From patchwork Tue Nov 18 11:03:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 74895
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 1/5] botan: patch CVE-2024-34703 Date: Wed, 19 Nov 2025 00:03:16 +1300 Message-ID: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Nov 2025 11:03:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121852 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2024-34703 Signed-off-by: Ankur Tyagi --- .../botan/botan/CVE-2024-34703.patch | 38 +++++++++++++++++++ meta-oe/recipes-crypto/botan/botan_3.2.0.bb | 4 +- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-crypto/botan/botan/CVE-2024-34703.patch diff --git a/meta-oe/recipes-crypto/botan/botan/CVE-2024-34703.patch b/meta-oe/recipes-crypto/botan/botan/CVE-2024-34703.patch new file mode 100644 index 0000000000..c3eb6e0936 --- /dev/null +++ b/meta-oe/recipes-crypto/botan/botan/CVE-2024-34703.patch 
@@ -0,0 +1,38 @@ +From 0d7909e8d88782fd827ed6869563c435f418c5ff Mon Sep 17 00:00:00 2001 +From: Jack Lloyd +Date: Tue, 20 Feb 2024 06:30:10 -0500 +Subject: [PATCH] When decoding an arbitrary elliptic curve, set an upper bound + on length + +Otherwise it's trivial to send a very large prime, which can take a +significant amount of computation to check. + +Reported by Bing Shi + +CVE: CVE-2024-34703 +Upstream-Status: Backport [https://github.com/randombit/botan/commit/fbe9ec578a8548958677224d2e60d2c2c838bc9a] +(cherry picked from commit fbe9ec578a8548958677224d2e60d2c2c838bc9a) +Signed-off-by: Ankur Tyagi +--- + src/lib/pubkey/ec_group/ec_group.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp +index eb4ed90e2..beaeedd51 100644 +--- a/src/lib/pubkey/ec_group/ec_group.cpp ++++ b/src/lib/pubkey/ec_group/ec_group.cpp +@@ -357,8 +357,12 @@ std::pair, bool> EC_Group::BER_decode_EC_group(co + .end_cons() + .verify_end(); + +- if(p.bits() < 64 || p.is_negative() || !is_bailie_psw_probable_prime(p)) { +- throw Decoding_Error("Invalid ECC p parameter"); ++ if(p.bits() < 112 || p.bits() > 1024) { ++ throw Decoding_Error("ECC p parameter is invalid size"); ++ } ++ ++ if(p.is_negative() || !is_bailie_psw_probable_prime(p)) { ++ throw Decoding_Error("ECC p parameter is not a prime"); + } + + if(a.is_negative() || a >= p) { diff --git a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb index 1fdda65a05..3c603a9b26 100644 --- a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb +++ b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb 
@@ -4,7 +4,9 @@ LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://license.txt;md5=f5254d3abe90ec5bb82c5694ff751546" SECTION = "libs" -SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz" +SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \ + file://CVE-2024-34703.patch \ +" SRC_URI[sha256sum] = "049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3" S = "${WORKDIR}/Botan-${PV}"
From patchwork Tue Nov 18 11:03:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 74896
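Review bot: in the ec_group.cpp hunk of PATCH 1/5, the new size check `p.bits() < 112 || p.bits() > 1024` also raises the lower bound from 64 to 112 bits, which neither the upstream subject ("set an upper bound on length") nor the recipe commit message mentions. On a stable branch that is a behaviour change: an explicitly encoded curve whose p has 64 to 111 bits decoded before and is now rejected with "ECC p parameter is invalid size". Please say so in the recipe commit message. Running the size check before is_bailie_psw_probable_prime(p) is what bounds the cost of the primality test and looks right.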
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 2/5] botan: patch CVE-2024-50382 and CVE-2024-50383 Date: Wed, 19 Nov 2025 00:03:17 +1300 Message-ID: <20251118110320.1635988-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> References: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Nov 2025 11:03:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121853 From: Ankur Tyagi Same patch fixes both vulnerabilities. Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382 https://nvd.nist.gov/vuln/detail/CVE-2024-50383 Signed-off-by: Ankur Tyagi --- .../CVE-2024-50382-and-CVE-2024-50383.patch | 66 +++++++++++++++++++ meta-oe/recipes-crypto/botan/botan_3.2.0.bb | 1 + 2 files changed, 67 insertions(+) create mode 100644 meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch diff --git a/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch b/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch new file mode 100644 index 0000000000..d1b625f19b --- /dev/null +++ b/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch 
@@ -0,0 +1,66 @@ +From 157bf1cd6877e16084e910d68c1844ac73b4f6ff Mon Sep 17 00:00:00 2001 +From: Jack Lloyd +Date: Sat, 19 Oct 2024 07:43:18 -0400 +Subject: [PATCH] Add more value barriers to avoid compiler induced side + channels + +The paper https://arxiv.org/pdf/2410.13489 claims that on specific +architectures Clang and GCC may introduce jumps here. The donna128 +issues only affect 32-bit processors, which explains why we would not +see it in the x86-64 valgrind runs. + +The GHASH leak would seem to be generic but the authors only observed +it on RISC-V. + +CVE: CVE-2024-50382 +CVE: CVE-2024-50383 +Upstream-Status: Backport [https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957] +(cherry picked from commit 53b0cfde580e86b03d0d27a488b6c134f662e957) +Signed-off-by: Ankur Tyagi +--- + src/lib/utils/donna128.h | 5 +++-- + src/lib/utils/ghash/ghash.cpp | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h +index f39f57f97..ab7fb4c83 100644 +--- a/src/lib/utils/donna128.h ++++ b/src/lib/utils/donna128.h +@@ -8,6 +8,7 @@ + #ifndef BOTAN_CURVE25519_DONNA128_H_ + #define BOTAN_CURVE25519_DONNA128_H_ + ++#include + #include + + namespace Botan { +@@ -54,14 +55,14 @@ class donna128 final { + l += x.l; + h += x.h; + +- const uint64_t carry = (l < x.l); ++ const uint64_t carry = CT::Mask::is_lt(l, x.l).if_set_return(1); + h += carry; + return *this; + } + + donna128& operator+=(uint64_t x) { + l += x; +- const uint64_t carry = (l < x); ++ const uint64_t carry = CT::Mask::is_lt(l, x).if_set_return(1); + h += carry; + return *this; + } +diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp +index 38604afdb..5c244b4f8 100644 +--- a/src/lib/utils/ghash/ghash.cpp ++++ b/src/lib/utils/ghash/ghash.cpp +@@ -129,7 +129,7 @@ void GHASH::key_schedule(std::span key) { + m_HM[4 * j + 2 * i + 1] = H1; + + // GCM's bit ops are reversed so we carry out of the bottom +- 
const uint64_t carry = R * (H1 & 1); ++ const uint64_t carry = CT::Mask::expand(H1 & 1).if_set_return(R); + H1 = (H1 >> 1) | (H0 << 63); + H0 = (H0 >> 1) ^ carry; + } diff --git a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb index 3c603a9b26..ef3e63a93b 100644 --- a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb +++ b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb 
@@ -6,6 +6,7 @@ SECTION = "libs" SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \ file://CVE-2024-34703.patch \ + file://CVE-2024-50382-and-CVE-2024-50383.patch \ " SRC_URI[sha256sum] = "049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3"
From patchwork Tue Nov 18 11:03:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 74897
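Review bot: ghash.cpp gets no new include in PATCH 2/5 although its hunk starts using CT::Mask (`CT::Mask::expand(H1 & 1).if_set_return(R)`); only donna128.h gains an #include line, and the diffstat shows a single changed line in ghash.cpp. Please confirm that ghash.cpp in Botan 3.2.0 already includes the constant-time utilities header and that the is_lt, expand and if_set_return helpers exist in that release, and state in the commit message that the recipe was build-tested with the patch applied. Since the upstream message says the donna128 issue only affects 32-bit processors, a build for a 32-bit machine is the relevant test for that hunk.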
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 3/5] freerdp3: patch CVE-2025-4478 Date: Wed, 19 Nov 2025 00:03:18 +1300 Message-ID: <20251118110320.1635988-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> References: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Nov 2025 11:03:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121854 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2025-4478 Signed-off-by: Ankur Tyagi --- .../freerdp/freerdp3/CVE-2025-4478.patch | 60 +++++++++++++++++++ .../recipes-support/freerdp/freerdp3_3.4.0.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch new file mode 100644 index 0000000000..f1315a38da --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch 
@@ -0,0 +1,60 @@ +From 36cd5554b50656f3492197f0fc02534dcc6b980f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonas=20=C3=85dahl?= +Date: Tue, 13 May 2025 10:34:08 +0200 +Subject: [PATCH] transport: Initialize function pointers after resource + allocation + +The transport instance is freed when an error occurs. +If the TransportDisconnect function pointer is initialized it +causes SIGSEGV during free. + +CVE: CVE-2025-4478 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/a4bb702aa62e4fad91ca99142de075265555ec18] +(cherry picked from commit a4bb702aa62e4fad91ca99142de075265555ec18) +Signed-off-by: Ankur Tyagi +--- + libfreerdp/core/transport.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c +index a2a899b79..552a28a60 100644 +--- a/libfreerdp/core/transport.c ++++ b/libfreerdp/core/transport.c +@@ -1560,18 +1560,6 @@ rdpTransport* transport_new(rdpContext* context) + if (!transport->log) + goto fail; + +- // transport->io.DataHandler = transport_data_handler; +- transport->io.TCPConnect = freerdp_tcp_default_connect; +- transport->io.TLSConnect = transport_default_connect_tls; +- transport->io.TLSAccept = transport_default_accept_tls; +- transport->io.TransportAttach = transport_default_attach; +- transport->io.TransportDisconnect = transport_default_disconnect; +- transport->io.ReadPdu = transport_default_read_pdu; +- transport->io.WritePdu = transport_default_write; +- transport->io.ReadBytes = transport_read_layer; +- transport->io.GetPublicKey = transport_default_get_public_key; +- transport->io.SetBlockingMode = transport_default_set_blocking_mode; +- + transport->context = context; + transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE); + +@@ -1610,6 +1598,18 @@ rdpTransport* transport_new(rdpContext* context) + if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000)) + goto fail; + ++ // transport->io.DataHandler 
= transport_data_handler; ++ transport->io.TCPConnect = freerdp_tcp_default_connect; ++ transport->io.TLSConnect = transport_default_connect_tls; ++ transport->io.TLSAccept = transport_default_accept_tls; ++ transport->io.TransportAttach = transport_default_attach; ++ transport->io.TransportDisconnect = transport_default_disconnect; ++ transport->io.ReadPdu = transport_default_read_pdu; ++ transport->io.WritePdu = transport_default_write; ++ transport->io.ReadBytes = transport_read_layer; ++ transport->io.GetPublicKey = transport_default_get_public_key; ++ transport->io.SetBlockingMode = transport_default_set_blocking_mode; ++ + return transport; + fail: + WINPR_PRAGMA_DIAG_PUSH diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb index a272ba0ecb..3558697d42 100644 --- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb +++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb 
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \ file://CVE-2024-32660.patch \ file://CVE-2024-32661.patch \ file://CVE-2024-32662.patch \ + file://CVE-2025-4478.patch \ " S = "${WORKDIR}/git"
From patchwork Tue Nov 18 11:03:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 74898
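Review bot: the reordering in the transport.c hunks of PATCH 3/5 only prevents the crash if transport->io.TransportDisconnect is NULL on every `goto fail` path, which relies on the transport struct being zero-initialised at allocation; that allocation and the body of the `fail:` label are outside the visible context. Please confirm both against the 3.4.0 sources this recipe builds, since the upstream commit is dated 13 May 2025 and was written against a newer tree. The commented-out `// transport->io.DataHandler = transport_data_handler;` line moves with the block, which matches upstream and is fine for a backport.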
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 4/5] hdf5: patch CVE-2025-2926 Date: Wed, 19 Nov 2025 00:03:19 +1300 Message-ID: <20251118110320.1635988-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> References: <20251118110320.1635988-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Nov 2025 11:03:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121855 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2025-2926 Signed-off-by: Ankur Tyagi --- .../hdf5/files/CVE-2025-2926.patch | 32 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2926.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2926.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2926.patch new file mode 100644 index 0000000000..c752de66e4 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2926.patch 
@@ -0,0 +1,32 @@ +From 6680a7795b76d451ff17f193e5cdca7a86b01699 Mon Sep 17 00:00:00 2001 +From: bmribler <39579120+bmribler@users.noreply.github.com> +Date: Mon, 3 Nov 2025 13:01:04 -0500 +Subject: [PATCH] Fix CVE-2025-2926 (#5841) + +An image size was corrupted and decoded as 0 resulting in a NULL image buffer, +which caused a NULL pointer dereference when the image being copied to the buffer. +The invalid image size was caught in the PR #5710. This change catches right +before the copying. + +Fixes GH issue #5384 + +CVE: CVE-2025-2926 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/d37b537ff256f0fa65cb4f82b20f286ad9a2e1e2] +(cherry picked from commit d37b537ff256f0fa65cb4f82b20f286ad9a2e1e2) +Signed-off-by: Ankur Tyagi +--- + src/H5Ocache.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index 6916a9044c..9b82509812 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -610,6 +610,7 @@ H5O__cache_chk_get_initial_load_size(void *_udata, size_t *image_len) + assert(udata); + assert(udata->oh); + assert(image_len); ++ assert(udata->size); + + /* Set the image length size */ + *image_len = udata->size; diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 80828ad30c..8a37323536 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb 
@@ -23,6 +23,7 @@ SRC_URI = " \ file://CVE-2025-2925.patch \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_01.patch \ file://CVE-2025-6269-CVE-2025-6270-CVE-2025-6516_02.patch \ + file://CVE-2025-2926.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
From patchwork Tue Nov 18 11:03:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 74899
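Review bot: the only code change in the H5Ocache.c hunk of PATCH 4/5 is `assert(udata->size);`, which is compiled out when NDEBUG is defined, so in a release build a zero size still reaches `*image_len = udata->size;`. The upstream message itself says the invalid image size is caught by PR #5710 and that this change is an additional check right before the copy. Please state whether the PR #5710 change is present in hdf5 1.14.4-3 or carried as a patch in this recipe; if it is not, the CVE: tag in this patch marks CVE-2025-2926 as patched for CVE checking while the NULL pointer dereference stays reachable in non-debug builds.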
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 5/5] iptraf-ng: patch CVE-2024-52949
Date: Wed, 19 Nov 2025 00:03:20 +1300
Message-ID: <20251118110320.1635988-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20251118110320.1635988-1-ankur.tyagi85@gmail.com>
References: <20251118110320.1635988-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121856

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52949

Pick the commit that mentions the CVE in its description.

Signed-off-by: Gyorgy Sarvari
(cherry picked from commit 16071ef98f7cfd1501e9c399ac27afe2e061b22a)
Signed-off-by: Ankur Tyagi
---
 .../iptraf/iptraf-ng/CVE-2024-52949.patch | 218 ++++++++++++++++++ .../iptraf/iptraf-ng_1.2.1.bb | 1 + 2 files changed, 219 insertions(+) create mode 100644 meta-oe/recipes-devtools/iptraf/iptraf-ng/CVE-2024-52949.patch diff --git a/meta-oe/recipes-devtools/iptraf/iptraf-ng/CVE-2024-52949.patch b/meta-oe/recipes-devtools/iptraf/iptraf-ng/CVE-2024-52949.patch new file mode 100644 index 0000000000..be6624dcdb --- /dev/null +++ b/meta-oe/recipes-devtools/iptraf/iptraf-ng/CVE-2024-52949.patch
@@ -0,0 +1,218 @@ +From 6a35a7f68c2dd946c5092376d71bbf0b925e2c4e Mon Sep 17 00:00:00 2001 +From: Vitezslav Samel +Date: Thu, 21 Nov 2024 08:43:57 +0100 +Subject: [PATCH] interface names: limit length to IFNAMSIZ + +This fixes CVE-2024-52949 (stack based buffer overflow) +when copying user supplied interface name without any +check. + +Problem was reported by Massimiliano Ferraresi and Massimiliano Brolli +from TIM Red team (https://www.gruppotim.it/it/footer/red-team.html) + +CVE: CVE-2024-52949 +Upstream-Status: Backport [https://github.com/iptraf-ng/iptraf-ng/commit/2b623e991115358a57275af8a53feb5ae707b3ae] + +Reported-by: Massimiliano Ferraresi, Massimiliano Brolli +Signed-off-by: Vitezslav Samel +--- + src/ifaces.c | 16 ++++++++-------- + src/ifstats.c | 6 +++--- + src/iptraf-ng-compat.h | 1 + + src/iptraf.c | 9 +++++++++ + src/othptab.c | 2 +- + src/promisc.c | 2 +- + src/tcptable.c | 4 ++-- + src/wrapper.c | 8 ++++++++ + 8 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/src/ifaces.c b/src/ifaces.c +index aeb1614..4c5a545 100644 +--- a/src/ifaces.c ++++ b/src/ifaces.c +@@ -67,7 +67,7 @@ int dev_up(char *iface) + + fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); + +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, iface); + ir = ioctl(fd, SIOCGIFFLAGS, &ifr); + + close(fd); +@@ -90,7 +90,7 @@ int dev_get_ifindex(const char *iface) + return fd; + + struct ifreq ifr; +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, iface); + int ir = ioctl(fd, SIOCGIFINDEX, &ifr); + + /* need to preserve errno across call to close() */ +@@ -114,7 +114,7 @@ int dev_get_mtu(const char *iface) + return fd; + + struct ifreq ifr; +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, iface); + int ir = ioctl(fd, SIOCGIFMTU, &ifr); + + /* need to preserve errno across call to close() */ +@@ -138,7 +138,7 @@ int dev_get_flags(const char *iface) + return fd; + + struct ifreq ifr; +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, 
iface); + int ir = ioctl(fd, SIOCGIFFLAGS, &ifr); + + /* need to preserve errno across call to close() */ +@@ -162,7 +162,7 @@ int dev_set_flags(const char *iface, int flags) + return fd; + + struct ifreq ifr; +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, iface); + int ir = ioctl(fd, SIOCGIFFLAGS, &ifr); + if (ir == -1) + goto err; +@@ -190,7 +190,7 @@ int dev_clear_flags(const char *iface, int flags) + return fd; + + struct ifreq ifr; +- strcpy(ifr.ifr_name, iface); ++ ifname_copy(ifr.ifr_name, iface); + int ir = ioctl(fd, SIOCGIFFLAGS, &ifr); + if (ir == -1) + goto err; +@@ -233,7 +233,7 @@ int dev_get_ifname(int ifindex, char *ifname) + return ir; + } + +- strncpy(ifname, ifr.ifr_name, IFNAMSIZ); ++ ifname_copy(ifname, ifr.ifr_name); + return ir; + } + +@@ -256,7 +256,7 @@ int dev_bind_ifname(int fd, const char * const ifname) + int ir; + struct ifreq ifr; + +- strcpy(ifr.ifr_name, ifname); ++ ifname_copy(ifr.ifr_name, ifname); + ir = ioctl(fd, SIOCGIFINDEX, &ifr); + if (ir) + return ir; +diff --git a/src/ifstats.c b/src/ifstats.c +index 00a2a3f..1b687b6 100644 +--- a/src/ifstats.c ++++ b/src/ifstats.c +@@ -194,7 +194,7 @@ static void initiflist(struct iflist **list) + + struct iflist *itmp = alloc_iflist_entry(); + itmp->ifindex = ifindex; +- strcpy(itmp->ifname, ifname); ++ ifname_copy(itmp->ifname, ifname); + + /* make the linked list sorted by ifindex */ + struct iflist *cur = *list, *last = NULL; +@@ -714,9 +714,9 @@ void selectiface(char *ifname, int withall, int *aborted) + if (!(*aborted) && (list != NULL)) { + ptmp = (struct iflist *) scrolllist.textptr->nodeptr; + if ((withall) && (ptmp->prev_entry == NULL)) /* All Interfaces */ +- strcpy(ifname, ""); ++ ifname_copy(ifname, ""); + else +- strcpy(ifname, ptmp->ifname); ++ ifname_copy(ifname, ptmp->ifname); + } + + tx_destroy_list(&scrolllist); +diff --git a/src/iptraf-ng-compat.h b/src/iptraf-ng-compat.h +index 5aec185..845f18b 100644 +--- a/src/iptraf-ng-compat.h ++++ 
b/src/iptraf-ng-compat.h +@@ -112,6 +112,7 @@ extern void *xmallocz(size_t size); + extern char *xstrdup(const char *s); + extern int strtoul_ui(char const *s, int base, unsigned int *result); + extern int strtol_i(char const *s, int base, int *result); ++extern void ifname_copy(char *dst, const char *src); + + extern void die(const char *err, ...) __noreturn __printf(1,2); + extern void die_errno(const char *fmt, ...) __noreturn __printf(1,2); +diff --git a/src/iptraf.c b/src/iptraf.c +index 95f8e53..e5dcb64 100644 +--- a/src/iptraf.c ++++ b/src/iptraf.c +@@ -388,6 +388,15 @@ int main(int argc, char **argv) + if (__builtin_popcount(command) > 1) + die("only one of -i|-d|-s|-z|-l|-g options must be used"); + ++ /* sanity check of passed arguments */ ++ if ((i_opt && strlen(i_opt) >= IFNAMSIZ) || ++ (d_opt && strlen(d_opt) >= IFNAMSIZ) || ++ (s_opt && strlen(s_opt) >= IFNAMSIZ) || ++ (z_opt && strlen(z_opt) >= IFNAMSIZ) || ++ (l_opt && strlen(l_opt) >= IFNAMSIZ)) { ++ die("interface name is too long"); ++ } ++ + strcpy(current_logfile, ""); + + if (f_opt) { +diff --git a/src/othptab.c b/src/othptab.c +index d1d9658..80f3dc8 100644 +--- a/src/othptab.c ++++ b/src/othptab.c +@@ -271,7 +271,7 @@ struct othptabent *add_othp_entry(struct othptable *table, struct pkt_hdr *pkt, + } + + new_entry->protocol = protocol; +- strcpy(new_entry->iface, ifname); ++ ifname_copy(new_entry->iface, ifname); + + new_entry->pkt_length = pkt->pkt_len; + +diff --git a/src/promisc.c b/src/promisc.c +index d94e8bb..4737962 100644 +--- a/src/promisc.c ++++ b/src/promisc.c +@@ -70,7 +70,7 @@ static void promisc_enable_dev(struct list_head *promisc, int sock, const char * + struct promisc_list *new = xmallocz(sizeof(*new)); + + new->ifindex = ifindex; +- strcpy(new->ifname, dev); ++ ifname_copy(new->ifname, dev); + list_add_tail(&new->list, promisc); + } + +diff --git a/src/tcptable.c b/src/tcptable.c +index 159d628..2c4efc1 100644 +--- a/src/tcptable.c ++++ b/src/tcptable.c +@@ -365,8 +365,8 
@@ struct tcptableent *addentry(struct tcptable *table, + * Store interface name + */ + +- strcpy(new_entry->ifname, ifname); +- strcpy(new_entry->oth_connection->ifname, ifname); ++ ifname_copy(new_entry->ifname, ifname); ++ ifname_copy(new_entry->oth_connection->ifname, ifname); + + /* + * Zero out MAC address fields +diff --git a/src/wrapper.c b/src/wrapper.c +index 2eb3b59..1d2dc6f 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -78,3 +78,11 @@ int strtol_i(char const *s, int base, int *result) + *result = ul; + return 0; + } ++ ++/* it's up to the caller to ensure there is room for */ ++/* at least IFNAMSIZ bytes in dst */ ++void ifname_copy(char *dst, const char *src) ++{ ++ strncpy(dst, src, IFNAMSIZ - 1); ++ dst[IFNAMSIZ - 1] = '\0'; ++} diff --git a/meta-oe/recipes-devtools/iptraf/iptraf-ng_1.2.1.bb b/meta-oe/recipes-devtools/iptraf/iptraf-ng_1.2.1.bb index 0f6bbb4d54..a622621990 100644 --- a/meta-oe/recipes-devtools/iptraf/iptraf-ng_1.2.1.bb +++ b/meta-oe/recipes-devtools/iptraf/iptraf-ng_1.2.1.bb @@ -28,6 +28,7 @@ SRC_URI = "https://src.fedoraproject.org/repo/pkgs/iptraf-ng/v${PV}.tar.gz/sha51 file://iptraf-ng-tmpfiles.conf \ file://ncurses-config.patch \ file://0001-make-Make-CC-weak-assignment.patch \ + file://CVE-2024-52949.patch \ " SRC_URI[sha256sum] = "9f5cef584065420dea1ba32c86126aede1fa9bd25b0f8362b0f9fd9754f00870"
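Review bot: ifname_copy() in src/wrapper.c takes no destination size and unconditionally writes dst[IFNAMSIZ - 1], so every destination must be at least IFNAMSIZ bytes, and the diff does not show that for the fields it now targets: new_entry->iface in othptab.c, new->ifname in promisc.c, itmp->ifname in ifstats.c, new_entry->ifname and new_entry->oth_connection->ifname in tcptable.c, plus the caller-supplied ifname in dev_get_ifname() and selectiface(). Because strncpy zero-fills up to IFNAMSIZ - 1, a shorter destination would be overrun on every call, not only on long input. Please confirm those declarations are char[IFNAMSIZ] or larger, or have the helper take the destination size instead of relying on the comment "it's up to the caller to ensure there is room".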
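Review bot: the length check added to main() in src/iptraf.c tests i_opt, d_opt, s_opt, z_opt and l_opt, while the die() message directly above it also lists -g; if -g can carry an interface name it needs the same strlen(...) >= IFNAMSIZ test, and if it cannot, a one-line comment saying so would save the next reader the lookup. This check is also the only place an overlong name is rejected: ifname_copy() truncates silently, so a name arriving from any other source is shortened to its first IFNAMSIZ - 1 bytes and the ioctl that follows may act on a different interface than the one requested. Consider having ifname_copy() report truncation so callers can fail instead of continuing with a shortened name.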
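Review bot: in the header of the embedded CVE-2024-52949.patch, the From line carries 6a35a7f68c2dd946c5092376d71bbf0b925e2c4e while Upstream-Status: Backport points at commit 2b623e991115358a57275af8a53feb5ae707b3ae, and the commit message does not say which one the content was taken from. Please state whether the patch was regenerated against the 1.2.1 sources or applied unmodified from upstream, so the backport added to SRC_URI in iptraf-ng_1.2.1.bb can be checked against the referenced commit.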