/sql/sql.go | 26 +++++++------- + src/database/sql/sql_test.go | 60 ++++++++++++++++++++++++++++++--- + 4 files changed, 90 insertions(+), 45 deletions(-) + +diff --git a/src/database/sql/convert.go b/src/database/sql/convert.go +index 3a581f6..5b0c6f0 100644 +--- a/src/database/sql/convert.go ++++ b/src/database/sql/convert.go +@@ -324,7 +324,6 @@ func convertAssignRows(dest, src interface{}, rows *Rows) error { + if rows == nil { + return errors.New("invalid context to convert cursor rows, missing parent *Rows") + } +- rows.closemu.Lock() + *d = Rows{ + dc: rows.dc, + releaseConn: func(error) {}, +@@ -340,7 +339,6 @@ func convertAssignRows(dest, src interface{}, rows *Rows) error { + parentCancel() + } + } +- rows.closemu.Unlock() + return nil + } + } +diff --git a/src/database/sql/fakedb_test.go b/src/database/sql/fakedb_test.go +index 33c57b9..9f3d517 100644 +--- a/src/database/sql/fakedb_test.go ++++ b/src/database/sql/fakedb_test.go +@@ -5,6 +5,7 @@ + package sql + + import ( ++ "bytes" + "context" + "database/sql/driver" + "errors" +@@ -15,7 +16,6 @@ import ( + "strconv" + "strings" + "sync" +- "sync/atomic" + "testing" + "time" + ) +@@ -91,8 +91,6 @@ func (cc *fakeDriverCtx) OpenConnector(name string) (driver.Connector, error) { + type fakeDB struct { + name string + +- useRawBytes atomic.Bool +- + mu sync.Mutex + tables map[string]*table + badConn bool +@@ -683,8 +681,6 @@ func (c *fakeConn) PrepareContext(ctx context.Context, query string) (driver.Stm + switch cmd { + case "WIPE": + // Nothing +- case "USE_RAWBYTES": +- c.db.useRawBytes.Store(true) + case "SELECT": + stmt, err = c.prepareSelect(stmt, parts) + case "CREATE": +@@ -788,9 +784,6 @@ func (s *fakeStmt) ExecContext(ctx context.Context, args []driver.NamedValue) (d + case "WIPE": + db.wipe() + return driver.ResultNoRows, nil +- case "USE_RAWBYTES": +- s.c.db.useRawBytes.Store(true) +- return driver.ResultNoRows, nil + case "CREATE": + if err := db.createTable(s.table, s.colName, s.colType); err != nil { + return nil, err +@@ -1073,10 +1066,9 @@ type rowsCursor struct { + errPos int + err error + +- // a clone of slices to give out to clients, indexed by the +- // original slice's first byte address. we clone them +- // just so we're able to corrupt them on close. +- bytesClone map[*byte][]byte ++ // Data returned to clients. ++ // We clone and stash it here so it can be invalidated by Close and Next. ++ driverOwnedMemory [][]byte + + // Every operation writes to line to enable the race detector + // check for data races. +@@ -1090,9 +1082,19 @@ func (rc *rowsCursor) touchMem() { + rc.line++ + } + ++func (rc *rowsCursor) invalidateDriverOwnedMemory() { ++ for _, buf := range rc.driverOwnedMemory { ++ for i := range buf { ++ buf[i] = 'x' ++ } ++ } ++ rc.driverOwnedMemory = nil ++} ++ + func (rc *rowsCursor) Close() error { + rc.touchMem() + rc.parentMem.touchMem() ++ rc.invalidateDriverOwnedMemory() + rc.closed = true + return nil + } +@@ -1123,6 +1125,8 @@ func (rc *rowsCursor) Next(dest []driver.Value) error { + if rc.posRow >= len(rc.rows[rc.posSet]) { + return io.EOF // per interface spec + } ++ // Corrupt any previously returned bytes. ++ rc.invalidateDriverOwnedMemory() + for i, v := range rc.rows[rc.posSet][rc.posRow].cols { + // TODO(bradfitz): convert to subset types? naah, I + // think the subset types should only be input to +@@ -1130,20 +1134,13 @@ func (rc *rowsCursor) Next(dest []driver.Value) error { + // a wider range of types coming out of drivers. all + // for ease of drivers, and to prevent drivers from + // messing up conversions or doing them differently. +- dest[i] = v +- +- if bs, ok := v.([]byte); ok && !rc.db.useRawBytes.Load() { +- if rc.bytesClone == nil { +- rc.bytesClone = make(map[*byte][]byte) +- } +- clone, ok := rc.bytesClone[&bs[0]] +- if !ok { +- clone = make([]byte, len(bs)) +- copy(clone, bs) +- rc.bytesClone[&bs[0]] = clone +- } +- dest[i] = clone ++ if bs, ok := v.