From patchwork Tue Oct 14 20:53:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72300 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A651ECCD184 for ; Tue, 14 Oct 2025 20:54:16 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web11.348.1760475250637625464 for ; Tue, 14 Oct 2025 13:54:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=bcxrX/px; spf=pass (domain: gmail.com, ip: 209.85.214.173, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-27eceb38eb1so67356995ad.3 for ; Tue, 14 Oct 2025 13:54:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475250; x=1761080050; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=dfSba3QntZwva3rBV3aLv7uR32+1ejhntNnWxQzS4rk=; b=bcxrX/pxRdUmancg+MwQb3u3ql6bBaGmMgUYu/bZR0SrqndLmBAAkFPpSzfHji8svw UoHqWP96fm6kLkRAOV4klUEN1AdrMysTQKHF59rrq8+4bseH7Frpzl1kHI7bKXOev1zC qXPbV5HWUXTmmE5G+hFpFFoV3M7uAptp4A7hcozNzi07mso1bbJ/DuSX1RA/SCkGTlzh lZgokzZYyOfkgMTeTRIfYq91kFuMuENTM9o67E2cNVH/kDc5lujKJWQQFM9iTE/TnM6n vryqo1aEoFTDBgdOkWK1/V/7opIO1pnAvjsJfeQIcvLzz5d7aKH3W96NpGHJ72LPxZGG U7bQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475250; x=1761080050; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dfSba3QntZwva3rBV3aLv7uR32+1ejhntNnWxQzS4rk=; b=PTcGIqNwTQI9tt+ByByBFCOcvwf+dUrkyMjIABPKwmHCwMMsfoJq4J5prl1cAvZh3F HzVtshFHlDhnk9lkBNiDYCeYwxjYtsWCQasZDsQrobbu1zERbPh6MLLEh7VO5dOZlI2/ BiFYHPecJNflb0pC1eqAKkCVp0pIPOW9cxu2OYwobWoo+D6NlBJalg4zsYFysG/kgNFh r3ZBF8Hw1cTytMpui1NfmiSsq1iLf6oI1RMGQeTvgt4mXwvmXcra5RZEiXZGHia3fVNa EkOAbn6nEcMT3Vmu8ztP2fPoPKaGc/b3I+otgUxF+ia1Xl2uxoX26WcnfaFdkiBzeRW1 r3UA== X-Gm-Message-State: AOJu0Yw20i4iCJvZpSsXSZGKyMSJYWPV1sSQQgHItBSSFYytWRDA5XCz azCSeBfOw8Jgj0GPj5oNbEqjsmlQYWFSE4GxTM5tGH+n3HxNw4D3lacGhLyjeA== X-Gm-Gg: ASbGnctoKjDVrPr3ljc84BDE849A3ci5UczTODAxK1jjwDIsLh/i4VC3gI9lVaeHJXV Sg+PT1cYb4MV0t7/zRi1VSfwNLBVFZrHp5ZACxw8XmwNr/hrDno6OjCWB3WeyscyRPuqgNj9q5B u6WFKtXzvup9XMygCig7oi1XrQLh/PsYg+nWzJR6kSw9/PQpD6+ZZeLutey4HkuecHzazwHSuPd lOnw4uG/RKe8tKQZcVOELewasud4+CmKGrB/fph2IsaCC+zH2ahU3bm86+HRQl/BFG4LZR1mELM PrLOPqWzzU5g22eqc692iag0PLBcTkMk5xqhIlEPyV328eXw+nvyCelrfGmsy+aSQSZpLG2AU83 El7xcG+VNJcKfjKPT9fhCtUTh9id+bCFcjI8YNwyj/nELGgX6AywQf7PR6Bm6btUl8Q== X-Google-Smtp-Source: AGHT+IH3cog992Sjw/LhUFe1UYR82a062KVKIOfzNuLCCwZnWfxZp4pq/x4egXyB1+4Y+AeqJMpQVg== X-Received: by 2002:a17:903:2f4c:b0:27d:339c:4b0 with SMTP id d9443c01a7336-290273edeb5mr331503585ad.35.1760475249861; Tue, 14 Oct 2025 13:54:09 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:09 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Peter Marko , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 01/18] dash: set CVE_PRODUCT Date: Wed, 15 Oct 2025 09:53:44 +1300 Message-ID: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120634 From: Peter Marko This removes false positive CVE-2024-21485 from cve reports. $ sqlite3 nvdcve_2-2.db sqlite> select * from products where product = 'dash'; CVE-2009-0854|dash|dash|0.5.4|=|| CVE-2024-21485|plotly|dash|||2.13.0|< CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|< Our dash:dash did not reach major version 1 yet. Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit e1427013e01df44b9275908f7605e8e25fc3fd83) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-shells/dash/dash_0.5.12.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-shells/dash/dash_0.5.12.bb b/meta-oe/recipes-shells/dash/dash_0.5.12.bb index 947ef702d7..1bf3625760 100644 --- a/meta-oe/recipes-shells/dash/dash_0.5.12.bb +++ b/meta-oe/recipes-shells/dash/dash_0.5.12.bb @@ -10,6 +10,8 @@ inherit autotools update-alternatives SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz" SRC_URI[sha256sum] = "6a474ac46e8b0b32916c4c60df694c82058d3297d8b385b74508030ca4a8f28a" +CVE_PRODUCT = "dash:dash" + EXTRA_OECONF += "--bindir=${base_bindir}" ALTERNATIVE:${PN} = "sh" From patchwork Tue Oct 14 20:53:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72302 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACFB7CCD195 for ; Tue, 14 Oct 2025 20:54:16 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web11.350.1760475253826696983 for ; Tue, 14 Oct 2025 13:54:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ndK1yy5S; spf=pass (domain: gmail.com, ip: 209.85.214.173, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-26c209802c0so57417585ad.0 for ; Tue, 14 Oct 2025 13:54:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475253; x=1761080053; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6rx7t4NzcdExBiTrvoiUq7jOVrojlWBkoXsAZ5mPTlg=; b=ndK1yy5SQt7bVcx6LDbRFEPEkIrogaceskq1rAcKhY5j4LIWV0LDPEoz0CisbQBkT1 zDkYJspaPwcMNnb+rX1W1FhgiJfnXOVwXHKuJZLD0cQTkcB7ZVd0ZtdQ8b2OrUX9n3L5 pqA2/cLmTsCJDEcgeVolgWwpSZT6l969qBi/YhZIq5PsD3MXLBKDPcUf1YF0MH9nnmrL qj/Nq2AA0FHAo0yLuuZ8WgqEgJivQue72VhwAzlY8wsorDifqycX2J6lpH9xInQhadlT z/xs2Mh9DNESqrDELAIculL+jd/Ef1u9kjZeR+JommtEEZY2w4x4a+73Hd3IGF/MFNxl gtKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475253; x=1761080053; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6rx7t4NzcdExBiTrvoiUq7jOVrojlWBkoXsAZ5mPTlg=; b=GHbEnCfsox22qdwKnpCPKdkn7loXTXgG2CSnQ7IibtfcdLsP4J4JMxxYeZuAnsr9gG EgfM8zPr9dxtKJtQ8qk8n31dEfDoCFShhGfOGeec7/7Td94gJcmAmF9w9xZhoHr/bE1o 2VTNinFdnuZ6Z3/Cs3Wk4XCsQf0DiaNYRIdc/SZCYNAIkk80B+2TtIwnakBeiseZeDY5 9qJaFqzZuML+JnJo0TM3KnI2Vc0PbpPi7NxL0ltDPDuqEShihHTda2WLzoFbFTw6mOCx BhOgosCf5P7B3zNT1MaNxVBk6deZZz2Xqp0tqucO7YbtCtLrAxKwFfAmIDTbJt6Iufe7 LK9g== X-Gm-Message-State: AOJu0Yy9LGGrse87VHqPeBeY7xN0ahVgoSHMquvQ5Xi3A8Eoa1+aq72B 7GLmorPqxwOKPkdrJThCnLTuuhI0Y7ABiwVSTTasddCFyMifPnWB2Xlg/mj8Qg== X-Gm-Gg: ASbGncsrmKR6Ak1R+QHVwkgGTtYIe41SSk5c7RN5dRzKNkNsqNaDq9sR6uYIZYcjg6b p6sI3/3rFW9pDRSdnYFZF5Pvy1WhOoIjxd9KG1WIIPscPpVC79ULPp+Q579+ZwwFkqSYn+fCl6t jj6P9o+LGlWEpVGbio2VnV7/S01opPzxOqdO4khSKlK71g3LNXLfbcalpCvhaIpide793+mZzrq 9ykMfPivak+RjZ+a63Ex7xRNdaAOAsaaQeYuWBRDkpD/5ihjdoaZ4Zt1eMemYdPhvS275HrKD14 6+TIlAFJpCSpX9ZctTYgqP62qOyKyK3L82odE4oQufEEdNakiDXSc+3SU2vudAEFBJot5DZBdI3 uaN0Rag6tiynckMpUCVSlGpj2iZ9sR18vYQQHGyZi1OQbx/PMp6V9IslrKev/E0ZRyA== X-Google-Smtp-Source: AGHT+IH7snUtMCGQmNoTH0PY2BQRe3gVUzim5hzpXG3Xi+Ett5nK6s4JFhk2PPxsiqAvW0+6DFa2xQ== X-Received: by 2002:a17:903:4b04:b0:267:f7bc:673c with SMTP id d9443c01a7336-29027402c47mr304503365ad.44.1760475252623; Tue, 14 Oct 2025 13:54:12 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:12 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 02/18] libppd: patch CVE-2024-47175 Date: Wed, 15 Oct 2025 09:53:45 +1300 Message-ID: <20251014205402.1487867-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120635 Details https://nvd.nist.gov/vuln/detail/CVE-2024-47175 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 07330a98cf93806b7a4e0170a541b94962ff3960) Signed-off-by: Ankur Tyagi --- .../cups/libppd/0001-CVE-2024-47175.patch | 600 ++++++++++++++++++ meta-oe/recipes-printing/cups/libppd_2.0.0.bb | 5 +- 2 files changed, 604 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-printing/cups/libppd/0001-CVE-2024-47175.patch diff --git a/meta-oe/recipes-printing/cups/libppd/0001-CVE-2024-47175.patch b/meta-oe/recipes-printing/cups/libppd/0001-CVE-2024-47175.patch new file mode 100644 index 0000000000..ba9cc683af --- /dev/null +++ b/meta-oe/recipes-printing/cups/libppd/0001-CVE-2024-47175.patch @@ -0,0 +1,600 @@ +From 67a96c1e81bf219a5eefb81b513cf1f44d1a3700 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 26 Sep 2024 23:12:14 +0200 +Subject: [PATCH] CVE-2024-47175 + +Prevent PPD generation based on invalid IPP response + +Author: Mike Sweet +Minor fixes: Zdenek Dohnal + +CVE: CVE-2024-47175 +Upstream-Status: Backport [https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477] + +(cherry picked from commit d681747ebf12602cb426725eb8ce2753211e2477) +Signed-off-by: Ankur Tyagi +--- + ppd/ppd-cache.c | 17 ++- + ppd/ppd-generator.c | 257 ++++++++++++++++++++++++++++---------------- + 2 files changed, 176 insertions(+), 98 deletions(-) + +diff --git a/ppd/ppd-cache.c b/ppd/ppd-cache.c +index 5aa617c1..747c9ad5 100644 +--- a/ppd/ppd-cache.c ++++ b/ppd/ppd-cache.c +@@ -1,6 +1,7 @@ + // + // PPD cache implementation for libppd. + // ++// Copyright © 2024 by OpenPrinting + // Copyright © 2010-2019 by Apple Inc. + // + // Licensed under Apache License v2.0. See the file "LICENSE" for more +@@ -3413,7 +3414,7 @@ ppdCacheGetBin( + + // + // Range check input... +- ++ + + if (!pc || !output_bin) + return (NULL); +@@ -3914,7 +3915,7 @@ ppdCacheGetPageSize( + { + // + // Check not only the base size (like "A4") but also variants (like +- // "A4.Borderless"). We check only the margins and orientation but do ++ // "A4.Borderless"). We check only the margins and orientation but do + // not re-check the size. + // + +@@ -4711,7 +4712,7 @@ ppdPwgPpdizeName(const char *ipp, // I - IPP keyword + *end; // End of name buffer + + +- if (!ipp) ++ if (!ipp || !_ppd_isalnum(*ipp)) + { + *name = '\0'; + return; +@@ -4721,13 +4722,19 @@ ppdPwgPpdizeName(const char *ipp, // I - IPP keyword + + for (ptr = name + 1, end = name + namesize - 1; *ipp && ptr < end;) + { +- if (*ipp == '-' && _ppd_isalnum(ipp[1])) ++ if (*ipp == '-' && isalnum(ipp[1])) + { + ipp ++; + *ptr++ = (char)toupper(*ipp++ & 255); + } +- else ++ else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || isalnum(*ipp)) ++ { + *ptr++ = *ipp++; ++ } ++ else ++ { ++ ipp ++; ++ } + } + + *ptr = '\0'; +diff --git a/ppd/ppd-generator.c b/ppd/ppd-generator.c +index a815030b..011e086e 100644 +--- a/ppd/ppd-generator.c ++++ b/ppd/ppd-generator.c +@@ -1,15 +1,16 @@ + // + // PWG Raster/Apple Raster/PCLm/PDF/IPP legacy PPD generator for libppd. + // +-// Copyright 2016-2019 by Till Kamppeter. +-// Copyright 2017-2019 by Sahil Arora. +-// Copyright 2018-2019 by Deepak Patankar. ++// Copyright © 2024 by OpenPrinting ++// Copyright © 2016-2019 by Till Kamppeter. ++// Copyright © 2017-2019 by Sahil Arora. ++// Copyright © 2018-2019 by Deepak Patankar. + // + // The PPD generator is based on the PPD generator for the CUPS + // "lpadmin -m everywhere" functionality in the cups/ppd-cache.c + // file. The copyright of this file is: + // +-// Copyright 2010-2016 by Apple Inc. ++// Copyright © 2010-2016 by Apple Inc. + // + // Licensed under Apache License v2.0. See the file "LICENSE" for more + // information. +@@ -51,6 +52,7 @@ + + static int http_connect(http_t **http, const char *url, char *resource, + size_t ressize); ++static void ppd_put_string(cups_file_t *fp, cups_lang_t *lang, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid); + + + // +@@ -60,7 +62,7 @@ static int http_connect(http_t **http, const char *url, char *resource, + // than CUPS 2.2.x. We have also an additional test and development + // platform for this code. Taken from cups/ppd-cache.c, + // cups/string-private.h, cups/string.c. +-// ++// + // The advantage of PPD generation instead of working with System V + // interface scripts is that the print dialogs of the clients do not + // need to ask the printer for its options via IPP. So we have access +@@ -124,7 +126,7 @@ char ppdgenerator_msg[1024]; + // IPP 1.x legacy) + // + +-char * // O - PPD filename or NULL ++char * // O - PPD filename or NULL + // on error + ppdCreatePPDFromIPP(char *buffer, // I - Filename buffer + size_t bufsize, // I - Size of filename +@@ -175,7 +177,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + cups_array_t *conflicts, // I - Array of + // constraints + cups_array_t *sizes, // I - Media sizes we've +- // added ++ // added + char* default_pagesize, // I - Default page size + const char *default_cluster_color, // I - cluster def + // color (if cluster's +@@ -187,6 +189,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + size_t status_msg_size) // I - Size of status + // message buffer + { ++ cups_lang_t *lang; // Localization language + cups_file_t *fp; // PPD file + cups_array_t *printer_sizes; // Media sizes we've added + cups_size_t *size; // Current media size +@@ -199,9 +202,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + ipp_t *media_col, // Media collection + *media_size; // Media size collection + char make[256], // Make and model +- *model, // Model name ++ *mptr, // Pointer into make and model + ppdname[PPD_MAX_NAME]; + // PPD keyword ++ const char *model; // Model name + int i, j, // Looping vars + count = 0, // Number of values + bottom, // Largest bottom margin +@@ -283,6 +287,68 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + return (NULL); + } + ++ // ++ // Get a sanitized make and model... ++ // ++ ++ if ((attr = ippFindAttribute(supported, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr)) ++ { ++ // Sanitize the model name to only contain PPD-safe characters. ++ strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); ++ ++ for (mptr = make; *mptr; mptr ++) ++ { ++ if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"') ++ { ++ // Truncate the make and model on the first bad character... ++ *mptr = '\0'; ++ break; ++ } ++ } ++ ++ while (mptr > make) ++ { ++ // Strip trailing whitespace... ++ mptr --; ++ if (*mptr == ' ') ++ *mptr = '\0'; ++ } ++ ++ if (!make[0]) ++ { ++ // Use a default make and model if nothing remains... ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ } ++ else ++ { ++ // Use a default make and model... ++ strlcpy(make, "Unknown", sizeof(make)); ++ } ++ ++ if (!strncasecmp(make, "Hewlett Packard ", 16) || !strncasecmp(make, "Hewlett-Packard ", 16)) ++ { ++ // Normalize HP printer make and model... ++ model = make + 16; ++ strlcpy(make, "HP", sizeof(make)); ++ ++ if (!strncasecmp(model, "HP ", 3)) ++ model += 3; ++ } ++ else if ((mptr = strchr(make, ' ')) != NULL) ++ { ++ // Separate "MAKE MODEL"... ++ while (*mptr && *mptr == ' ') ++ *mptr++ = '\0'; ++ ++ model = mptr; ++ } ++ else ++ { ++ // No separate model name... ++ model = "Printer"; ++ } ++ + // + // Standard stuff for PPD file... + // +@@ -311,25 +377,6 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + } + } + +- if ((attr = ippFindAttribute(supported, "printer-make-and-model", +- IPP_TAG_TEXT)) != NULL) +- strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make)); +- else if (make_model && make_model[0] != '\0') +- strlcpy(make, make_model, sizeof(make)); +- else +- strlcpy(make, "Unknown Printer", sizeof(make)); +- +- if (!strncasecmp(make, "Hewlett Packard ", 16) || +- !strncasecmp(make, "Hewlett-Packard ", 16)) +- { +- model = make + 16; +- strlcpy(make, "HP", sizeof(make)); +- } +- else if ((model = strchr(make, ' ')) != NULL) +- *model++ = '\0'; +- else +- model = make; +- + cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make); + cupsFilePrintf(fp, "*ModelName: \"%s %s\"\n", make, model); + cupsFilePrintf(fp, "*Product: \"(%s %s)\"\n", make, model); +@@ -425,21 +472,19 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + } + cupsFilePuts(fp, "\"\n"); + +- if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != +- NULL) ++ if ((attr = ippFindAttribute(supported, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", +- IPP_TAG_URI)) != NULL) +- cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, +- NULL)); ++ if ((attr = ippFindAttribute(supported, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) ++ cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + + // Message catalogs for UI strings ++ lang = cupsLangDefault(); + opt_strings_catalog = cfCatalogOptionArrayNew(); + cfCatalogLoad(NULL, NULL, opt_strings_catalog); + + if ((attr = ippFindAttribute(supported, "printer-strings-uri", +- IPP_TAG_URI)) != NULL) ++ IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + { + printer_opt_strings_catalog = cfCatalogOptionArrayNew(); + cfCatalogLoad(ippGetString(attr, 0, NULL), NULL, +@@ -492,7 +537,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + response = cupsDoRequest(http, request, resource); + + if ((attr = ippFindAttribute(response, "printer-strings-uri", +- IPP_TAG_URI)) != NULL) ++ IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) + cupsFilePrintf(fp, "*cupsStringsURI %s: \"%s\"\n", keyword, + ippGetString(attr, 0, NULL)); + +@@ -518,13 +563,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + IPP_TAG_BOOLEAN), 0)) + cupsFilePuts(fp, "*cupsJobAccountingUserId: True\n"); + +- if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", +- IPP_TAG_URI)) != NULL) +- cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", +- ippGetString(attr, 0, NULL)); ++ if ((attr = ippFindAttribute(supported, "printer-privacy-policy-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr)) ++ cupsFilePrintf(fp, "*cupsPrivacyURI: \"%s\"\n", ippGetString(attr, 0, NULL)); + +- if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", +- IPP_TAG_KEYWORD)) != NULL) ++ if ((attr = ippFindAttribute(supported, "printer-mandatory-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr)) + { + char prefix = '\"'; // Prefix for string + +@@ -544,8 +586,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + cupsFilePuts(fp, "\"\n"); + } + +- if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", +- IPP_TAG_KEYWORD)) != NULL) ++ if ((attr = ippFindAttribute(supported, "printer-requested-job-attributes", IPP_TAG_KEYWORD)) != NULL && ippValidateAttribute(attr)) + { + char prefix = '\"'; // Prefix for string + +@@ -664,7 +705,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + } + + // +- // Fax ++ // Fax + // + + if (is_fax) +@@ -705,21 +746,21 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + #ifdef CUPS_RASTER_HAVE_APPLERASTER + else if (cupsArrayFind(pdl_list, "image/urf")) + { +- int resStore = 0; // Variable for storing the no. of resolutions in the resolution array ++ int resStore = 0; // Variable for storing the no. of resolutions in the resolution array + int resArray[__INT16_MAX__]; // Creating a resolution array supporting a maximum of 32767 resolutions. + int lowdpi = 0, middpi = 0, hidpi = 0; // Lower , middle and higher resolution + if ((attr = ippFindAttribute(supported, "urf-supported", + IPP_TAG_KEYWORD)) != NULL) + { + for (int i = 0, count = ippGetCount(attr); i < count; i ++) +- { ++ { + const char *rs = ippGetString(attr, i, NULL); // RS values +- const char *rsCopy = ippGetString(attr, i, NULL); // RS values(copy) ++ const char *rsCopy = ippGetString(attr, i, NULL); // RS values(copy) + if (strncasecmp(rs, "RS", 2)) // Comparing attributes to have RS in + // the beginning to indicate the + // resolution feature + continue; +- int resCount = 0; // Using a count variable which can be reset ++ int resCount = 0; // Using a count variable which can be reset + while (*rsCopy != '\0') // Parsing through the copy pointer to + // determine the no. of resolutions + { +@@ -817,7 +858,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + formatfound = 1; + is_apple = 1; + } +- } ++ } + } + } + } +@@ -909,7 +950,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + if (manual_copies == 1) + cupsFilePuts(fp, "*cupsManualCopies: True\n"); + +- // No resolution requirements by any of the supported PDLs? ++ // No resolution requirements by any of the supported PDLs? + // Use "printer-resolution-supported" attribute + if (common_res == NULL) + { +@@ -1027,7 +1068,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + // + // PageSize/PageRegion/ImageableArea/PaperDimension + // +- ++ + cfGenerateSizes(supported, CF_GEN_SIZES_DEFAULT, &printer_sizes, &defattr, + NULL, NULL, NULL, NULL, NULL, NULL, + &min_width, &min_length, +@@ -1406,15 +1447,15 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + if (!strcmp(sources[j], keyword)) + break; + if (j >= 0) +- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"<>setpagedevice\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : ""), j); ++ { ++ cupsFilePrintf(fp, "*InputSlot %s: \"<>setpagedevice\"\n", ppdname, j); ++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable); ++ } + else +- cupsFilePrintf(fp, "*InputSlot %s%s%s: \"\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ { ++ cupsFilePrintf(fp, "*InputSlot %s%s%s:\"\"\n", ppdname, human_readable ? "/" : "", human_readable ? human_readable : ""); ++ ppd_put_string(fp, lang, "InputSlot", ppdname, human_readable); ++ } + } + cupsFilePuts(fp, "*CloseUI: *InputSlot\n"); + } +@@ -1449,11 +1490,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice((char *)keyword, "media-type", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*MediaType %s%s%s: \"<>setpagedevice\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : ""), +- ppdname); ++ cupsFilePrintf(fp, "*MediaType %s: \"<>setpagedevice\"\n", ppdname, ppdname); ++ ppd_put_string(fp, lang, "MediaType", ppdname, human_readable); + } + cupsFilePuts(fp, "*CloseUI: *MediaType\n"); + } +@@ -1776,10 +1814,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice((char *)keyword, "output-bin", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*OutputBin %s%s%s: \"\"\n", +- ppdname, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname); ++ ppd_put_string(fp, lang, "OutputBin", ppdname, human_readable); + outputorderinfofound = 0; + faceupdown = 1; + firsttolast = 1; +@@ -1833,7 +1869,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + + // + // Finishing options... +- // ++ // + + if ((attr = ippFindAttribute(supported, "finishings-supported", + IPP_TAG_ENUM)) != NULL) +@@ -1958,9 +1994,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*StapleLocation %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "StapleLocation", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2050,9 +2085,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*FoldType %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "FoldType", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2149,9 +2183,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*PunchMedia %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "PunchMedia", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2242,9 +2275,8 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + human_readable = cfCatalogLookUpChoice(buf, "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +- cupsFilePrintf(fp, "*CutMedia %s%s%s: \"\"\n", ppd_keyword, +- (human_readable ? "/" : ""), +- (human_readable ? human_readable : "")); ++ cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword); ++ ppd_put_string(fp, lang, "CutMedia", ppd_keyword, human_readable); + cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", + value, keyword, ppd_keyword); + } +@@ -2268,7 +2300,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + cupsFilePrintf(fp, "*OpenUI *cupsFinishingTemplate/%s: PickOne\n", + (human_readable ? human_readable : "Finishing Template")); + cupsFilePuts(fp, "*OrderDependency: 10 AnySetup *cupsFinishingTemplate\n"); +- cupsFilePuts(fp, "*DefaultcupsFinishingTemplate: none\n"); ++ cupsFilePuts(fp, "*DefaultcupsFinishingTemplate: None\n"); + human_readable = cfCatalogLookUpChoice("3", "finishings", + opt_strings_catalog, + printer_opt_strings_catalog); +@@ -2299,8 +2331,9 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + printer_opt_strings_catalog); + if (human_readable == NULL) + human_readable = (char *)keyword; +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s/%s: \"\n", keyword, +- human_readable); ++ ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname); ++ ppd_put_string(fp, lang, "cupsFinishingTemplate", ppdname, human_readable); + for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; + finishing_attr = ippNextAttribute(finishing_col)) { + if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION) { +@@ -2564,14 +2597,14 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + if (!preset || !preset_name) + continue; + +- if ((localized_name = ++ ppdPwgPpdizeName(preset_name, ppdname, sizeof(ppdname)); ++ ++ localized_name = + cfCatalogLookUpOption((char *)preset_name, + opt_strings_catalog, +- printer_opt_strings_catalog)) == NULL) +- cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name); +- else +- cupsFilePrintf(fp, "*APPrinterPreset %s/%s: \"\n", preset_name, +- localized_name); ++ printer_opt_strings_catalog); ++ cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname); ++ ppd_put_string(fp, lang, "APPrinterPreset", ppdname, localized_name); + + for (member = ippFirstAttribute(preset); member; + member = ippNextAttribute(preset)) +@@ -2620,7 +2653,10 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + ippGetString(ippFindAttribute(fin_col, + "finishing-template", + IPP_TAG_ZERO), 0, NULL)) != NULL) +- cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword); ++ { ++ ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); ++ cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname); ++ } + } + } + else if (!strcmp(member_name, "media")) +@@ -2659,7 +2695,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + NULL)) != NULL) + { + ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*InputSlot %s\n", keyword); ++ cupsFilePrintf(fp, "*InputSlot %s\n", ppdname); + } + + if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", +@@ -2667,7 +2703,7 @@ ppdCreatePPDFromIPP2(char *buffer, // I - Filename buffer + NULL)) != NULL) + { + ppdPwgPpdizeName(keyword, ppdname, sizeof(ppdname)); +- cupsFilePrintf(fp, "*MediaType %s\n", keyword); ++ cupsFilePrintf(fp, "*MediaType %s\n", ppdname); + } + } + else if (!strcmp(member_name, "print-quality")) +@@ -2817,3 +2853,38 @@ http_connect(http_t **http, // IO - Current HTTP connection + + return (*http != NULL); + } ++ ++ ++/* ++ * 'ppd_put_strings()' - Write localization attributes to a PPD file. ++ */ ++ ++static void ++ppd_put_string(cups_file_t *fp, /* I - PPD file */ ++ cups_lang_t *lang, /* I - Language */ ++ const char *ppd_option,/* I - PPD option */ ++ const char *ppd_choice,/* I - PPD choice */ ++ const char *text) /* I - Localized text */ ++{ ++ if (!text) ++ return; ++ ++ // Add the first line of localized text... ++#if CUPS_VERSION_MAJOR > 2 ++ cupsFilePrintf(fp, "*%s.%s %s/", cupsLangGetName(lang), ppd_option, ppd_choice); ++#else ++ cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice); ++#endif // CUPS_VERSION_MAJOR > 2 ++ ++ while (*text && *text != '\n') ++ { ++ // Escape ":" and "<"... ++ if (*text == ':' || *text == '<') ++ cupsFilePrintf(fp, "<%02X>", *text); ++ else ++ cupsFilePutChar(fp, *text); ++ ++ text ++; ++ } ++ cupsFilePuts(fp, ": \"\"\n"); ++} diff --git a/meta-oe/recipes-printing/cups/libppd_2.0.0.bb b/meta-oe/recipes-printing/cups/libppd_2.0.0.bb index 99b1f6e730..f1cf25901e 100644 --- a/meta-oe/recipes-printing/cups/libppd_2.0.0.bb +++ b/meta-oe/recipes-printing/cups/libppd_2.0.0.bb @@ -5,7 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c1fca671047153ce6825c4ab06f2ab49" DEPENDS = "libcupsfilters" -SRC_URI = "https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz" +SRC_URI = " \ + https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ + file://0001-CVE-2024-47175.patch \ +" SRC_URI[sha256sum] = "882d3c659a336e91559de8f3c76fc26197fe6e5539d9b484a596e29a5a4e0bc8" inherit autotools gettext pkgconfig github-releases From patchwork Tue Oct 14 20:53:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72301 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A77B7CCD18E for ; Tue, 14 Oct 2025 20:54:16 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.310.1760475255904882054 for ; Tue, 14 Oct 2025 13:54:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DWL1RUT/; spf=pass (domain: gmail.com, ip: 209.85.210.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-782023ca359so5926112b3a.2 for ; Tue, 14 Oct 2025 13:54:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475255; x=1761080055; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Z49fD9FWj0dDkLy5BiLkXDPG/f0qusOHTxWfpEkr4FY=; b=DWL1RUT/aY3DuTC+urNoQXfL7RJQ/gBIVfrejJQYCp0XYPQQin1YiGN2u/oqmStyg4 PsvbmOjfKbOCdy2eroWxxLbLiAApRosH1UlYWQWYYTecb1B8MingwoYtgp0IBVhNizn7 xgBuJYVrOzf/8hd947lBw/U/czhkXYG1plwsJ7scRc4ajDkSmciCtICSVFqZ3cH+D8F0 ATI63DahHSY5zqHeTaYMnrnob5X6fz91g3CzS9Z/DUCU+TLCP8g3Vz6Bwewpg0IvIdmi LbhjbSUCoVQPs70CPSHojUjKT6chz30l4uabIl0TZmqCFL7sNIzYPgJy9BXqgfyB1voJ Dg8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475255; x=1761080055; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Z49fD9FWj0dDkLy5BiLkXDPG/f0qusOHTxWfpEkr4FY=; b=ComDbjx+8IaQwU1/nRvk+vghCfIBoNOxd7tP1ROOEIkz4shvc+Rvde2UCvjLbO9jIp Z6JUeWQ/DnlH98kfP6T06cqlrrQyUGG33kq4KjtTUARlXsOqpL4UqmFgnle7Y48d7LmO jwUDNBGi+0VmUrEfsyBrJCOcjjHnX4DMvQEgK3j+7mQQ3wR4Ymkfexzrw53EGI+z1JQA GfdA8FusF1b/anuXbqikEEJ93TlGHLineGgDxDS3SPDhzT0tBwI6K6twaBicdYJYRRYP YtMkVaFV6t16Ki3KC3XTDNZfIKFZGg2Kk422VgeG8iQ+rCVAWl0uEyXkOE/QToxa1Mig a8jA== X-Gm-Message-State: AOJu0YylRhzF0RfMDTa7q4HjLDU7azdYcQsKtUMLrzTb3z6rt/PkLgjk Qx/n0QXpvKPzVdg4zfeGyDVWuBVvBdqtn3V+yaMqAbedXhWVAV9vP8TUvNoyQg== X-Gm-Gg: ASbGnctqYmLb6HZGJ4XwJcW4LLMiCTXmUT56xXC69hqGugx9gfMFjcefAtsKO6N2hm3 Bv4EihvImKe15WC52NUYMQEFGtqB2gNzNeiWg7Jm3ndZBIDTHTjFa/W+wjucqZQ3FBV2A5KT3rs Cm5vUkyPJfivnfvKejf3znrQh51T8VLLJqVgcPfwk/m4RxGwPpkG5kLxyICgJKkdMb5P4WAjcHX uEnTeS7j4am1A0QHlxqv4MrSXTPbrbuWhw17OAK7loaBbC6Ix8G9adZIolNSreEHEjRsU/RuUUt iI/aal7BAEODa+AbDNaKq7dLPTxaNfqKzQBGRceC1AlP1ewSi0MHt6jklwoXF8O9xPuxQconB+e LOAAuDhqzTNV1+aRSKrKe9ncdy2m1eP1Md+T6kJPcuEQvsU/QoSnw9RM= X-Google-Smtp-Source: AGHT+IHjzlLsUPM64VUtuHMmJZGV7Osg70uaiOw/FH52l6fxTZYXdYsYDKEzc3fyfdFd9phWyZU02g== X-Received: by 2002:a17:903:9cb:b0:261:1abb:e302 with SMTP id d9443c01a7336-29027373d8bmr306940135ad.14.1760475255114; Tue, 14 Oct 2025 13:54:15 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:14 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 03/18] hdf5: patch CVE-2025-2923 Date: Wed, 15 Oct 2025 09:53:46 +1300 Message-ID: <20251014205402.1487867-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120636 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2923 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 01238545d8f0ac9aabc271538d0ca5ccd9f3d9f4) Signed-off-by: Ankur Tyagi --- .../hdf5/files/0001-CVE-2025-2923.patch | 67 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch diff --git a/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch new file mode 100644 index 0000000000..ffaade2503 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-CVE-2025-2923.patch @@ -0,0 +1,67 @@ +From 951ebdce0098dac1042d5e9650e655c6c1f92904 Mon Sep 17 00:00:00 2001 +From: jhendersonHDF +Date: Fri, 26 Sep 2025 13:13:10 -0500 +Subject: [PATCH] CVE-2025-2923 + +Fix issue with handling of corrupted object header continuation messages (#5829) + +An HDF5 file could be specifically constructed such that an object +header contained a corrupted continuation message which pointed +back to itself. This eventually resulted in an internal buffer being +allocated with too small of a size, leading to a heap buffer overflow +when encoding an object header message into it. This has been fixed +by checking the expected number of deserialized object header chunks +against the actual value as chunks are being deserialized. + +Fixes CVE-2025-6816, CVE-2025-6856, CVE-2025-2923 + +CVE: CVE-2025-2923 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675] + +(cherry picked from commit 29c847a43db0cdc85b01cafa5a7613ea73932675) +Signed-off-by: Ankur Tyagi +--- + src/H5Oint.