From patchwork Tue Dec 16 07:15:32 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76577
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 1/6] civetweb: patch CVE-2025-9648
Date: Tue, 16 Dec 2025 12:45:32 +0530
Message-ID: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122680

From: Ankur Tyagi

Details https://nvd.nist.gov/vuln/detail/CVE-2025-9648

Signed-off-by: Ankur Tyagi
---
 .../civetweb/civetweb/CVE-2025-9648.patch | 254 ++++++++++++++++++
 .../civetweb/civetweb_1.16.bb             |   1 +
 2 files changed, 255 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/civetweb/civetweb/CVE-2025-9648.patch

diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb/CVE-2025-9648.patch b/meta-networking/recipes-connectivity/civetweb/civetweb/CVE-2025-9648.patch
new file mode 100644
index 0000000000..0456203248
--- /dev/null
+++ b/meta-networking/recipes-connectivity/civetweb/civetweb/CVE-2025-9648.patch
@@ -0,0 +1,254 @@ +From 6f10111d24f9f7bdb637bba77c27700ecff56244 Mon Sep 17 00:00:00 2001 +From: bel2125 +Date: Tue, 2 Sep 2025 14:08:41 +0200 +Subject: [PATCH] Make parsing of URL encoded forms more robust + +Reject requests that obviously violate the URL encoding. +Fixes #1348 + +CVE: CVE-2025-9648 +Upstream-Status: Backport [https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133] +(cherry picked from commit 782e18903515f43bafbf2e668994e82bdfa51133) +Signed-off-by: Ankur Tyagi +--- + src/civetweb.c | 7 ++++++- + src/handle_form.inl | 46 +++++++++++++++++++++++++++++++++++++-------- + 2 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/src/civetweb.c b/src/civetweb.c +index 5452b36d..f843300c 100644 +--- a/src/civetweb.c ++++ b/src/civetweb.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2021 the Civetweb developers ++/* Copyright (c) 2013-2025 the Civetweb developers + * Copyright (c) 2004-2013 Sergey Lyubka + * + * Permission is hereby granted, free of charge, to any person obtaining a copy +@@ -7052,6 +7052,7 @@ mg_url_decode(const char *src, + int is_form_url_encoded) + { + int i, j, a, b; ++ + #define HEXTOI(x) (isdigit(x) ? (x - '0') : (x - 'W')) + + for (i = j = 0; (i < src_len) && (j < (dst_len - 1)); i++, j++) { +@@ -7064,11 +7065,15 @@ mg_url_decode(const char *src, + i += 2; + } else if (is_form_url_encoded && (src[i] == '+')) { + dst[j] = ' '; ++ } else if ((unsigned char)src[i] <= ' ') { ++ return -1; /* invalid character */ + } else { + dst[j] = src[i]; + } + } + ++#undef HEXTOI ++ + dst[j] = '\0'; /* Null-terminate the destination */ + + return (i >= src_len) ? 
j : -1; +diff --git a/src/handle_form.inl b/src/handle_form.inl +index be477a05..0ebaf560 100644 +--- a/src/handle_form.inl ++++ b/src/handle_form.inl +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2016-2021 the Civetweb developers ++/* Copyright (c) 2016-2025 the Civetweb developers + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -39,7 +39,7 @@ url_encoded_field_found(const struct mg_connection *conn, + mg_url_decode(key, (int)key_len, key_dec, (int)sizeof(key_dec), 1); + + if (((size_t)key_dec_len >= (size_t)sizeof(key_dec)) || (key_dec_len < 0)) { +- return MG_FORM_FIELD_STORAGE_SKIP; ++ return MG_FORM_FIELD_STORAGE_ABORT; + } + + if (filename) { +@@ -53,7 +53,7 @@ url_encoded_field_found(const struct mg_connection *conn, + || (filename_dec_len < 0)) { + /* Log error message and skip this field. */ + mg_cry_internal(conn, "%s: Cannot decode filename", __func__); +- return MG_FORM_FIELD_STORAGE_SKIP; ++ return MG_FORM_FIELD_STORAGE_ABORT; + } + remove_dot_segments(filename_dec); + +@@ -95,6 +95,7 @@ url_encoded_field_get( + struct mg_form_data_handler *fdh) + { + char key_dec[1024]; ++ int key_dec_len; + + char *value_dec = (char *)mg_malloc_ctx(*value_len + 1, conn->phys_ctx); + int value_dec_len, ret; +@@ -108,7 +109,8 @@ url_encoded_field_get( + return MG_FORM_FIELD_STORAGE_ABORT; + } + +- mg_url_decode(key, (int)key_len, key_dec, (int)sizeof(key_dec), 1); ++ key_dec_len = mg_url_decode( ++ key, (int)key_len, key_dec, (int)sizeof(key_dec), 1); + + if (*value_len >= 2 && value[*value_len - 2] == '%') + *value_len -= 2; +@@ -117,6 +119,11 @@ url_encoded_field_get( + value_dec_len = mg_url_decode( + value, (int)*value_len, value_dec, ((int)*value_len) + 1, 1); + ++ if ((key_dec_len < 0) || (value_dec_len < 0)) { ++ mg_free(value_dec); ++ return MG_FORM_FIELD_STORAGE_ABORT; ++ } ++ + ret = fdh->field_get(key_dec, + value_dec, + (size_t)value_dec_len, +@@ 
-136,9 +143,13 @@ unencoded_field_get(const struct mg_connection *conn, + struct mg_form_data_handler *fdh) + { + char key_dec[1024]; ++ int key_dec_len; + (void)conn; + +- mg_url_decode(key, (int)key_len, key_dec, (int)sizeof(key_dec), 1); ++ key_dec_len = mg_url_decode(key, (int)key_len, key_dec, (int)sizeof(key_dec), 1); ++ if (key_dec_len < 0) { ++ return MG_FORM_FIELD_STORAGE_ABORT; ++ } + + return fdh->field_get(key_dec, value, value_len, fdh->user_data); + } +@@ -188,6 +199,7 @@ mg_handle_form_request(struct mg_connection *conn, + int buf_fill = 0; + int r; + int field_count = 0; ++ int abort_read = 0; + struct mg_file fstore = STRUCT_FILE_INITIALIZER; + int64_t file_size = 0; /* init here, to a avoid a false positive + "uninitialized variable used" warning */ +@@ -278,6 +290,7 @@ mg_handle_form_request(struct mg_connection *conn, + conn, data, (size_t)keylen, val, (size_t *)&vallen, fdh); + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + if (r == MG_FORM_FIELD_HANDLE_NEXT) { +@@ -320,6 +333,7 @@ mg_handle_form_request(struct mg_connection *conn, + r = field_stored(conn, path, file_size, fdh); + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + +@@ -358,6 +372,7 @@ mg_handle_form_request(struct mg_connection *conn, + if ((field_storage & MG_FORM_FIELD_STORAGE_ABORT) + == MG_FORM_FIELD_STORAGE_ABORT) { + /* Stop parsing the request */ ++ abort_read = 1; + break; + } + +@@ -386,7 +401,7 @@ mg_handle_form_request(struct mg_connection *conn, + * Here we use "POST", and read the data from the request body. + * The data read on the fly, so it is not required to buffer the + * entire request in memory before processing it. 
*/ +- for (;;) { ++ while (!abort_read) { + const char *val; + const char *next; + ptrdiff_t keylen, vallen; +@@ -440,6 +455,7 @@ mg_handle_form_request(struct mg_connection *conn, + if ((field_storage & MG_FORM_FIELD_STORAGE_ABORT) + == MG_FORM_FIELD_STORAGE_ABORT) { + /* Stop parsing the request */ ++ abort_read = 1; + break; + } + +@@ -468,6 +484,15 @@ mg_handle_form_request(struct mg_connection *conn, + } else { + vallen = (ptrdiff_t)strlen(val); + end_of_key_value_pair_found = all_data_read; ++ if ((buf + buf_fill) > (val + vallen)) { ++ /* Avoid DoS attacks by having a zero byte in the middle of ++ * a request that is supposed to be URL encoded. Since this ++ * request is certainly invalid, according to the protocol ++ * specification, stop processing it. Fixes #1348 */ ++ abort_read = 1; ++ break; ++ } ++ + } + + if (field_storage == MG_FORM_FIELD_STORAGE_GET) { +@@ -489,6 +514,7 @@ mg_handle_form_request(struct mg_connection *conn, + get_block++; + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + if (r == MG_FORM_FIELD_HANDLE_NEXT) { +@@ -557,7 +583,6 @@ mg_handle_form_request(struct mg_connection *conn, + val = buf; + } + } +- + } while (!end_of_key_value_pair_found); + + #if !defined(NO_FILESYSTEMS) +@@ -568,6 +593,7 @@ mg_handle_form_request(struct mg_connection *conn, + r = field_stored(conn, path, file_size, fdh); + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + } else { +@@ -581,7 +607,7 @@ mg_handle_form_request(struct mg_connection *conn, + } + #endif /* NO_FILESYSTEMS */ + +- if (all_data_read && (buf_fill == 0)) { ++ if ((all_data_read && (buf_fill == 0)) || abort_read) { + /* nothing more to process */ + break; + } +@@ -937,6 +963,7 @@ mg_handle_form_request(struct mg_connection *conn, + get_block++; + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + if (r == MG_FORM_FIELD_HANDLE_NEXT) 
{ +@@ -1011,6 +1038,7 @@ mg_handle_form_request(struct mg_connection *conn, + fdh); + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + if (r == MG_FORM_FIELD_HANDLE_NEXT) { +@@ -1039,6 +1067,7 @@ mg_handle_form_request(struct mg_connection *conn, + r = field_stored(conn, path, file_size, fdh); + if (r == MG_FORM_FIELD_HANDLE_ABORT) { + /* Stop request handling */ ++ abort_read = 1; + break; + } + } else { +@@ -1057,6 +1086,7 @@ mg_handle_form_request(struct mg_connection *conn, + if ((field_storage & MG_FORM_FIELD_STORAGE_ABORT) + == MG_FORM_FIELD_STORAGE_ABORT) { + /* Stop parsing the request */ ++ abort_read = 1; + break; + } + diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb index a546efca7b..0c860f85a3 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb 
@@ -9,6 +9,7 @@ SRCREV = "d7ba35bbb649209c66e582d5a0244ba988a15159" SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ file://0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch \ + file://CVE-2025-9648.patch \ " S = "${WORKDIR}/git"
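Review bot: in the mg_url_decode hunk (@@ -7064,11 +7065,15 @@) the new `return -1; /* invalid character */` leaves before `dst[j] = '\0';` runs, so on rejection dst holds an unterminated partial copy and every caller must honour the negative result; the pre-change url_encoded_field_get and unencoded_field_get ignored it, and mg_url_decode is also an exported API in civetweb.h with other callers. Suggest writing `dst[0] = '\0';` before the early return so a caller that still ignores the result sees an empty string, and a sentence in the mg_url_decode documentation that bytes `<= ' '` (including a literal space or tab) now make the call fail.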
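Review bot: in the url_encoded_field_found hunk at @@ -39,7 +39,7 @@ the key-decode failure now returns MG_FORM_FIELD_STORAGE_ABORT without any log line, while the filename case in the next hunk calls `mg_cry_internal(conn, "%s: Cannot decode filename", __func__)` before aborting; add a matching mg_cry_internal for the key path so an aborted request is visible in the server log, since SKIP to ABORT turns a dropped field into a rejected request and operators will want to see why.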
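Review bot: in the url_encoded_field_get hunk at @@ -117,6 +119,11 @@ key_dec_len is only tested after value_dec has been allocated with mg_malloc_ctx and the value decoded; testing `key_dec_len < 0` directly after the key decode in the @@ -108,7 +109,8 @@ hunk would return MG_FORM_FIELD_STORAGE_ABORT before the allocation and leave the later check to cover value_dec_len alone. The `mg_free(value_dec)` on the abort path is correct as written.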
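Review bot: the `(buf + buf_fill) > (val + vallen)` test in the @@ -468,6 +484,15 @@ hunk relies on `vallen = (ptrdiff_t)strlen(val)` stopping at a zero byte inside the buffered data, which only detects the embedded NUL safely if buf[buf_fill] is itself always NUL-terminated; otherwise strlen can run past buf_fill and the comparison comes out false after reading beyond the filled region. State that invariant in the comment next to the "Fixes #1348" text, or assert `buf[buf_fill] == 0` before the strlen, and consider an mg_cry_internal here too so the rejected request is logged.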
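Review bot: abort_read is set at eleven separate `break` sites but only two loop conditions consult it, `while (!abort_read)` in the @@ -386,7 +401,7 @@ hunk and `|| abort_read` in the @@ -581,7 +607,7 @@ hunk; please confirm that the loops containing the later sites (@@ -937,6 through @@ -1057,6) also terminate on the flag, since a `break` there only leaves the innermost loop. A comment at the `int abort_read = 0;` declaration saying that the flag exists to stop the outer read loop after an inner break would make the pattern clear to the next reader.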
From patchwork Tue Dec 16 07:15:33 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76579
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 2/6] fetchmail: patch CVE-2025-61962
Date: Tue, 16 Dec 2025 12:45:33 +0530
Message-ID: <20251216071537.3174578-2-ankur.tyagi85@gmail.com>
In-Reply-To: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
References: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122681

From: Ankur Tyagi

Details https://nvd.nist.gov/vuln/detail/CVE-2025-61962

Signed-off-by: Ankur Tyagi
---
 .../fetchmail/fetchmail/CVE-2025-61962.patch | 51 +++++++++++++++++++
 .../fetchmail/fetchmail_6.4.38.bb            |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch

diff --git a/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch b/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch
new file mode 100644
index 0000000000..e7555021e4
--- /dev/null
+++ b/meta-networking/recipes-support/fetchmail/fetchmail/CVE-2025-61962.patch
@@ -0,0 +1,51 @@ +From 7860cf0689f8bd828bdd6e7116c6670416ead6d7 Mon Sep 17 00:00:00 2001 +From: Matthias Andree +Date: Fri, 3 Oct 2025 13:11:59 +0200 +Subject: [PATCH] Security fix: avoid NULL+1 deref on invalid AUTH reply + +When fetchmail receives a 334 reply from the SMTP server +that does not contain the mandated blank after that response +code, it will attempt reading from memory location 1, which +will usually lead to a crash. + +The simpler fix would have been to check for four bytes "334 " +instead of three bytes "334" but that would make malformed +replies and those that don't match the expected reply code +indistinguishable. + +CVE: CVE-2025-61962 +Upstream-Status: Backport [https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8] +(cherry picked from commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8) +Signed-off-by: Ankur Tyagi +--- + smtp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/smtp.c b/smtp.c +index 8295c49a..9a89ef09 100644 +--- a/smtp.c ++++ b/smtp.c +@@ -92,6 +92,11 @@ static void SMTP_auth(int sock, char smtp_mode, char *username, char *password, + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + /* (hmh) from64tobits will not NULL-terminate strings! */ + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { +@@ -145,6 +150,11 @@ static void SMTP_auth(int sock, char smtp_mode, char *username, char *password, + } + + p = strchr(tmp, ' '); ++ if (!p) { ++ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp)); ++ SMTP_auth_error(sock, ""); ++ return; ++ } + p++; + if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) { + SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n")); 
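Review bot: the `if (!p)` block added in the @@ -92,6 +92,11 @@ hunk is repeated verbatim in the @@ -145,6 +150,11 @@ hunk; a small static helper, or a single error label reached by goto, would keep the two AUTH reply parsers from drifting apart. `SMTP_auth_error(sock, "")` passes an empty message where the neighbouring error path passes GT_("Bad base64 reply from server.\n"); that is fine only because report() has already printed the malformed line, which deserves a one-line comment. The case where the space is the last byte of tmp is covered: `p++` then points at the terminator and the existing `from64tobits(...) <= 0` check rejects it.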
diff --git a/meta-networking/recipes-support/fetchmail/fetchmail_6.4.38.bb b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.38.bb
index cc23d5a34e..6474cabd51 100644
--- a/meta-networking/recipes-support/fetchmail/fetchmail_6.4.38.bb
+++ b/meta-networking/recipes-support/fetchmail/fetchmail_6.4.38.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ee6b9f41d9324434dd11bd8a38f1b044" DEPENDS = "openssl" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.xz \ + file://CVE-2025-61962.patch \ " SRC_URI[sha256sum] = "a6cb4ea863ac61d242ffb2db564a39123761578d3e40d71ce7b6f2905be609d9"
From patchwork Tue Dec 16 07:15:34 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76578
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 3/6] unbound: patch CVE-2024-43167
Date: Tue, 16 Dec 2025 12:45:34 +0530
Message-ID: <20251216071537.3174578-3-ankur.tyagi85@gmail.com>
In-Reply-To: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
References: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122682

From: Ankur Tyagi

Details https://nvd.nist.gov/vuln/detail/CVE-2024-43167

Signed-off-by: Ankur Tyagi
---
 .../unbound/unbound/CVE-2024-43167.patch      | 46 +++++++++++++++++++
 .../recipes-support/unbound/unbound_1.19.3.bb |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-networking/recipes-support/unbound/unbound/CVE-2024-43167.patch

diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2024-43167.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43167.patch
new file mode 100644
index 0000000000..23efc49338
--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43167.patch
@@ -0,0 +1,46 @@ +From 81b41525fd07660f60ccca0378d1e1650d0b45b7 Mon Sep 17 00:00:00 2001 +From: zhailiangliang +Date: Tue, 21 May 2024 08:40:16 +0000 +Subject: [PATCH] fix null pointer dereference issue in function ub_ctx_set_fwd + of file libunbound/libunbound.c + +CVE: CVE-2024-43167 +Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/8e43e2574c4e02f79c562a061581cdcefe136912] +(cherry picked from commit 8e43e2574c4e02f79c562a061581cdcefe136912) +Signed-off-by: Ankur Tyagi +--- + libunbound/libunbound.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c +index 80a82bb4..c52114d9 100644 +--- a/libunbound/libunbound.c ++++ b/libunbound/libunbound.c +@@ -976,7 +976,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) + if(!addr) { + /* disable fwd mode - the root stub should be first. */ + if(ctx->env->cfg->forwards && +- strcmp(ctx->env->cfg->forwards->name, ".") == 0) { ++ (ctx->env->cfg->forwards->name && ++ strcmp(ctx->env->cfg->forwards->name, ".") == 0)) { + s = ctx->env->cfg->forwards; + ctx->env->cfg->forwards = s->next; + s->next = NULL; +@@ -996,7 +997,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) + /* it parses, add root stub in front of list */ + lock_basic_lock(&ctx->cfglock); + if(!ctx->env->cfg->forwards || +- strcmp(ctx->env->cfg->forwards->name, ".") != 0) { ++ (ctx->env->cfg->forwards->name && ++ strcmp(ctx->env->cfg->forwards->name, ".") != 0)) { + s = calloc(1, sizeof(*s)); + if(!s) { + lock_basic_unlock(&ctx->cfglock); +@@ -1014,6 +1016,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) + ctx->env->cfg->forwards = s; + } else { + log_assert(ctx->env->cfg->forwards); ++ log_assert(ctx->env->cfg->forwards->name); + s = ctx->env->cfg->forwards; + } + dupl = strdup(addr); 
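Review bot: the hunks treat a forwards entry whose name is NULL differently. In the @@ -976,7 +976,8 @@ disable path a NULL name makes the `&&` false, so the entry stays in the list, i.e. it is not the root stub; in the @@ -996,7 +997,8 @@ hunk the same NULL name makes the `||` false, so control falls into the `else` branch that assumes the list head is the root stub and, per the @@ -1014,6 +1016,7 @@ hunk, only `log_assert(ctx->env->cfg->forwards->name)`s it. If log_assert is compiled out in a release build, `s = ctx->env->cfg->forwards;` goes on with the nameless entry. Writing the second condition as `!ctx->env->cfg->forwards->name || strcmp(ctx->env->cfg->forwards->name, ".") != 0` would insert a fresh "." stub in that case and make the two paths agree.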
diff --git a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
index 0542ae454b..9a537c2dc2 100644
--- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
@@ -13,6 +13,7 @@ SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \ file://CVE-2024-8508.patch \ file://CVE-2024-33655.patch \ file://CVE-2025-11411.patch \ + file://CVE-2024-43167.patch \ " SRCREV = "48b6c60a24e9a5d6d369a7a37c9fe2a767f26abd"
From patchwork Tue Dec 16 07:15:35 2025
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 76576
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 4/6] unbound: patch CVE-2024-43168
Date: Tue, 16 Dec 2025 12:45:35 +0530
Message-ID: <20251216071537.3174578-4-ankur.tyagi85@gmail.com>
In-Reply-To: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
References: <20251216071537.3174578-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122683

From: Ankur Tyagi

Details https://nvd.nist.gov/vuln/detail/CVE-2024-43168

Signed-off-by: Ankur Tyagi
---
 .../unbound/unbound/CVE-2024-43168_1.patch    | 29 ++++++++++
 .../unbound/unbound/CVE-2024-43168_2.patch    | 57 +++++++++++++++++++
 .../recipes-support/unbound/unbound_1.19.3.bb |  2 +
 3 files changed, 88 insertions(+)
 create mode 100644 meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_1.patch
 create mode 100644 meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_2.patch

diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_1.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_1.patch
new file mode 100644
index 0000000000..27bb01e596
--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_1.patch
@@ -0,0 +1,29 @@ +From ae1788088e0db0d7a31e9ef4edced212395089c1 Mon Sep 17 00:00:00 2001 +From: zhailiangliang +Date: Wed, 3 Apr 2024 15:40:58 +0800 +Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of + file util/config_file.c + +CVE: CVE-2024-43168 +Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/193401e7543a1e561dd634a3eaae932fa462a2b9] +(cherry picked from commit 193401e7543a1e561dd634a3eaae932fa462a2b9) +Signed-off-by: Ankur Tyagi +--- + util/config_file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/util/config_file.c b/util/config_file.c +index 147f41e8..724b174c 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -1776,6 +1776,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num) + #endif + if(!mid) { + int port = atoi(str); ++ if(port < 0) { ++ log_err("Prevent out-of-bounds access to array avail"); ++ return 0; ++ } + if(port == 0 && strcmp(str, "0") != 0) { + log_err("cannot parse port number '%s'", str); + return 0; diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_2.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_2.patch new file mode 100644 index 0000000000..a85200a8c2 --- /dev/null +++ b/meta-networking/recipes-support/unbound/unbound/CVE-2024-43168_2.patch 
@@ -0,0 +1,57 @@ +From c9c49b5f3244bde6f4300fc19e56d5944fb25c0c Mon Sep 17 00:00:00 2001 +From: "W.C.A. Wijngaards" +Date: Wed, 3 Apr 2024 10:16:18 +0200 +Subject: [PATCH] - For #1040: adjust error text and disallow negative ports in + other parts of cfg_mark_ports. + +CVE: CVE-2024-43168 +Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7] +(cherry picked from commit dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7) +Signed-off-by: Ankur Tyagi +--- + util/config_file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/util/config_file.c b/util/config_file.c +index 724b174c..c403d745 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -1777,7 +1777,7 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num) + if(!mid) { + int port = atoi(str); + if(port < 0) { +- log_err("Prevent out-of-bounds access to array avail"); ++ log_err("port number is negative: %d", port); + return 0; + } + if(port == 0 && strcmp(str, "0") != 0) { +@@ -1789,6 +1789,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num) + } else { + int i, low, high = atoi(mid+1); + char buf[16]; ++ if(high < 0) { ++ log_err("port number is negative: %d", high); ++ return 0; ++ } + if(high == 0 && strcmp(mid+1, "0") != 0) { + log_err("cannot parse port number '%s'", mid+1); + return 0; +@@ -1801,10 +1805,18 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num) + memcpy(buf, str, (size_t)(mid-str)); + buf[mid-str] = 0; + low = atoi(buf); ++ if(low < 0) { ++ log_err("port number is negative: %d", low); ++ return 0; ++ } + if(low == 0 && strcmp(buf, "0") != 0) { + log_err("cannot parse port number '%s'", buf); + return 0; + } ++ if(high > num) { ++ /* Stop very high values from taking a long time. */ ++ high = num; ++ } + for(i=low; i<=high; i++) { + if(i < num) + avail[i] = (allow?i:0); 
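Review bot: the negative-port guard added after `int port = atoi(str);` in CVE-2024-43168_1.patch closes the lower bound, but the hunk context ends before the point where `port` is used to index `avail`, so no upper bound is visible in this path; please confirm that the single-port branch also checks `port < num` before any write to `avail[port]`, as the range branch does with `if(i < num)`. The log text `Prevent out-of-bounds access to array avail` names the internal mechanism rather than the bad input and is reworded by the second patch; keeping the two backports separate with their own Upstream-Status lines is fine for traceability, but a one-line note in the commit message that the pair is applied together would help the next backporter.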
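Review bot: in the third hunk of CVE-2024-43168_2.patch the clamp `if(high > num) high = num;` bounds the loop and the existing `if(i < num)` still guards the write, so the `i == num` iteration is harmlessly skipped; good. Two points remain for the second and third hunks: `atoi()` gives no overflow indication (its behaviour outside the int range is undefined), so a `strtol()` with `errno` and end-pointer checking would reject out-of-range `low`/`high` values explicitly instead of relying on the sign checks alone; and `memcpy(buf, str, (size_t)(mid-str))` into `char buf[16]` is only safe if the length of the low part is checked above the hunk, which the context does not show, so please verify that check is present in the 1.19.3 source being patched.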
diff --git a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb index 9a537c2dc2..076f03f2ae 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb 
@@ -14,6 +14,8 @@ SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \ file://CVE-2024-33655.patch \ file://CVE-2025-11411.patch \ file://CVE-2024-43167.patch \ + file://CVE-2024-43168_1.patch \ + file://CVE-2024-43168_2.patch \ " SRCREV = "48b6c60a24e9a5d6d369a7a37c9fe2a767f26abd"
From patchwork Tue Dec 16 07:15:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 76580
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Archana Polampalli , Gyorgy Sarvari , Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 5/6] tcpreplay: fix CVE-2025-9157 Date: Tue, 16 Dec 2025 12:45:36 +0530 Message-ID: <20251216071537.3174578-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251216071537.3174578-1-ankur.tyagi85@gmail.com> References: <20251216071537.3174578-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122684 From: Archana Polampalli A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue. Signed-off-by: Archana Polampalli Signed-off-by: Gyorgy Sarvari (cherry picked from commit 0538af085a47b038e369db9872ffed8945b200c2) Signed-off-by: Ankur Tyagi --- .../tcpreplay/tcpreplay/CVE-2025-9157.patch | 44 +++++++++++++++++++ .../tcpreplay/tcpreplay_4.4.4.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch new file mode 100644 index 0000000000..e52ec0dffc --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch 
@@ -0,0 +1,44 @@ +From 73008f261f1cdf7a1087dc8759115242696d35da Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Mon, 18 Aug 2025 18:35:16 -0700 +Subject: [PATCH] Bug #970 tcprewrite: --fixlen: do not use realloc + +No need to realloc if buffer is already proven to be big enough. + +CVE: CVE-2025-9157 + +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/73008f261f1cdf7a1087dc8759115242696d35da] + +Signed-off-by: Archana Polampalli +--- + src/tcpedit/edit_packet.c | 1 - + src/tcprewrite.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/tcpedit/edit_packet.c b/src/tcpedit/edit_packet.c +index 1025ff9..f9ade8f 100644 +--- a/src/tcpedit/edit_packet.c ++++ b/src/tcpedit/edit_packet.c +@@ -558,7 +558,6 @@ untrunc_packet(tcpedit_t *tcpedit, + * which seems like a corrupted pcap + */ + if (pkthdr->len > pkthdr->caplen) { +- packet = safe_realloc(packet, pkthdr->len + PACKET_HEADROOM); + memset(packet + pkthdr->caplen, '\0', pkthdr->len - pkthdr->caplen); + pkthdr->caplen = pkthdr->len; + } else if (pkthdr->len < pkthdr->caplen) { +diff --git a/src/tcprewrite.c b/src/tcprewrite.c +index c9aa52c..ee05a26 100644 +--- a/src/tcprewrite.c ++++ b/src/tcprewrite.c +@@ -270,6 +270,8 @@ rewrite_packets(tcpedit_t *tcpedit_ctx, pcap_t *pin, pcap_dumper_t *pout) + + if (pkthdr.caplen > MAX_SNAPLEN) + errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAX_SNAPLEN); ++ if (pkthdr.len > MAX_SNAPLEN) ++ errx(-1, "Frame too big, len %d exceeds %d", pkthdr.len, MAX_SNAPLEN); + /* + * copy over the packet so we can pad it out if necessary and + * because pcap_next() returns a const ptr +-- +2.40.0 diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb index a784190868..866661b4d1 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb 
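Review bot: dropping `safe_realloc()` from `untrunc_packet()` in src/tcpedit/edit_packet.c makes the function depend on its caller having allocated `packet` with at least `pkthdr->len + PACKET_HEADROOM` bytes, and nothing inside the function enforces that any more; since this code lives in the shared tcpedit library while the compensating `len > MAX_SNAPLEN` check is added only in src/tcprewrite.c, please confirm that no other caller of untrunc_packet passes a smaller buffer, or move the bound check (or at least an assert on `pkthdr->len`) into untrunc_packet itself so the invariant is enforced where it is relied upon.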
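Review bot: the new `if (pkthdr.len > MAX_SNAPLEN)` check in src/tcprewrite.c mirrors the `caplen` check directly above it, but `pkthdr.len` is an unsigned 32-bit field printed with `%d`; use `%u` here (the existing caplen line has the same mismatch) so an oversized value is not logged as a negative number. `errx(-1, ...)` terminates the whole rewrite on a single malformed record, which is consistent with the caplen handling and acceptable, but it is worth stating in the commit message that a corrupt pcap now aborts tcprewrite rather than having the packet padded or skipped.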
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar. file://CVE-2023-43279.patch \ file://CVE-2024-22654-0001.patch \ file://CVE-2024-22654-0002.patch \ + file://CVE-2025-9157.patch \ " SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"
From patchwork Tue Dec 16 07:15:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 76581
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 6/6] openvpn: patch CVE-2025-13086 Date: Tue, 16 Dec 2025 12:45:37 +0530 Message-ID: <20251216071537.3174578-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251216071537.3174578-1-ankur.tyagi85@gmail.com> References: <20251216071537.3174578-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Dec 2025 07:16:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122685 From: Ankur Tyagi Details https://nvd.nist.gov/vuln/detail/CVE-2025-13086 Signed-off-by: Ankur Tyagi --- .../openvpn/openvpn/CVE-2025-13086.patch | 157 ++++++++++++++++++ .../recipes-support/openvpn/openvpn_2.6.14.bb | 1 + 2 files changed, 158 insertions(+) create mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2025-13086.patch diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2025-13086.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2025-13086.patch new file mode 100644 index 0000000000..a37ef84a8d --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2025-13086.patch 
@@ -0,0 +1,157 @@ +From c56eb06a59ce8ccd601f1d58aa71cbd1211ee8d6 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Mon, 27 Oct 2025 10:05:55 +0100 +Subject: [PATCH] Fix memcmp check for the hmac verification in the 3way + handshake being inverted + +This is a stupid mistake but causes all hmac cookies to be accepted, +thus breaking source IP address validation. As a consequence, TLS +sessions can be openend and state can be consumed in the server from +IP addresses that did not initiate an initial connection. + +While at it, fix check to only allow [t-2;t] timeslots, disallowing +HMACs coming in from a future timeslot. + +Github: OpenVPN/openvpn-private-issues#56 + +CVE: 2025-13086 + +Reported-By: Joshua Rogers +Found-by: ZeroPath (https://zeropath.com/) +Reported-By: stefan@srlabs.de + +Change-Id: I9cbe2bf535575b47ddd7f34e985c5c1c6953a6fc +Signed-off-by: Arne Schwabe +Acked-by: Max Fillinger +(cherry picked from commit 68ec931e7fb4af11d5ba0d4283df0350083fd373) + +CVE: CVE-2025-13086 +Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83] +Signed-off-by: Ankur Tyagi +--- + src/openvpn/ssl_pkt.c | 7 ++-- + tests/unit_tests/openvpn/test_pkt.c | 57 ++++++++++++++++++++++++++++- + 2 files changed, 60 insertions(+), 4 deletions(-) + +diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c +index 41299f46..e820dc93 100644 +--- a/src/openvpn/ssl_pkt.c ++++ b/src/openvpn/ssl_pkt.c +@@ -545,13 +545,14 @@ check_session_id_hmac(struct tls_pre_decrypt_state *state, + return false; + } + +- /* check adjacent timestamps too */ +- for (int offset = -2; offset <= 1; offset++) ++ /* check adjacent timestamps too, the handwindow is split in 2 for the ++ * offset, so we check the current timeslot and the two before that */ ++ for (int offset = -2; offset <= 0; offset++) + { + struct session_id expected_id = + calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset); + +- if 
(memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE)) ++ if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE) == 0) + { + return true; + } +diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c +index 74d7311f..4e97384d 100644 +--- a/tests/unit_tests/openvpn/test_pkt.c ++++ b/tests/unit_tests/openvpn/test_pkt.c +@@ -429,6 +429,8 @@ test_verify_hmac_tls_auth(void **ut_state) + hmac_ctx_t *hmac = session_id_hmac_init(); + + struct link_socket_actual from = { 0 }; ++ from.dest.addr.sa.sa_family = AF_INET; ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); + struct tls_auth_standalone tas = { 0 }; + struct tls_pre_decrypt_state state = { 0 }; + +@@ -456,10 +458,12 @@ test_verify_hmac_tls_auth(void **ut_state) + static void + test_verify_hmac_none(void **ut_state) + { ++ now = 1000; + hmac_ctx_t *hmac = session_id_hmac_init(); + + struct link_socket_actual from = { 0 }; + from.dest.addr.sa.sa_family = AF_INET; ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); + + struct tls_auth_standalone tas = { 0 }; + struct tls_pre_decrypt_state state = { 0 }; +@@ -475,8 +479,59 @@ test_verify_hmac_none(void **ut_state) + assert_int_equal(verdict, VERDICT_VALID_ACK_V1); + + bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30); ++ assert_false(valid); ++ ++ struct session_id client_id = { { 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8 } }; ++ assert_memory_equal(&client_id, &state.peer_session_id, sizeof(struct session_id)); ++ ++ struct session_id expected_id = calculate_session_id_hmac(client_id, &from.dest, hmac, 30, 0); ++ ++ free_tls_pre_decrypt_state(&state); ++ buf_reset_len(&buf); ++ ++ /* Write the packet again into the buffer but this time, replacing the peer packet ++ * id with the expected one */ ++ buf_write(&buf, client_ack_none_random_id, sizeof(client_ack_none_random_id) - 8); ++ buf_write(&buf, expected_id.id, 8); ++ ++ verdict = tls_pre_decrypt_lite(&tas, 
&state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_ACK_V1); ++ valid = check_session_id_hmac(&state, &from.dest, hmac, 30); ++ + assert_true(valid); + ++ /* Our handwindow is 30 so the slices are half of that, so they are ++ * (975,990), (990, 1005), (1005, 1020), (1020, 1035), (1035, 1050) ++ * So setting time to the two future ones should work ++ */ ++ now = 980; ++ assert_false(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ now = 1040; ++ assert_false(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ now = 1002; ++ assert_true(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ now = 1022; ++ assert_true(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ now = 1010; ++ assert_true(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ ++ /* Changing the IP address should make this invalid */ ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020305); ++ assert_false(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ ++ /* Change to the correct one again */ ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); ++ assert_true(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ ++ /* Modify the peer id, should now fail hmac verification */ ++ buf_inc_len(&buf, -4); ++ buf_write_u32(&buf, 0x12345678); ++ ++ free_tls_pre_decrypt_state(&state); ++ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_ACK_V1); ++ assert_false(check_session_id_hmac(&state, &from.dest, hmac, 30)); ++ + free_tls_pre_decrypt_state(&state); + free_buf(&buf); + hmac_ctx_cleanup(hmac); +@@ -663,12 +718,12 @@ int + main(void) + { + const struct CMUnitTest tests[] = { ++ cmocka_unit_test(test_verify_hmac_none), + cmocka_unit_test(test_tls_decrypt_lite_none), + cmocka_unit_test(test_tls_decrypt_lite_auth), + cmocka_unit_test(test_tls_decrypt_lite_crypt), + cmocka_unit_test(test_parse_ack), + cmocka_unit_test(test_calc_session_id_hmac_static), +- cmocka_unit_test(test_verify_hmac_none), + 
cmocka_unit_test(test_verify_hmac_tls_auth), + cmocka_unit_test(test_generate_reset_packet_plain), + cmocka_unit_test(test_generate_reset_packet_tls_auth), diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb index 5361709f0c..305a69bec4 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.14.bb @@ -10,6 +10,7 @@ inherit autotools systemd update-rc.d pkgconfig SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ file://openvpn \ + file://CVE-2025-13086.patch \ " UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
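Review bot: the comparison fix in src/openvpn/ssl_pkt.c is correct: `memcmp_constant_time()` returns 0 on a match, so the old `if (memcmp_constant_time(...))` accepted every mismatching HMAC and rejected only the one correct value, which is exactly the "all hmac cookies accepted" behaviour the commit message describes; comparing `== 0` restores the intended check. The loop bound change from `offset <= 1` to `offset <= 0` is a second behavioural change (a future timeslot is no longer accepted) bundled into the same fix; it is explained in the message, but the patch header also carries a bare `CVE: 2025-13086` line without the `CVE-` prefix above the proper `CVE: CVE-2025-13086` tag, so drop the malformed one and leave a single well-formed tag for the OE cve-check tooling. The header also cites three different commit ids (`From c56eb06a...`, `cherry picked from commit 68ec931e...`, `Upstream-Status: Backport [.../fa6a1824...]`); please confirm the Upstream-Status URL is the commit on the branch this backport was actually taken from.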
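Review bot: in tests/unit_tests/openvpn/test_pkt.c the comment `So setting time to the two future ones should work` contradicts the assertions that follow: `now = 980` and `now = 1040` are checked with `assert_false`, which is the intended outcome, since the slot the id was computed for, (990, 1005), lies outside the [t-2;t] window at both times, while 1002, 1022 and 1010 are asserted true; reword the comment to say those two times must fail and the three inside the window must pass. Moving `cmocka_unit_test(test_verify_hmac_none)` to the head of the test list is not explained anywhere; if it is required because the test now sets the global `now` and must run before tests that depend on a different value, say so in a comment next to the list, otherwise it reads as an unrelated reorder that makes the backport harder to audit.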