([]byte); ok { ++ // Clone []bytes and stash for later invalidation. ++ bs = bytes.Clone(bs) ++ rc.driverOwnedMemory = append(rc.driverOwnedMemory, bs) ++ v = bs + } ++ dest[i] = v + } + return nil + } +diff --git a/src/database/sql/sql.go b/src/database/sql/sql.go +index e25447c..a428e29 100644 +--- a/src/database/sql/sql.go ++++ b/src/database/sql/sql.go +@@ -3294,38 +3294,36 @@ func (rs *Rows) Scan(dest ...interface{}) error { + // without calling Next. + return fmt.Errorf("sql: Scan called without calling Next (closemuScanHold)") + } ++ + rs.closemu.RLock() ++ rs.raw = rs.raw[:0] ++ err := rs.scanLocked(dest...) ++ if err == nil && scanArgsContainRawBytes(dest) { ++ rs.closemuScanHold = true ++ } else { ++ rs.closemu.RUnlock() ++ } ++ return err ++} + ++func (rs *Rows) scanLocked(dest ...interface{}) error { + if rs.lasterr != nil && rs.lasterr != io.EOF { +- rs.closemu.RUnlock() + return rs.lasterr + } + if rs.closed { +- err := rs.lasterrOrErrLocked(errRowsClosed) +- rs.closemu.RUnlock() +- return err +- } +- +- if scanArgsContainRawBytes(dest) { +- rs.closemuScanHold = true +- rs.raw = rs.raw[:0] +- } else { +- rs.closemu.RUnlock() ++ return rs.lasterrOrErrLocked(errRowsClosed) + } + + if rs.lastcols == nil { +- rs.closemuRUnlockIfHeldByScan() + return errors.New("sql: Scan called without calling Next") + } + if len(dest) != len(rs.lastcols) { +- rs.closemuRUnlockIfHeldByScan() + return fmt.Errorf("sql: expected %d destination arguments in Scan, not %d", len(rs.lastcols), len(dest)) + } + + for i, sv := range rs.lastcols { + err := convertAssignRows(dest[i], sv, rs) + if err != nil { +- rs.closemuRUnlockIfHeldByScan() + return fmt.Errorf(`sql: Scan error on column index %d, name %q: %w`, i, rs.rowsi.Columns()[i], err) + } + } +diff --git a/src/database/sql/sql_test.go b/src/database/sql/sql_test.go +index 6aa9bf0..6aec7ec 100644 +--- a/src/database/sql/sql_test.go ++++ b/src/database/sql/sql_test.go +@@ -5,6 +5,7 @@ + package sql + + import ( ++ "bytes" + "context" + "database/sql/driver" + "errors" +@@ -4321,10 +4322,6 @@ func TestRawBytesReuse(t *testing.T) { + db := newTestDB(t, "people") + defer closeDB(t, db) + +- if _, err := db.Exec("USE_RAWBYTES"); err != nil { +- t.Fatal(err) +- } +- + var raw RawBytes + + // The RawBytes in this query aliases driver-owned memory. +@@ -4469,6 +4466,61 @@ func TestTypedString(t *testing.T) { + } + } + ++type testScanner struct { ++ scanf func(src any) error ++} ++ ++func (ts testScanner) Scan(src any) error { return ts.scanf(src) } ++ ++func TestContextCancelDuringScan(t *testing.T) { ++ db := newTestDB(t, "people") ++ defer closeDB(t, db) ++ ++ ctx, cancel := context.WithCancel(context.Background()) ++ defer cancel() ++ ++ scanStart := make(chan any) ++ scanEnd := make(chan error) ++ scanner := &testScanner{ ++ scanf: func(src any) error { ++ scanStart <- src ++ return <-scanEnd ++ }, ++ } ++ ++ // Start a query, and pause it mid-scan. ++ want := []byte("Alice") ++ r, err := db.QueryContext(ctx, "SELECT|people|name|name=?", string(want)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if !r.Next() { ++ t.Fatalf("r.Next() = false, want true") ++ } ++ go func() { ++ r.Scan(scanner) ++ }() ++ got := <-scanStart ++ defer close(scanEnd) ++ gotBytes, ok := got.([]byte) ++ if !ok { ++ t.Fatalf("r.Scan returned %T, want []byte", got) ++ } ++ if !bytes.Equal(gotBytes, want) { ++ t.Fatalf("before cancel: r.Scan returned %q, want %q", gotBytes, want) ++ } ++ ++ // Cancel the query. ++ // Sleep to give it a chance to finish canceling. ++ cancel() ++ time.Sleep(10 * time.Millisecond) ++ ++ // Cancelling the query should not have changed the result. ++ if !bytes.Equal(gotBytes, want) { ++ t.Fatalf("after cancel: r.Scan result is now %q, want %q", gotBytes, want) ++ } ++} ++ + func BenchmarkConcurrentDBExec(b *testing.B) { + b.ReportAllocs() + ct := new(concurrentDBExecTest) From patchwork Tue Sep 30 19:50:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71319 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A1D9CAC5B8 for ; Tue, 30 Sep 2025 19:50:21 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web11.227.1759261820095405214 for ; Tue, 30 Sep 2025 12:50:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=hq3Qg7U0; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-77f605f22easo5824313b3a.2 for ; Tue, 30 Sep 2025 12:50:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261819; x=1759866619; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YosUY6TkjzDn+Mut3B/gGqY0Mf/r4W+vjLNZqkDXZ7A=; b=hq3Qg7U0enL+1jeOi1znKWBaCrT1pcEYwtiwLkbw7iwomMMNl8/S+ML1ydDX/whtdq