From patchwork Tue Dec 2 15:09:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75724 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7ECBDD116F6 for ; Tue, 2 Dec 2025 15:09:51 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9916.1764688182508179615 for ; Tue, 02 Dec 2025 07:09:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=YPy7F5DG; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-7ad1cd0db3bso4465308b3a.1 for ; Tue, 02 Dec 2025 07:09:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688182; x=1765292982; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4Ew3xD+1mKi1cWLJ2zx2oKUsD2M65mZAja7Fk/nHOec=; b=YPy7F5DGkkGeaJU59Bh0BVH6FwiLDCGHc5+ldK1OtRuMHw/9iHPPrVY4024Bjjrtjs 6yqAWlIN3nVCcXW7/YCUgJ2cZVXmw0eXwsB1xUWKlR6PIsQ7ZfPaYVK+jKS2le63huza tZH1KzmXn0jUVwwKJ4525gaMkvtd7AVyCZW48VTqgzMlZ/SyafRRbDTOmHN1hZ47lYgP NfFaFT4AK0Hlv4GjIGV97lD2xHplNA8iU5VwglL8wHaHcZb+3C6iJYnRhyTb0TQkt03A Q3fBRvNbkt6COoH2uAhuU8iKKBohK+kJh6wiVMTNNGZLNPkMNDBTw/iKmfFt6okID/KR JS/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688182; x=1765292982; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=4Ew3xD+1mKi1cWLJ2zx2oKUsD2M65mZAja7Fk/nHOec=; b=v6yPSoGB0K+0ra3R7E019FyKVxbpuQ0f+vlNNQOBWpgZijMaDJfyZspaWPbEEc+x5+ yOuv4fUY5AMUKKcYFsiujvxeBNsdV6FyrsWr5H0DkXO/RZndvAHZzTPKD+igMU2qR45i 14iaNHzFNlaymgjlvtR993bClZfRnzWO3sS37JHrDjBtoil6uvt+5PAGVCJbwbrU9jzs 0tTq9X8qZtLW3vR0v5Kgr/WFFfIeD39Ye2gFSVp6M5SrYhtBgZ7PcVkXY13GsxulBAyh DV/Z/ugFX1JLZWA0EyYCkIoOuZRZcLMLWuGpY51oxYfiSmmzKh4tyhvkY0C/uXJRt+ib iwXw== X-Gm-Message-State: AOJu0YzvP5ToxnCATPMBSywNUG32i9JSFYJ2+YhaAnAfTmNn+h9koD+x VTIJ2SiMy5fO8J8KUjrTnYc9Nyjc5KkRX8NZDeSgxH+dqb+Lob6IvBtnMS3ISqvagyHFldItsXo mpjwR X-Gm-Gg: ASbGncszQzHAyv9kMF3JLfYw6yEGE+j5FiZItaZQ+4Uh4I7QqMmi9tZjTnwY7aZadu8 Sm3Z7D2usOp4RX8n/phAC69CTAQrprjEd7QdRd1s1vwoRSTJ/8tHXBTg+IkgOyxVKPwhvI6UqDg av5K6tgKvpEDW872QjktjIvRI4Xb6nLqu41r44FhigmbEwbKnkPzuyXhD+KC4JEiUyV8TWwysEw Y+7k06WlbZNnRQQaoUtSAL8WV/KRovwSy8JlpVg4B0VbXVuuyhgku2CEdV20PUAxh3VOxIE2b1x oGZMwM/ZobwdPmWpVmkDdGJ937QoFFQfcvAcnbMRc9Me6KNg2tyZgcdMAo0h0N0QcbX3YLqcR2Q 1cbZyPAKeT2OGXUfboxL4m0urexipxVQnGHIayvDbRIR9/VMnfwvugFWEypYFJObKDNqlrvxF7J uSTw== X-Google-Smtp-Source: AGHT+IGzwooeYraE3a7fZsJSp2GGttq+BguS/lnVsn0tbRemXLITmcRXxJKqMTAcAT+EtFv+/Wbo6g== X-Received: by 2002:a05:6a20:3ca2:b0:35c:f727:8a89 with SMTP id adf61e73a8af0-3637e0a589cmr33177654637.41.1764688181435; Tue, 02 Dec 2025 07:09:41 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:41 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/10] gnutls: patch CVE-2025-9820 Date: Tue, 2 Dec 2025 07:09:24 -0800 Message-ID: <946f776b6f7ceacf76a643c5776b0efedb000efd.1764688053.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:09:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227160 From: Peter Marko This CVE is announced under [1]. Pick commit which mentions this CVE per [2]. [1] https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 [2] https://security-tracker.debian.org/tracker/CVE-2025-9820 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2025-9820.patch | 250 ++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 + 2 files changed, 251 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch new file mode 100644 index 0000000000..6ace251fed --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch @@ -0,0 +1,250 @@ +From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 18 Nov 2025 13:17:55 +0900 +Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token + +If gnutls_pkcs11_token_init is called with label longer than 32 +characters, the internal storage used to blank-fill it would +overflow. This adds a guard to prevent that. + +Signed-off-by: Daiki Ueno + +CVE: CVE-2025-9820 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5] +Signed-off-by: Peter Marko +--- + NEWS | 4 + + lib/pkcs11_write.c | 5 +- + tests/Makefile.am | 2 +- + tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 172 insertions(+), 3 deletions(-) + create mode 100644 tests/pkcs11/long-label.c + +diff --git a/NEWS b/NEWS +index 0ae3c9991..d6df70ee6 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,10 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. + Copyright (C) 2013-2019 Nikos Mavrogiannopoulos + See the end for copying conditions. + ++** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init ++ Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18, ++ CVSS: low] [CVE-2025-9820] ++ + ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK + Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] + [CVE-2025-6395] +diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c +index f5e9058e0..64b85a2df 100644 +--- a/lib/pkcs11_write.c ++++ b/lib/pkcs11_write.c +@@ -28,6 +28,7 @@ + #include "pkcs11x.h" + #include + #include "pk.h" ++#include "minmax.h" + + static const ck_bool_t tval = 1; + static const ck_bool_t fval = 0; +@@ -1199,7 +1200,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags) + * gnutls_pkcs11_token_init: + * @token_url: A PKCS #11 URL specifying a token + * @so_pin: Security Officer's PIN +- * @label: A name to be used for the token ++ * @label: A name to be used for the token, at most 32 characters + * + * This function will initialize (format) a token. If the token is + * at a factory defaults state the security officer's PIN given will be +@@ -1238,7 +1239,7 @@ gnutls_pkcs11_token_init(const char *token_url, + /* so it seems memset has other uses than zeroing! */ + memset(flabel, ' ', sizeof(flabel)); + if (label != NULL) +- memcpy(flabel, label, strlen(label)); ++ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label))); + + rv = pkcs11_init_token(module, slot, (uint8_t *) so_pin, + strlen(so_pin), (uint8_t *) flabel); +diff --git a/tests/Makefile.am b/tests/Makefile.am +index be4966f4b..8327c90ca 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -485,7 +485,7 @@ buffer_CPPFLAGS = $(AM_CPPFLAGS) \ + if ENABLE_PKCS11 + if !WINDOWS + ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \ +- global-init-override ++ global-init-override pkcs11/long-label + tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la + tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL) + pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la +diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c +new file mode 100644 +index 000000000..a70bc9728 +--- /dev/null ++++ b/tests/pkcs11/long-label.c +@@ -0,0 +1,164 @@ ++/* ++ * Copyright (C) 2025 Red Hat, Inc. ++ * ++ * Author: Daiki Ueno ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public License ++ * along with this program. If not, see ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include ++#include ++#include ++ ++#if defined(_WIN32) ++ ++int main(void) ++{ ++ exit(77); ++} ++ ++#else ++ ++#include ++#include ++#include ++ ++#include "cert-common.h" ++#include "pkcs11/softhsm.h" ++#include "utils.h" ++ ++/* This program tests that a token can be initialized with ++ * a label longer than 32 characters. ++ */ ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "server|<%d>| %s", level, str); ++} ++ ++#define PIN "1234" ++ ++#define CONFIG_NAME "softhsm-long-label" ++#define CONFIG CONFIG_NAME ".config" ++ ++static int pin_func(void *userdata, int attempt, const char *url, ++ const char *label, unsigned flags, char *pin, ++ size_t pin_max) ++{ ++ if (attempt == 0) { ++ strcpy(pin, PIN); ++ return 0; ++ } ++ return -1; ++} ++ ++static void test(const char *provider) ++{ ++ int ret; ++ size_t i; ++ ++ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); ++ ++ success("test with %s\n", provider); ++ ++ if (debug) { ++ gnutls_global_set_log_function(tls_log_func); ++ gnutls_global_set_log_level(4711); ++ } ++ ++ /* point to SoftHSM token that libpkcs11mock4.so internally uses */ ++ setenv(SOFTHSM_ENV, CONFIG, 1); ++ ++ gnutls_pkcs11_set_pin_function(pin_func, NULL); ++ ++ ret = gnutls_pkcs11_add_provider(provider, "trusted"); ++ if (ret != 0) { ++ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret)); ++ } ++ ++ /* initialize softhsm token */ ++ ret = gnutls_pkcs11_token_init( ++ SOFTHSM_URL, PIN, ++ "this is a very long label whose length exceeds 32"); ++ if (ret < 0) { ++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); ++ } ++ ++ for (i = 0;; i++) { ++ char *url = NULL; ++ ++ ret = gnutls_pkcs11_token_get_url(i, 0, &url); ++ if (ret < 0) ++ break; ++ if (strstr(url, ++ "token=this%20is%20a%20very%20long%20label%20whose")) ++ break; ++ } ++ if (ret < 0) ++ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret)); ++ ++ gnutls_pkcs11_deinit(); ++} ++ ++void doit(void) ++{ ++ const char *bin; ++ const char *lib; ++ char buf[128]; ++ ++ if (gnutls_fips140_mode_enabled()) ++ exit(77); ++ ++ /* this must be called once in the program */ ++ global_init(); ++ ++ /* we call gnutls_pkcs11_init manually */ ++ gnutls_pkcs11_deinit(); ++ ++ /* check if softhsm module is loadable */ ++ lib = softhsm_lib(); ++ ++ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */ ++ bin = softhsm_bin(); ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), ++ "%s --init-token --slot 0 --label test --so-pin " PIN ++ " --pin " PIN, ++ bin); ++ system(buf); ++ ++ test(lib); ++ ++ lib = getenv("P11MOCKLIB4"); ++ if (lib == NULL) { ++ fail("P11MOCKLIB4 is not set\n"); ++ } ++ ++ set_softhsm_conf(CONFIG); ++ snprintf(buf, sizeof(buf), ++ "%s --init-token --slot 0 --label test --so-pin " PIN ++ " --pin " PIN, ++ bin); ++ system(buf); ++ ++ test(lib); ++} ++#endif /* _WIN32 */ diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 8c8e08855b..e4dd47aea4 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -38,6 +38,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2025-32988.patch \ file://CVE-2025-32990.patch \ file://CVE-2025-6395.patch \ + file://CVE-2025-9820.patch \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" From patchwork Tue Dec 2 15:09:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75727 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97F22D11700 for ; Tue, 2 Dec 2025 15:09:51 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9917.1764688184680041369 for ; Tue, 02 Dec 2025 07:09:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=FJh+OuDa; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-7b8e49d8b35so6212515b3a.3 for ; Tue, 02 Dec 2025 07:09:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688184; x=1765292984; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7YzCbOsfhjFHkAwbyXcaOmRA8Ki/BUEgFGxafI2k0Fw=; b=FJh+OuDa8EBbplB/yjup9kaLarn4zUNSfavBdy+4dkTWe3VR2wtTQG4dprYJx4WBha CDVxn5dBNOUmmCSCi9bwRQymzc6ym5UBU0DtTDoujI5D+C1/NMUBDSuuUTTM4rgRYqVe 0JQsi/2X8UgIWQQ5IwkstLFaaJ0lk2QAZW+xZJ96Ytox/Xmwkp7xea4G97I0YGwLna7f PtRYqgK8A1EDZ4CuwFHeSBaQwGxB4rXPtAfw5Bc0NR8AkQ1rRYQvNaXUvhnVFonFA4LW