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/H5Oint.c b/src/H5Oint.c +index 022ee43..a5e0072 100644 +--- a/src/H5Oint.c ++++ b/src/H5Oint.c +@@ -1013,10 +1013,9 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks) + */ + curr_msg = 0; + while (curr_msg < cont_msg_info.nmsgs) { +- H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ +-#ifndef NDEBUG +- size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ +-#endif /* NDEBUG */ ++ H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */ ++ unsigned chunkno; /* Chunk number for chunk proxy */ ++ size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */ + + /* Bring the chunk into the cache */ + /* (which adds to the object header) */ +@@ -1029,14 +1028,20 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks) + + /* Sanity check */ + assert(chk_proxy->oh == oh); +- assert(chk_proxy->chunkno == chkcnt); +- assert(oh->nchunks == (chkcnt + 1)); ++ ++ chunkno = chk_proxy->chunkno; + + /* Release the chunk from the cache */ + if (H5AC_unprotect(loc->file, H5AC_OHDR_CHK, cont_msg_info.msgs[curr_msg].addr, chk_proxy, + H5AC__NO_FLAGS_SET) < 0) + HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk"); + ++ if (chunkno != chkcnt) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk"); ++ if (oh->nchunks != (chkcnt + 1)) ++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, ++ "incorrect number of chunks after deserializing object header chunk"); ++ + /* Advance to next continuation message */ + curr_msg++; + } /* end while */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index f34e5f183d..4305826b22 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -15,6 +15,7 @@ SRC_URI = " \ https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.14/hdf5-1.14.4/src/${BPN}-${PV}.tar.gz \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ + file://0001-CVE-2025-2923.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 14 20:53:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72304 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92B44CCD184 for ; Tue, 14 Oct 2025 20:54:26 +0000 (UTC) Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) by mx.groups.io with SMTP id smtpd.web10.311.1760475258389832533 for ; Tue, 14 Oct 2025 13:54:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SdB39oFu; spf=pass (domain: gmail.com, ip: 209.85.215.179, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-b6329b6e3b0so196212a12.1 for ; Tue, 14 Oct 2025 13:54:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475258; x=1761080058; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=os960+YvAPECZcOnkZ8D8wTgTbF9vHvo7RSwctv9RwQ=; b=SdB39oFurXkx0/7/tkJ4WE+GxL2HCPCO3USlytTUJBoB0EqPzezyUFhQM3wUoFyuYP Nv4JEJMhjYGPyuAP5qLIanZ3ga9fstybHntQtXCoakw1usyQjeJ8uE8j5zYCeAlgkCue VxKvZ7e79v6+Xz5QDfoikuC93pEWDsyHoYOjwnQAvibCfOKbkvfcvH+P4PnTTdE37XGP Dpz3zkwbYD9cnhL0pn8j0UyG6C5nJthzOivmbtk0bkU1bi8+2N9oVyO6OJSBmBephmZQ ripZTfEIoFWTudslmxd+mD2gX0UNVI9QbCMBEsKJIruFdoMN3SBYx2joxN5kHfLdgkae zGTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475258; x=1761080058; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=os960+YvAPECZcOnkZ8D8wTgTbF9vHvo7RSwctv9RwQ=; b=KmPy669WKYi86FDvlgu7aE3JhBRr8SswcrcGfW+GZH04m9uR4EHda+Hfkb2Y7NJLkr tf0Whp9krFYqUopu1Qnj0xoq/6EKR4B4G1F1HEQ2fZ4XR94tt8NSGj1nBqUSK0+BCL+F I/KYUBS+CXOSWHpR8UZGbpVYOYTj/VqxvPCzKpDEqpUX1q4enrbk2z9K+Ngi0kBhxAFj 7BmJmFhP64erJeiV+mQjBHN5yI1wBK58rYe0aqYi6lHgEc0MC0VtZ89KTIaYJPkAqgP9 1+yCA5/LSERmVCmHEn6peDt74JVEYaBdEol/TjNWdg6Qf8W+6IWBtVoZQvI2ea2AWgtj rAdQ== X-Gm-Message-State: AOJu0YzBO0tzelmSYlwqZGN8aNJXwLVvFxmtYCTrjxpqQkqS1+cfY/Jr P5dTEeFeFaIe9FWTD0/uH8nU2lksjlD4g9MDeRvbaEoNnCtgOeOVzgmQ9vVdDA== X-Gm-Gg: ASbGncuACTfFYeJjv771aFemy/snNj3DEXYYP5X7jb696IxzJrZD9TxqNBZEMdLaahD WTHCTRZVISpp0UeFyUyq7fX3wK8XQSSwO5hguZyHsGfF6KznhJ4ASapALD/UqwudDl4PhFMzPGQ uvxV1uVcf1N1dxqk2olXzkaJVH+bCg2wczv9ZO3xoyZfK3D+8zl5Y5Dvdj6B3keHA8MtcFV5Ld+ uRgCQREYKej7/ZMmq1n0g8uhKBLm39GdYmtM+f+VcWK4PErDnfk+C7GyoIri4RtkHzlfjYPUUKE 6dmjVxeEQjwhFtOKg+BHj1A/IwPWtWC3JCxV7eH67J6PhP8auT6Pu0jB/uxp7YQrhpdyQZlXogU UCJoKgduQeaP9BFsNvzKr+C9FgwRf0kDiOlTg9XuLIV/RxhthnlIfXVGbZoBwgZNaaw== X-Google-Smtp-Source: AGHT+IHqyY8be3RPtFfSaB7O8yGO7GgoHzNChCtB1fufO6LXNfEEbHY6Sn5jrQ4Lm3UCSySHfZWfiA== X-Received: by 2002:a17:903:faf:b0:28e:873d:8a with SMTP id d9443c01a7336-29027f0cd0cmr323725165ad.15.1760475257616; Tue, 14 Oct 2025 13:54:17 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:17 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 04/18] hdf5: patch CVE-2025-2924 Date: Wed, 15 Oct 2025 09:53:47 +1300 Message-ID: <20251014205402.1487867-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120637 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2924 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit f0cdeee91832709fe78b1f2af2a0504af80c41d7) Signed-off-by: Ankur Tyagi --- .../hdf5/files/0002-CVE-2025-2924.patch | 39 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0002-CVE-2025-2924.patch diff --git a/meta-oe/recipes-support/hdf5/files/0002-CVE-2025-2924.patch b/meta-oe/recipes-support/hdf5/files/0002-CVE-2025-2924.patch new file mode 100644 index 0000000000..73ee50db1f --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0002-CVE-2025-2924.patch @@ -0,0 +1,39 @@ +From 3a6f6c1f57c09281d4a9d11a1ae809fd21b666dd Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Mon, 15 Sep 2025 07:56:54 -0500 +Subject: [PATCH] CVE-2025-2924 + +Fixes heap-based buffer overflow in H5HL__fl_deserialize by adding an overflow check. + +CVE: CVE-2025-2924 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59] + +(cherry picked from commit 0a57195ca67d278f1cf7d01566c121048e337a59) +Signed-off-by: Ankur Tyagi +--- + src/H5HLcache.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/H5HLcache.c b/src/H5HLcache.c +index d0836fe..7f412d2 100644 +--- a/src/H5HLcache.c ++++ b/src/H5HLcache.c +@@ -225,6 +225,7 @@ H5HL__fl_deserialize(H5HL_t *heap) + /* check arguments */ + assert(heap); + assert(!heap->freelist); ++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t)); + + /* Build free list */ + free_block = heap->free_block; +@@ -232,6 +233,10 @@ H5HL__fl_deserialize(H5HL_t *heap) + const uint8_t *image; /* Pointer into image buffer */ + + /* Sanity check */ ++ ++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size)) ++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow"); ++ + if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size) + HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list"); + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 4305826b22..06a375c673 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ file://0001-CVE-2025-2923.patch \ + file://0002-CVE-2025-2924.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 14 20:53:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72305 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F5CCCCD190 for ; Tue, 14 Oct 2025 20:54:26 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web10.312.1760475260813969715 for ; Tue, 14 Oct 2025 13:54:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=TSgEJBUq; spf=pass (domain: gmail.com, ip: 209.85.215.177, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-b57bffc0248so227528a12.0 for ; Tue, 14 Oct 2025 13:54:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475260; x=1761080060; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iVYTYDiJtg9yXCCu8MvIt5olGPbEAq0roNm56tIgTfk=; b=TSgEJBUqu0DT6gRwLjhJawBw2oY6Ktg4UUt9Cp4LaQTUvdsCwZjTY3Q1X9y8P48AIb VL6Nx5XAR9h3gvOOIUh33Q2kssWpshRKgabE2Xm67aMmVJVLvtACO0MZK1YcNwOKYtZy 4iBkfp1mK32mvIfiiyQsvh51tr6iaT0psSCLi0iFB1kj+xjZYelqeGmCDa+gDeU3hj3G IdDtpLvSmewxQ8IpdnZcI14/7LdcCpJeRyZ3YXRVloN480yJIeshXw1hrubCjSuVAGqL 61Wj4tk3OBN0Jr0FJIjBLSlTmF14yaBdP+c1gKAfucZTmS3rXUUGC3n1OXx5ao1jcZVe Pprw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475260; x=1761080060; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iVYTYDiJtg9yXCCu8MvIt5olGPbEAq0roNm56tIgTfk=; b=vn1PDfcYioRzU+cXRm6nlCQFTy2QLnAU3Ytb+O7XMCQItT2Y/1K1nbUkzR9hc3ZAU9 0fU5Rguao1Tr4jMxur0Zk8Uo2PQmxOraE5HMkgJFmtcMLvn6ou1wgf4ThjYhU9xtjh7Y LfV8uN3dTPhVm52eBFvS5ipaiPBkBvYnTY/P9lIPzAh7FWbkHVhRHvJ8E3fR33bM7c1n +sUw1fXYjq4666Smd8/76M5u/EE5ZiqUkEDhKXF7r5UsgrGd/JL4IK6CThEuk4vtIVCi c6frYSShr+9Iliisc6LOtKpdR8qMnNTl40Dq2uvWMcTjIK6wj8r9xjPccnFTeD+OF2VQ ZdtA== X-Gm-Message-State: AOJu0YxMltyWts2Zw7dUXGoVFLGLaZLF6Cq3ww3bPA8WV3mKbN59dIMq WGdrV+AcHQpbUafokZjfKLKcObVvd8xqHmQJtK750D51Ksr+WJ3GyOP6gDd7Lg== X-Gm-Gg: ASbGncvyxzWZEzXK+hJVYhI6jz2jJM+rhYQp3ELRK73VExQ7WSvpUEeRDs3+1GCwPwT zIDHF25/X88JEMOImA/M1kg+F083YRBbTQklKM7Lg/x3Xd3BEadaV4YWfbsWjAscckHLYhE0QE2 XfElyFxvjnd/ldAiCKneYJh5Ou7R/sb29dfivTd8hue3KRhz2Bg31FkUEYUAe/kRcokA34pb6X7 py2h/0XD15zFzr33k8LsrrcL86Szeekncus31AHJ5PCF7EALISNHlcYUGS5tfmX07sze4SYTgNG X6hMD4XZLWBbUvjQ/hdT1X/9ut3ioHOjo3I4uQYuxjBGk68X473Y7TCSta6bEFln2ojr4NvFqpX QuOKn+EDfr2jv04obnkH1gw3PZu5OzXFvIClPElz9UdaCPAjNGusXYl8= X-Google-Smtp-Source: AGHT+IGabVRhcguCIZ3RRr3DB46yyLvDes2A/VujGefZXPxrRUmjBbae6xlIS2Zc5qtBxES7NYGb4A== X-Received: by 2002:a17:903:298e:b0:28e:b14e:d45 with SMTP id d9443c01a7336-28ec9cd7160mr395593555ad.30.1760475259950; Tue, 14 Oct 2025 13:54:19 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:19 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 05/18] hdf5: patch CVE-2025-2925 Date: Wed, 15 Oct 2025 09:53:48 +1300 Message-ID: <20251014205402.1487867-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120638 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2925 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit e7832348a68e4ab18c981b3ddedb6627d989a997) Signed-off-by: Ankur Tyagi --- .../hdf5/files/0003-CVE-2025-2925.patch | 53 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0003-CVE-2025-2925.patch diff --git a/meta-oe/recipes-support/hdf5/files/0003-CVE-2025-2925.patch b/meta-oe/recipes-support/hdf5/files/0003-CVE-2025-2925.patch new file mode 100644 index 0000000000..83348190dd --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0003-CVE-2025-2925.patch @@ -0,0 +1,53 @@ +From 57a511958842f50cbf07b05262f2fe95e70c141b Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Thu, 9 Oct 2025 14:48:55 -0500 +Subject: [PATCH] CVE-2025-2925 + +This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image. + +The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs. + +CVE: CVE-2025-2925 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc] + +(cherry picked from commit 4310c19608455c17a213383d07715efb2918defc) +Signed-off-by: Ankur Tyagi +--- + src/H5Centry.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/H5Centry.c b/src/H5Centry.c +index 6883e89..bef93d8 100644 +--- a/src/H5Centry.c ++++ b/src/H5Centry.c +@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f, + */ + do { + if (actual_len != len) { ++ /* Verify that the length isn't a bad value */ ++ if (len == 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value"); ++ + if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ +@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f, + if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA"); + ++ /* Verify that the length isn't 0 */ ++ if (actual_len == 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value"); ++ + /* Expand buffer to new size */ + if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE))) + HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()"); + image = (uint8_t *)new_image; ++ + #if H5C_DO_MEMORY_SANITY_CHECKS + H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE); + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 06a375c673..540c8459ea 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -17,6 +17,7 @@ SRC_URI = " \ file://0001-cmake-remove-build-flags.patch \ file://0001-CVE-2025-2923.patch \ file://0002-CVE-2025-2924.patch \ + file://0003-CVE-2025-2925.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 14 20:53:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72306 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A9F0CCCD195 for ; Tue, 14 Oct 2025 20:54:26 +0000 (UTC) Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web11.355.1760475263219002372 for ; Tue, 14 Oct 2025 13:54:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=QhFcQ+BC; spf=pass (domain: gmail.com, ip: 209.85.214.180, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-28832ad6f64so65343655ad.1 for ; Tue, 14 Oct 2025 13:54:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475262; x=1761080062; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=heORXTH2GEooFe3wJyETz4N+CSuea90g1lOti2wc9q0=; b=QhFcQ+BCjzQxpla/qHp6XYnWjGqDqOgj591cfi6bRWb+qT6Jo258ioYGDnE+Kk/qhV m/SG8xgfYzPHDm6aP0obzAYk9vHzRDnBYlO30Gh/rma7BeQCyG8/8/Zvetay4CaVfnGi Ugy6Vv/sDw4k3JJ4BwNkxaabdrFYXyRo8PQgVYChnUoEp9Fjug0SIV2Skkv+FhaOG+Bo EQwatNwADCUFd4aijiXBGR3rgfm7EnatWYFqhA2943FL6DMAZ5iEdg4o25iG8aRE8r9x oeguUGACDDR2aJ5D3vDhAthN5JVwtOCeNQdAcZDGmsNP111fHbtWYWj7YRLrwdlIaBQE 3fZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475262; x=1761080062; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=heORXTH2GEooFe3wJyETz4N+CSuea90g1lOti2wc9q0=; b=nbtp8I4jy9mpuAXqbAtk90+rbAdyaHFiSD2cHpafsXT02Y2HkZgEExHLaOVWc4gRwO wAT7UPTXrJsrvXAUV3Ym4O8gK77w2iRqnmDc46damOm2IjmNTRPXERxpXLDIaX8DWfCj KhKrhM8iHIjCo6EV66zUyQ8bzMPkoSCZSTrpoOH3kvNZMKkTUwelDrayRHsdP4wtRkeK BA9AwpnRp0zZHHoiaP7VNytGLnb9J1kPMrCQJAseA1rQW09nZnR+SaFhklkfKEoF4Z7/ er79+5lmrlRhic6t7m4DmDdXwWIr+DYLfuj4566BY8g1OtR+ypafAQ6ZIC/+LuCPHDHb EYRw== X-Gm-Message-State: AOJu0Yx5tq751Yi7Xv3cDxWfeaj9AcJqiksf4I77GmvgDHuKgB6qE6fn 5pgLkqP7l95ORZiCJV4uD7A58Aacl0Fj5KRu67J8TYqula80Ploug7LaqVbu1A== X-Gm-Gg: ASbGncu0HyTYsGtgW7KnndvoYAzmOYBdpEsOKi0gpiL9jMGgoq948rzn3tyQczMMEsb 1N9tOd6xhzOuC+LLnNgN2aO2ht05N2wkKJJJS/hq6i2m/ihuTqjMdtk+kE5wUziAIrD4MqsMYx8 6x7JSwUe6bwPA2IyA2J7a9fLekxDhYzmvjR9elmruRqRtHFkk9X0JHx/x4Q4p/j4pdkoORg/Q9y FxnIdTeipFnm7dA3OM438FIT+p6ZxbJxY8HKmOQeDyxq7WBH2dTYN//HeQJSyLbtKmVHOPalzHJ K/KxbGpBsb83ZgGKKJaRSQj7XhkMkmSll5mtXsdjiDqrGlGMbG4/9RBZO2aP/y4BFL9fbiLugo5 /WMN5wYiR6UnfLQJPxg4vPHacodvutzPNGV3S5x/vvyza/iESwIkgoyU= X-Google-Smtp-Source: AGHT+IE080xGHjtsk1NefbWA4R0whGEqhsG6G+3nRAc769U/nXk8siCXkCu35Om7zjNNsxC0pj7v/Q== X-Received: by 2002:a17:903:11cd:b0:275:81ca:2c5 with SMTP id d9443c01a7336-2902730538cmr361291785ad.59.1760475262342; Tue, 14 Oct 2025 13:54:22 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:22 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 06/18] hdf5: patch CVE-2025-6269 Date: Wed, 15 Oct 2025 09:53:49 +1300 Message-ID: <20251014205402.1487867-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120639 Details https://nvd.nist.gov/vuln/detail/CVE-2025-6269 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit beb0dbaf258c94e5f36e052524b5b5627ab4c9cd) Signed-off-by: Ankur Tyagi --- .../0004-CVE-2025-6269-OSV-2023-77.patch | 294 ++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 295 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/0004-CVE-2025-6269-OSV-2023-77.patch diff --git a/meta-oe/recipes-support/hdf5/files/0004-CVE-2025-6269-OSV-2023-77.patch b/meta-oe/recipes-support/hdf5/files/0004-CVE-2025-6269-OSV-2023-77.patch new file mode 100644 index 0000000000..4f155559bc --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0004-CVE-2025-6269-OSV-2023-77.patch @@ -0,0 +1,294 @@ +From dfbbcfa5e8038813c99bc8bc1aa4926335c11df1 Mon Sep 17 00:00:00 2001 +From: aled-ua +Date: Wed, 15 Jan 2025 15:02:25 -0600 +Subject: [PATCH] CVE-2025-6269 OSV-2023-77 + +The GitHub issue #5579 included several security vulnerabilities in function +H5C__reconstruct_cache_entry(). + +This PR addressed them by: +- adding buffer size argument to the function +- adding buffer overflow checks +- adding input validations +- releasing allocated resource on failure + +These changes addressed the crashes reported. However, there is a skiplist +crash during the unwinding process that has to be investigated. + +CVE: CVE-2025-6269 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/7f27ba8c3a8483c3d7e5e2cb21fefb2c7563422d] +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/3914bb7f7ec7105d8bfbeb3aebd92e867cff5b70] + +(cherry picked from commit 7f27ba8c3a8483c3d7e5e2cb21fefb2c7563422d) +(cherry picked from commit 3914bb7f7ec7105d8bfbeb3aebd92e867cff5b70) +Signed-off-by: Ankur Tyagi +--- + src/H5Cimage.c | 95 ++++++++++++++++++++++++++++++++++++++------------ + src/H5Ocont.c | 5 +-- + 2 files changed, 76 insertions(+), 24 deletions(-) + +diff --git a/src/H5Cimage.c b/src/H5Cimage.c +index ec1af78..b97be22 100644 +--- a/src/H5Cimage.c ++++ b/src/H5Cimage.c +@@ -118,7 +118,8 @@ do { \ + /* Helper routines */ + static size_t H5C__cache_image_block_entry_header_size(const H5F_t *f); + static size_t H5C__cache_image_block_header_size(const H5F_t *f); +-static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf); ++static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, ++ size_t buf_size); + #ifndef NDEBUG /* only used in assertions */ + static herr_t H5C__decode_cache_image_entry(const H5F_t *f, const H5C_t *cache_ptr, const uint8_t **buf, + unsigned entry_num); +@@ -131,7 +132,8 @@ static void H5C__prep_for_file_close__compute_fd_heights_real(H5C_cache_entry_ + static herr_t H5C__prep_for_file_close__setup_image_entries_array(H5C_t *cache_ptr); + static herr_t H5C__prep_for_file_close__scan_entries(const H5F_t *f, H5C_t *cache_ptr); + static herr_t H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr); +-static H5C_cache_entry_t *H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf); ++static H5C_cache_entry_t *H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, hsize_t *buf_size, ++ const uint8_t **buf); + static herr_t H5C__write_cache_image_superblock_msg(H5F_t *f, bool create); + static herr_t H5C__read_cache_image(H5F_t *f, H5C_t *cache_ptr); + static herr_t H5C__write_cache_image(H5F_t *f, const H5C_t *cache_ptr); +@@ -299,7 +301,7 @@ H5C__construct_cache_image_buffer(H5F_t *f, H5C_t *cache_ptr) + /* needed for sanity checks */ + fake_cache_ptr->image_len = cache_ptr->image_len; + q = (const uint8_t *)cache_ptr->image_buffer; +- status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q); ++ status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q, cache_ptr->image_len + 1); + assert(status >= 0); + + assert(NULL != p); +@@ -1269,7 +1271,7 @@ H5C__cache_image_block_header_size(const H5F_t *f) + *------------------------------------------------------------------------- + */ + static herr_t +-H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf) ++H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, size_t buf_size) + { + uint8_t version; + uint8_t flags; +@@ -1289,6 +1291,10 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t * + /* Point to buffer to decode */ + p = *buf; + ++ /* Ensure buffer has enough data for signature comparison */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + buf_size - 1)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature"); ++ + /* Check signature */ + if (memcmp(p, H5C__MDCI_BLOCK_SIGNATURE, (size_t)H5C__MDCI_BLOCK_SIGNATURE_LEN) != 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "Bad metadata cache image header signature"); +@@ -2372,6 +2378,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + { + H5C_cache_entry_t *pf_entry_ptr; /* Pointer to prefetched entry */ + H5C_cache_entry_t *parent_ptr; /* Pointer to parent of prefetched entry */ ++ hsize_t image_len; /* Image length */ + const uint8_t *p; /* Pointer into image buffer */ + unsigned u, v; /* Local index variable */ + herr_t ret_value = SUCCEED; /* Return value */ +@@ -2387,10 +2394,11 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + assert(cache_ptr->image_len > 0); + + /* Decode metadata cache image header */ +- p = (uint8_t *)cache_ptr->image_buffer; +- if (H5C__decode_cache_image_header(f, cache_ptr, &p) < 0) ++ p = (uint8_t *)cache_ptr->image_buffer; ++ image_len = cache_ptr->image_len; ++ if (H5C__decode_cache_image_header(f, cache_ptr, &p, image_len + 1) < 0) + HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed"); +- assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len); ++ assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < image_len); + + /* The image_data_len and # of entries should be defined now */ + assert(cache_ptr->image_data_len > 0); +@@ -2402,7 +2410,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr) + /* Create the prefetched entry described by the ith + * entry in cache_ptr->image_entrise. + */ +- if (NULL == (pf_entry_ptr = H5C__reconstruct_cache_entry(f, cache_ptr, &p))) ++ if (NULL == (pf_entry_ptr = H5C__reconstruct_cache_entry(f, cache_ptr, &image_len, &p))) + HGOTO_ERROR(H5E_CACHE, H5E_SYSTEM, FAIL, "reconstruction of cache entry failed"); + + /* Note that we make no checks on available cache space before +@@ -2558,19 +2566,21 @@ done: + *------------------------------------------------------------------------- + */ + static H5C_cache_entry_t * +-H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf) ++H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, hsize_t *buf_size, const uint8_t **buf) + { + H5C_cache_entry_t *pf_entry_ptr = NULL; /* Reconstructed cache entry */ + uint8_t flags = 0; + bool is_dirty = false; ++ haddr_t eoa; ++ bool is_fd_parent = false; + #ifndef NDEBUG /* only used in assertions */ +- bool in_lru = false; +- bool is_fd_parent = false; +- bool is_fd_child = false; ++ bool in_lru = false; ++ bool is_fd_child = false; + #endif +- const uint8_t *p; + bool file_is_rw; +- H5C_cache_entry_t *ret_value = NULL; /* Return value */ ++ const uint8_t *p; ++ const uint8_t *p_end = *buf + *buf_size - 1; /* Pointer to last valid byte in buffer */ ++ H5C_cache_entry_t *ret_value = NULL; /* Return value */ + + FUNC_ENTER_PACKAGE + +@@ -2590,9 +2600,15 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + p = *buf; + + /* Decode type id */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->prefetch_type_id = *p++; ++ if (pf_entry_ptr->prefetch_type_id < H5AC_BT_ID || pf_entry_ptr->prefetch_type_id >= H5AC_NTYPES) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "type id is out of valid range"); + + /* Decode flags */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + flags = *p++; + if (flags & H5C__MDCI_ENTRY_DIRTY_FLAG) + is_dirty = true; +@@ -2620,19 +2636,31 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + pf_entry_ptr->is_dirty = (is_dirty && file_is_rw); + + /* Decode ring */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->ring = *p++; +- assert(pf_entry_ptr->ring > (uint8_t)(H5C_RING_UNDEFINED)); +- assert(pf_entry_ptr->ring < (uint8_t)(H5C_RING_NTYPES)); ++ if (pf_entry_ptr->ring >= (uint8_t)(H5C_RING_NTYPES)) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "ring is out of valid range"); + + /* Decode age */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 1, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + pf_entry_ptr->age = *p++; ++ if (pf_entry_ptr->age > H5AC__CACHE_IMAGE__ENTRY_AGEOUT__MAX) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "entry age is out of policy range"); + + /* Decode dependency child count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_child_count); +- assert((is_fd_parent && pf_entry_ptr->fd_child_count > 0) || +- (!is_fd_parent && pf_entry_ptr->fd_child_count == 0)); ++ if (is_fd_parent && pf_entry_ptr->fd_child_count <= 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "parent entry has no children"); ++ else if (!is_fd_parent && pf_entry_ptr->fd_child_count != 0) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "non-parent entry has children"); + + /* Decode dirty dependency child count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_dirty_child_count); + if (!file_is_rw) + pf_entry_ptr->fd_dirty_child_count = 0; +@@ -2640,20 +2668,32 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid dirty flush dependency child count"); + + /* Decode dependency parent count */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + UINT16DECODE(p, pf_entry_ptr->fd_parent_count); + assert((is_fd_child && pf_entry_ptr->fd_parent_count > 0) || + (!is_fd_child && pf_entry_ptr->fd_parent_count == 0)); + + /* Decode index in LRU */ ++ if (H5_IS_BUFFER_OVERFLOW(p, 4, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + INT32DECODE(p, pf_entry_ptr->lru_rank); + assert((in_lru && pf_entry_ptr->lru_rank >= 0) || (!in_lru && pf_entry_ptr->lru_rank == -1)); + + /* Decode entry offset */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &pf_entry_ptr->addr); +- if (!H5_addr_defined(pf_entry_ptr->addr)) +- HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry offset"); ++ ++ /* Validate address range */ ++ eoa = H5F_get_eoa(f, H5FD_MEM_DEFAULT); ++ if (!H5_addr_defined(pf_entry_ptr->addr) || H5_addr_overflow(pf_entry_ptr->addr, pf_entry_ptr->size) || ++ H5_addr_ge(pf_entry_ptr->addr + pf_entry_ptr->size, eoa)) ++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry address range"); + + /* Decode entry length */ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_SIZE(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, pf_entry_ptr->size); + if (pf_entry_ptr->size == 0) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid entry size"); +@@ -2674,6 +2714,9 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + "memory allocation failed for fd parent addrs buffer"); + + for (u = 0; u < pf_entry_ptr->fd_parent_count; u++) { ++ ++ if (H5_IS_BUFFER_OVERFLOW(p, H5F_SIZEOF_ADDR(f), p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &(pf_entry_ptr->fd_parent_addrs[u])); + if (!H5_addr_defined(pf_entry_ptr->fd_parent_addrs[u])) + HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "invalid flush dependency parent offset"); +@@ -2689,6 +2732,8 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + #endif /* H5C_DO_MEMORY_SANITY_CHECKS */ + + /* Copy the entry image from the cache image block */ ++ if (H5_IS_BUFFER_OVERFLOW(p, pf_entry_ptr->size, p_end)) ++ HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5MM_memcpy(pf_entry_ptr->image_ptr, p, pf_entry_ptr->size); + p += pf_entry_ptr->size; + +@@ -2703,14 +2748,20 @@ H5C__reconstruct_cache_entry(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **b + /* Sanity checks */ + assert(pf_entry_ptr->size > 0 && pf_entry_ptr->size < H5C_MAX_ENTRY_SIZE); + +- /* Update buffer pointer */ ++ /* Update buffer pointer and buffer len */ ++ *buf_size -= (hsize_t)(p - *buf); + *buf = p; + + ret_value = pf_entry_ptr; + + done: +- if (NULL == ret_value && pf_entry_ptr) ++ if (NULL == ret_value && pf_entry_ptr) { ++ if (pf_entry_ptr->image_ptr) ++ H5MM_xfree(pf_entry_ptr->image_ptr); ++ if (pf_entry_ptr->fd_parent_count > 0 && pf_entry_ptr->fd_parent_addrs) ++ H5MM_xfree(pf_entry_ptr->fd_parent_addrs); + pf_entry_ptr = H5FL_FREE(H5C_cache_entry_t, pf_entry_ptr); ++ } + + FUNC_LEAVE_NOAPI(ret_value) + } /* H5C__reconstruct_cache_entry() */ +diff --git a/src/H5Ocont.c b/src/H5Ocont.c +index 621095a..180b115 100644 +--- a/src/H5Ocont.c ++++ b/src/H5Ocont.c +@@ -93,6 +93,9 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + HGOTO_ERROR(H5E_OHDR, H5E_NOSPACE, NULL, "memory allocation failed"); + + /* Decode */ ++ ++ cont->chunkno = 0; ++ + if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_addr(f), p_end)) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_addr_decode(f, &p, &(cont->addr)); +@@ -101,8 +104,6 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, cont->size); + +- cont->chunkno = 0; +- + /* Set return value */ + ret_value = cont; + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 540c8459ea..6d2d439460 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -18,6 +18,7 @@ SRC_URI = " \ file://0001-CVE-2025-2923.patch \ file://0002-CVE-2025-2924.patch \ file://0003-CVE-2025-2925.patch \ + file://0004-CVE-2025-6269-OSV-2023-77.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03" From patchwork Tue Oct 14 20:53:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72303 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9682ECCD18E for ; Tue, 14 Oct 2025 20:54:26 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.315.1760475265429494707 for ; Tue, 14 Oct 2025 13:54:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=T/c6GKLB; spf=pass (domain: gmail.com, ip: 209.85.214.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-26e68904f0eso60100445ad.0 for ; Tue, 14 Oct 2025 13:54:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475265; x=1761080065; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=UDPOE6a3v42coAe5i+xdegPnrJahUafqdM1RNbGrV6A=; b=T/c6GKLBH1HrU8lsI4Jbw8OpeO1QnM1S0u5Ll3oHDsGhlGgvRlZkYKou9Pd8e8NfZ2 SWGN5vwyUSHrzLzRYRemRx92QtaB/jjEbslJwKH6tD5LVRdIE2NAjZmeqoY53sAXR4Ly ZIW4EOPKDtxi24cp+xaaxBAEXbN353ingpLa/qLcWEvG/W25SR12s/3PPG+ZGRHGFp2B E3TvxXkFxRzVujOdxn1xKRseWR+Q1ymaVUlorzOwZhJfa58NA0xYdGiEQ3uTAkwteOk/ OTvDE8JZ/mcUq/B+JwwwtCM9esI2gqTIVvAJCNiFRKQ9qTpeaDcqXAua/kMYhq11ReoY RpnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475265; x=1761080065; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UDPOE6a3v42coAe5i+xdegPnrJahUafqdM1RNbGrV6A=; b=CQqsn0xPtzzODI3K7POGXEJhShwXgSHpFVXseXEpEuseEVhoA/o9ymtgPxa0JB+lV9 t0ersNuW0M8II6DU0tekWEzat4u9Us3O3M2/Xzjh7US9l6meWaX16x6+ZoEO4KyduZ3U Zplc5jz+yPeeiX52m33GRNO6635mRmGyfe963XT6KcT6LMZ39l9O7FhKPZQTG2SYIZBy EhvSutPH6Uog4p6bf6l4C+U7YQzcIEsNRjAse8ykwNvhY+04VG/pOOYVP/35k+dllCC0 qyX01QqjO24puRzFHbAyNUhmdg8QZEXRwpB/9jfLtFqrwKALKtgYjebIv2B04ycMpN83 MGFw== X-Gm-Message-State: AOJu0YyrmP/EqigzjZ73T1iKayTcCb0cRxJ6t9pMmm5huHXnkn4VNfzN ghsj7WYXJE3VoicBhPgJJmuEPoJAJAXEVmeEGj8FIc1cfvY1MgrZlRkQODL9VA== X-Gm-Gg: ASbGnctHcDwAWMp33i8HwiXSeTBHF+CKZNk6u2Kpta9FAixCqGGfGkqZ2NhCcoRg+Bq P/CCwUi9oQ9HJe68IMxuKn4UkIIkRGwZf0ma1ZFHvGw2++bV1i4XU8eGLNcT9PbcE59i2lIELpR TLZswMRVNFZVJGtO8G7yhAw8WM4mwPwlSCD1Th1fEVdKzlHODUwBdyBEVwpLwpiocaDHXAqrZfz dta9/FtWRcqtGYCS2zbTDPPzjWMh1dxeUa3KT8gGw8povvJsNgqMIQh0WbxwfyiSpzgQMIPN+oe wrsWOE5a1apDff485ho8Z7C3APMR2pm9sZR9Ugk2YAtMcRZDprWDvhUGMezx4gu/yFz1d5Y+CH+ 2kUsWMZIjB8ah1Fra64N0BQcPH692Ljex+6G1MBut1F8IECsrwrlmLV+Emxc/8+3DkQ== X-Google-Smtp-Source: AGHT+IGtRR+30i0/lC2xd5+JI83G+5SxRx/nZqKNaQrhi9wzPDaublPP6gTt3W77MX2f6FnpaoJrtQ== X-Received: by 2002:a17:903:244b:b0:272:c95c:866 with SMTP id d9443c01a7336-2902723c20cmr326754575ad.20.1760475264667; Tue, 14 Oct 2025 13:54:24 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:24 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 07/18] libcupsfilters: patch CVE-2024-47076 Date: Wed, 15 Oct 2025 09:53:50 +1300 Message-ID: <20251014205402.1487867-7-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120640 Details https://nvd.nist.gov/vuln/detail/CVE-2024-47076 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 1ef236b6c507ccf280d9a9aa1cbba3a9c2fee5f8) Signed-off-by: Ankur Tyagi --- .../libcupsfilters/0001-CVE-2024-47076.patch | 38 +++++++++++++++++++ .../cups/libcupsfilters_2.0.0.