utFrDshgufpOIofie1d/gxECXLJx8IDdHDD9SKupAUKhcK2hCMx6BX5QFghI4wiaUD0C 05x9Ye1LjISnF3WxQvEzgvHbGcerotYVzMF77WuRrmSKCGpOWsvH2UYSqy8qQso/NIE9 UPfdLR9RpLoPY5BboEbWA4gxMLaG9Wz6aTOSZAMwuWAb03v0peBOilED+vpBCq7ylN28 CpZjh3h6sH1txhM6n/hPVHv7cyrTMD+YF7pee8RtBlKc108twEs8In2ua7QmiJQmacfF RLgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261819; x=1759866619; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YosUY6TkjzDn+Mut3B/gGqY0Mf/r4W+vjLNZqkDXZ7A=; b=NVJUEc1SuTJmFJseyAcmIGvAmPcAXrOxLhg+ivC2geM7ebtIftNq4r8d70zAJH5STE RCXXtApOMIv6vKXTusWB62Z3WaJDfnYwDs4rCp6DGjLEz5CG4nXY9I+zLFLu++/6LiAv 8fCxOt58gnP7RRB+5ZZ3tcaCT7j4UR95bixMhEX4EpQufGlJedLLMc1fDP1X+x6NQfLF cYJn1lRPAB5/8STEVdlLyAZb3BDpmz4cQvdk4AVL63UBUrlvrbAfT/zU7+GVPQEGPHMM z/KkwuqpkrxaYaZjls+rLxeTKLc1P51RPhvKdqIxJ+9i6uleEtQEEk4kzMIkYsihC5y4 ha+A== X-Gm-Message-State: AOJu0YxxYRsILYsGOYTv5PAyFqG4tHxkO56gsgyWDGaQkP1ggm2E7Ekv u1IB1B08Ch9T7YAFxaYQZ77rga5XrOYOENfaQasev5QKESVwRadLYy1gEImirk5599hB331Nvv4 ThvyS X-Gm-Gg: ASbGncuV7Blz0qv8h52GARK0SUzr6XEvQnww8vDAnr7MUKM7y1Ze+WYjz2iPfnEZ5Po TYlZzxAwl90843YC8UKhLW/jBnlJd76uClismMzEHfNmTmHe/qKuermHJJHn4Dpt/g7eSBiZZ2f nPJaPJ4FCxcRRKAyVU6UHlkNQFXi8ixfWJPgwP7MR/woVKXVUeuHs4isbxq80IcILWWtcu20hWc QBZp/SPX9OFq+OKMFfn+TyxzibxX8fkElWVn1/DWWqPZnfNqhNk1uKNLJwZgv7dHFR++mQwsde3 NhTtOyaAotRzDbP1WegSYb4CiXgiZHHArtzDgk/j7ZqvUqCjK4E1VrAY1gSDGhaw5ZZkRCrk71M c3Uy80m89vX9r2LA5DL6rx972K2SG1Lpr05d6Z2iCexqoQd0J X-Google-Smtp-Source: AGHT+IGCNlTwqYoSufpS/Hm/P/J7tRbn4eNEMEMx+UXTJVdm0szQxe/M2468lN+lpDb/oTaOy5GbhQ== X-Received: by 2002:a05:6a00:848:b0:77f:605f:20e1 with SMTP id d2e1a72fcca58-78af422e910mr688324b3a.27.1759261819206; Tue, 30 Sep 2025 12:50:19 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:18 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/7] grub2: fix CVE-2024-56738 Date: Tue, 30 Sep 2025 12:50:04 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:21 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224195 From: Yogita Urade Backport an algorithmic change to grub_crypto_memcmp() so that it completes in constant time and thus isn't susceptible to side-channel attacks. reference: https://git.openembedded.org/openembedded-core/commit/?id=30a1cc225a2bd5d044bf608d863a67df3f9c03be Upstream patch: https://cgit.git.savannah.gnu.org/cgit/grub.git/commit/?id=0739d24cd1648531d0708d1079ff6bbfa6140268 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../grub/files/CVE-2024-56738.patch | 75 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-56738.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch new file mode 100644 index 0000000000..1212b2d3e5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch @@ -0,0 +1,75 @@ +From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001 +From: Ross Burton +Date: Tue, 9 Sep 2025 14:23:14 +0100 +Subject: [PATCH] CVE-2024-56738 + +Backport an algorithmic change to grub_crypto_memcmp() so that it completes in +constant time and thus isn't susceptible to side-channel attacks. + +This is a partial backport of grub 0739d24cd +("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11") + +CVE: CVE-2024-56738 +Upstream-Status: Backport [0739d24cd] +Signed-off-by: Ross Burton +Signed-off-by: Yogita Urade +--- + grub-core/lib/crypto.c | 23 ++++++++++++++++------- + include/grub/crypto.h | 2 +- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index ca334d5..1bfa922 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in) + return GRUB_ACCESS_DENIED; + } + ++/* ++ * Compare byte arrays of length LEN, return 1 if it's not same, ++ * 0, otherwise. ++ */ + int +-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n) ++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len) + { +- register grub_size_t counter = 0; +- const grub_uint8_t *pa, *pb; ++ const grub_uint8_t *a = b1; ++ const grub_uint8_t *b = b2; ++ int ab, ba; ++ grub_size_t i; + +- for (pa = a, pb = b; n; pa++, pb++, n--) ++ /* Constant-time compare. */ ++ for (i = 0, ab = 0, ba = 0; i < len; i++) + { +- if (*pa != *pb) +- counter++; ++ /* If a[i] != b[i], either ab or ba will be negative. */ ++ ab |= a[i] - b[i]; ++ ba |= b[i] - a[i]; + } + +- return !!counter; ++ /* 'ab | ba' is negative when buffers are not equal, extract sign bit. */ ++ return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1; + } + + #ifndef