From patchwork Sun Nov 30 20:35:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75613
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 1/8] yasm: add alternative CVE_PRODUCT Date: Sun, 30 Nov 2025 21:35:04 +0100 Message-ID: <20251130203511.462501-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122181 There are multiple vendors for yasm: $ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';" tortall|yasm yasm_project|yasm Both products refer to the same application Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 93f85e4fd2fb124cb047f6b378cf0052a1f102aa) --- meta-oe/recipes-devtools/yasm/yasm_git.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 99717d3a32..71d3c7e47e 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb 
@@ -34,3 +34,4 @@ do_configure:prepend() { sed -i -e "s/^echo \"\/\* generated \$ac_cv_stdint_message \*\/\" >>\$ac_stdint$"// ${S}/m4/ax_create_stdint_h.m4 } +CVE_PRODUCT += "tortall:yasm yasm_project:yasm"
From patchwork Sun Nov 30 20:35:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75614
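Review bot: In meta-oe/recipes-devtools/yasm/yasm_git.bb (patch 1/8) the new last line uses `CVE_PRODUCT += ...`, which appends to whatever CVE_PRODUCT already holds instead of replacing it, so the two vendor-qualified pairs only narrow the match if nothing broader is already in the variable. If the goal is to match exactly the two NVD entries listed in the commit message, `CVE_PRODUCT = "tortall:yasm yasm_project:yasm"` states that directly; if the goal is to extend an existing value, the commit message should say what the previous value failed to match. A short comment above the line naming the two NVD vendors would also help the next person who touches it.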
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 2/8] yasm: patch CVE-2023-29579 Date: Sun, 30 Nov 2025 21:35:05 +0100 Message-ID: <20251130203511.462501-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122182 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-29579 The patch was taken from Debian: https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/ Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit cc30757a7fd0af5f60b9a6408b3eb94c0810acda) --- .../yasm/yasm/CVE-2023-29579.patch | 39 +++++++++++++++++++ meta-oe/recipes-devtools/yasm/yasm_git.bb | 3 +- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2023-29579.patch diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-29579.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-29579.patch new file mode 100644 index 0000000000..58b4ed1996 --- /dev/null +++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2023-29579.patch 
@@ -0,0 +1,39 @@ +From 81c1b7b0a28f052eaadddcb010944bf67e6ae257 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sat, 15 Nov 2025 13:24:21 +0100 +Subject: [PATCH] Make sure CPU feature parsing use large enough string buffer. + Fixes CVE-2023-29579. + +Author: Petter Reinholdtsen +Bug: https://github.com/yasm/yasm/issues/214 +Bug-Debian: https://bugs.debian.org/1035951 +Forwarded: https://github.com/yasm/yasm/issues/214 +Last-Update: 2025-04-30 + +This patch is taken from Debian: +https://sources.debian.org/patches/yasm/1.3.0-8/1000-x86-dir-cpu-CVE-2023-29579.patch/ + +CVE: CVE-2023-29579 +Upstream-Status: Submitted [https://github.com/yasm/yasm/issues/214] + +Signed-off-by: Gyorgy Sarvari +--- + modules/arch/x86/x86arch.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/modules/arch/x86/x86arch.c b/modules/arch/x86/x86arch.c +index bac11774..58327958 100644 +--- a/modules/arch/x86/x86arch.c ++++ b/modules/arch/x86/x86arch.c +@@ -165,8 +165,9 @@ x86_dir_cpu(yasm_object *object, yasm_valparamhead *valparams, + yasm_error_set(YASM_ERROR_SYNTAX, + N_("invalid argument to [%s]"), "CPU"); + else { +- char strcpu[16]; +- sprintf(strcpu, "%lu", yasm_intnum_get_uint(intcpu)); ++ char strcpu[21]; /* 21 = ceil(log10(LONG_MAX)+1) */ ++ assert(8*sizeof(unsigned long) <= 64); ++ snprintf(strcpu, sizeof(strcpu), "%lu", yasm_intnum_get_uint(intcpu)); + yasm_x86__parse_cpu(arch_x86, strcpu, strlen(strcpu)); + } + } else diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 71d3c7e47e..bce62caadd 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb 
@@ -17,7 +17,8 @@ SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch \ file://0002-yasm-Use-BUILD_DATE-for-reproducibility.patch \ file://CVE-2024-22653.patch \ -" + file://CVE-2023-29579.patch \ + " S = "${WORKDIR}/git"
From patchwork Sun Nov 30 20:35:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75615
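Review bot: In the x86_dir_cpu() hunk of the embedded CVE-2023-29579.patch (patch 2/8), the comment on `char strcpu[21]` derives the size from LONG_MAX, but the value is formatted with `%lu` as an unsigned long, so the bound that matters is ULONG_MAX: with a 64-bit unsigned long that is 20 decimal digits plus the terminating NUL, which is where 21 comes from. Please reword the comment to say so. The added `assert(8*sizeof(unsigned long) <= 64)` is compiled out under NDEBUG, and the hunk adds no `#include <assert.h>`, so confirm the header is already pulled in by this file. Since `snprintf(strcpu, sizeof(strcpu), ...)` already bounds the write, a compile-time size check or a test of the snprintf return value for truncation would be the sturdier guard.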
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 3/8] yasm: patch CVE-2021-33464 Date: Sun, 30 Nov 2025 21:35:06 +0100 Message-ID: <20251130203511.462501-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122183 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464 The patch was taken from Debian: https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/ Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 66a0b01b52e5d1cd2af4c41ae0b67541464874e6) --- .../yasm/yasm/CVE-2021-33464.patch | 34 +++++++++++++++++++ meta-oe/recipes-devtools/yasm/yasm_git.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch new file mode 100644 index 0000000000..ebae250ff9 --- /dev/null +++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch 
@@ -0,0 +1,34 @@ +From 3c3f968d48d768c1e355199d4067d99cb72abc26 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sat, 15 Nov 2025 13:30:12 +0100 +Subject: [PATCH] Handle file descriptors with nonexisting env names better. + Avoid writing past allocated memory. + +This fixes CVE-2021-33464. +Author: Petter Reinholdtsen +Bug: https://github.com/yasm/yasm/issues/164 +Bug-Debian: https://bugs.debian.org/1016353 +Forwarded: https://github.com/yasm/yasm/issues/164 +Last-Update: 2025-04-30 + +CVE: CVE-2021-33464 +Upstream-Status: Submitted [https://github.com/yasm/yasm/issues/164] + +Signed-off-by: Gyorgy Sarvari +--- + modules/preprocs/nasm/nasm-pp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/preprocs/nasm/nasm-pp.c b/modules/preprocs/nasm/nasm-pp.c +index 512f02c3..f9f92dd1 100644 +--- a/modules/preprocs/nasm/nasm-pp.c ++++ b/modules/preprocs/nasm/nasm-pp.c +@@ -1815,7 +1815,7 @@ inc_fopen(char *file, char **newname) + error(ERR_WARNING, "environment variable `%s' does not exist", + p1+1); + *p2 = '%'; +- p1 = p2+1; ++ pb = p1 = p2+1; + continue; + } + /* need to expand */ diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index bce62caadd..304fa0b34a 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb 
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://0002-yasm-Use-BUILD_DATE-for-reproducibility.patch \ file://CVE-2024-22653.patch \ file://CVE-2023-29579.patch \ + file://CVE-2021-33464.patch \ " S = "${WORKDIR}/git"
From patchwork Sun Nov 30 20:35:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75618
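Review bot: In the inc_fopen() hunk of the embedded CVE-2021-33464.patch (patch 3/8), `pb = p1 = p2+1;` repairs the missing-environment-variable branch with a chained assignment and no comment, and nothing in the visible lines says what pb tracks or why leaving it stale led to the write past allocated memory named in the patch subject. A one-line comment at that statement stating the invariant between pb and p1 would keep it from being lost in a later edit. The rest of the loop is outside the hunk, so please also confirm that its other `continue` paths keep pb and p1 in step, and consider a regression input that references an undefined environment variable in an include path.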
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 4/8] yasm: patch CVE-2021-33456 Date: Sun, 30 Nov 2025 21:35:07 +0100 Message-ID: <20251130203511.462501-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122184 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33465 The patch was taken from Debian: https://sources.debian.org/patches/yasm/1.3.0-8/1020-hash-null-CVE-2021-33456.patch/ Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 1e2731fce05d15020fddf3dca5d8ee42ec3c04e1) --- .../yasm/yasm/CVE-2021-33456.patch | 35 +++++++++++++++++++ meta-oe/recipes-devtools/yasm/yasm_git.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33456.patch diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33456.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33456.patch new file mode 100644 index 0000000000..2340d8ed75 --- /dev/null +++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33456.patch 
@@ -0,0 +1,35 @@ +From 1126140b8f5ece18c58640725f0e4c08e5ec97b0 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sat, 15 Nov 2025 13:34:15 +0100 +Subject: [PATCH] A potential null pointer difference is that the return value + of the hash may be null. This fixes CVE-2021-33456. + +From: lixuebing +Date: Mon, 25 Aug 2025 13:51:28 +0800 +Subject: Fix null-pointer-dereference in hash +Bug: https://github.com/yasm/yasm/issues/175 +Origin: https://github.com/yasm/yasm/pull/290 + +CVE: CVE-2021-33456 +Upstream-Status: Submitted [https://github.com/yasm/yasm/pull/290] + +Signed-off-by: Gyorgy Sarvari +--- + modules/preprocs/nasm/nasm-pp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modules/preprocs/nasm/nasm-pp.c b/modules/preprocs/nasm/nasm-pp.c +index f9f92dd1..473d98c1 100644 +--- a/modules/preprocs/nasm/nasm-pp.c ++++ b/modules/preprocs/nasm/nasm-pp.c +@@ -1102,6 +1102,10 @@ hash(char *s) + { + unsigned int h = 0; + unsigned int i = 0; ++ /* Check if the input string is NULL to avoid null pointer dereference */ ++ if (s == NULL) { ++ return 0; ++ } + /* + * Powers of three, mod 31. + */ diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 304fa0b34a..5d1739ebf3 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb 
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://CVE-2024-22653.patch \ file://CVE-2023-29579.patch \ file://CVE-2021-33464.patch \ + file://CVE-2021-33456.patch \ " S = "${WORKDIR}/git"
From patchwork Sun Nov 30 20:35:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75617
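Review bot: In the hash() hunk of the embedded CVE-2021-33456.patch (patch 4/8), returning 0 for a NULL `s` gives the caller a value it cannot tell apart from a real hash (h also starts at 0), so the NULL name simply flows on into whatever consumes the result. The callers are not in the hunk; please check that the lookup using this hash does not dereference the same NULL pointer afterwards, or reject the NULL at the call site with an error instead of hashing it. Two text nits: the Details link in the commit message points to CVE-2021-33465 while the subject, the patch file name and the CVE tag all say CVE-2021-33456, and the embedded Subject reads "null pointer difference" where "dereference" is meant.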
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 5/8] redis: ignore CVE-2022-0543 Date: Sun, 30 Nov 2025 21:35:08 +0100 Message-ID: <20251130203511.462501-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122185 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0543 The issue is specific to the version packaged by Debian, it can be ignored. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-extended/redis/redis_6.2.21.bb | 2 ++ meta-oe/recipes-extended/redis/redis_7.2.12.bb | 1 + 2 files changed, 3 insertions(+) diff --git a/meta-oe/recipes-extended/redis/redis_6.2.21.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb index e0bf92b210..efa8677e76 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.21.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb @@ -65,3 +65,5 @@ INITSCRIPT_NAME = "redis-server" INITSCRIPT_PARAMS = "defaults 87" SYSTEMD_SERVICE:${PN} = "redis.service" + +CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb index bc60f75b01..cd2be6f27e 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb 
@@ -70,3 +70,4 @@ INITSCRIPT_PARAMS = "defaults 87" SYSTEMD_SERVICE:${PN} = "redis.service" CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows." +CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions" From patchwork Sun Nov 30 20:35:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75619 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DC0E5D116F7 for ; Sun, 30 Nov 2025 20:35:26 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.4998.1764534921081395683 for ; Sun, 30 Nov 2025 12:35:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=nSxJR/6n; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4777771ed1aso20657675e9.2 for ; Sun, 30 Nov 2025 12:35:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764534919; x=1765139719; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Sa9Zv4Xo8lYu96ItcYBuKhf00dCaVTf/R1kvAt3XHbU=; b=nSxJR/6nMTo+nRO28OxHjLDdW7Qad+2aiHD6prcL1c55n4T8KfAma7jDGL+SBVaKQy dz+KFHdfsl4/bVBt9cZc7EdpQQa0afGPzzo4I/UoA/vgFUUvuWaLCfhopvokoE+AbNBb T2h/+1StDNk860SOJdqc8937tI5ps3XKNxOYWgcijbp0oERpWpBpl9Iv4itOFkxMTbD4 VqcPi1WypO3ZJYsf1kTWz8cAdYaN6H8tfJm0kOhBPgX1qCI6prWvHoWZH5aWUXeiwbWI 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 6/8] redis: handle CVE-2025-27151 Date: Sun, 30 Nov 2025 21:35:09 +0100 Message-ID: <20251130203511.462501-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122186 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151 In redis 7 this is already patched[1], and the recipe contains the fix. For redis 6 backport the relevant patch (which is referenced in the nvd report) [1]: https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9 Signed-off-by: Gyorgy Sarvari --- .../redis/redis/CVE-2025-27151.patch | 32 +++++++++++++++++++ .../recipes-extended/redis/redis_6.2.21.bb | 3 +- .../recipes-extended/redis/redis_7.2.12.bb | 1 + 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2025-27151.patch diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2025-27151.patch b/meta-oe/recipes-extended/redis/redis/CVE-2025-27151.patch new file mode 100644 index 0000000000..ccd56ea8a8 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2025-27151.patch 
@@ -0,0 +1,32 @@ +From 845233cecd6327a20957a97b78e61bccaaa652f7 Mon Sep 17 00:00:00 2001 +From: YaacovHazan +Date: Tue, 27 May 2025 10:23:27 +0300 +Subject: [PATCH] Check length of AOF file name in redis-check-aof + (CVE-2025-27151) + +Ensure that the length of the input file name does not exceed PATH_MAX + +CVE: CVE-2025-27151 +Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9] +Signed-off-by: Gyorgy Sarvari +--- + src/redis-check-aof.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c +index 1507e0a..3961ac5 100644 +--- a/src/redis-check-aof.c ++++ b/src/redis-check-aof.c +@@ -164,6 +164,12 @@ int redis_check_aof_main(int argc, char **argv) { + exit(1); + } + ++ /* Check if filepath is longer than PATH_MAX */ ++ if (strlen(filename) > PATH_MAX) { ++ printf("Error: filename is too long (exceeds PATH_MAX)\n"); ++ exit(1); ++ } ++ + FILE *fp = fopen(filename,"r+"); + if (fp == NULL) { + printf("Cannot open file: %s\n", filename); diff --git a/meta-oe/recipes-extended/redis/redis_6.2.21.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb index efa8677e76..d23d3c07c6 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.21.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb @@ -16,7 +16,8 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0004-src-Do-not-reset-FINAL_LIBS.patch \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ - " + file://CVE-2025-27151.patch \ + " SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e9b6d5f" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb index cd2be6f27e..efbe86b358 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb 
@@ -71,3 +71,4 @@ SYSTEMD_SERVICE:${PN} = "redis.service" CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows." CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged versions" +CVE_STATUS[CVE-2025-27151] = "fixed-version: the used version(7.2.12) contains the fix" From patchwork Sun Nov 30 20:35:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75620 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D59FBCFD376 for ; Sun, 30 Nov 2025 20:35:26 +0000 (UTC) Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.4999.1764534921931896134 for ; Sun, 30 Nov 2025 12:35:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=UYZSgdXs; spf=pass (domain: gmail.com, ip: 209.85.221.54, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-42b3b0d76fcso2192307f8f.3 for ; Sun, 30 Nov 2025 12:35:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764534920; x=1765139720; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WG9ZWji02ArrqfFVP2u/8REGiu6LqyCgdP0EZ8i91vs=; b=UYZSgdXssolnB4x2SWajpZWWe73BIS1iwVouyNMgexXkzyLCDDdJ1l98mLOjERQQi+ cnkkY46gnbJggDMJMYxDVKn2cI3wzUcb3nrtODPOwfmoJczsxIW7GSICgtgsy2Rb9UwJ T5hrSav/Gard4xR/3iefeUjR44+axiGa7ls/j2RJFJDs4UxMr7kDFQyX1BsE4f6eOloG FHqP1NroGKVM06mXijLhibWbEVk3femkkvsGVbZFiVhE15thAKVRDgLWI8RS7mfPpdYo 
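Review bot: in the src/redis-check-aof.c hunk of CVE-2025-27151.patch (PATCH 6/8) the new check uses PATH_MAX, yet the six added lines contain no #include, so the backport relies on redis 6.2.21 already pulling in <limits.h> in that file; please confirm it builds with both glibc and musl. The context around the check shows filename going only to fopen() and printf(), so the commit message would benefit from one sentence naming the code path in 6.2.21 that the length check protects. In the redis_7.2.12.bb hunk the status text hard-codes "7.2.12" and will go stale at the next version bump; wording that names the first fixed release instead ages better, and "version(7.2.12)" is missing a space.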
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][scarthgap][PATCH 7/8] nbdkit: patch CVE-2025-47711 Date: Sun, 30 Nov 2025 21:35:10 +0100 Message-ID: <20251130203511.462501-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122187 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47711 Pick the patch from the repository which explicitly mentions this CVE ID. Signed-off-by: Gyorgy Sarvari --- .../nbdkit/nbdkit/CVE-2025-47711.patch | 172 ++++++++++++++++++ .../recipes-support/nbdkit/nbdkit_1.33.11.bb | 3 +- 2 files changed, 174 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch new file mode 100644 index 0000000000..a5eb519738 --- /dev/null +++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47711.patch 
@@ -0,0 +1,172 @@ +From 8b41004f101505fd13e0491c88570a00820ccdc2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 22 Apr 2025 17:01:12 -0500 +Subject: [PATCH 1/2] server: Fix off-by-one for maximum block_status length + [CVE-2025-47711] + +From: Eric Blake + +There has been an off-by-one bug in the code for .extents since the +introduction of that callback. Remember, internally the code allows +plugins to report on extents with 64-bit lengths, but the protocol +only supports 32-bit block status calls (nbdkit will need to create +plugin version 3 before it can support NBD's newer 64-bit block +status). As such, the server loop intentionally truncates a plugin's +large extent to 2**32-1 bytes. But in the process of checking whether +the loop should exit early, or if any additional extents should be +reported to the client, the server used 'pos > offset+count' instead +of >=, which is one byte too far. If the client has requested exactly +2**32-1 bytes, and the plugin's first extent has that same length, the +code erroneously proceeds on to the plugin's second extent. Worse, if +the plugin's first extent has 2**32 bytes or more, it was truncated to +2**31-1 bytes, but not completely handled, and the failure to exit the +loop early means that the server then fails the assertion: + +nbdkit: ../../server/protocol.c:505: extents_to_block_descriptors: +Assertion `e.length <= length' failed. + +The single-byte fix addresses both symptoms, while the added test +demonstrates both when run on older nbdkit (the protocol violation +when the plugin returns 2**32-1 bytes in the first extent, and the +assertion failure when the plugin returns 2**32 or more bytes in the +first extent). + +The problem can only be triggered by a client request for 2**32-1 +bytes; anything smaller is immune. The problem also does not occur +for plugins that do not return extents information beyond the client's +request, or if the first extent is smaller than the client's request. 
+ +The ability to cause the server to die from an assertion failure can +be used as a denial of service attack against other clients. +Mitigations: if you require the use of TLS, then you can ensure that +you only have trusted clients that won't trigger a block status call +of length 2**32-1 bytes. Also, you can use "--filter=blocksize-policy +blocksize-minimum=512" to reject block status attempts from clients +that are not sector-aligned. + +Fixes: 26455d45 ('server: protocol: Implement Block Status "base:allocation".', v1.11.10) +Reported-by: Nikolay Ivanets +Signed-off-by: Eric Blake +Message-ID: <20250423211953.GR1450@redhat.com> +Reviewed-by: Richard W.M. Jones + +CVE: CVE-2025-47711 +Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/e6f96bd1b77c0cc927ce6aeff650b52238304f39] +Signed-off-by: Gyorgy Sarvari +--- + server/protocol.c | 2 +- + tests/Makefile.am | 2 ++ + tests/test-eval-extents.sh | 71 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 74 insertions(+), 1 deletion(-) + create mode 100755 tests/test-eval-extents.sh + +diff --git a/server/protocol.c b/server/protocol.c +index d9a5e282..c32fec82 100644 +--- a/server/protocol.c ++++ b/server/protocol.c +@@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents, + (*nr_blocks)++; + + pos += length; +- if (pos > offset + count) /* this must be the last block */ ++ if (pos >= offset + count) /* this must be the last block */ + break; + + /* If we reach here then we must have consumed this whole +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 9b846d24..36ac1e16 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -781,6 +781,7 @@ TESTS += \ + test-eval.sh \ + test-eval-file.sh \ + test-eval-exports.sh \ ++ test-eval-extents.sh \ + test-eval-cache.sh \ + test-eval-dump-plugin.sh \ + test-eval-disconnect.sh \ +@@ -789,6 +790,7 @@ EXTRA_DIST += \ + test-eval.sh \ + test-eval-file.sh \ + test-eval-exports.sh \ ++ test-eval-extents.sh \ + 
test-eval-cache.sh \ + test-eval-dump-plugin.sh \ + test-eval-disconnect.sh \ +diff --git a/tests/test-eval-extents.sh b/tests/test-eval-extents.sh +new file mode 100755 +index 00000000..92b503e6 +--- /dev/null ++++ b/tests/test-eval-extents.sh +@@ -0,0 +1,71 @@ ++#!/usr/bin/env bash ++# nbdkit ++# Copyright Red Hat ++# ++# Redistribution and use in source and binary forms, with or without ++# modification, are permitted provided that the following conditions are ++# met: ++# ++# * Redistributions of source code must retain the above copyright ++# notice, this list of conditions and the following disclaimer. ++# ++# * Redistributions in binary form must reproduce the above copyright ++# notice, this list of conditions and the following disclaimer in the ++# documentation and/or other materials provided with the distribution. ++# ++# * Neither the name of Red Hat nor the names of its contributors may be ++# used to endorse or promote products derived from this software without ++# specific prior written permission. ++# ++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A ++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR ++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF ++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, ++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT ++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++# SUCH DAMAGE. 
++ ++source ./functions.sh ++set -e ++set -x ++ ++requires_run ++requires_plugin eval ++requires_nbdsh_uri ++requires nbdsh --base-allocation --version ++ ++files="eval-extents.out" ++rm -f $files ++cleanup_fn rm -f $files ++ ++# Trigger an off-by-one bug introduced in v1.11.10 and fixed in v1.43.7 ++export script=' ++def f(context, offset, extents, status): ++ print(extents) ++ ++# First, probe where the server should return 2 extents. ++h.block_status(2**32-1, 2, f) ++ ++# Next, probe where the server has exactly 2**32-1 bytes in its first extent. ++h.block_status(2**32-1, 1, f) ++ ++# Now, probe where the first extent has to be truncated. ++h.block_status(2**32-1, 0, f) ++' ++nbdkit eval \ ++ get_size='echo 5G' \ ++ pread='dd if=/dev/zero count=$3 iflag=count_bytes' \ ++ extents='echo 0 4G 1; echo 4G 1G 2' \ ++ --run 'nbdsh --base-allocation --uri "$uri" -c "$script"' \ ++ > eval-extents.out ++cat eval-extents.out ++diff -u - eval-extents.out < X-Patchwork-Id: 75616 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C7A7FD111A8 for ; Sun, 30 Nov 2025 20:35:26 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4965.1764534923491960239 for ; Sun, 30 Nov 2025 12:35:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=NR9yII0Z; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-47778b23f64so19160325e9.0 for ; Sun, 30 Nov 2025 12:35:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764534922; x=1765139722; darn=lists.openembedded.org; 
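Review bot: the security fix in CVE-2025-47711.patch (PATCH 7/8) is the single comparison in server/protocol.c ("pos >= offset + count"), while the tests/Makefile.am and tests/test-eval-extents.sh hunks were written for a later release: the test comment says the bug was fixed in v1.43.7 and the recipe is nbdkit_1.33.11.bb. Please confirm that the Makefile.am hunk applies to 1.33.11 without fuzz (its context expects test-eval-exports.sh, test-eval-cache.sh, test-eval-dump-plugin.sh and test-eval-disconnect.sh in that order) and that the functions.sh helpers the new test calls (requires_run, requires_plugin, requires_nbdsh_uri) exist in that release. If either does not hold, say in the commit message how the test hunks were adapted.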
SMTP id ffacd0b85a97d-42cc1ac9debmr38592223f8f.12.1764534921762; Sun, 30 Nov 2025 12:35:21 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-42e1ca8bae9sm21338810f8f.33.2025.11.30.12.35.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Nov 2025 12:35:21 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][scarthgap][PATCH 8/8] nbdkit: patch CVE-2025-47712 Date: Sun, 30 Nov 2025 21:35:11 +0100 Message-ID: <20251130203511.462501-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251130203511.462501-1-skandigraun@gmail.com> References: <20251130203511.462501-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 20:35:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122188 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47712 Pick the patch from the project's repository which explicitly mentions this vulnerability ID. Signed-off-by: Gyorgy Sarvari --- .../nbdkit/nbdkit/CVE-2025-47712.patch | 166 ++++++++++++++++++ .../recipes-support/nbdkit/nbdkit_1.33.11.bb | 3 +- 2 files changed, 168 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch diff --git a/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch new file mode 100644 index 0000000000..0bd34f0995 --- /dev/null +++ b/meta-networking/recipes-support/nbdkit/nbdkit/CVE-2025-47712.patch 
@@ -0,0 +1,166 @@ +From fcc4b6e49c9e90b83de5619bba5c828b0e0dea45 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 22 Apr 2025 19:53:39 -0500 +Subject: [PATCH 2/2] blocksize: Fix 32-bit overflow in .extents + [CVE-2025-47712] + +From: Eric Blake + +If the original request is larger than 2**32 - minblock, then we were +calling nbdkit_extents_aligned() with a count that rounded up then +overflowed to 0 instead of the intended 4G because of overflowing a +32-bit type, which in turn causes an assertion failure: + +nbdkit: ../../server/backend.c:814: backend_extents: Assertion `backend_valid_range (c, offset, count)' failed. + +The fix is to force the rounding to be in a 64-bit type from the +get-go. + +The ability for a well-behaved client to cause the server to die from +an assertion failure can be used as a denial of service attack against +other clients. Mitigations: if you requrire the use of TLS, then you +can ensure that you only have trusted clients that won't trigger a +block status call that large. Also, the problem only occurs when +using the blocksize filter, although setting the filter's maxlen +parameter to a smaller value than its default of 2**32-1 does not +help. + +Fixes: 2680be00 ('blocksize: Fix .extents when plugin changes type within minblock', v1.21.16) +Signed-off-by: Eric Blake +Message-ID: <20250423210917.1784789-3-eblake@redhat.com> +Reviewed-by: Richard W.M. 
Jones + +CVE: CVE-2025-47712 +Upstream-Status: Backport [https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7] +Signed-off-by: Gyorgy Sarvari +--- + filters/blocksize/blocksize.c | 5 +- + tests/Makefile.am | 2 + + tests/test-blocksize-extents-overflow.sh | 83 ++++++++++++++++++++++++ + 3 files changed, 88 insertions(+), 2 deletions(-) + create mode 100755 tests/test-blocksize-extents-overflow.sh + +diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c +index 09195cea..e5c8b744 100644 +--- a/filters/blocksize/blocksize.c ++++ b/filters/blocksize/blocksize.c +@@ -482,8 +482,9 @@ blocksize_extents (nbdkit_next *next, + return -1; + } + +- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock), +- h->maxlen), ++ if (nbdkit_extents_aligned (next, ++ MIN (ROUND_UP ((uint64_t) count, h->minblock), ++ h->maxlen), + ROUND_DOWN (offset, h->minblock), flags, + h->minblock, extents2, err) == -1) + return -1; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 36ac1e16..a6fb1993 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -1473,12 +1473,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS) + TESTS += \ + test-blocksize.sh \ + test-blocksize-extents.sh \ ++ test-blocksize-extents-overflow.sh \ + test-blocksize-default.sh \ + test-blocksize-sharding.sh \ + $(NULL) + EXTRA_DIST += \ + test-blocksize.sh \ + test-blocksize-extents.sh \ ++ test-blocksize-extents-overflow.sh \ + test-blocksize-default.sh \ + test-blocksize-sharding.sh \ + $(NULL) +diff --git a/tests/test-blocksize-extents-overflow.sh b/tests/test-blocksize-extents-overflow.sh +new file mode 100755 +index 00000000..844c3999 +--- /dev/null ++++ b/tests/test-blocksize-extents-overflow.sh +@@ -0,0 +1,83 @@ ++#!/usr/bin/env bash ++# nbdkit ++# Copyright Red Hat ++# ++# Redistribution and use in source and binary forms, with or without ++# modification, are permitted provided that the following conditions are ++# met: ++# 
++# * Redistributions of source code must retain the above copyright ++# notice, this list of conditions and the following disclaimer. ++# ++# * Redistributions in binary form must reproduce the above copyright ++# notice, this list of conditions and the following disclaimer in the ++# documentation and/or other materials provided with the distribution. ++# ++# * Neither the name of Red Hat nor the names of its contributors may be ++# used to endorse or promote products derived from this software without ++# specific prior written permission. ++# ++# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ++# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ++# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A ++# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR ++# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF ++# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ++# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, ++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT ++# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++# SUCH DAMAGE. ++ ++# Demonstrate a fix for a bug where blocksize overflowed 32 bits ++ ++source ./functions.sh ++set -e ++set -x ++ ++requires_run ++requires_plugin eval ++requires_nbdsh_uri ++requires nbdsh --base-allocation --version ++ ++# Script a sparse server that requires 512-byte aligned requests. ++exts=' ++if test $(( ($3|$4) & 511 )) != 0; then ++ echo "EINVAL request unaligned" 2>&1 ++ exit 1 ++fi ++echo 0 5G 0 ++' ++ ++# We also need an nbdsh script to parse all extents, coalescing adjacent ++# types for simplicity. 
++# FIXME: Once nbdkit plugin version 3 allows 64-bit block extents, run ++# this test twice, once for each bit size (32-bit needs 2 extents, 64-bit ++# will get the same result with only 1 extent). ++export script=' ++size = h.get_size() ++offs = 0 ++entries = [] ++def f(metacontext, offset, e, err): ++ global entries ++ global offs ++ assert offs == offset ++ for length, flags in zip(*[iter(e)] * 2): ++ if entries and flags == entries[-1][1]: ++ entries[-1] = (entries[-1][0] + length, flags) ++ else: ++ entries.append((length, flags)) ++ offs = offs + length ++ ++# Test a loop over the entire device ++while offs < size: ++ len = min(size - offs, 2**32-1) ++ h.block_status(len, offs, f) ++assert entries == [(5 * 2**30, 0)] ++' ++ ++# Now run everything ++nbdkit --filter=blocksize eval minblock=512 \ ++ get_size='echo 5G' pread='exit 1' extents="$exts" \ ++ --run 'nbdsh --base-allocation -u "$uri" -c "$script"' diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb index 0c83991b4d..dd1e52214b 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_1.33.11.bb @@ -11,7 +11,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=26250adec854bc317493f6fb98efe049" SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ file://0001-plugins-Avoid-absolute-buildpaths-in-binaries.patch \ - file://CVE-2025-47711.patch" + file://CVE-2025-47711.patch \ + file://CVE-2025-47712.patch" SRCREV = "6c02c6a469d62a047f230b0ccf03f72328312d2b" S = "${WORKDIR}/git"
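Review bot: the tests/Makefile.am hunk in CVE-2025-47712.patch (PATCH 8/8) starts from blob 36ac1e16, which is the result of the Makefile.am change in CVE-2025-47711.patch, so the second patch only applies on top of the first. The SRC_URI hunk in nbdkit_1.33.11.bb lists the two files in the right order; a short comment there, or a sentence in the commit message, would keep a later change from dropping or reordering one of them and breaking do_patch.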