From patchwork Fri Jan 2 13:32:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 77939 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BF66FA374A for ; Fri, 2 Jan 2026 13:32:59 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5026.1767360767920129325 for ; Fri, 02 Jan 2026 05:32:49 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=NjuhIdUD; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-2026010213324402af9483ee0002078c-qb2iuj@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 2026010213324402af9483ee0002078c for ; Fri, 02 Jan 2026 14:32:44 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=WEFFFoE+rtZRG9LdD1ln+7Y7UqXZPGzDNVugE0LWFSc=; b=NjuhIdUDmVhQPmQI5pFysJxPJD0AEItv5faOYmLEliPDU7C6cdjrM4TQ0j9M851XT9Hyzv TN/dmdiXaApylA+E94PdCZuYZj2qU7Je93y739+iKUKspe7vX7+d2tRvYI1O2wiGedMpXlpO JdhJ1dsATUJEz1TCLRWVDV+any+H6IZVDuERGgBWDZ3VVObmkGJ6aA9ZsR/LvgJs4w3qXSJQ EeffbWfXNDlq45K9LjVSZNF1GUwGcDxRLRvCUgo5iNrgytF42Q96CmTaaNxkhKBp0VKruyNv 5mgaolQQOo5MBP3M8X/WTVMpPjZt0znayGu6cSgPDwkS6j7f6GJFbejQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 1/2] libpcap: patch CVE-2025-11961 Date: Fri, 2 Jan 2026 14:32:33 +0100 Message-Id: <20260102133234.2651606-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 02 Jan 2026 13:32:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228844 From: Peter Marko Pick patch per [1]. Also pick additional preparation patch to apply it cleanly. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-11961 Signed-off-by: Peter Marko --- .../libpcap/libpcap/CVE-2025-11961-01.patch | 38 ++ .../libpcap/libpcap/CVE-2025-11961-02.patch | 433 ++++++++++++++++++ .../libpcap/libpcap_1.10.4.bb | 2 + 3 files changed, 473 insertions(+) create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch new file mode 100644 index 00000000000..73c3ab3f5c7 --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch @@ -0,0 +1,38 @@ +From 7224be0fe2f4beb916b7b69141f478facd0f0634 Mon Sep 17 00:00:00 2001 +From: Denis Ovsienko +Date: Sat, 27 Dec 2025 21:36:11 +0000 +Subject: [PATCH] Rename one of the xdtoi() copies to simplify backporting. + +CVE: CVE-2025-11961 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7224be0fe2f4beb916b7b69141f478facd0f0634] +Signed-off-by: Peter Marko +--- + nametoaddr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/nametoaddr.c b/nametoaddr.c +index dc75495c..bdaacbf1 100644 +--- a/nametoaddr.c ++++ b/nametoaddr.c +@@ -646,7 +646,7 @@ pcap_nametollc(const char *s) + + /* Hex digit to 8-bit unsigned integer. */ + static inline u_char +-xdtoi(u_char c) ++pcapint_xdtoi(u_char c) + { + if (c >= '0' && c <= '9') + return (u_char)(c - '0'); +@@ -728,10 +728,10 @@ pcap_ether_aton(const char *s) + while (*s) { + if (*s == ':' || *s == '.' || *s == '-') + s += 1; +- d = xdtoi(*s++); ++ d = pcapint_xdtoi(*s++); + if (PCAP_ISXDIGIT(*s)) { + d <<= 4; +- d |= xdtoi(*s++); ++ d |= pcapint_xdtoi(*s++); + } + *ep++ = d; + } diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch new file mode 100644 index 00000000000..2dca7908ef0 --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch @@ -0,0 +1,433 @@ +From b2d2f9a9a0581c40780bde509f7cc715920f1c02 Mon Sep 17 00:00:00 2001 +From: Denis Ovsienko +Date: Fri, 19 Dec 2025 17:31:13 +0000 +Subject: [PATCH] CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton(). + +pcap_ether_aton() has for a long time required its string argument to be +a well-formed MAC-48 address, which is always the case when the argument +comes from other libpcap code, so the function has