From patchwork Wed Oct 29 02:54:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73252 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46CD0CCF9F2 for ; Wed, 29 Oct 2025 02:54:54 +0000 (UTC) Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by mx.groups.io with SMTP id smtpd.web10.35.1761706491188511454 for ; Tue, 28 Oct 2025 19:54:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ri2DpTtw; spf=softfail (domain: sakoman.com, ip: 209.85.215.181, mailfrom: steve@sakoman.com) Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-b8aa14e5ed9so271929a12.0 for ; Tue, 28 Oct 2025 19:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761706490; x=1762311290; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kxMWwjw5HizvErksd0GPrmSu/wB5Faj+mhuwphN4FFg=; b=ri2DpTtwfwb5ZE1SEPdtXymSEn59Ib9VvDOiT+WtSZNyMNl03HrnTjnzVHoJKObFCb KNLPtHI/21KfOmRGLXT7hlGAJq8ORQwiK9GUCMGbdyVE9T5cX0OgpBRCZdrjSYEVoC+3 1/PX844olg94nYSt7fsx3JqkGfofacl0kdu8MczE4g4yZALuBHz5O+sRT46+NJ4uQq3q n9VZIdTiZbXO14RrIcSTh1NHQcah2tiB/hBfIj9mM8qhKAnwu8A0DnUrgTs9WYk131BA P7wWIa2+G1ghcnk5s0RGpJ6WdxzL3FdYt0o7QKadZ81n5JLmnsjS5RSMtT0LFt8JbeVL MifA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761706490; x=1762311290; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kxMWwjw5HizvErksd0GPrmSu/wB5Faj+mhuwphN4FFg=; b=MSOxhXVvut5hsgPULLaEwtRNDIcdSIp/oEfY9AUPYe6638NK/YjoBoTVOBaxwKd3Q6 UXbYgJdIXrhM/mffahlja5OlcHFj8Phn9l5NDuWFlNLhLk42cLD5YR14dPczI8fkXU6p DoMG0bA3weC8L4BMnd2wCzCnA+uqOZjJmsd2wNzsJJQtVqNBrqxlVsTz0DAW2fru8JGC etJ/tCQy3s48KLuIw5Scm3TM13T2HwloRlHOrMAd3TF5N9eyDEgWuEJgTVbidzsikTY4 pCop14SmllG8h9Bi4zQejaPDaLIMSA/BpjIhI58j/qI2lNLdiOUpc3tYQTWLnx60yZ5t 68Hw== X-Gm-Message-State: AOJu0YxKr1NGELmbrR0Q3SmzAXe7jLlC65YbW67Jo/zUPHBbD/62QrAZ 8hVuAhjxv4YkQ4GzZKf+TK+6+RVcpUmSNmbDIMnmrSlmlkMa6sUra5VZyp2+/Q+3L64llLRl0vz e17jsonw= X-Gm-Gg: ASbGncvzDszYiGBVn2KL9JSqLBGT51wnc87fczh2tI/QEWHmUcEgeKzd2fEBry4ENkl +W13VPqQsHadv+9dCUENdfgw2r47jQIHea9uEV07Oz20CiwtO89qh+SZAwyzzxV5pUxQWJq2Gqg nzj0cnwgh5WQcTVjVPDb1LMBSZITul1xzOMMkFEVxnIWto79ASQJbii0GKmBz/rIz4MEaUa3jEg QmR83AP6nHUzGJ6+FwnKiC188Qzk/5+REpxbM01dh1hIedFkzWx22lDX8zoQl+/rwb8CH/J80Au N7xi4VXatZA0jLsXPtzm1/qcpLfb2fLcOFeWBwLPwF/n5lwHmOzgbUCPsqUD8eUwjE4peh3DcX1 fl4liiCF580ozIor4i9Ddbws6R9hzqYeiMB/NhDsYmaq1WW9tjN+9ROeOW8zkEP9jVSw= X-Google-Smtp-Source: AGHT+IGg+myovbnT8i24g39rCLjCYheWFqlHPnauaSjd0pKT1aaNdzwSE+pphab8gYmfRTuYg4pnxw== X-Received: by 2002:a17:902:b696:b0:24c:caab:dfd2 with SMTP id d9443c01a7336-294def53dd5mr9313115ad.61.1761706490261; Tue, 28 Oct 2025 19:54:50 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d27345sm131058945ad.54.2025.10.28.19.54.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 19:54:49 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/4] binutils: fix CVE-2025-11081 Date: Tue, 28 Oct 2025 19:54:27 -0700 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Oct 2025 02:54:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225423 From: Yash Shinde CVE: CVE-2025-11081 Trying to dump .sframe in a PE file results in a segfault accessing elf_section_data. * objdump (dump_sframe_section, dump_dwarf_section): Don't access elf_section_type without first checking the file is ELF. PR 33406 SEGV in dump_dwarf_section [https://sourceware.org/bugzilla/show_bug.cgi?id=33406] Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b] Signed-off-by: Yash Shinde Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.38.inc | 1 + .../binutils/0046-CVE-2025-11081.patch | 84 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 2e978edc6f..2444a304be 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -82,5 +82,6 @@ SRC_URI = "\ file://0043-CVE-2025-7545.patch \ file://0044-CVE-2025-11082.patch \ file://0045-CVE-2025-11083.patch \ + file://0046-CVE-2025-11081.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch b/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch new file mode 100644 index 0000000000..31dbef52fa --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0046-CVE-2025-11081.patch @@ -0,0 +1,84 @@ +From f87a66db645caf8cc0e6fc87b0c28c78a38af59b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Tue, 9 Sep 2025 18:32:09 +0930 +Subject: [PATCH] PR 33406 SEGV in dump_dwarf_section + +Trying to dump .sframe in a PE file results in a segfault accessing +elf_section_data. + + * objdump (dump_sframe_section, dump_dwarf_section): Don't access + elf_section_type without first checking the file is ELF. +--- + binutils/objdump.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b] +CVE: CVE-2025-11081 + +Signed-off-by: Alan Modra +Signed-off-by: Yash Shinde + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index 290f7e51f66..ee8823da05a 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -4418,6 +4418,10 @@ + else + match = name; + ++ if (bfd_get_flavour (abfd) == bfd_target_elf_flavour ++ && elf_section_type (section) == SHT_GNU_SFRAME) ++ match = ".sframe"; ++ + for (i = 0; i < max; i++) + if ((strcmp (debug_displays [i].section.uncompressed_name, match) == 0 + || strcmp (debug_displays [i].section.compressed_name, match) == 0 +@@ -4923,6 +4927,36 @@ + } + ++static void ++dump_sframe_section (bfd *abfd, const char *sect_name, bool is_mainfile) ++ ++{ ++ /* Error checking for user provided SFrame section name, if any. */ ++ if (sect_name) ++ { ++ asection *sec = bfd_get_section_by_name (abfd, sect_name); ++ if (sec == NULL) ++ { ++ printf (_("No %s section present\n\n"), sanitize_string (sect_name)); ++ return; ++ } ++ /* Starting with Binutils 2.45, SFrame sections have section type ++ SHT_GNU_SFRAME. For SFrame sections from Binutils 2.44 or earlier, ++ check explcitly for SFrame sections of type SHT_PROGBITS and name ++ ".sframe" to allow them. */ ++ else if (bfd_get_flavour (abfd) != bfd_target_elf_flavour ++ || (elf_section_type (sec) != SHT_GNU_SFRAME ++ && !(elf_section_type (sec) == SHT_PROGBITS ++ && strcmp (sect_name, ".sframe") == 0))) ++ { ++ printf (_("Section %s does not contain SFrame data\n\n"), ++ sanitize_string (sect_name)); ++ return; ++ } ++ } ++ dump_dwarf (abfd, is_mainfile); ++} ++ + static void + dump_target_specific (bfd *abfd) + { + const struct objdump_private_desc * const *desc; +diff --git a/include/elf/common.h b/include/elf/common.h +--- a/include/elf/common.h ++++ b/include/elf/common.h +@@ -528,6 +528,8 @@ + #define SHT_LOOS 0x60000000 /* First of OS specific semantics */ + #define SHT_HIOS 0x6fffffff /* Last of OS specific