PQ92CwOhUFTZo3sQRFFao+/jwKySpVTfEWvZEcjS5llCNd7VPTFLgy7btEM83Wc4jIhY o+kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688184; x=1765292984; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=7YzCbOsfhjFHkAwbyXcaOmRA8Ki/BUEgFGxafI2k0Fw=; b=XHeuc8L7wYzaGxWXoVo6IhPjH/5wshyOLijJzjJbcIUvogyPC08qz0THzb+Ix65nU5 GOqVZl3RoyFvQaxsz53KHfQatNAoYJGV1YStMRoz5vLa7OHyhsldK7QSKItuqcU51JEY guQN20ULpDGocBb7oAApthN9pgi3fKOeS9l10HZsunbnA3SnoI4HArFlXQ7zwlvjfnzC txQd/kSpaZp35PjLFdusCRXhbEqhmwEf8NIRs4AC7jNv1sWhj43EuiVWhPBvPTq7QWs8 3GxjHSOrw4cCuAJsSJcH6f7PLVm9yapo5fhgA/8EMK37nK8uxtm3qj+/YXKe3ISoMg+W JGww== X-Gm-Message-State: AOJu0YzD0Pk+NK/K14DdnDDKVbj1zqQ5QHMQvQ7Bv2FpAj0pBev/Zvmc lkgK7DBXitUlN10+OlWwp4UwTQa+K8d9RkvVvjGe5e0t/DfawsCtdW4FLhxJDd9eM3fkAeTiUQx +L9Xf X-Gm-Gg: ASbGncsgCSLmbW73Smx7gQXUZQfMq1H47ZIsvvczH1qmhk1knycAlWkpc+uVU8aYnQD 4pgovw/1Nnm3t7z4im368nmj3A8iVfHog+Yi0rAw8Cqa3MPHj9qGn4C+P5v1OeSUHc/E0es9jWP ZJ26MZiT6mESaFk41Jil8SgQnG2r2TLdlmVlqjre5kUCj6F1avx/mCV6e5PPq/XHD1bLT7CC0GQ 6jLHygfaFFaQkR0lT1HEsYLVAzoixS5QLulDoW9l+mcS17DWx/M4u9X6SiIW4SkJPZVfGhQmYw1 G0lOP29e6KG7B+bZQVjWuvtPtB3uayQQUoRl/gvPIPolGTwkTaZ2w8Y8b8+UlwHEnfK+i8QTylG Ua/ecl+1PZ1S/nNeGTN5W7fIHvdoxz1uo9B/zVbN5weK3U+OSXkEH7KPn7m9ccamtM8fgtdhwri tV/A== X-Google-Smtp-Source: AGHT+IHTfblOoDYvDYjWuka5v8E+XZGaipfk60h07gklU1Z8T/dHNmM5zjwvDfp0gRqSBurk3Tvp3g== X-Received: by 2002:a05:6a20:9189:b0:334:a180:b7ac with SMTP id adf61e73a8af0-36150f05e9bmr44684636637.39.1764688183544; Tue, 02 Dec 2025 07:09:43 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:43 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/10] libpng: patch CVE-2025-64505 Date: Tue, 2 Dec 2025 07:09:25 -0800 Message-ID: <1470546924765d134c83b50e62974f048614b121.1764688053.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:09:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227161 From: Peter Marko Pick commit per NVD report. Add two patches to apply it cleanly. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libpng/files/CVE-2025-64505-01.patch | 111 ++++++++++++ .../libpng/files/CVE-2025-64505-02.patch | 163 ++++++++++++++++++ .../libpng/files/CVE-2025-64505-03.patch | 52 ++++++ .../libpng/libpng_1.6.39.bb | 3 + 4 files changed, 329 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch new file mode 100644 index 0000000000..c8ca222d14 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch @@ -0,0 +1,111 @@ +From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Thu, 15 Feb 2024 21:53:24 +0200 +Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix + the manual + +By definition, `sizeof(png_byte)` is 1. + +Remove all the occurences of `sizeof(png_byte)` from the code, and fix +a related typo in the libpng manual. + +Also update the main .editorconfig file to reflect the fixing expected +by a FIXME note. + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a822678df85373] +Signed-off-by: Peter Marko +--- + libpng-manual.txt | 4 ++-- + libpng.3 | 4 ++-- + pngrtran.c | 17 +++++++---------- + 3 files changed, 11 insertions(+), 14 deletions(-) + +diff --git a/libpng-manual.txt b/libpng-manual.txt +index eb24ef483..d2918ce31 100644 +--- a/libpng-manual.txt ++++ b/libpng-manual.txt +@@ -1180,11 +1180,11 @@ where row_pointers is an array of pointers to the pixel data for each row: + If you know your image size and pixel size ahead of time, you can allocate + row_pointers prior to calling png_read_png() with + +- if (height > PNG_UINT_32_MAX/(sizeof (png_byte))) ++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep))) + png_error (png_ptr, + "Image is too tall to process in memory"); + +- if (width > PNG_UINT_32_MAX/pixel_size) ++ if (width > PNG_UINT_32_MAX / pixel_size) + png_error (png_ptr, + "Image is too wide to process in memory"); + +diff --git a/libpng.3 b/libpng.3 +index 57d06f2db..8875b219a 100644 +--- a/libpng.3 ++++ b/libpng.3 +@@ -1699,11 +1699,11 @@ where row_pointers is an array of pointers to the pixel data for each row: + If you know your image size and pixel size ahead of time, you can allocate + row_pointers prior to calling png_read_png() with + +- if (height > PNG_UINT_32_MAX/(sizeof (png_byte))) ++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep))) + png_error (png_ptr, + "Image is too tall to process in memory"); + +- if (width > PNG_UINT_32_MAX/pixel_size) ++ if (width > PNG_UINT_32_MAX / pixel_size) + png_error (png_ptr, + "Image is too wide to process in memory"); + +diff --git a/pngrtran.c b/pngrtran.c +index 74cca476b..041f9306c 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + int i; + + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + for (i = 0; i < num_palette; i++) + png_ptr->quantize_index[i] = (png_byte)i; + } +@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + + /* Initialize an array to sort colors */ + png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + + /* Initialize the quantize_sort array */ + for (i = 0; i < num_palette; i++) +@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + + /* Initialize palette index arrays */ + png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * +- (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)((png_uint_32)num_palette * +- (sizeof (png_byte)))); ++ (png_alloc_size_t)num_palette); + + /* Initialize the sort array */ + for (i = 0; i < num_palette; i++) +@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + size_t num_entries = ((size_t)1 << total_bits); + + png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr, +- (png_alloc_size_t)(num_entries * (sizeof (png_byte)))); ++ (png_alloc_size_t)(num_entries)); + +- distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries * +- (sizeof (png_byte)))); ++ distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)num_entries); + +- memset(distance, 0xff, num_entries * (sizeof (png_byte))); ++ memset(distance, 0xff, num_entries); + + for (i = 0; i < num_palette; i++) + { diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch new file mode 100644 index 0000000000..5a3e50b642 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch @@ -0,0 +1,163 @@ +From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 8 Nov 2025 17:16:59 +0200 +Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor + +Release the previously-allocated array `quantize_index` before +reallocating it. This avoids leaking memory when the function +`png_set_quantize` is called multiple times on the same `png_struct`. + +This function assumed single-call usage, but fuzzing revealed that +repeated calls would overwrite the pointers without freeing the +original allocations, leaking 256 bytes per call for `quantize_index` +and additional memory for `quantize_sort` when histogram-based +quantization is used. + +Also remove the array `quantize_sort` from the list of `png_struct` +members and make it a local variable. This array is initialized, +used and released exclusively inside the function `png_set_quantize`. + +Reported-by: Samsung-PENTEST +Analyzed-by: degrigis +Reviewed-by: John Bowler + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235] +Signed-off-by: Peter Marko +--- + pngrtran.c | 43 +++++++++++++++++++++++-------------------- + pngstruct.h | 1 - + 2 files changed, 23 insertions(+), 21 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 1809db704..4632dd521 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + { + int i; + ++ /* Initialize the array to index colors. ++ * ++ * Be careful to avoid leaking memory. Applications are allowed to call ++ * this function more than once per png_struct. ++ */ ++ png_free(png_ptr, png_ptr->quantize_index); + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, + (png_alloc_size_t)num_palette); + for (i = 0; i < num_palette; i++) +@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + * Perhaps not the best solution, but good enough. + */ + +- int i; ++ png_bytep quantize_sort; ++ int i, j; + +- /* Initialize an array to sort colors */ +- png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr, ++ /* Initialize the local array to sort colors. */ ++ quantize_sort = (png_bytep)png_malloc(png_ptr, + (png_alloc_size_t)num_palette); +- +- /* Initialize the quantize_sort array */ + for (i = 0; i < num_palette; i++) +- png_ptr->quantize_sort[i] = (png_byte)i; ++ quantize_sort[i] = (png_byte)i; + + /* Find the least used palette entries by starting a + * bubble sort, and running it until we have sorted +@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + for (i = num_palette - 1; i >= maximum_colors; i--) + { + int done; /* To stop early if the list is pre-sorted */ +- int j; + + done = 1; + for (j = 0; j < i; j++) + { +- if (histogram[png_ptr->quantize_sort[j]] +- < histogram[png_ptr->quantize_sort[j + 1]]) ++ if (histogram[quantize_sort[j]] ++ < histogram[quantize_sort[j + 1]]) + { + png_byte t; + +- t = png_ptr->quantize_sort[j]; +- png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1]; +- png_ptr->quantize_sort[j + 1] = t; ++ t = quantize_sort[j]; ++ quantize_sort[j] = quantize_sort[j + 1]; ++ quantize_sort[j + 1] = t; + done = 0; + } + } +@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + /* Swap the palette around, and set up a table, if necessary */ + if (full_quantize != 0) + { +- int j = num_palette; ++ j = num_palette; + + /* Put all the useful colors within the max, but don't + * move the others. + */ + for (i = 0; i < maximum_colors; i++) + { +- if ((int)png_ptr->quantize_sort[i] >= maximum_colors) ++ if ((int)quantize_sort[i] >= maximum_colors) + { + do + j--; +- while ((int)png_ptr->quantize_sort[j] >= maximum_colors); ++ while ((int)quantize_sort[j] >= maximum_colors); + + palette[i] = palette[j]; + } +@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + } + else + { +- int j = num_palette; ++ j = num_palette; + + /* Move all the used colors inside the max limit, and + * develop a translation table. +@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + for (i = 0; i < maximum_colors; i++) + { + /* Only move the colors we need to */ +- if ((int)png_ptr->quantize_sort[i] >= maximum_colors) ++ if ((int)quantize_sort[i] >= maximum_colors) + { + png_color tmp_color; + + do + j--; +- while ((int)png_ptr->quantize_sort[j] >= maximum_colors); ++ while ((int)quantize_sort[j] >= maximum_colors); + + tmp_color = palette[j]; + palette[j] = palette[i]; +@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + } + } + } +- png_free(png_ptr, png_ptr->quantize_sort); +- png_ptr->quantize_sort = NULL; ++ png_free(png_ptr, quantize_sort); + } + else + { +diff --git a/pngstruct.h b/pngstruct.h +index 084422bc1..fe5fa0415 100644 +--- a/pngstruct.h ++++ b/pngstruct.h +@@ -413,7 +413,6 @@ struct png_struct_def + + #ifdef PNG_READ_QUANTIZE_SUPPORTED + /* The following three members were added at version 1.0.14 and 1.2.4 */ +- png_bytep quantize_sort; /* working sort array */ + png_bytep index_to_palette; /* where the original index currently is + in the palette */ + png_bytep palette_to_index; /* which original index points to this diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch new file mode 100644 index 0000000000..ddda8678ce --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch @@ -0,0 +1,52 @@ +From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 8 Nov 2025 23:58:26 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_do_quantize` + +Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes) +instead of num_palette bytes. This approach matches the allocation +pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which +were similarly oversized in libpng 1.2.1 to prevent buffer overflows +from malformed PNG files with out-of-range palette indices. + +Out-of-range palette indices `index >= num_palette` will now read +identity-mapped values from the `quantize_index` array (where index N +maps to palette entry N). This prevents undefined behavior while +avoiding runtime bounds checking overhead in the performance-critical +pixel processing loop. + +Reported-by: Samsung-PENTEST +Analyzed-by: degrigis + +CVE: CVE-2025-64505 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37] +Signed-off-by: Peter Marko +--- + pngrtran.