From patchwork Wed Mar 4 11:39:54 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E79B7EB7ED7 for ; Wed, 4 Mar 2026 11:40:04 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16228.1772624399562986039 for ; Wed, 04 Mar 2026 03:39:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=D5u9t07y; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-480706554beso73240855e9.1 for ; Wed, 04 Mar 2026 03:39:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772624398; x=1773229198; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=bskCIYhzixQ00YPbrqg2IZ/qLAuJrG+D8J1BYwtQBho=; b=D5u9t07yM2eaTIBxc8Eoj1BLiSE9edTuzful4gzI4Qrt5kjR/G2NYmv+RaxWTijSNA JnMc2ok1cnO5PfQZs6qjf33T5JbICsBT4N9zWvsleiaOa8EygEJJ4p7T3UQ8vrrZR38O ceF7tzMJ9r5A68jKYlHtAG1gw58HndLmE5pi1fhPAh16Sm9fkwCyyDmMvxnkC10IEm8s uz0mMn/eteOn1wC50brF0nJnaPv3NW3T4Q383VI3eTPQBQDNCEDe0sy1xiUKf2Iiklmg hPCqycnelBlVyFFjcTe73qlFd/I3ji1SVwNRl/wdehIkPvUgst13Yjt6+k4mxfaJCNxf jZag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772624398; x=1773229198; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bskCIYhzixQ00YPbrqg2IZ/qLAuJrG+D8J1BYwtQBho=; b=JvWrCVHN5zRmKwWk6TzKFhaR1ZbkJl0zi8tYsyGEvL29SFP++ROPf28h6Ep/s/JDkT dP5U80I0Qi4dcqtP3B4z1X11DwWoP0TRHEN7gyKQsylGEBQMbllLdMMSCudrakNql2Dn VRX0qcKlX1pNo78QFwMAk+KR88z6eEJEhOLrSI4TXFdaizwfsSoIu7MTzWlFTG9RnD2K ddKY1WmIS3zmJ8otWadjagr+lFP8DrJ1z0BLpjokW7uTRMgDkvhmqvIT2ZGWlKEk7R8j 6f978/4VdUgBq5slO7Xt9XuTQxYow6+MDUhOm8CpyVG2bFSO+ayjqY6QkOm2ExQgPmVP Cq+g== X-Gm-Message-State: AOJu0Ywx9UWYnfA9PPqdmcNsXr/wa+0ESeooNYECc1X4t43BNHDEyZu9 Y6z1ZfYqzrjPlFqT8hVA3m3ysSLdvqLHYnGBbrszmGFsFMNfnONa05t90eFKUw== X-Gm-Gg: ATEYQzwj3dsaP/bcUIdmKXcsI8odgW4Vmf2L1NGhGv3xtTgvLfyLk1jTdVMeVymBYZl XQNFv7OWIWiRzYsp8pQKb/TgnVk4oPG4Dem5qawvJ0rKdBClcvtDdCj+JxWjC6bpfeJKimeZiyi 7pe7XSXzAbWrP3UkvhDKqaxW0y66OsdReWAUqfY9E2oQhpxyG06aukI90MJCPDNPcCJ92kPGHzX bHrc8CuRe6OuQ88QVgeemme2/zQm1RnaZwUfG6gEP+S30sMg6u/3I5WlgkbstOLUtuSXBhJdxWb iHMDOiYv35xDUNtMk6f6ntVx4UDbn1gw7LY1QQQdRxsCafVI9sc/4P8cJiN5c+Img9mdes9U2eS N1FN5aa47ObiNnkgyb3tLjFuRrKT7LrFjqGi+OmwCRb1CVmpEyoxQ15K0EDv7a8hEigC+IR8VJV WPXg4un+e+DV2DAkb670xB X-Received: by 2002:a05:600c:470d:b0:47e:e87f:4bba with SMTP id 5b1f17b1804b1-485198a2b1emr27030345e9.29.1772624397642; Wed, 04 Mar 2026 03:39:57 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851880724esm88692195e9.9.2026.03.04.03.39.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 03:39:57 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][kirkstone][PATCH 1/3] memcached: patch CVE-2023-46852 Date: Wed, 4 Mar 2026 12:39:54 +0100 Message-ID: <20260304113956.2245844-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 11:40:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124845 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46852 Backport the patch that is referenced by the NVD advisory. The test extension was not backported, because the modified testcase does not exist in the recipe version yet. Signed-off-by: Gyorgy Sarvari --- .../memcached/memcached/CVE-2023-46852.patch | 68 +++++++++++++++++++ .../memcached/memcached_1.6.15.