semantics */ + ++#define SHT_GNU_SFRAME 0x6ffffff4 /* SFrame stack trace information. */ ++ + #define SHT_GNU_INCREMENTAL_INPUTS 0x6fff4700 /* incremental build data */ + #define SHT_GNU_ATTRIBUTES 0x6ffffff5 /* Object attributes */ + #define SHT_GNU_HASH 0x6ffffff6 /* GNU style symbol hash table */ From patchwork Wed Oct 29 02:54:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73251 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4452BCCF9F1 for ; Wed, 29 Oct 2025 02:54:54 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.web01.39.1761706493078130060 for ; Tue, 28 Oct 2025 19:54:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=YRFWQXqy; spf=softfail (domain: sakoman.com, ip: 209.85.215.182, mailfrom: steve@sakoman.com) Received: by mail-pg1-f182.google.com with SMTP id 41be03b00d2f7-b6a73db16efso6396249a12.3 for ; Tue, 28 Oct 2025 19:54:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761706492; x=1762311292; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=q6EPhT9pEEaVQx4XeMTQ6W8BN62mWex8hjyMxacKhd0=; b=YRFWQXqyQGoANzLXKXTQbKMarxIpS3suxDMir2jQbJ9n9FkjU9NW2d3ni51bj3OoqN bfII1Gfso0kKWqsPJc5pvT1i+W7RUtKD6/mg7QzbodxKRdouDZgsHXMsSIE3mfG2lO6n qK4bjLrpisEEAk8qTKm+XmVEQv3ahWp0kYNVeX0fhKmoabkN+Vc7nU8l0vnCJttGNVJj iT5PtUMnuqWJdH9x2m28kXGQsVE/VuZNc4HsQ8n75pP/fsqdaNimY9/HUHNrY4whiZAU wtqdzH4TtvFhZylZZnp1jhxkbAqS8hq0zavymPVc56cG00QiawTQarvp8X6YojqUVJh8 RTFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761706492; x=1762311292; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=q6EPhT9pEEaVQx4XeMTQ6W8BN62mWex8hjyMxacKhd0=; b=UotIMUttetnv8Lb9kSYxhLZGPK+cdfHtK6eiymw2EHBI/WMmfTz8MdDs+h0lbpFNVy +tKkzJC4i1Y9xI+EpMlu1NKVstL/U473Z5LM8qU5nG6MBaRHiutHoOjQl2a8m1eGJSEe WvHXT3906GMLuuH7GkKcd0dfrRtNvCw5dOSjo3dqmFaiCyWOBAYG82c6zp7hEd6h76Z0 +hLpZf+bDgxcFTzpBC7jeS2N8gKOUPrD1IsUWBduNiolgXipynJ8kSdHzqjME56YeX3F fRRfYYRnPavNuVI0+hOmuy4PII3uf/T9lQSqHQgXjOiGDaBc2zTDnD8nuF0ieMUU/6SM vOpw== X-Gm-Message-State: AOJu0YzdB+D9nUk4Q7FOj/x6TzF0pl4dKWcXBWA+4hND29OlniJTO7vQ E4Tb9EbMIMCpIYQh0Ayq3qxLPDJ845Z+fmd3gzKwbXG3BZ7EBDM6crQFLD1zxBzzES0eg6DEMNJ kP1oThf4= X-Gm-Gg: ASbGnctYTkiYaQ7Jj3J3hcQluZhtL630iKe5RD8OiNZV2NDvvp3VJinff4jGbLqUayF 4bjD/nOoTui3rC8bTsgIZ6tONa7EKW5Fyxeudff3ePbmT6Oxu2PmEdrMUixOP2Oe22PvdqGEwdB 9GqZh2GG6TT2BjW9eujLgPNAqsDAjmw+0XSjlp13x9dKHgvgteOr1ebqhD82t28fR13Ex4gRu2U uxymyOE/FieDFZOjiN3wvLUYQAGhx49FiuCwo9K4+pWWfAaO8gArVO5A3GzTHVDceZjERR8lHNt 4ktGyLHIswwP1o3xTgIK54CiuB5Nzx3tD2tweXHAC88PAVTd7PNJoSgwOq3eL+YbQFkMk+wlWXH 6fv9wqOzqnAxpAKQtCpgycj1fkGcpmit1gMqjcMchAxg2UhAQ+D0GtgLTJJsvR/dZ5Qw= X-Google-Smtp-Source: AGHT+IHXMxr4mLXt3lP18lmgEKqKkIDA3r4DEJeR2SjSI3+gZqOrvHXU8r4NwmANdlkdfL11al8wcA== X-Received: by 2002:a17:902:e94d:b0:290:c5c8:941c with SMTP id d9443c01a7336-294deed4217mr17380805ad.29.1761706492194; Tue, 28 Oct 2025 19:54:52 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d27345sm131058945ad.54.2025.10.28.19.54.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 19:54:51 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/4] binutils: fix CVE-2025-8225 Date: Tue, 28 Oct 2025 19:54:28 -0700 Message-ID: <9b5bb098b542a43a7aa97cc376c358f0a38778e3.1761692326.