From patchwork Mon May 4 19:52:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 87482 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 103FFCD3427 for ; Mon, 4 May 2026 19:53:27 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.23681.1777924396846334661 for ; Mon, 04 May 2026 12:53:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=ckdLyoJg; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-2026050419531423618f36bf0002073d-ddtltj@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2026050419531423618f36bf0002073d for ; Mon, 04 May 2026 21:53:14 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=+W8G/ehp9wWBo7IwZu8iuQJhp/nTnWGQcuCimqrIenc=; b=ckdLyoJg44yppB5yImXwlpK4IRzPwowAdSme27onHuvc8S+SuGyYKf6gUusxsd5TPWIVT5 SiqIsG6pcpuVzMtbCLkG8HOkhfHCi/RZ1LNZy7SWXQN2h7KiOBLrOfljACWzwwnSrrBnWk6o lXVpLEeQJyC0uBUDjm5Vaf/8ux1eG6EwJiHfSlnlP8E1PPwO+l968eKz6PwBP3LiVqHaXG8A PZ09h5D+1LKXQpZJ+0BanmkGNZc23V45BduMqgZN2WFCQzgAxgPfTaahjWAy0YcP43zSlejC yfqhqd3rbmoHXHVLTEje/YWNZ+QVg10dEuNPmn8k2cG/3XBVfrCTdNVw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 1/5] tiff: patch CVE-2026-4775 Date: Mon, 4 May 2026 21:52:42 +0200 Message-ID: <20260504195246.1190112-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 May 2026 19:53:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236453 From: Peter Marko Pick patch per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2026-4775 Signed-off-by: Peter Marko --- .../libtiff/tiff/CVE-2026-4775.patch | 55 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.7.1.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch new file mode 100644 index 0000000000..1f3c026b28 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch @@ -0,0 +1,55 @@ +From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 22 Feb 2026 23:32:47 +0100 +Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap + overflow on images with huge width in YCbCr tile decoding functions + +Fixes https://gitlab.com/libtiff/libtiff/-/issues/787 + +CVE: CVE-2026-4775 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c] +Signed-off-by: Peter Marko +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4543ddda..fa82d091 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2216,7 +2216,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + uint32_t *cp1 = cp + w + toskew; + uint32_t *cp2 = cp1 + w + toskew; + uint32_t *cp3 = cp2 + w + toskew; +- int32_t incr = 3 * w + 4 * toskew; ++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew; + + (void)y; + /* adjust fromskew */ +@@ -2356,7 +2356,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + { + uint32_t *cp1 = cp + w + toskew; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + + (void)y; + fromskew = (fromskew / 4) * (4 * 2 + 2); +@@ -2512,7 +2512,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 2) * (2 * 2 + 2); + cp2 = cp + w + toskew; +@@ -2615,7 +2615,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 1) * (1 * 2 + 2); + cp2 = cp + w + toskew; diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb index 0d4b3a4abd..750565e11c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=4ab490c3088a0acff254eb2f8c577547" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ + file://CVE-2026-4775.patch \ " SRC_URI[sha256sum] = "f698d94f3103da8ca7438d84e0344e453fe0ba3b7486e04c5bf7a9a3fabe9b69" From patchwork Mon May 4 19:52:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 87483 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E9DCFF885A for ; Mon, 4 May 2026 19:53:27 +0000 (UTC) Received: from mta-65-226.siemens.flowmailer.net (mta-65-226.siemens.flowmailer.net [185.136.65.226]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.23661.1777924397984722795 for ; Mon, 04 May 2026 12:53:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=DGCT10p8; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.226, mailfrom: fm-256628-20260504195315e98a172fac0002078b-c5gkmt@rts-flowmailer.siemens.com) Received: by mta-65-226.siemens.flowmailer.net