From patchwork Fri Oct 24 12:26:22 2025
X-Patchwork-Submitter: dchellam
X-Patchwork-Id: 72971
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 1/3] mariadb: fix CVE-2025-21490
Date: Fri, 24 Oct 2025 17:56:22 +0530
Message-ID: <20251024122624.1325594-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120955

From: Divya Chellam

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-21490
https://security-tracker.debian.org/tracker/CVE-2025-21490

Upstream-patch:
https://github.com/MariaDB/server/commit/82310f926b7c6547f25dd80e4edf3f38b22913e5

Signed-off-by: Divya Chellam
--- meta-oe/recipes-dbs/mysql/mariadb.inc | 1 + .../mysql/mariadb/CVE-2025-21490.patch | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index fde5fefd6a..27b5c46fa1 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -33,6 +33,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \ file://CVE-2024-21096-0003.patch \ file://CVE-2024-21096-0004.patch \ file://CVE-2024-21096-0005.patch \ + file://CVE-2025-21490.patch \ " SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch" 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch new file mode 100644 index 0000000000..9c96f70313 --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch 
@@ -0,0 +1,96 @@ +From 82310f926b7c6547f25dd80e4edf3f38b22913e5 Mon Sep 17 00:00:00 2001 +From: Marko Mäkelä +Date: Wed, 22 Jan 2025 17:22:07 +0200 +Subject: [PATCH] MDEV-29182 Assertion fld->field_no < table->n_v_def failed on + cascade + +row_ins_cascade_calc_update_vec(): Skip any virtual columns in the +update vector of the parent table. + +Based on mysql/mysql-server@0ac176453bfef7fb1fdfa70af74618c32910181c + +Reviewed by: Debarun Banerjee + +CVE: CVE-2025-21490 + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/82310f926b7c6547f25dd80e4edf3f38b22913e5] + +Signed-off-by: Divya Chellam +--- + mysql-test/suite/innodb/r/foreign_key.result | 17 +++++++++++++++++ + mysql-test/suite/innodb/t/foreign_key.test | 15 +++++++++++++++ + storage/innobase/row/row0ins.cc | 4 +++- + 3 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/mysql-test/suite/innodb/r/foreign_key.result b/mysql-test/suite/innodb/r/foreign_key.result +index acf021db..6348e7a1 100644 +--- a/mysql-test/suite/innodb/r/foreign_key.result ++++ b/mysql-test/suite/innodb/r/foreign_key.result +@@ -982,6 +982,23 @@ t2 CREATE TABLE `t2` ( + CONSTRAINT `t2_ibfk_1` FOREIGN KEY (`a`) REFERENCES `t1` (`a`) + ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci + drop tables t2, t1; ++# ++# MDEV-29182 Assertion fld->field_no < table->n_v_def failed on cascade ++# ++CREATE TABLE t1(a INT PRIMARY KEY, b VARCHAR(3), c INT AS (LENGTH(b)) VIRTUAL, ++INDEX(c)) ENGINE=InnoDB; ++CREATE TABLE t2(a INT REFERENCES t1(a) ON UPDATE CASCADE, ++b INT GENERATED ALWAYS AS(a) VIRTUAL, INDEX(b)) ENGINE=InnoDB; ++INSERT INTO t1 SET a=1,b='fu'; ++INSERT INTO t2 SET a=1; ++UPDATE t1 SET a=2,b='bar'; ++SELECT * FROM t1; ++a b c ++2 bar 3 ++SELECT * FROM t2; ++a b ++2 2 ++DROP TABLE t2,t1; + # End of 10.5 tests + # + # MDEV-26554 Table-rebuilding DDL on parent table causes crash +diff --git a/mysql-test/suite/innodb/t/foreign_key.test b/mysql-test/suite/innodb/t/foreign_key.test +index 
4b047ea4..45205cce 100644 +--- a/mysql-test/suite/innodb/t/foreign_key.test ++++ b/mysql-test/suite/innodb/t/foreign_key.test +@@ -1007,6 +1007,21 @@ alter table t2 add foreign key(a) references t1; + show create table t2; + drop tables t2, t1; + ++ ++--echo # ++--echo # MDEV-29182 Assertion fld->field_no < table->n_v_def failed on cascade ++--echo # ++CREATE TABLE t1(a INT PRIMARY KEY, b VARCHAR(3), c INT AS (LENGTH(b)) VIRTUAL, ++ INDEX(c)) ENGINE=InnoDB; ++CREATE TABLE t2(a INT REFERENCES t1(a) ON UPDATE CASCADE, ++ b INT GENERATED ALWAYS AS(a) VIRTUAL, INDEX(b)) ENGINE=InnoDB; ++INSERT INTO t1 SET a=1,b='fu'; ++INSERT INTO t2 SET a=1; ++UPDATE t1 SET a=2,b='bar'; ++SELECT * FROM t1; ++SELECT * FROM t2; ++DROP TABLE t2,t1; ++ + --echo # End of 10.5 tests + + --echo # +diff --git a/storage/innobase/row/row0ins.cc b/storage/innobase/row/row0ins.cc +index 8385bcae..0d8ae8aa 100644 +--- a/storage/innobase/row/row0ins.cc ++++ b/storage/innobase/row/row0ins.cc +@@ -483,7 +483,9 @@ row_ins_cascade_calc_update_vec( + const upd_field_t* parent_ufield + = &parent_update->fields[j]; + +- if (parent_ufield->field_no == parent_field_no) { ++ if (parent_ufield->field_no == parent_field_no ++ && !(parent_ufield->new_val.type.prtype ++ & DATA_VIRTUAL)) { + + ulint min_size; + const dict_col_t* col; +-- +2.40.0 +
From patchwork Fri Oct 24 12:26:23 2025
X-Patchwork-Submitter: dchellam
X-Patchwork-Id: 72969
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 2/3] jq: fix CVE-2025-9403
Date: Fri, 24 Oct 2025 17:56:23 +0530
Message-ID: <20251024122624.1325594-2-divya.chellam@windriver.com>
In-Reply-To: <20251024122624.1325594-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120956

From: Divya Chellam

A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9403

Upstream-patch:
https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9

Signed-off-by: Divya Chellam
--- .../jq/jq/CVE-2025-9403.patch | 49 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_git.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch new file mode 100644 index 0000000000..cb180c13f9 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2025-9403.patch 
@@ -0,0 +1,49 @@ +From a4d9d540103ff9a262e304329c277ec89b27e5f9 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Mon, 15 Sep 2025 07:47:51 +0900 +Subject: [PATCH] Fix expected value assertion for NaN value (fix #3393) + (#3408) + +CVE: CVE-2025-9403 + +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9] + +Signed-off-by: Divya Chellam +--- + src/jq_test.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/jq_test.c b/src/jq_test.c +index eed633f..40a1d23 100644 +--- a/src/jq_test.c ++++ b/src/jq_test.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "jv.h" + #include "jq.h" + +@@ -200,11 +201,13 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int + printf(" for test at line number %u: %s\n", lineno, prog); + pass = 0; + } +- jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT)); +- jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string))); +- assert(jv_equal(jv_copy(expected), jv_copy(reparsed))); +- jv_free(as_string); +- jv_free(reparsed); ++ if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) { ++ jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT)); ++ jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string))); ++ assert(jv_equal(jv_copy(expected), jv_copy(reparsed))); ++ jv_free(as_string); ++ jv_free(reparsed); ++ } + jv_free(expected); + jv_free(actual); + } +-- +2.40.0 + diff --git a/meta-oe/recipes-devtools/jq/jq_git.bb b/meta-oe/recipes-devtools/jq/jq_git.bb index d36723cff4..35dc6ec9fa 100644 --- a/meta-oe/recipes-devtools/jq/jq_git.bb +++ b/meta-oe/recipes-devtools/jq/jq_git.bb 
@@ -15,6 +15,7 @@ SRC_URI = " \ file://CVE-2025-48060.patch \ file://CVE-2024-53427-01.patch \ file://CVE-2024-53427-02.patch \ + file://CVE-2025-9403.patch \ " SRCREV = "a9f97e9e61a910a374a5d768244e8ad63f407d3e" S = "${WORKDIR}/git"
From patchwork Fri Oct 24 12:26:24 2025
X-Patchwork-Submitter: dchellam
X-Patchwork-Id: 72970
From: dchellam
Subject: [oe][meta-oe][kirkstone][PATCH 3/3] mariadb: fix CVE-2025-30722
Date: Fri, 24 Oct 2025 17:56:24 +0530
Message-ID: <20251024122624.1325594-3-divya.chellam@windriver.com>
In-Reply-To: <20251024122624.1325594-1-divya.chellam@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120957

From: Divya Chellam

Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-30722

Upstream-patch:
https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674

Signed-off-by: Divya Chellam
--- meta-oe/recipes-dbs/mysql/mariadb.inc | 1 + .../mysql/mariadb/CVE-2025-30722.patch | 176 ++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 27b5c46fa1..048e43d962 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -34,6 +34,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \ file://CVE-2024-21096-0004.patch \ file://CVE-2024-21096-0005.patch \ file://CVE-2025-21490.patch \ + file://CVE-2025-30722.patch \ " SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch" 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch new file mode 100644 index 0000000000..d7e74d66f0 --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-30722.patch 
@@ -0,0 +1,176 @@ +From 6aa860be27480db134a3c71065b9b47d15b72674 Mon Sep 17 00:00:00 2001 +From: Sergei Golubchik +Date: Tue, 11 Mar 2025 11:22:00 +0100 +Subject: [PATCH] MDEV-36268 mariadb-dump used wrong quoting character + +use ' not " and use quote_for_equal() + +Backported according to mariadb 10.11.12 + +CVE: CVE-2025-30722 + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674] + +Signed-off-by: Divya Chellam +--- + client/mysqldump.c | 15 +++++++---- + mysql-test/main/mysqldump-system.result | 6 ++--- + mysql-test/main/mysqldump.result | 33 +++++++++++++++++++++++++ + mysql-test/main/mysqldump.test | 9 +++++++ + 4 files changed, 55 insertions(+), 8 deletions(-) + +diff --git a/client/mysqldump.c b/client/mysqldump.c +index 767413b1..9c0921c0 100644 +--- a/client/mysqldump.c ++++ b/client/mysqldump.c +@@ -2175,7 +2175,7 @@ static char *quote_for_equal(const char *name, char *buff) + *to++='\\'; + } + if (*name == '\'') +- *to++= '\\'; ++ *to++= '\''; + *to++= *name++; + } + to[0]= '\''; +@@ -3707,7 +3707,7 @@ static void dump_trigger_old(FILE *sql_file, MYSQL_RES *show_triggers_rs, + + fprintf(sql_file, + "DELIMITER ;;\n" +- "/*!50003 SET SESSION SQL_MODE=\"%s\" */;;\n" ++ "/*!50003 SET SESSION SQL_MODE='%s' */;;\n" + "/*!50003 CREATE */ ", + (*show_trigger_row)[6]); + +@@ -4686,17 +4686,19 @@ static int dump_all_users_roles_and_grants() + return 1; + while ((row= mysql_fetch_row(tableres))) + { ++ char buf[200]; + if (opt_replace_into) + /* Protection against removing the current import user */ + /* MySQL-8.0 export capability */ + fprintf(md_result_file, + "DELIMITER |\n" +- "/*M!100101 IF current_user()=\"%s\" THEN\n" ++ "/*M!100101 IF current_user()=%s THEN\n" + " SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001," + " MESSAGE_TEXT=\"Don't remove current user %s'\";\n" + "END IF */|\n" + "DELIMITER ;\n" +- "/*!50701 DROP USER IF EXISTS %s */;\n", row[0], row[0], row[0]); ++ "/*!50701 DROP USER IF 
EXISTS %s */;\n", ++ quote_for_equal(row[0],buf), row[0], row[0]); + if (dump_create_user(row[0])) + result= 1; + /* if roles exist, defer dumping grants until after roles created */ +@@ -6770,6 +6772,7 @@ static my_bool get_view_structure(char *table, char* db) + char *result_table, *opt_quoted_table; + char table_buff[NAME_LEN*2+3]; + char table_buff2[NAME_LEN*2+3]; ++ char temp_buff[NAME_LEN*2 + 3], temp_buff2[NAME_LEN*2 + 3]; + char query[QUERY_LENGTH]; + FILE *sql_file= md_result_file; + DBUG_ENTER("get_view_structure"); +@@ -6830,7 +6833,9 @@ static my_bool get_view_structure(char *table, char* db) + "SELECT CHECK_OPTION, DEFINER, SECURITY_TYPE, " + " CHARACTER_SET_CLIENT, COLLATION_CONNECTION " + "FROM information_schema.views " +- "WHERE table_name=\"%s\" AND table_schema=\"%s\"", table, db); ++ "WHERE table_name=%s AND table_schema=%s", ++ quote_for_equal(table, temp_buff2), ++ quote_for_equal(db, temp_buff)); + + if (mysql_query(mysql, query)) + { +diff --git a/mysql-test/main/mysqldump-system.result b/mysql-test/main/mysqldump-system.result +index 5619ec70..b502bd8d 100644 +--- a/mysql-test/main/mysqldump-system.result ++++ b/mysql-test/main/mysqldump-system.result +@@ -648,21 +648,21 @@ INSTALL PLUGIN test_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB'; + /*M!100401 UNINSTALL PLUGIN IF EXIST cleartext_plugin_server */; + INSTALL PLUGIN cleartext_plugin_server SONAME 'AUTH_TEST_PLUGIN_LIB'; + DELIMITER | +-/*M!100101 IF current_user()="'mariadb.sys'@'localhost'" THEN ++/*M!100101 IF current_user()='''mariadb.sys''@''localhost''' THEN + SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'mariadb.sys'@'localhost''"; + END IF */| + DELIMITER ; + /*!50701 DROP USER IF EXISTS 'mariadb.sys'@'localhost' */; + CREATE /*M!100103 OR REPLACE */ USER `mariadb.sys`@`localhost` PASSWORD EXPIRE; + DELIMITER | +-/*M!100101 IF current_user()="'root'@'localhost'" THEN ++/*M!100101 IF current_user()='''root''@''localhost''' THEN + SIGNAL 
SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'root'@'localhost''"; + END IF */| + DELIMITER ; + /*!50701 DROP USER IF EXISTS 'root'@'localhost' */; + CREATE /*M!100103 OR REPLACE */ USER `root`@`localhost`; + DELIMITER | +-/*M!100101 IF current_user()="'foobar'@'%'" THEN ++/*M!100101 IF current_user()='''foobar'@'%''' THEN + SIGNAL SQLSTATE '45000' SET MYSQL_ERRNO=30001, MESSAGE_TEXT="Don't remove current user 'foobar'@'%''"; + END IF */| + DELIMITER ; +diff --git a/mysql-test/main/mysqldump.result b/mysql-test/main/mysqldump.result +index ca9260f1..c55e5e49 100644 +--- a/mysql-test/main/mysqldump.result ++++ b/mysql-test/main/mysqldump.result +@@ -6699,4 +6699,37 @@ CREATE TABLE `t1` ( + /*!40101 SET character_set_client = @saved_cs_client */; + ERROR at line 9: Not allowed in the sandbox mode + drop table t1; ++# ++# MDEV-36268 mariadb-dump used wrong quoting character ++# ++create table t1 (a int); ++create view `v'1"2` as select * from t1 with check option; ++/*M!999999\- enable the sandbox mode */ ++/*!40101 SET @saved_cs_client = @@character_set_client */; ++/*!40101 SET character_set_client = utf8mb4 */; ++CREATE TABLE `t1` ( ++ `a` int(11) DEFAULT NULL ++) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci; ++/*!40101 SET character_set_client = @saved_cs_client */; ++SET @saved_cs_client = @@character_set_client; ++SET character_set_client = utf8mb4; ++/*!50001 CREATE VIEW `v'1"2` AS SELECT ++ 1 AS `a` */; ++SET character_set_client = @saved_cs_client; ++/*!50001 DROP VIEW IF EXISTS `v'1"2`*/; ++/*!50001 SET @saved_cs_client = @@character_set_client */; ++/*!50001 SET @saved_cs_results = @@character_set_results */; ++/*!50001 SET @saved_col_connection = @@collation_connection */; ++/*!50001 SET character_set_client = utf8 */; ++/*!50001 SET character_set_results = utf8 */; ++/*!50001 SET collation_connection = utf8_general_ci */; ++/*!50001 CREATE ALGORITHM=UNDEFINED */ ++/*!50013 DEFINER=`root`@`localhost` SQL 
SECURITY DEFINER */ ++/*!50001 VIEW `v'1"2` AS select `t1`.`a` AS `a` from `t1` */ ++/*!50002 WITH CASCADED CHECK OPTION */; ++/*!50001 SET character_set_client = @saved_cs_client */; ++/*!50001 SET character_set_results = @saved_cs_results */; ++/*!50001 SET collation_connection = @saved_col_connection */; ++drop view `v'1"2`; ++drop table t1; + # End of 10.5 tests +diff --git a/mysql-test/main/mysqldump.test b/mysql-test/main/mysqldump.test +index 9248f2ac..64d73ad3 100644 +--- a/mysql-test/main/mysqldump.test ++++ b/mysql-test/main/mysqldump.test +@@ -3003,4 +3003,13 @@ EOF + --remove_file $MYSQLTEST_VARDIR/tmp/mdev33727.sql + drop table t1; + ++--echo # ++--echo # MDEV-36268 mariadb-dump used wrong quoting character ++--echo # ++create table t1 (a int); ++create view `v'1"2` as select * from t1 with check option; # "' ++--exec $MYSQL_DUMP --compact test ++drop view `v'1"2`; # "' ++drop table t1; ++ + --echo # End of 10.5 tests +-- +2.40.0 +
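
Review bot: PATCH 1/3, storage/innobase/row/row0ins.cc, row_ins_cascade_calc_update_vec(): the extended condition has no comment explaining why an update-vector entry for a virtual column can match parent_field_no. The old test compared field_no alone, and the fix only makes sense if a virtual column's field_no can be numerically equal to a stored column's, so a short comment above `&& !(parent_ufield->new_val.type.prtype & DATA_VIRTUAL)` saying so would stop a later cleanup from dropping the check. The added test exercises ON UPDATE CASCADE only; if other cascade actions reach this loop, a second case would be worth carrying.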
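
Review bot: PATCH 2/3, src/jq_test.c, run_jq_tests(): the new guard skips the dump/reparse round trip only when `expected` is itself a number, `jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected))`. If an expected value is an array or object that contains NaN, the guard is false, the round trip still runs, and `assert(jv_equal(jv_copy(expected), jv_copy(reparsed)))` is still reachable. Please confirm whether nested NaN can occur in the test data this recipe ships; if it can, the commit message should say the backport narrows the assertion rather than removes it.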
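
Review bot: PATCH 3/3, client/mysqldump.c, dump_trigger_old(): the SQL_MODE value is still interpolated raw. The hunk changes the delimiter to `SET SESSION SQL_MODE='%s'` but passes `(*show_trigger_row)[6]` straight through, while the other two call sites touched by this patch now go through quote_for_equal(). If this is deliberate because the value is a server-generated list of mode names, a comment saying so would help; otherwise quote it the same way for consistency.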
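
Review bot: PATCH 3/3, client/mysqldump.c, dump_all_users_roles_and_grants(): `char buf[200];` is a fixed-size destination for `quote_for_equal(row[0],buf)` and nothing in the hunk bounds the length of row[0]. quote_for_equal() can emit two bytes per input byte plus the surrounding quotes, which is why get_view_structure() in the same patch sizes its buffers as `NAME_LEN*2 + 3`; the account-name buffer should be sized from the maximum user and host lengths in the same way, or the length checked before the call. In the same format string, only the current_user() comparison is quoted: `MESSAGE_TEXT=\"Don't remove current user %s'\"` still receives row[0] unescaped inside a double-quoted literal, so the quoting fix does not cover that argument.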
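
Review bot: PATCH 3/3, mysql-test/main/mysqldump-system.result: the third expected line looks inconsistent with the first two. For 'mariadb.sys'@'localhost' and 'root'@'localhost' every embedded quote is doubled (`'''root''@''localhost'''`), but the foobar line reads `current_user()='''foobar'@'%'''` with the quotes around `@` left single. With quote_for_equal() doubling each `'`, the expected text for 'foobar'@'%' would be `'''foobar''@''%'''`. Please compare against the upstream commit and regenerate the result file if the backport diverged.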
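
Review bot: PATCH 3/3, mysql-test/main/mysqldump.test: the new case covers only the get_view_structure() path, using the view name `v'1"2`. The account-name path changed in dump_all_users_roles_and_grants() is covered only by result-file updates for ordinary names, and the SQL_MODE change in dump_trigger_old() has no test in this patch. The commit message says the change was backported according to mariadb 10.11.12, so it is also worth confirming that the expected output added to mysqldump.result (for example `ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci`) matches what the kirkstone MariaDB version actually prints.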