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 4632dd521..9c2475fde 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette, + int i; + + /* Initialize the array to index colors. ++ * ++ * Ensure quantize_index can fit 256 elements (PNG_MAX_PALETTE_LENGTH) ++ * rather than num_palette elements. This is to prevent buffer overflows ++ * caused by malformed PNG files with out-of-range palette indices. + * + * Be careful to avoid leaking memory. Applications are allowed to call + * this function more than once per png_struct. + */ + png_free(png_ptr, png_ptr->quantize_index); + png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr, +- (png_alloc_size_t)num_palette); +- for (i = 0; i < num_palette; i++) ++ PNG_MAX_PALETTE_LENGTH); ++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++) + png_ptr->quantize_index[i] = (png_byte)i; + } + diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 011eec94a2..62e3e81b4f 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -13,6 +13,9 @@ LIBV = "16" SRC_URI = "\ ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \ file://run-ptest \ + file://CVE-2025-64505-01.patch \ + file://CVE-2025-64505-02.patch \ + file://CVE-2025-64505-03.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Tue Dec 2 15:09:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75723 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7BAA2CFD2F6 for ; Tue, 2 Dec 2025 15:09:51 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9660.1764688186913764279 for ; Tue, 02 Dec 2025 07:09:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=dBh0/zko; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-7b22ffa2a88so5477401b3a.1 for ; Tue, 02 Dec 2025 07:09:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688186; x=1765292986; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=m6qgE/dHvzs4tydVJtnkS2wYX8LmKQbGgh945PA4vXs=; b=dBh0/zko+p4r3hdzCYpu7kh1Ku18hQ7Dyk5L8n3pYyGTIQUZSfOLYG+zsSgRK+3IFo dIEXd2Rku7AST7GuuCYmcXdqeXXw2QaxMBKkq6cx5ue9lUoBATx543PCsxk8QFdJpPWy tEIhsneRKC9h+u68CPqJTFqTxE5p/RRnFaSOiz9e6oLeZ7IBiHl2LxzbkwArEPhfx6ya ofgcS2YsUeEmFs812Mduq8uF3/uUWWSXEFDGayXGebsRh2b/XWTu9vHYIVPYpPEhwDRR mZYmZtM7byKgm4DIFV7fGiGcjQZ60floTb9jc7Ype9mcMrG/C8sVPnJX/495ASQMcUu+ 21Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688186; x=1765292986; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=m6qgE/dHvzs4tydVJtnkS2wYX8LmKQbGgh945PA4vXs=; b=eNBnhguXRkEr2ljQlS9TL/NeMz9e1PvJo/dE4tAer1MwnlXOI62fQz3rU22NIld1ij ZKUBWNGfqfGGsAw9CgtP4vjk8kYlk9U+suuLETr7Kn9LlbDSR5Aa1hgn7xRzakv6oClw NgmbdJ1XfjJMZ0a4uUp+6PYDmqq5Cani2YJINtcqF5e08vF0cK1Jex+oyiY7luH4NMk/ J1OviNb+3DwbaLc/i7wf64X1aEDrOMjv2rBJWw9U6Vv33aaA3cX7S8fUbtF3NVbcfCjL XLU6mPlX6FXFl5ZiPfMWPPGtZ8j9VeHJjkRUFBKgXflyhAlQOW+0OBW3+hWtzPDc0qza fpvw== X-Gm-Message-State: AOJu0YyRTFL8btyD/35kcY8w8PXb6z6u63usa0wKr7wqoLAAQSenbtLb dXYYEEIcMvT8lb4Kg/ebg0OnhSAF4w/W9PmX9j2pH642jJijlxM7zeKKL1GKyi2bjddLAQvLTea jMaVg X-Gm-Gg: ASbGncul52w4Syt8tEcZHp3uZ7/Mi3xpNz1lBgBTKQle2YWzp3xeA21vgh9ZnKHtJLp qSQF+cF717yzaiHABItXRGU4+Uxs7CHv1iepkEER3la6pzwbHqUoml6+IaicXPNwVYZSTwWjpC6 XD4xD8AHPIPQ5SSvhf0zAMQquQbEuaI8azElY43HbovlYN4Fhvht/DxdoIdddcI0/kaDXifuKm9 h4dXEEifqHXowAmW9vk2TA3u2WIvv6SA21ZUrLCuM/qU64Id+BMt1W1KzJlt1xekMK1UvZckgmr RIyf+uGEsYFabyBLwUQYlgzf4F41vaKrsteLoWASf3p2mwMU5s84HIKB8dZou7hPg6QFCLLOFBe GJkn4YXL8qBTVC41K0mGahIt6Ap7sxCrl1uP6FdgX5uSG0J5vI9IcouWXk+peIREhW3zZfwb5a7 CN0A== X-Google-Smtp-Source: AGHT+IHQaRPW5Z+82UY9pEzbYcDPyEGN8fKYO8CtOfId4rHQlnPo24EZfkjrwsD/rMj2IG5QI0tj9Q== X-Received: by 2002:a05:6a21:999b:b0:35d:d477:a7d6 with SMTP id adf61e73a8af0-36150e6ddd2mr39141625637.13.1764688185916; Tue, 02 Dec 2025 07:09:45 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:45 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/10] libpng: patch CVE-2025-64506 Date: Tue, 2 Dec 2025 07:09:26 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:09:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227162 From: Peter Marko Pick commit per NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libpng/files/CVE-2025-64506.patch | 57 +++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch new file mode 100644 index 0000000000..696f459971 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch @@ -0,0 +1,57 @@ +From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Fri, 7 Nov 2025 22:40:05 +0200 +Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit` + +The condition guarding the pre-transform path incorrectly allowed 8-bit +input data to enter `png_write_image_8bit` which expects 16-bit input. +This caused out-of-bounds reads when processing 8-bit grayscale+alpha +images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746), +with the `convert_to_8bit` flag set (an invalid combination that should +bypass the pre-transform path). + +The second part of the condition, i.e. + + colormap == 0 && convert_to_8bit != 0 + +failed to verify that input was 16-bit, i.e. + + linear != 0 + +contradicting the comment "This only applies when the input is 16-bit". + +The fix consists in restructuring the condition to ensure both the +`alpha` path and the `convert_to_8bit` path require linear (16-bit) +input. The corrected condition, i.e. + + linear != 0 && (alpha != 0 || display->convert_to_8bit != 0) + +matches the expectation of the `png_write_image_8bit` function and +prevents treating 8-bit buffers as 16-bit data. + +Reported-by: Samsung-PENTEST +Reported-by: weijinjinnihao +Analyzed-by: degrigis +Reviewed-by: John Bowler + +CVE: CVE-2025-64506 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821] +Signed-off-by: Peter Marko +--- + pngwrite.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/pngwrite.c b/pngwrite.c +index 35a5d17b6..83148960e 100644 +--- a/pngwrite.c ++++ b/pngwrite.c +@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument) + * before it is written. This only applies when the input is 16-bit and + * either there is an alpha channel or it is converted to 8-bit. + */ +- if ((linear != 0 && alpha != 0 ) || +- (colormap == 0 && display->convert_to_8bit != 0)) ++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)) + { + png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr, + png_get_rowbytes(png_ptr, info_ptr))); diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index 62e3e81b4f..cc35e7a725 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -16,6 +16,7 @@ SRC_URI = "\ file://CVE-2025-64505-01.patch \ file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-03.patch \ + file://CVE-2025-64506.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Tue Dec 2 15:09:27 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75725 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B57BD116F9 for ; Tue, 2 Dec 2025 15:09:51 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9661.1764688189116371553 for ; Tue, 02 Dec 2025 07:09:49 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=JNIgQDkj; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-7aace33b75bso5323880b3a.1 for ; Tue, 02 Dec 2025 07:09:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688188; x=1765292988; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UySqQUCB/5HIusTG90fqWMIRWqJNCGams8IKJ2MpfNc=; b=JNIgQDkjJeHeHz7eH+O7BiEwOb8wYmd+V7ZXr8gGBO1/ZnHQWKDAye+PhhC0XhFApM DQNtjzj+W6slaIsUjRRkZATMj6wVTAqE/mnqTOYI7JvjQi7lM0BnrP2UFtn3B7VRTuCU WPPYjeahlFPldWSYoh5rd/bowkdNa80wnWsGBqmAUBHbXnKsBSsBEMK5GoPnmnmXuVaj XELxpKTMwnOHcI5S7vIJuTl945V9j0BqIIQ5Wh2PnbWcvSb8iHFEuZABkmqO7ZrslQKt wXn7SqHKFW2jGpJ/J5QOtanA3EtbL4TvBlqJxvor/xrAvbgcgf9x7Cp368IPPPQ67bNt OLSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688188; x=1765292988; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=UySqQUCB/5HIusTG90fqWMIRWqJNCGams8IKJ2MpfNc=; b=XESavtdY22T/lOJx441umXsr+vwsdCphBRd/+B8Y4OJtLaliL2s9ePmBw2MgGqHZCA c3tibW+sCkeevXmSH/I4bo1dPQOQmnvy8CqfzsM22m5jw+yOGUPWD2YhZNQBNxeGBqNK /NS6Bg3IgcD0F29xPUD4LfUek3UahYrpRnNcftYVnJ1VmNYyvYFGtakNn72DyVJfjqVF gICLjHRKfMYrhEsJaRD2trxESWjGLyCuE8KLKN88lhTwzqjzzUwfIGEP0mY56P1Tj/yu 28rJML1T3FUpt0tWVj0hZazEncarCbYlD3LyDnHtBoEaDwfBZebpWMbJ3CXzZA2mFFph 63sA== X-Gm-Message-State: AOJu0YxdZrSgKcXyFYzp5AjoHVLMsYlczwA7+3bPrJFpa3V6jCWLvblI uwgi8P2wHVrd3SvOK4PZteo+gQhykMNp4555x64r4bVH6eslJVgf962Y4FQ9YbL0421G3kNErSN 2JXTq X-Gm-Gg: ASbGncutSbxlUyNJN9meL0fmVQ7Jbio5woFGTsNgmIoZcmkVFazHR4VOsEQF1+I5pDY epmwMzRzzjzy5F4LWAqCEqmQAF0BPEwvrzhlwucL5vh55DjO02HIEpy3keik0MwouWsjITnROi9 zdG6JyOGj2QEh93C1lRDmm9gETmrvPYYgAEZ+schezujFp0LUwcFn3MwMlKh+fuPlt0qI7n0rqM YVMYgvUy9EPAEK6m3d8Fja/hrKOd/E6E9KljPwAZwgZyj/1OEp/ViUv38Kh+7xy7mXMgbVDTDDC pe6wa8Pu6sxEQ2tmTktCmP7QdTn0Bc0jRrEIpIP6cVWfRCSff+QcxpK0Bg5DShpS6SK6BpPJAWD ordxodkclzhJDZInfJRXIayYgB6bwURO1mbMnnCE9Dku0wx/1Zi+Qr2c50CwRdyBOD9z9UR57vX DcRw== X-Google-Smtp-Source: AGHT+IEDLhxB2RX3vR6cPUsGH0VmcuByjRsaVan1smFaR8l4u9amDHVe5WanUF+tAoA7UCjbjg9WJw== X-Received: by 2002:a05:6a20:431e:b0:35f:6586:5df6 with SMTP id adf61e73a8af0-36150e27820mr45715225637.11.1764688188244; Tue, 02 Dec 2025 07:09:48 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:47 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/10] libpng: patch CVE-2025-64720 Date: Tue, 2 Dec 2025 07:09:27 -0800 Message-ID: <9694df176a13eeac174c7da2bcf8243969dbcda6.1764688053.