with ESMTPSA id 20260504195315e98a172fac0002078b for ; Mon, 04 May 2026 21:53:16 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=2aTT36VfPhi+GnsRTtby26kb2T9vhxe0TCV5JvHh61g=; b=DGCT10p87omXuY2t+GxXhitiLGx5JCT1cfpdP28W4XxClfFDHCyzJJ9HkgE7AMFI8JZipy qj6tTG+HMcUY6d2nIfHnM10zM6lXSxyx47qu+esuqaY67E9X++mK9aCBSDaARduCZ5IW3XdZ GBnM5pUZ2aQYkB1pNRfvBiYxBvBG7hIEX4onHilo75FkhKQvPxBev7X9VV2n0wpw5pFkh4MI m/ArZmAluCmQPeWchYwPbCUECql3N7nyDyhRcmY2/LVkcJdXMvsDtbZvscW4+214joA95oQv t0aWKsb89WC6Sxg8CtfjwvAeQ/T0rugF8eYp2pwjjqKN+FHjkt+8T+7g==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 2/5] sudo: patch CVE-2026-35535 Date: Mon, 4 May 2026 21:52:43 +0200 Message-ID: <20260504195246.1190112-2-peter.marko@siemens.com> In-Reply-To: <20260504195246.1190112-1-peter.marko@siemens.com> References: <20260504195246.1190112-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 May 2026 19:53:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236454 From: Peter Marko Pick patch mentioned in both NVD and Debian report. Signed-off-by: Peter Marko --- .../sudo/files/CVE-2026-35535.patch | 147 ++++++++++++++++++ meta/recipes-extended/sudo/sudo_1.9.17p2.bb | 1 + 2 files changed, 148 insertions(+) create mode 100644 meta/recipes-extended/sudo/files/CVE-2026-35535.patch diff --git a/meta/recipes-extended/sudo/files/CVE-2026-35535.patch b/meta/recipes-extended/sudo/files/CVE-2026-35535.patch new file mode 100644 index 0000000000..c90e4b3b0d --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2026-35535.patch @@ -0,0 +1,147 @@ +From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Sat, 8 Nov 2025 15:34:02 -0700 +Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer + +Also make a setuid(), setgid() or setgroups() failure fatal. + +Found by the ZeroPath AI Security Engineer + +CVE: CVE-2026-35535 +Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69] +Signed-off-by: Peter Marko +--- + include/sudo_eventlog.h | 3 ++- + lib/eventlog/eventlog.c | 21 +++++++++++++++++---- + lib/eventlog/eventlog_conf.c | 4 +++- + plugins/sudoers/logging.c | 2 +- + plugins/sudoers/policy.c | 2 +- + 5 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h +index eb9f4f4a8..485d2593e 100644 +--- a/include/sudo_eventlog.h ++++ b/include/sudo_eventlog.h +@@ -80,6 +80,7 @@ struct eventlog_config { + int syslog_rejectpri; + int syslog_alertpri; + uid_t mailuid; ++ gid_t mailgid; + bool omit_hostname; + const char *logpath; + const char *time_fmt; +@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int pri); + void eventlog_set_syslog_alertpri(int pri); + void eventlog_set_syslog_maxlen(size_t len); + void eventlog_set_file_maxlen(size_t len); +-void eventlog_set_mailuid(uid_t uid); ++void eventlog_set_mailuser(uid_t uid, gid_t gid); + void eventlog_set_omit_hostname(bool omit_hostname); + void eventlog_set_logpath(const char *path); + void eventlog_set_time_fmt(const char *fmt); +diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c +index f4a9f330d..2db2f251c 100644 +--- a/lib/eventlog/eventlog.c ++++ b/lib/eventlog/eventlog.c +@@ -304,15 +304,13 @@ exec_mailer(int pipein) + syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618 + sudo_debug_printf(SUDO_DEBUG_ERROR, + "unable to dup stdin: %s", strerror(errno)); +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + + /* Build up an argv based on the mailer path and flags */ + if ((mflags = strdup(evl_conf->mailerflags)) == NULL) { + syslog(LOG_ERR, _("unable to allocate memory")); // -V618 +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + argv[0] = sudo_basename(mpath); + +@@ -331,11 +329,23 @@ exec_mailer(int pipein) + if (setuid(ROOT_UID) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + ROOT_UID); ++ goto bad; ++ } ++ if (setgid(evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; ++ } ++ if (setgroups(1, &evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; + } + if (evl_conf->mailuid != ROOT_UID) { + if (setuid(evl_conf->mailuid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + (unsigned int)evl_conf->mailuid); ++ goto bad; + } + } + sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +@@ -347,6 +357,9 @@ exec_mailer(int pipein) + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s", + mpath, strerror(errno)); + _exit(127); ++bad: ++ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); ++ _exit(127); + } + + /* Send a message to the mailto user */ +diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c +index bbc3daaac..3d37b632c 100644 +--- a/lib/eventlog/eventlog_conf.c ++++ b/lib/eventlog/eventlog_conf.c +@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = { + MAXSYSLOGLEN, /* syslog_maxlen */ + 0, /* file_maxlen */ + ROOT_UID, /* mailuid */ ++ ROOT_GID, /* mailgid */ + false, /* omit_hostname */ + _PATH_SUDO_LOGFILE, /* logpath */ + "%h %e %T", /* time_fmt */ +@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(size_t len) + } + + void +-eventlog_set_mailuid(uid_t uid) ++eventlog_set_mailuser(uid_t uid, gid_t gid) + { + evl_conf.mailuid = uid; ++ evl_conf.mailgid = gid; + } + + void +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index ec092d14e..1626a28cb 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -1157,7 +1157,7 @@ init_eventlog_config(void) + eventlog_set_syslog_alertpri(def_syslog_badpri); + eventlog_set_syslog_maxlen(def_syslog_maxlen); + eventlog_set_file_maxlen(def_loglinelen); +- eventlog_set_mailuid(ROOT_UID); ++ eventlog_set_mailuser(ROOT_UID, ROOT_GID); + eventlog_set_omit_hostname(!def_log_host); + eventlog_set_logpath(def_logfile); + eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index af3210dda..706c492b7 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -639,7 +639,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, + } + + #ifdef NO_ROOT_MAILER +- eventlog_set_mailuid(ctx->user.uid); ++ eventlog_set_mailuser(ctx->user.uid, ctx->user.gid); + #endif + + /* Dump settings and user info (XXX - plugin args) */ diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb index 6be2a7c678..7dfa0cef6c 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.17p2.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.17p2.bb @@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \ file://0001-m4-Backport-ax_prog_cc_for_build.m4-macros.patch \ + file://CVE-2026-35535.patch \ " PAM_SRC_URI = "file://sudo.pam" From patchwork Mon May 4 19:52:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 87481 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 114B0CD342F for ; Mon, 4 May 2026 19:53:27 +0000 (UTC) Received: from mta-65-228.siemens.flowmailer.net (mta-65-228.siemens.flowmailer.net [185.136.65.228]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.23684.1777924402531647596 for ; Mon, 04 May 2026 12:53:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=YvsBRd+A; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228, mailfrom: fm-256628-20260504195320a757c3a288000207f3-zcerns@rts-flowmailer.siemens.com) Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id 20260504195320a757c3a288000207f3 for ; Mon, 04 May 2026 21:53:20 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=LqIAsTVbY8bx/Q7SEvLow7JMMUTgqYmkDqi7LcA7nD0=; b=YvsBRd+AemWby0YxPXuqFMBPo6UlJLas+OaK2mPQIScs5h4RSswh64bfU1JbAHVTODn0Uh w1uni6LgNWM6KbUqqatMDMZ77NTxiSoClYDRmk3MciVwh0Zp9KzNhVqP3u/bucFwmHukbeQL taIKwtrRAvb9epAskW5Afc84bOvsEFQue1y8knOSDMtQUZUaQlyCqx+esaaWMWfzBxpi2qXe hC3wx9l0H02EopfRtLccCnu1UWUL5Z3B1aOAl2XSiF4GlLP+D0G+96MWecMckTxtXxo3BDi1 DOnfY5BLWzu43jMZQ0othJQi6kRuzp0Mkpk6FoLNboc7LE9HK0NMcvHg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 3/5] libssh2: patch CVE-2026-7598 Date: Mon, 4 May 2026 21:52:44 +0200 Message-ID: <20260504195246.1190112-3-peter.marko@siemens.com> In-Reply-To: <20260504195246.1190112-1-peter.marko@siemens.com> References: <20260504195246.1190112-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 May 2026 19:53:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236455 From: Peter Marko Pick patch mentioned in both NVD and Debian report. Signed-off-by: Peter Marko --- .../libssh2/libssh2/CVE-2026-7598.patch | 56 +++++++++++++++++++ .../recipes-support/libssh2/libssh2_1.11.1.