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch new file mode 100644 index 0000000000..d0b5db23b7 --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch @@ -0,0 +1,68 @@ +From 3e7027caf6b1eb79d3d98a77e17051b120c30b9b Mon Sep 17 00:00:00 2001 +From: dormando +Date: Fri, 28 Jul 2023 10:32:16 -0700 +Subject: [PATCH] proxy: fix buffer overflow with multiget syntax + +"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to +process multiget syntax. + +To exploit this you must first pass the check in try_read_command_proxy: +- The request before the first newline must be less than 1024 bytes. +- If it is more than 1024 bytes there is a limit of 100 spaces. +- The key length is still checked at 250 bytes +- Meaning you have up to 772 spaces and then the key to create stack + corruption. + +So the amount of data you can shove in here isn't unlimited. + +The fix caps the amount of data pre-key to be reasonable. Something like +GAT needs space for a 32bit TTL which is at most going to be 15 bytes + +spaces, so we limit it to 20 bytes. + +I hate hate hate hate hate the multiget syntax. hate it. + +CVE: CVE-2023-46852 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767] +Signed-off-by: Gyorgy Sarvari +--- + proto_proxy.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/proto_proxy.c b/proto_proxy.c +index 6c028f4..94e38b6 100644 +--- a/proto_proxy.c ++++ b/proto_proxy.c +@@ -613,6 +613,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con + return 0; + } + ++// basically any data before the first key. ++// max is like 15ish plus spaces. we can be more strict about how many spaces ++// to expect because any client spamming space is being deliberately stupid ++// anyway. ++#define MAX_CMD_PREFIX 20 ++ + static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) { + assert(c != NULL); + LIBEVENT_THREAD *thr = c->thread; +@@ -670,12 +676,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu + if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) { + uint32_t keyoff = pr.tokens[pr.keytoken]; + while (pr.klen != 0) { +- char temp[KEY_MAX_LENGTH + 30]; ++ char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30]; + char *cur = temp; + // Core daemon can abort the entire command if one key is bad, but + // we cannot from the proxy. Instead we have to inject errors into + // the stream. This should, thankfully, be rare at least. +- if (pr.klen > KEY_MAX_LENGTH) { ++ if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) { ++ if (!resp_start(c)) { ++ conn_set_state(c, conn_closing); ++ return; ++ } ++ proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request"); ++ } else if (pr.klen > KEY_MAX_LENGTH) { + if (!resp_start(c)) { + conn_set_state(c, conn_closing); + return; diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb index 76e4768fb9..64065e8547 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb @@ -21,6 +21,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ + file://CVE-2023-46852.patch \ " SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515" From patchwork Wed Mar 4 11:39:55 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82448 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DAC7EEB7ED5 for ; Wed, 4 Mar 2026 11:40:04 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16141.1772624400024384341 for ; Wed, 04 Mar 2026 03:40:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=c5peJnPi; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-482f454be5bso70925515e9.0 for ; Wed, 04 Mar 2026 03:39:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772624398; x=1773229198; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5RCcD2s+AhuFyal3u2xNE8auKPu66PWUibU4nNUuo3o=; b=c5peJnPittKH6euJQYARUbcGKRe5x6gFBtWCKGZkgxwdNG7WsszJY/tGoYnxiRCpha