From patchwork Mon Apr 20 11:50:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86473 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8D18F36C5C for ; Mon, 20 Apr 2026 11:51:07 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17708.1776685865856384848 for ; Mon, 20 Apr 2026 04:51:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=R57Ak7bd; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-488b0e1b870so45487945e9.2 for ; Mon, 20 Apr 2026 04:51:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776685864; x=1777290664; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=1V0jiVYKdpeeocu9lwB4UeNV9TS4ItCp4s54U2Lv2xg=; b=R57Ak7bdpGdBFxQgs4aG4um6OwTxdDQV/D1aHBr6RfVK+Er7+jTMox4QGjO+1y4fA9 nwkT1bBxWDgR7QnxX8UAYvrznvtbR6nscSURAtOiFd09dSkVCx8OAzgBKy6fX81RUiE3 ZomSj2b9/dUv+bCLY9TeyhttF4mYGfhZimkObdADY1vwoIToYsjVD8u27waHIEeSwI95 whAI6mCv9Eemts4EE35k1e+NcQLklPB0ZqADX2iJ6axXR5jHd4PnEUrtaCQO7aEd3/xn nYi+P2qeujtQcoTz8PmJUJ0EyL9aWUlhkys092JKld/AhuMKNpcRh4g8UN6jW3y84MSj zqCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776685864; x=1777290664; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1V0jiVYKdpeeocu9lwB4UeNV9TS4ItCp4s54U2Lv2xg=; b=KpFxpuPCcR1OJUm3/MoLNI3YUwtsak8kv0hJ+I008EbT/4IBouT5h+olGGvAXYQsCf jJR+9wmCwD0heB7Mvt7hvoBmem0KPpLAx0dRmkhVy5HA23KtfxFZ+ThWtJapRwLb29B1 XlZD1w4iT8sELUr82j8as+TMO9AxDLkINApAxW/pN1zA0yV1PZ8Fbw3h0iNVZ2QnzNlV 0TkxH6i6uBUwOzaFXwUlTXOzp6K0vLfQ0wZ7mLKAixhAF3qzixv5j2CBr7X7m1tgkDgX ClQkV+akleQZ8h5G5nbSCMloGDkW3aodb9cNBlYkh9U2W7WMHbko/DpHFuKT+KhhL6xC hATQ== X-Gm-Message-State: AOJu0YxTuJydCnm/BYa0ZS35mPzwSsyOr+/WmAFYugo11qnqsmpEpnsB AYifmqSmUpqAC1wsJydhLMSZ29zHgW3IzueUva+x+Do4YwRaM3htsla+3GZ4hg== X-Gm-Gg: AeBDievJioYfBq9Gi3OFVqagHM+xLZSjrE5skC4puZg9TGtwwYnGJXdYBN7Bchqfmi2 fv9dv002E6YIak+50rKZLsTtn8rRc8JOojEmIfWrUu+dy8BgEknGLr7Pfkvst2JKGRXu2aZh2jr KHTA9DU9Xt5/5rIu7+2Pi+33NBejSDL49iuV9VCBvLRJ6Bwh6zFeR/tiiFeOMSBZcUJgk4r2mp+ gNklLwz3WyqUcHM7vkFD9Fp4u8SGlpeYllSgeucaSdVjKW3uVhrIes6FlTdQ80dvLTv4Ruesf6f NCEyBsOfN7ZdOBZx5ns0n1AV7ZQXnLDXkX3+fPpUZKs2mmSFJFeF9+TWQBD4qj0owrUN+JnnVmH jLRpTJLJOGsUQ041ln9TwAOWOxq/XlYHl5HjHD5wkmvET0ZZ7puu8+xwCciMHd9VnQ5umGyHyL+ 0W8uPX+QTcOCcweeA8ecpjjObCa3IkY4U= X-Received: by 2002:a05:600c:c085:b0:488:acbc:b2e with SMTP id 5b1f17b1804b1-488fb765b04mr140690535e9.17.1776685864043; Mon, 20 Apr 2026 04:51:04 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488fc1c773fsm314595715e9.12.2026.04.20.04.51.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 04:51:03 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 1/3] botan: patch CVE-2026-34582 Date: Mon, 20 Apr 2026 13:50:58 +0200 Message-ID: <20260420115102.428743-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 11:51:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126500 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-34582 Debian has identified[1] the PR that fixes this, however the url seems to have a typo - it was PR number 5499[2], and not 5599[3]. (The backported commit's description matches the CVE's description) [1]: https://security-tracker.debian.org/tracker/CVE-2026-34582 [2]: https://github.com/randombit/botan/pull/5499 [3]: https://github.com/randombit/botan/pull/5599 Signed-off-by: Gyorgy Sarvari --- .../botan/botan/CVE-2026-34582.patch | 28 +++++++++++++++++++ meta-oe/recipes-crypto/botan/botan_3.10.0.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch diff --git a/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch b/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch new file mode 100644 index 0000000000..c7a09eae3b --- /dev/null +++ b/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch @@ -0,0 +1,28 @@ +From daf4c8c148165a7c316d816d2bcdc25ba1f6887d Mon Sep 17 00:00:00 2001 +From: Jack Lloyd +Date: Sun, 29 Mar 2026 08:25:18 -0400 +Subject: [PATCH] In TLS 1.3 require that the handshake is completed prior to + application data + +CVE: CVE-2026-34582 +Upstream-Status: Backport [https://github.com/randombit/botan/commit/4190398599413373f55b1073ac06fefd494af8c6] +Signed-off-by: Gyorgy Sarvari +--- + src/lib/tls/tls13/tls_channel_impl_13.