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Oct 2025 02:54:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225424 From: Yash Shinde CVE: CVE-2025-8225 It is possible with fuzzed files to have num_debug_info_entries zero after allocating space for debug_information, leading to multiple allocations. * dwarf.c (process_debug_info): Don't test num_debug_info_entries to determine whether debug_information has been allocated, test alloc_num_debug_info_entries. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4] Signed-off-by: Yash Shinde Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.38.inc | 1 + .../binutils/0047-CVE-2025-8225.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 2444a304be..ade69881a1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -83,5 +83,6 @@ SRC_URI = "\ file://0044-CVE-2025-11082.patch \ file://0045-CVE-2025-11083.patch \ file://0046-CVE-2025-11081.patch \ + file://0047-CVE-2025-8225.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch new file mode 100644 index 0000000000..410ba64143 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0047-CVE-2025-8225.patch @@ -0,0 +1,47 @@ +From e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 19 Feb 2025 22:45:29 +1030 +Subject: [PATCH] binutils/dwarf.c debug_information leak + +It is possible with fuzzed files to have num_debug_info_entries zero +after allocating space for debug_information, leading to multiple +allocations. + + * dwarf.c (process_debug_info): Don't test num_debug_info_entries + to determine whether debug_information has been allocated, + test alloc_num_debug_info_entries. +--- + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4] +CVE: CVE-2025-8225 + + binutils/dwarf.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +Signed-off-by: Alan Modra +Signed-off-by: Yash Shinde + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 8e004cea839..bfbf83ec9f4 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -3807,13 +3807,11 @@ process_debug_info (struct dwarf_section * section, + } + + if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info) +- && num_debug_info_entries == 0 +- && ! do_types) ++ && alloc_num_debug_info_entries == 0 ++ && !do_types) + { +- + /* Then allocate an array to hold the information. */ +- debug_information = (debug_info *) cmalloc (num_units, +- sizeof (* debug_information)); ++ debug_information = cmalloc (num_units, sizeof (*debug_information)); + if (debug_information == NULL) + { + error (_("Not enough memory for a debug info array of %u entries\n"), +-- +2.43.7 + From patchwork Wed Oct 29 02:54:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73254 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D03DCCD1BF for ; Wed, 29 Oct 2025 02:55:04 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.37.1761706495014494952 for ; Tue, 28 Oct 2025 19:54:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=e/TZz4FC; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-269639879c3so57358765ad.2 for ; Tue, 28 Oct 2025 19:54:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761706494; x=1762311294; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=whOf5Lmr8UtE3CconDCP2va6ovDY1BLs0iQxq0agSSQ=; b=e/TZz4FCUckp1yY5/JU/qsu8bvIMIFJTx8eLAKPA5k3JsB40v7wrgnkOXH3VM9qddG