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:09:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227163 From: Peter Marko Pick commit per NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libpng/files/CVE-2025-64720.patch | 103 ++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 1 + 2 files changed, 104 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch new file mode 100644 index 0000000000..08df7c3210 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch @@ -0,0 +1,103 @@ +From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Wed, 12 Nov 2025 13:46:23 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations` + +The palette compositing code in `png_init_read_transformations` was +incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA +was set. This violated the premultiplied alpha invariant +`component <= alpha` expected by `png_image_read_composite`, causing +values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup +tables. + +When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure +premultiplied RGB values without background compositing. The background +compositing must happen later in `png_image_read_composite` where the +actual background color from the PNG file is available. + +The fix consists in introducing conditional behavior based on +PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only +premultiplication using the formula `component * alpha + 127) / 255` +with proper gamma correction. When not set, the original background +compositing calculation based on the `png_composite` macro is preserved. + +This prevents buffer overflows in `png_image_read_composite` where +out-of-range premultiplied values would cause out-of-bounds array access +in `png_sRGB_base[]` and `png_sRGB_delta[]`. + +Reported-by: Samsung-PENTEST +Analyzed-by: John Bowler + +CVE: CVE-2025-64720 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643] +Signed-off-by: Peter Marko +--- + pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 10 deletions(-) + +diff --git a/pngrtran.c b/pngrtran.c +index 548780030..2f5202255 100644 +--- a/pngrtran.c ++++ b/pngrtran.c +@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr) + } + else /* if (png_ptr->trans_alpha[i] != 0xff) */ + { +- png_byte v, w; ++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0) ++ { ++ /* Premultiply only: ++ * component = round((component * alpha) / 255) ++ */ ++ png_uint_32 component; + +- v = png_ptr->gamma_to_1[palette[i].red]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red); +- palette[i].red = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].red]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].red = png_ptr->gamma_from_1[component]; + +- v = png_ptr->gamma_to_1[palette[i].green]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green); +- palette[i].green = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].green]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].green = png_ptr->gamma_from_1[component]; + +- v = png_ptr->gamma_to_1[palette[i].blue]; +- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue); +- palette[i].blue = png_ptr->gamma_from_1[w]; ++ component = png_ptr->gamma_to_1[palette[i].blue]; ++ component = ++ (component * png_ptr->trans_alpha[i] + 128) / 255; ++ palette[i].blue = png_ptr->gamma_from_1[component]; ++ } ++ else ++ { ++ /* Composite with background color: ++ * component = ++ * alpha * component + (1 - alpha) * background ++ */ ++ png_byte v, w; ++ ++ v = png_ptr->gamma_to_1[palette[i].red]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.red); ++ palette[i].red = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].green]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.green); ++ palette[i].green = png_ptr->gamma_from_1[w]; ++ ++ v = png_ptr->gamma_to_1[palette[i].blue]; ++ png_composite(w, v, ++ png_ptr->trans_alpha[i], back_1.blue); ++ palette[i].blue = png_ptr->gamma_from_1[w]; ++ } + } + } + else diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index cc35e7a725..efb8eba372 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -17,6 +17,7 @@ SRC_URI = "\ file://CVE-2025-64505-02.patch \ file://CVE-2025-64505-03.patch \ file://CVE-2025-64506.patch \ + file://CVE-2025-64720.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Tue Dec 2 15:09:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75726 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F21AD11702 for ; Tue, 2 Dec 2025 15:09:51 +0000 (UTC) Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9663.1764688191360257942 for ; Tue, 02 Dec 2025 07:09:51 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=LoeIBaZB; spf=softfail (domain: sakoman.com, ip: 209.85.210.182, mailfrom: steve@sakoman.com) Received: by mail-pf1-f182.google.com with SMTP id d2e1a72fcca58-7c66822dd6dso3504007b3a.0 for ; Tue, 02 Dec 2025 07:09:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688190; x=1765292990; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=OrTeKnFWHKFFWOm4SRDqyYNp2nBiWmVJcgqkXR84ITM=; b=LoeIBaZBkwgW9PXbNlrZ5xwVG422t0x3W1P0U1lxYRpMwixCSZG31lA8OqZel26yZ6 4f3iTkTJ5xRrVUO8NILUthnZrTSMwdz+e77AnTVrxl+QCrjsRcSe8AY63I/WdULJ+5kx 1PNmneD209gcr3iB+xjYYYh6F4tk55VjEbQvbyxqE0hQwPtxOxP1nCEkFqVA80N1ZemA HrKYrc7cdQJ5nbxxkG3UDtkWi93c1zIgREGbtfY9daATgiM8xnbRh4eDkofX9ovb5rJH t36ougqjgq/iqaBkb0462+31ZF2PozLgIF9bO2cdzFqa+4KCcrkFvldsONksvqBuArbH GwpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688190; x=1765292990; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=OrTeKnFWHKFFWOm4SRDqyYNp2nBiWmVJcgqkXR84ITM=; b=gebzq6HV88zdLrfy4C/e2ST52BipkYF2L4sUaY3eeI4onseGRFP2kNqT1etNEfjLiO Agg58onlxTpBJ2g4VRKBgjhjorbe0KDZZgkM2nRbKgucVR0/69np72rmNyCDyEHZxYtU oz/j3oYyKZ9ox+TF6i5fvLZVLE5+X3eAyW/rFAPjwBeteEEqU1a1F/uRxDHoQH8eeMjI PutHJu5ykWZwKHLpdnl+xFWY1Ha36idy/k5xLQ0h6N/74Rglbfq7O3hd3/114QuRus4g 1P/hMCtHPngjKNAdNJHcm1DA4pAAxwHjhwst00sWpsPM34EfpNGxax89IYlXz1byDMxM SV5Q== X-Gm-Message-State: AOJu0YxRB+2/91XxqYiQBZQib4KnrD8KpFzg4Nba4LgwMUPq+VfPu8Fe aBf9GVyp3cpNy8tFJidI0E+0QAydjHzpItRGfQ7BLoReER+tZUfH2KCQyCRjpraJxAlAuIUUfVQ IJS1G X-Gm-Gg: ASbGncvvII/vJdp/L8czr1V/3mGQrXu3o46uHOnwZxCiG+ZEAfQDL5Aotvg4UxsSKT1 VufEtWMTi+CtW85N+pv7z/oYVCwOvQhbt1qJOrOd46BLJbSQVluNacHmGrVds7h7kxMh/Ta+PLN S/vIVV26vHcS7IG/Y90pwekfiq9uD17PFGeJbELZYlQGDypp+f6CgHPXFiEuD4p6v0j6FUAQd66 1OqDDyNd8s/JkqWlTARWLiZwQybXiiwuLhYCay/g/sN05SIAWjmdStsOlWEjmAXIqn9ffEqFiGe bzLisXVqGagFGotQFPjQUgBE6OrRhBH8N0vXd611QI1Ix8hwPag5dV5i048KkiVoNvn3IwF3Hms L4ZJ9w2Ej/1qtLhtQJvARYBtlfaEKUzTUXujeTkVlnhjRkvO2OrnwWxUtCUoK35OFgZB7fsMQCC 54qQ== X-Google-Smtp-Source: AGHT+IHcxrKSWSHjKKXeN8xdZ2sWOoQcjPdLETTLZxF9LIy5iYret4Pe1N7xxwCsV7FGeX45zTJshA== X-Received: by 2002:a05:6a20:3d92:b0:334:b280:b12 with SMTP id adf61e73a8af0-363e8c79fe4mr3163132637.1.1764688190182; Tue, 02 Dec 2025 07:09:50 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:49 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/10] libpng: patch CVE-2025-65018 Date: Tue, 2 Dec 2025 07:09:28 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:09:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227164 From: Peter Marko Pick commits per NVD report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libpng/files/CVE-2025-65018-01.patch | 60 +++++++ .../libpng/files/CVE-2025-65018-02.patch | 163 ++++++++++++++++++ .../libpng/libpng_1.6.39.bb | 2 + 3 files changed, 225 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch new file mode 100644 index 0000000000..a3e31ea6ac --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch @@ -0,0 +1,60 @@ +From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Mon, 17 Nov 2025 20:38:47 +0200 +Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reject bit-depth mismatches between IHDR and the requested output +format. When a 16-bit PNG is processed with an 8-bit output format +request, `png_combine_row` writes using the IHDR depth before +transformation, causing writes beyond the buffer allocated via +`PNG_IMAGE_SIZE(image)`. + +The validation establishes a safe API contract where +`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the +transformation pipeline. + +Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA): +- Input format: 16 bits/channel × 3 channels = 6144 bytes +- Output buffer: 8 bits/channel × 4 channels = 4096 bytes +- Overflow: 6144 bytes - 4096 bytes = 2048 bytes + +Larger images produce proportionally larger overflows. For example, +for 256×256 pixels, the overflow is 131072 bytes. + +Reported-by: yosiimich + +CVE: CVE-2025-65018 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d] +Signed-off-by: Peter Marko +--- + pngread.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/pngread.c b/pngread.c +index 212afb7d2..92571ec33 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -4164,6 +4164,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + ++ /* Reject bit depth mismatches to avoid buffer overflows. */ ++ png_uint_32 ihdr_bit_depth = ++ image->opaque->png_ptr->bit_depth; ++ int requested_linear = ++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; ++ if (ihdr_bit_depth == 16 && !requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "16-bit PNG must use 16-bit output format"); ++ if (ihdr_bit_depth < 16 && requested_linear) ++ return png_image_error(image, ++ "png_image_finish_read: " ++ "8-bit PNG must not use 16-bit output format"); ++ + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch new file mode 100644 index 0000000000..b64a45e9f3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch @@ -0,0 +1,163 @@ +From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Wed, 19 Nov 2025 21:45:13 +0200 +Subject: [PATCH] Rearchitect the fix to the buffer overflow in + `png_image_finish_read` + +Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d. +That fix turned out to be unnecessarily limiting. It rejected all +16-to-8 bit transformations, although the vulnerability only affects +interlaced PNGs where `png_combine_row` writes using IHDR bit-depth +before the transformation completes. + +The proper solution is to add an intermediate `local_row` buffer, +specifically for the slow but necessary step of 16-to-8 bit conversion +of interlaced images. (The processing of non-interlaced images remains +intact, using the fast path.) We added the flag `do_local_scale` and +the function `png_image_read_direct_scaled`, following the pattern that +involves `do_local_compose`. + +In conclusion: +- The 16-to-8 bit transformations of interlaced images are now safe, + as they use an intermediate buffer. +- The 16-to-8 bit transformations of non-interlaced images remain safe, + as the fast path remains unchanged. +- All our regression tests are now passing. + +CVE: CVE-2025-65018 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea] +Signed-off-by: Peter Marko +--- + pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 75 insertions(+), 14 