From patchwork Sat Jan 17 09:45:30 2026
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 1/6] gpsd: patch CVE-2025-67268 Date: Sat, 17 Jan 2026 22:45:30 +1300 Message-ID: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 17 Jan 2026 09:46:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123547
From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67268 Signed-off-by: Ankur Tyagi --- .../gpsd/gpsd/CVE-2025-67268.patch | 214 ++++++++++++++++++ meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb | 1 + 2 files changed, 215 insertions(+) create mode 100644 meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch diff --git a/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch new file mode 100644 index 0000000000..132ca70a77 --- /dev/null +++ b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67268.patch 
@@ -0,0 +1,214 @@ +From c0ed640a755884bd62fd09d21b72f18825539353 Mon Sep 17 00:00:00 2001 +From: "Gary E. Miller" +Date: Tue, 2 Dec 2025 19:36:04 -0800 +Subject: [PATCH] drivers/driver_nmea2000.c: Fix issue 356, skyview buffer + overrun. + +CVE: CVE-2025-67268 +Upstream-Status: Backport [https://gitlab.com/gpsd/gpsd/-/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4?view=inline] +Signed-off-by: Ankur Tyagi +--- + drivers/driver_nmea2000.c | 77 ++++++++++++++++++++++++--------------- + 1 file changed, 48 insertions(+), 29 deletions(-) + +diff --git a/drivers/driver_nmea2000.c b/drivers/driver_nmea2000.c +index 66959f02d..a3b89a082 100644 +--- a/drivers/driver_nmea2000.c ++++ b/drivers/driver_nmea2000.c +@@ -12,11 +12,11 @@ + * Message contents can be had from canboat/analyzer: + * analyzer -explain + * +- * This file is Copyright 2012 by the GPSD project ++ * This file is Copyright by the GPSD project + * SPDX-License-Identifier: BSD-2-clause + */ + +-#include "../include/gpsd_config.h" /* must be before all includes */ ++#include "../include/gpsd_config.h" // must be before all includes + + #if defined(NMEA2000_ENABLE) + +@@ -68,7 +68,7 @@ typedef struct PGN + + #if LOG_FILE + FILE *logFile = NULL; +-#endif /* of if LOG_FILE */ ++#endif // of if LOG_FILE + + extern bool __attribute__ ((weak)) gpsd_add_device(const char *device_name, + bool flag_nowait); +@@ -89,12 +89,12 @@ static int scale_int(int32_t var, const int64_t factor) + static void print_data(struct gps_context_t *context, + unsigned char *buffer, int len, PGN *pgn) + { +- if ((libgps_debuglevel >= LOG_IO) != 0) { +- int l1, l2, ptr; ++ if (LOG_IO <= libgps_debuglevel) { ++ int l1; + char bu[128]; + +- ptr = 0; +- l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len); ++ int ptr = 0; ++ int l2 = sprintf(&bu[ptr], "got data:%6u:%3d: ", pgn->pgn, len); + ptr += l2; + for (l1=0;l1context, bu, len, pgn); +- /* FIXME? Get magnetic variation */ ++ // FIXME? 
Get magnetic variation + GPSD_LOG(LOG_DATA, &session->context->errout, + "pgn %6d(%3d):\n", pgn->pgn, session->driver.nmea2000.unit); + return(0); +@@ -358,7 +358,7 @@ static gps_mask_t hnd_126992(unsigned char *bu, int len, PGN *pgn, + { + // uint8_t sid; + // uint8_t source; +- uint64_t usecs; /* time in us */ ++ uint64_t usecs; // time in us + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -434,6 +434,7 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { + int l1; ++ int expected_len; + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -441,24 +442,39 @@ static gps_mask_t hnd_129540(unsigned char *bu, int len, PGN *pgn, + + session->driver.nmea2000.sid[2] = bu[0]; + session->gpsdata.satellites_visible = (int)bu[2]; ++ if (MAXCHANNELS <= session->gpsdata.satellites_visible) { ++ // Handle a CVE for overrunning skyview[] ++ GPSD_LOG(LOG_WARN, &session->context->errout, ++ "pgn %6d(%3d): Too many sats %d\n", ++ pgn->pgn, session->driver.nmea2000.unit, ++ session->gpsdata.satellites_visible); ++ session->gpsdata.satellites_visible = MAXCHANNELS; ++ } ++ expected_len = 3 + (12 * session->gpsdata.satellites_visible); ++ if (len != expected_len) { ++ GPSD_LOG(LOG_WARN, &session->context->errout, ++ "pgn %6d(%3d): wrong length %d s/b %d\n", ++ pgn->pgn, session->driver.nmea2000.unit, ++ len, expected_len); ++ return 0; ++ } + + memset(session->gpsdata.skyview, '\0', sizeof(session->gpsdata.skyview)); + for (l1=0;l1gpsdata.satellites_visible;l1++) { +- int svt; +- double azi, elev, snr; +- +- elev = getles16(bu, 3+12*l1+1) * 1e-4 * RAD_2_DEG; +- azi = getleu16(bu, 3+12*l1+3) * 1e-4 * RAD_2_DEG; +- snr = getles16(bu, 3+12*l1+5) * 1e-2; ++ int offset = 3 + (12 * l1); ++ double elev = getles16(bu, offset + 1) * 1e-4 * RAD_2_DEG; ++ double azi = getleu16(bu, offset + 3) * 1e-4 * RAD_2_DEG; ++ double snr = getles16(bu, offset 
+ 5) * 1e-2; + +- svt = (int)(bu[3+12*l1+11] & 0x0f); ++ int svt = (int)(bu[offset + 11] & 0x0f); + +- session->gpsdata.skyview[l1].elevation = (short) (round(elev)); +- session->gpsdata.skyview[l1].azimuth = (short) (round(azi)); ++ session->gpsdata.skyview[l1].elevation = elev; ++ session->gpsdata.skyview[l1].azimuth = azi; + session->gpsdata.skyview[l1].ss = snr; +- session->gpsdata.skyview[l1].PRN = (short)bu[3+12*l1+0]; ++ session->gpsdata.skyview[l1].PRN = (int16_t)bu[offset]; + session->gpsdata.skyview[l1].used = false; +- if ((svt == 2) || (svt == 5)) { ++ if ((2 == svt) || ++ (5 == svt)) { + session->gpsdata.skyview[l1].used = true; + } + } +@@ -588,7 +604,7 @@ static gps_mask_t hnd_129029(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { + gps_mask_t mask; +- uint64_t usecs; /* time in us */ ++ uint64_t usecs; // time in us + + print_data(session->context, bu, len, pgn); + GPSD_LOG(LOG_DATA, &session->context->errout, +@@ -675,7 +691,7 @@ static gps_mask_t hnd_129038(unsigned char *bu, int len, PGN *pgn, + (unsigned int)ais_direction((unsigned int)getleu16(bu, 21), 1.0); + ais->type1.turn = ais_turn_rate((int)getles16(bu, 23)); + ais->type1.status = (unsigned int) ((bu[25] >> 0) & 0x0f); +- ais->type1.maneuver = 0; /* Not transmitted ???? */ ++ ais->type1.maneuver = 0; // Not transmitted ???? 
+ decode_ais_channel_info(bu, len, 163, session); + + return(ONLINE_SET | AIS_SET); +@@ -730,8 +746,9 @@ static gps_mask_t hnd_129039(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129040: AIS Class B Extended Position Report ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129040(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -978,7 +995,7 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + date2.tm_year+1900, + ais->type5.hour, + ais->type5.minute); +-#endif /* of #if NMEA2000_DEBUG_AIS */ ++#endif // end of #if NMEA2000_DEBUG_AIS + decode_ais_channel_info(bu, len, 592, session); + return(ONLINE_SET | AIS_SET); + } +@@ -988,8 +1005,9 @@ static gps_mask_t hnd_129794(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129798: AIS SAR Aircraft Position Report ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -1016,8 +1034,8 @@ static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + ais->type9.alt = (unsigned int) (getleu64(bu, 21)/1000000); + ais->type9.regional = (unsigned int) ((bu[29] >> 0) & 0xff); + ais->type9.dte = (unsigned int) ((bu[30] >> 0) & 0x01); +-/* ais->type9.spare = (bu[30] >> 1) & 0x7f; */ +- ais->type9.assigned = 0; /* Not transmitted ???? */ ++// ais->type9.spare = (bu[30] >> 1) & 0x7f; ++ ais->type9.assigned = 0; // Not transmitted ???? 
+ decode_ais_channel_info(bu, len, 163, session); + + return(ONLINE_SET | AIS_SET); +@@ -1028,8 +1046,9 @@ static gps_mask_t hnd_129798(unsigned char *bu, int len, PGN *pgn, + + /* + * PGN 129802: AIS Safety Related Broadcast Message ++ * ++ * No test case for this message at the moment + */ +-/* No test case for this message at the moment */ + static gps_mask_t hnd_129802(unsigned char *bu, int len, PGN *pgn, + struct gps_device_t *session) + { +@@ -1043,7 +1062,7 @@ static gps_mask_t hnd_129802(unsigned char *bu, int len, PGN *pgn, + if (decode_ais_header(session->context, bu, len, ais, 0x3fffffff) != 0) { + int l; + +-/* ais->type14.channel = (bu[ 5] >> 0) & 0x1f; */ ++// ais->type14.channel = (bu[ 5] >> 0) & 0x1f; + for (l=0;l<36;l++) { + ais->type14.text[l] = (char) bu[6+l]; + } diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb index a755e39ed4..3833b4179b 100644 --- a/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb +++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb 
@@ -7,6 +7,7 @@ PROVIDES = "virtual/gpsd" SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://gpsd.init \ + file://CVE-2025-67268.patch \ " SRC_URI[sha256sum] = "00ee13f615655284874a661be13553abe66128e6deb5cd648af9bc0cb345fe5c"
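Review bot: in the hnd_129540 hunk, session->driver.nmea2000.sid[2] and session->gpsdata.satellites_visible are assigned from bu[0] and bu[2] before len is checked, and the `len != expected_len` path returns 0 ahead of the memset, so a rejected message still leaves its satellite count in the session next to the previous message's skyview[] contents. Suggest reading the count into a local, validating len against it first (that also covers len < 3), and only then storing to the session. Separately, `MAXCHANNELS <= session->gpsdata.satellites_visible` also fires when the count equals MAXCHANNELS, where the clamp is a no-op and the "Too many sats" warning is misleading; `<` looks like the intended comparison if skyview[] holds MAXCHANNELS entries, which this hunk does not show.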
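Review bot: most hunks in drivers/driver_nmea2000.c outside hnd_129540 only convert /* */ comments to //, flip comparison order (`LOG_IO <= libgps_debuglevel`) or move the "No test case" comments, and the hnd_129540 hunk also drops the `(short) (round(...))` conversion on elevation and azimuth. For a stable-branch CVE backport, consider trimming the patch to the count clamp and length check so the security-relevant change is easy to audit, or say in the patch header that the upstream commit was taken unmodified.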
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 2/6] gpsd: patch CVE-2025-67269 Date: Sat, 17 Jan 2026 22:45:31 +1300 Message-ID: <20260117094535.4191231-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> References: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 17 Jan 2026 09:46:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123548 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67269 Signed-off-by: Ankur Tyagi --- .../gpsd/gpsd/CVE-2025-67269.patch | 150 ++++++++++++++++++ meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb | 1 + 2 files changed, 151 insertions(+) create mode 100644 meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67269.patch diff --git a/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67269.patch b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67269.patch new file mode 100644 index 0000000000..6967f2ba12 --- /dev/null +++ b/meta-oe/recipes-navigation/gpsd/gpsd/CVE-2025-67269.patch 
@@ -0,0 +1,150 @@ +From 0a0448c7d5dabe0eef940108c6e85de16e45e757 Mon Sep 17 00:00:00 2001 +From: "Gary E. Miller" +Date: Wed, 3 Dec 2025 19:04:03 -0800 +Subject: [PATCH] gpsd/packet.c: Fix integer underflow is malicious Navcom + packet + +Causes DoS. Fix issue 358 + +CVE: CVE-2025-67269 +Upstream-Status: Backport [https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7] +Signed-off-by: Ankur Tyagi +--- + gpsd/packet.c | 63 ++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 47 insertions(+), 16 deletions(-) + +diff --git a/gpsd/packet.c b/gpsd/packet.c +index 8e14a17ff..51c51ced9 100644 +--- a/gpsd/packet.c ++++ b/gpsd/packet.c +@@ -947,18 +947,22 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + #endif // SIRF_ENABLE || SKYTRAQ_ENABLE + #ifdef SIRF_ENABLE + case SIRF_LEADER_2: +- // first part of length +- lexer->length = (size_t) (c << 8); ++ // first part of length, MSB ++ lexer->length = (c & 0x7f) << 8; ++ if (lexer->length > MAX_PACKET_LENGTH) { ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } // else + lexer->state = SIRF_LENGTH_1; + break; + case SIRF_LENGTH_1: + // second part of length + lexer->length += c + 2; +- if (lexer->length <= MAX_PACKET_LENGTH) { +- lexer->state = SIRF_PAYLOAD; +- } else { ++ if (lexer->length > MAX_PACKET_LENGTH) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = SIRF_PAYLOAD; + break; + case SIRF_PAYLOAD: + if (0 == --lexer->length) { +@@ -1000,6 +1004,7 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + return character_pushback(lexer, GROUND_STATE); + } + if (MAX_PACKET_LENGTH < lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); + } + lexer->state = SKY_PAYLOAD; +@@ -1182,14 +1187,29 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + } + break; + case NAVCOM_LEADER_3: ++ // command ID + lexer->state = 
NAVCOM_ID; + break; + case NAVCOM_ID: +- lexer->length = (size_t)c - 4; ++ /* Length LSB ++ * Navcom length includes command ID, length bytes. and checksum. ++ * So for more than just the payload length. ++ * Minimum 4 bytes */ ++ if (4 > c) { ++ return character_pushback(lexer, GROUND_STATE); ++ } ++ lexer->length = c; + lexer->state = NAVCOM_LENGTH_1; + break; + case NAVCOM_LENGTH_1: ++ // Length USB. Navcom allows payload length up to 65,531 + lexer->length += (c << 8); ++ // don't count ID, length and checksum in payload length ++ lexer->length -= 4; ++ if (MAX_PACKET_LENGTH < lexer->length) { ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } // else + lexer->state = NAVCOM_LENGTH_2; + break; + case NAVCOM_LENGTH_2: +@@ -1316,11 +1336,11 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->length += 2; // checksum + // 10 bytes is the length of the Zodiac header + // no idea what Zodiac max length really is +- if ((MAX_PACKET_LENGTH - 10) >= lexer->length) { +- lexer->state = ZODIAC_PAYLOAD; +- } else { ++ if ((MAX_PACKET_LENGTH - 10) < lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = ZODIAC_PAYLOAD; + break; + case ZODIAC_PAYLOAD: + if (0 == --lexer->length) { +@@ -1356,6 +1376,7 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->state = UBX_LENGTH_2; + } else { + // bad length ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); + } + break; +@@ -1502,16 +1523,16 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + lexer->state = GEOSTAR_MESSAGE_ID_2; + break; + case GEOSTAR_MESSAGE_ID_2: +- lexer->length = (size_t)c * 4; ++ lexer->length = c * 4; + lexer->state = GEOSTAR_LENGTH_1; + break; + case GEOSTAR_LENGTH_1: + lexer->length += (c << 8) * 4; +- if (MAX_PACKET_LENGTH >= lexer->length) { +- lexer->state = GEOSTAR_LENGTH_2; +- } else { ++ if (MAX_PACKET_LENGTH < 
lexer->length) { ++ lexer->length = 0; + return character_pushback(lexer, GROUND_STATE); +- } ++ } // else ++ lexer->state = GEOSTAR_LENGTH_2; + break; + case GEOSTAR_LENGTH_2: + lexer->state = GEOSTAR_PAYLOAD; +@@ -1823,6 +1844,16 @@ static bool nextstate(struct gps_lexer_t *lexer, unsigned char c) + #endif // STASH_ENABLE + } + ++ /* Catch length overflow. Should not happen. ++ * length is size_t, so underflow looks like overflow too. */ ++ if (MAX_PACKET_LENGTH <= lexer->length) { ++ GPSD_LOG(LOG_WARN, &lexer->errout, ++ "Too long: %zu state %u %s c x%x\n", ++ lexer->length, lexer->state, state_table[lexer->state], c); ++ // exit(255); ++ lexer->length = 0; ++ return character_pushback(lexer, GROUND_STATE); ++ } + return true; // no pushback + } + diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb index 3833b4179b..171060044c 100644 --- a/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb +++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.24.bb 
@@ -8,6 +8,7 @@ PROVIDES = "virtual/gpsd" SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://gpsd.init \ file://CVE-2025-67268.patch \ + file://CVE-2025-67269.patch \ " SRC_URI[sha256sum] = "00ee13f615655284874a661be13553abe66128e6deb5cd648af9bc0cb345fe5c"
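Review bot: in the NAVCOM_ID case the `4 > c` test is applied to the low byte of the length alone, before the high byte is added in NAVCOM_LENGTH_1, so a packet whose total length is 256 or more but whose low byte is 0 to 3 is pushed back to GROUND_STATE even though its length is well above the minimum. The test does keep `lexer->length -= 4` from wrapping, but the minimum would be better enforced on the combined value in NAVCOM_LENGTH_1, before the subtraction. The new comment there reads "Length USB", presumably MSB.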
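Review bot: the catch-all added at the end of nextstate() rejects `MAX_PACKET_LENGTH <= lexer->length`, while the per-state checks in this patch (SIRF_LENGTH_1, NAVCOM_LENGTH_1, GEOSTAR_LENGTH_1) only reject lengths greater than MAX_PACKET_LENGTH, so a length equal to the maximum passes the state check and is then dropped here with a "Too long" warning. Pick one boundary and use it in both places. The commented-out `// exit(255);` looks like leftover debugging and could be dropped from the backport.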
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Yoann Congal , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 3/6] boinc-client: fix hostname reproducibility Date: Sat, 17 Jan 2026 22:45:32 +1300 Message-ID: <20260117094535.4191231-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> References: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 17 Jan 2026 09:46:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123549 From: Yoann Congal The generated svn_version.h contains the hostname which makes it non-reproducible. Fix this by removing the hostname from the file. Signed-off-by: Yoann Congal Signed-off-by: Khem Raj (cherry picked from commit f23543fb6e8dc8af1f50058ed5739c4419e462db) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb index cfd134dd4f..624be655a5 100644 --- a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb +++ b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb 
@@ -78,7 +78,10 @@ do_install:prepend() { } do_install:append() { - sed -i -e 's#${S}##g' ${D}${includedir}/boinc/svn_version.h + # By default, the SVN_VERSION definition looks like: + #define SVN_VERSION "$SHA1 [https://github.com/BOINC/boinc] ($HOSTNAME:$S [client_release/7/7.20]) [Server-Release: server_release/1.1/1.1.0]" + # ... remove HOSTNAME and S to make it reproducible. + sed -i -e '/^#define SVN_VERSION /s#(\S*:\S* \[#([#g' ${D}${includedir}/boinc/svn_version.h } SYSTEMD_SERVICE:${PN} = "boinc-client.service"
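Review bot: the new sed expression in do_install:append only rewrites the `#define SVN_VERSION` line, and only when it has the `($HOSTNAME:$S [` shape quoted in the comment, whereas the removed `s#${S}##g` stripped the source path anywhere in svn_version.h. If the generated line ever differs from that shape, sed exits 0 without substituting and the hostname and build path end up in the installed header unnoticed. Consider following the sed with a check that fails do_install when `${S}` is still present in the file.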
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-oe][scarthgap][PATCH 4/6] boinc-client: set CVE_PRODUCT Date: Sat, 17 Jan 2026 22:45:33 +1300 Message-ID: <20260117094535.4191231-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> References: <20260117094535.4191231-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 17 Jan 2026 09:46:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123550 From: Gyorgy Sarvari The relevant CVEs are tracked with underscore in their name. See CVE db query: sqlite> select vendor, product, count(*) from PRODUCTs where product like '%boinc%' group by 1, 2; berkeley|boinc_client|2 berkeley|boinc_forum|1 universityofcalifornia|boinc_client|165 universityofcalifornia|boinc_server|5 Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 31de060b48c57194ea2e6c6844d746eb59a0d056) Signed-off-by: Ankur Tyagi --- meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb index 624be655a5..f995fa443f 100644 --- a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb +++ b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb
@@ -29,6 +29,9 @@ DEPENDS = "curl \ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'gtk+3 wxwidgets libnotify xcb-util libxscrnsaver', '', d)} \ nettle \ " + +CVE_PRODUCT = "boinc_client" + SRCREV = "4774e1cbe0ad13cb9a6f7fffbb626a417316f61d" BRANCH = "client_release/7/7.20" SRC_URI = "git://github.com/BOINC/boinc;protocol=https;branch=${BRANCH} \
From patchwork Sat Jan 17 09:45:34 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 78987
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 5/6] boinc-client: mark CVE-2013-2018 patched
Date: Sat, 17 Jan 2026 22:45:34 +1300
Message-ID: <20260117094535.4191231-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260117094535.4191231-1-ankur.tyagi85@gmail.com>
References: <20260117094535.4191231-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123551

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2013-2018

According to oss-security email[1], version 7.0.45 included the fixes[2][3][4]

[1]: https://www.openwall.com/lists/oss-security/2013/04/29/11
[2]: https://github.com/BOINC/boinc/commit/6e205de096da83b12ffb2f0183b43e51261eb0c4
[3]: https://github.com/BOINC/boinc/commit/e8d6c33fe158129a5616e18eb84a7a9d44aca15f
[4]: https://github.com/BOINC/boinc/commit/ce3110489bc139b8218252ba1cb0862d69f72ae3

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 2a78ad8813845677132ad0f1552fcaa4961c3e15)
Signed-off-by: Ankur Tyagi
---
 meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb index f995fa443f..0b17b71137 100644 --- a/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb +++ b/meta-oe/recipes-extended/boinc/boinc-client_7.20.5.bb
@@ -31,6 +31,7 @@ DEPENDS = "curl \ " CVE_PRODUCT = "boinc_client" +CVE_STATUS[CVE-2013-2018] = "fixed-version: fixed in version 7.0.45 and later" SRCREV = "4774e1cbe0ad13cb9a6f7fffbb626a417316f61d" BRANCH = "client_release/7/7.20"
From patchwork Sat Jan 17 09:45:35 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 78990
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 6/6] lmdb: patch CVE-2026-22185
Date: Sat, 17 Jan 2026 22:45:35 +1300
Message-ID: <20260117094535.4191231-6-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260117094535.4191231-1-ankur.tyagi85@gmail.com>
References: <20260117094535.4191231-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123552

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22185

Pick the patch that is mentioned as a solution in the related upstream bug[1].

[1]: https://bugs.openldap.org/show_bug.cgi?id=10421

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit e0f86a4a7f8e413c682fbd4a9c01b12b0234cd71)
Signed-off-by: Ankur Tyagi
---
 .../lmdb/files/CVE-2026-22185.patch | 31 +++++++++++++++++++
 meta-oe/recipes-dbs/lmdb/lmdb_0.9.31.bb | 1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-oe/recipes-dbs/lmdb/files/CVE-2026-22185.patch

diff --git a/meta-oe/recipes-dbs/lmdb/files/CVE-2026-22185.patch b/meta-oe/recipes-dbs/lmdb/files/CVE-2026-22185.patch new file mode 100644 index 0000000000..6c85b2b8ed --- /dev/null +++ b/meta-oe/recipes-dbs/lmdb/files/CVE-2026-22185.patch
@@ -0,0 +1,31 @@ +From 94ca20e5aed5d8730e045bb945fa3485b28a7981 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 6 Jan 2026 20:52:25 +0000 +Subject: [PATCH] ITS#10421 mdb_load: check for malicious input + +From: Howard Chu + +CVE: CVE-2026-22185 +Upstream-Status: Backport [https://github.com/LMDB/lmdb/commit/8e1fda85532a3c74276df38a42d234dcdfa1e40d] +Signed-off-by: Gyorgy Sarvari +--- + libraries/liblmdb/mdb_load.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libraries/liblmdb/mdb_load.c b/libraries/liblmdb/mdb_load.c +index d2a3cec..7eccf40 100644 +--- a/libraries/liblmdb/mdb_load.c ++++ b/libraries/liblmdb/mdb_load.c +@@ -208,6 +208,12 @@ badend: + + c1 = buf->mv_data; + len = strlen((char *)c1); ++ if (!len) { ++ /* This can only happen with an intentionally invalid input ++ * with a NUL byte after the leading SPACE ++ */ ++ goto badend; ++ } + l2 = len; + + /* Is buffer too short? */ diff --git a/meta-oe/recipes-dbs/lmdb/lmdb_0.9.31.bb b/meta-oe/recipes-dbs/lmdb/lmdb_0.9.31.bb index b2f1920f6b..0d06c74602 100644 --- a/meta-oe/recipes-dbs/lmdb/lmdb_0.9.31.bb +++ b/meta-oe/recipes-dbs/lmdb/lmdb_0.9.31.bb @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/LMDB/lmdb.git;nobranch=1;protocol=https \ file://run-ptest \ file://0001-Makefile-use-libprefix-instead-of-libdir.patch \ file://0001-make-set-soname-on-liblmdb.patch;patchdir=../.. \ + file://CVE-2026-22185.patch;striplevel=3 \ " SRCREV = "ce201088de95d26fc0da36ba805bf2ddc2ba74ff"
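Review bot: [PATCH 4/6, boinc-client_7.20.5.bb, hunk at line 29] the added CVE_PRODUCT = "boinc_client" has no comment saying why the override is needed, and it names the product without a vendor. The query in the commit message lists boinc_client under two vendors (berkeley and universityofcalifornia); an unqualified product name matches both, which looks intended, but nothing in the recipe records that. Suggest a one-line comment above the assignment stating that the CVE database tracks the client as boinc_client (underscore) under both vendors, so the next maintainer does not have to re-run the query to understand the setting.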
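Review bot: [PATCH 5/6, boinc-client_7.20.5.bb, hunk at line 31] the new CVE_STATUS[CVE-2013-2018] line states the fixed version but not where that version comes from; the evidence (the oss-security post and the three upstream commits) is only in the commit message. Suggest a comment above the line carrying the oss-security URL from the commit message, so the "fixed in version 7.0.45 and later" claim can be re-verified from the recipe alone when it is next touched. Minor style point: the previous patch set CVE_PRODUCT off with blank lines, and the status line now sits directly under it, which is fine as long as later CVE_STATUS entries are kept in the same block.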
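Review bot: [PATCH 6/6, new file CVE-2026-22185.patch, mdb_load.c hunk at line 208] the backported zero-length check after len = strlen((char *)c1) comes with no regression test, although the lmdb recipe already ships file://run-ptest. Suggest adding a ptest case that gives mdb_load the input the new comment describes (a NUL byte after the leading SPACE) and expects the load to fail, so that a later SRCREV bump or an accidental drop of this patch is caught by the test run rather than by the CVE scanner. The Upstream-Status line already names the upstream commit, which is enough to decide when the patch can be removed.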
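Review bot: [PATCH 6/6, lmdb_0.9.31.bb, SRC_URI hunk at line 12] the new entry uses striplevel=3 while the soname patch on the line directly above uses patchdir=../.. and both patches appear to be dealing with the same libraries/liblmdb path prefix. Either mechanism applies cleanly (stripping three components of a/libraries/liblmdb/mdb_load.c leaves mdb_load.c), but two different mechanisms in adjacent lines is easy to misread during a later upgrade. Suggest file://CVE-2026-22185.patch;patchdir=../.. for consistency with the existing entry, or a short comment explaining why striplevel was preferred.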