WmnIgIZDvdPf16Se2m1QEjGkc66Ucg+3W2AXNR7jcTx3dqDsdzkZdwl5gPfA/BNLGpaI 0RfyMNbZMTXTgjsPgG2d9hOihrX3G4P9W0Kd2vlIGjUXmYS7bsZ4vZfx0ZuWn5wc1FdI U79MXhlcIxEEUCChrlXNlNDWfFUSywTnMpkd9wPRcc1QfsejO0atMKCr6cCoH+nwVkLt FS/6xHIkwbl8QuADl7cBnO9O/8yGE1ec95UdJr+qGKfXJyvts8of+oW/hVaidcIS6RKi mebQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761706494; x=1762311294; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=whOf5Lmr8UtE3CconDCP2va6ovDY1BLs0iQxq0agSSQ=; b=IQtvtBEpeFERHirV2LemXe8WGRaNxxOsPu3RwlOq/wbHIOLHG+ZTdLF4xNgUaZoCmQ LDxXiWzAAPh0Cf/PA/2L9QCkAwPcVEszILaJmFrUO3r/UUhJrrkd8g7zlhZK4s3+OAJ0 TF7tA7i9aQ7Cu8SH3Yu3O4/DiR8gT5bvYXpiGJWG9HmXg7Pd5cNXn2yOgZlxPJ1YMJrB Bfg1eL9XLGUuKun5WXgvYK7BWFKRSQkdzrR2k6uyYvDNk9/2xw5YZAwiOI+HXdUw5wfM +sEZa5Rrz26y+0dJxsmRAdM/uqdZt5UzmwhjHw3vAYZ+8L4hs1Kscp4ACiOUlXB9uSbA iiMQ== X-Gm-Message-State: AOJu0YzBW5bHiCDquXEBBLuxRZKVVZzTYxZpYHhSsM5I3wGrXAsHSPt4 drzdndxE89Q01av4a5wRKcK4kmvQXvnLOs81Gv54cfAjReaGWRMbeuICPpumqcP4KXa4xCFAIe7 YCdCYIWY= X-Gm-Gg: ASbGncuVkd1WNtLx2e7qbIyXFBnAuqNGyfuErBzif3tPCUQyRv6Jn7G+7UGA2C1UuFQ IhtxaDUsAsFmQSrFCo1OedEP8sJUhvzUYkli+TF0iRenrNyev35n4ylVIraaBUhi2j3I/D09d3W BpYUKSSvnlQ6DGwe/9oL7VlZt2VgoOxHabTqt4MFwzItNT2idT3W8uYj70SwWGTbegT5SSPKwea L6hA1efO7vxndApdJMf3j6rVuq4jwASQA10w7vb8n/YlABvZwKSedjjxfr90Prw22CoodVSF0Wu cRkACBWJ0BAhJlMc66aMPJgshpwSN9KZRKCu/coiW0PbKSTeFFHW0A3g6PrDqdr43Gb1ffmeyh4 KsEWt4EhqaKmOmVf86FnPPQQf4yu2JncjMZ0Yx8i2UIs7XbzfsYVEJ0hva8yDWSqXNpM= X-Google-Smtp-Source: AGHT+IFA1+q8l4upCcO7yqzWX4c+CsD4f9oujNQUqQmToAA6e/hnRLUXAIB6zJpqyCxoPx9Fj/x0bw== X-Received: by 2002:a17:903:2348:b0:25d:37fc:32df with SMTP id d9443c01a7336-294deedb5c6mr16629595ad.47.1761706493893; Tue, 28 Oct 2025 19:54:53 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d27345sm131058945ad.54.2025.10.28.19.54.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 19:54:53 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/4] git: fix CVE-2025-48386 Date: Tue, 28 Oct 2025 19:54:29 -0700 Message-ID: <3f2fce1ababbf6c94a9e4995d133d5338913b2ce.1761692326.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Oct 2025 02:55:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225425 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../git/git/CVE-2025-48386.patch | 97 +++++++++++++++++++ meta/recipes-devtools/git/git_2.35.7.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48386.patch diff --git a/meta/recipes-devtools/git/git/CVE-2025-48386.patch b/meta/recipes-devtools/git/git/CVE-2025-48386.patch new file mode 100644 index 0000000000..e78e95dbea --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2025-48386.patch @@ -0,0 +1,97 @@ +From 9de345cb273cc7faaeda279c7e07149d8a15a319 Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Mon, 19 May 2025 18:30:29 -0400 +Subject: [PATCH] wincred: avoid buffer overflow in wcsncat() + +The wincred credential helper uses a static buffer ("target") as a +unique key for storing and comparing against internal storage. It does +this by building up a string is supposed to look like: + + git:$PROTOCOL://$USERNAME@$HOST/@path + +However, the static "target" buffer is declared as a wide string with no +more than 1,024 wide characters. The first call to wcsncat() is almost +correct (it copies no more