RiaMdWC5GXl/vFHZEVkB/5V8yY2C5cPFlobPocZxFy390eemLirAtJ/hl3fFiO3sMOMz ylXU3Z0y6lw1DIWI0ftQBhN9QV6uATTT4uXJ6OYaOD1ZGKj5H/qCN3Az069YYUlIGfRY /t9U18b1SCEvdjPOZcfsnZM9IaMjQMJXrMCj9bwWpoKxOuqjbwE8rQkF22TNxWcV+Jiz bW16aiAKIeI3+u5SEQaWevLemmWGP+YV6z2ZVzt1QNikSNyLsuuCXJVAhWhq2XmqJLkg bmRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772624398; x=1773229198; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=5RCcD2s+AhuFyal3u2xNE8auKPu66PWUibU4nNUuo3o=; b=BMwoohnNU1X8xtFJchc3LV1Y8MHf2bU69lPoA3V6Bzh8cxCBM3n5H0qgEr1YXUJ8K5 nwYt7Y22zcsJKfj+DKUp7vB2dmWqv0K3eXcp1TqcPbeBHA63oT+gfOMWIqmh0gv643tX cjFntYHqe2Nkj7+vHyAkIUPX1wliGOln3ok/nbrnNIb7mbjukx7MAmH0xAN8w0T4CxlC /Zwdp6fcR4DdTebZGtHucBQf3KPJ4rCCrCjncZnypMQhAQo9TJ429HHMTYx7XhGi71Kv yOL9vhy6laBZyZIVmzSVg9KvQ1vRSCe5XeHyjuJ36a0M+RJKSeqeJU8oWGwI12pTPL75 X32A== X-Gm-Message-State: AOJu0Yx5zeCsPZrqxid1yEhmCqLTpUogqvtOtOST3k/IN7LyU3BcQMTb v6B2DvaS0FTaXLaN+fnk48spwntOPUzeMkC4CdU4LddPbMHMLmyV27jPW4be1w== X-Gm-Gg: ATEYQzwj4xutTqV99wPdRIKlxyozjfCGZIpXLU0SjtSveR6tF3zlohjupfwk+ouXCyY ycQSs8Ec2H3o9ukh5lVdOkiieAJgW19EQWSfbyZDUdOAP8Kclkus3t0+wDdT3ZsbPESNSQZnHmF FQqebyrFWN0yUMaQnAA64h9xpRva+n92MHK/0F7zLU+vdUvfkn9vsUN3J0A9RQwNPUnRDerk03H WspFuo+1919xyXy56x3GoMRH2rAdlv3k0cAOvzuCT6cEN8eydrgJlkhxB4G7tS1n52ViLXO1YnE cqMeSawgCnCQIWI++6SdjsGwsyNQHcD9ecboBjpA9gmFg+u7QgRKEn2/e7BNKIinKokbFzepWYP 5lsFkkWYTC07jIwBlD5bh+E7puC7knMk3vcuvshtxL3Ba56DcAVQxItCJdQdDjQIjM+bZXJT/8T m2vfRKbXqSCbXfGbOUeTyn X-Received: by 2002:a05:600c:8b6a:b0:480:4a90:1afd with SMTP id 5b1f17b1804b1-485197fa2c8mr27046905e9.0.1772624398235; Wed, 04 Mar 2026 03:39:58 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851880724esm88692195e9.9.2026.03.04.03.39.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 03:39:57 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][kirkstone][PATCH 2/3] memcached: patch CVE-2023-46853 Date: Wed, 4 Mar 2026 12:39:55 +0100 Message-ID: <20260304113956.2245844-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260304113956.2245844-1-skandigraun@gmail.com> References: <20260304113956.2245844-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 11:40:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124846 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46853 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../memcached/memcached/CVE-2023-46853.patch | 114 ++++++++++++++++++ .../memcached/memcached_1.6.15.bb | 1 + 2 files changed, 115 insertions(+) create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch new file mode 100644 index 0000000000..52066f7e71 --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch @@ -0,0 +1,114 @@ +From 788c8ba8fe07d0df3c425458b6e3a1590cc25401 Mon Sep 17 00:00:00 2001 +From: dormando +Date: Wed, 2 Aug 2023 15:45:56 -0700 +Subject: [PATCH] proxy: fix off-by-one if \r is missing + +A bunch of the parser assumed we only had \r\n, but I didn't actually +have that strictness set. Some commands worked and some broke in subtle +ways when just "\n" was being submitted. + +I'm not 100% confident in this change yet so I'm opening a PR to stage +it while I run some more thorough tests. + +CVE: CVE-2023-46853 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa] +Signed-off-by: Gyorgy Sarvari +--- + proxy.h | 1 + + proxy_request.c | 22 ++++++++++++++++------ + t/proxy.t | 5 +++-- + 3 files changed, 20 insertions(+), 8 deletions(-) + +diff --git a/proxy.h b/proxy.h +index 86b4aa9..df9ebd6 100644 +--- a/proxy.h ++++ b/proxy.h +@@ -268,6 +268,7 @@ struct mcp_parser_s { + uint8_t keytoken; // because GAT. sigh. also cmds without a key. + uint32_t parsed; // how far into the request we parsed already + uint32_t reqlen; // full length of request buffer. ++ uint32_t endlen; // index to the start of \r\n or \n + int vlen; + uint32_t klen; // length of key. + uint16_t tokens[PARSER_MAX_TOKENS]; // offsets for start of each token +diff --git a/proxy_request.c b/proxy_request.c +index f351cc1..1c34182 100644 +--- a/proxy_request.c ++++ b/proxy_request.c +@@ -9,7 +9,7 @@ + // where we later scan or directly feed data into API's. + static int _process_tokenize(mcp_parser_t *pr, const size_t max) { + const char *s = pr->request; +- int len = pr->reqlen - 2; ++ int len = pr->endlen; + + // since multigets can be huge, we can't purely judge reqlen against this + // limit, but we also can't index past it since the tokens are shorts. +@@ -79,7 +79,7 @@ static int _process_request_key(mcp_parser_t *pr) { + // Returns the offset for the next key. + size_t _process_request_next_key(mcp_parser_t *pr) { + const char *cur = pr->request + pr->parsed; +- int remain = pr->reqlen - pr->parsed - 2; ++ int remain = pr->endlen - pr->parsed; + + // chew off any leading whitespace. + while (remain) { +@@ -112,7 +112,7 @@ static int _process_request_metaflags(mcp_parser_t *pr, int token) { + return 0; + } + const char *cur = pr->request + pr->tokens[token]; +- const char *end = pr->request + pr->reqlen - 2; ++ const char *end = pr->request + pr->endlen; + + // We blindly convert flags into bits, since the range of possible + // flags is deliberately < 64. +@@ -276,15 +276,25 @@ int process_request(mcp_parser_t *pr, const char *command, size_t cmdlen) { + return -1; + } + +- const char *s = memchr(command, ' ', cmdlen-2); ++ // Commands can end with bare '\n's. Depressingly I intended to be strict ++ // with a \r\n requirement but never did this and need backcompat. ++ // In this case we _know_ \n is at cmdlen because we can't enter this ++ // function otherwise. ++ if (cm[cmdlen-2] == '\r') { ++ pr->endlen = cmdlen - 2; ++ } else { ++ pr->endlen = cmdlen - 1; ++ } ++ ++ const char *s = memchr(command, ' ', pr->endlen); + if (s != NULL) { + cl = s - command; + } else { +- cl = cmdlen - 2; ++ cl = pr->endlen; + } + pr->keytoken = 0; + pr->has_space = false; +- pr->parsed = cl + 1; ++ pr->parsed = cl; + pr->request = command; + pr->reqlen = cmdlen; + int token_max = PARSER_MAX_TOKENS; +diff --git a/t/proxy.t b/t/proxy.t +index c85796d..203924b 100644 +--- a/t/proxy.t ++++ b/t/proxy.t +@@ -151,13 +151,14 @@ my $p_sock = $p_srv->sock; + # NOTE: memcached always allowed [\r]\n for single command lines, but payloads + # (set/etc) require exactly \r\n as termination. + # doc/protocol.txt has always specified \r\n for command/response. +-# Proxy is more strict than normal server in this case. ++# Note a bug lead me to believe that the proxy was more strict, we accept any ++# \n or \r\n terminated commands. + { + my $s = $srv[0]->sock; + print $s "version\n"; + like(<$s>, qr/VERSION/, "direct server version cmd with just newline"); + print $p_sock "version\n"; +- like(<$p_sock>, qr/SERVER_ERROR/, "proxy version cmd with just newline"); ++ like(<$p_sock>, qr/VERSION/, "proxy version cmd with just newline"); + print $p_sock "version\r\n"; + like(<$p_sock>, qr/VERSION/, "proxy version cmd with full CRLF"); + } diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb index 64065e8547..010e8591cd 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb @@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ file://CVE-2023-46852.patch \ + file://CVE-2023-46853.patch \ " SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515" From patchwork Wed Mar 4 11:39:56 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 82449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B724EB7ED9 for ; Wed, 4 Mar 2026 11:40:05 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16230.1772624400561582832 for ; Wed, 04 Mar 2026 03:40:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WZjbckIB; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-4837634de51so28548705e9.1 for ; Wed, 04 Mar 2026 03:40:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772624399; x=1773229199; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=qZKb4iIe0Qgi4fCxlhy7OBQqcu8h2ZMzEF1mFew2oZI=; b=WZjbckIBIlHG7DDpF8Z2qJaIU0BVKS6ZgRKzpGPn1r0JwTWzYbyfR6g9+zWcSuu9a5 iIpxcKi8ep7NMrysyiD4wM/3+zTVrXJMl3rd7InulM6OqvKdPUCVIJMG2cUsTeiOjTI3 Lir0TjdWdAjXPsqcpOOk+OOaLdjpYbl9Rfs43idwwg0FS1hdo2b6rHHZttpd+c+0ILr6 KCYTczM0TXA8yTfMf21A4VeVbLxAFyqJL1nYy2m3ZjysbUDUM9gZNrDwD2KRcfmRfHtT +rV96M1MPNUtIvau130Pt08OmSQLtfA5Wz1M9IVbP6DWtEE+USaoh1cFMe7TABfwGT/s Cw/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772624399; x=1773229199; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=qZKb4iIe0Qgi4fCxlhy7OBQqcu8h2ZMzEF1mFew2oZI=; b=dTtlwYWI9nej9T6XjH8HbWBbWIdmKeaXnZ7ZlrOpTiqhtns46jayIle2SATjhubGov QttCGxgzxIkWH8cFHIsDr7uLKkK24gq6Cbpv9hNKnvmM4q+IxEUlshSTx9XBfh/gyxM/ IAwS3M9mtTLnTKHZSPhVLm2E16Y/qFh/MQJCkQsMlIl7SN6Iq9Fcgxqz6Rd3y5OKk/pm 1ZIkDyjIfzAovntldWKZAVDeB6l9cdiTXrd4fsI5YdyjKkFxATmhUmgT8ClyTLzK18Ax yeZsE6VB3dHr7tC2IZqzIrhanvEuv3g0pWVDgJlvNOCQgnNRX/452XnFc3Zj8/d3ME37 Zxwg== X-Gm-Message-State: AOJu0YyVc/wFX0x0PAAOq1rl7YkNd9AVk4ftefo+0LWNjy/RDhC9nSgb KFJI/jA6VSMScD8SBqdg35JMIcnJ+WTu68SjVJTF08i2piyowmP+Utz7wiFbaQ== X-Gm-Gg: ATEYQzyUkPf1lFsUzx+gjhqC4Ba9d0c5fSPmaGV1D6tKntfa+OpS0biasJPLRwdXCYj oFnzyQ5aczk01Th0r9kujvCvO2b7xWYb6C/zxGCDSE3zT2h1cRKbD8CfinL2gH2w3PvllkgFm4z 7M6TfJ0fUPYKM11KrPbxtZJXOGSnTT1+WNbOR9nk8X079DSeNnxbggBFSLcZBnbWgk6WeGLJ9ZN HEsR3Xhb5Yj/s4kiEb00ufS51fAQfii1FJ5RW7Gzh8lPeAVL7t+wYeuhyoRmASKHGEyBTb6+xnB oscFBXtz6VkgoNf1SUTDWfoSs+lETs3EnqibyfWjUYYNhvouyFBSSBEZRjJve4m0x5D9a9OlgBR xpHB5Ce+8e1neOynMOwxHre+Xs7RwIJNEGd1/iF6YE/f0RxCi6LXTDtpFGLghOfJg1zN9zZnG2N b5zgWFLF/0EaQDLSuC2PcZvrlo1gq+ApA= X-Received: by 2002:a05:600c:8b67:b0:480:2521:4d92 with SMTP id 5b1f17b1804b1-4851989ca05mr26827045e9.24.1772624398825; Wed, 04 Mar 2026 03:39:58 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4851880724esm88692195e9.9.2026.03.04.03.39.