From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 1/8] mtr: patch CVE-2025-49809
Date: Thu, 25 Dec 2025 13:51:32 +0100
Message-ID: <20251225125139.2436941-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122913

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809

Pick the patch mentioned in the NVD report.

Signed-off-by: Gyorgy Sarvari
--- .../mtr/mtr/CVE-2025-49809.patch | 38 +++++++++++++++++++ .../recipes-support/mtr/mtr_0.95.bb | 4 +- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch diff --git a/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch new file mode 100644 index 0000000000..1f8ac4aeb9 --- /dev/null +++ b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch
@@ -0,0 +1,38 @@ +From 5eefb172ef1ab9e46d79c6bae60dbe7983c9f704 Mon Sep 17 00:00:00 2001 +From: "R.E. Wolff" +Date: Sun, 29 Jun 2025 14:06:00 +0200 +Subject: [PATCH] Added protection against use of MTR_PACKET under special + circumstances + +CVE: CVE-2025-49809 +Upstream-Status: Backport [https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6] +Signed-off-by: Gyorgy Sarvari +--- + ui/cmdpipe.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c +index d22b236..1a66293 100644 +--- a/ui/cmdpipe.c ++++ b/ui/cmdpipe.c +@@ -220,10 +220,17 @@ void execute_packet_child( + the path to the mtr-packet executable. This is necessary + for debugging changes for mtr-packet. + */ +- char *mtr_packet_path = getenv("MTR_PACKET"); +- if (mtr_packet_path == NULL) { ++ char * mtr_packet_path = NULL; ++ ++ // In the rare case that mtr-packet is not setuid-root, ++ // and a select group of users has sudo privileges to run ++ // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo ++ // to prevent a privilege escalation when one of those accounts ++ // is compromised. CVE-2025-49809 ++ if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0) ++ mtr_packet_path = getenv("MTR_PACKET"); ++ if (mtr_packet_path == NULL) + mtr_packet_path = "mtr-packet"; +- } + + /* + First, try to execute mtr-packet from PATH diff --git a/meta-networking/recipes-support/mtr/mtr_0.95.bb b/meta-networking/recipes-support/mtr/mtr_0.95.bb index 92f9c4bfc0..8c385ae46a 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.95.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.95.bb 
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "852e5617fbf331cf292723702161f0ac9afe257c" -SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https \ + file://CVE-2025-49809.patch \ + " S = "${WORKDIR}/git"
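Review bot: the guard added to execute_packet_child() in ui/cmdpipe.c is opt-in and fails open. MTR_PACKET is ignored only when /etc/mtr.is.run.under.sudo exists, and `access (...) != 0` treats every error, not just a missing file, as permission to read the variable. Nothing in the mtr_0.95.bb hunk installs that marker file, so an image built from this recipe behaves exactly as before unless the integrator creates it. Please say so in the commit message or in a recipe comment (or offer a way to ship the file), so that "patch CVE-2025-49809" is not read as closing the issue by default on targets where mtr is run through sudo.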
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-multimedia][kirkstone][PATCH 2/8] mpd: Update status for CVE-2020-7465 and CVE-2020-7466
Date: Thu, 25 Dec 2025 13:51:33 +0100
Message-ID: <20251225125139.2436941-2-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122915

From: Ninette Adhikari

The recipe used in the `meta-openembedded` is a different mpd package compared to the one which has the CVE issue.

Package used in `meta-embedded`: http://www.musicpd.org
Package with CVE issue: https://sourceforge.net/projects/mpd/

No action required.

Signed-off-by: Ninette Adhikari
Signed-off-by: Khem Raj
(cherry picked from commit 3e3c25698124dd82163d966fa9d7e7e807cfecbe)

Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)

Signed-off-by: Gyorgy Sarvari
--- meta-multimedia/recipes-multimedia/musicpd/mpd_0.23.12.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.23.12.bb b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.23.12.bb index 0b4e9e3df1..8b9e938f8d 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.23.12.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.23.12.bb
@@ -99,3 +99,6 @@ USERADD_PARAM:${PN} = " \ --home ${localstatedir}/lib/mpd \ --groups audio \ --user-group mpd" + +# cpe-incorrect: The recipe used in the meta-openembedded is a different mpd package compared to the one which has the CVE issue. +CVE_CHECK_IGNORE += "CVE-2020-7465 CVE-2020-7466"
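Review bot: the CVE_CHECK_IGNORE line added at the end of mpd_0.23.12.bb silences only the two listed IDs, while the comment above it gives the cause as cpe-incorrect, so any later CVE filed against the other mpd product will match this recipe again. If the product matching can be narrowed for this recipe (for example through CVE_PRODUCT), that would address the cause rather than two symptoms. Otherwise, consider carrying the two package URLs from the commit message into the comment so the reasoning stays with the recipe.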
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 3/8] nanopb: patch CVE-2024-53984
Date: Thu, 25 Dec 2025 13:51:34 +0100
Message-ID: <20251225125139.2436941-3-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122914

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53984

Pick the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari
--- .../nanopb/nanopb/CVE-2024-53984.patch | 36 +++++++++++++++++++ .../recipes-devtools/nanopb/nanopb_0.4.5.bb | 4 ++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb/CVE-2024-53984.patch diff --git a/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb/CVE-2024-53984.patch b/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb/CVE-2024-53984.patch new file mode 100644 index 0000000000..c7a0c3f007 --- /dev/null +++ b/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb/CVE-2024-53984.patch
@@ -0,0 +1,36 @@ +From 84e8fb3da74d3b83179700284ce47c98a8804ab1 Mon Sep 17 00:00:00 2001 +From: Petteri Aimonen +Date: Sun, 1 Dec 2024 11:40:38 +0200 +Subject: [PATCH] Fix memory not released on error return (GHSA-xwqq-qxmw-hj5r) + +When all of the following conditions apply: + +* Compile time option PB_ENABLE_MALLOC is enabled. +* Message contains at least one field with FT_POINTER field type. +* Custom stream callback is used with unknown stream length (stream.bytes_left = SIZE_MAX) +* pb_decode_ex() function is used with flag PB_DECODE_DELIMITED. +* The input message is corrupted (accidentally or maliciously) in the length prefix. + +Then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. +This could lead to memory leak and potential denial-of-service. + +CVE: CVE-2024-53984 +Upstream-Status: Backport [https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378] +Signed-off-by: Gyorgy Sarvari +--- + pb_decode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pb_decode.c b/pb_decode.c +index b194825..2a22607 100644 +--- a/pb_decode.c ++++ b/pb_decode.c +@@ -1156,7 +1156,7 @@ bool checkreturn pb_decode_ex(pb_istream_t *stream, const pb_msgdesc_t *fields, + status = pb_decode_inner(&substream, fields, dest_struct, flags); + + if (!pb_close_string_substream(stream, &substream)) +- return false; ++ status = false; + } + + #ifdef PB_ENABLE_MALLOC diff --git a/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb_0.4.5.bb b/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb_0.4.5.bb index 4b1853cc80..6edb2f11ce 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb_0.4.5.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-devtools/nanopb/nanopb_0.4.5.bb 
@@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" DEPENDS = "protobuf-native" -SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https" +SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https \ + file://CVE-2024-53984.patch \ + " SRCREV = "c9124132a604047d0ef97a09c0e99cd9bed2c818" S = "${WORKDIR}/git"
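Review bot: the context of the pb_decode.c hunk stops at `#ifdef PB_ENABLE_MALLOC`, so the pb_release() call that `status = false;` is meant to reach is not visible in the backport. Because the patch is applied on top of SRCREV c9124132a604047d0ef97a09c0e99cd9bed2c818 rather than the upstream parent commit, please confirm that in this revision the block after the #ifdef releases dest_struct when status is false and that pb_decode_ex() then returns status. The hunk applying cleanly does not show that by itself.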
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 4/8] redis: ignore CVE-2025-46686
Date: Thu, 25 Dec 2025 13:51:35 +0100
Message-ID: <20251225125139.2436941-4-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122916

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-46686

Upstream disputes that it is a security violation, and says that implementing a mitigation for this would negatively affect the rest of the application, so they elected to ignore it.

See Github advisory about the same vulnerability: https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9

Signed-off-by: Gyorgy Sarvari
--- meta-oe/recipes-extended/redis/redis_6.2.21.bb | 2 ++ meta-oe/recipes-extended/redis/redis_7.0.15.bb | 2 ++ 2 files changed, 4 insertions(+) diff --git a/meta-oe/recipes-extended/redis/redis_6.2.21.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb index e81984c081..3c24d459d6 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.21.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb @@ -25,6 +25,8 @@ inherit autotools-brokensep update-rc.d systemd useradd CVE_CHECK_IGNORE += "CVE-2022-0543" # not-applicable-config: only affects Windows CVE_CHECK_IGNORE += "CVE-2022-3734" +# disputed: not strictly a bug, mitigating it would affect functionality +CVE_CHECK_IGNORE += "CVE-2025-46686" FINAL_LIBS:x86:toolchain-clang = "-latomic" FINAL_LIBS:riscv32:toolchain-clang = "-latomic"
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.15.bb b/meta-oe/recipes-extended/redis/redis_7.0.15.bb index 61a088775b..3768453db2 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.15.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.15.bb 
@@ -38,6 +38,8 @@ inherit autotools-brokensep update-rc.d systemd useradd CVE_CHECK_IGNORE += "CVE-2022-0543" # not-applicable-config: only affects Windows CVE_CHECK_IGNORE += "CVE-2022-3734" +# disputed: not strictly a bug, mitigating it would affect functionality +CVE_CHECK_IGNORE += "CVE-2025-46686" FINAL_LIBS:x86:toolchain-clang = "-latomic" FINAL_LIBS:riscv32:toolchain-clang = "-latomic"
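Review bot: the comment added above `CVE_CHECK_IGNORE += "CVE-2025-46686"` in both redis_6.2.21.bb and redis_7.0.15.bb says only "disputed", while the evidence for the dispute (the upstream advisory GHSA-2r7g-8hpc-rpq9) appears only in the commit message. Please add the advisory URL to the recipe comment so that someone auditing the ignore list can verify the rationale without going through git history. The two hunks are otherwise identical, which is what one would expect.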
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 5/8] cups-filters: patch CVE-2025-57812
Date: Thu, 25 Dec 2025 13:51:36 +0100
Message-ID: <20251225125139.2436941-5-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122917

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57812

Backport the patch that is referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari
--- .../recipes-printing/cups/cups-filters.inc | 4 +- .../cups/cups-filters/CVE-2025-57812.patch | 127 ++++++++++++++++++ 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 5952b5a2a6..26a7c5037a 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -9,7 +9,9 @@ SECTION = "console/utils" DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng" DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native" -SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz" +SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \ + file://CVE-2025-57812.patch \ + " inherit autotools-brokensep gettext pkgconfig
diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch new file mode 100644 index 0000000000..1af27c10c1 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-57812.patch 
@@ -0,0 +1,127 @@ +From c21664d57ebecb2c6ed05b38b1c39995ab14e916 Mon Sep 17 00:00:00 2001 +From: zdohnal +Date: Mon, 10 Nov 2025 18:58:31 +0100 +Subject: [PATCH] Merge commit from fork + +* Fix heap-buffer overflow write in cfImageLut + +1. fix for CVE-2025-57812 + +* Reject color images with 1 bit per sample + +2. fix for CVE-2025-57812 + +* Reject images where the number of samples does not correspond with the color space + +3. fix for CVE-2025-57812 + +* Reject images with planar color configuration + +4. fix for CVE-2025-57812 + +* Reject images with vertical scanlines + +5. fix for CVE-2025-57812 + +--------- + +Co-authored-by: Till Kamppeter +CVE: CVE-2025-57812 +Upstream-Status: Backport [https://github.com/OpenPrinting/libcupsfilters/commit/b69dfacec7f176281782e2f7ac44f04bf9633cfa] +Signed-off-by: Gyorgy Sarvari +--- + cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 45 insertions(+), 1 deletion(-) + +diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c +index 4fd8756..b34c1ef 100644 +--- a/cupsfilters/image-tiff.c ++++ b/cupsfilters/image-tiff.c +@@ -43,6 +43,7 @@ _cupsImageReadTIFF( + TIFF *tif; /* TIFF file */ + uint32 width, height; /* Size of image */ + uint16 photometric, /* Colorspace */ ++ planar, /* Color components in separate planes */ + compression, /* Type of compression */ + orientation, /* Orientation */ + resunit, /* Units for resolution */ +@@ -115,6 +116,15 @@ _cupsImageReadTIFF( + return (-1); + } + ++ if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) && ++ planar == PLANARCONFIG_SEPARATE) ++ { ++ fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression)) + { + fputs("DEBUG: No compression tag in the file!\n", stderr); +@@ -129,6 +139,15 @@ _cupsImageReadTIFF( + if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits)) + bits = 1; + ++ if (bits == 
1 && samples > 1) ++ { ++ fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! " ++ "Samples per pixel: %d; Bits per sample: %d\n", samples, bits); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + /* + * Get the image orientation... + */ +@@ -181,6 +200,23 @@ _cupsImageReadTIFF( + else + alpha = 0; + ++ // ++ // Check whether number of samples per pixel corresponds with color space ++ // ++ ++ if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) || ++ (photometric == PHOTOMETRIC_SEPARATED && samples != 4)) ++ { ++ fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! " ++ "Color space: %s; Samples per pixel: %d\n", ++ (photometric == PHOTOMETRIC_RGB ? "RGB" : ++ (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")), ++ samples); ++ TIFFClose(tif); ++ fclose(fp); ++ return (1); ++ } ++ + /* + * Check the size of the image... + */ +@@ -253,6 +289,14 @@ _cupsImageReadTIFF( + break; + } + ++ if (orientation >= ORIENTATION_LEFTTOP) ++ { ++ fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr); ++ TIFFClose(tif); ++ fclose(fp); ++ return (-1); ++ } ++ + switch (orientation) + { + case ORIENTATION_TOPRIGHT : +@@ -1455,7 +1499,7 @@ _cupsImageReadTIFF( + } + + if (lut) +- cupsImageLut(out, img->xsize * 3, lut); ++ cupsImageLut(out, img->xsize * bpp, lut); + + _cupsImagePutRow(img, 0, y, img->xsize, out); + } From patchwork Thu Dec 25 12:51:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 77517 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B9BDE7AD52 for ; Thu, 25 Dec 2025 12:51:50 +0000 (UTC) Received: from mail-wr1-f51.google.com 
(mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.138122.1766667105647651410 for ; Thu, 25 Dec 2025 04:51:45 -0800
Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=XmbbsgYA; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com)
Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-42fbad1fa90so5753965f8f.0 for ; Thu, 25 Dec 2025 04:51:45 -0800 (PST)
X-Received: by 2002:a05:6000:2204:b0:431:66a:cbc3 with SMTP id ffacd0b85a97d-4324e4c127amr19837550f8f.6.1766667103789; Thu, 25 Dec 2025 04:51:43 -0800 (PST)
Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4324ea830fesm40219073f8f.20.2025.12.25.04.51.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Dec 2025 04:51:43 -0800 (PST)
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 6/8] cups-filters: patch CVE-2025-64524
Date: Thu, 25 Dec 2025 13:51:37 +0100
Message-ID: <20251225125139.2436941-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251225125139.2436941-1-skandigraun@gmail.com>
References: <20251225125139.2436941-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 12:51:50 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122918

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Pick the patch referenced by the nvd report.
Signed-off-by: Gyorgy Sarvari --- .../recipes-printing/cups/cups-filters.inc | 1 + .../cups/cups-filters/CVE-2025-64524.patch | 81 +++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 26a7c5037a..fe87ac98ae 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -11,6 +11,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \ file://CVE-2025-57812.patch \ + file://CVE-2025-64524.patch \ " inherit autotools-brokensep gettext pkgconfig diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch new file mode 100644 index 0000000000..f3481ddaa5 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch 
@@ -0,0 +1,81 @@ +From 3f24ec5518f3f7f9a7020cd88bb9bbf4e81475fe Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Wed, 12 Nov 2025 15:47:24 +0100 +Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file + +Infinite loop happened because of crafted input raster file, which led +into heap buffer overflow of `CompressBuf` array. + +Based on comments there should be always some `count` when compressing +the data, and processing of crafted file ended with offset and count +being 0. + +Fixes CVE-2025-64524 + +CVE: CVE-2025-64524 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06] +Signed-off-by: Gyorgy Sarvari +--- + filter/rastertopclx.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c +index 3e7c129..b20d195 100644 +--- a/filter/rastertopclx.c ++++ b/filter/rastertopclx.c +@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */ + } + + if (header->cupsCompression) +- CompBuffer = malloc(DotBufferSize * 4); ++ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char)); + + if (header->cupsCompression >= 3) +- SeedBuffer = malloc(DotBufferSize); ++ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char)); + + SeedInvalid = 1; + +@@ -1152,6 +1152,14 @@ CompressData(unsigned char *line, /* I - Data to compress */ + seed ++; + count ++; + } ++ ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + } + + /* +@@ -1245,6 +1253,13 @@ CompressData(unsigned char *line, /* I - Data to compress */ + + count = line_ptr - start; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + #if 0 + fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n", + offset, count, comp_ptr, comp_ptr - CompBuffer, +@@ -1416,6 +1431,13 @@ CompressData(unsigned char *line, /* I - Data to compress */ 
+ + count = (line_ptr - start) / 3; + ++ // ++ // Bail out if we don't have count to compress ++ // ++ ++ if (count == 0) ++ break; ++ + /* + * Place mode 10 compression data in the buffer; each sequence + * starts with a command byte that looks like:
From patchwork Thu Dec 25 12:51:38 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77520
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97D49E7AD55 for ; Thu, 25 Dec 2025 12:51:50 +0000 (UTC)
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.137508.1766667106223731531 for ; Thu, 25 Dec 2025 04:51:46 -0800
Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k+RnRzka; spf=pass (domain: gmail.com, ip: 209.85.128.45, mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-477ba2c1ca2so67436915e9.2 for ; Thu, 25 Dec 2025 04:51:46 -0800 (PST)
X-Received: by 2002:a05:6000:2305:b0:431:808:2d49 with SMTP id ffacd0b85a97d-4324e4c6fbfmr20969374f8f.8.1766667104473; Thu, 25 Dec 2025 04:51:44 -0800 (PST)
Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4324ea830fesm40219073f8f.20.2025.12.25.04.51.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Dec 2025 04:51:44 -0800 (PST)
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 7/8] cups-filters: patch CVE-2023-24805 Date: Thu, 25 Dec 2025 13:51:38 +0100 Message-ID: <20251225125139.2436941-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251225125139.2436941-1-skandigraun@gmail.com> References: <20251225125139.2436941-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 12:51:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122919 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24805 Pick the patch referenced by the nvd report. Signed-off-by: Gyorgy Sarvari --- .../recipes-printing/cups/cups-filters.inc | 1 + .../cups/cups-filters/CVE-2023-24805.patch | 213 ++++++++++++++++++ 2 files changed, 214 insertions(+) create mode 100644 meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index fe87ac98ae..ddd6451ccc 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -12,6 +12,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \ file://CVE-2025-57812.patch \ file://CVE-2025-64524.patch \ + file://CVE-2023-24805.patch \ " inherit autotools-brokensep gettext pkgconfig diff --git a/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch new file mode 100644 index 0000000000..fd8ef7b806 --- /dev/null +++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2023-24805.patch 
@@ -0,0 +1,213 @@ +From c90dcbd2887c1221a1c298c7a194b1d93ed0e501 Mon Sep 17 00:00:00 2001 +From: Till Kamppeter +Date: Wed, 17 May 2023 11:12:37 +0200 +Subject: [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x + +* beh backend: Use execv() instead of system() - CVE-2023-24805 + +With execv() command line arguments are passed as separate strings and +not the full command line in a single string. This prevents arbitrary +command execution by escaping the quoting of the arguments in a job +with forged job title. + +* beh backend: Extra checks against odd/forged input - CVE-2023-24805 + +- Do not allow '/' in the scheme of the URI (= backend executable + name), to assure that only backends inside /usr/lib/cups/backend/ + are used. + +- Pre-define scheme buffer to empty string, to be defined for case of + uri being NULL. + +- URI must have ':', to split off scheme, otherwise error. + +- Check return value of snprintf() to create call path for backend, to + error out on truncation of a too long scheme or on complete failure + due to a completely odd scheme. + +* beh backend: Further improvements - CVE-2023-24805 + +- Use strncat() instead of strncpy() for getting scheme from URI, the latter + does not require setting terminating zero byte in case of truncation. + +- Also exclude "." or ".." as scheme, as directories are not valid CUPS + backends. + +- Do not use fprintf() in sigterm_handler(), to not interfere with a + fprintf() which could be running in the main process when + sigterm_handler() is triggered. + +- Use "static volatile int" for global variable job_canceled. 
+ +CVE: CVE-2023-24805 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65] +Signed-off-by: Gyorgy Sarvari +--- + backend/beh.c | 107 +++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 83 insertions(+), 24 deletions(-) + +diff --git a/backend/beh.c b/backend/beh.c +index 225fd27..e864c22 100644 +--- a/backend/beh.c ++++ b/backend/beh.c +@@ -22,12 +22,13 @@ + #include "backend-private.h" + #include + #include ++#include + + /* + * Local globals... + */ + +-static int job_canceled = 0; /* Set to 1 on SIGTERM */ ++static volatile int job_canceled = 0; /* Set to 1 on SIGTERM */ + + /* + * Local functions... +@@ -213,20 +214,43 @@ call_backend(char *uri, /* I - URI of final destination */ + char **argv, /* I - Command-line arguments */ + char *filename) { /* I - File name of input data */ + const char *cups_serverbin; /* Location of programs */ ++ char *backend_argv[8]; /* Arguments for called CUPS backend */ + char scheme[1024], /* Scheme from URI */ + *ptr, /* Pointer into scheme */ +- cmdline[65536]; /* Backend command line */ +- int retval; ++ backend_path[2048]; /* Backend path */ ++ int pid, ++ wait_pid, ++ wait_status, ++ retval = 0; ++ int bytes; + + /* + * Build the backend command line... 
+ */ + +- strncpy(scheme, uri, sizeof(scheme) - 1); +- if (strlen(uri) > 1023) +- scheme[1023] = '\0'; ++ scheme[0] = '\0'; ++ strncat(scheme, uri, sizeof(scheme) - 1); + if ((ptr = strchr(scheme, ':')) != NULL) + *ptr = '\0'; ++ else ++ { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, no colon (':') to mark end of scheme part.\n"); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ if (strchr(scheme, '/')) ++ { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, scheme contains a slash ('/').\n"); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ if (!strcmp(scheme, ".") || !strcmp(scheme, "..")) ++ { ++ fprintf(stderr, ++ "ERROR: beh: Invalid URI, scheme (\"%s\") is a directory.\n", ++ scheme); ++ exit (CUPS_BACKEND_FAILED); ++ } + + if ((cups_serverbin = getenv("CUPS_SERVERBIN")) == NULL) + cups_serverbin = CUPS_SERVERBIN; +@@ -235,16 +259,26 @@ call_backend(char *uri, /* I - URI of final destination */ + fprintf(stderr, + "ERROR: beh: Direct output into a file not supported.\n"); + exit (CUPS_BACKEND_FAILED); +- } else +- snprintf(cmdline, sizeof(cmdline), +- "%s/backend/%s '%s' '%s' '%s' '%s' '%s' %s", +- cups_serverbin, scheme, argv[1], argv[2], argv[3], +- /* Apply number of copies only if beh was called with a +- file name and not with the print data in stdin, as +- backends should handle copies only if they are called +- with a file name */ +- (argc == 6 ? "1" : argv[4]), +- argv[5], filename); ++ } ++ ++ backend_argv[0] = uri; ++ backend_argv[1] = argv[1]; ++ backend_argv[2] = argv[2]; ++ backend_argv[3] = argv[3]; ++ backend_argv[4] = (argc == 6 ? 
"1" : argv[4]); ++ backend_argv[5] = argv[5]; ++ backend_argv[6] = filename; ++ backend_argv[7] = NULL; ++ ++ bytes = snprintf(backend_path, sizeof(backend_path), ++ "%s/backend/%s", cups_serverbin, scheme); ++ if (bytes < 0 || bytes >= sizeof(backend_path)) ++ { ++ fprintf(stderr, ++ "ERROR: beh: Invalid scheme (\"%s\"), could not determing backend path.\n", ++ scheme); ++ exit (CUPS_BACKEND_FAILED); ++ } + + /* + * Overwrite the device URI and run the actual backend... +@@ -253,17 +287,40 @@ call_backend(char *uri, /* I - URI of final destination */ + setenv("DEVICE_URI", uri, 1); + + fprintf(stderr, +- "DEBUG: beh: Executing backend command line \"%s\"...\n", +- cmdline); ++ "DEBUG: beh: Executing backend command line \"%s '%s' '%s' '%s' '%s' '%s'%s%s\"...\n", ++ backend_path, backend_argv[1], backend_argv[2], backend_argv[3], ++ backend_argv[4], backend_argv[5], ++ (backend_argv[6] && backend_argv[6][0] ? " " : ""), ++ (backend_argv[6] && backend_argv[6][0] ? backend_argv[6] : "")); + fprintf(stderr, + "DEBUG: beh: Using device URI: %s\n", + uri); + +- retval = system(cmdline) >> 8; ++ if ((pid = fork()) == 0) ++ { ++ retval = execv(backend_path, backend_argv); ++ if (retval == -1) ++ fprintf(stderr, "ERROR: Unable to execute backend: %s\n", ++ strerror(errno)); ++ exit (CUPS_BACKEND_FAILED); ++ } ++ else if (pid < 0) ++ { ++ fprintf(stderr, "ERROR: Unable to fork for backend\n"); ++ return (CUPS_BACKEND_FAILED); ++ } ++ ++ while ((wait_pid = wait(&wait_status)) < 0 && errno == EINTR); + +- if (retval == -1) +- fprintf(stderr, "ERROR: Unable to execute backend command line: %s\n", +- strerror(errno)); ++ if (wait_pid >= 0 && wait_status) ++ { ++ if (WIFEXITED(wait_status)) ++ retval = WEXITSTATUS(wait_status); ++ else if (WTERMSIG(wait_status) != SIGTERM) ++ retval = WTERMSIG(wait_status); ++ else ++ retval = 0; ++ } + + return (retval); + } +@@ -277,8 +334,10 @@ static void + sigterm_handler(int sig) { /* I - Signal number (unused) */ + (void)sig; + +- 
fprintf(stderr, +- "DEBUG: beh: Job canceled.\n"); ++ const char * const msg = "DEBUG: beh: Job canceled.\n"; ++ // The if() is to eliminate the return value and silence the warning ++ // about an unused return value. ++ if (write(2, msg, strlen(msg))); + + if (job_canceled) + _exit(CUPS_BACKEND_OK);
From patchwork Thu Dec 25 12:51:39 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77514
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88905E7AD44 for ; Thu, 25 Dec 2025 12:51:50 +0000 (UTC)
Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.138123.1766667108005721870 for ; Thu, 25 Dec 2025 04:51:48 -0800
Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Z+hdq0LA; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-477b198f4bcso42238345e9.3 for ; Thu, 25 Dec 2025 04:51:47 -0800 (PST)
X-Received: by 2002:a05:600c:3b1f:b0:477:bb0:751b with SMTP id 5b1f17b1804b1-47d20423ca4mr189928325e9.27.1766667106201; Thu, 25 Dec 2025 04:51:46 -0800 (PST)
Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4324ea830fesm40219073f8f.20.2025.12.25.04.51.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Dec 2025 04:51:45 -0800 (PST)
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 8/8] dbus-broker: patch CVE-2022-31212
Date: Thu, 25 Dec 2025 13:51:39 +0100
Message-ID: <20251225125139.2436941-8-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251225125139.2436941-1-skandigraun@gmail.com>
References: <20251225125139.2436941-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 25 Dec 2025 12:51:50 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122920

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-31212

A detailed writeup[1] is referenced by the nvd report, which describes that the vulnerability itself is not in the application, rather in a dependency of it, in c-shutil, which is pulled in as a submodule.

Pick the patch from this submodule that fixes a stack overflow, and adds a test explicitly verifying the described vulnerability.

[1]: https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/

Signed-off-by: Gyorgy Sarvari
--- .../dbus/dbus-broker/CVE-2022-31212.patch | 70 +++++++++++++++++++ meta-oe/recipes-core/dbus/dbus-broker_29.bb | 4 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch diff --git a/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch b/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch new file mode 100644 index 0000000000..a173e88d34 --- /dev/null +++ b/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch
@@ -0,0 +1,70 @@ +From 2dfb73805571bd48e92b2d09962bc99f3bc4f86b Mon Sep 17 00:00:00 2001 +From: David Rheinsberg +Date: Tue, 19 Apr 2022 13:11:02 +0200 +Subject: [PATCH] strnspn: fix buffer overflow + +Fix the strnspn and strncspn functions to use a properly sized buffer. +It used to be 1 byte too short. Checking for `0xff` in a string will +thus write `0xff` once byte beyond the stack space of the local buffer. + +Note that the public API does not allow to pass `0xff` to those +functions. Therefore, this is a read-only buffer overrun, possibly +causing bogus reports from the parser, but still well-defined. + +Reported-by: Steffen Robertz +Signed-off-by: David Rheinsberg + +CVE: CVE-2022-31212 +Upstream-Status: Backport [https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1] +Signed-off-by: Gyorgy Sarvari +--- + subprojects/c-shquote/src/c-shquote.c | 4 ++-- + subprojects/c-shquote/src/test-private.c | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/subprojects/c-shquote/src/c-shquote.c b/subprojects/c-shquote/src/c-shquote.c +index b268906..abb55d6 100644 +--- a/subprojects/c-shquote/src/c-shquote.c ++++ b/subprojects/c-shquote/src/c-shquote.c +@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp, + size_t c_shquote_strnspn(const char *string, + size_t n_string, + const char *accept) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + for ( ; *accept; ++accept) + buffer[(unsigned char)*accept] = true; +@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string, + size_t c_shquote_strncspn(const char *string, + size_t n_string, + const char *reject) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + if (strlen(reject) == 1) { + const char *p; +diff --git a/subprojects/c-shquote/src/test-private.c b/subprojects/c-shquote/src/test-private.c +index 57a7250..c6afe40 100644 +--- a/subprojects/c-shquote/src/test-private.c ++++ 
b/subprojects/c-shquote/src/test-private.c +@@ -148,6 +148,9 @@ static void test_strnspn(void) { + + len = c_shquote_strnspn("ab", 2, "bc"); + c_assert(len == 0); ++ ++ len = c_shquote_strnspn("ab", 2, "\xff"); ++ c_assert(len == 0); + } + + static void test_strncspn(void) { +@@ -167,6 +170,9 @@ static void test_strncspn(void) { + + len = c_shquote_strncspn("ab", 2, "cd"); + c_assert(len == 2); ++ ++ len = c_shquote_strncspn("ab", 2, "\xff"); ++ c_assert(len == 2); + } + + static void test_discard_comment(void) { diff --git a/meta-oe/recipes-core/dbus/dbus-broker_29.bb b/meta-oe/recipes-core/dbus/dbus-broker_29.bb index 525db345b0..aafeda206e 100644 --- a/meta-oe/recipes-core/dbus/dbus-broker_29.bb +++ b/meta-oe/recipes-core/dbus/dbus-broker_29.bb @@ -6,7 +6,9 @@ SECTION = "base" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=7b486c2338d225a1405d979ed2c15ce8" -SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz" +SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz \ + file://CVE-2022-31212.patch \ + " SRC_URI[sha256sum] = "4eca425db52b7ab1027153e93fea9b3f11759db9e93ffbf88759b73ddfb8026a" UPSTREAM_CHECK_URI = "https://github.com/bus1/${BPN}/releases"
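
Review bot: In the CVE-2025-57812 patch, cupsfilters/image-tiff.c hunk @@ -115,6 +116,15 @@, the new planar-configuration rejection returns (1) while the error path in the context lines directly above it returns (-1), and the vertical-scanline rejection added at @@ -253,6 +289,14 @@ returns (-1) as well. Please either make the rejection paths return the same value or add a comment saying why they differ. The log prefix is mixed in the same way: this hunk and the sample-count check log a rejected file as "DEBUG:", the 1-bit and orientation checks as "ERROR:".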
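
Review bot: In cupsfilters/image-tiff.c at @@ -181,6 +200,23 @@, the sample-count check constrains only PHOTOMETRIC_RGB and PHOTOMETRIC_SEPARATED, so any other photometric value passes with whatever samples value the file declares. A short comment stating which sample counts are expected for the remaining color spaces, or an explicit check for them, would show the omission is intended. The hunk also introduces // comments where the surrounding context uses /* ... */ blocks.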
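
Review bot: In cupsfilters/image-tiff.c at @@ -1455,7 +1499,7 @@, the length passed to cupsImageLut() changes from img->xsize * 3 to img->xsize * bpp, but the visible lines do not show how out is sized on this path; the patch description should state that out holds at least img->xsize * bpp bytes here. The patch header also names the fixed function as cfImageLut and points Upstream-Status at a libcupsfilters commit, while this backport changes cupsImageLut in cups-filters, so a line saying the patch was adapted for the older naming would help whoever refreshes it later.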
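
Review bot: In the CVE-2025-64524 patch, filter/rastertopclx.c hunk @@ -818,10 +818,10 @@, calloc(DotBufferSize * 4, sizeof(unsigned char)) still performs the multiplication before the call, so calloc's own overflow check never sees it. Writing it as calloc(DotBufferSize, 4) lets the allocator reject a size that would wrap. Neither CompBuffer nor SeedBuffer is checked for NULL in the lines shown.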
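
Review bot: In filter/rastertopclx.c at @@ -1152,6 +1152,14 @@ (and the same guard at @@ -1245,6 +1253,13 @@), the count == 0 case leaves the loop without any message. The commit message says this state comes from a crafted raster file, so a line on stderr before the break would make the rejected input visible in the CUPS log instead of producing a silently truncated row.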
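
Review bot: In filter/rastertopclx.c at @@ -1416,6 +1431,13 @@, count is computed as (line_ptr - start) / 3, so it is 0 not only when no progress was made but also when line_ptr - start is 1 or 2. Please confirm that breaking out in that case cannot drop valid trailing data, or test line_ptr == start for the no-progress condition and keep the division for the count.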
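
Review bot: In the CVE-2023-24805 patch, backend/beh.c hunk @@ -213,20 +214,43 @@, the scheme checks reject '/', "." and ".." but not an empty scheme. A URI that begins with ':' leaves scheme as "" and backend_path becomes "$CUPS_SERVERBIN/backend/", which is a directory just like the two cases already rejected. Adding a scheme[0] == '\0' test next to the existing ones would fail it with a clear error instead of relying on execv() to fail later.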
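
Review bot: In backend/beh.c at @@ -235,16 +259,26 @@, bytes is declared int and compared with sizeof(backend_path), which is a signed/unsigned comparison; it is correct only because bytes < 0 is tested first, so an explicit (size_t) cast would make that dependency visible and keep -Wsign-compare quiet. The error string in the same block reads "could not determing backend path".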
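
Review bot: In backend/beh.c at @@ -253,17 +287,40 @@, the parent reaps with wait(&wait_status), which returns for any child of the process, not specifically the backend forked a few lines earlier; waitpid(pid, &wait_status, 0) in the same EINTR loop ties the status to that child. Two smaller points in this hunk: the child calls exit() after a failed execv(), which flushes stdio buffers copied from the parent, where _exit() is the usual choice after fork(); and retval = WTERMSIG(wait_status) hands a signal number back where the caller expects a CUPS backend status code.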
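
Review bot: In backend/beh.c at @@ -277,8 +334,10 @@, if (write(2, msg, strlen(msg))); silences the unused-result warning with an empty if body, which itself triggers -Wempty-body under GCC's -Wextra. Assigning the result to a local and casting that to void does the same job without a second warning. The declaration of msg also follows the (void)sig; statement, which mixes declarations and code in a file whose other functions declare variables at the top.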
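
Review bot: In the CVE-2022-31212 patch, subprojects/c-shquote/src/test-private.c hunks @@ -148,6 +148,9 @@ and @@ -167,6 +170,9 @@, the added tests assert only on the returned length for a "\xff" accept/reject string. With the old UCHAR_MAX-sized buffer the out-of-bounds access is undefined behaviour that these assertions would not necessarily catch, so the tests guard against the regression only when run under a sanitizer; a note to that effect in the patch header would set expectations. The cover text of this mail names the dependency as c-shutil while every path in the patch is under subprojects/c-shquote, which is worth correcting before merge.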