than ARRAY_SIZE(target) wchar_t's), but does +not account for the trailing NUL, introducing an off-by-one error. + +But subsequent calls to wcsncat() have an additional problem on top of +the off-by-one. They do not account for the length of the existing +wide string being built up in 'target'. So the following: + + $ perl -e ' + my $x = "x" x 1_000; + print "protocol=$x\nhost=$x\nusername=$x\npath=$x\n" + ' | + C\:/Program\ Files/Git/mingw64/libexec/git-core/git-credential-wincred.exe get + +will result in a segmentation fault from over-filling buffer. + +This bug is as old as the wincred helper itself, dating back to +a6253da (contrib: add win32 credential-helper, 2012-07-27). Commit +8b2d219 (wincred: improve compatibility with windows versions, +2013-01-10) replaced the use of strncat() with wcsncat(), but retained +the buggy behavior. + +Fix this by using a "target_append()" helper which accounts for both the +length of the existing string within the buffer, as well as the trailing +NUL character. + +Reported-by: David Leadbeater +Helped-by: David Leadbeater +Helped-by: Jeff King +Signed-off-by: Taylor Blau + +CVE: CVE-2025-48386 +Upstream-Status: Backport [https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319] +Signed-off-by: Hitendra Prajapati +--- + .../wincred/git-credential-wincred.c | 22 +++++++++++++------ + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c +index 5091048..00ecd87 100644 +--- a/contrib/credential/wincred/git-credential-wincred.c ++++ b/contrib/credential/wincred/git-credential-wincred.c +@@ -93,6 +93,14 @@ static void load_cred_funcs(void) + + static WCHAR *wusername, *password, *protocol, *host, *path, target[1024]; + ++static void target_append(const WCHAR *src) ++{ ++ size_t avail = ARRAY_SIZE(target) - wcslen(target) - 1; /* -1 for NUL */ ++ if (avail < wcslen(src)) ++ die("target buffer overflow"); ++ wcsncat(target, src, avail); ++} ++ + static void write_item(const char *what, LPCWSTR wbuf, int wlen) + { + char *buf; +@@ -304,17 +312,17 @@ int main(int argc, char *argv[]) + + /* prepare 'target', the unique key for the credential */ + wcscpy(target, L"git:"); +- wcsncat(target, protocol, ARRAY_SIZE(target)); +- wcsncat(target, L"://", ARRAY_SIZE(target)); ++ target_append(protocol); ++ target_append(L"://"); + if (wusername) { +- wcsncat(target, wusername, ARRAY_SIZE(target)); +- wcsncat(target, L"@", ARRAY_SIZE(target)); ++ target_append(wusername); ++ target_append(L"@"); + } + if (host) +- wcsncat(target, host, ARRAY_SIZE(target)); ++ target_append(host); + if (path) { +- wcsncat(target, L"/", ARRAY_SIZE(target)); +- wcsncat(target, path, ARRAY_SIZE(target)); ++ target_append(L"/"); ++ target_append(path); + } + + if (!strcmp(argv[1], "get")) +-- +2.50.1 + diff --git a/meta/recipes-devtools/git/git_2.35.7.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 2079c3ddc8..063446645e 100644 --- a/meta/recipes-devtools/git/git_2.35.7.