never validated the +input and used a simple loop to parse any of the three common MAC-48 +address formats. However, the function has also been a part of the +public API, so calling it directly with a malformed address can cause +the loop to read beyond the end of the input string and/or to write +beyond the end of the allocated output buffer. + +To handle invalid input more appropriately, replace the simple loop with +new functions and require the input to match a supported address format. + +This problem was reported by Jin Wei, Kunwei Qian and Ping Chen. + +(backported from commit dd08e53e9380e217ae7c7768da9cc3d7bf37bf83) + +CVE: CVE-2025-11961 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02] +Signed-off-by: Peter Marko +--- + gencode.c | 5 + + nametoaddr.c | 367 +++++++++++++++++++++++++++++++++++++++++++++++---- + 2 files changed, 349 insertions(+), 23 deletions(-) + +diff --git a/gencode.c b/gencode.c +index 3ddd15f8..76fb2d82 100644 +--- a/gencode.c ++++ b/gencode.c +@@ -7228,6 +7228,11 @@ gen_ecode(compiler_state_t *cstate, const char *s, struct qual q) + return (NULL); + + if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { ++ /* ++ * Because the lexer guards the input string format, in this ++ * context the function returns NULL iff the implicit malloc() ++ * has failed. ++ */ + cstate->e = pcap_ether_aton(s); + if (cstate->e == NULL) + bpf_error(cstate, "malloc"); +diff --git a/nametoaddr.c b/nametoaddr.c +index f9fcd288..f50d0da5 100644 +--- a/nametoaddr.c ++++ b/nametoaddr.c +@@ -703,39 +703,360 @@ __pcap_atodn(const char *s, bpf_u_int32 *addr) + return(32); + } + ++// Man page: "xxxxxxxxxxxx", regexp: "^[0-9a-fA-F]{12}$". ++static u_char ++pcapint_atomac48_xxxxxxxxxxxx(const char *s, uint8_t *addr) ++{ ++ if (strlen(s) == 12 && ++ PCAP_ISXDIGIT(s[0]) && ++ PCAP_ISXDIGIT(s[1]) && ++ PCAP_ISXDIGIT(s[2]) && ++ PCAP_ISXDIGIT(s[3]) && ++ PCAP_ISXDIGIT(s[4]) && ++ PCAP_ISXDIGIT(s[5]) && ++ PCAP_ISXDIGIT(s[6]) && ++ PCAP_ISXDIGIT(s[7]) && ++ PCAP_ISXDIGIT(s[8]) && ++ PCAP_ISXDIGIT(s[9]) && ++ PCAP_ISXDIGIT(s[10]) && ++ PCAP_ISXDIGIT(s[11])) { ++ addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]); ++ addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]); ++ addr[2] = pcapint_xdtoi(s[4]) << 4 | pcapint_xdtoi(s[5]); ++ addr[3] = pcapint_xdtoi(s[6]) << 4 | pcapint_xdtoi(s[7]); ++ addr[4] = pcapint_xdtoi(s[8]) << 4 | pcapint_xdtoi(s[9]); ++ addr[5] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]); ++ return 1; ++ } ++ return 0; ++} ++ ++// Man page: "xxxx.xxxx.xxxx", regexp: "^[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}$". ++static u_char ++pcapint_atomac48_xxxx_3_times(const char *s, uint8_t *addr) ++{ ++ const char sep = '.'; ++ if (strlen(s) == 14 && ++ PCAP_ISXDIGIT(s[0]) && ++ PCAP_ISXDIGIT(s[1]) && ++ PCAP_ISXDIGIT(s[2]) && ++ PCAP_ISXDIGIT(s[3]) && ++ s[4] == sep && ++ PCAP_ISXDIGIT(s[5]) && ++ PCAP_ISXDIGIT(s[6]) && ++ PCAP_ISXDIGIT(s[7]) && ++ PCAP_ISXDIGIT(s[8]) && ++ s[9] == sep && ++ PCAP_ISXDIGIT(s[10]) && ++ PCAP_ISXDIGIT(s[11]) && ++ PCAP_ISXDIGIT(s[12]) && ++ PCAP_ISXDIGIT(s[13])) { ++ addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]); ++ addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]); ++ addr[2] = pcapint_xdtoi(s[5]) << 4 | pcapint_xdtoi(s[6]); ++ addr[3] = pcapint_xdtoi(s[7]) << 4 | pcapint_xdtoi(s[8]); ++ addr[4] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]); ++ addr[5] = pcapint_xdtoi(s[12]) << 4 | pcapint_xdtoi(s[13]); ++ return 1; ++ } ++ return 0; ++} ++ + /* +- * Convert 's', which can have the one of the forms: ++ * Man page: "xx:xx:xx:xx:xx:xx", regexp: "^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$". ++ * Man page: "xx-xx-xx-xx-xx-xx", regexp: "^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$". ++ * Man page: "xx.xx.xx.xx.xx.xx", regexp: "^[0-9a-fA-F]{1,2}(\.