deletions(-) + +diff --git a/pngread.c b/pngread.c +index 92571ec33..79917daaa 100644 +--- a/pngread.c ++++ b/pngread.c +@@ -3260,6 +3260,54 @@ png_image_read_colormapped(png_voidp argument) + } + } + ++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */ ++static int ++png_image_read_direct_scaled(png_voidp argument) ++{ ++ png_image_read_control *display = png_voidcast(png_image_read_control*, ++ argument); ++ png_imagep image = display->image; ++ png_structrp png_ptr = image->opaque->png_ptr; ++ png_bytep local_row = png_voidcast(png_bytep, display->local_row); ++ png_bytep first_row = png_voidcast(png_bytep, display->first_row); ++ ptrdiff_t row_bytes = display->row_bytes; ++ int passes; ++ ++ /* Handle interlacing. */ ++ switch (png_ptr->interlaced) ++ { ++ case PNG_INTERLACE_NONE: ++ passes = 1; ++ break; ++ ++ case PNG_INTERLACE_ADAM7: ++ passes = PNG_INTERLACE_ADAM7_PASSES; ++ break; ++ ++ default: ++ png_error(png_ptr, "unknown interlace type"); ++ } ++ ++ /* Read each pass using local_row as intermediate buffer. */ ++ while (--passes >= 0) ++ { ++ png_uint_32 y = image->height; ++ png_bytep output_row = first_row; ++ ++ for (; y > 0; --y) ++ { ++ /* Read into local_row (gets transformed 8-bit data). */ ++ png_read_row(png_ptr, local_row, NULL); ++ ++ /* Copy from local_row to user buffer. */ ++ memcpy(output_row, local_row, (size_t)row_bytes); ++ output_row += row_bytes; ++ } ++ } ++ ++ return 1; ++} ++ + /* Just the row reading part of png_image_read. */ + static int + png_image_read_composite(png_voidp argument) +@@ -3678,6 +3726,7 @@ png_image_read_direct(png_voidp argument) + int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0; + int do_local_compose = 0; + int do_local_background = 0; /* to avoid double gamma correction bug */ ++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */ + int passes = 0; + + /* Add transforms to ensure the correct output format is produced then check +@@ -3804,8 +3853,16 @@ png_image_read_direct(png_voidp argument) + png_set_expand_16(png_ptr); + + else /* 8-bit output */ ++ { + png_set_scale_16(png_ptr); + ++ /* For interlaced images, use local_row buffer to avoid overflow ++ * in png_combine_row() which writes using IHDR bit-depth. ++ */ ++ if (png_ptr->interlaced != 0) ++ do_local_scale = 1; ++ } ++ + change &= ~PNG_FORMAT_FLAG_LINEAR; + } + +@@ -4081,6 +4138,24 @@ png_image_read_direct(png_voidp argument) + return result; + } + ++ else if (do_local_scale != 0) ++ { ++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer ++ * to avoid buffer overflows in png_combine_row. The local_row is sized ++ * for the transformed (8-bit) output, preventing the overflow that would ++ * occur if png_combine_row wrote 16-bit data directly to the user buffer. ++ */ ++ int result; ++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr)); ++ ++ display->local_row = row; ++ result = png_safe_execute(image, png_image_read_direct_scaled, display); ++ display->local_row = NULL; ++ png_free(png_ptr, row); ++ ++ return result; ++ } ++ + else + { + png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes; +@@ -4164,20 +4239,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background, + int result; + png_image_read_control display; + +- /* Reject bit depth mismatches to avoid buffer overflows. */ +- png_uint_32 ihdr_bit_depth = +- image->opaque->png_ptr->bit_depth; +- int requested_linear = +- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0; +- if (ihdr_bit_depth == 16 && !requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "16-bit PNG must use 16-bit output format"); +- if (ihdr_bit_depth < 16 && requested_linear) +- return png_image_error(image, +- "png_image_finish_read: " +- "8-bit PNG must not use 16-bit output format"); +- + memset(&display, 0, (sizeof display)); + display.image = image; + display.buffer = buffer; diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index efb8eba372..47b76a704b 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -18,6 +18,8 @@ SRC_URI = "\ file://CVE-2025-64505-03.patch \ file://CVE-2025-64506.patch \ file://CVE-2025-64720.patch \ + file://CVE-2025-65018-01.patch \ + file://CVE-2025-65018-02.patch \ " SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" From patchwork Tue Dec 2 15:09:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75728 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96343CFD2F6 for ; Tue, 2 Dec 2025 15:10:01 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9664.1764688193729204243 for ; Tue, 02 Dec 2025 07:09:53 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Kwlas2/D; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-7ba49f92362so3219296b3a.1 for ; Tue, 02 Dec 2025 07:09:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688193; x=1765292993; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lluKorE/qs7jwUPCvAJZXYqPOdglcchOSu8HCTJ5hjQ=; b=Kwlas2/DPpEAM89fAG8jxjczdYkhI17hTdAFpYPl6uvh1rJB8i6zfKfdLou+lP5Xq2 X95pAtWY/U3yJkwyZOkTBm5ooBhqObMF3KRX+msS+5+vfIl2QyZ0f7Z27J0c3As+nBd8 7YW7hmzyAZK91IKLxDcdHUygu55zMot/2YgnwInGTzN4IkJCni166w6je7aOcJCQmbyK paTI6YXW0ZWJba+Oe35ijQylsjEGhayEpavWQPVdsj8LwnPv3nsnpT2WUiZrAEX6/veX 31DPV/JQsQ3lYa3SrO7PS5buqYxtKrG3JXuVgqpaecDjrhBjgBAZ1IAZt9WQGGBOpHLr GgDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688193; x=1765292993; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=lluKorE/qs7jwUPCvAJZXYqPOdglcchOSu8HCTJ5hjQ=; b=RpfeZHZdBYV2NTkI+evoaOThrHr+N2fI51iVzY0IL4pdtLWJ6Tw6jz6abPezl01F2L wk6CWqzf3/FsE0I0WTRHqyq7/GtNEW6N12gNYdfAl+weCGLjcuJnWxvqdQVTI/Y6Sw0s fwccfafmFNILnlNuMm777+2vuCMuRs5HprtXXXCusAch+vO3nsD0VH30ZPj7L7BPgbcq 4SS2L2Mi1lzzB5G2b87b6gIH+CD48lLDuD46teWP2S+RhL4QuAnqKffo2nHdTmvVSDg8 T/4eZ8y5cTATo9b4Hdm5cikHvehx3big1DTtl0xAKwBbfX+n+kVF0WwZj8lJ2+OvXhZX 32jg== X-Gm-Message-State: AOJu0YxsvrWX53dv4MsvrkkLcRK/CgPXKKsmBN4qY8f2GbYDV1gqN+KI y5KgEIG2m4R6FBh6CsLdBah2laaxOfks60/eH86Ogxynf780xKml15djleP77cbY5fxfFvzIDon ZV0Jf X-Gm-Gg: ASbGnctFgyNO2H4CxvrAp0lwoCaixS1+9bzBj5koS+QULIeFZwA63Fu1wtHk1PpoVlm YYZeJvZl37vb3xF5dItp/7dHf00dEqKNjripxoLPf/ST1wW7Xyd60aZjDX/CmMgHnmisDDEQWye BbJR4O3N3dUhnQ6+XtxtAGoWVfQ6GmVEy3aphhXhXZ46TEl7kamwhJ4I+vIs/FZmvHM5FO9872F zcJAJDV3X2maO0oPM8wjnrLjtBQatRCO8qhSnlWrqmFStorcAsPjFky2NpOa2CCFP9vKk/UAzYI OovU3U1lgZy/OHC0Sau/5Q4ITKgLqOQ1Ra3OVc02DlLkA9beE0vDKZShTMObc23+gRoguHBlogR LN1jFaZ+DKPEzD1Hz6AE3uV4wkiiELQsEtC+Bq43aE/I4nK3bIuuJgepAW3luwQHDiMxPuL/IUa IBgQ== X-Google-Smtp-Source: AGHT+IENauZraWM/oTp4v//LQJMu12ejY7Jb3y0s8gLWdW/3yZyVi1MNCSkxUIDS5SiYEV0wRISCLQ== X-Received: by 2002:a05:6a20:94c8:b0:35f:84c7:4012 with SMTP id adf61e73a8af0-363e8d5b595mr3381317637.29.1764688192515; Tue, 02 Dec 2025 07:09:52 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:52 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/10] go: fix CVE-2025-58187 Date: Tue, 2 Dec 2025 07:09:29 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:10:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227165 From: Archana Polampalli Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-58187.patch | 349 ++++++++++++++++++ 2 files changed, 350 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 465f24e108..c5aa3f9786 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -69,6 +69,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47907.patch \ file://CVE-2025-47906.patch \ file://CVE-2024-24783.patch \ + file://CVE-2025-58187.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch new file mode 100644 index 0000000000..810487674c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch @@ -0,0 +1,349 @@ +From f334417e71f8b078ad64035bddb6df7f8910da6c Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Mon, 15 Sep 2025 16:31:22 -0400 +Subject: [PATCH] crypto/x509: improve domain name verification + +Don't use domainToReverseLabels to check if domain names are valid, +since it is not particularly performant, and can contribute to DoS +vectors. Instead just iterate over the name and enforce the properties +we care about. + +This also enforces that DNS names, both in SANs and name constraints, +are valid. We previously allowed invalid SANs, because some +intermediates had these weird names (see #23995), but there are +currently no trusted intermediates that have this property, and since we +target the web PKI, supporting this particular case is not a high +priority. + +Thank you to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-58187 +For #75681 +Fixes #75714 + +Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820 +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2982 +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-review.googlesource.com/c/go/+/709839 +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt + +CVE: CVE-2025-58187 + +Upstream-Status: Backport [https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c] + +Signed-off-by: Archana Polampalli +--- + src/crypto/x509/name_constraints_test.go | 66 ++------------------ + src/crypto/x509/parser.go | 77 ++++++++++++++---------- + src/crypto/x509/parser_test.go | 43 +++++++++++++ + src/crypto/x509/verify.go | 1 + + 4 files changed, 95 insertions(+), 92 deletions(-) + +diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go +index c59a7dc..d4f7d41 100644 +--- a/src/crypto/x509/name_constraints_test.go ++++ b/src/crypto/x509/name_constraints_test.go +@@ -1452,63 +1452,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth}, + }, + +- // An invalid DNS SAN should be detected only at validation time so +- // that we can process CA certificates in the wild that have invalid SANs. +- // See https://github.com/golang/go/issues/23995 +- +- // #77: an invalid DNS or mail SAN will not be detected if name constraint +- // checking is not triggered. +- { +- roots: make([]constraintsSpec, 1), +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid", "email:this @ is invalid"}, +- }, +- }, +- +- // #78: an invalid DNS SAN will be detected if any name constraint checking +- // is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"dns:this is invalid"}, +- }, +- expectedError: "cannot parse dnsName", +- }, +- +- // #79: an invalid email SAN will be detected if any name constraint +- // checking is triggered. +- { +- roots: []constraintsSpec{ +- { +- bad: []string{"uri:"}, +- }, +- }, +- intermediates: [][]constraintsSpec{ +- { +- {}, +- }, +- }, +- leaf: leafSpec{ +- sans: []string{"email:this @ is invalid"}, +- }, +- expectedError: "cannot parse rfc822Name", +- }, +- +- // #80: if several EKUs are requested, satisfying any of them is sufficient. ++ // #77: if several EKUs are requested, satisfying any of them is sufficient. + { + roots: make([]constraintsSpec, 1), + intermediates: [][]constraintsSpec{ +@@ -1523,7 +1467,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection}, + }, + +- // #81: EKUs that are not asserted in VerifyOpts are not required to be ++ // #78: EKUs that are not asserted in VerifyOpts are not required to be + // nested. + { + roots: make([]constraintsSpec, 1), +@@ -1542,7 +1486,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #82: a certificate without SANs and CN is accepted in a constrained chain. ++ // #79: a certificate without SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +@@ -1559,7 +1503,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #83: a certificate without SANs and with a CN that does not parse as a ++ // #80: a certificate without SANs and with a CN that does not parse as a + // hostname is accepted in a constrained chain. + { + roots: []constraintsSpec{ +@@ -1578,7 +1522,7 @@ var nameConstraintsTests = []nameConstraintsTest{ + }, + }, + +- // #84: a certificate with SANs and CN is accepted in a constrained chain. ++ // #81: a certificate with SANs and CN is accepted in a constrained chain. + { + roots: []constraintsSpec{ + { +diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go +index 635e74b..0788210 100644 +--- a/src/crypto/x509/parser.go ++++ b/src/crypto/x509/parser.go +@@ -391,10 +391,14 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + if err := isIA5String(email); err != nil { + return errors.New("x509: SAN rfc822Name is malformed") + } ++ parsed, ok := parseRFC2821Mailbox(email) ++ if !ok || (ok && !domainNameValid(parsed.domain, false)) { ++ return errors.New("x509: SAN rfc822Name is malformed") ++ } + emailAddresses = append(emailAddresses, email) + case nameTypeDNS: + name := string(data) +- if err := isIA5String(name); err != nil { ++ if err := isIA5String(name); err != nil || (err == nil && !domainNameValid(name, false)) { + return errors.New("x509: SAN dNSName is malformed") + } + dnsNames = append(dnsNames, string(name)) +@@ -404,14 +408,9 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string + return errors.New("x509: SAN uniformResourceIdentifier is malformed") + } + uri, err := url.Parse(uriStr) +- if err != nil { ++ if err != nil || (err == nil && uri.Host != "" && !domainNameValid(uri.Host, false)) { + return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) + } +- if len(uri.Host) > 0 { +- if _, ok := domainToReverseLabels(uri.Host); !ok { +- return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) +- } +- } + uris = append(uris, uri) + case nameTypeIP: + switch len(data) { +@@ -551,15 +550,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain +- // itself, but that's not valid in a +- // normal domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) + } + dnsNames = append(dnsNames, domain) +@@ -600,12 +591,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } else { +- // Otherwise it's a domain name. +- domain := constraint +- if len(domain) > 0 && domain[0] == '.' { +- domain = domain[1:] +- } +- if _, ok := domainToReverseLabels(domain); !ok { ++ if !domainNameValid(constraint, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) + } + } +@@ -621,15 +607,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) + } + +- trimmedDomain := domain +- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { +- // constraints can have a leading +- // period to exclude the domain itself, +- // but that's not valid in a normal +- // domain name. +- trimmedDomain = trimmedDomain[1:] +- } +- if _, ok := domainToReverseLabels(trimmedDomain); !ok { ++ if !domainNameValid(domain, true) { + return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) + } + uriDomains = append(uriDomains, domain) +@@ -1011,3 +989,40 @@ func ParseCertificates(der []byte) ([]*Certificate, error) { + } + return certs, nil + } ++ ++// domainNameValid does minimal domain name validity checking. In particular it ++// enforces the following properties: ++// - names cannot have the trailing period ++// - names can only have a leading period if constraint is true ++// - names must be <= 253 characters ++// - names cannot have empty labels ++// - names cannot labels that are longer than 63 characters ++// ++// Note that this does not enforce the LDH requirements for domain names. ++func domainNameValid(s string, constraint bool) bool { ++ if len(s) == 0 && constraint { ++ return true ++ } ++ if len(s) == 0 || (!constraint && s[0] == '.') || s[len(s)-1] == '.' || len(s) > 253 { ++ return false ++ } ++ lastDot := -1 ++ if constraint && s[0] == '.' { ++ s = s[1:] ++ } ++ ++ for i := 0; i <= len(s); i++ { ++ if i == len(s) || s[i] == '.' { ++ labelLen := i ++ if lastDot >= 0 { ++ labelLen -= lastDot + 1 ++ } ++ if labelLen == 0 || labelLen > 63 { ++ return false ++ } ++ lastDot = i ++ } ++ } ++ ++ return true ++} +diff --git a/src/crypto/x509/parser_test.go b/src/crypto/x509/parser_test.go +index d7cf7ea..95ed116 100644 +--- a/src/crypto/x509/parser_test.go ++++ b/src/crypto/x509/parser_test.go +@@ -5,6 +5,7 @@ package x509 + + import ( + "encoding/asn1" ++ "strings" + "testing" + + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" +@@ -100,3 +101,45 @@ func TestParseASN1String(t *testing.T) { + }) + } + } ++ ++func TestDomainNameValid(t *testing.T) { ++ for _, tc := range []struct { ++ name string ++ dnsName string ++ constraint bool ++ valid bool ++ }{ ++ {"empty name, name", "", false, false}, ++ {"empty name, constraint", "", true, true}, ++ {"empty label, name", "a..a", false, false}, ++ {"empty label, constraint", "a..a", true, false}, ++ {"period, name", ".", false, false}, ++ {"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?) ++ {"valid, name", "a.b.c", false, true}, ++ {"valid, constraint", "a.b.c", true, true}, ++ {"leading period, name", ".a.b.c", false, false}, ++ {"leading period, constraint", ".a.b.c", true, true}, ++ {"trailing period, name", "a.", false, false}, ++ {"trailing period, constraint", "a.", true, false}, ++ {"bare label, name", "a", false, true}, ++ {"bare label, constraint", "a", true, true}, ++ {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false}, ++ {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false}, ++ {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false}, ++ {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false}, ++ {"64 char single label, name", strings.Repeat("a", 64), false, false}, ++ {"64 char single label, constraint", strings.Repeat("a", 64), true, false}, ++ {"63 char single label, name", strings.Repeat("a", 63), false, true}, ++ {"63 char single label, constraint", strings.Repeat("a", 63), true, true}, ++ {"64 char label, name", "a." + strings.Repeat("a", 64), false, false}, ++ {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false}, ++ {"63 char label, name", "a." + strings.Repeat("a", 63), false, true}, ++ {"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true}, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ if tc.valid != domainNameValid(tc.dnsName, tc.constraint) { ++ t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid) ++ } ++ }) ++ } ++} +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 3e95808..fb2f4b2 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -357,6 +357,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + // domainToReverseLabels converts a textual domain name like foo.example.com to + // the list of labels in reverse order, e.g. ["com", "example", "foo"]. + func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { ++ reverseLabels = make([]string, 0, strings.Count(domain, ".")+1) + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) +-- +2.40.0 + From patchwork Tue Dec 2 15:09:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75730 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6DEDD116F9 for ; Tue, 2 Dec 2025 15:10:01 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9921.1764688195056653886 for ; Tue, 02 Dec 2025 07:09:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=FcW6ZZ3E; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-7b9387df58cso8915774b3a.3 for ; Tue, 02 Dec 2025 07:09:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688194; x=1765292994; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=sVdkDLx9WHPbIp+eBVPjfzgzSczMtptBN+9P+4BY12A=; b=FcW6ZZ3End7Jowh5Pxrh4HbKP26T1gF3/Q+PyfJr5nqOSLUNBJXVlgOHS/eudaysaJ ibmvdszEmRa1a18NZp7DyIMVOjECEm/XBpy511McNNQdD1tCjf+TwnkdJitP0Mr6AW6w 6RRHoGPW0Ik1rPdcZfFnv9evbJS2UpHIDeIK7vdvH4MVi/NXLt4RNJ7m0QfT9WuluIJ1 aBUKd4vww9FefOr3VTKQP8OGvjtSRGVdwoUE2VGn21Cc6i1W7eLgbsRPf64UWylWJ9YV zCTHdzj2vBiA0rzpjDZVhsoVPm5ESD6ppLgwTpw85dJb8nccevQw1L0yMkyIm4WrZLQH gofg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688194; x=1765292994; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=sVdkDLx9WHPbIp+eBVPjfzgzSczMtptBN+9P+4BY12A=; b=WjFbQ6d4T/PzNjqSH43KIopKvfTODm/JDHP6fTM3rU6k44PDtpuL4LSvMhyjtBNbSq Xn/6vbDHrzyAkA2vBhPuVcwoh/X1mqJutouQEeG7UnbYArIN5/j6InJLY1QZkAfKISTf aulOUakUQenVhf1f/jV8sEzzgh7tKYJGD+CqH91JPidjJdEbfcDoOhj5xhH0yMWpn1WY JL+yLZuYU5wHT8r7WY5b2qg+PrE6Xo336YxVwpQs3Np25aEFJ1smVKWeAd1Br4SksneD ym9q25hC2SJPIstI80eb+ymx5tE8TGuF5SJWPpDXe/1wrT5Sjw+M9fjpKzxes87BZ3gT fIOQ== X-Gm-Message-State: AOJu0Yy5vT3fuDd6hdzc1ZpN3agCVChsiD3qzObL1G6q6fp2IjQKFC4W ynbnOrm4CvM5e2+qIqNpLd14vjkhvyMTefJ5UNiKlHSEXfSgqJ740UgXuyk5gfxGknNEHNbn49i 7qYIt X-Gm-Gg: ASbGncvcGfafAgffD+5sOWSPNEPv29Jl2u9pLACC0nT2sHR2Uv9LgySs70FkTJt73An Z51gpvzY4KfZANJ+UE6I9ocLMGAfaMJYCIT+/mIU7bYe7TJs+Wr1LsXyV3qLRmz6Iwcma/C5jap WBoB4Ixqd04koD/C3U7HhqOPrFt4YqagWeH724x+ioykctGn18cyuBM2adyXmE9ihSzymVg+0ux CTx3cSvxMNQs06NLanNRla9Wn3D3w8birExIW8EXcMsXwkXsOBUVHp4xB8aBgDOroREYJch1no0 UnFtPsOHGoUrts/yeGLTYMlQixsMqckrTQHJSitdLwlC2CsadCL36SO8dw+TuA5/Zqwoj10bCQy v9vYxyoJ9+7TgO+0qfMSsPZkXOQ+upOMxW0yIDjpOIv4aYDQydsLygJ6PQ8JQBITHvVbS6kS2SC vbQA== X-Google-Smtp-Source: AGHT+IGTS+HOqIFTFi2I2NabmlMphOsH4hx3XL5CX30aOxmHO2QeZhMH9RfD7KWrzxlXJnsuSpQZOw== X-Received: by 2002:a05:6a00:3cd0:b0:7b8:83fe:7d7b with SMTP id d2e1a72fcca58-7ca8975eed8mr34417934b3a.15.1764688194239; Tue, 02 Dec 2025 07:09:54 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:53 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/10] go: fix CVE-2025-58189 Date: Tue, 2 Dec 2025 07:09:30 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:10:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227166 From: Archana Polampalli When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-58189.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c5aa3f9786..61fee12cf9 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -70,6 +70,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-47906.patch \ file://CVE-2024-24783.patch \ file://CVE-2025-58187.patch \ + file://CVE-2025-58189.