From patchwork Fri Jan 2 11:28:55 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77922
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 1/5] fio: ignore CVE-2025-10824
Date: Fri, 2 Jan 2026 12:28:55 +0100
Message-ID: <20260102112900.1800006-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123090

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-10824

The upstream maintainer wasn't able to reproduce the issue[1], and the
related bug is closed without further action.

[1]: https://github.com/axboe/fio/issues/1981

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit a275078cbeaa0fafcfa4eb60ca69f05a8fe3df99)

Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_STATUS)

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-benchmark/fio/fio_3.30.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-benchmark/fio/fio_3.30.bb b/meta-oe/recipes-benchmark/fio/fio_3.30.bb
index 62b21339d0..8b864e24f2 100644
--- a/meta-oe/recipes-benchmark/fio/fio_3.30.bb
+++ b/meta-oe/recipes-benchmark/fio/fio_3.30.bb
@@ -45,3 +45,6 @@ do_install() { install -d ${D}/${docdir}/${PN} cp -R --no-dereference --preserve=mode,links -v ${S}/examples ${D}/${docdir}/${PN}/ } + +# disputed: Maintainer could not reproduce the issue, issue is closed without change. +CVE_CHECK_IGNORE += "CVE-2025-10824"
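Review bot: the commit message's adaptation note says `CVE_STATUS -> CVE_CHECK_STATUS`, but the line this hunk adds is `CVE_CHECK_IGNORE += "CVE-2025-10824"`; CVE_CHECK_IGNORE is the variable kirkstone's cve-check reads, so the commit message should name that one. The `+# disputed:` comment should also carry the upstream issue link that the commit message gives (https://github.com/axboe/fio/issues/1981): an ignore is audited from the recipe, not from git history, and "maintainer could not reproduce" is a judgement that needs its evidence next to it. Since nothing was fixed upstream, this entry needs revisiting if the NVD record later gains a reproducer or a fix commit.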
From patchwork Fri Jan 2 11:28:56 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77924
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/5] nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
Date: Fri, 2 Jan 2026 12:28:56 +0100
Message-ID: <20260102112900.1800006-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260102112900.1800006-1-skandigraun@gmail.com>
References: <20260102112900.1800006-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123091

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587

None of these vulnerabilities are present in the recipe version.

CVE-2023-30583: While the main feature (blob) was introduced in v16, the
vulnerable code (load blobs from file) was introduced in v20[1], and as
such, the vulnerability is not present in the recipe version.

CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission
model) was introduced[2] in v20.

Ignore these CVE IDs.

[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index 05a6706c10..b2872bfd98 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -46,6 +46,9 @@ S = "${WORKDIR}/node-v${PV}" CVE_PRODUCT = "nodejs node.js" +# the vulnerabilities were introduced in v20 +CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587" + # v8 errors out if you have set CCACHE CCACHE = ""
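Review bot: `+CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"` is a plain assignment, while PATCH 4/5 of this series appends to the same variable with `+=`; a plain `=` in the recipe discards any CVE_CHECK_IGNORE value set before the recipe is parsed (distro or local configuration), so use `CVE_CHECK_IGNORE += "..."` here as well for consistency and safety. The comment `# the vulnerabilities were introduced in v20` would also be more useful with the two introducing commits the commit message cites, since the blob case (CVE-2023-30583) rests on a different commit than the permission-model pair and a reader of the recipe cannot tell that from one shared line.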
From patchwork Fri Jan 2 11:28:57 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77926
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 3/5] nodejs: patch CVE-2023-39333
Date: Fri, 2 Jan 2026 12:28:57 +0100
Message-ID: <20260102112900.1800006-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260102112900.1800006-1-skandigraun@gmail.com>
References: <20260102112900.1800006-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123092

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333

Backport the patch that mentions this CVE ID explicitly in its commit
message.

Signed-off-by: Gyorgy Sarvari
---
 .../nodejs/nodejs/CVE-2023-39333.patch            | 57 +++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb     |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
new file mode 100644
index 0000000000..3cea4e1c23
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-39333.patch
@@ -0,0 +1,57 @@ +From 217a3dba7b2bfc94534c19e48a35bb9282367be2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sun, 6 Aug 2023 10:41:33 +0000 +Subject: [PATCH] module: fix code injection through export names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tobias Nießen + +createDynamicModule() properly escapes import names, but not export +names. In WebAssembly, any string is a valid export name. Importing a +WebAssembly module that uses a non-identifier export name leads to +either a syntax error in createDynamicModule() or to code injection, +that is, to the evaluation of almost arbitrary JavaScript code outside +of the WebAssembly module. + +To address this issue, adopt the same mechanism in createExport() that +createImport() already uses. Add tests for both exports and imports. + +PR-URL: https://github.com/nodejs-private/node-private/pull/461 +Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/489 +Reviewed-By: Rafael Gonzaga +CVE-ID: CVE-2023-39333 + +CVE: CVE-2023-39333 +Upstream-Status: Backport [https://github.com/nodejs/node/commit/f5c90b2951ca8ce8e47136ef073a1778edcad15d] +Signed-off-by: Gyorgy Sarvari +--- + lib/internal/modules/esm/create_dynamic_module.js | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/internal/modules/esm/create_dynamic_module.js b/lib/internal/modules/esm/create_dynamic_module.js +index f7c2008..c99da19 100644 +--- a/lib/internal/modules/esm/create_dynamic_module.js ++++ b/lib/internal/modules/esm/create_dynamic_module.js +@@ -18,13 +18,13 @@ function createImport(impt, index) { + import.meta.imports[${imptPath}] = $import_${index};`; + } + +-function createExport(expt) { +- const name = `${expt}`; +- return `let $${name}; +-export { $${name} as ${name} }; +-import.meta.exports.${name} = { +- get: () => $${name}, +- set: (v) => $${name} = v, ++function createExport(expt, index) { ++ const nameStringLit = 
JSONStringify(expt); ++ return `let $export_${index}; ++export { $export_${index} as ${nameStringLit} }; ++import.meta.exports[${nameStringLit}] = { ++ get: () => $export_${index}, ++ set: (v) => $export_${index} = v, + };`; + } + diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index b2872bfd98..2feec12f21 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb 
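Review bot: `createExport` gains an `index` parameter, but no call site is touched in this backport; confirm that in 16.20.2 the function is invoked through an array map that supplies the index the way `createImport` evidently is (the context line uses `$import_${index}`), otherwise every export would be named `$export_undefined` and the second one would be a redeclaration error. Likewise confirm that `JSONStringify` is already imported from primordials in this file; the `imptPath` that createImport uses suggests so, but the hunk does not show it. The upstream commit message says it also adds tests for exports and imports, while the diffstat shows only create_dynamic_module.js changed, so the patch header should state that the tests were dropped in the backport.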
@@ -30,6 +30,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://CVE-2024-22019.patch \ file://CVE-2024-22025.patch \ file://CVE-2023-46809.patch \ + file://CVE-2023-39333.patch \ " SRC_URI:append:class-target = " \ file://0001-Using-native-binaries.patch \
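The injection the backported commit message describes (createDynamicModule() escapes import names but not export names, and a WebAssembly module may export any string) can be seen with two small generators. What follows is an added example in JavaScript, not Node's code and not part of this series: `createExportUnsafe` and `createExportSafe` mirror the shape of the pre-fix and fixed `createExport` from the hunk above, `HOSTILE_NAME` and `QUOTE_NAME` are constructed export names, and `occursAsCode` and `exportNameFromSource` are helpers written for this example.

```javascript
'use strict';
// Added example, not Node's code: models the two shapes of createExport()
// and shows why a JSON string literal is the right way to embed an
// attacker-chosen WebAssembly export name in generated module source.

// Shape of the pre-fix generator: the name is spliced into the template raw,
// so whatever it contains lands in code position.
function createExportUnsafe(expt) {
  const name = `${expt}`;
  return `let $${name};
export { $${name} as ${name} };
import.meta.exports.${name} = {
  get: () => $${name},
  set: (v) => $${name} = v,
};`;
}

// Shape of the fixed generator: the binding is a synthetic identifier chosen
// by the generator, and the untrusted name only ever appears as a string
// literal (`export { x as "..." }` and `obj["..."]` accept any string).
function createExportSafe(expt, index) {
  const nameStringLit = JSON.stringify(expt);
  return `let $export_${index};
export { $export_${index} as ${nameStringLit} };
import.meta.exports[${nameStringLit}] = {
  get: () => $export_${index},
  set: (v) => $export_${index} = v,
};`;
}

// Constructed hostile names. A .wasm file may export any byte string; the
// first closes the `let` statement and smuggles in a statement, the second
// tries to close a double-quoted literal early.
const HOSTILE_NAME = 'a; globalThis.pwned = true; let $b';
const QUOTE_NAME = 'x"; globalThis.pwned = true; //';
const PAYLOAD = 'globalThis.pwned = true;';

// Does `stmt` occur in `src` outside every string literal? Good enough for
// this demo: blank out double- and single-quoted literals, then search.
function occursAsCode(src, stmt) {
  const stripped = src.replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, '""');
  return stripped.includes(stmt);
}

// Pull the export name back out of safely generated source: the only place
// it may be is the string literal after `as`.
function exportNameFromSource(src) {
  const m = /export \{ \$export_\d+ as ("(?:[^"\\]|\\.)*") \};/.exec(src);
  return m ? JSON.parse(m[1]) : null;
}

// For one name: is the payload executable code in the unsafe output, is it
// in the safe output, and does the safe output still carry the exact name?
function demoHostile(name) {
  const unsafe = createExportUnsafe(name);
  const safe = createExportSafe(name, 0);
  return {
    injectedUnsafe: occursAsCode(unsafe, PAYLOAD),
    injectedSafe: occursAsCode(safe, PAYLOAD),
    roundTrips: exportNameFromSource(safe) === name,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoHostile(HOSTILE_NAME));
  console.log(demoHostile(QUOTE_NAME));
  // Names that are not identifiers ("a b", "my-func") cannot even be declared
  // with `let` in the unsafe template; the safe one keeps them verbatim.
  console.log(exportNameFromSource(createExportSafe('my-func', 1)));
}
```

Run it with `node`. The fix is not escaping in the usual sense but moving the untrusted string out of code position: the `let` binding becomes an identifier the generator controls, and the name only reaches the module as a string literal, which ES2022 accepts both in `export { x as "..." }` and as a computed property key. A validation-only fix (reject names that are not identifiers) would have broken legitimate WebAssembly exports such as `my-func`; the string-literal form keeps them.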
From patchwork Fri Jan 2 11:28:58 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77925
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 4/5] nodejs: ignore CVE-2024-22017
Date: Fri, 2 Jan 2026 12:28:58 +0100
Message-ID: <20260102112900.1800006-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260102112900.1800006-1-skandigraun@gmail.com>
References: <20260102112900.1800006-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123093

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017

The vulnerability is related to the io_uring usage of libuv. Libuv first
introduced io_uring support in v1.45[1]. oe-core ships a non-vulnerable
version (1.44.2), and nodejs also vendors an older version (1.43).

Mark this CVE as ignored for this recipe version.

[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
index 2feec12f21..9c279d1463 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@@ -50,6 +50,9 @@ CVE_PRODUCT = "nodejs node.js" # the vulnerabilities were introduced in v20 CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587" +# the vulnerability was introduced later (with libuv 1.45) +CVE_CHECK_IGNORE += "CVE-2024-22017" + # v8 errors out if you have set CCACHE CCACHE = ""
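Review bot: the comment `# the vulnerability was introduced later (with libuv 1.45)` should record the two facts from the commit message that make the ignore valid, that nodejs 16.20.2 vendors libuv 1.43 and that kirkstone oe-core ships 1.44.2, plus the libuv commit link. As written it does not say which libuv this recipe actually links, and the ignore goes stale silently if the recipe is ever switched from the vendored copy to the system library or oe-core's libuv is bumped past 1.45. Because `CVE_PRODUCT = "nodejs node.js"` in the context line does not cover libuv, a system-libuv build is only checked by the libuv recipe's own cve-check, so this comment is the one place the dependency is written down.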
From patchwork Fri Jan 2 11:28:59 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 77923
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 5/5] nodejs: patch CVE-2024-27983
Date: Fri, 2 Jan 2026 12:28:59 +0100
Message-ID: <20260102112900.1800006-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260102112900.1800006-1-skandigraun@gmail.com>
References: <20260102112900.1800006-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123094

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-27983

Pick the patch that mentions this CVE ID explicitly in its commit
message.

Signed-off-by: Gyorgy Sarvari
---
 .../nodejs/nodejs/CVE-2024-27983.patch            | 40 +++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb     |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-27983.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-27983.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-27983.patch
new file mode 100644
index 0000000000..895a92052f
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-27983.patch
@@ -0,0 +1,40 @@ +From a8e022586ffe06a27709f4d8c03f328e3042a77d Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 26 Mar 2024 15:55:13 -0300 +Subject: [PATCH] src: ensure to close stream when destroying session + +From: RafaelGSS + +Co-Authored-By: Anna Henningsen +PR-URL: https://github.com/nodejs-private/node-private/pull/561 +Fixes: https://hackerone.com/reports/2319584 +Reviewed-By: Michael Dawson +Reviewed-By: Marco Ippolito +Reviewed-By: Matteo Collina +Reviewed-By: Benjamin Gruenbaum +CVE-ID: CVE-2024-27983 + +CVE: CVE-2024-27983 +Upstream-Status: Backport [https://github.com/nodejs/node/commit/0fb816dbccde955cd24acc1b16497a91fab507c8] +Signed-off-by: Gyorgy Sarvari +--- + src/node_http2.cc | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/node_http2.cc b/src/node_http2.cc +index 53216dc..9a6d63d 100644 +--- a/src/node_http2.cc ++++ b/src/node_http2.cc +@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state, + Http2Session::~Http2Session() { + CHECK(!is_in_scope()); + Debug(this, "freeing nghttp2 session"); ++ // Ensure that all `Http2Stream` instances and the memory they hold ++ // on to are destroyed before the nghttp2 session is. ++ for (const auto& [id, stream] : streams_) { ++ stream->Detach(); ++ } ++ streams_.clear(); + // Explicitly reset session_ so the subsequent + // current_nghttp2_memory_ check passes. + session_.reset(); diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb index 9c279d1463..9326b26421 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb @@ -31,6 +31,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://CVE-2024-22025.patch \ file://CVE-2023-46809.patch \ file://CVE-2023-39333.patch \ + file://CVE-2024-27983.patch \ " SRC_URI:append:class-target = " \ file://0001-Using-native-binaries.patch \
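Review bot: `for (const auto& [id, stream] : streams_)` in the `Http2Session::~Http2Session()` hunk is a C++17 structured binding, and the C++ standard that node 16.20.2 is built with is not shown here; confirm it is at least C++17, because with gnu++14 GCC only accepts this as an extension with a warning. `for (const auto& kv : streams_) kv.second->Detach();` expresses the same thing on either standard and drops the unused `id`. Also confirm that `Http2Stream` in 16.20.2 provides the `Detach()` the loop calls, since the hunk is the only place in the patch that references it and the build will only tell you at link time of the whole tree.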