From patchwork Tue Dec 16 07:13:26 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76572
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 1/4] jasper: patch CVE-2024-31744 Date: Tue, 16 Dec 2025 12:43:26 +0530 Message-ID: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:13:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122676 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2024-31744 Signed-off-by: Ankur Tyagi --- .../jasper/jasper/0001-Fixes-381.patch | 30 +++++++++++++++++++ .../recipes-graphics/jasper/jasper_4.1.2.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-381.patch diff --git a/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-381.patch b/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-381.patch new file mode 100644 index 0000000000..21cf347d18 --- /dev/null +++ b/meta-oe/recipes-graphics/jasper/jasper/0001-Fixes-381.patch 
@@ -0,0 +1,30 @@ +From 0a3bbc33b88a44e03c7d7a2732b80f4e2ed45355 Mon Sep 17 00:00:00 2001 +From: Michael Adams +Date: Fri, 29 Mar 2024 07:57:29 -0700 +Subject: [PATCH] Fixes #381. + +Added a missing check to the jpc_dec_process_sod function of the JPC codec. +Added another image to the test set. + +CVE: CVE-2024-31744 +Upstream-Status: Backport [https://github.com/jasper-software/jasper/commit/6d084c53a77762f41bb5310713a5f1872fef55f5] +Signed-off-by: Ankur Tyagi +--- + src/libjasper/jpc/jpc_dec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libjasper/jpc/jpc_dec.c b/src/libjasper/jpc/jpc_dec.c +index 929f7ae..7e44f05 100644 +--- a/src/libjasper/jpc/jpc_dec.c ++++ b/src/libjasper/jpc/jpc_dec.c +@@ -611,7 +611,9 @@ static int jpc_dec_process_sod(jpc_dec_t *dec, jpc_ms_t *ms) + if (dec->pkthdrstreams) { + /* Get the stream containing the packet header data for this + tile-part. */ +- if (!(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams, 0))) { ++ if (jpc_streamlist_numstreams(dec->pkthdrstreams) != 0 && ++ !(tile->pkthdrstream = jpc_streamlist_remove(dec->pkthdrstreams, ++ 0))) { + return -1; + } + } diff --git a/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb b/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb index 5f6ad067e0..398b3bd05f 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_4.1.2.bb 
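Review bot: in the jpc_dec.c hunk embedded in 0001-Fixes-381.patch, the new guard `jpc_streamlist_numstreams(dec->pkthdrstreams) != 0 &&` turns the empty-list case from a hard `return -1` into a fall-through that leaves `tile->pkthdrstream` unset; the rest of jpc_dec_process_sod is outside this hunk, so confirm against the upstream commit named in Upstream-Status that the later code checks for a missing packet-header stream before using it. Separately, the embedded commit message says "Added another image to the test set", but the backport's diffstat touches only src/libjasper/jpc/jpc_dec.c (1 file changed); either drop that sentence or state in the patch header that the test image was intentionally left out of the backport so the message matches the diff.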
@@ -7,6 +7,7 @@ SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=mas file://0001-Fixes-400.patch \ file://0001-Fixes-401.patch \ file://0001-Fixes-402-403.patch \ + file://0001-Fixes-381.patch \ " SRCREV = "ff633699cb785967a2cb0084d89d56e53c46e416"
From patchwork Tue Dec 16 07:13:27 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76574
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 2/4] libcupsfilters: patch CVE-2025-57812 Date: Tue, 16 Dec 2025 12:43:27 +0530 Message-ID: <20251216071329.3172170-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> References: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:13:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122677 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2025-57812 Signed-off-by: Ankur Tyagi --- .../cups/libcupsfilters/CVE-2025-57812.patch | 129 ++++++++++++++++++ .../cups/libcupsfilters_2.0.0.bb | 1 + 2 files changed, 130 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch diff --git a/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch new file mode 100644 index 0000000000..e6f307b26a --- /dev/null +++ b/meta-oe/recipes-printing/cups/libcupsfilters/CVE-2025-57812.patch 
@@ -0,0 +1,129 @@ +From f62b9dffa58b19d0292c41ba826aad79062e2be6 Mon Sep 17 00:00:00 2001 +From: zdohnal +Date: Mon, 10 Nov 2025 18:58:31 +0100 +Subject: [PATCH] Merge commit from fork + +* Fix heap-buffer overflow write in cfImageLut + +1. fix for CVE-2025-57812 + +* Reject color images with 1 bit per sample + +2. fix for CVE-2025-57812 + +* Reject images where the number of samples does not correspond with the color space + +3. fix for CVE-2025-57812 + +* Reject images with planar color configuration + +4. fix for CVE-2025-57812 + +* Reject images with vertical scanlines + +5. fix for CVE-2025-57812 + +--------- + +Co-authored-by: Till Kamppeter + +CVE: CVE-2025-57812 +Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa] +(cherry picked from commit b69dfacec7f176281782e2f7ac44f04bf9633cfa) +Signed-off-by: Ankur Tyagi +--- + cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 45 insertions(+), 1 deletion(-) + +diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c +index d92cce25..ff0a0fb3 100644 +--- a/cupsfilters/image-tiff.c ++++ b/cupsfilters/image-tiff.c +@@ -41,6 +41,7 @@ _cfImageReadTIFF( + TIFF *tif; // TIFF file + uint32_t width, height; // Size of image + uint16_t photometric, // Colorspace ++ planar, // Color components in separate planes + compression, // Type of compression + orientation, // Orientation + resunit, // Units for resolution +@@ -113,6 +114,15 @@ _cfImageReadTIFF( + return (-1); + } + ++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) && ++ planar == PLANARCONFIG_SEPARATE) ++ { ++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression)) + { + DEBUG_puts("DEBUG: No compression tag in the file!\n"); +@@ -127,6 +137,15 @@ _cfImageReadTIFF( + if (!TIFFGetField(tif, 
TIFFTAG_BITSPERSAMPLE, &bits)) + bits = 1; + ++ if (bits == 1 && samples > 1) ++ { ++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! " ++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + // + // Get the image orientation... + // +@@ -193,6 +212,23 @@ _cfImageReadTIFF( + else + alpha = 0; + ++ // ++ // Check whether number of samples per pixel corresponds with color space ++ // ++ ++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) || ++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4)) ++ { ++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! " ++ "Color space: %s; Samples per pixel: %d\n", ++ (photometric == PHOTOMETRIC_RGB ? "RGB" : ++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")), ++ samples); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + // + // Check the size of the image... + // +@@ -265,6 +301,14 @@ _cfImageReadTIFF( + break; + } + ++ if (orientation >= ORIENTATION_LEFTTOP) ++ { ++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (-1); ++ } ++ + switch (orientation) + { + case ORIENTATION_TOPRIGHT : +@@ -1467,7 +1511,7 @@ _cfImageReadTIFF( + } + + if (lut) +- cfImageLut(out, img->xsize * 3, lut); ++ cfImageLut(out, img->xsize * bpp, lut); + + _cfImagePutRow(img, 0, y, img->xsize, out); + } diff --git a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb index 827172a6a1..9178829611 100644 --- a/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb +++ b/meta-oe/recipes-printing/cups/libcupsfilters_2.0.0.bb 
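Review bot: in the image-tiff.c hunks of CVE-2025-57812.patch, the four new rejection paths disagree on severity and return value: the planar-configuration and sample-count checks print `DEBUG:` and `return (1)`, the 1-bit-colour check prints `ERROR:` and `return (1)`, and the vertical-scanline check prints `ERROR:` and `return (-1)`, which is the value the surrounding missing-tag failures use. This is inherited from upstream and a verbatim backport is the right call, but a caller that treats 1 as "unsupported, try another loader" and -1 as "error" will handle the orientation case differently from the other three, so a sentence in the patch header would stop the next person from "fixing" the mismatch blindly. Also worth stating in the header that the `img->xsize * 3` to `img->xsize * bpp` change in the last hunk is the heap-overflow fix the first bullet refers to (the hard-coded 3 did not match the row size for images whose bpp is not 3), and that the earlier hunks are the input validation around it; that makes the patch much quicker to audit.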
@@ -9,6 +9,7 @@ SRC_URI = " \ https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \ file://0001-use-noexcept-false-instead-of-throw-from-c-17-onward.patch \ file://0001-CVE-2024-47076.patch \ + file://CVE-2025-57812.patch \ " SRC_URI[sha256sum] = "542f2bfbc58136a4743c11dc8c86cee03c9aca705612654e36ac34aa0d9aa601"
From patchwork Tue Dec 16 07:13:28 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76573
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 3/4] flatpak: patch CVE-2024-42472 Date: Tue, 16 Dec 2025 12:43:28 +0530 Message-ID: <20251216071329.3172170-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> References: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:13:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122678 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2024-42472 Signed-off-by: Ankur Tyagi --- .../flatpak/flatpak/CVE-2024-42472_1.patch | 169 ++++++++++++++++++ .../flatpak/flatpak/CVE-2024-42472_2.patch | 44 +++++ .../flatpak/flatpak_1.15.8.bb | 2 + 3 files changed, 215 insertions(+) create mode 100644 meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch create mode 100644 meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch diff --git a/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch new file mode 100644 index 0000000000..c29d9655f1 --- /dev/null +++ b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_1.patch 
@@ -0,0 +1,169 @@ +From 2055273613350df0e6a7fa30d38d4ce6bc8079ca Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Mon, 3 Jun 2024 12:22:30 +0200 +Subject: [PATCH] Don't follow symlinks when mounting persisted directories + +These directories are in a location under application control, so we +can't trust them to not be a symlink outside of the files accessibe to +the application. + +Continue to treat --persist=/foo as --persist=foo for backwards compat, +since this is how it (accidentally) worked before, but print a warning. + +Don't allow ".." elements in persist paths: these would not be useful +anyway, and are unlikely to be in use, however they could potentially +be used to confuse the persist path handling. + +This partially addresses CVE-2024-42472. If only one instance of the +malicious or compromised app is run at a time, the vulnerability +is avoided. If two instances can run concurrently, there is a +time-of-check/time-of-use issue remaining, which can only be resolved +with changes to bubblewrap; this will be resolved in a separate commit, +because the bubblewrap dependency might be more difficult to provide in +LTS distributions. 
+ +Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87 +[smcv: Make whitespace consistent] +[smcv: Use g_warning() if unable to create --persist paths] +[smcv: Use stat() to detect symlinks and warn about them] +Co-authored-by: Simon McVittie +Signed-off-by: Simon McVittie + +CVE: CVE-2024-42472 +Upstream-Status: Backport [https://github.com/flatpak/flatpak/commit/3caeb16c31a3ed62d744e2aaf01d684f7991051a] +(cherry picked from commit 3caeb16c31a3ed62d744e2aaf01d684f7991051a) +Signed-off-by: Ankur Tyagi +--- + common/flatpak-context.c | 109 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 105 insertions(+), 4 deletions(-) + +diff --git a/common/flatpak-context.c b/common/flatpak-context.c +index 297a89ef..98dac5ee 100644 +--- a/common/flatpak-context.c ++++ b/common/flatpak-context.c +@@ -2860,6 +2860,90 @@ flatpak_context_apply_env_appid (FlatpakBwrap *bwrap, + flatpak_bwrap_set_env (bwrap, "HOST_XDG_STATE_HOME", g_getenv ("XDG_STATE_HOME"), TRUE); + } + ++/* This creates zero or more directories unders base_fd+basedir, each ++ * being guaranteed to either exist and be a directory (no symlinks) ++ * or be created as a directory. The last directory is opened ++ * and the fd is returned. 
++ */ ++static gboolean ++mkdir_p_open_nofollow_at (int base_fd, ++ const char *basedir, ++ int mode, ++ const char *subdir, ++ int *out_fd, ++ GError **error) ++{ ++ glnx_autofd int parent_fd = -1; ++ ++ if (g_path_is_absolute (subdir)) ++ { ++ const char *skipped_prefix = subdir; ++ ++ while (*skipped_prefix == '/') ++ skipped_prefix++; ++ ++ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix); ++ subdir = skipped_prefix; ++ } ++ ++ g_autofree char *subdir_dirname = g_path_get_dirname (subdir); ++ ++ if (strcmp (subdir_dirname, ".") == 0) ++ { ++ /* It is ok to open basedir with follow=true */ ++ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error)) ++ return FALSE; ++ } ++ else if (strcmp (subdir_dirname, "..") == 0) ++ { ++ return glnx_throw (error, "'..' not supported in --persist paths"); ++ } ++ else ++ { ++ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode, ++ subdir_dirname, &parent_fd, error)) ++ return FALSE; ++ } ++ ++ g_autofree char *subdir_basename = g_path_get_basename (subdir); ++ ++ if (strcmp (subdir_basename, ".") == 0) ++ { ++ *out_fd = glnx_steal_fd (&parent_fd); ++ return TRUE; ++ } ++ else if (strcmp (subdir_basename, "..") == 0) ++ { ++ return glnx_throw (error, "'..' not supported in --persist paths"); ++ } ++ ++ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error)) ++ return FALSE; ++ ++ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW); ++ if (fd == -1) ++ { ++ int saved_errno = errno; ++ struct stat stat_buf; ++ ++ /* If it's a symbolic link, that could be a user trying to offload ++ * large data to another filesystem, but it could equally well be ++ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87. ++ * Produce a clearer error message in this case. 
++ * Unfortunately the errno we get in this case is ENOTDIR, so we have ++ * to ask again to find out whether it's really a symlink. */ ++ if (saved_errno == ENOTDIR && ++ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 && ++ S_ISLNK (stat_buf.st_mode)) ++ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename); ++ ++ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename); ++ } ++ ++ *out_fd = fd; ++ return TRUE; ++} ++ + void + flatpak_context_append_bwrap_filesystem (FlatpakContext *context, + FlatpakBwrap *bwrap, +@@ -2883,13 +2967,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context, + while (g_hash_table_iter_next (&iter, &key, NULL)) + { + const char *persist = key; +- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL); ++ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL); + g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL); ++ g_autoptr(GError) local_error = NULL; ++ ++ if (g_mkdir_with_parents (appdir, 0755) != 0) ++ { ++ g_warning ("Unable to create directory %s", appdir); ++ continue; ++ } ++ ++ /* Don't follow symlinks from the persist directory, as it is under user control */ ++ glnx_autofd int src_fd = -1; ++ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755, ++ persist, &src_fd, ++ &local_error)) ++ { ++ g_warning ("Failed to create persist path %s: %s", persist, local_error->message); ++ continue; ++ } + +- if (g_mkdir_with_parents (src, 0755) != 0) +- g_info ("Unable to create directory %s", src); ++ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd); + +- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest); ++ flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd)); ++ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest); + } + } + 
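Review bot: in the flatpak_context_append_bwrap_filesystem hunk of CVE-2024-42472_1.patch, both new failure branches (`g_mkdir_with_parents` failing and `mkdir_p_open_nofollow_at` failing) `g_warning` and `continue`, so the app is launched with that persisted directory not bound at all, whereas the removed code added the `--bind` regardless of whether mkdir succeeded. That is the safe direction against a symlinked persist path, but it means anything the app writes to that path inside the sandbox will not persist and the g_warning is the only signal; the recipe commit message should mention the behaviour change so integrators know what a launch-time "Failed to create persist path" warning implies. The `..` handling in mkdir_p_open_nofollow_at looks sound as written: the recursion on `subdir_dirname` means a `..` component anywhere in the path eventually hits one of the two strcmp checks, and the final `openat` with `O_NOFOLLOW` covers a symlink planted between `glnx_shutil_mkdir_p_at` and the open.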
diff --git a/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch new file mode 100644 index 0000000000..ad06b9aa7e --- /dev/null +++ b/meta-oe/recipes-extended/flatpak/flatpak/CVE-2024-42472_2.patch 
@@ -0,0 +1,44 @@ +From dd8a68c126b8f73a58a37353b34ec25179859d79 Mon Sep 17 00:00:00 2001 +From: Alexander Larsson +Date: Tue, 18 Jun 2024 11:31:05 +0200 +Subject: [PATCH] persist directories: Pass using new bwrap --bind-fd option + +Instead of passing a /proc/self/fd bind mount we use --bind-fd, which +has two advantages: + * bwrap closes the fd when used, so it doesn't leak into the started app + * bwrap ensures that what was mounted was the passed in fd (same dev/ino), + as there is a small (required) gap between symlink resolve and mount + where the target path could be replaced. + +Please note that this change requires an updated version of bubblewrap. + +Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87 +[smcv: Make whitespace consistent] +Co-authored-by: Simon McVittie +Signed-off-by: Simon McVittie + +CVE: CVE-2024-42472 +Upstream-Status: Backport [https://github.com/flatpak/flatpak/commit/6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75] +(cherry picked from commit 6bd603f6836e9b38b9b937d3b78f3fbf36e7ff75) +Signed-off-by: Ankur Tyagi +--- + common/flatpak-context.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/flatpak-context.c b/common/flatpak-context.c +index 98dac5ee..24150daa 100644 +--- a/common/flatpak-context.c ++++ b/common/flatpak-context.c +@@ -2987,10 +2987,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context, + continue; + } + +- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd); ++ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd); + + flatpak_bwrap_add_fd (bwrap, g_steal_fd (&src_fd)); +- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest); ++ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest); + } + } + diff --git a/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb b/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb index fba7bc49a4..639027701b 100644 --- a/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb 
+++ b/meta-oe/recipes-extended/flatpak/flatpak_1.15.8.bb 
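Review bot: CVE-2024-42472_2.patch switches the persist bind to `--bind-fd`, and its header states this "requires an updated version of bubblewrap", but nothing in this series bumps or constrains the bubblewrap that scarthgap ships; if that bubblewrap predates `--bind-fd`, flatpak will pass an argument bwrap rejects and every app with a --persist directory will fail to launch. Either confirm the scarthgap bubblewrap version accepts `--bind-fd` and say so in the commit message, or add a version requirement on bubblewrap to the recipe. Dropping _2.patch is not a way out: _1.patch's own header says it only partially addresses the CVE and leaves a time-of-check/time-of-use window that this patch closes.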
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = " \ gitsm://github.com/flatpak/flatpak;protocol=https;branch=main \ file://0001-flatpak-pc-add-pc_sysrootdir.patch \ + file://CVE-2024-42472_1.patch \ + file://CVE-2024-42472_2.patch \ " SRCREV = "925c80f913d69e7ca424428823e1431c4ffb0deb"
From patchwork Tue Dec 16 07:13:29 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76575
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 4/4] editorconfig-core-c: patch CVE-2024-53849 Date: Tue, 16 Dec 2025 12:43:29 +0530 Message-ID: <20251216071329.3172170-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> References: <20251216071329.3172170-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:13:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122679 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849 Signed-off-by: Ankur Tyagi --- .../editorconfig-core-c_0.12.6.bb | 5 +- .../editorconfig/files/CVE-2024-53849_1.patch | 54 +++++++++++++++++++ .../editorconfig/files/CVE-2024-53849_2.patch | 48 +++++++++++++++++ 3 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch create mode 100644 meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch diff --git a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb index 976120b515..2d99ca50ca 100644 --- a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb +++ b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb 
@@ -4,7 +4,10 @@ SECTION = "libs" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca" -SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master" +SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master \ + file://CVE-2024-53849_1.patch \ + file://CVE-2024-53849_2.patch \ +" S = "${WORKDIR}/git" SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53" diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch new file mode 100644 index 0000000000..b3b6c30e5e --- /dev/null +++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch 
@@ -0,0 +1,54 @@ +From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001 +From: Christopher Wellons +Date: Sat, 17 Feb 2024 15:32:25 -0500 +Subject: [PATCH] Fix a few more stack buffer overflows + +Several overflows may occur in switch case '[' when the input pattern +contains many escaped characters. The added backslashes leave too little +space in the output pattern when processing nested brackets such that +the remaining input length exceeds the output capacity. Therefore all +these concatenations must also be checked. + +The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at +capacity, leaving no room for the finishing '$', causing an overflow. + +These overflows were discovered through fuzz testing with afl. + +CVE: CVE-2024-53849 +Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5] +(cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5) +Signed-off-by: Ankur Tyagi +--- + src/lib/ec_glob.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c +index ea62aee..e62af1f 100644 +--- a/src/lib/ec_glob.c ++++ b/src/lib/ec_glob.c +@@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string) + if (!right_bracket) /* The right bracket may not exist */ + right_bracket = c + strlen(c); + +- strcat(p_pcre, "\\"); ++ STRING_CAT(p_pcre, "\\", pcre_str_end); ++ /* Boundary check for strncat below. 
*/ ++ if (pcre_str_end - p_pcre <= right_bracket - c) { ++ return -1; ++ } + strncat(p_pcre, c, right_bracket - c); + if (*right_bracket) /* right_bracket is a bracket */ +- strcat(p_pcre, "\\]"); ++ STRING_CAT(p_pcre, "\\]", pcre_str_end); + p_pcre += strlen(p_pcre); + c = right_bracket; + if (!*c) +@@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string) + } + } + +- *(p_pcre ++) = '$'; ++ ADD_CHAR(p_pcre, '$', pcre_str_end); + + pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */ + diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch new file mode 100644 index 0000000000..304c8acd9d --- /dev/null +++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch 
@@ -0,0 +1,48 @@ +From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001 +From: Christopher Wellons +Date: Sat, 17 Feb 2024 16:01:57 -0500 +Subject: [PATCH] Fix pointer overflow in STRING_CAT + +The end pointer is positioned one past the end of the destination, and +it is undefined behavior to compute an address beyond the end pointer, +including for comparisons, even temporarily. The UB occurs exactly when +buffer overflow would have occurred, so the buffer overflow check could +be optimized away by compilers. Even if this wasn't the case, the check +could produce a false negative if the computed address overflowed the +address space, which is, after all, why the C standard doesn't define +behavior in the first place. + +The fix is simple: Check using sizes, not addresses. The explicit cast +suppresses warnings about signed-unsigned comparisons, and the assertion +checks the cast. + +CVE: CVE-2024-53849 +Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782] +(cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782) +Signed-off-by: Ankur Tyagi +--- + src/lib/ec_glob.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c +index e62af1f..c2b83cf 100644 +--- a/src/lib/ec_glob.c ++++ b/src/lib/ec_glob.c +@@ -27,6 +27,7 @@ + + #include "global.h" + ++#include + #include + #include + #include +@@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL}; + /* concatenate the string then move the pointer to the end */ + #define STRING_CAT(p, string, end) do { \ + size_t string_len = strlen(string); \ +- if (p + string_len >= end) \ ++ assert(end > p); \ ++ if (string_len >= (size_t)(end - p)) \ + return -1; \ + strcat(p, string); \ + p += string_len; \
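Review bot: in the editorconfig-core-c_0.12.6.bb hunk (@@ -4,7 +4,10 @@), the two file:// entries must keep this order: CVE-2024-53849_2.patch's index line (e62af1f..c2b83cf) expects the ec_glob.c produced by CVE-2024-53849_1.patch (ea62aee..e62af1f), because the second patch rewrites the STRING_CAT macro that the first one starts calling in the '[' case. The hunk is correct as written; a short comment above the two entries would keep a later backporter from reordering them.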
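Review bot: in the first ec_glob.c hunk of CVE-2024-53849_1.patch (@@ -192,10 +192,14 @@), the new early `return -1` after the strncat boundary check exits the function the same way a STRING_CAT failure does, so nothing held across the loop is released on that path; the later hunk shows `pcre2_code_free(re)` running only after the loop, so if `re` is live at this point that free is skipped. This matches the existing STRING_CAT error path rather than being a regression of the backport, but it deserves a mention. The check itself is right: strncat writes `right_bracket - c` bytes plus a terminating NUL, so the remaining room `pcre_str_end - p_pcre` must strictly exceed that length, which `<=` enforces.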
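Review bot: in the second ec_glob.c hunk of CVE-2024-53849_1.patch (@@ -339,7 +343,7 @@), ADD_CHAR's definition is not part of the diff; please confirm it also leaves room for the NUL that must follow the `'$'`, since the commit message notes the switch can exit exactly at capacity, and a check that only accounts for the one character would place the terminator one byte past the buffer.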
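Review bot: in the first hunk of CVE-2024-53849_2.patch (@@ -27,6 +27,7 @@), the header name after the added `#include` is absent in the rendered hunk (the angle-bracketed names of the neighbouring includes are gone as well, so this looks like an extraction artifact rather than the patch); the `assert()` introduced in the next hunk requires `<assert.h>`, so verify the patch file in files/ carries it.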
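Review bot: in the STRING_CAT hunk of CVE-2024-53849_2.patch (@@ -51,7 +52,8 @@), `assert(end > p)` is the only guard on the `(size_t)(end - p)` cast and it compiles out under NDEBUG; if `end <= p` ever held, the negative difference would wrap to a large unsigned value and the length check would pass. That cannot occur while `p` only advances by lengths this same check has approved, so the invariant is sound, but a comment stating it (or an explicit `if (end <= p) return -1;`) would keep the intent in release builds. The comparison is otherwise exact: strcat needs `string_len + 1` bytes, so `string_len >= (size_t)(end - p)` is precisely the failing case, and computing `end - p` instead of `p + string_len` stays within the array as the commit message describes.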