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch new file mode 100644 index 0000000000..314e6af370 --- /dev/null +++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch @@ -0,0 +1,56 @@ +From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Mon, 13 Apr 2026 11:18:25 -0700 +Subject: [PATCH] userauth.c: username_len bounds checking (#1858) + +Return errors when username_len will exceed bounds, fix existing bounds +check. + +Credit: +[dapickle](https://github.com/dapickle) + +CVE: CVE-2026-7598 +Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1] +Signed-off-by: Peter Marko +--- + src/userauth.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/userauth.c b/src/userauth.c +index f8e02651..43d9ab9b 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, + memset(&session->userauth_list_packet_requirev_state, 0, + sizeof(session->userauth_list_packet_requirev_state)); + ++ if(username_len > UINT32_MAX - 27) { ++ _libssh2_error(session, LIBSSH2_ERROR_PROTO, ++ "username_len out of bounds"); ++ return NULL; ++ } ++ + session->userauth_list_data_len = username_len + 27; + + s = session->userauth_list_data = +@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *session, + * 40 = packet_type(1) + username_len(4) + service_len(4) + + * service(14)"ssh-connection" + method_len(4) + method(8)"password" + + * chgpwdbool(1) + password_len(4) */ ++ if(username_len > UINT32_MAX - 40) { ++ return _libssh2_error(session, LIBSSH2_ERROR_PROTO, ++ "username_len out of bounds"); ++ } ++ + session->userauth_pswd_data_len = username_len + 40; + + session->userauth_pswd_data0 = +@@ -447,7 +458,7 @@ password_response: + } + + /* basic data_len + newpw_len(4) */ +- if(username_len + password_len + 44 <= UINT_MAX) { ++ if(username_len <= UINT32_MAX - password_len - 44) { + session->userauth_pswd_data_len = + username_len + password_len + 44; + s = session->userauth_pswd_data = diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb index 0d1237852f..e825c8c5bb 100644 --- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb +++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://run-ptest \ file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \ + file://CVE-2026-7598.patch \ " SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7" From patchwork Mon May 4 19:52:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 87485 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33170FF885A for ; Mon, 4 May 2026 19:53:37 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.23687.1777924407797494872 for ; Mon, 04 May 2026 12:53:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=mMz3tLwK; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20260504195325de652f28f60002077b-fvztjf@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20260504195325de652f28f60002077b for ; Mon, 04 May 2026 21:53:25 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=bdNWJC3cp21BrjiRtgw/uCtREQnmBz+TmuZ5wdK4DZw=; b=mMz3tLwKYJuhCGdFte2BuZ/EH9e9OZzkRtFSOqm9rnDuAJVFSrxARl1f2f2OLtDORhm/9D G1DDW+zVsOCUOgLctczG8MeCajZz+rnFw1bZ0hPjPybNSOFELNfaLnpJNFGUcax1NmFG8xzU PtIjfK0W+Mbazv4qPu8oGIgm1RYrct9lUtJEuCqMnPey2/oDJ0gqaoRb1GkQmO5G+Mpx+TyQ DmykEexAUP1KodNE/Hm+Ix+PV7lmvNgh+/zNSJtxfSrH+Y08sX2DuusjLn5r2vIIJVNhM+Zs CEQUzvhRHEotIh/63hT5GLzZcFcp5ORrjzuzEZ2UxTVj0/ERKUpeW6CA==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 4/5] inetutils: patch CVE-2026-32772 Date: Mon, 4 May 2026 21:52:45 +0200 Message-ID: <20260504195246.1190112-4-peter.marko@siemens.com> In-Reply-To: <20260504195246.1190112-1-peter.marko@siemens.com> References: <20260504195246.1190112-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 May 2026 19:53:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236456 From: Peter Marko Pick patch which references vulnerability report [1] linked in NVD report (see NEWS file). [1] https://www.openwall.com/lists/oss-security/2026/03/13/1 Signed-off-by: Peter Marko --- .../inetutils/inetutils/CVE-2026-32772.patch | 138 ++++++++++++++++++ .../inetutils/inetutils_2.7.bb | 1 + 2 files changed, 139 insertions(+) create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32772.patch diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32772.