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch new file mode 100644 index 0000000000..835f071733 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch @@ -0,0 +1,51 @@ +From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 29 Sep 2025 10:11:56 -0700 +Subject: [PATCH] crypto/tls: quote protocols in ALPN error message + +Quote the protocols sent by the client when returning the ALPN +negotiation error message. + +Fixes CVE-2025-58189 +Updates #75652 +Fixes #75660 + +Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330 +Reviewed-on: https://go-review.googlesource.com/c/go/+/707776 +Auto-Submit: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-by: Nicholas Husin +Auto-Submit: Nicholas Husin +Reviewed-by: Nicholas Husin +TryBot-Bypass: Roland Shoemaker +Reviewed-by: Daniel McCarney +(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19) +Reviewed-on: https://go-review.googlesource.com/c/go/+/708096 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-58189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9] + +Signed-off-by: Archana Polampalli +--- + src/crypto/tls/handshake_server.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 4e84aa9..17b6891 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro + if http11fallback { + return "", nil + } +- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) ++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos) + } + + // supportsECDHE returns whether ECDHE key exchanges can be used with this +-- +2.40.0 + From patchwork Tue Dec 2 15:09:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75729 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C4C2D116F6 for ; Tue, 2 Dec 2025 15:10:01 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9665.1764688197525487986 for ; Tue, 02 Dec 2025 07:09:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=I55A/V7X; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-7b8bbf16b71so6823153b3a.2 for ; Tue, 02 Dec 2025 07:09:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688197; x=1765292997; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=G49MjZ/BoBQrjeY4WMc2r6r5hN/XFJxCl/1Cox2wVA8=; b=I55A/V7XdnhcR5RIZVO/G6ASKfPtJs8Gz2Mv+P2HO7uzRLxjfkJfh/+ikuzOLHtTC9 /EtviYU1lNTStUdPW7bpGbkkQHYNpFHbaPt9FOVIRmAgQaU2Wrpuyw4biXTI51Wcr68Q MFn0qX/d9nAy/mZiuuz7vuoTuHDRbO7FrhUl045UkbdiU6OA+HfEtEepPM3rid3XiiZz bP2uL9PyaGtgEwCfDvPFEiGHxtux+aNw7XsT2y6pvoCJs4amzh2MmsEioimQ0/o2O6Q2 4/x3ZizVvqsk6LLN00aNh7Ckrt4PMfs3LVQ751CK1QmFWuv3n8+Vv+zUdqHO5/DWNBuN oP6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688197; x=1765292997; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=G49MjZ/BoBQrjeY4WMc2r6r5hN/XFJxCl/1Cox2wVA8=; b=emVz+TE2AwZ6Nf2Jvp3X45Di0rvcyjCp+YgKZlwa21+X7MClI2p3B7/K8WjYUL/rLy tN1NR9aFeV7zR6J4d+magkkl0B8UyhSt+STsq1m+LowqNtrlFLl0oPcYnAWRRV1JMWHi SeCRIXkkZYOVzoF6TPCaQeZBjN1MP748+sDriJc4J9iMBnpptOz/XqZ11PrZ849QRqMu S3efVDivXFpc4a7rBy6VyFFpqJxilg6PszJBExppeqCRV/5irfqPqE+8HW9HKKapmH+D /WfA7R8i6PkJodSeJARkuagsXAaqRMaMnfTe+H6N/Nd3KfF5JqMy05iS5aMV9z43kaMF kkLw== X-Gm-Message-State: AOJu0YyuOSDE5F36SL/LxQApZYhimtMj0UNu/BuXrqR1acbV5DEVkUpJ 4l6SPVEPGAMVXDovtMziUdhxiDA43ntovRBHBfi2RtF0qPJC2+TnCGEeNnnj36qB+35mNeG3m4T xAzQT X-Gm-Gg: ASbGncsfHJMnPDFJCcqthkW/ZyHOETlCNrlWyVGDHbTAYNh8JUQU/DoIAaMk0z0xT/X Wq3+Uyf1PwOxdh8oPuCk+EG3LdhaPqiNL+ZbZfsgscmkIfVwYDRJbZqdPNI31KP1D+VvdkiH/KR lkj/IUQP2c78ohWAag0PNdnxw96Z9fVYNMNI2G/+52nNHzKfHUzgCNL3KIpcAz5lKGfCDNIt74K WiWpuMy1xC9oECm/7oVWpTVU/hq8x7ZGbMHF0+1btSSkn5q4sLACU1OFOhM4/ZbVIr832iaBbNS 0eUP4jmItRKr+4H9FIdGUmuKiI0QHtSXGkX0pD23CwoCY4tCrc0oZxEvRQw0MaC7KyaTSN64wqi kCcMVqrsvSghoe7bpRmpWtWzAaM6b4L7+1UDV0trMIpDTxdBqpY9kEc7KO+gYzXucbx/Rdc/zwB G7vpVZDoOll1MV X-Google-Smtp-Source: AGHT+IFN4iTIBo30oLfm+kbDp+8JydZv/uQk//1GsGWJANqlq/9N2i7aRjIcldpzbkQUYNyUKWonPw== X-Received: by 2002:a05:6a20:4306:b0:342:44f3:d1bc with SMTP id adf61e73a8af0-3614ed922b6mr47880550637.35.1764688196056; Tue, 02 Dec 2025 07:09:56 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:55 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/10] go: fix CVE-2025-61723 Date: Tue, 2 Dec 2025 07:09:31 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:10:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227167 From: Archana Polampalli The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-61723.patch | 221 ++++++++++++++++++ 2 files changed, 222 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 61fee12cf9..b621fb189c 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -71,6 +71,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2024-24783.patch \ file://CVE-2025-58187.patch \ file://CVE-2025-58189.patch \ + file://CVE-2025-61723.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch new file mode 100644 index 0000000000..8c838a6d8a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch @@ -0,0 +1,221 @@ +From 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 30 Sep 2025 11:16:56 -0700 +Subject: [PATCH] encoding/pem: make Decode complexity linear Because Decode + scanned the input first for the first BEGIN line, and then the first END + line, the complexity of Decode is quadratic. If the input contained a large + number of BEGINs and then a single END right at the end of the input, we + would find the first BEGIN, and then scan the entire input for the END, and + fail to parse the block, so move onto the next BEGIN, scan the entire input + for the END, etc. + +Instead, look for the first END in the input, and then the first BEGIN +that precedes the found END. We then process the bytes between the BEGIN +and END, and move onto the bytes after the END for further processing. +This gives us linear complexity. + +Fixes CVE-2025-61723 +For #75676 +Fixes #75708 + +Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921 +Reviewed-by: Nicholas Husin +Reviewed-by: Damien Neil +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986 +Reviewed-on: https://go-review.googlesource.com/c/go/+/709842 +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt +Reviewed-by: Carlos Amedee + +CVE: CVE-2025-61723 + +Upstream-Status: Backport [https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2] + +Signed-off-by: Archana Polampalli +--- + src/encoding/pem/pem.go | 67 +++++++++++++++++++----------------- + src/encoding/pem/pem_test.go | 13 +++---- + 2 files changed, 43 insertions(+), 37 deletions(-) + +diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go +index 1bee1c1..01bed75 100644 +--- a/src/encoding/pem/pem.go ++++ b/src/encoding/pem/pem.go +@@ -35,7 +35,7 @@ type Block struct { + // line bytes. The remainder of the byte array (also not including the new line + // bytes) is also returned and this will always be smaller than the original + // argument. +-func getLine(data []byte) (line, rest []byte) { ++func getLine(data []byte) (line, rest []byte, consumed int) { + i := bytes.IndexByte(data, '\n') + var j int + if i < 0 { +@@ -47,7 +47,7 @@ func getLine(data []byte) (line, rest []byte) { + i-- + } + } +- return bytes.TrimRight(data[0:i], " \t"), data[j:] ++ return bytes.TrimRight(data[0:i], " \t"), data[j:], j + } + + // removeSpacesAndTabs returns a copy of its input with all spaces and tabs +@@ -88,19 +88,29 @@ func Decode(data []byte) (p *Block, rest []byte) { + // the byte array, we'll accept the start string without it. + rest = data + for { +- if bytes.HasPrefix(rest, pemStart[1:]) { +- rest = rest[len(pemStart)-1:] +- } else if i := bytes.Index(rest, pemStart); i >= 0 { +- rest = rest[i+len(pemStart) : len(rest)] +- } else { ++ // Find the first END line, and then find the last BEGIN line before ++ // the end line. This lets us skip any repeated BEGIN lines that don't ++ // have a matching END. ++ endIndex := bytes.Index(rest, pemEnd) ++ if endIndex < 0 { + return nil, data + } +- ++ endTrailerIndex := endIndex + len(pemEnd) ++ beginIndex := bytes.LastIndex(rest[:endIndex], pemStart[1:]) ++ if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' { ++ return nil, data ++ } ++ rest = rest[beginIndex+len(pemStart)-1:] ++ endIndex -= beginIndex + len(pemStart) - 1 ++ endTrailerIndex -= beginIndex + len(pemStart) - 1 + var typeLine []byte +- typeLine, rest = getLine(rest) ++ var consumed int ++ typeLine, rest, consumed = getLine(rest) + if !bytes.HasSuffix(typeLine, pemEndOfLine) { + continue + } ++ endIndex -= consumed ++ endTrailerIndex -= consumed + typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)] + + p = &Block{ +@@ -114,7 +124,7 @@ func Decode(data []byte) (p *Block, rest []byte) { + if len(rest) == 0 { + return nil, data + } +- line, next := getLine(rest) ++ line, next, consumed := getLine(rest) + + i := bytes.IndexByte(line, ':') + if i == -1 { +@@ -127,21 +137,13 @@ func Decode(data []byte) (p *Block, rest []byte) { + val = bytes.TrimSpace(val) + p.Headers[string(key)] = string(val) + rest = next ++ endIndex -= consumed ++ endTrailerIndex -= consumed + } + +- var endIndex, endTrailerIndex int +- +- // If there were no headers, the END line might occur +- // immediately, without a leading newline. +- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) { +- endIndex = 0 +- endTrailerIndex = len(pemEnd) - 1 +- } else { +- endIndex = bytes.Index(rest, pemEnd) +- endTrailerIndex = endIndex + len(pemEnd) +- } +- +- if endIndex < 0 { ++ // If there were headers, there must be a newline between the headers ++ // and the END line, so endIndex should be >= 0. ++ if len(p.Headers) > 0 && endIndex < 0 { + continue + } + +@@ -161,21 +163,24 @@ func Decode(data []byte) (p *Block, rest []byte) { + } + + // The line must end with only whitespace. +- if s, _ := getLine(restOfEndLine); len(s) != 0 { ++ if s, _, _ := getLine(restOfEndLine); len(s) != 0 { + continue + } + +- base64Data := removeSpacesAndTabs(rest[:endIndex]) +- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) +- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) +- if err != nil { +- continue ++ p.Bytes = []byte{} ++ if endIndex > 0 { ++ base64Data := removeSpacesAndTabs(rest[:endIndex]) ++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data))) ++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data) ++ if err != nil { ++ continue ++ } ++ p.Bytes = p.Bytes[:n] + } +- p.Bytes = p.Bytes[:n] + + // the -1 is because we might have only matched pemEnd without the + // leading newline if the PEM block was empty. +- _, rest = getLine(rest[endIndex+len(pemEnd)-1:]) ++ _, rest, _ = getLine(rest[endIndex+len(pemEnd)-1:]) + return p, rest + } + } +diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go +index c94b5ca..a326f9b 100644 +--- a/src/encoding/pem/pem_test.go ++++ b/src/encoding/pem/pem_test.go +@@ -34,7 +34,7 @@ var getLineTests = []GetLineTest{ + + func TestGetLine(t *testing.T) { + for i, test := range getLineTests { +- x, y := getLine([]byte(test.in)) ++ x, y, _ := getLine([]byte(test.in)) + if string(x) != test.out1 || string(y) != test.out2 { + t.Errorf("#%d got:%+v,%+v want:%s,%s", i, x, y, test.out1, test.out2) + } +@@ -46,6 +46,7 @@ func TestDecode(t *testing.T) { + if !reflect.DeepEqual(result, certificate) { + t.Errorf("#0 got:%#v want:%#v", result, certificate) + } ++ + result, remainder = Decode(remainder) + if !reflect.DeepEqual(result, privateKey) { + t.Errorf("#1 got:%#v want:%#v", result, privateKey) +@@ -68,7 +69,7 @@ func TestDecode(t *testing.T) { + } + + result, remainder = Decode(remainder) +- if result == nil || result.Type != "HEADERS" || len(result.Headers) != 1 { ++ if result == nil || result.Type != "VALID HEADERS" || len(result.Headers) != 1 { + t.Errorf("#5 expected single header block but got :%v", result) + } + +@@ -381,15 +382,15 @@ ZWAaUoVtWIQ52aKS0p19G99hhb+IVANC4akkdHV4SP8i7MVNZhfUmg== + + # This shouldn't be recognised because of the missing newline after the + headers. +------BEGIN HEADERS----- ++-----BEGIN INVALID HEADERS----- + Header: 1 +------END HEADERS----- ++-----END INVALID HEADERS----- + + # This should be valid, however. +------BEGIN HEADERS----- ++-----BEGIN VALID HEADERS----- + Header: 1 + +------END HEADERS-----`) ++-----END VALID HEADERS-----`) + + var certificate = &Block{Type: "CERTIFICATE", + Headers: map[string]string{}, +-- +2.40.0 + From patchwork Tue Dec 2 15:09:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75731 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4722D11700 for ; Tue, 2 Dec 2025 15:10:01 +0000 (UTC) Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9923.1764688199604400918 for ; Tue, 02 Dec 2025 07:09:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=si7myve5; spf=softfail (domain: sakoman.com, ip: 209.85.210.173, mailfrom: steve@sakoman.com) Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-7aa2170adf9so4720978b3a.0 for ; Tue, 02 Dec 2025 07:09:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688199; x=1765292999; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8pR+tOxR9Seg/opEM/qlPdmKbj0O/E6so1B/TfnmI48=; b=si7myve5nyPT5YY+4d4d4/KLLVQHOlBdWUfEtUeOPRmbAO+aM1imFGgIOJhrqWolil WoN/XQYceuYLT3MNCMWdrHHDQY6x1X4d9E88sQASMf8Czdhfn9mAx1HZAZFrcxW3nw2g LF46H0BlpG61ruJpxAaUaXrQ77ergdJX+wTh7gctM91k1HnoSxd9zEfhJePef64DFVHQ Mci+Rhv8svIDusqfqEex/C/fplvicDI+V7HKehLnz43+kvvqaoHGA4lVnENQeDBwzWdF JUMSlnivjm8+gmtNHKTaXYi16sbdTQE0RG5S8uknVf4z3UJEzppmqQ89YBk+XS/16WLo +Ivg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688199; x=1765292999; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=8pR+tOxR9Seg/opEM/qlPdmKbj0O/E6so1B/TfnmI48=; b=iEvqE70TgCN13Cz42e6lHwKu441DSC2vjeLpVLdcm2tx2JptMDn0ji3RKui6w8iKRr UOmx2ml+tVmgDI7EszRck56MGs47dJnVw7teICaemReYCevty/3iIR6GHZeFk7JiFw8k ePsJQsJa/CW1mHL7pHtso7DU4R1YGQK/k+wkdfVW1icxrlXCJVRxVViYMqfqZxx0kJ9j ytq5NQB6w2O06AOpbAjsI0K2mJKnyv/FXt6fY/v2nGifK0vPC702myXfH8n1F2okOd9b Iock+rSW7xASNdsnwbAdcPSmt/ujw6KTzLYxMmVNFaQfcCj/4hocDgbNdZvspZqEQnO0 3kOg== X-Gm-Message-State: AOJu0YwNfSUhj61ZgsLrK5rR1IVZvRsLBjA5EPstuNYTZpqIVrPSbFtM VNVoX/zRh1SDmD9kwli6UtpI3dmno1Lw2a70H5f8VgM6PKnl1QGC+GDCrR7mDCyi794HUh/eaRY 7k0Xt X-Gm-Gg: ASbGnct/jGg0Q2q4smxro0Ec68v8jIU87skLNziN0bGOsK/tJQZzQWmw7G38Yeqyy1m 2std7/mtUdz9mMbPOgnXXpQw4yrT9hJSYgN+6BQWJLvUgPO0WV8e0cvsv/Q/LhV7ku5VrS6fGXS ZjrxQ8pg+Vu5EAP11FVK4UtzYNEig/b6w+HlFcXMJRkAxiXGdFuIiEy2e5VW2JQZnfuMmaIbh8v EsEEwc/grKcphXr8TVLzPWfft4dBNHhLTcp8f7J81/jlYUGtw+Vj1301EHAhnwfZTR7CKyGTjlg d/8czPbYIzWPnQyS9j97XsvV8mwoukOfRVwP9nXeysXglSk6+G+IXUpatbHCyoFdY92loJRLJnF w7IgNRBH9vE5ItrxiZ+4b1A4/jGZ5WAnmfv+MqIqUw5RUMD96Uqb1vyPev8wSL83AWFtphSI5eR Qhng== X-Google-Smtp-Source: AGHT+IG+K3ht3O61koIU732cvtjuOG8LBFv2c/euCHSc/kameZ2CeYc4PawJUOcNZ7u4BenBapJB1g== X-Received: by 2002:a05:6a00:853:b0:7b8:9da6:146c with SMTP id d2e1a72fcca58-7ca88e8dfb5mr31868470b3a.4.1764688198514; Tue, 02 Dec 2025 07:09:58 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.09.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:09:58 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/10] go: fix CVE-2025-61724 Date: Tue, 2 Dec 2025 07:09:32 -0800 Message-ID: <188dbac037809d6e8f0e1667f563fea997ea04b8.1764688054.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:10:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227168 From: Archana Polampalli The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2025-61724.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index b621fb189c..bb5e839950 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -72,6 +72,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \ file://CVE-2025-58187.patch \ file://CVE-2025-58189.patch \ file://CVE-2025-61723.patch \ + file://CVE-2025-61724.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch new file mode 100644 index 0000000000..8c63022909 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch @@ -0,0 +1,74 @@ +From a402f4ad285514f5f3db90516d72047d591b307a Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 30 Sep 2025 15:11:16 -0700 +Subject: [PATCH] net/textproto: avoid quadratic complexity in + Reader.ReadResponse Reader.ReadResponse constructed a response string from + repeated string concatenation, permitting a malicious sender to cause + excessive memory allocation and CPU consumption by sending a response + consisting of many short lines. + +Use a strings.Builder to construct the string instead. + +Thanks to Jakub Ciolek for reporting this issue. + +Fixes CVE-2025-61724 +For #75716 +Fixes #75717 + +Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 +Reviewed-by: Roland Shoemaker +Reviewed-by: Nicholas Husin +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2980 +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/709837 +Reviewed-by: Carlos Amedee +TryBot-Bypass: Michael Pratt +Auto-Submit: Michael Pratt + +CVE: CVE-2025-61724 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a] + +Signed-off-by: Archana Polampalli +--- + src/net/textproto/reader.go | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 3ac4d4d..a996257 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -288,8 +288,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err + // An expectCode <= 0 disables the check of the status code. + // + func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) { +- code, continued, message, err := r.readCodeLine(expectCode) ++ code, continued, first, err := r.readCodeLine(expectCode) + multi := continued ++ var messageBuilder strings.Builder ++ messageBuilder.WriteString(first) + for continued { + line, err := r.ReadLine() + if err != nil { +@@ -300,12 +302,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err + var moreMessage string + code2, continued, moreMessage, err = parseCodeLine(line, 0) + if err != nil || code2 != code { +- message += "\n" + strings.TrimRight(line, "\r\n") ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n")) + continued = true + continue + } +- message += "\n" + moreMessage ++ messageBuilder.WriteByte('\n') ++ messageBuilder.WriteString(moreMessage) + } ++ message = messageBuilder.String() + if err != nil && multi && message != "" { + // replace one line error message with all lines (full message) + err = &Error{code, message} +-- +2.40.0 + From patchwork Tue Dec 2 15:09:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75732 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC5EBD116F6 for ; Tue, 2 Dec 2025 15:10:11 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9926.1764688203761543038 for ; Tue, 02 Dec 2025 07:10:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=DIJuRVBb; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-7aace33b75bso5324099b3a.1 for ; Tue, 02 Dec 2025 07:10:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764688203; x=1765293003; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=sX/ai9mPh3CNPfpJj4yE7q3AzBon+d7NIjBo2EMIrq8=; b=DIJuRVBbfwrs3ThoEFQSTQD+SVWl3N/8c3sgehmSoEXavyEsa7Doaa3EEN2D2VTzgM 2+Ps2rl4sy+a7DcTZBzsrsPpcN11vwTrllY2SntDQ5Ir45DRendnT2cMWnHuMmnV2ZTg U43jEj3JFqkPTrR8s91n6v01izBpCIOWCSQ8D4OyI/2gjjhpT8OGylqhNK3bZ9WKRJ2A oeyjEQRyxX4yRR2ZriPEBfI27NVzWX3QADG1fZeMlieCHgZj4g/b78/9ewh7KSPD6gPf LsEedM+ScTTklGHf6BDWfSFGgVDYDRIws5X/PRX7qwf2ASmfLyYYeY+F3zphnO1Hjvus eapg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764688203; x=1765293003; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=sX/ai9mPh3CNPfpJj4yE7q3AzBon+d7NIjBo2EMIrq8=; b=J0hWrTxSvdiAbMby9Bx4aRuv1nk3tgWM5WthFJc4cIOAd0HT9X/Ft73+60i3u579hi QNpVtkumAGtQtlpjXwEa/wwbLsnn08twPn/TWKucQoTpwjonGQIHe1gH92rpJ4syu+54 K4aQA2D9UbXG9Foj0AcMyzM8Rl+G6pXpSw068yguOnV9OUb7Bho7OiK6/na7xsfuFINd Dnk/jZEgzpqiw635xGxUUSi+zeyHUJp38yxOfyDvTu25ObL3/OQakudH52XRMaKMT6zx ScNYVTsk99Wp7Gp4/YN2D3VsIhzBoN5JQ2IvZTcp6MzchAy51xNNkFhgV/a/J8zgkqtI OB1w== X-Gm-Message-State: AOJu0YzRJsZW6tRsh1Q33QtLu/uA5UusQjR4aMEQRgfVEI2IeOLbPBw9 tpIPC8dIJJegzGsJqqtsC1HKJc9I/g+lRZ2DmpSRpeISDR5HzJnAlVQv29rzYg1vgJBxSiTKeOM ZOZ5V X-Gm-Gg: ASbGncsns1WtI3dVbAAOpfQeLhu2V+Hc4bEe09BxPP9gdwf37saB7lXjJMziYq9dkZA uAVfiMiFUIMrIRvaOP1koKVjl47Z6q/kBykDHGc0ZnDAYydocLaqv5jiduVyldWu7hvO+WNLAnf /SmlrqLLlEy9nDr/fMKKzwV2shKvQX5BL/3SM5Dg3PKYCFsmHmOYNtEY9XgsKyAXUveNFAO5ELW MxZRjSfwHdhpjg2KIlajLIy3nFQZ2vNQd2WGCGF/VzPpH0t8VIFs3xBJb18yKtRWvXj1LoPaZIX gsiV50fqZBZ+ExEz7eUzEdnsUO6+Oo5Jl+Uryr5Whi3rShtKiQO3HXtmbIXu8m7RjlPnlP0YMAG OC3gX0fnHEY6CGHHrbDDWoHbc22L+h23/WJs6yePPkEVov7WbjLlw0ra0I17yjn9seN2T2DKX04 BKvA== X-Google-Smtp-Source: AGHT+IHEKJXEHONkaYWkaY80cKGmwMwZ0JnTQ5p8pWkR3M/68mc0TorgCv1HxN/NNdk6S+kJGqJPEg== X-Received: by 2002:a05:6a20:3c8e:b0:35e:6c3:c8d6 with SMTP id adf61e73a8af0-36150f2d90dmr47071430637.41.1764688202782; Tue, 02 Dec 2025 07:10:02 -0800 (PST) Received: from hexa.. ([2602:feb4:3b:2100:b8d9:92cd:3fd4:9b7a]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-7d1516f6621sm17175182b3a.16.2025.12.02.07.10.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 07:10:02 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/10] systemd-bootchart: update SRC_URI branch Date: Tue, 2 Dec 2025 07:09:33 -0800 Message-ID: <80c7fd87fd95a79c6eb5f41b95cf70ccc70d9615.1764688054.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 02 Dec 2025 15:10:11 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/227169 From: Gyorgy Sarvari The branch was renamed from master to main. Signed-off-by: Gyorgy Sarvari Signed-off-by: Steve Sakoman --- .../recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb index bc3eee2093..98237aba65 100644 --- a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb +++ b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb @@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-only & GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c \ file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=main \ file://0001-architecture-Recognise-RISCV-32-RISCV-64.patch \ file://mips64.patch \ file://no_lto.patch \