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb @@ -28,6 +28,7 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://CVE-2024-52006.patch \ file://CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch \ file://CVE-2025-48384.patch \ + file://CVE-2025-48386.patch \ " S = "${WORKDIR}/git-${PV}" From patchwork Wed Oct 29 02:54:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 73253 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E811CCF9F2 for ; Wed, 29 Oct 2025 02:55:04 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.39.1761706496615428183 for ; Tue, 28 Oct 2025 19:54:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Ur7HAeBK; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-290cd62acc3so75015585ad.2 for ; Tue, 28 Oct 2025 19:54:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1761706496; x=1762311296; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=v/z+HtnknAKnaovJbXB9+ZxjkflXoL5ptkzL8ulzkxs=; b=Ur7HAeBKHFEqUcHV4ixW6bD4RLuztEIslTeYjD3qFFQ9JIkJYL1ZX7lXApzzhC/QAZ dx9mk7cB7+AopQts9ydoc8QGx7/8/bDPKleZ9ZV28acGWGYQanzT8v2aQjY3geXvv0FV zkapOIuW+G3eCTc9Am5g7j9Jtst9MHeZQ6PWFBKJlwRYr87NdwoEK34spSgdSXCv4MVq 1FoL8M6dDcm2DXOKBFU8H/AbSJM9Yf3xUmama99HlSiZq3dImZQWvaJ1Birqe2zC8gKa NeoFauKQqRf6r7U1cTMGGqYDZQs0ZoZdB7ChcLKTDwJDY/KHEObvlouNEpZJJL7I8QW3 d2qQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761706496; x=1762311296; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=v/z+HtnknAKnaovJbXB9+ZxjkflXoL5ptkzL8ulzkxs=; b=ACWxeZQNPv9FfP/vPtZKSColL3eFSNRAeSDXRh6F15yoAbtK2/He51hBaAUucV3kHF 0hrnhyPhzD3K0mVaWPiYHEnxmq5R2JhqJ9cbOQiEjPwiaYq6r2DusnRmWmnLUaSI//mE 2LqpDrG9hwwObYwsutW2pNEIPBt3oGq2vHPYNSUWnBF/pyRUzmdHiYXwzVxc8O3bleEy usNTD29CzM61wBDVYN60uv7cmsfLzEGhQxBUxenbgKta2xEVNUZnKDsLa4jTQFksWzI9 SZ1aSfubLAGe3JcJVCiZCPorgXW6ZRFNLHe481A8zXCaWQXdS86Myd19wvfple6rgkHV RFxQ== X-Gm-Message-State: AOJu0YyuEihUC4jOi2l97WjyO8+qNhVttxzbOW+7tG2AzDksoHQb1FDq vvlg1NHB3IGhYcZskWydmiCjml1MqmqAO2ydvaIEz14OAW/5cMHgNp27CVlvvpyHJx47Zmd6R0H 0QTqNxU0= X-Gm-Gg: ASbGncsadMc49eXwDsdzwlVn8UDX3Mhqq59kgDpnJ0c0RpXl0mp8bqsThwULFq4zD5n U325lRli90MRTpokRkrd2hUvU8X76BRplCPNh1PU5uDpWrcIy2ev+DwPm+8+OuXDe3PuHV4I6D9 uS4pk+AvHYQbTaXtEpN55I2xFdKFFcnrMo+aIz2kTYAEJCBIxmWqbzJcLshJy2S1Utq8DRlv1Hw HBpUBrg/gdvvu7RLBq0jrQXGPprRlldeorSvlwbwzRjF2gKTAVKVID3H83q9Ze4ysYTnI+HZ+rr A5CphPK7Fq7Idhp8ttdy1x23scCxyg+cKvQyifCzIEf4pRYSfRF7jSM1BfHhI5PIZmLkXfm6YcN G8VHGipddX8OcEPOloeeFAim0AW4dnFd1dQUESZgDVTHJ2IwVOvY8qF98IWgYChsPrGw= X-Google-Smtp-Source: AGHT+IEQMI3uBQh7aup4RgEPm4AhaKRZlggR7X7Zmf5V5RoLztUpEcErbfLlIQnrsewbP7DRnj9D7A== X-Received: by 2002:a17:902:da88:b0:294:cc1d:e2b3 with SMTP id d9443c01a7336-294deed41c8mr16123515ad.38.1761706495684; Tue, 28 Oct 2025 19:54:55 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:2bae:51f5:3bdc:4c68]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29498d27345sm131058945ad.54.2025.10.28.19.54.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Oct 2025 19:54:55 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/4] lz4: patch CVE-2025-62813 Date: Tue, 28 Oct 2025 19:54:30 -0700 Message-ID: <612d09f6b9e262640ed3ee0ee81ac4b6d7c29f4d.1761692326.