[0-9a-fA-F]{1,2}){5}$". ++ * (Any "xx" above can be "x", which is equivalent to "0x".) + * +- * "xx:xx:xx:xx:xx:xx" +- * "xx.xx.xx.xx.xx.xx" +- * "xx-xx-xx-xx-xx-xx" +- * "xxxx.xxxx.xxxx" +- * "xxxxxxxxxxxx" ++ * An equivalent (and parametrisable for EUI-64) FSM could be implemented using ++ * a smaller graph, but that graph would be neither acyclic nor planar nor ++ * trivial to verify. + * +- * (or various mixes of ':', '.', and '-') into a new +- * ethernet address. Assumes 's' is well formed. ++ * | ++ * [.] v ++ * +<---------- START ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE0_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE0_XX | [:\.-] ++ * | | | ++ * | | [:\.-] | ++ * | [.] v | ++ * +<----- BYTE0_SEP_BYTE1 <-----+ ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE1_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE1_XX | ++ * | | | ++ * | | | ++ * | [.] v | ++ * +<----- BYTE1_SEP_BYTE2 <-----+ ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE2_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE2_XX | ++ * | | | ++ * | | | ++ * | [.] v | ++ * +<----- BYTE2_SEP_BYTE3 <-----+ ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE3_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE3_XX | ++ * | | | ++ * | | | ++ * | [.] v | ++ * +<----- BYTE3_SEP_BYTE4 <-----+ ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE4_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE4_XX | ++ * | | | ++ * | | | ++ * | [.] v | ++ * +<----- BYTE4_SEP_BYTE5 <-----+ ++ * | | ++ * | | [0-9a-fA-F] ++ * | [.] v ++ * +<--------- BYTE5_X ----------+ ++ * | | | ++ * | | [0-9a-fA-F] | ++ * | [.] v | ++ * +<--------- BYTE5_XX | \0 ++ * | | | ++ * | | \0 | ++ * | | v ++ * +--> (reject) +---------> (accept) ++ * ++ */ ++static u_char ++pcapint_atomac48_x_xx_6_times(const char *s, uint8_t *addr) ++{ ++ enum { ++ START, ++ BYTE0_X, ++ BYTE0_XX, ++ BYTE0_SEP_BYTE1, ++ BYTE1_X, ++ BYTE1_XX, ++ BYTE1_SEP_BYTE2, ++ BYTE2_X, ++ BYTE2_XX, ++ BYTE2_SEP_BYTE3, ++ BYTE3_X, ++ BYTE3_XX, ++ BYTE3_SEP_BYTE4, ++ BYTE4_X, ++ BYTE4_XX, ++ BYTE4_SEP_BYTE5, ++ BYTE5_X, ++ BYTE5_XX, ++ } fsm_state = START; ++ uint8_t buf[6]; ++ const char *seplist = ":.-"; ++ char sep; ++ ++ while (*s) { ++ switch (fsm_state) { ++ case START: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[0] = pcapint_xdtoi(*s); ++ fsm_state = BYTE0_X; ++ break; ++ } ++ goto reject; ++ case BYTE0_X: ++ if (strchr(seplist, *s)) { ++ sep = *s; ++ fsm_state = BYTE0_SEP_BYTE1; ++ break; ++ } ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[0] = buf[0] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE0_XX; ++ break; ++ } ++ goto reject; ++ case BYTE0_XX: ++ if (strchr(seplist, *s)) { ++ sep = *s; ++ fsm_state = BYTE0_SEP_BYTE1; ++ break; ++ } ++ goto reject; ++ case BYTE0_SEP_BYTE1: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[1] = pcapint_xdtoi(*s); ++ fsm_state = BYTE1_X; ++ break; ++ } ++ goto reject; ++ case BYTE1_X: ++ if (*s == sep) { ++ fsm_state = BYTE1_SEP_BYTE2; ++ break; ++ } ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[1] = buf[1] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE1_XX; ++ break; ++ } ++ goto reject; ++ case BYTE1_XX: ++ if (*s == sep) { ++ fsm_state = BYTE1_SEP_BYTE2; ++ break; ++ } ++ goto reject; ++ case BYTE1_SEP_BYTE2: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[2] = pcapint_xdtoi(*s); ++ fsm_state = BYTE2_X; ++ break; ++ } ++ goto reject; ++ case BYTE2_X: ++ if (*s == sep) { ++ fsm_state = BYTE2_SEP_BYTE3; ++ break; ++ } ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[2] = buf[2] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE2_XX; ++ break; ++ } ++ goto reject; ++ case BYTE2_XX: ++ if (*s == sep) { ++ fsm_state = BYTE2_SEP_BYTE3; ++ break; ++ } ++ goto reject; ++ case BYTE2_SEP_BYTE3: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[3] = pcapint_xdtoi(*s); ++ fsm_state = BYTE3_X; ++ break; ++ } ++ goto reject; ++ case BYTE3_X: ++ if (*s == sep) { ++ fsm_state = BYTE3_SEP_BYTE4; ++ break; ++ } ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[3] = buf[3] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE3_XX; ++ break; ++ } ++ goto reject; ++ case BYTE3_XX: ++ if (*s == sep) { ++ fsm_state = BYTE3_SEP_BYTE4; ++ break; ++ } ++ goto reject; ++ case BYTE3_SEP_BYTE4: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[4] = pcapint_xdtoi(*s); ++ fsm_state = BYTE4_X; ++ break; ++ } ++ goto reject; ++ case BYTE4_X: ++ if (*s == sep) { ++ fsm_state = BYTE4_SEP_BYTE5; ++ break; ++ } ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[4] = buf[4] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE4_XX; ++ break; ++ } ++ goto reject; ++ case BYTE4_XX: ++ if (*s == sep) { ++ fsm_state = BYTE4_SEP_BYTE5; ++ break; ++ } ++ goto reject; ++ case BYTE4_SEP_BYTE5: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[5] = pcapint_xdtoi(*s); ++ fsm_state = BYTE5_X; ++ break; ++ } ++ goto reject; ++ case BYTE5_X: ++ if (PCAP_ISXDIGIT(*s)) { ++ buf[5] = buf[5] << 4 | pcapint_xdtoi(*s); ++ fsm_state = BYTE5_XX; ++ break; ++ } ++ goto reject; ++ case BYTE5_XX: ++ goto reject; ++ } // switch ++ s++; ++ } // while ++ ++ if (fsm_state == BYTE5_X || fsm_state == BYTE5_XX) { ++ // accept ++ memcpy(addr, buf, sizeof(buf)); ++ return 1; ++ } ++ ++reject: ++ return 0; ++} ++ ++// The 'addr' argument must point to an array of at least 6 elements. ++static int ++pcapint_atomac48(const char *s, uint8_t *addr) ++{ ++ return s && ( ++ pcapint_atomac48_xxxxxxxxxxxx(s, addr) || ++ pcapint_atomac48_xxxx_3_times(s, addr) || ++ pcapint_atomac48_x_xx_6_times(s, addr) ++ ); ++} ++ ++/* ++ * If 's' is a MAC-48 address in one of the forms documented in pcap-filter(7) ++ * for "ether host", return a pointer to an allocated buffer with the binary ++ * value of the address. Return NULL on any error. + */ + u_char * + pcap_ether_aton(const char *s) + { +- register u_char *ep, *e; +- register u_char d; ++ uint8_t tmp[6]; ++ if (! pcapint_atomac48(s, tmp)) ++ return (NULL); + +- e = ep = (u_char *)malloc(6); ++ u_char *e = malloc(6); + if (e == NULL) + return (NULL); +- +- while (*s) { +- if (*s == ':' || *s == '.' || *s == '-') +- s += 1; +- d = pcapint_xdtoi(*s++); +- if (PCAP_ISXDIGIT(*s)) { +- d <<= 4; +- d |= pcapint_xdtoi(*s++); +- } +- *ep++ = d; +- } +- ++ memcpy(e, tmp, sizeof(tmp)); + return (e); + } + diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb index 36eb4bca75b..df091e5ca2c 100644 --- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb +++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb @@ -14,6 +14,8 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \ file://CVE-2023-7256-pre1.patch \ file://CVE-2023-7256.patch \ file://CVE-2024-8006.patch \ + file://CVE-2025-11961-01.patch \ + file://CVE-2025-11961-02.patch \ " SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f" From patchwork Fri Jan 2 13:32:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 77938 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0613CFA3748 for ; Fri, 2 Jan 2026 13:32:59 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.5026.1767360767920129325 for ; Fri, 02 Jan 2026 05:32:51 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=ShOT97Lc; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-20260102133250afa50dc1830002078b-w0qaqz@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20260102133250afa50dc1830002078b for ; Fri, 02 Jan 2026 14:32:50 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=nSI6+DkH/7tnBOyWDUQHSKFByMZckfUuMSICEw2Q7vk=; b=ShOT97Lc4k+yGHSRQsQhkL0nEGKFEJNaOvIPhLO0Ep6GuzHew2JiVn54iCpmOneUUXPP4X gGEMqdD0SFapKOzjK3mzneo5XVuoOfyq2/W4o+NymsqCub8lqSj2hDBE5eD6PWjZ5ZgPfKkM FeOA/MThhgqBqHoZ6bhJOOZTd+J/8BRltJgcVDi2IUhVNtOQu1ANnsZ5bfOT09XFJQqE/pBN HDAb0NcdanyFlCt+DM3RafKwruROpUaR8EY/cyvrvAbZSbH5lxjbsq6SneAC/xUEI1blJgEG 06LNBvtvFh0hgyx5YTCITnaXGn8StOo8hK4c+90srdiMMb0srs4mmAHg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 2/2] libpcap: patch CVE-2025-11964 Date: Fri, 2 Jan 2026 14:32:34 +0100 Message-Id: <20260102133234.2651606-2-peter.marko@siemens.com> In-Reply-To: <20260102133234.2651606-1-peter.marko@siemens.com> References: <20260102133234.2651606-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 02 Jan 2026 13:32:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228845 From: Peter Marko Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-11964 Signed-off-by: Peter Marko --- .../libpcap/libpcap/CVE-2025-11964.patch | 33 +++++++++++++++++++ .../libpcap/libpcap_1.10.4.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch diff --git a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch new file mode 100644 index 00000000000..003d21fb1f1 --- /dev/null +++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch @@ -0,0 +1,33 @@ +From 7fabf607f2319a36a0bd78444247180acb838e69 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Sun, 7 Sep 2025 12:51:56 -0700 +Subject: [PATCH] Fix a copy-and-pasteo in utf_16le_to_utf_8_truncated(). + +For the four octets of UTF-8 case, it was decrementing the remaining +buffer length by 3, not 4. + +Thanks to a team of developers from the Univesity of Waterloo for +reporting this. + +(cherry picked from commit aebfca1aea2fc8c177760a26e8f4de27b51d1b3b) + +CVE: CVE-2025-11964 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69] +Signed-off-by: Peter Marko +--- + fmtutils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fmtutils.c b/fmtutils.c +index a5a4fe62..78a0f8b7 100644 +--- a/fmtutils.c ++++ b/fmtutils.c +@@ -235,7 +235,7 @@ utf_16le_to_utf_8_truncated(const wchar_t *utf_16, char *utf_8, + *utf_8++ = ((uc >> 12) & 0x3F) | 0x80; + *utf_8++ = ((uc >> 6) & 0x3F) | 0x80; + *utf_8++ = ((uc >> 0) & 0x3F) | 0x80; +- utf_8_len -= 3; ++ utf_8_len -= 4; + } + } + diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb index df091e5ca2c..ee7d7540f67 100644 --- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb +++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb @@ -16,6 +16,7 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \ file://CVE-2024-8006.patch \ file://CVE-2025-11961-01.patch \ file://CVE-2025-11961-02.patch \ + file://CVE-2025-11964.patch \ " SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"