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32772.patch new file mode 100644 index 0000000000..232774195f --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32772.patch @@ -0,0 +1,138 @@ +From d6b8b83aa51616946fd314bc48087312d13c99f8 Mon Sep 17 00:00:00 2001 +From: Collin Funk +Date: Thu, 26 Mar 2026 22:52:54 -0700 +Subject: [PATCH] telnet: don't leak the value of unexported environment + variables + +Patch based on the following OpenBSD commit: + + +* NEWS.md: Mention the fix. +* telnet/commands.c (env_getvalue): Add a boolean argument to prevent +prevent unexported variables from being returned. +* telnet/externs.h (env_getvalue): Adjust the function declaration. +* telnet/authenc.c (telnet_getenv): Add the new argument. +* telnet/telnet.c (dooption, gettermname, suboption, env_opt_add) +(telnet): Likewise. + +CVE: CVE-2026-32772 +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/commit/?id=d6b8b83aa51616946fd314bc48087312d13c99f8] +Signed-off-by: Peter Marko +--- + NEWS | 5 +++++ + telnet/authenc.c | 2 +- + telnet/commands.c | 6 ++---- + telnet/externs.h | 3 ++- + telnet/telnet.c | 10 +++++----- + 5 files changed, 15 insertions(+), 11 deletions(-) + +diff --git a/NEWS b/NEWS +index 08370442..6e259e02 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,10 @@ + GNU inetutils NEWS -- history of user-visible changes. + ++** telnet no longer leaks the value of unexported environment variables ++to servers sending the NEW-ENVIRON SEND USERVAR command. ++Reported by Justin Swartz in ++. ++ + ** telnetd no longer allows clients to write past the end of a stack + allocated buffer, possibly leading to remote code execution, using an + SLC suboption with many triplets using function octets greater than 18. +diff --git a/telnet/authenc.c b/telnet/authenc.c +index 2706c9f8..f8daea9d 100644 +--- a/telnet/authenc.c ++++ b/telnet/authenc.c +@@ -93,7 +93,7 @@ telnet_spin (void) + char * + telnet_getenv (char *val) + { +- return ((char *) env_getvalue (val)); ++ return (char *) env_getvalue (val, false); + } + + char * +diff --git a/telnet/commands.c b/telnet/commands.c +index 4967559b..9d85df73 100644 +--- a/telnet/commands.c ++++ b/telnet/commands.c +@@ -2050,12 +2050,10 @@ env_default (int init, int welldefined) + } + + unsigned char * +-env_getvalue (const char *var) ++env_getvalue (const char *var, bool exported_only) + { + struct env_lst *ep = env_find (var); +- if (ep) +- return (ep->value); +- return (NULL); ++ return ep && (! exported_only || ep->export) ? ep->value : NULL; + } + + #if defined OLD_ENVIRON && defined ENV_HACK +diff --git a/telnet/externs.h b/telnet/externs.h +index c1f5850e..0adc295a 100644 +--- a/telnet/externs.h ++++ b/telnet/externs.h +@@ -331,7 +331,8 @@ env_opt (unsigned char *, int), + env_opt_start (void), + env_opt_start_info (void), env_opt_add (unsigned char *), env_opt_end (int); + +-extern unsigned char *env_default (int, int), *env_getvalue (const char *); ++extern unsigned char *env_default (int, int); ++extern unsigned char *env_getvalue (const char *, bool); + + int dosynch (const char *); + int get_status (const char *); +diff --git a/telnet/telnet.c b/telnet/telnet.c +index 6b0befc3..f83dfc18 100644 +--- a/telnet/telnet.c ++++ b/telnet/telnet.c +@@ -496,7 +496,7 @@ dooption (int option) + #endif + + case TELOPT_XDISPLOC: /* X Display location */ +- if (env_getvalue ("DISPLAY")) ++ if (env_getvalue ("DISPLAY", false)) + new_state_ok = 1; + break; + +@@ -793,7 +793,7 @@ gettermname (void) + resettermname = 0; + if (tnamep && tnamep != unknown) + free (tnamep); +- if ((tname = (char *) env_getvalue ("TERM")) && ++ if ((tname = (char *) env_getvalue ("TERM", false)) && + (init_term (tname, &err) == 0)) + { + tnamep = mklist (termbuf, tname); +@@ -992,7 +992,7 @@ suboption (void) + unsigned char temp[50], *dp; + int len; + +- if ((dp = env_getvalue ("DISPLAY")) == NULL) ++ if ((dp = env_getvalue ("DISPLAY", false)) == NULL) + { + /* + * Something happened, we no longer have a DISPLAY +@@ -1727,7 +1727,7 @@ env_opt_add (unsigned char *ep) + env_opt_add (ep); + return; + } +- vp = env_getvalue ((char *) ep); ++ vp = env_getvalue ((char *) ep, true); + if (opt_replyp + (vp ? strlen ((char *) vp) : 0) + + strlen ((char *) ep) + 6 > opt_replyend) + { +@@ -2484,7 +2484,7 @@ telnet (char *user) + send_will (TELOPT_LINEMODE, 1); + send_will (TELOPT_NEW_ENVIRON, 1); + send_do (TELOPT_STATUS, 1); +- if (env_getvalue ("DISPLAY")) ++ if (env_getvalue ("DISPLAY", false)) + send_will (TELOPT_XDISPLOC, 1); + if (eight) + tel_enter_binary (eight); diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.7.bb b/meta/recipes-connectivity/inetutils/inetutils_2.7.bb index a3b0b20768..eb8b669e7c 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.7.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.7.bb @@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \ file://CVE-2026-24061-02.patch \ file://CVE-2026-28372.patch \ file://CVE-2026-32746.patch \ + file://CVE-2026-32772.patch \ " inherit autotools gettext update-alternatives texinfo From patchwork Mon May 4 19:52:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 87484 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F441CD3427 for ; Mon, 4 May 2026 19:53:37 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.23691.1777924412817976445 for ; Mon, 04 May 2026 12:53:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=Y3JHl9+M; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-256628-20260504195331ec72fb5a6200020759-n2s_yl@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20260504195331ec72fb5a6200020759 for ; Mon, 04 May 2026 21:53:31 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=ms0fGIFyk8GVg4pBsdxtFhrItHtQ5A5iZ9bBSMSxWrU=; b=Y3JHl9+MW10nVKmEeBeMfYrCzd2hZe7GcS34/E3jCOYxVQvReUkldhXw/mp3nKhuBs2cKz 2wyGOAOTgpZqNXaaAIH+UsvxmBxmPsVr7251wtJNH7m0QKViZ28wJpGeQMFG3NPf/2zMbuqS BsDgTxcL68ynURupkRIQa8wdRG7ZaViRRip8irqhOxYBPurmajgOEo08mwaORHAYiZX8Fq50 wUO+L89Z4Fr79Xab2/bvO8h6vlR4JDbvbWjxYS4S9Z9domAHGSuPTujMT6aLk5ZDSqddmOgK VVsD91++Ed56s8fr5eFvLYtcS1lcF+MHO1SVwpwzDUlyyta5XP5pWgjg==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [PATCH 5/5] libarchive: set status of CVE-2026-5745 Date: Mon, 4 May 2026 21:52:46 +0200 Message-ID: <20260504195246.1190112-5-peter.marko@siemens.com> In-Reply-To: <20260504195246.1190112-1-peter.marko@siemens.com> References: <20260504195246.1190112-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 04 May 2026 19:53:37 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236457 From: Peter Marko Debian security tracker [1] links Github issue [2] which points to PR [3] which has been fixed on 3.8 branch with [4]. [1] https://security-tracker.debian.org/tracker/CVE-2026-5745 [2] https://github.com/libarchive/libarchive/issues/2904#issuecomment-4257068822 [3] https://github.com/libarchive/libarchive/pull/2905/changes [4] https://github.com/libarchive/libarchive/commit/8c04ac3c91841cdf75dc9de4a405cd7c69 Signed-off-by: Peter Marko --- meta/recipes-extended/libarchive/libarchive_3.8.7.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-extended/libarchive/libarchive_3.8.7.bb b/meta/recipes-extended/libarchive/libarchive_3.8.7.bb index 577362ef8b..e8c3a3bfe3 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.8.7.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.8.7.bb @@ -91,3 +91,4 @@ RDEPENDS:${PN}-ptest += "bsdtar bsdcpio" CVE_STATUS[CVE-2026-4426] = "fixed-version: fixed since 3.8.7" CVE_STATUS[CVE-2026-5121] = "fixed-version: fixed since 3.8.7" +CVE_STATUS[CVE-2026-5745] = "fixed-version: fixed since 3.8.6"