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/lib/tls/tls13/tls_channel_impl_13.cpp b/src/lib/tls/tls13/tls_channel_impl_13.cpp +index 82a8e38..eee9bad 100644 +--- a/src/lib/tls/tls13/tls_channel_impl_13.cpp ++++ b/src/lib/tls/tls13/tls_channel_impl_13.cpp +@@ -163,6 +163,10 @@ size_t Channel_Impl_13::from_peer(std::span data) { + } else if(record.type == Record_Type::ChangeCipherSpec) { + process_dummy_change_cipher_spec(); + } else if(record.type == Record_Type::ApplicationData) { ++ BOTAN_ASSERT_NONNULL(m_cipher_state); ++ if(!m_cipher_state->can_decrypt_application_traffic()) { ++ throw Unexpected_Message("Application data received before handshake completion"); ++ } + BOTAN_ASSERT(record.seq_no.has_value(), "decrypted application traffic had a sequence number"); + callbacks().tls_record_received(record.seq_no.value(), record.fragment); + } else if(record.type == Record_Type::Alert) { diff --git a/meta-oe/recipes-crypto/botan/botan_3.10.0.bb b/meta-oe/recipes-crypto/botan/botan_3.10.0.bb index 0986a76557..bedc49f714 100644 --- a/meta-oe/recipes-crypto/botan/botan_3.10.0.bb +++ b/meta-oe/recipes-crypto/botan/botan_3.10.0.bb @@ -8,6 +8,7 @@ SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \ file://CVE-2026-32877.patch \ file://CVE-2026-32883.patch \ file://CVE-2026-32884.patch \ + file://CVE-2026-34582.patch \ " SRC_URI[sha256sum] = "fde194236f6d5434f136ea0a0627f6cc9d26af8b96e9f1e1c7d8c82cd90f4f24" From patchwork Mon Apr 20 11:50:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86474 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C22B2F36C5E for ; Mon, 20 Apr 2026 11:51:07 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17709.1776685867043505065 for ; Mon, 20 Apr 2026 04:51:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=WQr/Yjro; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-4891b0786beso8709625e9.1 for ; Mon, 20 Apr 2026 04:51:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776685865; x=1777290665; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=fxn4ab6qtDkZV70UMOobou5YbAimseGpn0bb3uvTiPM=; b=WQr/Yjro23ja7A4YxYgVgHfmJYzOwGy5IVRLQlzHd2CqiKVGrKmcFtEoYPL/aIqip1 wi9s8lwJCkAy3xYxgtzV7hxPpkVTed9yCYXU/qZS95we2eQIaA+NncoDwM803z08TP4p MKN6WGy5nTyI4Q4LsVudCQSv8zpGpIU/M+JXKFK1YIzJ9ShuGrD9rouu2YPfp6vSrRYP /2S9Zxdk/FoseMzsRAsc63vCKMYz4Cm8RNjuCcuG7xkMIViuSQCqaDUGDbZvCMWDMJLx /YmbYG1cqlnON12jogLtVzPgmwueLXUrBPZmy0lGPFvbN2sOaacstpp0SfibpJIODwjQ 1OTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776685865; x=1777290665; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=fxn4ab6qtDkZV70UMOobou5YbAimseGpn0bb3uvTiPM=; b=qcV4VBD9SAZexxiMUz2UedN4KWZ6mmn0poM47xV2WERFrFV8p+CCqRCnE4cyo/I74O ck/VQq2tCj9ziTgXY7bN1qSLr2pIHvHJAHw9g+ohM9L75N3pclqekdjanvJvjKIMzVJG PwPG8IZT+eAysYCnK5skReszEoVP4BtA2bUmzsHbjIklPg5fLp3vd5lSl6QGouNc/UP/ Tdmn+oddojRdpczqj7px/zgkvzEmFH1/9hH427k34HKceF8D1gMy/mnMiwvI3xytLSma PqaarCo8ibYn/3hyhtnGsQtBC7ahSgnv4kpiPbWMrzvWSVQYnXjAObwFOr+6F0eZ01j1 drmA== X-Gm-Message-State: AOJu0YwV9PjJFxJQ/ltqVMHYkt6ReYW+dc1k0sBGHwjj5uQf3QstpALK 3+kk224kCU+JgnoDpd+1Y89nGU5uKN95bQdC+x6iQVT3nHWC4X9Zqm3MGWKv1Q== X-Gm-Gg: AeBDieucz+JvXTnMji8gYgT1fJ/NFdndLzsi7lXJ/V0l0W7lQhVuqiOIUo0YVFHsVTk aTwPmX+Zpifepzwsr5Mt7Finl2X32tzOwP3Ys8jjZIvWQGg1QfYnF9ntiE69hxP/O0rAhltaqt8 klm0kLeq0jsQm0yKVy3WwnvfmrFAhPL6sGWCrons+J/iZRsLbadFA73GSwkXsYFltc/3lfg5D1+ GnpRnshDxGL3RD87WW7fU18QjxagdONSWwHCWdDIg4C+Dy3UXsMiq/HsJcBbNhTSOD96QfBC1vD UAaFxq6Wjq4xZ1z7KS997nu/7jcejoBgHGmb50CpaH9M7LVf3Zu7JMGXnl/QNQ+hhCM4mW89d/n Zs0gKhPVQjn9gcYzrFI7VeLFXajofKRY252KvSVRw9mwD1atNZAclvlrKpoQY5HLr0CIV7dB9f9 XudyxhKjTXnfYYQ5A8/npmapkpfEvlrg8= X-Received: by 2002:a05:600c:4746:b0:488:9439:881a with SMTP id 5b1f17b1804b1-488fb738412mr172264205e9.2.1776685865043; Mon, 20 Apr 2026 04:51:05 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488fc1c773fsm314595715e9.12.2026.04.20.04.51.