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/libcupsfilters/0001-CVE-2024-47076.patch diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/0001-CVE-2024-47076.patch b/meta-oe/recipes-printing/cups/libcupsfilters/0001-CVE-2024-47076.patch new file mode 100644 index 0000000000..5fdf2bd444 --- /dev/null +++ b/meta-oe/recipes-printing/cups/libcupsfilters/0001-CVE-2024-47076.patch @@ -0,0 +1,38 @@ +From 5f950f6a52c7453d76fb30dbc8d66bbc1cc682a3 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Thu, 26 Sep 2024 23:09:29 +0200 +Subject: [PATCH] CVE-2024-47076 + +cfGetPrinterAttributes5(): Validate response attributes before return + +The destination can be corrupted or forged, so validate the response +to strenghten security measures. + +CVE: CVE-2024-47076 +Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018] + +(cherry picked from commit 95576ec3d20c109332d14672a807353cdc551018) +Signed-off-by: Ankur Tyagi +--- + cupsfilters/ipp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/cupsfilters/ipp.c b/cupsfilters/ipp.c +index a0814ae5..994c8dac 100644 +--- a/cupsfilters/ipp.c ++++ b/cupsfilters/ipp.c +@@ -452,6 +452,14 @@ cfGetPrinterAttributes5(http_t *http_printer, + ippDelete(response2); + } + } ++ ++ // Check if the response is valid ++ if (!ippValidateAttributes(response)) ++ { ++ ippDelete(response); ++ response = NULL; ++ } ++ + if (have_http == 0) httpClose(http_printer); + if (uri) free(uri); + return (response); diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb index 7f7174d940..827172a6a1 100644 --- a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb +++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb @@ -8,6 +8,7 @@ DEPENDS = "cups fontconfig libexif dbus lcms qpdf poppler libpng jpeg tiff" SRC_URI = " \ https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \ + file://0001-CVE-2024-47076.patch \ " SRC_URI[sha256sum] = "542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601" From patchwork Tue Oct 14 20:53:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72308 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA27DCCD190 for ; Tue, 14 Oct 2025 20:54:36 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web11.362.1760475268025527069 for ; Tue, 14 Oct 2025 13:54:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WBlXPirU; spf=pass (domain: gmail.com, ip: 209.85.214.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-2698384978dso41075415ad.0 for ; Tue, 14 Oct 2025 13:54:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475267; x=1761080067; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=u3Ovq84Ww3RnDYl5wDzUuZKqu8/n/AulVB7VtUMuTRc=; b=WBlXPirU+hOVMKaEzzk8qy/E6EvU3rxVuGdFQJSrrO/bWNEgwJi7v5t2jjQYK1pJkj 2QkhWpYl301R9f14ZUO4EPlwzn2Qto18MGClYxqeWrzvyHL2IooqdQjXqlc7xIskZCWV PXywP3QbyXqMxeeuzAnK4R7TBZfEWGGOnj6m7V8zGRVisRct3pbcTAo5ChigNe47QUQM fa6ws4JGfpSi5b5QvS8n+UBa9/Z9CPewdUlEm17Nbu+85I3TWu5xhj5SHFUYSs6SScAL gsLb/9RITuzsZOq0cupfCl3OqgGMlNMsJ62wux25L8pyITMkX9CKrczAOmgV+YzJUZSb mQug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475267; x=1761080067; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=u3Ovq84Ww3RnDYl5wDzUuZKqu8/n/AulVB7VtUMuTRc=; b=gTxrZ7knbDvTkO0iack9lwW2f3oCJgmJd2fmmPrYD020wO22xmB/lxgFXB8Vu0sYMr zhZ0EJ2IRrSC48LhXfH3Jdk9Gyyk0gQdF/WKcNtLiRDcYKfrrA9dRuh/ICYbgS04Vxp8 Vxs3s90NFRx9otpLzVtdBK2e8YT8MOQo/CrGFhLglmD7uMVdG5QfWjeI05ZlZ+bp8C2V YKaWJgfLW8t2+mYIWbeVUx/Knx7iTx5jnw+DmONsUO3c1sgDnGioVy+5XZ2ZlbeEODnX Kj3f0kKQvhNlfdzKXOUgi/CAoReZX1DJTFL3T6QrQGV7xpbNMLwnvA8ypZEANXDVq+B4 OKUA== X-Gm-Message-State: AOJu0YwPTZqWH2BV4ueYs+H1116Gb6FhX36GqHEJn5BA/QMIgoA25R81 Thc1C0S+E+wzM8c2yTlPRNpySTaOHHufQBL92PY393mpU/MnBqm1uHHitg0q9A== X-Gm-Gg: ASbGncs0zR6Q/TlJttR7RQbwfNI3si7a627yJKMXKxBYr0M5QMV7ofACV8+F0bD8UP7 K5rA3FU5V+gl0u6w+JJSrg7Q+RxDb1BiFnh9VdjqWrUuv9EWCNyb4GP+rvkzsggufbQYJMqsSe9 6D/71wDRNnzJD0cLkiLHoCwmsCv2l3LblGaJUzxB+vdJ8Pie4UWnefOHOBfEbAdQRPqtZxs6X6W ZGmLpfm6YuESkYFtfxiNitLeL2XrAdcLf8Gy1uk0nO2ERmYH1hWHDJofrnVWg1CYtrJHxnre/qI CCgc8qxfFHVptdRfAaMioUpGRqGlnGLRCeYFmqg41Sq6ltsACuA4fRXriHY8SUcycY9dYq5jIxv B80hJd0s1J9Dffnk2APOlSH4y0q9aKem0ahUvoYNkF52kBsdymgDr8aW9qs9DDOAjXA== X-Google-Smtp-Source: AGHT+IHZy5pHkVcqnNAXVA0FUhUiiq45zjSEVVrXtIFb6FtqD3lDPqq/M0RhyNB57FnqiH0zpDkSBA== X-Received: by 2002:a17:903:19e5:b0:27e:ef35:2dbf with SMTP id d9443c01a7336-290272c1c46mr309676395ad.30.1760475267129; Tue, 14 Oct 2025 13:54:27 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:26 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 08/18] libraw: patch CVE-2025-43961 CVE-2025-43962 Date: Wed, 15 Oct 2025 09:53:51 +1300 Message-ID: <20251014205402.1487867-8-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120641 Details - https://nvd.nist.gov/vuln/detail/CVE-2025-43961 - https://nvd.nist.gov/vuln/detail/CVE-2025-43962 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 337ab48ff821561af4786ee3c111dc6f81236505) Signed-off-by: Ankur Tyagi --- .../0001-CVE-2025-43961-CVE-2025-43962.patch | 108 ++++++++++++++++++ .../recipes-support/libraw/libraw_0.21.2.bb | 5 +- 2 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/libraw/libraw/0001-CVE-2025-43961-CVE-2025-43962.patch diff --git a/meta-oe/recipes-support/libraw/libraw/0001-CVE-2025-43961-CVE-2025-43962.patch b/meta-oe/recipes-support/libraw/libraw/0001-CVE-2025-43961-CVE-2025-43962.patch new file mode 100644 index 0000000000..1abd302caf --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/0001-CVE-2025-43961-CVE-2025-43962.patch @@ -0,0 +1,108 @@ +From 880829f7ed206c21ce05d5772f0928629c7dd577 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sat, 1 Feb 2025 15:32:39 +0300 +Subject: [PATCH] CVE-2025-43961 CVE-2025-43962 + +Prevent out-of-bounds read in fuji 0xf00c tag parser + +prevent OOB reads in phase_one_correct + +CVE: CVE-2025-43961 CVE-2025-43962 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2] + +(cherry picked from commit 66fe663e02a4dd610b4e832f5d9af326709336c2) +Signed-off-by: Ankur Tyagi +--- + src/decoders/load_mfbacks.cpp | 18 ++++++++++++++---- + src/metadata/tiff.cpp | 28 +++++++++++++++++----------- + 2 files changed, 31 insertions(+), 15 deletions(-) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index cddc33eb..1a1bdfb3 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -490,6 +490,9 @@ int LibRaw::phase_one_correct() + fseek(ifp, off_412, SEEK_SET); + for (i = 0; i < 9; i++) + head[i] = get4() & 0x7fff; ++ unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; ++ if (w0 > 10240000 || w1 > 10240000) ++ throw LIBRAW_EXCEPTION_ALLOC; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + yval[1] = (float *)(yval[0] + head[1] * head[3]); + xval[0] = (ushort *)(yval[1] + head[2] * head[4]); +@@ -514,10 +517,17 @@ int LibRaw::phase_one_correct() + for (k = j = 0; j < head[1]; j++) + if (num < xval[0][k = head[1] * i + j]) + break; +- frac = (j == 0 || j == head[1]) +- ? 0 +- : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]); +- mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac); ++ if (j == 0 || j == head[1] || k < 1 || k >= w0+w1) ++ frac = 0; ++ else ++ { ++ int xdiv = (xval[0][k] - xval[0][k - 1]); ++ frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0; ++ } ++ if (k < w0 + w1) ++ mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac); ++ else ++ mult[i - cip] = 0; + } + i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2; + RAW(row, col) = LIM(i, 0, 65535); +diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp +index c34b8647..af664937 100644 +--- a/src/metadata/tiff.cpp ++++ b/src/metadata/tiff.cpp +@@ -1032,31 +1032,37 @@ int LibRaw::parse_tiff_ifd(int base) + if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) && + (fwb[2] == rafdata[fi + 2])) // found Tungsten WB + { +- if (rafdata[fi - 15] != ++ if (fi > 14 && rafdata[fi - 15] != + fwb[0]) // 15 is offset of Tungsten WB from the first + // preset, Fine Weather WB + continue; +- for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); +- wb_ind++, ofst += 3) +- { +- icWBC[Fuji_wb_list1[wb_ind]][1] = +- icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; +- icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; +- icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; +- } ++ if (fi >= 15) ++ { ++ for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size(); ++ wb_ind++, ofst += 3) ++ { ++ icWBC[Fuji_wb_list1[wb_ind]][1] = ++ icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst]; ++ icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1]; ++ icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2]; ++ } ++ } + + if (is34) + fi += 24; + fi += 96; + for (fj = fi; fj < (fi + 15); fj += 3) // looking for the end of the WB table + { ++ if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3) ++ break; + if (rafdata[fj] != rafdata[fi]) + { + fj -= 93; + if (is34) + fj -= 9; +-// printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); +- for (int iCCT = 0, ofst = fj; iCCT < 31; ++//printf ("wb start in DNG: 0x%04x\n", fj*2-0x4e); ++ for (int iCCT = 0, ofst = fj; iCCT < 31 ++ && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3; + iCCT++, ofst += 3) + { + icWBCCTC[iCCT][0] = FujiCCT_K[iCCT]; diff --git a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb index 4d089f3b79..c6d9acb960 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb @@ -2,7 +2,10 @@ SUMMARY = "raw image decoder" LICENSE = "LGPL-2.1-only | CDDL-1.0" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=1501ae0aa3c8544e63f08d6f7bf88a6f" -SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=0.21-stable;protocol=https" +SRC_URI = " \ + git://github.com/LibRaw/LibRaw.git;branch=0.21-stable;protocol=https \ + file://0001-CVE-2025-43961-CVE-2025-43962.patch \ +" SRCREV = "1ef70158d7fde1ced6aaddb0b9443c32a7121d3d" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72307 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA248CCD18E for ; Tue, 14 Oct 2025 20:54:36 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web11.363.1760475270319474835 for ; Tue, 14 Oct 2025 13:54:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=TirFsPXU; spf=pass (domain: gmail.com, ip: 209.85.214.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-2681660d604so63456995ad.0 for ; Tue, 14 Oct 2025 13:54:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475269; x=1761080069; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=cZEJiuVWMeJJ8+CxKPDlfL4j+5gm619xbbXYX8LZH98=; b=TirFsPXUDH7/xd+y7gokCyYoDz8Sw44GKqdw2+2GSmvD8QsDTtE9d/Xioq3eGFDcLH t29FwqZwLk5Cn8CZ4K1rV899qxANAgxMl7LqmdLjk2Mr6EyWnUDOOzQAvjdbIuq/CG6c m+iE0tdFkRAw1HDrNfEzpf2/dMy3WBnt6uxVZBqrobDivVomRpKwPzFq9ddXUlB1tx5F OnTN7GCLNqAitRGiN/pUcZUn98dneVAmWtyjYX2XerQgdWTOhgoMqjrHgC7+vZdvKtH1 PR3i7fykMHoBWsa4ED1h09SALlo/SRGOUwU4CC8M+nbSTPON1Ur3bHEgjME7X4uqoDh0 sHfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475269; x=1761080069; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=cZEJiuVWMeJJ8+CxKPDlfL4j+5gm619xbbXYX8LZH98=; b=m5bBU6Lkuaih0DMq1WDY3893nFcgQ9E62lCT/OcPNFr7NmneV9lsBo8qT71ahAXjQa dxrCUxBJQOVazed8Bth2RsAiLYaompkWd3ta6Kqwi/LqIZCE4RDFcZ5Zp6Tb/sel5HKY ttl4OOA0x0fl/GKUuK/e5xBrCT6680+2izGSNrM0FOhUIAXakVbYChKl4ZM0BADjJJGG 2XV4ycK/QfPRt6GI7cxHg9d+/GLH3NJrwhF1q/tdmGvRurTeQDlZfKXqubxVHiUDWzGv hsr5UCrwL2eZu6Kmhiqzxur/asHPkTqamY2ygYsdkSZCq4qelOFlZYwvcmrjdogbQDNj fjKA== X-Gm-Message-State: AOJu0YztOf5UTdaqox6KhJ0VBhxnLpaCKWok5Q4Ais90xPj+5MzMLI1W RGWgqf7ZjaYfeXhz3uBAPZxldxYUMjVjGVkVDLo2WMhnYvE3Csx7v+6RKb9LkA== X-Gm-Gg: ASbGncvnD9uVjoA+yI4fdLC8UjyhGZrqf9fXAQJohciM4oxH4pW1YW6B3n+mcOPnN3w RmXob8ILMxPFTA/mbPHVA98huI2t7V2JST9I5+AVcg+BYYOrMJBD1WO3NY/pQZ+X983MriL0lCt 4jRcR5JcnWLT/vaVGkivjUnWSIQmUfzy31VZYBUvrpryfKTDpHVLP048xrMGHJRwbafP+vqEffA IPYbXqdPg7L/xtg1fWuogRkfNo0IzCC0lXwPvYqrCJyoKiSOXMikvEcot20FdlE/HabTDjTPkRi Ddpw3OTpQIPXwlDx1cr6WgSUdTSenY7YK0D5YWVjrP2Du5S51GLAG8liBucK8XhTID2wPqUnXDl dmwJ61r3s97JIJbq+qvG+ETdR4kS34S8jcDCAqpR/o9SimLeT4mDhakQ= X-Google-Smtp-Source: AGHT+IHfgnVac4wL0JNz3GHGvg6X8U23UpWrimIFRu/aa7fWGr3HaHydOt5Mgz00KM1UJfWbaDNrkA== X-Received: by 2002:a17:903:246:b0:27b:defc:802d with SMTP id d9443c01a7336-290272b537bmr335063795ad.28.1760475269566; Tue, 14 Oct 2025 13:54:29 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:29 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 09/18] libraw: patch CVE-2025-43963 Date: Wed, 15 Oct 2025 09:53:52 +1300 Message-ID: <20251014205402.1487867-9-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120642 Details https://nvd.nist.gov/vuln/detail/CVE-2025-43963 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 287ed36b866adf46b0ec6245947da64531a98fa2) Signed-off-by: Ankur Tyagi --- .../libraw/libraw/0002-CVE-2025-43963.patch | 40 +++++++++++++++++++ .../recipes-support/libraw/libraw_0.21.2.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-oe/recipes-support/libraw/libraw/0002-CVE-2025-43963.patch diff --git a/meta-oe/recipes-support/libraw/libraw/0002-CVE-2025-43963.patch b/meta-oe/recipes-support/libraw/libraw/0002-CVE-2025-43963.patch new file mode 100644 index 0000000000..d571164781 --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/0002-CVE-2025-43963.patch @@ -0,0 +1,40 @@ +From 975393c804bc321fd4bc709c3c221733dac2d80a Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Thu, 6 Feb 2025 21:01:58 +0300 +Subject: [PATCH] CVE-2025-43963 + +check split_col/split_row values in phase_one_correct + +CVE: CVE-2025-43963 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964] + +(cherry picked from commit be26e7639ecf8beb55f124ce780e99842de2e964) +Signed-off-by: Ankur Tyagi +--- + src/decoders/load_mfbacks.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index 1a1bdfb3..f89aecce 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -348,7 +348,8 @@ int LibRaw::phase_one_correct() + off_412 = ftell(ifp) - 38; + } + } +- else if (tag == 0x041f && !qlin_applied) ++ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width ++ && ph1.split_row > 0 && ph1.split_row < raw_height) + { /* Quadrant linearization */ + ushort lc[2][2][16], ref[16]; + int qr, qc; +@@ -432,7 +433,8 @@ int LibRaw::phase_one_correct() + } + qmult_applied = 1; + } +- else if (tag == 0x0431 && !qmult_applied) ++ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width ++ && ph1.split_row > 0 && ph1.split_row < raw_height) + { /* Quadrant combined - four tile gain calibration */ + ushort lc[2][2][7], ref[7]; + int qr, qc; diff --git a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb index c6d9acb960..d4750630e0 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=1501ae0aa3c8544e63f08d6f7bf88a6f" SRC_URI = " \ git://github.com/LibRaw/LibRaw.git;branch=0.21-stable;protocol=https \ file://0001-CVE-2025-43961-CVE-2025-43962.patch \ + file://0002-CVE-2025-43963.patch \ " SRCREV = "1ef70158d7fde1ced6aaddb0b9443c32a7121d3d" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72309 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF97DCCD184 for ; Tue, 14 Oct 2025 20:54:36 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web11.366.1760475272863487346 for ; Tue, 14 Oct 2025 13:54:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=dXp8BLH0; spf=pass (domain: gmail.com, ip: 209.85.215.180, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-b5a631b9c82so3581245a12.1 for ; Tue, 14 Oct 2025 13:54:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475272; x=1761080072; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=tzPRJ6DC/7o9gjhWlOYLJQKHHxkCY7yOiX6X4wOJykk=; b=dXp8BLH0ezJk81L71vuSxVNQuMe1l4sVuyYIdqa8RJ+KCeSHlTU+IOGIh9VlOI3CYQ i8OJPRZ9Rs9wHMBI+UuLswOgtV6zIJcg84mB7roz7LNI7XTEJQ1MOqetvn81pEMnsoqj rXZdPjYAsJJLfV0MaxTzF2bSmvwOK4D3Pbtqk90dr1Ffrz2t7r8vejLAKiOQlbktiKex F8Y3KWNepU+mWSW6EuKnguWRuZOb7oydjdRd9jvYtrrrhcBP5le7blMnKzhjACarhXSr K3YUogsClZ8BIWxcZ2UJyFtQ4smW4O+WvDI3lfnUAJN1gI5NiAXRDc6kiNzObAPh/BFf bBDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475272; x=1761080072; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tzPRJ6DC/7o9gjhWlOYLJQKHHxkCY7yOiX6X4wOJykk=; b=GjP2iGgx2DAOP5ajC5yyjhTA+XpDY7AoGoIfBfhqDTNTwY9iW8/w7EiH2s94NsBzvp gJ8bdKfDlIjxYaN01TEwIy2lQpqcUOJrNaI7HKFqxUtiOXZmTZAslkqrDPrkJx/0qG9Z TDQV94isrei5SHPZzHwKqb+Jp1PEO74jlW96aRYoVMs8rFsxLd6unIR7mt2cJyF4bpo1 YXCVBL3msv0MznDDzSNbGokMDHvxtKrLwLUO5YbSAC4IuKqPNm1nB4D3wNa/3vH9g6Z9 Il010N0JA4keYcw5T2ScNOjejtBunNY9GvOxDG/kUEhxt4tuVEBSvJUGCHjhela8/k+n j+yA== X-Gm-Message-State: AOJu0YxBS91fMNKoeCkhOblezLgyjosEYnVk3r7rG1XJfSLqe1bsQMKe PArJDgWnPYvYMCr5BIrjajtpbFCGYyaGBTwdkqBLNTOloH5AflmY0sS+Rr32xQ== X-Gm-Gg: ASbGncvCwNjzVHdXQNGDNa+DaL1D3d6gQfseT05izqjkPkstkIbc/qnWhBngA76Wcig ix1j5QZqn2+/NRvJSHhw3ioRe8RlNwDEHAZp+NSHUzJAtcVlS1KvuywcnwrmCc3TRIbjdWNuEGb WJJc4T3Pj0p2HT5rIOAzzVaMAiP+FcCVYhkMTKFx6pIC5kilAoHXseg0SV7ztCoLk0N91rQ37vx RLrAoA8TwEvbh+SomaP1zu572lyeraGo258Eb4O42EYrVy8zHSwJgvDlWxkxvWl7EnRaDlgY/jj Ks6ohYesjo4bP3DONaiIBULJoadoSv1j/oe3bbH3Cdk0r0QcgkB4xsu8zJARBiHvHOpn66fApWk LwNxrl0Dp95o6GrHvP+Ka6ZdliPH4VWV6PZGoCTvjNZDlXJDE7Z/QlnIalmrgwts4ew== X-Google-Smtp-Source: AGHT+IHs/Sq89jQs6g/LDStY8aXlodA/lWSTMtWYmHFYXvFa/OIrprJ6nupIYo5fuon/DsAQTUfe3w== X-Received: by 2002:a17:903:3843:b0:24b:11c8:2d05 with SMTP id d9443c01a7336-290272dfc42mr325214245ad.45.1760475272018; Tue, 14 Oct 2025 13:54:32 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:31 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 10/18] libraw: patch CVE-2025-43964 Date: Wed, 15 Oct 2025 09:53:53 +1300 Message-ID: <20251014205402.1487867-10-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120643 Details https://nvd.nist.gov/vuln/detail/CVE-2025-43964 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit 95f680e0df1844b259cb07d6668bf381439f784f) Signed-off-by: Ankur Tyagi --- .../libraw/libraw/0003-CVE-2025-43964.patch | 29 +++++++++++++++++++ .../recipes-support/libraw/libraw_0.21.2.