GRUB_UTIL +diff --git a/include/grub/crypto.h b/include/grub/crypto.h +index 21cd1f7..432912b 100644 +--- a/include/grub/crypto.h ++++ b/include/grub/crypto.h +@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md, + grub_uint8_t *DK, grub_size_t dkLen); + + int +-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n); ++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len); + + int + grub_password_get (char buf[], unsigned buf_size); +-- +2.40.0 diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index cb61080aeb..1b019752b7 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -59,6 +59,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-0678_CVE-2025-1125.patch \ file://CVE-2025-0690.patch \ file://CVE-2025-1118.patch \ + file://CVE-2024-56738.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" From patchwork Tue Sep 30 19:50:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71322 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 61CD3CAC5B8 for ; Tue, 30 Sep 2025 19:50:31 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.230.1759261821588131986 for ; Tue, 30 Sep 2025 12:50:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=brC8w/Vm; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-7833765433cso4620046b3a.0 for ; Tue, 30 Sep 2025 12:50:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261821; x=1759866621; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ALqtEO9z4g4IaXL79YekV1Fc8+5fbJUmzk6ZeCnXRGE=; b=brC8w/VmPUgV7UkKxzjjQOF8uuWQXY4V9nZq1xsVH0uP4ZDBV8TBAXggPLM/s2M61x w7aWEcANuyZZlHa1SP40I90hGj64Q9mRn6iHOoRrSILV26/VIlVH0ErjSlDmRpt/eRRd sP1FYRY6vlffu/4jtGAOpLoj2ijIRj9Nfb+DK36TxZgDBiNrVVDm2hpa8pXYwMgJLsto CuXHStA+utdYVx2XxZfpCd+E37ioVM5NONvVzmuBcgU+RhLPE9eHzCzASq3mskNrF1A4 PJoc2oN4CyLvyFia0k4Vnxminkke2qTzordjn8eHwhnQnMYdQzjRxbbVQDarzadxEDxc 5XOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261821; x=1759866621; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ALqtEO9z4g4IaXL79YekV1Fc8+5fbJUmzk6ZeCnXRGE=; b=ga3hh93CSOs45MEQbhmWv7HnyYfMcZMGV7UgNQ3QGfLD298Dzmc58oTQbwmlRENedC zNNMcQtS8WFXOH/OKe/gxHjIjLY5+boDGQTupLjJwWJn8gOGT6YtacUzChF2SbmhFAoQ 9Dy6IH8EqOU1x12qi2pu7TE/uCr1vTFb5fZMWLQOCMkOUZmjG0d1QDDq2o3epY9H7Aiw S0Of5A/FJTDha2WvnQtfBX6ITAKQJz2YeD8w6lOrMV8crSSOJIbAZOdKMYJ1jLY8md16 C/OsQxEAfKmt8QkCd3QoqDec6r649JcUPnf16bOwenyFwEZIHkAN8N0sGjlBrMOU+YNh 1R+A== X-Gm-Message-State: AOJu0YzGHTH1qun7cZwkrD8Ad+lqdV0YXEysroinl4bmBMBCiEttxNUn Iu2a49XZZ7auQHURjtF2Cx7Nr6TN6f5vfw2gefcmt6opxPkxz579A6MtUWFkxK6lIxep3Tgp7ZD C+MMK X-Gm-Gg: ASbGncv47UidMAgCV6jEeQptH9P65RQsZwru4DIB0sZsTcDQOKZVBphcHJCPcxclfVa R4UkhzBkToLdQji43bVT6L0T7R3W/RBGL14wDInJjkiZF+lTVLHfnNJa0fNuVxu36CZPhdZk4Q8 rLestxrpGVruf4JnyhJ+bICkAWqylBS4mkdTLru3WibsZU0A4gbPCMYFP71Xqq1zpJlEJeelw7e SfrO6MrRdv3smq+Ccltkn02v8TjkvN37y3s9umLqsFJH2EG3qgpyY6LMJwwrjKEXv/kyJYXNBo9 yv+4p95Zvef2+bHIGNOLj7gQ/tqW3bceNaPJODFVDZPbQAypZqHD0jxyly5lhqp/ns3pjqBSh8J 9X6a6E1WVamSZrXluwVo0Xl1l1KRXjCIpceRhh3GzyJKPrc3H X-Google-Smtp-Source: AGHT+IE4ViVRTkc+UvbQ9bx0gwkzVhTGC8PjplTsQ7nRvXxhDr0dlgCCbsLfi79tqpj202Y1az3JUQ== X-Received: by 2002:a05:6a00:848:b0:781:4ec:4ec4 with SMTP id d2e1a72fcca58-78af422dc47mr739753b3a.31.1759261820743; Tue, 30 Sep 2025 12:50:20 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:20 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/7] curl: fix CVE-2025-9086 Date: Tue, 30 Sep 2025 12:50:05 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224196 From: Yogita Urade 1, A cookie is set using the secure keyword for https://target 2, curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set 3, The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored. 4, A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9086 Upstream patch: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2025-9086.patch | 55 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch diff --git a/meta/recipes-support/curl/curl/CVE-2025-9086.patch b/meta/recipes-support/curl/curl/CVE-2025-9086.patch new file mode 100644 index 0000000000..8ee7cd5192 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2025-9086.patch @@ -0,0 +1,55 @@ +From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 + +CVE: CVE-2025-9086 +Upstream-Status: Backport [https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6] + +Signed-off-by: Yogita Urade +--- + lib/cookie.