From patchwork Wed Nov 19 20:42:09 2025 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75044
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/7] elfutils: Fix CVE-2025-1376 Date: Wed, 19 Nov 2025 12:42:09 -0800 Message-ID: <1126e5c1e63b876499c78ac403d1327645edf1c7.1763584791.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226591 From: Soumya Sambu A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-1376 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918 Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../elfutils/elfutils_0.186.bb | 1 + .../elfutils/files/CVE-2025-1376.patch | 58 +++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.186.bb b/meta/recipes-devtools/elfutils/elfutils_0.186.bb index b945766b75..9f0fb43d50 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.186.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.186.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://0001-debuginfod-debuginfod-client.c-use-long-for-cache-ti.patch \ file://CVE-2025-1352.patch \ file://CVE-2025-1372.patch \ + file://CVE-2025-1376.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch new file mode 100644 index 0000000000..1f40add305 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch 
@@ -0,0 +1,58 @@ +From b16f441cca0a4841050e3215a9f120a6d8aea918 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 00:02:32 +0100 +Subject: [PATCH] libelf: Handle elf_strptr on section without any data + +In the unlikely situation that elf_strptr was called on a section with +sh_size already set, but that doesn't have any data yet we could crash +trying to verify the string to return. + +This could happen for example when a new section was created with +elf_newscn, but no data having been added yet. + + * libelf/elf_strptr.c (elf_strptr): Check strscn->rawdata_base + is not NULL. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32672 + +Signed-off-by: Mark Wielaard + +CVE: CVE-2025-1376 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918] + +Signed-off-by: Soumya Sambu +--- + libelf/elf_strptr.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/libelf/elf_strptr.c b/libelf/elf_strptr.c +index c5a94f8..7be7f5e 100644 +--- a/libelf/elf_strptr.c ++++ b/libelf/elf_strptr.c +@@ -1,5 +1,6 @@ + /* Return string pointer from string section. + Copyright (C) 1998-2002, 2004, 2008, 2009, 2015 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Contributed by Ulrich Drepper , 1998. + +@@ -183,9 +184,12 @@ elf_strptr (Elf *elf, size_t idx, size_t offset) + // initialized yet (when data_read is zero). So we cannot just + // look at the rawdata.d.d_size. + +- /* Make sure the string is NUL terminated. Start from the end, +- which very likely is a NUL char. */ +- if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) ++ /* First check there actually is any data. This could be a new ++ section which hasn't had any data set yet. Then make sure ++ the string is at a valid offset and NUL terminated. 
*/ ++ if (unlikely (strscn->rawdata_base == NULL)) ++ __libelf_seterrno (ELF_E_INVALID_SECTION); ++ else if (likely (validate_str (strscn->rawdata_base, offset, sh_size))) + result = &strscn->rawdata_base[offset]; + else + __libelf_seterrno (ELF_E_INVALID_INDEX); +-- +2.40.0 + From patchwork Wed Nov 19 20:42:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75047 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EC59CF58F8 for ; Wed, 19 Nov 2025 20:42:41 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17209.1763584945917377696 for ; Wed, 19 Nov 2025 12:42:25 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=XPJHaeBD; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-29586626fbeso2025905ad.0 for ; Wed, 19 Nov 2025 12:42:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1763584945; x=1764189745; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=63p2fjl83WAe62P8/MeeNXLaZwMfD46zit7jYYqWLRc=; b=XPJHaeBD7BEAIVVGksFELQUPu5Ft730Fz/DMBJyboYfNBdJNsJVxsPrqDZf2CYxTDq w4ISsfs0VP6tkqKPbIxk2AtHMpfp6sgFNL7mo9ZXIm46nsRK+ef0ON5nuKligGxHF1gs 7ET2kJbFohUAstOsfT1oc13QvP0WZtOVN0iAdAow12w0+9N8seSEtPoxbPo/ziYyu0l6 YZLPLLvnx25SbJBC0O61Z169yWKYz3V7EiURVGJRc/W7WaTi1tKuHGUn4jcLFJ8kfthO 
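Review bot: in the libelf/elf_strptr.c hunk, the new `strscn->rawdata_base == NULL` branch sets ELF_E_INVALID_SECTION while the existing failure branch keeps ELF_E_INVALID_INDEX, so callers on kirkstone that inspect the libelf error after elf_strptr returns NULL can now see a different code for a section created with elf_newscn and no data yet; that deserves a line in the commit message. The message also quotes the advisory text for elfutils 0.192 while the SRC_URI hunk adds the patch to elfutils_0.186.bb, so please state that 0.186 has the same unguarded validate_str call and whether the upstream commit applied unmodified or needed a context refresh.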
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/7] elfutils: Fix CVE-2025-1377 Date: Wed, 19 Nov 2025 12:42:10 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226592 From: Soumya Sambu A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-1377 Upstream patch: https://sourceware.org/git/?p=elfutils.git;a=commit;h=fbf1df9ca286de3323ae541973b08449f8d03aba Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../elfutils/elfutils_0.186.bb | 1 + .../elfutils/files/CVE-2025-1377.patch | 68 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch diff --git a/meta/recipes-devtools/elfutils/elfutils_0.186.bb b/meta/recipes-devtools/elfutils/elfutils_0.186.bb index 9f0fb43d50..f97a97c673 100644 --- a/meta/recipes-devtools/elfutils/elfutils_0.186.bb +++ b/meta/recipes-devtools/elfutils/elfutils_0.186.bb @@ -26,6 +26,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \ file://CVE-2025-1352.patch \ file://CVE-2025-1372.patch \ file://CVE-2025-1376.patch \ + file://CVE-2025-1377.patch \ " SRC_URI:append:libc-musl = " \ file://0003-musl-utils.patch \ 
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch new file mode 100644 index 0000000000..de263738f2 --- /dev/null +++ b/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch 
@@ -0,0 +1,68 @@ +From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 13 Feb 2025 14:59:34 +0100 +Subject: [PATCH] strip: Verify symbol table is a real symbol table + +We didn't check the symbol table referenced from the relocation table +was a real symbol table. This could cause a crash if that section +happened to be an SHT_NOBITS section without any data. Fix this by +adding an explicit check. + + * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a + message string to display. + (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1). + (remove_debug_relocations): Check the sh_link referenced + section is real and isn't a SHT_NOBITS section. + +https://sourceware.org/bugzilla/show_bug.cgi?id=32673 + +Signed-off-by: Mark Wielaard + +CVE: CVE-2025-1377 + +Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=fbf1df9ca286de3323ae541973b08449f8d03aba] + +Signed-off-by: Soumya Sambu +--- + src/strip.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/strip.c b/src/strip.c +index d5b753d..0cfd8c8 100644 +--- a/src/strip.c ++++ b/src/strip.c +@@ -127,13 +127,14 @@ static char *tmp_debug_fname = NULL; + /* Close debug file descriptor, if opened. And remove temporary debug file. */ + static void cleanup_debug (void); + +-#define INTERNAL_ERROR(fname) \ ++#define INTERNAL_ERROR_MSG(fname, msg) \ + do { \ + cleanup_debug (); \ + error (EXIT_FAILURE, 0, _("%s: INTERNAL ERROR %d (%s): %s"), \ +- fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1)); \ ++ fname, __LINE__, PACKAGE_VERSION, msg); \ + } while (0) + ++#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1)) + + /* Name of the output file. */ + static const char *output_fname; +@@ -632,7 +633,13 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr, + resolve relocation symbol indexes. 
*/ + Elf64_Word symt = shdr->sh_link; + Elf_Data *symdata, *xndxdata; +- Elf_Scn * symscn = elf_getscn (elf, symt); ++ Elf_Scn *symscn = elf_getscn (elf, symt);GElf_Shdr symshdr_mem; ++ GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem); ++ if (symshdr == NULL) ++ INTERNAL_ERROR (fname); ++ if (symshdr->sh_type == SHT_NOBITS) ++ INTERNAL_ERROR_MSG (fname, "NOBITS section"); ++ + symdata = elf_getdata (symscn, NULL); + xndxdata = get_xndxdata (elf, symscn); + if (symdata == NULL) +-- +2.40.0 + From patchwork Wed Nov 19 20:42:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75046 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 529A0CF58F9 for ; Wed, 19 Nov 2025 20:42:41 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17210.1763584947507586515 for ; Wed, 19 Nov 2025 12:42:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=HjAjXAbg; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-297e982506fso2255535ad.2 for ; Wed, 19 Nov 2025 12:42:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1763584947; x=1764189747; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=B0RPyu6MjkbsiOmby6gUX+y357/fU/tyYdWpbYHVa3Y=; b=HjAjXAbg2Gy6344kqkLVC/zUNJnX5zqAHZbUAQDb1VeyRK5qObRQy/s7uegs7v45nP 
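Review bot: in the second src/strip.c hunk (remove_debug_relocations), the added line `Elf_Scn *symscn = elf_getscn (elf, symt);GElf_Shdr symshdr_mem;` carries two statements, and both the hunk header (13 new lines) and the diffstat (10 insertions) match that form, so the join is in the patch file itself rather than a mail artifact. Put `GElf_Shdr symshdr_mem;` on its own line and adjust the counts, or say next to Upstream-Status that the backport was modified. Separately, the subject says the symbol table is verified to be a real symbol table, but the added check only rejects `symshdr->sh_type == SHT_NOBITS`; other non-symbol-table section types referenced by sh_link are still accepted, which is worth a comment in the code or the commit message.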
([2602:feb4:3b:2100:95e8:2651:d6f9:404e]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7c3ecf7d5adsm269866b3a.11.2025.11.19.12.42.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Nov 2025 12:42:26 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/7] xwayland: Fix for CVE-2025-62229 Date: Wed, 19 Nov 2025 12:42:11 -0800 Message-ID: <5c6a07f215e00392b1831ed89ac0f8180823e124.1763584791.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226593 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-62229.patch | 89 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch new file mode 100644 index 0000000000..634e8d44f1 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch 
@@ -0,0 +1,89 @@ +From 5a4286b13f631b66c20f5bc8db7b68211dcbd1d0 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 2 Jul 2025 09:46:22 +0200 +Subject: [PATCH] present: Fix use-after-free in present_create_notifies() + +Using the Present extension, if an error occurs while processing and +adding the notifications after presenting a pixmap, the function +present_create_notifies() will clean up and remove the notifications +it added. + +However, there are two different code paths that can lead to an error +creating the notify, one being before the notify is being added to the +list, and another one after the notify is added. + +When the error occurs before it's been added, it removes the elements up +to the last added element, instead of the actual number of elements +which were added. + +As a result, in case of error, as with an invalid window for example, it +leaves a dangling pointer to the last element, leading to a use after +free case later: + + | Invalid write of size 8 + | at 0x5361D5: present_clear_window_notifies (present_notify.c:42) + | by 0x534A56: present_destroy_window (present_screen.c:107) + | by 0x41E441: xwl_destroy_window (xwayland-window.c:1959) + | by 0x4F9EC9: compDestroyWindow (compwindow.c:622) + | by 0x51EAC4: damageDestroyWindow (damage.c:1592) + | by 0x4FDC29: DbeDestroyWindow (dbe.c:1291) + | by 0x4EAC55: FreeWindowResources (window.c:1023) + | by 0x4EAF59: DeleteWindow (window.c:1091) + | by 0x4DE59A: doFreeResource (resource.c:890) + | by 0x4DEFB2: FreeClientResources (resource.c:1156) + | by 0x4A9AFB: CloseDownClient (dispatch.c:3567) + | by 0x5DCC78: ClientReady (connection.c:603) + | Address 0x16126200 is 16 bytes inside a block of size 2,048 free'd + | at 0x4841E43: free (vg_replace_malloc.c:989) + | by 0x5363DD: present_destroy_notifies (present_notify.c:111) + | by 0x53638D: present_create_notifies (present_notify.c:100) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: 
proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48463F3: calloc (vg_replace_malloc.c:1675) + | by 0x5362A1: present_create_notifies (present_notify.c:81) + | by 0x5368E9: proc_present_pixmap_common (present_request.c:164) + | by 0x536A7D: proc_present_pixmap (present_request.c:189) + | by 0x536FA9: proc_present_dispatch (present_request.c:337) + | by 0x4A1E4E: Dispatch (dispatch.c:561) + | by 0x4B00F1: dix_main (main.c:284) + | by 0x42879D: main (stubmain.c:34) + +To fix the issue, count and remove the actual number of notify elements +added in case of error. + +CVE-2025-62229, ZDI-CAN-27238 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b13f631b66c20f5bc8db7b68211dcbd1d0] +CVE: CVE-2025-62229 +Signed-off-by: Vijay Anusuri +--- + present/present_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/present/present_notify.c b/present/present_notify.c +index 7d19d9cfe1..fe84d1f070 100644 +--- a/present/present_notify.c ++++ b/present/present_notify.c +@@ -92,7 +92,7 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no + if (status != Success) + goto bail; + +- added = i; ++ added++; + } + return Success; + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 73f5a05ce7..ba0ed6048e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -50,6 +50,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49178.patch \ file://CVE-2025-49179.patch \ file://CVE-2025-49180.patch \ + file://CVE-2025-62229.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" From patchwork Wed Nov 19 20:42:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75041 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27102CF58EF for ; Wed, 19 Nov 2025 20:42:41 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.17326.1763584949357085730 for ; Wed, 19 Nov 2025 12:42:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=wjqGJkcE; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-7b86e0d9615so178948b3a.0 for ; Wed, 19 Nov 2025 12:42:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1763584948; x=1764189748; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lJWmz3eSG+Fia3aHH+m9exBQ+KP3Ny1We9TvOGO7SXs=; b=wjqGJkcEvTkKI6Q2OOnLF93icy2A0IOGFXvFHxzmHxBSS7q12I3uZjVQ8kFsYtBhke 9b808Tp6QDnaBaAKW4lifUYr/QlbJzEnPMaB1xa3QYZAgW9ouMuaCY1RglXJ6+/kgD21 pxm9Ye4vtYJYZGMjv3ovAXuvxh9S+gShUtsVVLAQ5FjldxUjDIxwcHkonvSyTQW88k8P sLe/iUvrJcLEsbyQM3c23L5hn4XX4p1bnCg9JT5FhMOEEih+03e+W50UwhILffChlQ77 
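Review bot: in the present/present_notify.c hunk, replacing `added = i;` with `added++;` is only correct if `added` starts at 0 before the loop and the `bail` path treats it as a count of elements to remove; neither the initialisation nor the `bail` label falls inside the hunk's context lines, so please confirm both against the 22.1.8 source this recipe builds. The OE-core commit message carries only the Upstream-Status and sign-off lines; add a one-line summary of the use-after-free in present_create_notifies() so the recipe history is readable without opening the patch file.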
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/7] xwayland: Fix for CVE-2025-62230 Date: Wed, 19 Nov 2025 12:42:12 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226594 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175 & https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-62230-1.patch | 63 +++++++++++++ .../xwayland/xwayland/CVE-2025-62230-2.patch | 92 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 2 + 3 files changed, 157 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch new file mode 100644 index 0000000000..a3a0bae2d5 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch 
@@ -0,0 +1,63 @@ +From 865089ca70840c0f13a61df135f7b44a9782a175 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:55:06 +0200 +Subject: [PATCH] xkb: Make the RT_XKBCLIENT resource private +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, the resource in only available to the xkb.c source file. + +In preparation for the next commit, to be able to free the resources +from XkbRemoveResourceClient(), make that variable private instead. + +This is related to: + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 99790a2c9205a52fbbec01f21a92c9b7f4ed1d8f) + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175] +CVE: CVE-2025-62230 +Signed-off-by: Vijay Anusuri +--- + include/xkbsrv.h | 2 ++ + xkb/xkb.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/xkbsrv.h b/include/xkbsrv.h +index fbb5427e1c..b2766277cf 100644 +--- a/include/xkbsrv.h ++++ b/include/xkbsrv.h +@@ -58,6 +58,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include "inputstr.h" + #include "events.h" + ++extern RESTYPE RT_XKBCLIENT; ++ + typedef struct _XkbInterest { + DeviceIntPtr dev; + ClientPtr client; +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 5131bfcdf7..26d965d482 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -51,7 +51,7 @@ int XkbKeyboardErrorCode; + CARD32 xkbDebugFlags = 0; + static CARD32 xkbDebugCtrls = 0; + +-static RESTYPE RT_XKBCLIENT; ++RESTYPE RT_XKBCLIENT = 0; + + /***====================================================================***/ + +-- +GitLab + 
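Review bot: in the xkb/xkb.c hunk, `static RESTYPE RT_XKBCLIENT;` becomes `RESTYPE RT_XKBCLIENT = 0;` with a matching `extern RESTYPE RT_XKBCLIENT;` in include/xkbsrv.h, which widens the symbol from file scope to every file that includes xkbsrv.h, while the patch description says the variable is made private. The wording is upstream's and should stay as it is in the patch file, but the OE-core commit message should say that CVE-2025-62230-1.patch is only the preparatory change exporting RT_XKBCLIENT for CVE-2025-62230-2.patch, so the two entries are never split or reordered in SRC_URI.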
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch new file mode 100644 index 0000000000..0e4a69c64e --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch 
@@ -0,0 +1,92 @@ +From 87fe2553937a99fd914ad0cde999376a3adc3839 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 15:58:57 +0200 +Subject: [PATCH] xkb: Free the XKB resource when freeing XkbInterest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +XkbRemoveResourceClient() would free the XkbInterest data associated +with the device, but not the resource associated with it. + +As a result, when the client terminates, the resource delete function +gets called and accesses already freed memory: + + | Invalid read of size 8 + | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047) + | by 0x5B3391: XkbClientGone (xkb.c:7094) + | by 0x4DF138: doFreeResource (resource.c:890) + | by 0x4DFB50: FreeClientResources (resource.c:1156) + | by 0x4A9A59: CloseDownClient (dispatch.c:3550) + | by 0x5E0A53: ClientReady (connection.c:601) + | by 0x5E4FEF: ospoll_wait (ospoll.c:657) + | by 0x5DC834: WaitForSomething (WaitFor.c:206) + | by 0x4A1BA5: Dispatch (dispatch.c:491) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd + | at 0x4842E43: free (vg_replace_malloc.c:989) + | by 0x49C1A6: CloseDevice (devices.c:1067) + | by 0x49C522: CloseOneDevice (devices.c:1193) + | by 0x49C6E4: RemoveDevice (devices.c:1244) + | by 0x5873D4: remove_master (xichangehierarchy.c:348) + | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504) + | by 0x579BF1: ProcIDispatch (extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + | Block was alloc'd at + | at 0x48473F3: calloc (vg_replace_malloc.c:1675) + | by 0x49A118: AddInputDevice (devices.c:262) + | by 0x4A0E58: AllocDevicePair (devices.c:2846) + | by 0x5866EE: add_master (xichangehierarchy.c:153) + | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493) + | by 0x579BF1: ProcIDispatch 
(extinit.c:390) + | by 0x4A1D85: Dispatch (dispatch.c:551) + | by 0x4B0070: dix_main (main.c:277) + | by 0x4285E7: main (stubmain.c:34) + +To avoid that issue, make sure to free the resources when freeing the +device XkbInterest data. + +CVE-2025-62230, ZDI-CAN-27545 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be) + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839] +CVE: CVE-2025-62230 +Signed-off-by: Vijay Anusuri +--- + xkb/xkbEvents.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c +index 0bbd661867..3d04ecf0c4 100644 +--- a/xkb/xkbEvents.c ++++ b/xkb/xkbEvents.c +@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = interest->autoCtrls; + autoValues = interest->autoCtrlValues; + client = interest->client; ++ FreeResource(interest->resource, RT_XKBCLIENT); + free(interest); + found = TRUE; + } +@@ -1067,6 +1068,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id) + autoCtrls = victim->autoCtrls; + autoValues = victim->autoCtrlValues; + client = victim->client; ++ FreeResource(victim->resource, RT_XKBCLIENT); + free(victim); + found = TRUE; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index ba0ed6048e..4fa88fbcff 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -51,6 +51,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-49179.patch \ file://CVE-2025-49180.patch \ file://CVE-2025-62229.patch \ + file://CVE-2025-62230-1.patch \ + file://CVE-2025-62230-2.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
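Review bot: In CVE-2025-62230-1.patch the subject and message say the resource is made "private", but the xkb/xkb.c hunk drops `static` from `RESTYPE RT_XKBCLIENT` and the include/xkbsrv.h hunk adds `extern RESTYPE RT_XKBCLIENT;`, so the symbol becomes visible outside xkb.c. The upstream text has to stay as it is in a backport, so the OE commit message is the place to say that -1 only exports the resource type and fixes nothing by itself, and that it must stay ahead of -2 in SRC_URI because the -2 hunks in xkb/xkbEvents.c reference RT_XKBCLIENT.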
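Review bot: In CVE-2025-62230-2.patch, both added `FreeResource(..., RT_XKBCLIENT)` calls sit inside XkbRemoveResourceClient(), while the trace quoted in the message shows that same function being reached from the resource delete path (doFreeResource, XkbClientGone, XkbRemoveResourceClient). Nothing in the hunk or the message says why the new call does not re-enter the function for the entry being freed. FreeResource() takes as its second argument the resource type whose delete function is skipped, which is what prevents the re-entry here; a sentence to that effect in the commit message would save the next reader from checking dix/resource.c.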
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/7] xwayland: Fix for CVE-2025-62231 Date: Wed, 19 Nov 2025 12:42:13 -0800 Message-ID: <24a1574d6f61a45ce104ab6ee01697df2575fd51.1763584791.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226595 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xwayland/xwayland/CVE-2025-62231.patch | 53 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch new file mode 100644 index 0000000000..4bcf362531 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch 
@@ -0,0 +1,53 @@ +From 3baad99f9c15028ed8c3e3d8408e5ec35db155aa Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 10 Sep 2025 16:30:29 +0200 +Subject: [PATCH] xkb: Prevent overflow in XkbSetCompatMap() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The XkbCompatMap structure stores its "num_si" and "size_si" fields +using an unsigned short. + +However, the function _XkbSetCompatMap() will store the sum of the +input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and +"size_si" without first checking if the sum overflows the maximum +unsigned short value, leading to a possible overflow. + +To avoid the issue, check whether the sum does not exceed the maximum +unsigned short value, or return a "BadValue" error otherwise. + +CVE-2025-62231, ZDI-CAN-27560 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan +Reviewed-by: Michel Dänzer +(cherry picked from commit 475d9f49acd0e55bc0b089ed77f732ad18585470) + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa] +CVE: CVE-2025-62231 +Signed-off-by: Vijay Anusuri +--- + xkb/xkb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 26d965d482..137d70da27 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2992,6 +2992,8 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev, + XkbSymInterpretPtr sym; + unsigned int skipped = 0; + ++ if ((unsigned) (req->firstSI + req->nSI) > USHRT_MAX) ++ return BadValue; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; + compat->sym_interpret = reallocarray(compat->sym_interpret, +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 4fa88fbcff..745a2dd2ef 100644 
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -53,6 +53,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2025-62229.patch \ file://CVE-2025-62230-1.patch \ file://CVE-2025-62230-2.patch \ + file://CVE-2025-62231.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
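Review bot: The added check in _XkbSetCompatMap() uses USHRT_MAX, but the hunk adds no include and the diffstat shows only these two lines changing in xkb/xkb.c. Since this is a backport, please confirm that xkb.c in xwayland 22.1.8 already gets <limits.h>, directly or through an existing header; a build of the recipe with the patch applied is enough to settle it. The index line (26d965d482..137d70da27) also shows the hunk was generated on top of CVE-2025-62230-1.patch, so the SRC_URI order added in this series has to be kept.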
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/7] musl: patch CVE-2025-26519 Date: Wed, 19 Nov 2025 12:42:14 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226596 From: Gyorgy Sarvari Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26519 Pick the patches that are attached to the musl advisory: https://www.openwall.com/lists/musl/2025/02/13/1 Signed-off-by: Gyorgy Sarvari Signed-off-by: Steve Sakoman --- .../musl/musl/CVE-2025-26519-1.patch | 39 +++++++++++++++++++ .../musl/musl/CVE-2025-26519-2.patch | 38 ++++++++++++++++++ meta/recipes-core/musl/musl_git.bb | 4 +- 3 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-1.patch create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-2.patch diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch new file mode 100644 index 0000000000..a9ea3b4149 --- /dev/null +++ b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch 
@@ -0,0 +1,39 @@ +From 345d2a053c32f3443dbfdd313f49346ce30b92f8 Mon Sep 17 00:00:00 2001 +From: Rich Felker +Date: Wed, 19 Nov 2025 13:23:38 +0100 +Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder + +as a result of incorrect bounds checking on the lead byte being +decoded, certain invalid inputs which should produce an encoding +error, such as "\xc8\x41", instead produced out-of-bounds loads from +the ksc table. + +in a worst case, the loaded value may not be a valid unicode scalar +value, in which case, if the output encoding was UTF-8, wctomb would +return (size_t)-1, causing an overflow in the output pointer and +remaining buffer size which could clobber memory outside of the output +buffer. + +bug report was submitted in private by Nick Wellnhofer on account of +potential security implications. + +CVE: CVE-2025-26519 +Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659] +Signed-off-by: Gyorgy Sarvari +--- + src/locale/iconv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/locale/iconv.c b/src/locale/iconv.c +index 3047c27b..1fb66bc8 100644 +--- a/src/locale/iconv.c ++++ b/src/locale/iconv.c +@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri + if (c >= 93 || d >= 94) { + c += (0xa1-0x81); + d += 0xa1; +- if (c >= 93 || c>=0xc6-0x81 && d>0x52) ++ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52) + goto ilseq; + if (d-'A'<26) d = d-'A'; + else if (d-'a'<26) d = d-'a'+26; diff --git a/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch new file mode 100644 index 0000000000..82a09af535 --- /dev/null +++ b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch 
@@ -0,0 +1,38 @@ +From b81230050f6c3348038fe470d260028824b9a9e5 Mon Sep 17 00:00:00 2001 +From: Rich Felker +Date: Wed, 19 Nov 2025 13:27:15 +0100 +Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder + bugs + +the UTF-8 output code was written assuming an invariant that iconv's +decoders only emit valid Unicode Scalar Values which wctomb can encode +successfully, thereby always returning a value between 1 and 4. + +if this invariant is not satisfied, wctomb returns (size_t)-1, and the +subsequent adjustments to the output buffer pointer and remaining +output byte count overflow, moving the output position backwards, +potentially past the beginning of the buffer, without storing any +bytes. + +CVE: CVE-2025-26519 +Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da] +Signed-off-by: Gyorgy Sarvari +--- + src/locale/iconv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/locale/iconv.c b/src/locale/iconv.c +index 1fb66bc8..fb1d3217 100644 +--- a/src/locale/iconv.c ++++ b/src/locale/iconv.c +@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri + if (*outb < k) goto toobig; + memcpy(*out, tmp, k); + } else k = wctomb_utf8(*out, c); ++ /* This failure condition should be unreachable, but ++ * is included to prevent decoder bugs from translating ++ * into advancement outside the output buffer range. */ ++ if (k>4) goto ilseq; + *out += k; + *outb -= k; + break; diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb index 4b85401360..f24da3b2cb 100644 --- a/meta/recipes-core/musl/musl_git.bb +++ b/meta/recipes-core/musl/musl_git.bb 
@@ -15,7 +15,9 @@ PV = "${BASEVER}+git${SRCPV}" SRC_URI = "git://git.musl-libc.org/musl;branch=master \ file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \ file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \ - " + file://CVE-2025-26519-1.patch \ + file://CVE-2025-26519-2.patch \ + " S = "${WORKDIR}/git"
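Review bot: The header of CVE-2025-26519-1.patch, and of -2 as well, carries `Date: Wed, 19 Nov 2025`, the same day as this submission, while the musl advisory referenced in the commit message is dated 2025/02/13. The Date line should keep the author date of the upstream commit named in Upstream-Status, so that the patch header matches what it says it backports.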
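Review bot: In CVE-2025-26519-2.patch the new `if (k>4) goto ilseq;` comes after the small-buffer branch, where the context lines show `if (*outb < k) goto toobig;` running first. If k holds the failed-conversion value in that branch, the comparison against *outb is true and the call leaves through toobig before the new check is reached. No out-of-range write follows either way, because the memcpy is skipped, but the error reported then differs between the two branches; that is worth a word in the added comment or a question upstream.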
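Review bot: The musl_git.bb hunk removes and re-adds the closing `"` of SRC_URI, so the diffstat shows one deletion for what is a two-line addition. Leaving the closing quote line untouched keeps the recipe change to the two new file:// entries and avoids a needless conflict for anyone else touching SRC_URI on this branch.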
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/7] oe-build-perf-report: relax metadata matching rules Date: Wed, 19 Nov 2025 12:42:15 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 20:42:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226597 From: Richard Purdie As the poky repository is no longer used, measurements are indexed using the oe-core commit. But as bitbake, oe-core and meta-yocto are now retrieved from separate gits, while measuring performances for a given branch at some time interval, we can get the same commit for oe-core but different ones for bitbake or meta-yocto. As a consequence, metadata associated with the same index (oe-core commit) might differ. To work around this, relax the equality checks for commit, commit_time and commit_count since they might no longer match. Ideally we'd group them into separate results but for now, treat them as being the same. [Based on work from Mathieu Dubois-Briand but fixed differently] Signed-off-by: Richard Purdie (cherry picked from commit e7dc42e30c76bf0fbb4d3cc019bbec675bac55fa) Signed-off-by: Steve Sakoman --- scripts/lib/build_perf/report.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/lib/build_perf/report.py b/scripts/lib/build_perf/report.py index ab77424cc7..a143b74653 100644 --- a/scripts/lib/build_perf/report.py +++ b/scripts/lib/build_perf/report.py 
@@ -137,9 +137,12 @@ def results_xml_to_json(elem): def aggregate_metadata(metadata): """Aggregate metadata into one, basically a sanity check""" - mutable_keys = ('pretty_name', 'version_id') - def aggregate_obj(aggregate, obj, assert_str=True): + # A given OE-Core commit may point at different meta-yocto/bitbake commits so we have + # to ignore commit/commit_count/commit_time differences + mutable_keys = ('pretty_name', 'version_id', 'commit', 'commit_count', 'commit_time') + + def aggregate_obj(aggregate, obj, assert_obj=True): """Aggregate objects together""" assert type(aggregate) is type(obj), \ "Type mismatch: {} != {}".format(type(aggregate), type(obj)) @@ -151,7 +154,7 @@ def aggregate_metadata(metadata): assert len(aggregate) == len(obj) for i, val in enumerate(obj): aggregate_obj(aggregate[i], val) - elif not isinstance(obj, str) or (isinstance(obj, str) and assert_str): + elif assert_obj: assert aggregate == obj, "Data mismatch {} != {}".format(aggregate, obj) if not metadata:
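Review bot: The first hunk renames the flag parameter of aggregate_obj() from assert_str to assert_obj, but the diffstat (6 insertions, 3 deletions) is fully accounted for by the lines shown, so no call site was touched. Please confirm that every caller passes the flag positionally; a remaining `assert_str=` keyword call would raise TypeError when the report is generated.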
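Review bot: With `elif assert_obj:` in the second hunk, the comparison is now skipped for a value of any type when the flag is false, where the old condition skipped it only for strings. That is what commit_count and commit_time need, but the docstring still reads "basically a sanity check" and nothing records which commit ends up in the aggregate when the inputs differ. A line in the comment above mutable_keys saying which value is kept would help whoever reads a report built from mixed bitbake or meta-yocto revisions.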