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 04:51:04 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 2/3] corosync: patch CVE-2026-35091 Date: Mon, 20 Apr 2026 13:50:59 +0200 Message-ID: <20260420115102.428743-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420115102.428743-1-skandigraun@gmail.com> References: <20260420115102.428743-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 11:51:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126501 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091 Pick the patch that mentions the CVE ID explicitly (it was identified by Debian also as the fix[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35091 Signed-off-by: Gyorgy Sarvari --- .../corosync/corosync/CVE-2026-35091.patch | 47 +++++++++++++++++++ .../corosync/corosync_3.1.10.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch new file mode 100644 index 0000000000..a90193dbc5 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch @@ -0,0 +1,47 @@ +From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:00:39 +0200 +Subject: [PATCH] totemsrp: Return error if sanity check fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the check_memb_commit_token_sanity function correctly +checked the minimum message length. However, if the message was too +short, it incorrectly returned a success code (0) instead of the +expected failure code (-1). + +This commit ensures the appropriate error code is returned when the +message length sanity check fails. + +Fixes: CVE-2026-35091 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35091 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 35bf971..94d6c21 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( + log_printf (instance->totemsrp_log_level_security, + "Received memb_commit_token message is too short... ignoring."); + +- return (0); ++ return (-1); + } + +- addr_entries= mct_msg->addr_entries; ++ addr_entries = mct_msg->addr_entries; + if (endian_conversion_needed) { + addr_entries = swab32(addr_entries); + } diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 07d9333ec8..7ccccefed5 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb @@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ + file://CVE-2026-35091.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" From patchwork Mon Apr 20 11:51:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 86475 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97ED3F36C5E for ; Mon, 20 Apr 2026 11:51:17 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.17336.1776685867582970882 for ; Mon, 20 Apr 2026 04:51:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=R+g2A846; spf=pass (domain: gmail.com, ip: 209.85.128.53, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-48896199cbaso31309505e9.1 for ; Mon, 20 Apr 2026 04:51:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776685866; x=1777290666; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Gu7sc50sM4Ssjz3wLyCp43x+3x2chiIqQKOxcILmTjo=; b=R+g2A846SpmYHx5tMvPNZjMGCSvEPbwhsga9+KguNa0Ruw92mqiuZa57xUDFJXVsCD ojUb7D5Ki7IXTFO5FeLCqXjbENecVZ1GDWFQBsru0MztuE5h0Bi4jrLQtQ53MPnMpV1A hh2ENsYT1bkTL3p6MkzvOJ8MA+3zmPB7rq1HRFdeTyWq0TJTqsTEcpkgT2qsg+yXnsr3 w/OLb4ThyVzvdQ+EdQyDFvVefntm3GN2lqD4txp8dCYIjAj16T26UTXWclzkNdWomwpg 0Mp1dek5EKg8vtaPYFTKr0wW33p4tGLObYgjuFPCARpNvA9kqeiynLqOEBI0UOvZIO2p A5CQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776685866; x=1777290666; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Gu7sc50sM4Ssjz3wLyCp43x+3x2chiIqQKOxcILmTjo=; b=a+/w02krnBEPVNlb/h5azV6DkmeilqgZVTeTmd9vDbyuoQjRgbOeIzjoFcO876UFUV YRzMhlHCI0PZCjksBcbwt2/DBh5NuJzhAXBU6eUsG0K0vXVWrvGWeLtb0X1LFb/la8xR A3it1jUiLlDNXhP3jXndnMnz04SJ6WGb2c93MzHRjQtr9qzS1kR9Z9sC28sw3Pg1Z9qi