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-oe/recipes-support/libraw/libraw/0003-CVE-2025-43964.patch diff --git a/meta-oe/recipes-support/libraw/libraw/0003-CVE-2025-43964.patch b/meta-oe/recipes-support/libraw/libraw/0003-CVE-2025-43964.patch new file mode 100644 index 0000000000..d7d7664da3 --- /dev/null +++ b/meta-oe/recipes-support/libraw/libraw/0003-CVE-2025-43964.patch @@ -0,0 +1,29 @@ +From 0ecd9906f70114a974809bb35b4ec9fe7fed9011 Mon Sep 17 00:00:00 2001 +From: Alex Tutubalin +Date: Sun, 2 Mar 2025 11:35:43 +0300 +Subject: [PATCH] CVE-2025-43964 + +additional checks in PhaseOne correction tag 0x412 processing + +CVE: CVE-2025-43964 +Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0] + +(cherry picked from commit a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0) +Signed-off-by: Ankur Tyagi +--- + src/decoders/load_mfbacks.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp +index f89aecce..95015d27 100644 +--- a/src/decoders/load_mfbacks.cpp ++++ b/src/decoders/load_mfbacks.cpp +@@ -495,6 +495,8 @@ int LibRaw::phase_one_correct() + unsigned w0 = head[1] * head[3], w1 = head[2] * head[4]; + if (w0 > 10240000 || w1 > 10240000) + throw LIBRAW_EXCEPTION_ALLOC; ++ if (w0 < 1 || w1 < 1) ++ throw LIBRAW_EXCEPTION_IO_CORRUPT; + yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6); + yval[1] = (float *)(yval[0] + head[1] * head[3]); + xval[0] = (ushort *)(yval[1] + head[2] * head[4]); diff --git a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb index d4750630e0..1303c0e8ac 100644 --- a/meta-oe/recipes-support/libraw/libraw_0.21.2.bb +++ b/meta-oe/recipes-support/libraw/libraw_0.21.2.bb @@ -6,6 +6,7 @@ SRC_URI = " \ git://github.com/LibRaw/LibRaw.git;branch=0.21-stable;protocol=https \ file://0001-CVE-2025-43961-CVE-2025-43962.patch \ file://0002-CVE-2025-43963.patch \ + file://0003-CVE-2025-43964.patch \ " SRCREV = "1ef70158d7fde1ced6aaddb0b9443c32a7121d3d" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72310 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7DF3CCD195 for ; Tue, 14 Oct 2025 20:54:36 +0000 (UTC) Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by mx.groups.io with SMTP id smtpd.web10.322.1760475275186070365 for ; Tue, 14 Oct 2025 13:54:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SQSB4vD7; spf=pass (domain: gmail.com, ip: 209.85.215.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f171.google.com with SMTP id 41be03b00d2f7-b62e7221351so4753043a12.1 for ; Tue, 14 Oct 2025 13:54:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475274; x=1761080074; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=CI1rn/ZUvgVNkGCXi9630AQ9Xsj3nH6f8JtWqRRoiKY=; b=SQSB4vD7bInXXmQkGZHmuaHrn6QT3+XU+heGgOVq6gP3oKb5s1Bz21a7B/r2JTYghl UC0RuS4mqYDuLBicdz1M8OD5RhfWU56WQb9j/e86sIl+WqMS9MT5vkfeJzfvzJY7UpAL Wk4SKReXSAxBvS8kZiwCAYIikKrWSIZ4sDO2wz2zCdBkBLS+/iCSRvfvew7YFx3rXI7r uenGhn9wsYhW/zBgfXeUPEYeoq6u6+5OB5xn5uhNqtOeK7YDeZ0+pbmXWDr7dFsTbGFj JVF5dKyxw4ZabJQxMCte/f3ibVdEL2hPSNCkJPIbb+sNq2yS4qBVRqYcnAGLCmvpzg2b bIrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475274; x=1761080074; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CI1rn/ZUvgVNkGCXi9630AQ9Xsj3nH6f8JtWqRRoiKY=; b=EHst2UmYdJ2NPcR0i1l+MnbEKRNygkoXU6JQRKwdf5wq2jQFJ3WNouGC9BavaGtsgM lqMzpvvhms6eGjfAiZXU+mFCHBOwJ4715oom25iG9WDxcYoGcYF5o80/vfq+uSx5Iny/ KEUtZ5pTDq1XRx3bG5GZW3cQVMexjiToNda+f/+V2TuAb5/RVNmNec5XNsvwRsC/3W8k lRFnl+BmjuBBpCClYD4SrUSSz0aJxMDEjMl0WWcA6673GriHho8i9m3nZVhIVYi/RPEC iFxe+WaM6EwCYbilxuTf2LAW8NkDHr3hyk2XrMRaWdAAcYoclcuZAjTMaBSEicEKTAZJ B9rQ== X-Gm-Message-State: AOJu0YxkZ8EA2PNUV8m8Jv6zyhq4lc0J7lSv1Doeto/L93eAXdUOISXV jpRk5IFilhDREQpbOigoRjGRt8JKIIJa/19LW+3BWk/GpxHoVRnAfETxauefOw== X-Gm-Gg: ASbGncvc1wyN9s4V+VHH4SGs4ly4Jbva0l+SM2D2PsOHaEi+dayiiCKevGgwpm//iH4 3tuQBEc2l2ONj+zHZx3WtyOWlu2dYxuj2h49IzpOaRQuj9Ni4w4ad3elBN8ApfoyvvTIa+XfDCg CC8q4nOjTVHxfz8XmIvoVwoyOsGdX+Bf0NKWXuc4EICOKZhc6iDsFUGgYAcZIFZZrAzIUwjbf4b B80bYycUYoBesoiLfs1crbmZZNvxcg0DzODu8JrpNU7Q6GiGn1InlxJlEpT5MctL3VWlB0pbaE0 P7x0OGCCLy6t7Sqes+GACRix4d9QcbLhH8ySi7MACaKIwRFtZZnFEOOgy5UCOW11xkpefkh1cLG LyD7NAM3GcRQ4+PSEeW/2KPDO3PS46RsXeSsEuag6Zi0iU0AIwrDdE0p57r+EsO+0nA== X-Google-Smtp-Source: AGHT+IGut4CH3+z4dL8f7DMln0EQo4iz1TXckFYyXDKLDVdqXIVDRG0p1sn3SC0j6NwUsuCoIbNKqQ== X-Received: by 2002:a17:903:3c30:b0:270:ea84:324a with SMTP id d9443c01a7336-290272c1898mr341305185ad.38.1760475274466; Tue, 14 Oct 2025 13:54:34 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:34 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi , Gyorgy Sarvari Subject: [oe][meta-oe][scarthgap][PATCH 11/18] zlog: fix CVE-2024-22857 Date: Wed, 15 Oct 2025 09:53:54 +1300 Message-ID: <20251014205402.1487867-11-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120644 Backport a fix from upstream https://github.com/HardySimpson/zlog/commit/c47f781a9f1e9604f5201e27d046d925d0d48ac4 Signed-off-by: Ankur Tyagi Signed-off-by: Gyorgy Sarvari (cherry picked from commit dead2a0070f640d782f64a1ed45b0aa539a131c6) Signed-off-by: Ankur Tyagi --- ...E-2024-22857-buffer-overflow-patched.patch | 31 +++++++++++++++++++ meta-oe/recipes-extended/zlog/zlog_1.2.16.bb | 4 ++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-extended/zlog/zlog/0001-CVE-2024-22857-buffer-overflow-patched.patch diff --git a/meta-oe/recipes-extended/zlog/zlog/0001-CVE-2024-22857-buffer-overflow-patched.patch b/meta-oe/recipes-extended/zlog/zlog/0001-CVE-2024-22857-buffer-overflow-patched.patch new file mode 100644 index 0000000000..1f11b07216 --- /dev/null +++ b/meta-oe/recipes-extended/zlog/zlog/0001-CVE-2024-22857-buffer-overflow-patched.patch @@ -0,0 +1,31 @@ +From bffbd94a0807efbab0f449b13d622d3cffa224a4 Mon Sep 17 00:00:00 2001 +From: Ali Raza +Date: Thu, 29 Feb 2024 11:36:25 +0500 +Subject: [PATCH] CVE-2024-22857: buffer overflow patched + +CVE: CVE-2024-22857 +Upstream-Status: Backport [https://github.com/HardySimpson/zlog/commit/c47f781a9f1e9604f5201e27d046d925d0d48ac4] + +(cherry picked from commit c47f781a9f1e9604f5201e27d046d925d0d48ac4) +Signed-off-by: Ankur Tyagi +--- + src/rule.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/rule.c b/src/rule.c +index ae3d74f..38d3fdc 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -866,8 +866,10 @@ zlog_rule_t *zlog_rule_new(char *line, + } + break; + case '$' : +- sscanf(file_path + 1, "%s", a_rule->record_name); +- ++ // read only MAXLEN_PATH characters from the file_path + 1 ++ strncpy(a_rule->record_name, file_path + 1, MAXLEN_PATH); ++ a_rule->record_name[MAXLEN_PATH] = '\0'; ++ + if (file_limit) { /* record path exists */ + p = strchr(file_limit, '"'); + if (!p) { diff --git a/meta-oe/recipes-extended/zlog/zlog_1.2.16.bb b/meta-oe/recipes-extended/zlog/zlog_1.2.16.bb index b75802f09f..86a465d285 100644 --- a/meta-oe/recipes-extended/zlog/zlog_1.2.16.bb +++ b/meta-oe/recipes-extended/zlog/zlog_1.2.16.bb @@ -4,7 +4,9 @@ LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRCREV = "dc2c284664757fce6ef8f96f8b3ab667a53ef489" -SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https" +SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https \ + file://0001-CVE-2024-22857-buffer-overflow-patched.patch \ + " S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72311 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE1ABCCD18E for ; Tue, 14 Oct 2025 20:54:46 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web10.324.1760475277544719995 for ; Tue, 14 Oct 2025 13:54:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=VzKwQvLk; spf=pass (domain: gmail.com, ip: 209.85.214.181, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-27eec33b737so86333055ad.1 for ; Tue, 14 Oct 2025 13:54:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475277; x=1761080077; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=EPc7iKlstsvTVWGdFgSMKhJkV6O2egiIM4zYzISJyTY=; b=VzKwQvLk+RE5+ger987K0/XUJy8d8AXWVonCEw7ThLJibOleFYqyJ8V2fZsNsx8PZ0 WegOOCffeYesueLDnpmkl9WFdQ5QpjG29wrDs/M1DgB3Z5/3b7JzbmKuCV3fGWK8rOSL U0vel6r94CSrOgy9SThmdRxsmvIUSxoYGKITBi0KDqswWvMCmwxIkt54aluxaTOVlJxq k7qV60ELMpjmCYOIEL0yY7Si3YwZHWlZVtg25C4gmnpaJI/QQZuoUfgdtt756aPFO94i ZMIlrO847bq7Fyjh26dMsWEnJrHLYVtXiSdcNRqMxKfs1TIqnQvELFaY/O24sCC9LM7p GgAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475277; x=1761080077; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EPc7iKlstsvTVWGdFgSMKhJkV6O2egiIM4zYzISJyTY=; b=fCP5rJETJs99FPgpTTQ0kXGbcqauw8TVGE5vi5tN89wLDK/8Qzj/sJLw/BtZkp11oF Vbeyn5MfFrTsezVI8L034ibglyoWEUZJs23gukYNySuYDFxU2OGobbWxKmKUhw9ODY5O EwElSXN678yc5q9ycb7Uzdqo2YYFHotyq2SPejXunoIIv44zZGTkVXH/8kARLAVqtcV/ IAI/nekflSYtp1KtJ2s6YT3Tfh7zxPOf7fam3V8TU4UTfSE8szR5EFpmUPPydjSJw0nb D3SZA0FOEQ1Bt5wPzdIVXS9MFiCEW79CTvIUHdyXFmANEYNhRSu0sh6t2AQsBODySpaA PPUQ== X-Gm-Message-State: AOJu0Yy33QHqZIWZNlbPp4Tm/Lh7nhiYKvg0yyWuKih4tSg2rjkhcHvE MAVxllQ64eqELViqjrVNKzsrj8ap0CzyDtGpt5nbzBkWVhINB32zTIyEJkPaBw== X-Gm-Gg: ASbGncsWF46N0uisxKxOKvNyIslYdhRaaQSBH4v5Bda6T/cRvXR6bPrNA+ec2sJlqIA YlbiNDLuqtHBsBuYc8nSleZRNJ6h56ZCUjqHStz+BXHCkIvaeD0BF9ATRDeJTT55CbfZSlDfZMw EY23P/Cu1ZR6ZF3LcKU1fYxxg8Vkk6HF9JlYS1vBlwl1IHLLgvgJufx4aZ4HIVtqy3rTPXHXW4Z Hu4eJx9n1KUvn0hO7Kwrn/a81wselKwaSaYnkhtZNuFCOtc/8m0NpfQ7XAXz+LLEatyGqMYgmq7 EMfbaPxzQ0YD4taDWsER4npwTTKwuL9YDT3KVqwW0RTLz/aMvuQ6huLUigO1K3BppBhl+eDZrAl DKhsEtR0lkz7gAcazQ32D/Bjb/ocSQbaTl508HSDDVD+LkVmtmSEejKTfWifq+FAG1Q== X-Google-Smtp-Source: AGHT+IHSMu8uU1FdhARZKPg1r4u2zFdRMH/JEAiFmtx5YmNJWwA8aMcrCIT3UUzOaRYxx4YdztfSmQ== X-Received: by 2002:a17:902:cccd:b0:266:272b:7277 with SMTP id d9443c01a7336-29027319264mr347760555ad.59.1760475276796; Tue, 14 Oct 2025 13:54:36 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:36 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 12/18] exiv2: patch CVE-2025-26623 Date: Wed, 15 Oct 2025 09:53:55 +1300 Message-ID: <20251014205402.1487867-12-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120645 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26623 Apply the first to PRs from the relevant issue. (The second PR adds a test, and the 3rd PR tries to reimplement correctly the feature that introduced the vulnerability: it is switching some raw pointers to smart pointers. It was not picked because the 1. In the original issue it is stated that the first PR itself fixes the vulnerability 2. The patch doesn't apply clean due to the time gap between our and their version 3. The behavior of the application does not change ) Signed-off-by: Gyorgy Sarvari (cherry picked from commit 7907a3e206fb049e609996df8d09141bfb291fcd) Signed-off-by: Ankur Tyagi --- .../0001-Revert-fix-copy-constructors.patch | 82 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb | 4 +- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch new file mode 100644 index 0000000000..b3074e2823 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Revert-fix-copy-constructors.patch @@ -0,0 +1,82 @@ +From f338465efb49166c543dcc2fc52810370ea90475 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Mon, 17 Feb 2025 16:34:40 -0800 +Subject: [PATCH] Revert "fix copy constructors" + +This reverts commit afb2d998fe62f7e829e93e62506bf9968117c9c5. + +This commit is wrong and ends up resulting in use after frees because of +C pointers. The proper solution is shared_ptr instead of C pointers but +that's a lot more involved than reverting this. + +Signed-off-by: Rosen Penev + +CVE: CVE-2025-26623 +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3174/commits/638ff11ce7480000974b5c619eafcb8618e3b586] +Signed-off-by: Gyorgy Sarvari +--- + src/tiffcomposite_int.cpp | 19 +++++++++++++++++++ + src/tiffcomposite_int.hpp | 6 +++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp +index 95ce450c7..3e6e93d5c 100644 +--- a/src/tiffcomposite_int.cpp ++++ b/src/tiffcomposite_int.cpp +@@ -127,6 +127,25 @@ TiffEntryBase::TiffEntryBase(const TiffEntryBase& rhs) : + storage_(rhs.storage_) { + } + ++TiffDirectory::TiffDirectory(const TiffDirectory& rhs) : TiffComponent(rhs), hasNext_(rhs.hasNext_) { ++} ++ ++TiffSubIfd::TiffSubIfd(const TiffSubIfd& rhs) : TiffEntryBase(rhs), newGroup_(rhs.newGroup_) { ++} ++ ++TiffBinaryArray::TiffBinaryArray(const TiffBinaryArray& rhs) : ++ TiffEntryBase(rhs), ++ cfgSelFct_(rhs.cfgSelFct_), ++ arraySet_(rhs.arraySet_), ++ arrayCfg_(rhs.arrayCfg_), ++ arrayDef_(rhs.arrayDef_), ++ defSize_(rhs.defSize_), ++ setSize_(rhs.setSize_), ++ origData_(rhs.origData_), ++ origSize_(rhs.origSize_), ++ pRoot_(rhs.pRoot_) { ++} ++ + TiffComponent::UniquePtr TiffComponent::clone() const { + return UniquePtr(doClone()); + } +diff --git a/src/tiffcomposite_int.hpp b/src/tiffcomposite_int.hpp +index 4506a4dca..307e0bd9e 100644 +--- a/src/tiffcomposite_int.hpp ++++ b/src/tiffcomposite_int.hpp +@@ -851,7 +851,7 @@ class TiffDirectory : public TiffComponent { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffDirectory(const TiffDirectory&) = default; ++ TiffDirectory(const TiffDirectory& rhs); + //@} + + //! @name Protected Manipulators +@@ -944,7 +944,7 @@ class TiffSubIfd : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffSubIfd(const TiffSubIfd&) = default; ++ TiffSubIfd(const TiffSubIfd& rhs); + TiffSubIfd& operator=(const TiffSubIfd&) = delete; + //@} + +@@ -1346,7 +1346,7 @@ class TiffBinaryArray : public TiffEntryBase { + //! @name Protected Creators + //@{ + //! Copy constructor (used to implement clone()). +- TiffBinaryArray(const TiffBinaryArray&) = default; ++ TiffBinaryArray(const TiffBinaryArray& rhs); + //@} + + //! @name Protected Manipulators diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 3e33ab7953..81e9954c1d 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb @@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2" DEPENDS = "zlib expat brotli libinih" -SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x" +SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \ + file://0001-Revert-fix-copy-constructors.patch \ + " SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72312 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE1E3CCD190 for ; Tue, 14 Oct 2025 20:54:46 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web11.371.1760475279978148351 for ; Tue, 14 Oct 2025 13:54:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=MIqbqyNj; spf=pass (domain: gmail.com, ip: 209.85.214.