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index e287458..ac7d3de 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -312,7 +312,7 @@ static char *sanitize_cookie_path(const char *cookie_path) + } + + /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + +@@ -1078,7 +1078,7 @@ Curl_cookie_add(struct Curl_easy *data, + if(clist->spath && co->spath) { + if(clist->secure && !co->secure && !secure) { + size_t cllen; +- const char *sep; ++ const char *sep = NULL; + + /* + * A non-secure cookie may not overlay an existing secure cookie. +@@ -1087,8 +1087,9 @@ Curl_cookie_add(struct Curl_easy *data, + * "/loginhelper" is ok. + */ + +- sep = strchr(clist->spath + 1, '/'); +- ++ DEBUGASSERT(clist->spath[0]); ++ if(clist->spath[0]) ++ sep = strchr(clist->spath + 1, '/'); + if(sep) + cllen = sep - clist->spath; + else +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 623d8a4bc3..54362e6978 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -66,6 +66,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2024-11053-0001.patch \ file://CVE-2024-11053-0002.patch \ file://CVE-2025-0167.patch \ + file://CVE-2025-9086.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Tue Sep 30 19:50:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71321 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5ED3CCCA470 for ; Tue, 30 Sep 2025 19:50:31 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web10.226.1759261823137070678 for ; Tue, 30 Sep 2025 12:50:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=VSqZ9ZeE; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-7835321bc98so3548672b3a.2 for ; Tue, 30 Sep 2025 12:50:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261822; x=1759866622; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZRLIFoXL5Iy3oUqTmphQEmsAsxNLiBaA+YsliYNLSA4=; b=VSqZ9ZeEhn1y+qO8iRUu29M5E8WXOmZuwEyRL776SVrf/+YDy5RblxCrhoY1IT3qxA jZcFcLsQZvYB3VyULCVCTVkOZSnUP6xicpNa1FmHW2oyGg8miYpUbgYcR4Ozcdzs5+mX XrwZbkoxVhz/zuR5KQ3vIWqHTwCcoVw4Z8N6G6lEteYcxuKxFElgpuqFBSVRaAh+fTuK YG6WjR69e8m1hvWqnycMHya95Z8r/8QZzKoxdN31NtBSEMreGy41/Plh7NHgbYIJd/+S HdMbRARu395r/2F5gs344zb3sEOFbT5F8vydbYwfAWl9yxiFcwPjy8Jcnyog+YHJ8ZZv P6RA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261822; x=1759866622; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZRLIFoXL5Iy3oUqTmphQEmsAsxNLiBaA+YsliYNLSA4=; b=mWJSBi/Tf4HLFxiXdRrBgbwVk81P2G07N2o5hAG+q2//RwRf9iF3p2o2YE7+GYQJvA hZFxPpMIbqD56xQ72CbNuUrbS2TkfcbjIv0sA19mROI8Z3PCpGIB4mWyfN5XCecci3/w Kk/0jJmlj85H7IYpGOhcbrnbSP6URyJmr9gxuC7B3Z9CJrU3aiz3BgDHWKsVy7xy7QP4 Ib9LkCziHqJHzzBaGNYoT/Z5LZuEPEL9OJgkqj09718ox8GvTJvNOvaBarsD1Q4MHf2F YWesMMeb0pyEHRoOTqFykJm6yMyTfcqQCc7aJGmi2x6q2F8tTooI2ojxQ/cr+iF+PPMV 07CQ== X-Gm-Message-State: AOJu0YxQ5nam7loM42oCmq3DCsqJV6OZgDPwvaeF3n+6irK35wymtaVQ TUjy/Lt+BwxABM+knioc7MWydtibBougGk59TgHyRfZ9408Mn5jNdcsruF9ePm+C3yjQix8PMcD hOUkH X-Gm-Gg: ASbGncuKTxUZAARvNMMmItv/vwDBr/u7vkPVnq0bP/j60Okghv1fniWK5IYSW3S8yjt qcPq+m5pMJ4mNOnMBaPbS7TPZcUpTzkWXAgN9GfgKL6bpr3w491T6x63P11bsZDCgU6qAe4cNEM JcbaknUMnOXeA+ZihpViL4V0WtmjMY2FeMTdvMt9JC/oCDEOBH+50GnnMeGgKJ1GWKGTM1M4/cj FJgH/b7tJbDQG1YMTqM4NYA+Ror/6XNgjSmmUyfBBd5088RvyrLKj7/ZPBKJ5paS8USYrWJsMrr 2Acej19YaB5srLxcs/ghIXwJJsAwh+NgmbrB6c4RoemZMhZLQgS+WSsYoGlDHYqqGnoBmAoOVjD ZeBWxiOp//tX8lxSsrT8wGmjAdYQSuxMRlVglLg== X-Google-Smtp-Source: AGHT+IHn3umFEkND6RRP8ppu14HcnxWOSqAsfLZLlp3B8CW8xMt0NmAbLvnJuNoG//x8Lwd9/hqaNA== X-Received: by 2002:a05:6a00:92a7:b0:781:15b0:bea9 with SMTP id d2e1a72fcca58-78af417bba8mr651476b3a.22.1759261822326; Tue, 30 Sep 2025 12:50:22 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/7] tiff: fix CVE-2025-9900 Date: Tue, 30 Sep 2025 12:50:06 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224197 From: Yogita Urade A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.[EOL][EOL]By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9900 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2025-9900.patch | 57 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch new file mode 100644 index 0000000000..9199cc6090 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch @@ -0,0 +1,57 @@ +From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 11 Jun 2025 19:45:19 +0000 +Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster + rows at TIFFReadRGBAImageOriented() + +CVE: CVE-2025-9900 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99] + +Changes- +- Use old API TIFFWarningExt instead of TIFFWarningExtR. + +Signed-off-by: Yogita Urade +--- + libtiff/tif_getimage.