From patchwork Mon Apr 20 19:07:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86515 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7357F5A8BA for ; Mon, 20 Apr 2026 19:08:04 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1306.1776712074667482746 for ; Mon, 20 Apr 2026 12:07:55 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=KxbV/V9C; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 8984922E6 for ; Mon, 20 Apr 2026 12:07:48 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id C43A93F915 for ; Mon, 20 Apr 2026 12:07:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776712074; bh=9VQIOjIjHPoM128jAAMPvijLdG28xLWl8E/7m1wBXdw=; h=From:To:Subject:Date:From; b=KxbV/V9CYjWrlWIUoj7JvT7AO6JKF5cY3KDRP664sMYNbreL9lKvnu7g5/WiQc5lT iWePH7Gk63Nak111+TmQCnM0MH8Kq1DyWlSwEYRHZVGaKfUagno0nF1wQSDskqEKE2 cnwYY72VlcNRI3k7XYgJJChXhONFEB/t/kjf4yJE= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 1/5] bluez5: mark two CVEs as being in the wrong product Date: Mon, 20 Apr 2026 20:07:45 +0100 Message-ID: <20260420190749.1280090-1-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 19:08:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235582 CVE-2020-12351 and CVE-2020-12352 ("BleedingTooth") are actually issues in the Linux kernel, not BlueZ as reported in the CVE. Signed-off-by: Ross Burton --- meta/recipes-connectivity/bluez5/bluez5_5.86.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.86.bb b/meta/recipes-connectivity/bluez5/bluez5_5.86.bb index 2d56fc642de..8974a2c69c9 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.86.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.86.bb 
@@ -5,6 +5,8 @@ LDFLAGS += " ${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld', '-Wl,-z,nostar SRC_URI[sha256sum] = "99f144540c6070591e4c53bcb977eb42664c62b7b36cb35a29cf72ded339621d" CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes" +CVE_STATUS[CVE-2020-12351] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes" +CVE_STATUS[CVE-2020-12352] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes" # noinst programs in Makefile.tools that are conditional on READLINE # support From patchwork Mon Apr 20 19:07:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86516 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 990EBF5A8B8 for ; Mon, 20 Apr 2026 19:08:04 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1308.1776712075389750993 for ; Mon, 20 Apr 2026 12:07:55 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=fbzjsbPu; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2BBB825DE for ; Mon, 20 Apr 2026 12:07:49 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 64CEA3F915 for ; Mon, 20 Apr 2026 12:07:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776712074; 
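Review bot: the two new CVE_STATUS lines match the existing CVE-2020-24490 entry in wording and status kind, and cpe-incorrect is the right kind here since the CVE's CPE names bluez while the fixes landed in the kernel. One thing to confirm before merging: cpe-incorrect removes both ids from this recipe's cve-check output entirely, so the BleedingTooth issues should be visible against the kernel recipe instead; a sentence in the commit message saying that the kernel side is where they are tracked would help anyone auditing the image-level report later.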
bh=1wma+27thg9gwMisryVjL7tv2427aNYMXFBJ/4rZc8o=; h=From:To:Subject:Date:In-Reply-To:References:From; b=fbzjsbPuKZ/yaxVINjTytOWswd16KzbNQHxGyZAkd18nj0ZxmPyXwl1wB1kco41KC uK7T4yRUdaWl9TjKRtfA6ABEMWqzH7zHfacODYA5z1exHBbRqurhRFkcJqu2FeQdu3 MV/h4gHLfPxf826rBJhkPTlbkYSY9MGLYiIFJOx8= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 2/5] systemd: mark several CVEs as fixed Date: Mon, 20 Apr 2026 20:07:46 +0100 Message-ID: <20260420190749.1280090-2-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260420190749.1280090-1-ross.burton@arm.com> References: <20260420190749.1280090-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 19:08:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235583 CVE-2019-3815 is specific to RHEL, and CVE-2026-40223 to -40226 have all been fixed in the stable branch. Signed-off-by: Ross Burton --- meta/recipes-core/systemd/systemd.inc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc index b636d6e8b4f..f107c4c5da5 100644 --- a/meta/recipes-core/systemd/systemd.inc +++ b/meta/recipes-core/systemd/systemd.inc 
@@ -20,3 +20,9 @@ SRCBRANCH = "v259-stable" SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH};tag=v${PV}" CVE_PRODUCT = "systemd" + +CVE_STATUS[CVE-2019-3815] = "not-applicable-platform: only applied to RHEL" +CVE_STATUS[CVE-2026-40223] = "fixed-version: fixed in 259.2" +CVE_STATUS[CVE-2026-40224] = "fixed-version: fixed in 259.3" +CVE_STATUS[CVE-2026-40225] = "fixed-version: fixed in 259.5" +CVE_STATUS[CVE-2026-40226] = "fixed-version: fixed in 259.4" From patchwork Mon Apr 20 19:07:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86514 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 922CFF5A8B6 for ; Mon, 20 Apr 2026 19:08:04 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1310.1776712075893373664 for ; Mon, 20 Apr 2026 12:07:56 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=gHrgVwad; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C0D6C22E6 for ; Mon, 20 Apr 2026 12:07:49 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 050213F915 for ; Mon, 20 Apr 2026 12:07:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776712075; bh=9lJGftGrE5hk/RBJu2fsdUA8112TyDJUu5WFvO8u6aM=; h=From:To:Subject:Date:In-Reply-To:References:From; 
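Review bot: the fixed-version entries need the recipe's PV checked against the versions they cite. SRC_URI in this hunk pins tag=v${PV}, and fixed-version marks a CVE as patched in the report regardless of which tag is actually built, so if PV is below 259.5 the report would hide CVE-2026-40225 (and likewise 259.4 for CVE-2026-40226, 259.3 for CVE-2026-40224) while the shipped build is still affected. The commit message only says the fixes are "in the stable branch"; naming the PV this was checked against, or carrying the fixes as patches with CVE: tags (which cve-check picks up automatically), would make the claim verifiable. The not-applicable-platform entry for CVE-2019-3815 reads fine.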
b=gHrgVwadu/XBYp7RANfTYq6BATzY3aRNQVXnFMABFODTmoS/ALbVyyMRe1wg+IgBU TlpjmMrDW3Rv2hS0OqlIsq+v7/3nbcuZxOO3QWhR62HH8INh8LUXpO860qY4GXEz8x +k/ZMCzGy/7N0YGhSpNVjwXLq/gB2vAsXiZ0Qvj4= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 3/5] xz: mark several CVEs as fixed Date: Mon, 20 Apr 2026 20:07:47 +0100 Message-ID: <20260420190749.1280090-3-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260420190749.1280090-1-ross.burton@arm.com> References: <20260420190749.1280090-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 19:08:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235584 - CVE-2024-47611 was fixed in 5.6.3 and is Windows-specific. - CVE-2025-31115 was fixed in 5.8.1. - CVE-2025-58058 is specific to the Go xz module, not this recipe. Signed-off-by: Ross Burton --- meta/recipes-extended/xz/xz_5.8.2.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb index 982f5054c3a..7ada44d9f58 100644 --- a/meta/recipes-extended/xz/xz_5.8.2.bb +++ b/meta/recipes-extended/xz/xz_5.8.2.bb 
@@ -72,3 +72,7 @@ do_install_ptest () { ln -s ${bindir}/xzdiff ${D}${PTEST_PATH}/src/scripts/xzdiff ln -s ${bindir}/xzgrep ${D}${PTEST_PATH}/src/scripts/xzgrep } + +CVE_STATUS[CVE-2024-47611] = "fixed-version: fixed in 5.6.3 and Windows-specific" +CVE_STATUS[CVE-2025-31115] = "fixed-version: fixed in 5.8.1" +CVE_STATUS[CVE-2025-58058] = "cpe-incorrect: this is specific to the Go xz module" From patchwork Mon Apr 20 19:07:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86512 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2D458F5A8AA for ; Mon, 20 Apr 2026 19:08:04 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1310.1776712075893373664 for ; Mon, 20 Apr 2026 12:07:56 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=ojwisC1A; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5655E25DE for ; Mon, 20 Apr 2026 12:07:50 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 99A313F915 for ; Mon, 20 Apr 2026 12:07:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776712075; bh=h2byWhp4LNsLvZon33ohA33bS+Efji/ajkucKC6TVpU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=ojwisC1A8M5YKb63mkV0QAqTVir6eXFGmbu4rO+Ih5wHhctZO6FiAXKX0KJh8Hyni 
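Review bot: for CVE-2024-47611 the status string gives two independent reasons ("fixed in 5.6.3" and "Windows-specific"), but only the kind before the colon drives the report; a platform kind such as not-applicable-platform stays true even on a branch carrying an older xz, whereas fixed-version is only true while PV >= 5.6.3. Not blocking, since this recipe is 5.8.2. The cpe-incorrect entry for CVE-2025-58058 (Go xz module) and fixed-version for CVE-2025-31115 match the commit message.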
QdXZDRFkKWLDDQR0hzY4mo6Gj4ryYzUFaQrDF/+oLVzh0ewMDB8AMHIchOnqijzVuN bphjOMdCq/QQPsdyu100d6JGYoo3E7wptHc0ft/Q= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 4/5] xz: fix CVE-2026-34743 Date: Mon, 20 Apr 2026 20:07:48 +0100 Message-ID: <20260420190749.1280090-4-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260420190749.1280090-1-ross.burton@arm.com> References: <20260420190749.1280090-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 19:08:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235585 Backport a fix from upstream to resolve CVE-2026-34743: Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. Signed-off-by: Ross Burton --- ...buffer-overflow-in-lzma_index_append.patch | 66 +++++++++++++++++++ meta/recipes-extended/xz/xz_5.8.2.bb | 1 + 2 files changed, 67 insertions(+) create mode 100644 meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch diff --git a/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch b/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch new file mode 100644 index 00000000000..d3918233eab --- /dev/null +++ b/meta/recipes-extended/xz/xz/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch 
@@ -0,0 +1,66 @@ +From c8c22869e780ff57c96b46939c3d79ff99395f87 Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Sun, 29 Mar 2026 19:11:21 +0300 +Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append() + +If lzma_index_decoder() was used to decode an Index that contained no +Records, the resulting lzma_index had an invalid internal "prealloc" +value. If lzma_index_append() was called on this lzma_index, too +little memory would be allocated and a buffer overflow would occur. + +While this combination of the API functions is meant to work, in the +real-world apps this call sequence is rare or might not exist at all. + +This bug is older than xz 5.0.0, so all stable releases are affected. + +Reported-by: GitHub user christos-spearbit + +CVE: CVE-2026-34743 +Upstream-Status: Backport [https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87] +Signed-off-by: Ross Burton +--- + src/liblzma/common/index.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c +index 6add6a68..c4aadb9b 100644 +--- a/src/liblzma/common/index.c ++++ b/src/liblzma/common/index.c +@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records) + if (records > PREALLOC_MAX) + records = PREALLOC_MAX; + ++ // If index_decoder.c calls us with records == 0, it's decoding ++ // an Index that has no Records. In that case the decoder won't call ++ // lzma_index_append() at all, and i->prealloc isn't used during ++ // the Index decoding either. ++ // ++ // Normally the first lzma_index_append() call from the Index decoder ++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records, ++ // lzma_index_append() isn't called and the resetting of prealloc ++ // won't occur either. Thus, if records == 0, use the default value ++ // INDEX_GROUP_SIZE instead. ++ // ++ // NOTE: lzma_index_append() assumes i->prealloc > 0. 
liblzma <= 5.8.2 ++ // didn't have this check and could set i->prealloc = 0, which would ++ // result in a buffer overflow if the application called ++ // lzma_index_append() after decoding an empty Index. Appending ++ // Records after decoding an Index is a rare thing to do, but ++ // it is supposed to work. ++ if (records == 0) ++ records = INDEX_GROUP_SIZE; ++ + i->prealloc = (size_t)(records); + return; + } +@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator, + ++g->last; + } else { + // We need to allocate a new group. ++ assert(i->prealloc > 0); + g = lzma_alloc(sizeof(index_group) + + i->prealloc * sizeof(index_record), + allocator); +-- +2.43.0 + diff --git a/meta/recipes-extended/xz/xz_5.8.2.bb b/meta/recipes-extended/xz/xz_5.8.2.bb index 7ada44d9f58..15eaa7a52f8 100644 --- a/meta/recipes-extended/xz/xz_5.8.2.bb +++ b/meta/recipes-extended/xz/xz_5.8.2.bb 
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d38d562f6112174de93a9677682231b2 \ " SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${PV}.tar.gz \ + file://0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch \ file://run-ptest \ " SRC_URI[sha256sum] = "ce09c50a5962786b83e5da389c90dd2c15ecd0980a258dd01f70f9e7ce58a8f1" From patchwork Mon Apr 20 19:07:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 86513 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E191F5A8B1 for ; Mon, 20 Apr 2026 19:08:04 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1311.1776712076881667769 for ; Mon, 20 Apr 2026 12:07:57 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=CyxAZvnm; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E26DF22E6 for ; Mon, 20 Apr 2026 12:07:50 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 314293F915 for ; Mon, 20 Apr 2026 12:07:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1776712076; bh=/dkCmsLUpPZR7uyV3smlAtVH/CrACEo+KHJHtzPXMzc=; h=From:To:Subject:Date:In-Reply-To:References:From; b=CyxAZvnmVvUn5IDPnvbNwD1POMKB3Lo24MMfo7zwFL2o5QTLSEA9SfEgWgx3kHCvk +qmYcBH4NASnuT4JACVTUZfv0YufMmlElPTRx0xRp3pCdcRREhv/FjURHMzn/BvDwE 
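Review bot: the backport carries the CVE: tag and an Upstream-Status: Backport line with the full upstream commit URL, so cve-check will mark CVE-2026-34743 as patched without a separate CVE_STATUS entry; good. Two reading notes on the index.c hunks: the `if (records == 0) records = INDEX_GROUP_SIZE;` branch in lzma_index_prealloc() is the actual fix, while the new `assert(i->prealloc > 0);` in lzma_index_append() only fires in builds compiled without NDEBUG, so it documents the invariant rather than enforcing it in release binaries. That is fine for a faithful backport, but worth knowing when triaging: the protection comes from the prealloc default, not from the assert. The SRC_URI addition in xz_5.8.2.bb sits between the tarball and run-ptest, which is where the other recipes in this series put their patches too.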
ofT4/v1EJxQMMDDfsTpx1QdOqVYJ3rDlcTL8Y4X8= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 5/5] util-linux: fix CVE-2026-27456 Date: Mon, 20 Apr 2026 20:07:49 +0100 Message-ID: <20260420190749.1280090-5-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260420190749.1280090-1-ross.burton@arm.com> References: <20260420190749.1280090-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 19:08:04 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235586 Backport a patch from upstream to fix CVE-2026-27456: Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. 
Signed-off-by: Ross Burton --- meta/recipes-core/util-linux/util-linux.inc | 1 + ...DEV_FL_NOFOLLOW-to-prevent-symlink-a.patch | 114 ++++++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index deb9bfd0644..02358626669 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -20,6 +20,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://0001-lsfd-mkfds-foreign-sockets-skip-when-lacking-sock_di.patch \ file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \ file://0001-tests-script-Disable-size-option-test.patch \ + file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \ " SRC_URI[sha256sum] = "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b" diff --git a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch new file mode 100644 index 00000000000..0951c9f5fbe --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch 
@@ -0,0 +1,114 @@ +From f55f9906b4f6eeb2b4a4120317df9de935253c10 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 19 Feb 2026 13:59:46 +0100 +Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks + +Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that +prevents symlink following in both path canonicalization and file open. + +When set: +- loopcxt_set_backing_file() uses strdup() instead of + ul_canonicalize_path() (which calls realpath() and follows symlinks) +- loopcxt_setup_device() adds O_NOFOLLOW to open() flags + +The flag is set for non-root (restricted) mount operations in +libmount's loop device hook. This prevents a TOCTOU race condition +where an attacker could replace the backing file (specified in +/etc/fstab) with a symlink to an arbitrary root-owned file between +path resolution and open(). + +Vulnerable Code Flow: + + mount /mnt/point (non-root, SUID) + mount.c: sanitize_paths() on user args (mountpoint only) + mnt_context_mount() + mnt_context_prepare_mount() + mnt_context_apply_fstab() <-- source path from fstab + hooks run at MNT_STAGE_PREP_SOURCE + hook_loopdev.c: setup_loopdev() + backing_file = fstab source path ("/home/user/disk.img") + loopcxt_set_backing_file() <-- calls realpath() as ROOT + ul_canonicalize_path() <-- follows symlinks! + loopcxt_setup_device() + open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW + +Two vulnerabilities in the path: + +1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses + realpath() -- this follows symlinks as euid=0. If the attacker swaps + the file to a symlink before this call, lc->filename becomes the + resolved target path (e.g., /root/secret.img). + +2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even + if canonicalization happened correctly, the file can be swapped to a + symlink between canonicalize and open. 
+ +Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g +Signed-off-by: Karel Zak +(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4) + +CVE: CVE-2026-27456 +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + include/loopdev.h | 3 ++- + lib/loopdev.c | 7 ++++++- + libmount/src/hook_loopdev.c | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/loopdev.h b/include/loopdev.h +index e5ec1c98a..6bdb1393a 100644 +--- a/include/loopdev.h ++++ b/include/loopdev.h +@@ -140,7 +140,8 @@ enum { + LOOPDEV_FL_NOIOCTL = (1 << 6), + LOOPDEV_FL_DEVSUBDIR = (1 << 7), + LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */ +- LOOPDEV_FL_SIZELIMIT = (1 << 9) ++ LOOPDEV_FL_SIZELIMIT = (1 << 9), ++ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */ + }; + + /* +diff --git a/lib/loopdev.c b/lib/loopdev.c +index 2359bf781..76685be70 100644 +--- a/lib/loopdev.c ++++ b/lib/loopdev.c +@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename) + if (!lc) + return -EINVAL; + +- lc->filename = canonicalize_path(filename); ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ lc->filename = strdup(filename); ++ else ++ lc->filename = canonicalize_path(filename); + if (!lc->filename) + return -errno; + +@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc) + + if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO) + flags |= O_DIRECT; ++ if (lc->flags & LOOPDEV_FL_NOFOLLOW) ++ flags |= O_NOFOLLOW; + + if ((file_fd = open(lc->filename, mode | flags)) < 0) { + if (mode != O_RDONLY && (errno == EROFS || errno == EACCES)) +diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c +index 444d69d6f..34351116c 100644 +--- a/libmount/src/hook_loopdev.c ++++ b/libmount/src/hook_loopdev.c +@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt, + } + + DBG(LOOP, ul_debugobj(cxt, "not found; create a new 
loop device")); +- rc = loopcxt_init(&lc, 0); ++ rc = loopcxt_init(&lc, ++ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0); + if (rc) + goto done_no_deinit; + if (mnt_opt_has_value(loopopt)) { +-- +2.43.0 +
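Review bot: the O_NOFOLLOW added in loopcxt_setup_device() only applies to the final path component: open(2) with O_NOFOLLOW still traverses symlinks in parent directories, and with canonicalize_path() now skipped for restricted contexts nothing else resolves or validates them. For the scenario the CVE text describes (a fstab source path inside a user-writable directory) this covers the file itself, but a post-open fstat() check (regular file, expected ownership) of the kind the CVE description lists as missing would close the remaining gap; either add it in the libmount hook or record the limitation in the commit message so it is an accepted decision rather than an oversight. Also worth stating explicitly: the flag is only set when mnt_context_is_restricted(cxt), so root-initiated mounts keep the canonicalizing behaviour, which preserves compatibility for symlinked image paths.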
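Review bot: the patch header's "Upstream-Status: Backport" has no commit reference, unlike the xz patch earlier in this series which gives the full GitHub commit link; since the body already records "(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4)", please add the matching https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4 URL in brackets after Backport so the OE patch-status checks pass and future rebases can locate the upstream change.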