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-27c369f8986so53154615ad.3 for ; Tue, 14 Oct 2025 13:54:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475279; x=1761080079; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/E9IK7jx4kGsq0qhSO9ij4dF/XwZmeonzqoX36aXpZM=; b=MIqbqyNjmLDnHG91UmckR5j3GJ4+soN5iKjtPs5b2nXBIQ7F+5gAD5uGfVVpk+HF8N NyRivn4agFUDR+117cz1R5tSxkv/UlzqKgQyHsRbwZwtdDSb40vBncuokHguY23dwfT/ +/utSuGf0j/U/c7Y2Wbkn6Ar8BYdEvAZE5X9xO9f6bQCRaOs/2bL2jJqzieqtSp7qUBv TE3uGj4/j83Ysv3YcrWAr3uZ9SHtUOdrQVKcq69Z+xxEy4+yez7esvScnwl91p8PPc4u ymgP2lTi+FaqnofSy52ExDFyhlKmPBvphAEyh/YOcxioGsFseMPDLAx+HDRWzle6GK12 9dTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475279; x=1761080079; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/E9IK7jx4kGsq0qhSO9ij4dF/XwZmeonzqoX36aXpZM=; b=axW5z/qdmDKuw6sRraydmS060Ud1NANFFN/uduNfSyzsOTKlZUF5IzGtxnq/KfZ6uh hoFFxrqKte2Ksu1hiKPjpMO428OdHMTZLnUkCbKTpdF1g30O6MYWCH5oGWriPOFIxrsz exl326tI8Dr5KYwFeMScXyEEFjf9UQHnPOEKr6Bk/RG/TNy947ICzERGnBkgyTNcnxsS EAjhJRkEk74p2jFaUTk3F2rK84oCcNauDAMT20mEer42cLaTJ4zeSh7l4QGjtnxIM7+J KVgGZyScOkqNPXvzWYZ9kqU/k1MQbkBe0UXo8nbby/5S64gv4ZHcMIgcP8Z4C2BnDPoD ie5w== X-Gm-Message-State: AOJu0YwvuyHDZI/vxOUVCO+xtLITaSIhz61oVMv89UvPwZciFfpxVAJK K2wvKbMlvepS2rg/pTVisir977oGHtLAe7dvTWM5S7Drd8wVDoyOJJRbQWziMA== X-Gm-Gg: ASbGncvHEvzQ+y+24f+Jtca6GHgxitZiHOuigtQINk2d0rDc3oiuPaxYjX5Guo56Hrx 71cGbhtTtoSvR4VrBW7e4oO/fIlpfSFos/Iu+AbTjDkp/dhiSwA7RGIJg96re/rmtbXyzXtm4Me B0PVQXecwJviywGjNKonRp9i8muy8e5GB2KgbOGsGVK0XyRf2T1ObEH6dV/qAemddgaVswYSLwH 25YX9p/AfulFmW93ZJm6Q31bLAIsfBawZfuLA3wRQ+lCplkn8RvnFwOrMeGXSaPGPuyn66uIJ/R hdpiyTqQ48g15YVzCBctOnuVPdKgK6ZWWJ15qQLw8Eoij9MLT+C84v3nk6hZnEoyovLz0178LXQ a8qSWXOAjEkDJOmHn2HFAn1CK7XyqtR+nGvGKYtgTjUS3FeDzndaK390= X-Google-Smtp-Source: AGHT+IGKfIs2b5fN7+KmFreCGSwpUMwCeELCFay6hEyXi6yJleRqE5G/S/wZa0/EyX/VlCbR2He8yg== X-Received: by 2002:a17:903:247:b0:26a:23c7:68da with SMTP id d9443c01a7336-2902739a818mr309524505ad.25.1760475279134; Tue, 14 Oct 2025 13:54:39 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:38 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 13/18] exiv2: patch CVE-2025-54080 Date: Wed, 15 Oct 2025 09:53:56 +1300 Message-ID: <20251014205402.1487867-13-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120646 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2025-54080 Backport the patch mentioned in the details. Signed-off-by: Gyorgy Sarvari (cherry picked from commit 40036aa47ad24659d20643195525310fc5fce123) Signed-off-by: Ankur Tyagi --- .../exiv2/exiv2/0001-CVE-2025-54080-fix.patch | 77 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-CVE-2025-54080-fix.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-CVE-2025-54080-fix.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-CVE-2025-54080-fix.patch new file mode 100644 index 0000000000..6a4c80f8a8 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-CVE-2025-54080-fix.patch @@ -0,0 +1,77 @@ +From 6a0c63f1362dac8badfad5d2dcc55fb4ff04fc60 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Tue, 29 Jul 2025 18:58:46 +0100 +Subject: [PATCH] CVE-2025-54080 fix + +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0] +CVE: CVE-2025-54080 +Signed-off-by: Gyorgy Sarvari +--- + src/epsimage.cpp | 40 +++++++++++----------------------------- + 1 file changed, 11 insertions(+), 29 deletions(-) + +diff --git a/src/epsimage.cpp b/src/epsimage.cpp +index 2e2241b69..bb4aa3303 100644 +--- a/src/epsimage.cpp ++++ b/src/epsimage.cpp +@@ -241,6 +241,8 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList + uint32_t posTiff = 0; + uint32_t sizeTiff = 0; + ++ ErrorCode errcode = write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData; ++ + // check for DOS EPS + const bool dosEps = + (size >= dosEpsSignature.size() && memcmp(data, dosEpsSignature.data(), dosEpsSignature.size()) == 0); +@@ -248,12 +250,8 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList + #ifdef DEBUG + EXV_DEBUG << "readWriteEpsMetadata: Found DOS EPS signature\n"; + #endif +- if (size < 30) { +-#ifndef SUPPRESS_WARNINGS +- EXV_WARNING << "Premature end of file after DOS EPS signature.\n"; +-#endif +- throw Error(write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData); +- } ++ ++ enforce(size >= 30, errcode); + posEps = getULong(data + 4, littleEndian); + posEndEps = getULong(data + 8, littleEndian) + posEps; + posWmf = getULong(data + 12, littleEndian); +@@ -285,29 +283,13 @@ void readWriteEpsMetadata(BasicIo& io, std::string& xmpPacket, NativePreviewList + if (write) + throw Error(ErrorCode::kerImageWriteFailed); + } +- if (posEps < 30 || posEndEps > size) { +-#ifndef SUPPRESS_WARNINGS +- EXV_WARNING << "DOS EPS file has invalid position (" << posEps << ") or size (" << (posEndEps - posEps) +- << ") for EPS section.\n"; +-#endif +- throw Error(write ? ErrorCode::kerImageWriteFailed : ErrorCode::kerFailedToReadImageData); +- } +- if (sizeWmf != 0 && (posWmf < 30 || posWmf + sizeWmf > size)) { +-#ifndef SUPPRESS_WARNINGS +- EXV_WARNING << "DOS EPS file has invalid position (" << posWmf << ") or size (" << sizeWmf +- << ") for WMF section.\n"; +-#endif +- if (write) +- throw Error(ErrorCode::kerImageWriteFailed); +- } +- if (sizeTiff != 0 && (posTiff < 30 || posTiff + sizeTiff > size)) { +-#ifndef SUPPRESS_WARNINGS +- EXV_WARNING << "DOS EPS file has invalid position (" << posTiff << ") or size (" << sizeTiff +- << ") for TIFF section.\n"; +-#endif +- if (write) +- throw Error(ErrorCode::kerImageWriteFailed); +- } ++ enforce(30 <= posEps, errcode); ++ enforce(sizeWmf == 0 || 30 <= posWmf, errcode); ++ enforce(sizeTiff == 0 || 30 <= posTiff, errcode); ++ ++ enforce(posEps <= posEndEps && posEndEps <= size, errcode); ++ enforce(posWmf <= size && sizeWmf <= size - posWmf, errcode); ++ enforce(posTiff <= size && sizeTiff <= size - posTiff, errcode); + } + + // check first line diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 81e9954c1d..947d13208d 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb @@ -6,6 +6,7 @@ DEPENDS = "zlib expat brotli libinih" SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \ file://0001-Revert-fix-copy-constructors.patch \ + file://0001-CVE-2025-54080-fix.patch \ " SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72313 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B55D0CCD195 for ; Tue, 14 Oct 2025 20:54:46 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.326.1760475282180778166 for ; Tue, 14 Oct 2025 13:54:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jluXLaRL; spf=pass (domain: gmail.com, ip: 209.85.214.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-279e2554b6fso43359995ad.2 for ; Tue, 14 Oct 2025 13:54:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475281; x=1761080081; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vbBadCOgCowt0UekIjc77ddK4E30Ff5pYfVWp+JuqxU=; b=jluXLaRLj6ZHk+hWGDp0+2lEVnvK17AKINOOabU5UksIDUXNNhE80HvJmTw/o60pYT AQu5+0NXZHtC3+SZcZWoVniQtVfGWUgdCnR2gnu1HfEzMKlCTYTIxeBpxsAgSo/WCM1x w9rsqFCEBt3L2VZDbf/fnY7kmGxM+zUYhRWX8wp4NDhE21QGwtT4/5fkhUGzcxTWcAO2 Yij0xyTd80XhYXbm+VXjqv3FmvxbcwFLFUo8Bv37jQHsSY6N7NjBP2bf7UBf+xFuWnmF LQb0z9T1emrje0t63q5mmYa3lUXrzh+qmJoUxXe0UhH1BtW+8CRZSp7TXtetU2lxZvYp jIhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475281; x=1761080081; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vbBadCOgCowt0UekIjc77ddK4E30Ff5pYfVWp+JuqxU=; b=LKCKGHEYaN+yi1uFef1tfbdJB27B/ydzL5SHPSzJmC+zTKBfUCet+PWlhUUvCW+gVG Dp3y48qSpzI2omJFBDG0Sg5wal4v2KdzP+GnqyJ08649axAKQwhofi5JgNB0AefY8yE3 faMMdEB3EtAXU/BcYnjO0Odbsu+2zO8wpT2X5VtmS7XPIxtMzbGzZhSTCbZOr3mbOwDP lxsJJbMq2Fc0d20D9yAl7ehC5YWGhVlxKLxFhqY1tD2G4PoumwKqkyv1jxx4W/YBePp5 oCQ3yNV11faa/u1AKopeEy9p9CAwB2YI0Es8m62YpPJhdrGHsJ+joaUjrwkGmXWShOzt dANA== X-Gm-Message-State: AOJu0Yxb/ADnm/px30R2fQ3yfMS4foNkdacbJWR7vw3olcc1wdbeb/fw P6n6Wewa8/7lp5dHqxzYkKbu/dO5B4gFmjhkH6+0teGj/qXRYF//vxyNfaa6wg== X-Gm-Gg: ASbGnctXV3jcCyr6w2CYxkUWDlwYq1RCk27VyGK3FRlTc+buyA0F8MiH9BqIDY4dCd6 deXqghFavH7GjweVEgnY65sQ3SMDZGaXt9cvAwNH0+G2x4ET0N0IrnAHhafFNZ4Cj5bDOCSfErC qCjp9szDC76Lnuk4PYhb1Hy3Y2jWGHzpCri4O49dEJiGsHpLoNmQXbcPiqsyPd6cwe/JSUQ68iJ 2wIUDmN6ZJaoGnCdv4Mg5Viw2i4/lKJL0iQpwuLArMaFPfCstiqqMH6Jwt9Rr3vh1iCglDK6CPy trZeE2yNuWIevDw9vCppmABxZaGa7CHWjqHu3nJAx1kEEgNDTB0pw+ZqM+8TR+5WS+HB3L20vb0 mlibnchp+dF9iRD5PAdfDQwegCQqjczm0n5W0RPNXHPc6IYL/zZbdnyfTnIdyrdSzOA== X-Google-Smtp-Source: AGHT+IEwEYFcRK1Fx2jQ2srltj2UqxYKmz0AZq4MB+HmTPtaT+kpCsDGjaiNQKP8A5LMU+IpVZJpfw== X-Received: by 2002:a17:902:e952:b0:27e:f018:d2fb with SMTP id d9443c01a7336-2902735667emr334807295ad.6.1760475281460; Tue, 14 Oct 2025 13:54:41 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:41 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 14/18] exiv2: patch CVE-2025-55304 Date: Wed, 15 Oct 2025 09:53:57 +1300 Message-ID: <20251014205402.1487867-14-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120647 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55304 Backport patch mentioned in the details of the vulnerability. Signed-off-by: Gyorgy Sarvari (cherry picked from commit f47fdfd73090c996f4edf9c7921bc07bbdffd908) Signed-off-by: Ankur Tyagi --- ...ppendIccProfile-to-fix-quadratic-per.patch | 96 +++++++++++++++++++ meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb | 1 + 2 files changed, 97 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch diff --git a/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch new file mode 100644 index 0000000000..a0399c539b --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch @@ -0,0 +1,96 @@ +From 14a862213873b3f81941721a5972853fd269ca63 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Fri, 15 Aug 2025 12:08:49 +0100 +Subject: [PATCH] Add new method appendIccProfile to fix quadratic performance + issue. + +Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/3345/commits/e5bf22e0cebeabeb2ffd40678344467a271be12d] +CVE: CVE-2025-55304 +Signed-off-by: Gyorgy Sarvari +--- + include/exiv2/image.hpp | 10 ++++++++++ + src/image.cpp | 29 +++++++++++++++++++++-------- + src/jpgimage.cpp | 7 +------ + 3 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/include/exiv2/image.hpp b/include/exiv2/image.hpp +index 629a8a4fd..072016013 100644 +--- a/include/exiv2/image.hpp ++++ b/include/exiv2/image.hpp +@@ -191,6 +191,16 @@ class EXIV2API Image { + @param bTestValid - tests that iccProfile contains credible data + */ + virtual void setIccProfile(DataBuf&& iccProfile, bool bTestValid = true); ++ /*! ++ @brief Append more bytes to the iccProfile. ++ @param iccProfile DataBuf containing profile (binary) ++ @param bTestValid - tests that iccProfile contains credible data ++ */ ++ virtual void appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid); ++ /*! ++ @brief Throw an exception if the size at the beginning of the iccProfile isn't correct. ++ */ ++ virtual void checkIccProfile(); + /*! + @brief Erase iccProfile. the profile is not removed from + the actual image until the writeMetadata() method is called. +diff --git a/src/image.cpp b/src/image.cpp +index f06660cf7..eb6b3eb0a 100644 +--- a/src/image.cpp ++++ b/src/image.cpp +@@ -625,16 +625,29 @@ void Image::setComment(const std::string& comment) { + } + + void Image::setIccProfile(Exiv2::DataBuf&& iccProfile, bool bTestValid) { ++ iccProfile_ = std::move(iccProfile); + if (bTestValid) { +- if (iccProfile.size() < sizeof(long)) { +- throw Error(ErrorCode::kerInvalidIccProfile); +- } +- const size_t size = iccProfile.read_uint32(0, bigEndian); +- if (size != iccProfile.size()) { +- throw Error(ErrorCode::kerInvalidIccProfile); +- } ++ checkIccProfile(); ++ } ++} ++ ++void Image::appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid) { ++ const size_t start = iccProfile_.size(); ++ iccProfile_.resize(Safe::add(start, size)); ++ memcpy(iccProfile_.data(start), bytes, size); ++ if (bTestValid) { ++ checkIccProfile(); ++ } ++} ++ ++void Image::checkIccProfile() { ++ if (iccProfile_.size() < sizeof(long)) { ++ throw Error(ErrorCode::kerInvalidIccProfile); ++ } ++ const size_t size = iccProfile_.read_uint32(0, bigEndian); ++ if (size != iccProfile_.size()) { ++ throw Error(ErrorCode::kerInvalidIccProfile); + } +- iccProfile_ = std::move(iccProfile); + } + + void Image::clearIccProfile() { +diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp +index 34187dc63..2c29135ae 100644 +--- a/src/jpgimage.cpp ++++ b/src/jpgimage.cpp +@@ -268,12 +268,7 @@ void JpegBase::readMetadata() { + icc_size = s; + } + +- DataBuf profile(Safe::add(iccProfile_.size(), icc_size)); +- if (!iccProfile_.empty()) { +- std::copy(iccProfile_.begin(), iccProfile_.end(), profile.begin()); +- } +- std::copy_n(buf.c_data(2 + 14), icc_size, profile.data() + iccProfile_.size()); +- setIccProfile(std::move(profile), chunk == chunks); ++ appendIccProfile(buf.c_data(2 + 14), icc_size, chunk == chunks); + } else if (pixelHeight_ == 0 && inRange2(marker, sof0_, sof3_, sof5_, sof15_)) { + // We hit a SOFn (start-of-frame) marker + if (size < 8) { diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index 947d13208d..db32398b4f 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb @@ -7,6 +7,7 @@ DEPENDS = "zlib expat brotli libinih" SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x \ file://0001-Revert-fix-copy-constructors.patch \ file://0001-CVE-2025-54080-fix.patch \ + file://0001-Add-new-method-appendIccProfile-to-fix-quadratic-per.patch \ " SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e" S = "${WORKDIR}/git" From patchwork Tue Oct 14 20:53:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72314 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9294CCD196 for ; Tue, 14 Oct 2025 20:54:46 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web11.376.1760475284753829432 for ; Tue, 14 Oct 2025 13:54:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DGJpKBDS; spf=pass (domain: gmail.com, ip: 209.85.214.181, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-2698384978dso41076855ad.0 for ; Tue, 14 Oct 2025 13:54:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475284; x=1761080084; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=V1H/ipdKeGjytMyN0hl/+I6wr3SIrllewKisFWn7BRs=; b=DGJpKBDSb2ctpillQr2DUfKACOgVmJXoYcokaYththX1IsZX8vkj78mr6FDBbX2pFf EeN9HgpsnfSwDpGoPVNBSfDmmDqK4g8T/irFL4R40nY9cOsa5hSrY2u3KUz9POwT4UXy /PucTwp9vGhXkhID6pXXwW5KsW7CX05AUDGpTNRHMNOFSHgEQfCmb+uF0B0oXQjJHKwv oKD8Ux//e8wQXyYrM2bN8FVlOzCuYaECPuItI3Mv1kq1qGQ7UBCaql/hRUFGY+zterth xwjLHIHqhJg3KRkauNY2jb1L2KpiUMA/s5KltEcDojYdWruJO/RjcctcJ0tLvupi3xIM 8Uvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475284; x=1761080084; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=V1H/ipdKeGjytMyN0hl/+I6wr3SIrllewKisFWn7BRs=; b=acz+bJa4TxOzoC6919uyS1bUL5LGiRt6Ldf24pltTCIcxsDi7fgQRyc+As+y5VqJLo hR2Q7nGHnPYUkWnaRna/tG3VZ90OzAyFOMz0mjWjRQ7e4GaCRCc8opUVkaBWgcTFq1WF HzvvyeNJHGCY43J6MoRtIEMRTOz5aaWyq5tO3j+Up+TZ7estRoHYPLvl/Qy8+TToimIZ 8P4AjFx2cbN3ip9ZjQ0thhqoqhln0AuZSfGH0Dnthw7P8J1CCvvHZ7uhcKG1pRZ+tSV5 OR4hZeQHHkHR1R9fwxPvdRvHZnt/Jwb9kSpUM2Komcf4/H/P92tUOC13bGCHzknaBUiV C6RA== X-Gm-Message-State: AOJu0YytND+FbB2rl7Zb68rXEwehWjjQcWp/5v8MO5eQ+GzCdeDQqrOY a5yhwd/uw1jQBelzeEJ0RYGW4L9tp8leiQZ/44GeSf107hDZyAJvhA4x/fbgog== X-Gm-Gg: ASbGncvDEE1mnuEO+TI9wLA4N4OfTGoo7ii7Pul1q4NwjySbUG0InD2GRhmZO+ya3Ax z/ls5WMMS6z82IyfD8BTU6mA0hmM/9pvrn9HZLrkBqnS/NMsp4icL+JNUZq/qRFal0BCzwQZpZW nWepmm+WQyrbazTEt+XtCO04XhL2MgETJhm+8t+17pzeOm3ps1qj510t+lCbbxYasdsMSHQuCzZ YQUAaj9hPvEqsA2kqe9nclGNIzV6u5uFIqEFMgEG7OcsE1FNeSt4zJgxd4Og6ehU6otR3dCMRwu saz24oMqEHAjUa8NV0oXK2Gh8H52Wkvn9iZpi6ybUqaHo7/IIouhK5XpfO+U2bKfKasFH3WHRrv yRt6Vl7HhZ7viYk2ImaGnVovipjLSoEHOq3SdKB0ZvCJQWCPwstGFpcU= X-Google-Smtp-Source: AGHT+IGJahdaroHgEGP9KLMXnza0uj/6wd3ro4iXr5Zb8Wws44F45kpNRR2R+Xwv6avAi7E+esiRgQ== X-Received: by 2002:a17:903:8cd:b0:269:8d85:2249 with SMTP id d9443c01a7336-29027240d03mr281852325ad.22.1760475284023; Tue, 14 Oct 2025 13:54:44 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:43 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Peter Marko , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 15/18] gattlib: mark CVE-2019-6498 as fixed Date: Wed, 15 Oct 2025 09:53:58 +1300 Message-ID: <20251014205402.1487867-15-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120648 From: Peter Marko Our hash does not point to exact tag and CVE patch is already in. We use: 33a8a275928b186381bb0aea0f9778e330e57ec3 Fix: https://github.com/labapart/gattlib/commit/60b813a770e42fdb0e85c1d2da7a55327784b8d6 git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6 v0.2-262-g33a8a27 v0.2-85-g60b813a Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit e5a12d52522f10026570a5c48d6662a5359c4887) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-connectivity/gattlib/gattlib_git.