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a9cd48f..4c807ad 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h) + "No \"put\" routine setupl; probably can not handle image format"); + return (0); + } ++ /* Verify raster width and height against image width and height. */ ++ if (h > img->height) ++ { ++ /* Adapt parameters to read only available lines and put image at ++ * the bottom of the raster. */ ++ raster += (size_t)(h - img->height) * w; ++ h = img->height; ++ } ++ if (w > img->width) ++ { ++ TIFFWarningExt(img->tif, TIFFFileName(img->tif), ++ "Raster width of %d shall not be larger than image " ++ "width of %d -> raster width adapted for reading", ++ w, img->width); ++ w = img->width; ++ } + return (*img->get)(img, raster, w, h); + } + +@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { + img.req_orientation = (uint16_t)orientation; +- /* XXX verify rwidth and rheight against width and height */ +- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, +- rwidth, img.height); ++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); + TIFFRGBAImageEnd(&img); + } else { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); +-- +2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6db4d80cdf..0b4bef4c41 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2024-13978.patch \ file://CVE-2025-8534.patch \ file://CVE-2025-8851.patch \ + file://CVE-2025-9900.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Tue Sep 30 19:50:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71325 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67ADCCCA476 for ; Tue, 30 Sep 2025 19:50:31 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web11.231.1759261824644393224 for ; Tue, 30 Sep 2025 12:50:24 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=q+MRTCGM; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-782a77b5ec7so2790249b3a.1 for ; Tue, 30 Sep 2025 12:50:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261824; x=1759866624; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6F038zZhDvxl7CKkidWtUnU+G74vVsYh8wvKquPZgBw=; b=q+MRTCGM7Kq13sbLnp2kcjAFeEu7U9+3nCY2rKQBCaNzUlHtASPVm0LMLD5Cgsxo6n ZSEvLt68SHjZ2NA2CGPaPY4IaSCSlDqY3MDNkW3y2zIF/K/Ohm1KpqaJq2NVQLT1tZSf 3zvqzw94lv5UU7Ck4Q042LknT0u1byOovONfAn8uIlnorxEylxhcqeynQ828Ng/ZSCr8 HYLN6jagAiMRoYfuVeq9vKwM97I7uoUgKQHcj0ctJh5RD7UgGRrMSmXSPHXCfJZHVCly tpX3rTn+LsI70eV33kN+iF22DaYsI30qXegYCsFn7noVXEJDroNYvB2AoTNTlAWqBbov kG6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261824; x=1759866624; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6F038zZhDvxl7CKkidWtUnU+G74vVsYh8wvKquPZgBw=; b=CO6aJR+M6BylOtZ857YzQYZbv4VObclHC58ob77hYLTt3rknP7Y7zZc90P2NOXup6n ydAgyrbxt2mGjNWiN43L4Vbbk9kqRONAaW2h78WeYvfcv+wGn8RekyvSc3UG81ajNNuI 379cn622oMiWUnERG+c7kKL1HVaxxJqQnlxA95q7zXgzOOUT4+KGrZRY8/tOMZ+wva5x Lx+DTs9S1DpxdLItnCL3s1uJZlS2+sHzhj92YSYIu8ROYfssl3jy/kqEnSat7LcO5DNf TIly9ySyHJRQByqfePkSrEf9NShxTB9zLgYF0n9W78mVtInshriAagqKrPJZZb7WI3pl Epzg== X-Gm-Message-State: AOJu0YwCrXCjJG+7nhC4lFiTclz2ArrFcFAvVQEPKMVEpLGf/KNhVokz JC7QVonrf6g1TrnEOIUSUDuGSAKe3pe4kKaXo7rw4qmgbhKPBHlVMnVnoPdupdjE+HlbZD2ikKa cQFlI X-Gm-Gg: ASbGnctBpVWNnu3eM67wriETaJQh0PCYCzGSiGEWvvPacxmrDuxDPm7SbN4laWv47pT okhHPtmFmjG8kMqnwcw9tSBfNldD8FLWCKgAKkYFGO9eA+alWJzsPl7TU7Mogb+MDVl9Pf7ROBj kyRhg5qOKwmUNnXcBMNSO7l1u+ulzRWtjYKpKpJ6V+SsC0Uj4/lHlJDNBWwqBp08UZkK1OsUBOo k9LsdLg4CxHZ6D7cEhi5V3GEeSWW1RBrJ6jfgMGBwmJ6ev4Fvhqlyqd+q4+EGd0aAGvkHsPKulB likyUOau5RG+xUGbFdyQXxQIdcwYvXhqcCMRWRks+xHxMYd3JtZ8tOJtzOuW4QsOx0+R60GCTXf UyuU5QRsF8OGf1T7RkK3SSAduVo1YnXU2k+jFRg== X-Google-Smtp-Source: AGHT+IGnL1VlFmy9CNCbNlkCRUY7Ix8FQTvXugrMrNbeqnb8/PDz7bZKzylNx6pdICSyrzDr6kfHeQ== X-Received: by 2002:a05:6a00:1146:b0:783:c33f:fe7f with SMTP id d2e1a72fcca58-78af3ec2a39mr775693b3a.0.1759261823821; Tue, 30 Sep 2025 12:50:23 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:23 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/7] vim: upgrade 9.1.1652 -> 9.1.1683 Date: Tue, 30 Sep 2025 12:50:07 -0700 Message-ID: <24b7e7f719ca600a88aa893b87f6ea821caeadce.1759260542.