nz2NO7rsBa8aqXboCdGw+cIkBMV9G663EoPXs7QYP96ZnCKIQaw+CySSyN4ZIG8NP8HX 4zDwCMHBpPtYGPwJR6WCIun6rdGa2yddmQgOTwGVjDHD83ERGQRBCJ4bSCjzQ7UGX8EJ E8XQ== X-Gm-Message-State: AOJu0YyOQeyZwWXmMEgbqLqhNBu9TURSo24lUfkCHlMycOD0LuTF7AOG AKMf3ZKtSVZG9/Mo663Oe8QUD4qCTjJh3twod88c/aFMuGbogxnbGatn5owqaQ== X-Gm-Gg: AeBDieuAaB10Bej7p6Ne5dB8lJccQ/O4k1hAlZlyGWV0IAtQJi/baba1n+EkUjzb4g5 B3mG0A8/ZhJbDxrWbm8hSnY9o9/inaZ+8RETjY1SXLiELu9tLoZD61OR8DGiwTzyySPTQHPnUjH UAV0qEFXAOOP+l8ycvDg/INL/KVaVYoVAJqgq5cLn7U436MGprtkwfK7gEVhaiSNOsP7JwDddQF pWlo4F8gNZnZpeTLrHhmqB64LTxezR6WMeV/IfNVkmHfpWAoJn+zXmNxDsFjwac7jbW6t0xtaS7 7P8jXvvaJpdQVlFr7GnofKu3+wGErJ24/vQeHyXN0K+R5F6wK7yQX81ouDLZFDUBd1LP2x2sV3z uVCfF1Pt/S0DdMvEdXJxe1OT9H2JjgnoH3PqVgIZ6Jt8+QMIzOngxVtjm7AJbOEo1e4qCVbZDcG SW53PChIr4B9uxIyI7TMWWuUryNzqe/7A= X-Received: by 2002:a05:600c:c108:b0:488:a82f:bbb6 with SMTP id 5b1f17b1804b1-488fb78e576mr127997985e9.27.1776685865793; Mon, 20 Apr 2026 04:51:05 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488fc1c773fsm314595715e9.12.2026.04.20.04.51.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 04:51:05 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][whinlatter][PATCH 3/3] corosync: patch CVE-2026-35092 Date: Mon, 20 Apr 2026 13:51:00 +0200 Message-ID: <20260420115102.428743-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260420115102.428743-1-skandigraun@gmail.com> References: <20260420115102.428743-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 11:51:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126502 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092 Pick the patch that mentions the CVE ID explicitly (the same commit was identified by Debian also[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35092 Signed-off-by: Gyorgy Sarvari --- .../corosync/corosync/CVE-2026-35092.patch | 57 +++++++++++++++++++ .../corosync/corosync_3.1.10.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch new file mode 100644 index 0000000000..a085d2a29f --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch @@ -0,0 +1,57 @@ +From 8f8a4747a0223b8897deda9a40a8a099c61fa80f Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:44:06 +0200 +Subject: [PATCH] totemsrp: Fix integer overflow in memb_join_sanity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit addresses an integer overflow (wraparound) vulnerability +in the check_memb_join_sanity function. + +Previously, the 32-bit unsigned network values proc_list_entries and +failed_list_entries were added together before being promoted to +size_t. This allowed the addition to wrap around in 32-bit arithmetic +(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len +calculation that was incorrectly small. + +The solution is to cast the list entries to size_t and verify that +neither exceeds the maximum allowed value before the addition occurs. + +Fixes: CVE-2026-35092 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35092 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 94d6c21..6845cec 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( + failed_list_entries = swab32(failed_list_entries); + } + +- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); ++ if (proc_list_entries > PROCESSOR_COUNT_MAX || ++ failed_list_entries > PROCESSOR_COUNT_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received memb_join message list_entries exceeds the maximum " ++ "allowed value... ignoring."); ++ ++ return (-1); ++ } ++ ++ required_len = sizeof(struct memb_join) + ++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message is too short... ignoring."); diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 7ccccefed5..77dea16e98 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb @@ -10,6 +10,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ file://CVE-2026-35091.patch \ + file://CVE-2026-35092.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)"