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Oct 2025 02:55:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225426 From: Peter Marko Pick commit mentioned in NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../lz4/files/CVE-2025-62813.patch | 69 +++++++++++++++++++ meta/recipes-support/lz4/lz4_1.9.4.bb | 4 +- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/lz4/files/CVE-2025-62813.patch diff --git a/meta/recipes-support/lz4/files/CVE-2025-62813.patch b/meta/recipes-support/lz4/files/CVE-2025-62813.patch new file mode 100644 index 0000000000..cb4d497d7c --- /dev/null +++ b/meta/recipes-support/lz4/files/CVE-2025-62813.patch @@ -0,0 +1,69 @@ +From f64efec011c058bd70348576438abac222fe6c82 Mon Sep 17 00:00:00 2001 +From: louislafosse +Date: Mon, 31 Mar 2025 20:48:52 +0200 +Subject: [PATCH] fix(null) : improve error handlings when passing a null + pointer to some functions from lz4frame + +CVE: CVE-2025-62813 +Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82] +Signed-off-by: Peter Marko +--- + lib/lz4frame.c | 15 +++++++++++++-- + tests/frametest.c | 9 ++++++--- + 2 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/lib/lz4frame.c b/lib/lz4frame.c +index 85daca7b..c9e4a3cf 100644 +--- a/lib/lz4frame.c ++++ b/lib/lz4frame.c +@@ -530,9 +530,16 @@ LZ4F_CDict* + LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize) + { + const char* dictStart = (const char*)dictBuffer; +- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ LZ4F_CDict* cdict = NULL; ++ + DEBUGLOG(4, "LZ4F_createCDict_advanced"); +- if (!cdict) return NULL; ++ ++ if (!dictStart) ++ return NULL; ++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ if (!cdict) ++ return NULL; ++ + cdict->cmem = cmem; + if (dictSize > 64 KB) { + dictStart += dictSize - 64 KB; +@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx, + LZ4F_frameInfo_t* frameInfoPtr, + const void* srcBuffer, size_t* srcSizePtr) + { ++ assert(dctx != NULL); ++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null); ++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null); ++ + LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader); + if (dctx->dStage > dstage_storeFrameHeader) { + /* frameInfo already decoded */ +diff --git a/tests/frametest.c b/tests/frametest.c +index de0fe643..90247547 100644 +--- a/tests/frametest.c ++++ b/tests/frametest.c +@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility) + size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */ + size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL); + size_t cSizeNoDict, cSizeWithDict; +- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize); +- if (cdict == NULL) goto _output_error; +- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ LZ4F_CDict* cdict = NULL; + ++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ cdict = LZ4F_createCDict(CNBuffer, dictSize); ++ if (cdict == NULL) ++ goto _output_error; ++ + DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : "); + { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize); + if (cda == NULL) goto _output_error; diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb index a2a178bab5..16bb4d0823 100644 --- a/meta/recipes-support/lz4/lz4_1.9.4.bb +++ b/meta/recipes-support/lz4/lz4_1.9.4.bb @@ -12,7 +12,9 @@ PE = "1" SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964" -SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https" +SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \ + file://CVE-2025-62813.patch \ +" UPSTREAM_CHECK_GITTAGREGEX = "v(?P.*)" S = "${WORKDIR}/git"