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224198 From: Divya Chellam Handles CVE-2025-9389 Changes between 9.1.1652 -> 9.1.1683 ==================================== https://github.com/vim/vim/compare/v9.1.1652...v9.1.1683 Signed-off-by: Divya Chellam Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 2a9fda5376..289f31be70 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".1652" -SRCREV = "3e152c76adb9542af86760786d42a0beffe5354b" +PV .= ".1683" +SRCREV = "b922b30cfe4c044c83bac3cc908084ed20a83598" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" From patchwork Tue Sep 30 19:50:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71324 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74468CCD182 for ; Tue, 30 Sep 2025 19:50:31 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web11.232.1759261826161621060 for ; Tue, 30 Sep 2025 12:50:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Oj75s7L5; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-7810289cd4bso6044968b3a.2 for ; Tue, 30 Sep 2025 12:50:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261825; x=1759866625; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Re5M6v/AZnhdSj6vXKqCYigh2hO93pIgboE7v5sVUVs=; b=Oj75s7L5M9pfgqzDj8QkkwJKWtTIDJmMw2SPpolQ3ynfMWO+iCBQvsXh9gobPGaXQ/ dZK4Stkz3CeMVvQq4M98+SWbKZgyg+bbbNFn7ibiUhIntcpWNucwc1cr0yswRsieqCPF eLLi+JzXuuxbvkWBMjn51bOnWjeH+j6jUcjTLAMSaQl8lou5+Zv1sf/041qgK9gzd0XC y9pcfNN2qHW6VXZRt/vTfokLo6nPuPoKXviLaioeE1ikmiCdRbtCNX7F4DxiGvf6StzT gLiv5Htk5w2QDox+RXRxQovjWmPSaXleShtUvTB8NfcJe6EsnpzSEI2ZqWVz8SqZTdze TTWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261825; x=1759866625; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Re5M6v/AZnhdSj6vXKqCYigh2hO93pIgboE7v5sVUVs=; b=IPRnRHKZ+w9/QW/csCT9HQTWF0e0wiUkCzCEKMASp+E3EUTvaVap70sI0EspbzHTSB s0Ly4T7XcBuw53aD4ZsrpQtPNcvGwv2jDw79EjsV2MKCal0M0YxZOl8OFfEkgAR9koTA KlsWUmHhninLd1lqO1Un6L/ESAtmnSSKESK7/0jXuHc/RDj2XVXSn3l/oPar4auppf/X 3Ch6EnwiinSCm8zxAqLZ6LJsMcsT9ACVwE7wFf8gKCfOMTApHglTx0r8SL0sViWYwy6h axii3hmuzx04X+NHcijgLZp27FDUjLD/G9vHJwprbfPYDiyxqT2PtCUFNWInyfMsEOS7 gk9g== X-Gm-Message-State: AOJu0YwbdR+hhVH5Z0Fswo42MQ7JjqNe2N1Bkk2DCgdX5844NvgdDa4L bPLofij7sUq1ZC9f8fjfC8SdcBT4KQ4ZosEtWFKk7TRql3UqUz2bIc2OH+M2u7hZHkQT4uTN07K JCXBj X-Gm-Gg: ASbGnct2MfL/mMfHkwEh93hfu04MACnX2//VnOVX+ZcMwJt4V7x/oRmdf1nbco3IKbo JdLEAt+2JXyujYUThSTuhyOrlVK7Rpmkz/MVAB0OG/3xwFtRVFfYl5LSJKu+3tg5W2rExQ7TZns uVO+2NfiizJJVQGzio9awuFUhwxCYwL7z74mrgyieNB2P6gI8cg1DxOh9/XIb2M1NCYWAnItcZ3 cI/D88GY0AuY6odboF2kRY5X9RqIHBZ+VcteJKsTU0Yc7fM0B9/bx+F0MOkq4uwwpUQxBGQ12xH Gn89rZz1vOBKAhstrXcQdpD3caKlxzwG3FDjPA1fSPPS4Ugv9Q46gwo/LOogLIegvklFMJhQ93/ MycAidXSEPo0T4EnnWKA7DKrR2fHNV8qkC8D0jwKTWgQyzz/4 X-Google-Smtp-Source: AGHT+IH1cSHx8vDKKkeZ9XcXFKKTMqS4XeeUzbTR62NGsaOzpZuCFW3E9A0ggFkZ68b56ieNnP/7jw== X-Received: by 2002:a05:6a00:190c:b0:78a:eff2:6c0 with SMTP id d2e1a72fcca58-78af425d764mr629528b3a.25.1759261825297; Tue, 30 Sep 2025 12:50:25 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:24 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/7] python3-jinja2: upgrade 3.1.4 -> 3.1.6 Date: Tue, 30 Sep 2025 12:50:08 -0700 Message-ID: <7108dccff524888d77f0e5e02d9cc4523a700a91.1759260542.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224199 From: Soumya Sambu Includes fix for - CVE-2024-56326, CVE-2025-27516, CVE-2024-56201 Changelog: https://github.com/pallets/jinja/blob/3.1.6/CHANGES.rst https://github.com/pallets/jinja/blob/3.1.5/CHANGES.rst (From OE-Core rev: a935ef8f205c9510ebc5539c133960bc72504902) Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../{python3-jinja2_3.1.4.bb => python3-jinja2_3.1.6.bb} | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-jinja2_3.1.4.bb => python3-jinja2_3.1.6.bb} (82%) diff --git a/meta/recipes-devtools/python/python3-jinja2_3.1.4.bb b/meta/recipes-devtools/python/python3-jinja2_3.1.6.bb similarity index 82% rename from meta/recipes-devtools/python/python3-jinja2_3.1.4.bb rename to meta/recipes-devtools/python/python3-jinja2_3.1.6.bb index 3fe82d5e4e..d4f61cad26 100644 --- a/meta/recipes-devtools/python/python3-jinja2_3.1.4.bb +++ b/meta/recipes-devtools/python/python3-jinja2_3.1.6.