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 03:39:58 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-webserver][kirkstone][PATCH 3/3] netdata: patch CVE-2023-22497 Date: Wed, 4 Mar 2026 12:39:56 +0100 Message-ID: <20260304113956.2245844-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260304113956.2245844-1-skandigraun@gmail.com> References: <20260304113956.2245844-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Mar 2026 11:40:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124847 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-22497 This patch was selected based on its description, and based on the associated PR. The description matches the issue described in the NVD advisory, and the PR credits the same reported that is also credited with the CVE ID (in the release notes of the application). Signed-off-by: Gyorgy Sarvari --- .../netdata/netdata/CVE-2023-22497.patch | 120 ++++++++++++++++++ .../netdata/netdata_1.34.1.bb | 4 +- 2 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch diff --git a/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch new file mode 100644 index 0000000000..5aa2fde328 --- /dev/null +++ b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch @@ -0,0 +1,120 @@ +From 1aa77696d0853ab515eddea8ee7a7d16d3813571 Mon Sep 17 00:00:00 2001 +From: Costa Tsaousis +Date: Tue, 29 Nov 2022 17:28:17 +0200 +Subject: [PATCH] Strict control of streaming API keys and MACHINE GUIDs in + stream.conf (#14063) + +do not allow machine guids to be used as API keys + +CVE: CVE-2023-22497 +Upstream-Status: Backport [https://github.com/netdata/netdata/commit/811028aea2f146cc0ac2bc403f7d692add400d63] +Signed-off-by: Gyorgy Sarvari +--- + streaming/rrdpush.c | 30 ++++++++++++++++++++++++------ + streaming/stream.conf | 10 ++++++++++ + 2 files changed, 34 insertions(+), 6 deletions(-) + +diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c +index 8829d1e..0a0d9fc 100644 +--- a/streaming/rrdpush.c ++++ b/streaming/rrdpush.c +@@ -594,21 +594,30 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) { + + if(regenerate_guid(key, buf) == -1) { + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID KEY"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID KEY"); + error("STREAM [receive from [%s]:%s]: API key '%s' is not valid GUID (use the command uuidgen to generate one). Forbidding access.", w->client_ip, w->client_port, key); + return rrdpush_receiver_permission_denied(w); + } + + if(regenerate_guid(machine_guid, buf) == -1) { + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID MACHINE GUID"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID MACHINE GUID"); + error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid); + return rrdpush_receiver_permission_denied(w); + } + ++ const char *api_key_type = appconfig_get(&stream_config, key, "type", "api"); ++ if(!api_key_type || !*api_key_type) api_key_type = "unknown"; ++ if(strcmp(api_key_type, "api") != 0) { ++ rrdhost_system_info_free(system_info); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - API KEY GIVEN IS NOT API KEY"); ++ error("STREAM [receive from [%s]:%s]: API key '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, key, api_key_type); ++ return rrdpush_receiver_permission_denied(w); ++ } ++ + if(!appconfig_get_boolean(&stream_config, key, "enabled", 0)) { + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - KEY NOT ENABLED"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ENABLED"); + error("STREAM [receive from [%s]:%s]: API key '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, key); + return rrdpush_receiver_permission_denied(w); + } +@@ -619,7 +628,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) { + if(!simple_pattern_matches(key_allow_from, w->client_ip)) { + simple_pattern_free(key_allow_from); + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP"); + error("STREAM [receive from [%s]:%s]: API key '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, key); + return rrdpush_receiver_permission_denied(w); + } +@@ -627,9 +636,18 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) { + } + } + ++ const char *machine_guid_type = appconfig_get(&stream_config, machine_guid, "type", "machine"); ++ if(!machine_guid_type || !*machine_guid_type) machine_guid_type = "unknown"; ++ if(strcmp(machine_guid_type, "machine") != 0) { ++ rrdhost_system_info_free(system_info); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID GIVEN IS NOT A MACHINE GUID"); ++ error("STREAM [receive from [%s]:%s]: machine GUID '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid, machine_guid_type); ++ return rrdpush_receiver_permission_denied(w); ++ } ++ + if(!appconfig_get_boolean(&stream_config, machine_guid, "enabled", 1)) { + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - MACHINE GUID NOT ENABLED"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ENABLED"); + error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, machine_guid); + return rrdpush_receiver_permission_denied(w); + } +@@ -640,7 +658,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) { + if(!simple_pattern_matches(machine_allow_from, w->client_ip)) { + simple_pattern_free(machine_allow_from); + rrdhost_system_info_free(system_info); +- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP"); ++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP"); + error("STREAM [receive from [%s]:%s]: Machine GUID '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, machine_guid); + return rrdpush_receiver_permission_denied(w); + } +diff --git a/streaming/stream.conf b/streaming/stream.conf +index e65e76f..7229ade 100644 +--- a/streaming/stream.conf ++++ b/streaming/stream.conf +@@ -115,6 +115,11 @@ + [API_KEY] + # Default settings for this API key + ++ # This GUID is to be used as an API key from remote agents connecting ++ # to this machine. Failure to match such a key, denies access. ++ # YOU MUST SET THIS FIELD ON ALL API KEYS. ++ type = api ++ + # You can disable the API key, by setting this to: no + # The default (for unknown API keys) is: no + enabled = no +@@ -184,6 +189,11 @@ + # you can give settings for each sending host here. + + [MACHINE_GUID] ++ # This GUID is to be used as a MACHINE GUID from remote agents connecting ++ # to this machine, not an API key. ++ # YOU MUST SET THIS FIELD ON ALL MACHINE GUIDs. ++ type = machine ++ + # enable this host: yes | no + # When disabled, the parent will not receive metrics for this host. + # THIS IS NOT A SECURITY MECHANISM - AN ATTACKER CAN SET ANY OTHER GUID. diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb index 516fde6281..4d57b84b07 100644 --- a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb +++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24" DEPENDS += "libuv util-linux zlib" -SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz" +SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz \ + file://CVE-2023-22497.patch \ + " SRC_URI[sha256sum] = "8ea0786df0e952209c14efeb02e25339a0769aa3edc029e12816b8ead24a82d7" # default netdata.conf for netdata configuration