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb index 7ad28d594d..0841dc2596 100644 --- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb +++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb @@ -17,6 +17,8 @@ SRCREV = "33a8a275928b186381bb0aea0f9778e330e57ec3" S = "${WORKDIR}/git" +CVE_STATUS[CVE-2019-6498] = "fixed-version: patch is already included in sources" + PACKAGECONFIG[examples] = "-DGATTLIB_BUILD_EXAMPLES=ON,-DGATTLIB_BUILD_EXAMPLES=OFF" # Set this to force use of DBus API if Bluez version is older than 5.42 From patchwork Tue Oct 14 20:53:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72315 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B683ACCD184 for ; Tue, 14 Oct 2025 20:54:56 +0000 (UTC) Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) by mx.groups.io with SMTP id smtpd.web11.378.1760475287109125535 for ; Tue, 14 Oct 2025 13:54:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k8sZb54p; spf=pass (domain: gmail.com, ip: 209.85.215.176, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-b5526b7c54eso3509405a12.0 for ; Tue, 14 Oct 2025 13:54:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475286; x=1761080086; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=AXQHJwFS0a+HJ0ixs5bXpKf7+JIbexdsYkmNmliyaZE=; b=k8sZb54pzdzekD1ftPdy/7TFGRW2ArdLV5gCvunK2ehux3tPsxKR5Qa2vRmuI0R2V2 h+0tBepFlhXTUkEIeoJW4LtnBZmWSn/vrP9YLnn9C8Xnk5I8zzpWUw6/EGGDb8L7gqDC q1149ojDHnc+UFTEQHf8QT/8Z7qqez6Y7+wlIGSmcLv2Ou7YDlHlVjyGNuN3lXM8pWTg kgESKQ6I/SGN4abRmLut32buxHigsZx5/FQcy8oEBaYH8Ly+S8tMplskQxOIF8fhJi1J jZHxQnobRmQGX5MpvJhjq0Cj3ZKSYNTa912kkMz3AtEpJfP0FuQkb+Oo2nz2FLu7p7NE lUJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475286; x=1761080086; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=AXQHJwFS0a+HJ0ixs5bXpKf7+JIbexdsYkmNmliyaZE=; b=QnvO+K0RC55AdnLjWnoCO+Z4fAFGaOjm1j5OVkb2uj7IDSfpJbKtNG8NWrm+aC+UHW l/yf0N0My5RwVPnadu84vS9zxIjnJL0tGkxS9DRqtRB6NrBRtqziTdXnT16AszLxGRrx OkhvdZy8CxlftQdbfdTTfHON/naOUpzdeIg9mcV70g7mPGzCHRATsbrf30f5VEiMu9N+ eHFaERopIqJqDBhHimqcyOXYi9LrXukQ6X7FQ8C3bTnztn4yr0peYniiGpTWx+SL1Atz S10RYAmACTB4Psxx9tYdRGd0HSIhbYPE6bWdETyOinberByaLycndPp5XomFPTEwZPzh WBmA== X-Gm-Message-State: AOJu0YwYYAJcwieaVFrhfwGSCkZyF/oJ7N0LAii/jeN7jw+OOIfDY49+ RXu64DsTorsxdc2WstbiXk+xyC8n/iJwqn8WXIvgtFIA8E4wCIWUvBUWN94e8w== X-Gm-Gg: ASbGncsJMLW7UTt4deoM0hYI1fGacEOqDKvIrSux2vI5679yJaOovtPd9cDya94XDib emENz3MXNQxUDcvgOWrMGuAA6wElox+vm2xGruhzy/vPdQ5PSnckopFk6IFTRj9zwiEMz4q7Gc1 5XbBjheZ8hDW+aRe1spSX0l7KaB/WMxFBjk8Y4X9RxAQd/sYRIZ6dff5TPqcF0T1xoP6MnOz6OQ yxgTzMu7dPn8681C1wIynEIUTVcgKav84yGbDxCK/B0SAukfuHTWa/W4dHOXt3n8Vfl0hyLhpFm /dbDE/IeXCV+Iqt46oy8zPX5iOhlYUGqcCBdffhDN5c4wGFpY+nybLCpwi0PyqOqASQLShLT3Yu iO7tquKvBxJpsrRjEgx1K7knbY3YJ4MwNJ3o93Dyxv6Qdv+hY6kjb6am00Jrm173LhA== X-Google-Smtp-Source: AGHT+IFUgm/i3MORLq4V9fxliPs3qK5f0qTyiFOMijrShQ9hK0nvyaoZRQFEkyZMbrEeVXJhvKg0VQ== X-Received: by 2002:a17:903:3885:b0:246:cfc4:9a30 with SMTP id d9443c01a7336-290272c037dmr321169835ad.35.1760475286317; Tue, 14 Oct 2025 13:54:46 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:46 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 16/18] influxdb: Do not remove non-existing files Date: Wed, 15 Oct 2025 09:53:59 +1300 Message-ID: <20251014205402.1487867-16-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120649 From: Khem Raj Signed-off-by: Khem Raj (cherry picked from commit cd6e2d8f53b45108ae9aa7b2a2988452dff4a2eb) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb index 5301071516..9506d0e55d 100644 --- a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb +++ b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb @@ -38,19 +38,20 @@ USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "--system -d /var/lib/influxdb -m -s /bin/nologin influxdb" do_install:prepend() { - rm ${B}/src/${GO_IMPORT}/build.py - rm ${B}/src/${GO_IMPORT}/build.sh - rm ${B}/src/${GO_IMPORT}/Dockerfile* + test -e ${B}/src/${GO_IMPORT}/build.py && rm ${B}/src/${GO_IMPORT}/build.py + test -e ${B}/src/${GO_IMPORT}/build.sh && rm ${B}/src/${GO_IMPORT}/build.sh + rm -rf ${B}/src/${GO_IMPORT}/Dockerfile* + sed -i -e "s#usr/bin/sh#bin/sh#g" ${B}/src/${GO_IMPORT}/scripts/ci/run_perftest.sh } do_install:append() { install -d ${D}${sysconfdir}/influxdb - install -m 0644 ${WORKDIR}/influxdb.conf ${D}${sysconfdir}/influxdb + install -m 0644 ${UNPACKDIR}/influxdb.conf ${D}${sysconfdir}/influxdb chown -R root:influxdb ${D}${sysconfdir}/influxdb install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/influxdb ${D}${sysconfdir}/init.d/influxdb + install -m 0755 ${UNPACKDIR}/influxdb ${D}${sysconfdir}/init.d/influxdb if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ] ; then install -d ${D}${sysconfdir}/logrotate.d From patchwork Tue Oct 14 20:54:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72316 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7ADACCD190 for ; Tue, 14 Oct 2025 20:54:56 +0000 (UTC) Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by mx.groups.io with SMTP id smtpd.web10.332.1760475289644343504 for ; Tue, 14 Oct 2025 13:54:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=K6g9TfZE; spf=pass (domain: gmail.com, ip: 209.85.215.181, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-b5507d3ccd8so4857832a12.0 for ; Tue, 14 Oct 2025 13:54:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475289; x=1761080089; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KUBBfd6aAwoxlRKb+QK2tOi9JT/wFOoS5ypqGD7WYjM=; b=K6g9TfZEN+E66hlqkYycWnMNVr1MHR0c9G30ssCMc+ILnCRTVR6ZThJFkoEOftek3E aUjYTxghLAC00twZlWDifoxYQq+BbbUeARA2zUUZ8mgtg9PfmotSUF973miMnEAF4HFw r8JR898pfHzOsalSxBDvDSkKCj9QCbj9sVgWcm2tiDt4PaTt3yd4hAxSvnSvsSKKQpfh TAM0I9TfM3Y0NtwN1Mk8LRAtsleBKYqm04wq921/FwjaEsIJaXr+jBkZLweUF/9xgtjF 7PHhCuGsUuDI/tOP5v9L9wmE+z3+kVNkH3EseoJZpNqck9kWSobZrIGCZIqSnzaqhUN+ BRAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475289; x=1761080089; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KUBBfd6aAwoxlRKb+QK2tOi9JT/wFOoS5ypqGD7WYjM=; b=hYFJZc3sfanJa/Gx40Ms9DDF6ZNPJ7ZEpuO5zTlfRns82fraYYLPUJ8sY81EZb0FOn f49mvTaWGUEYrWRQzML3xzqHJIVEAtfwNpJXgfTTim0vZSXy6EjMYL6g3XoQiSwqCZBH 4CALEstRwyS1cFdHDIJROMa3Vt27tNgza3VM+SaZv38z0mPlBhSAK/w11IEihjaMjOVz TvX+Q+wCvozRhCpNqwvGJ5wmS/JaCD3fQ2gs9Cyp4YVZJ94XJuH8TZKkg4hkCJbx7lMX FPwVxmFGHx5ilJ9rTS6SyCfe9wxK66SvyAhfjKTss9BwqYg5HYtebpOvQ4TVooxXOW5q yhGw== X-Gm-Message-State: AOJu0YxFQu2yxPtOVhWVJHsysUSp+i6uE/oQOanoxxuaKz802DQnDe3D cH3wqfRtoAtvzzgOHiD1Z7O9ZFuk12U9b4N1u7NfJHiJzF3MiJeU1Zl/q3T3Hw== X-Gm-Gg: ASbGncvjbz9hX8P2Xi5FgLQMry/S+oHxwsGHazQxflSJCzXc3CfTZXMwqTXuNvj8gz8 zZjqijN7utphFqutUK1OTGDF1BLVHQDJmBEPKlpq+f4cXDAXncTMNXbQPr6IGYl4EBgeYon4k1r X4nxXtKn7suUJTW0Ye8bfoQ6sZszsroQb1TN2KGogDqZq1fyRVwxmXhwjRNoeWmvzLWVOoPudoS W8Ew1xoE9Vkz+n649U72nBPdrkJSYTn/DweljYO/E9/zN/Ul9LsYMcAaRg3/D0XN7CY0AWBGHC5 Z2+cnwbKpYLF97IfH3lDzUc+jyeGEe6jtAD88wZPyTVVFl4aCT44WA3hpp/R/Upduc3ABYIiny8 eefY5Wt+vrqdfqqv6pcy0ny66oj4A20ZAH+hv/EWOe5lG1Pt6Pj6187izUTN1+QNbfw== X-Google-Smtp-Source: AGHT+IERMv/UpLv9H5BLNtZUPxMQNsU4o4nhexBieGpdgT3mei0kIWjrbOm33l6glM6rJovSLXodxA== X-Received: by 2002:a17:903:ac3:b0:272:dee1:c133 with SMTP id d9443c01a7336-2902723facfmr283829225ad.22.1760475288938; Tue, 14 Oct 2025 13:54:48 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:48 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ninette Adhikari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 17/18] influxdb: Update CVE status for CVE-2019-10329 Date: Wed, 15 Oct 2025 09:54:00 +1300 Message-ID: <20251014205402.1487867-17-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120650 From: Ninette Adhikari The version don't match and only the Jenkins plugin is affected. Signed-off-by: Ninette Adhikari Signed-off-by: Khem Raj (cherry picked from commit 524acf0542cafed3f5e82cd94291a653f6cf86e1) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb index 9506d0e55d..cc8161cc3d 100644 --- a/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb +++ b/meta-oe/recipes-dbs/influxdb/influxdb_1.8.10.bb @@ -38,7 +38,7 @@ USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "--system -d /var/lib/influxdb -m -s /bin/nologin influxdb" do_install:prepend() { - test -e ${B}/src/${GO_IMPORT}/build.py && rm ${B}/src/${GO_IMPORT}/build.py + test -e ${B}/src/${GO_IMPORT}/build.py && rm ${B}/src/${GO_IMPORT}/build.py test -e ${B}/src/${GO_IMPORT}/build.sh && rm ${B}/src/${GO_IMPORT}/build.sh rm -rf ${B}/src/${GO_IMPORT}/Dockerfile* @@ -75,3 +75,5 @@ INITSCRIPT_NAME = "influxdb" INITSCRIPT_PARAMS = "defaults" SYSTEMD_SERVICE:${PN} = "influxdb.service" + +CVE_STATUS[CVE-2019-10329] = "cpe-incorrect: Version does not match and only the Jenkins plugin is affected." From patchwork Tue Oct 14 20:54:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 72317 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1EFCCCD18E for ; Tue, 14 Oct 2025 20:54:56 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web11.380.1760475291808585613 for ; Tue, 14 Oct 2025 13:54:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=P8JMpjFh; spf=pass (domain: gmail.com, ip: 209.85.214.179, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-27d3540a43fso57138285ad.3 for ; Tue, 14 Oct 2025 13:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760475291; x=1761080091; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=aAbitykDe3OYlEZED5XRHUY1tK1YN7YxFN4UyIXXC0s=; b=P8JMpjFh816HuhF01dT/5wJYHR5ZObGWygs1zBMdo116fhmOZv6Xe2NB2lp/mFCrkj 4VonL7TnRUTclYXe1F6v147jFxtiF+SVC2wCGDLmI6vdhr5jxk9grRFWlnM+ANOkmdhp TvTaEWZ14voJcVinuBLKUy0mutYu/98iXrvdTLcThLbwCkXalPtwY32PUZ35MucPbLfz MfoEzdpxCAQJ838VbJrcC74iJ1JjLs8g0Koktm4cIfx1d6wRkialj3J9ZWyvhYQ00DHw Fq6syiuVy4881UI3tq8ibX6nkQ2JxnsPbnF9xM0YxIKC8BLmJYyADlw0i6ZG9jHXRjBv FOCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760475291; x=1761080091; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aAbitykDe3OYlEZED5XRHUY1tK1YN7YxFN4UyIXXC0s=; b=dYGSLB3ofaSXG425spuhUFTl1l17GjaNLX+cr63QEH4B8s6ERrMIKYuQCBnXRNx2Au ZLl3YfRbish0ELpqD9NYi7+Jdjrr0tHpkY44VYLmUphCsiRidRCKhD6n3JygZjTeDOKW 6/BK4Hu15GNGA1qx/8HyR7w7TCP9/l5zUombCafVrAAIjvPbdHHXPyge0QOW59RuCS+u W0ejhvR49OW+a6bEemqE/ZxgmSiTWQER0H6Vnd2Oqm4gOcgZ6e/MxFS/tvooe4k6iOQJ oiPWK6La408oH5kymmxCkTyTSSOQvowNJyHSWAB2WI4Tgq0eiGPLzfFE6HXLUwFujoL7 iPFg== X-Gm-Message-State: AOJu0YwQekDk+dYHLJyY5CvqXi0NBo/lcfgMFmT0vavIroA2+ZTVf4v0 Bp7SrSgzE0orXXZP4U/SwntvtlNKfiDWIhWmMJi/29q4N7UdOFY/xWkkan/3PQ== X-Gm-Gg: ASbGncvoP7QuxPR8PPplH4xgNdAalEep82JYR6CtYLqHoKdp11RErKzzB0NDdETVW9e qirup+LuZArzPzbM1bCsj3eQMQW/8zj3mSV97Se1tw22Ll8tnnm19tuM0buwTIRWaveQIAYpvap zzcqKo4VJotLQs0h+DXBafnswT4Qli7GpCCogvMIGjW4JRzdYaq2tiim4gxtRYFTEZmJMdWYd8m XTdhgq2YWaGzni1UScn97Q2UYEIey/F89ODDH28fIDadgl6XFRtfqDddEGVfVYNP4Q+xvWxWWgy ZCDelT+qXQoWmcKF2V6eJD968qvkH/oFKvmosCSAwDl6cAxzJ4098xU++TvkpHwnLXuL+DR14q2 PAe78DpOc996mHPEP3pCZ9RLm2pJ2o3476GQl/1j+5Ofoa8muSNEidaY= X-Google-Smtp-Source: AGHT+IEkD1E/HN6ulVpsbC4pWllA/2r14eb4tpeK5vO8w5INMmyzRPMGdwVK81Mcvzy1H/3M/ymcLw== X-Received: by 2002:a17:903:b0e:b0:273:240a:9b6f with SMTP id d9443c01a7336-290272c31b3mr324975815ad.39.1760475291059; Tue, 14 Oct 2025 13:54:51 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([147.161.216.252]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29034dea083sm174952475ad.24.2025.10.14.13.54.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 13:54:50 -0700 (PDT) From: Ankur Tyagi To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 18/18] jasper: upgrade to 4.1.2 release Date: Wed, 15 Oct 2025 09:54:01 +1300 Message-ID: <20251014205402.1487867-18-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> References: <20251014205402.1487867-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 20:54:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120651 Bugfixes including CVE-2023-51257 https://github.com/jasper-software/jasper/compare/version-4.1.1...version-4.1.2 Signed-off-by: Ankur Tyagi --- .../recipes-graphics/jasper/jasper_4.1.1.bb | 2 +- .../recipes-graphics/jasper/jasper_4.1.2.bb | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb diff --git a/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb b/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb index 5281980ecb..d6d5b5de32 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_4.1.1.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a80440d1d8f17d041c71c7271d6e06eb" SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master" -SRCREV = "917f7708b755d8434f70618108c1a76f1b6a0a82" +SRCREV = "ff633699cb785967a2cb0084d89d56e53c46e416" CVE_STATUS[CVE-2015-8751] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." diff --git a/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb b/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb new file mode 100644 index 0000000000..d4dae1f22a --- /dev/null +++ b/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb @@ -0,0 +1,35 @@ +SUMMARY = "Jpeg 2000 implementation" +HOMEPAGE = "https://jasper-software.github.io/jasper/" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a80440d1d8f17d041c71c7271d6e06eb" + +SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master" +SRCREV = "ff633699cb785967a2cb0084d89d56e53c46e416" + +CVE_STATUS[CVE-2015-8751] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS[CVE-2023-51257] = "fixed-version: patch is already included in sources" + +S = "${WORKDIR}/git" + +inherit cmake multilib_header + +do_configure:prepend() { + JAS_STDC_VERSION="$(echo __STDC_VERSION__ | ${CPP} -E -P -)" +} + +EXTRA_OECMAKE:append = " -DJAS_STDC_VERSION=${JAS_STDC_VERSION}" + +PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'opengl x11', 'opengl', '', d)} \ + jpeg" + +PACKAGECONFIG[jpeg] = "-DJAS_ENABLE_LIBJPEG=ON,-DJAS_ENABLE_LIBJPEG=OFF,jpeg," +PACKAGECONFIG[opengl] = "-DJAS_ENABLE_OPENGL=ON,-DJAS_ENABLE_OPENGL=OFF,freeglut," + +do_install:append() { + chrpath -d ${D}${bindir}/jasper + chrpath -d ${D}${bindir}/imginfo + chrpath -d ${D}${bindir}/imgcmp + chrpath -d ${D}${libdir}/libjasper.so.* + oe_multilib_header jasper/jas_config.h +} +