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://pypi.org/project/Jinja2/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369" +SRC_URI[sha256sum] = "0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d" PYPI_PACKAGE = "jinja2" @@ -22,6 +22,9 @@ SRC_URI += " \ do_install_ptest() { install -d ${D}${PTEST_PATH}/tests cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ + + # test_async items require trio module + rm -f ${D}${PTEST_PATH}/tests/test_async.py ${D}${PTEST_PATH}/tests/test_async_filters.py } RDEPENDS:${PN}-ptest += " \ From patchwork Tue Sep 30 19:50:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 71323 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 744A8CCD180 for ; Tue, 30 Sep 2025 19:50:31 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.234.1759261827650212731 for ; Tue, 30 Sep 2025 12:50:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=rc1QUgzu; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-781206cce18so268585b3a.0 for ; Tue, 30 Sep 2025 12:50:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1759261827; x=1759866627; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=I87mr/YDl2XAOqWI0t/m7yn8InbCZN262f14wEQOD3Y=; b=rc1QUgzuXJ6yEu2W7EZC9qxEmnMmA2WdK88xEcUg27OJrhRDKiRCwWgHf+1kFbTr3p XItKRrzzHUcn3nOn1RZK+xvID1MYcbNGRdA7ixy5B9QPCLTnsPAF9kBLRuBYYYXBCmiO UXPAeKrSx0QzBzgC9gCaWKxZnNkDYRT4s95az09+8We2tYkl8jY8Ek3Jhpmvq6tJk36w vrnU391wkY9POz036wZu1hDLzX2MVLtTnfDqLqTkIjkXG0SgWIv8LPO5uUOSutC8j2q6 kA0qHNIDZuu6D5NmVwW2CeamSA9sIQo0eB3FH5ULz8yBUCnsvJ6RANpb1EuNdNmrvfQS nCSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759261827; x=1759866627; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=I87mr/YDl2XAOqWI0t/m7yn8InbCZN262f14wEQOD3Y=; b=qgdnqln6RdFMYWdOpzXSG3kCov81DSZgoytzz1MqP0s7zeKJoPdIytymnrQtYuPMzw o1I8nFLrPf138V4ywBxHFy+mslmMXxPOELi2XUT3KrUKi3SO9R8mIOJJUBq8KuVsA6Vm WjR75w/inXDxxMc6/NfVbGAIt4noA9GIRVz93Hduhdrwc7b+TQIaT+kQasTY8LuhnSFY U89VvcMinZvCtx0R1DFv27kaBVgxH1h1JOSEVyA1LF2DK9LO83Dh0ZibWa09wYIJmZri ffgDXAQQAwKSl7MG6iE9tmwFCTYIhX3sZy3YqOT9UcMAZnCnDRYxqhFOfq/E3muQyXYl RZDA== X-Gm-Message-State: AOJu0Yy6/EQI3hagk9GITMCndKB7lOwKmqCm8ldQcWz78/Vqild8rseT bpoFwoQZTKCK80vnWx+YOMCKLAUrYQWVuoNTq+553FCRGlWwt+KzhfhhekCdYTd+2coXMvJn1bc zWazH X-Gm-Gg: ASbGncsB7/gjEhfXbbfgd/4OrxRDHDXdLStZ9IQrKBTyObE6Ywt1OXCnPHEdbiLc506 yiSzMnr/KI/IuUpZxFAPvUcZ8a7Fqg6UuVztzw8YrAw+aywdx7ev3mTBwkfDSI7I4OoPh3ariY8 pbZjQvQ7QiinfHYq5vAi4GIFO39JapgT66V1Y5PaK0/nOlqFc+roT96C2dW15m52wLiRyJoUk8g dL+NfqmULR1TApIFE9wfxgKS7mEal3Va5zONV1ZSEbyF21XRTxnYyvZjigteOiKvkYfm3kDz9Fi +0GeZ17TSWW9fTd0wtxn301kGm7byifARIzw+GBdaFkrdCs5DLP+uZ5/gPJY/sDcbT4FH7Z0kbe V6XzqQ1lBsCF0v8NVGoseBlO0AwLQdZOHR2Hs7Kw//zv1rjYu X-Google-Smtp-Source: AGHT+IELxq0D8gzXWiPoE6KlHbWGKlJu3YIV3cf7s7Z3T057xhDOeCUrVuTwIuKHyud5kHX1YeDrxA== X-Received: by 2002:a05:6300:8804:b0:245:ffe1:5619 with SMTP id adf61e73a8af0-32199e80039mr1260049637.23.1759261826911; Tue, 30 Sep 2025 12:50:26 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:5e34:462b:e2f0:5898]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7810238ca6dsm14411202b3a.8.2025.09.30.12.50.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Sep 2025 12:50:26 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/7] libhandy: update git branch name Date: Tue, 30 Sep 2025 12:50:09 -0700 Message-ID: <2285f30e643f52511c328e4f6e1f0c042bea4110.1759260542.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Sep 2025 19:50:31 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224200 From: Gyorgy Sarvari Master branch was renamed to main. Signed-off-by: Gyorgy Sarvari Signed-off-by: Steve Sakoman --- meta/recipes-gnome/libhandy/libhandy_1.5.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-gnome/libhandy/libhandy_1.5.0.bb b/meta/recipes-gnome/libhandy/libhandy_1.5.0.bb index 722593dfb1..4b3f43df1c 100644 --- a/meta/recipes-gnome/libhandy/libhandy_1.5.0.bb +++ b/meta/recipes-gnome/libhandy/libhandy_1.5.0.bb @@ -9,7 +9,7 @@ BUGTRACKER = "https://gitlab.gnome.org/GNOME/libhandy/-/issues" LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://gitlab.gnome.org/GNOME/libhandy.git;protocol=https;branch=master \ +SRC_URI = "git://gitlab.gnome.org/GNOME/libhandy.git;protocol=https;branch=main \ file://0001-Add-private-headers.patch \ " SRCREV = "8fa8306a79215fc6ebf2483145da98bf9b2495ab"